2

.dockerignore

@@ -1,2 +0,0 @@
-backend/node_modules
-frontend/node_modules

.env.example

@@ -9,7 +9,6 @@ JWT_SIGNUP_SECRET=3679e04ca949f914c03332aaaeba805a
 JWT_REFRESH_SECRET=5f2f3c8f0159068dc2bbb3a652a716ff
 JWT_AUTH_SECRET=4be6ba5602e0fa0ac6ac05c3cd4d247f
 JWT_SERVICE_SECRET=f32f716d70a42c5703f4656015e76200
-JWT_PROVIDER_AUTH_SECRET=f32f716d70a42c5703f4656015e76201
 
 # JWT lifetime
 # Optional lifetimes for JWT tokens expressed in seconds or a string 
@@ -17,7 +16,6 @@ JWT_PROVIDER_AUTH_SECRET=f32f716d70a42c5703f4656015e76201
 JWT_AUTH_LIFETIME=
 JWT_REFRESH_LIFETIME=
 JWT_SIGNUP_LIFETIME=
-JWT_PROVIDER_AUTH_LIFETIME=
 
 # MongoDB
 # Backend will connect to the MongoDB instance at connection string MONGO_URL which can either be a ref
@@ -61,6 +59,10 @@ SENTRY_DSN=
 # Ignore - Not applicable for self-hosted version
 POSTHOG_HOST=
 POSTHOG_PROJECT_API_KEY=
-
-CLIENT_ID_GOOGLE=
-CLIENT_SECRET_GOOGLE=
+STRIPE_SECRET_KEY=
+STRIPE_PUBLISHABLE_KEY=
+STRIPE_WEBHOOK_SECRET=
+STRIPE_PRODUCT_STARTER=
+STRIPE_PRODUCT_TEAM=
+STRIPE_PRODUCT_PRO=
+NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=

.github/resources/docker-compose.be-test.yml

@@ -13,7 +13,6 @@ services:
       - MONGO_URL=mongodb://test:example@mongo:27017/?authSource=admin
       - MONGO_USERNAME=test
       - MONGO_PASSWORD=example
-      - ENCRYPTION_KEY=a984ecdf82ec779e55dbcc21303a900f
     networks:
       - infisical-test
 

.github/values.yaml

@@ -1,10 +1,3 @@
-# secretScanningGitApp:
-#   enabled: false
-#   deploymentAnnotations:
-#     secrets.infisical.com/auto-reload: "true"
-#   image:
-#     repository: infisical/staging_deployment_secret-scanning-git-app
-    
 frontend:
   enabled: true
   name: frontend
@@ -13,7 +6,7 @@ frontend:
     secrets.infisical.com/auto-reload: "true"
   replicaCount: 2
   image:
-    repository: infisical/staging_deployment_frontend
+    repository: infisical/frontend
     tag: "latest"
     pullPolicy: Always
   kubeSecretRef: managed-secret-frontend
@@ -32,7 +25,7 @@ backend:
     secrets.infisical.com/auto-reload: "true"
   replicaCount: 2
   image:
-    repository: infisical/staging_deployment_backend
+    repository: infisical/backend
     tag: "latest"
     pullPolicy: Always
   kubeSecretRef: managed-backend-secret
@@ -58,8 +51,8 @@ mongodbConnection:
 
 ingress:
   enabled: true
-  # annotations:
-  #   kubernetes.io/ingress.class: "nginx"
+  annotations:
+    kubernetes.io/ingress.class: "nginx"
     # cert-manager.io/issuer: letsencrypt-nginx
   hostName: gamma.infisical.com ## <- Replace with your own domain
   frontend:

.github/workflows/build-docker-image-to-prod.yml

@@ -1,118 +0,0 @@
-name: Release production images (frontend, backend)
-on:
-  push:
-    tags:
-      - "infisical/v*.*.*"
-
-jobs:
-  backend-image:
-    name: Build backend image
-    runs-on: ubuntu-latest
-    steps:
-      - name: Extract version from tag
-        id: extract_version
-        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
-      - name: ☁️ Checkout source
-        uses: actions/checkout@v3
-      - name: 📦 Install dependencies to test all dependencies
-        run: npm ci --only-production
-        working-directory: backend
-      - name: 🧪 Run tests
-        run: npm run test:ci
-        working-directory: backend
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: 🔧 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Set up Depot CLI
-        uses: depot/setup-action@v1
-      - name: 📦 Build backend and export to Docker
-        uses: depot/build-push-action@v1
-        with:
-          project: 64mmf0n610
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          load: true
-          context: backend
-          tags: infisical/backend:test
-      - name: ⏻ Spawn backend container and dependencies
-        run: |
-          docker compose -f .github/resources/docker-compose.be-test.yml up --wait --quiet-pull
-      - name: 🧪 Test backend image
-        run: |
-          ./.github/resources/healthcheck.sh infisical-backend-test
-      - name: ⏻ Shut down backend container and dependencies
-        run: |
-          docker compose -f .github/resources/docker-compose.be-test.yml down
-      - name: 🏗️ Build backend and push
-        uses: depot/build-push-action@v1
-        with:
-          project: 64mmf0n610
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          push: true
-          context: backend
-          tags: |
-            infisical/backend:${{ steps.commit.outputs.short }}
-            infisical/backend:latest
-            infisical/backend:${{ steps.extract_version.outputs.version }}
-          platforms: linux/amd64,linux/arm64
-
-  frontend-image:
-    name: Build frontend image
-    runs-on: ubuntu-latest
-    steps:
-      - name: Extract version from tag
-        id: extract_version
-        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
-      - name: ☁️ Checkout source
-        uses: actions/checkout@v3
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: 🔧 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Set up Depot CLI
-        uses: depot/setup-action@v1
-      - name: 📦 Build frontend and export to Docker
-        uses: depot/build-push-action@v1
-        with:
-          load: true
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          project: 64mmf0n610
-          context: frontend
-          tags: infisical/frontend:test
-          build-args: |
-            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
-      - name: ⏻ Spawn frontend container
-        run: |
-          docker run -d --rm --name infisical-frontend-test infisical/frontend:test
-      - name: 🧪 Test frontend image
-        run: |
-          ./.github/resources/healthcheck.sh infisical-frontend-test
-      - name: ⏻ Shut down frontend container
-        run: |
-          docker stop infisical-frontend-test
-      - name: 🏗️ Build frontend and push
-        uses: depot/build-push-action@v1
-        with:
-          project: 64mmf0n610
-          push: true
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          context: frontend
-          tags: |
-            infisical/frontend:${{ steps.commit.outputs.short }}
-            infisical/frontend:latest
-            infisical/frontend:${{ steps.extract_version.outputs.version }}
-          platforms: linux/amd64,linux/arm64
-          build-args: |
-            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}

.github/workflows/check-be-pull-request.yml

@@ -13,7 +13,6 @@ jobs:
   check-be-pr:
     name: Check
     runs-on: ubuntu-latest
-    timeout-minutes: 15
 
     steps:
       - name: ☁️ Checkout source
@@ -27,17 +26,17 @@ jobs:
       - name: 📦 Install dependencies
         run: npm ci --only-production
         working-directory: backend
-      # - name: 🧪 Run tests
-      #   run: npm run test:ci
-      #   working-directory: backend
-      # - name: 📁 Upload test results
-      #   uses: actions/upload-artifact@v3
-      #   if: always()
-      #   with:
-      #     name: be-test-results
-      #     path: |
-      #       ./backend/reports
-      #       ./backend/coverage
+      - name: 🧪 Run tests
+        run: npm run test:ci
+        working-directory: backend
+      - name: 📁 Upload test results
+        uses: actions/upload-artifact@v3
+        if: always()
+        with:
+          name: be-test-results
+          path: |
+            ./backend/reports
+            ./backend/coverage
       - name: 🏗️ Run build
         run: npm run build
         working-directory: backend

.github/workflows/check-fe-pull-request.yml

@@ -2,35 +2,40 @@ name: Check Frontend Pull Request
 
 on:
   pull_request:
-    types: [opened, synchronize]
+    types: [ opened, synchronize ]
     paths:
-      - "frontend/**"
-      - "!frontend/README.md"
-      - "!frontend/.*"
-      - "frontend/.eslintrc.js"
+      - 'frontend/**'
+      - '!frontend/README.md'
+      - '!frontend/.*'
+      - 'frontend/.eslintrc.js'
+
 
 jobs:
+
   check-fe-pr:
     name: Check
     runs-on: ubuntu-latest
-    timeout-minutes: 15
 
     steps:
-      - name: ☁️ Checkout source
+      -
+        name: ☁️ Checkout source
         uses: actions/checkout@v3
-      - name: 🔧 Setup Node 16
+      -
+        name: 🔧 Setup Node 16
         uses: actions/setup-node@v3
         with:
-          node-version: "16"
-          cache: "npm"
+          node-version: '16'
+          cache: 'npm'
           cache-dependency-path: frontend/package-lock.json
-      - name: 📦 Install dependencies
+      -
+        name: 📦 Install dependencies
         run: npm ci --only-production --ignore-scripts
         working-directory: frontend
       # -
       #   name: 🧪 Run tests
       #   run: npm run test:ci
       #   working-directory: frontend
-      - name: 🏗️ Run build
+      -
+        name: 🏗️ Run build
         run: npm run build
         working-directory: frontend

.github/workflows/docker-image.yml

@@ -1,11 +1,17 @@
 name: Build, Publish and Deploy to Gamma
-on: [workflow_dispatch]
+on:
+  push:
+    tags:
+      - "infisical/v*.*.*"
 
 jobs:
   backend-image:
     name: Build backend image
     runs-on: ubuntu-latest
     steps:
+      - name: Extract version from tag
+        id: extract_version
+        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
       - name: ☁️ Checkout source
         uses: actions/checkout@v3
       - name: 📦 Install dependencies to test all dependencies
@@ -51,14 +57,18 @@ jobs:
           push: true
           context: backend
           tags: |
-            infisical/staging_deployment_backend:${{ steps.commit.outputs.short }}
-            infisical/staging_deployment_backend:latest
+            infisical/backend:${{ steps.commit.outputs.short }}
+            infisical/backend:latest
+            infisical/backend:${{ steps.extract_version.outputs.version }}
           platforms: linux/amd64,linux/arm64
 
   frontend-image:
     name: Build frontend image
     runs-on: ubuntu-latest
     steps:
+      - name: Extract version from tag
+        id: extract_version
+        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
       - name: ☁️ Checkout source
         uses: actions/checkout@v3
       - name: Save commit hashes for tag
@@ -80,12 +90,12 @@ jobs:
           token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
           project: 64mmf0n610
           context: frontend
-          tags: infisical/staging_deployment_frontend:test
+          tags: infisical/frontend:test
           build-args: |
             POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
       - name: ⏻ Spawn frontend container
         run: |
-          docker run -d --rm --name infisical-frontend-test infisical/staging_deployment_frontend:test
+          docker run -d --rm --name infisical-frontend-test infisical/frontend:test
       - name: 🧪 Test frontend image
         run: |
           ./.github/resources/healthcheck.sh infisical-frontend-test
@@ -100,41 +110,12 @@ jobs:
           token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
           context: frontend
           tags: |
-            infisical/staging_deployment_frontend:${{ steps.commit.outputs.short }}
-            infisical/staging_deployment_frontend:latest
+            infisical/frontend:${{ steps.commit.outputs.short }}
+            infisical/frontend:latest
+            infisical/frontend:${{ steps.extract_version.outputs.version }}
           platforms: linux/amd64,linux/arm64
           build-args: |
             POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
-
-  secret-scanning-git-app:
-    name: Build secret scanning git app
-    runs-on: ubuntu-latest
-    steps:
-      - name: ☁️ Checkout source
-        uses: actions/checkout@v3
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: 🔧 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Set up Depot CLI
-        uses: depot/setup-action@v1
-      - name: 🏗️ Build secret scanning git app and push
-        uses: depot/build-push-action@v1
-        with:
-          project: 64mmf0n610
-          push: true
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          context: secret-engine
-          tags: |
-            infisical/staging_deployment_secret-scanning-git-app:${{ steps.commit.outputs.short }}
-            infisical/staging_deployment_secret-scanning-git-app:latest
-          platforms: linux/amd64,linux/arm64
   gamma-deployment:
     name: Deploy to gamma
     runs-on: ubuntu-latest
@@ -165,7 +146,7 @@ jobs:
       - name: Download helm values to file and upgrade gamma deploy
         run: |
           wget https://raw.githubusercontent.com/Infisical/infisical/main/.github/values.yaml
-          helm upgrade infisical infisical-helm-charts/infisical  --values values.yaml --wait --install
+          helm upgrade infisical infisical-helm-charts/infisical  --values values.yaml --recreate-pods
           if [[ $(helm status infisical) == *"FAILED"* ]]; then
             echo "Helm upgrade failed"
             exit 1

.github/workflows/release-standalone-docker-img.yml

@@ -1,24 +1,18 @@
 name: Release standalone docker image
-on:
-  push:
-    tags:
-      - "infisical/v*.*.*"
+on: [workflow_dispatch]
 
 jobs:
   infisical-standalone:
     name: Build infisical standalone image
     runs-on: ubuntu-latest
     steps:
-      - name: Extract version from tag
-        id: extract_version
-        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
       - name: ☁️ Checkout source
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
-      - name: 📦 Install dependencies to test all dependencies
-        run: npm ci --only-production
-        working-directory: backend
+      # - name: 📦 Install dependencies to test all dependencies
+      #   run: npm ci --only-production
+      #   working-directory: backend
       - uses: paulhatch/semantic-version@v5.0.2
         id: version
         with:
@@ -30,10 +24,10 @@ jobs:
           # Same as above except indicating a minor change, supports regular expressions wrapped with '/'
           minor_pattern: "(MINOR)"
           # A string to determine the format of the version output
-          version_format: "${major}.${minor}.${patch}-prerelease${increment}"
+          version_format: "${major}.${minor}.${patch}-${increment}"
           # Optional path to check for changes. If any changes are detected in the path the
           # 'changed' output will true. Enter multiple paths separated by spaces.
-          change_path: "backend,frontend"
+          change_path: "backend/ frontend/"
           # Prevents pre-v1.0.0 version from automatically incrementing the major version.
           # If enabled, when the major version is 0, major releases will be treated as minor and minor as patch. Note that the version_type output is unchanged.
           enable_prerelease_mode: true
@@ -48,28 +42,28 @@ jobs:
           echo "Output Value: ${{ steps.version.outputs.version }}"
           echo "Output Value: ${{ steps.version.outputs.version_type }}"
           echo "Output Value: ${{ steps.version.outputs.increment }}"
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: 🔧 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Set up Depot CLI
-        uses: depot/setup-action@v1
-      - name: 📦 Build backend and export to Docker
-        uses: depot/build-push-action@v1
-        with:
-          project: 64mmf0n610
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          push: true
-          context: .
-          tags: |
-            infisical/infisical:latest
-            infisical/infisical:${{ steps.commit.outputs.short }}
-            infisical/infisical:${{ steps.extract_version.outputs.version }}
-          platforms: linux/amd64,linux/arm64
-          file: Dockerfile.standalone-infisical
+          echo "Output Value: ${{ steps.version.outputs.changed }}"
+      # - name: Save commit hashes for tag
+      #   id: commit
+      #   uses: pr-mpt/actions-commit-hash@v2
+      # - name: 🔧 Set up Docker Buildx
+      #   uses: docker/setup-buildx-action@v2
+      # - name: 🐋 Login to Docker Hub
+      #   uses: docker/login-action@v2
+      #   with:
+      #     username: ${{ secrets.DOCKERHUB_USERNAME }}
+      #     password: ${{ secrets.DOCKERHUB_TOKEN }}
+      # - name: Set up Depot CLI
+      #   uses: depot/setup-action@v1
+      # - name: 📦 Build backend and export to Docker
+      #   uses: depot/build-push-action@v1
+      #   with:
+      #     project: 64mmf0n610
+      #     token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+      #     push: true
+      #     context: .
+      #     tags: |
+      #       infisical/infisical:latest
+      #       infisical/infisical:${{ steps.commit.outputs.short }}
+      #     platforms: linux/amd64,linux/arm64
+      #     file: Dockerfile.standalone-infisical

.github/workflows/release_build.yml

@@ -46,7 +46,6 @@ jobs:
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
-          POSTHOG_API_KEY_FOR_CLI: ${{ secrets.POSTHOG_API_KEY_FOR_CLI }}
           FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}
           AUR_KEY: ${{ secrets.AUR_KEY }}
           GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}

.github/workflows/release_docker_k8_operator.yaml

@@ -1,16 +1,10 @@
-name: Release Docker image for K8 operator
-on:
-  push:
-    tags:
-      - "infisical-k8-operator/v*.*.*"
+name: Release Docker image for K8 operator 
+on: [workflow_dispatch]
 
 jobs:
   release:
     runs-on: ubuntu-latest
     steps:
-      - name: Extract version from tag
-        id: extract_version
-        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical-k8-operator/}"
       - uses: actions/checkout@v2
 
       - name: 🔧 Set up QEMU
@@ -32,6 +26,4 @@ jobs:
           context: k8-operator
           push: true
           platforms: linux/amd64,linux/arm64
-          tags: |
-            infisical/kubernetes-operator:latest
-            infisical/kubernetes-operator:${{ steps.extract_version.outputs.version }}
+          tags: infisical/kubernetes-operator:latest

.gitignore

@@ -2,7 +2,6 @@
 node_modules
 .env
 .env.dev
-.env.gamma
 .env.prod
 .env.infisical
 

.goreleaser.yaml

@@ -18,9 +18,7 @@ monorepo:
 builds:
   - id: darwin-build
     binary: infisical
-    ldflags:
-      - -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
-      - -X github.com/Infisical/infisical-merge/packages/telemetry.POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
+    ldflags: -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
     flags:
       - -trimpath
     env:
@@ -38,9 +36,7 @@ builds:
     env:
       - CGO_ENABLED=0
     binary: infisical
-    ldflags:
-      - -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
-      - -X github.com/Infisical/infisical-merge/packages/telemetry.POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
+    ldflags: -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
     flags:
       - -trimpath
     goos:
@@ -165,7 +161,7 @@ aurs:
       mkdir -p "${pkgdir}/usr/share/zsh/site-functions/"
       mkdir -p "${pkgdir}/usr/share/fish/vendor_completions.d/"
       install -Dm644 "./completions/infisical.bash" "${pkgdir}/usr/share/bash-completion/completions/infisical"
-      install -Dm644 "./completions/infisical.zsh" "${pkgdir}/usr/share/zsh/site-functions/_infisical"
+      install -Dm644 "./completions/infisical.zsh" "${pkgdir}/usr/share/zsh/site-functions/infisical"
       install -Dm644 "./completions/infisical.fish" "${pkgdir}/usr/share/fish/vendor_completions.d/infisical.fish"
       # man pages
       install -Dm644 "./manpages/infisical.1.gz" "${pkgdir}/usr/share/man/man1/infisical.1.gz"

.husky/pre-commit

@@ -3,5 +3,3 @@
 . "$(dirname -- "$0")/_/husky.sh"
 
 npx lint-staged
-
-infisical scan git-changes --staged -v

.infisicalignore

@@ -1 +0,0 @@
-.github/resources/docker-compose.be-test.yml:generic-api-key:16

.vscode/settings.json

@@ -1,3 +0,0 @@
-{
-	"workbench.editor.wrapTabs": true
-}

Dockerfile.standalone-infisical

@@ -25,8 +25,6 @@ ARG POSTHOG_HOST
 ENV NEXT_PUBLIC_POSTHOG_HOST $POSTHOG_HOST
 ARG POSTHOG_API_KEY
 ENV NEXT_PUBLIC_POSTHOG_API_KEY $POSTHOG_API_KEY
-ARG INTERCOM_ID
-ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID
 
 # Build
 RUN npm run build
@@ -44,9 +42,6 @@ VOLUME /app/.next/cache/images
 ARG POSTHOG_API_KEY
 ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
   BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY
-ARG INTERCOM_ID
-ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
-  BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
 
 COPY --chown=nextjs:nodejs --chmod=555 frontend/scripts ./scripts
 COPY --from=frontend-builder /app/public ./public
@@ -82,7 +77,7 @@ RUN npm ci --only-production
 COPY --from=backend-build /app .
 
 # Production stage
-FROM node:16-alpine AS production
+FROM node:14-alpine AS production
 
 WORKDIR / 
 

README.md

@@ -3,26 +3,17 @@
   <img width="300" src="/img/logoname-white.svg#gh-dark-mode-only" alt="infisical">
 </h1>
 <p align="center">
-  <p align="center"><b>Open-source, end-to-end encrypted secret management platform</b>: distribute secrets/configs across your team/infrastructure and prevent secret leaks.</p>
+  <p align="center">Open-source, end-to-end encrypted platform to manage secrets and configs across your team and infrastructure.</p>
 </p>
 
 <h4 align="center">
-  <a href="https://join.slack.com/t/infisical-users/shared_invite/zt-1ye0tm8ab-899qZ6ZbpfESuo6TEikyOQ">Slack</a> |
+  <a href="https://join.slack.com/t/infisical-users/shared_invite/zt-1kdbk07ro-RtoyEt_9E~fyzGo_xQYP6g">Slack</a> |
   <a href="https://infisical.com/">Infisical Cloud</a> |
   <a href="https://infisical.com/docs/self-hosting/overview">Self-Hosting</a> |
   <a href="https://infisical.com/docs/documentation/getting-started/introduction">Docs</a> |
   <a href="https://www.infisical.com">Website</a>
 </h4>
 
-<p align="center">
-  <a href="https://infisical.com/docs/self-hosting/deployment-options/aws-ec2">
-    <img src=".github/images/deploy-to-aws.png" width="137" />
-  </a>
-  <a href="https://infisical.com/docs/self-hosting/deployment-options/digital-ocean-marketplace" alt="Deploy to DigitalOcean">
-     <img width="200" alt="Deploy to DO" src="https://www.deploytodo.com/do-btn-blue.svg"/>
-  </a>
-</p>
-
 <h4 align="center">
   <a href="https://github.com/Infisical/infisical/blob/main/LICENSE">
     <img src="https://img.shields.io/badge/license-MIT-blue.svg" alt="Infisical is released under the MIT license." />
@@ -34,9 +25,9 @@
     <img src="https://img.shields.io/github/commit-activity/m/infisical/infisical" alt="git commit activity" />
   </a>
   <a href="https://cloudsmith.io/~infisical/repos/">
-    <img src="https://img.shields.io/badge/Downloads-395.8k-orange" alt="Cloudsmith downloads" />
+    <img src="https://img.shields.io/badge/Downloads-150.8k-orange" alt="Cloudsmith downloads" />
   </a>
-  <a href="https://join.slack.com/t/infisical-users/shared_invite/zt-1wehzfnzn-1aMo5JcGENJiNAC2SD8Jlg">
+  <a href="https://join.slack.com/t/infisical-users/shared_invite/zt-1kdbk07ro-RtoyEt_9E~fyzGo_xQYP6g">
     <img src="https://img.shields.io/badge/chat-on%20Slack-blueviolet" alt="Slack community channel" />
   </a>
   <a href="https://twitter.com/infisical">
@@ -63,18 +54,22 @@ We're on a mission to make secret management more accessible to everyone, not ju
 -   **[Secret versioning](https://infisical.com/docs/documentation/platform/secret-versioning)** and **[Point-in-Time Recovery]()** to version every secret and project state
 -   **[Audit logs](https://infisical.com/docs/documentation/platform/audit-logs)** to record every action taken in a project
 -   **Role-based Access Controls** per environment
--   [**Simple on-premise deployments** to AWS, Digital Ocean, and more](https://infisical.com/docs/self-hosting/overview)
--   [**Secret Scanning and Leak Prevention**](https://infisical.com/docs/cli/scanning-overview)
+-   [**Simple on-premise deployments** to AWS and Digital Ocean](https://infisical.com/docs/self-hosting/overview)
+- [**2FA**](https://infisical.com/docs/documentation/platform/mfa) with more options coming soon
 
 And much more.
 
 ## Getting started
 
-Check out the [Quickstart Guides](https://infisical.com/docs/getting-started/introduction)
+Check out the [Quickstart](https://infisical.com/docs/getting-started/introduction) Guides
 
-| Use Infisical Cloud | Deploy Infisical on premise |
-| --- | ----------- |
-| The fastest and most reliable way to <br> get started with Infisical is signing up <br> for free to [Infisical Cloud](https://app.infisical.com/login). | <a href="https://infisical.com/docs/self-hosting/deployment-options/aws-ec2"><img src=".github/images/deploy-to-aws.png" width="150" width="300" /></a> <a href="https://infisical.com/docs/self-hosting/deployment-options/digital-ocean-marketplace" alt="Deploy to DigitalOcean"> <img width="217" alt="Deploy to DO" src="https://www.deploytodo.com/do-btn-blue.svg"/> </a> <br> View all [deployment options](https://infisical.com/docs/self-hosting/overview) |
+### Use Infisical Cloud
+
+The fastest and most reliable way to get started with Infisical is signing up for free to [Infisical Cloud](https://app.infisical.com/login).
+
+### Deploy Infisical on premise
+
+Deployment options: [AWS EC2](https://infisical.com/docs/self-hosting/overview), [Kubernetes](https://infisical.com/docs/self-hosting/overview), and [more](https://infisical.com/docs/self-hosting/overview).
 
 ### Run Infisical locally
 
@@ -94,31 +89,9 @@ git clone https://github.com/Infisical/infisical && cd infisical && copy .env.ex
 
 Create an account at `http://localhost:80`
 
-### Scan and prevent secret leaks 
-On top managing secrets with Infisical, you can also [scan for over 140+ secret types]() in your files, directories and git repositories. 
-
-To scan your full git history, run:
-
-```
-infisical scan --verbose
-```
-
-Install pre commit hook to scan each commit before you push to your repository 
-
-```
-infisical scan install --pre-commit-hook
-```
-
-Lean about Infisical's code scanning feature [here](https://infisical.com/docs/cli/scanning-overview) 
-
-
 ## Open-source vs. paid
 
-This repo available under the [MIT expat license](https://github.com/Infisical/infisical/blob/main/LICENSE), with the exception of the `ee` directory which will contain premium enterprise features requiring a Infisical license. 
-
-If you are interested in managed Infisical Cloud of self-hosted Enterprise Offering, take a look at [our webiste](https://infisical.com/) or [book a meeting with us](https://cal.com/vmatsiiako/infisical-demo): 
-
-<a href="https://cal.com/vmatsiiako/infisical-demo"><img alt="Schedule a meeting" src="https://cal.com/book-with-cal-dark.svg" /></a>
+This repo available under the [MIT expat license](https://github.com/Infisical/infisical/blob/main/LICENSE), with the exception of the `ee` directory which will contain premium enterprise features requiring a Infisical license in the future. 
 
 ## Security
 
@@ -134,16 +107,16 @@ Whether it's big or small, we love contributions. Check out our guide to see how
 
 Not sure where to get started? You can:
 
--   [Book a free, non-pressure pairing session / code walkthrough with one of our teammates](https://cal.com/tony-infisical/30-min-meeting-contributing)!
--   Join our <a href="https://join.slack.com/t/infisical-users/shared_invite/zt-1wehzfnzn-1aMo5JcGENJiNAC2SD8Jlg">Slack</a>, and ask us any questions there.
+-   [Book a free, non-pressure pairing sessions with one of our teammates](mailto:tony@infisical.com?subject=Pairing%20session&body=I'd%20like%20to%20do%20a%20pairing%20session!)!
+-   Join our <a href="https://join.slack.com/t/infisical-users/shared_invite/zt-1kdbk07ro-RtoyEt_9E~fyzGo_xQYP6g">Slack</a>, and ask us any questions there.
 
 ## Resources
 
 - [Docs](https://infisical.com/docs/documentation/getting-started/introduction) for comprehensive documentation and guides
-- [Slack](https://join.slack.com/t/infisical-users/shared_invite/zt-1wehzfnzn-1aMo5JcGENJiNAC2SD8Jlg) for discussion with the community and Infisical team.
+- [Slack](https://join.slack.com/t/infisical-users/shared_invite/zt-1kdbk07ro-RtoyEt_9E~fyzGo_xQYP6g) for discussion with the community and Infisical team.
 - [GitHub](https://github.com/Infisical/infisical) for code, issues, and pull requests
 - [Twitter](https://twitter.com/infisical) for fast news
-- [YouTube](https://www.youtube.com/@infisical_od) for videos on secret management
+- [YouTube](https://www.youtube.com/@infisical5306) for videos on secret management
 - [Blog](https://infisical.com/blog) for secret management insights, articles, tutorials, and updates
 - [Roadmap](https://www.notion.so/infisical/be2d2585a6694e40889b03aef96ea36b?v=5b19a8127d1a4060b54769567a8785fa) for planned features
 

backend/.eslintrc

@@ -1,45 +1,12 @@
 {
   "parser": "@typescript-eslint/parser",
-  "plugins": [
-    "@typescript-eslint",
-    "unused-imports"
-  ],
+  "plugins": ["@typescript-eslint"],
   "extends": [
     "eslint:recommended",
     "plugin:@typescript-eslint/eslint-recommended",
     "plugin:@typescript-eslint/recommended"
   ],
   "rules": {
-    "@typescript-eslint/no-empty-function": "off",
-    "no-console": 2,
-    "quotes": [
-      "error",
-      "double",
-      {
-        "avoidEscape": true
-      }
-    ],
-    "comma-dangle": [
-      "error",
-      "only-multiline"
-    ],
-    "@typescript-eslint/no-unused-vars": "off",
-    "unused-imports/no-unused-imports": "error",
-    "@typescript-eslint/no-empty-function": "off",
-    "unused-imports/no-unused-vars": [
-      "warn",
-      {
-        "vars": "all",
-        "varsIgnorePattern": "^_",
-        "args": "after-used",
-        "argsIgnorePattern": "^_"
-      }
-    ],
-    "sort-imports": [
-      "error",
-      {
-        "ignoreDeclarationSort": true
-      }
-    ]
+    "no-console": 2
   }
-}
+}

backend/.prettierrc

@@ -1,7 +0,0 @@
-{
-  "singleQuote": false,
-  "printWidth": 100,
-  "trailingComma": "none",
-  "tabWidth": 2,
-  "semi": true
-}

backend/environment.d.ts

@@ -14,7 +14,7 @@ declare global {
 			JWT_SIGNUP_LIFETIME: string;
 			JWT_SIGNUP_SECRET: string;
       MONGO_URL: string;
-      NODE_ENV: "development" | "staging" | "testing" | "production";
+      NODE_ENV: 'development' | 'staging' | 'testing' | 'production';
       VERBOSE_ERROR_OUTPUT: string;
       LOKI_HOST: string;
       CLIENT_ID_HEROKU: string;
@@ -39,6 +39,12 @@ declare global {
       SMTP_PASSWORD: string;
       SMTP_FROM_ADDRESS: string;
       SMTP_FROM_NAME: string;
+      STRIPE_PRODUCT_STARTER: string;
+      STRIPE_PRODUCT_TEAM: string;
+      STRIPE_PRODUCT_PRO: string;
+      STRIPE_PUBLISHABLE_KEY: string;
+      STRIPE_SECRET_KEY: string;
+      STRIPE_WEBHOOK_SECRET: string;
       TELEMETRY_ENABLED: string;
       LICENSE_KEY: string;
     }

backend/jest.config.ts

@@ -1,9 +1,9 @@
 export default {
-  preset: "ts-jest",
-  testEnvironment: "node",
-  collectCoverageFrom: ["src/*.{js,ts}", "!**/node_modules/**"],
-  modulePaths: ["<rootDir>/src"],
-  testMatch: ["<rootDir>/tests/**/*.test.ts"],
-  setupFiles: ["<rootDir>/test-resources/env-vars.js"],
-  setupFilesAfterEnv: ["<rootDir>/tests/setupTests.ts"],
+  preset: 'ts-jest',
+  testEnvironment: 'node',
+  collectCoverageFrom: ['src/*.{js,ts}', '!**/node_modules/**'],
+  modulePaths: ['<rootDir>/src'],
+  testMatch: ['<rootDir>/tests/**/*.test.ts'],
+  setupFiles: ['<rootDir>/test-resources/env-vars.js'],
+  setupFilesAfterEnv: ['<rootDir>/tests/setupTests.ts']
 };

backend/package.json

@@ -1,44 +1,42 @@
 {
   "dependencies": {
-    "@aws-sdk/client-secrets-manager": "^3.319.0",
-    "@godaddy/terminus": "^4.12.0",
+    "@aws-sdk/client-secrets-manager": "^3.309.0",
+    "@godaddy/terminus": "^4.11.2",
     "@octokit/rest": "^19.0.5",
-    "@sentry/node": "^7.49.0",
-    "@sentry/tracing": "^7.48.0",
+    "@sentry/node": "^7.41.0",
+    "@sentry/tracing": "^7.47.0",
     "@types/crypto-js": "^4.1.1",
     "@types/libsodium-wrappers": "^0.7.10",
     "argon2": "^0.30.3",
-    "aws-sdk": "^2.1364.0",
+    "await-to-js": "^3.0.0",
+    "aws-sdk": "^2.1338.0",
     "axios": "^1.3.5",
     "axios-retry": "^3.4.0",
     "bcrypt": "^5.1.0",
     "bigint-conversion": "^2.4.0",
+    "builder-pattern": "^2.2.0",
     "cookie-parser": "^1.4.6",
     "cors": "^2.8.5",
     "crypto-js": "^4.1.1",
     "dotenv": "^16.0.1",
     "express": "^4.18.1",
-    "express-async-errors": "^3.1.1",
     "express-rate-limit": "^6.7.0",
     "express-validator": "^6.14.2",
     "handlebars": "^4.7.7",
     "helmet": "^5.1.1",
-    "infisical-node": "^1.2.1",
+    "infisical-node": "^1.1.3",
     "js-yaml": "^4.1.0",
     "jsonwebtoken": "^9.0.0",
     "jsrp": "^0.2.4",
     "libsodium-wrappers": "^0.7.10",
     "lodash": "^4.17.21",
     "mongoose": "^6.10.5",
-    "nanoid": "^3.3.6",
-    "node-cache": "^5.1.2",
     "nodemailer": "^6.8.0",
-    "passport": "^0.6.0",
-    "passport-google-oauth20": "^2.0.0",
     "posthog-node": "^2.6.0",
     "query-string": "^7.1.3",
-    "rate-limit-mongo": "^2.3.2",
+    "request-ip": "^3.3.0",
     "rimraf": "^3.0.2",
+    "stripe": "^10.7.0",
     "swagger-autogen": "^2.22.0",
     "swagger-ui-express": "^4.6.2",
     "tweetnacl": "^1.0.3",
@@ -55,7 +53,7 @@
     "start": "node build/index.js",
     "dev": "nodemon",
     "swagger-autogen": "node ./swagger/index.ts",
-    "build": "rimraf ./build && tsc && cp -R ./src/templates ./build && cp -R ./src/data ./build",
+    "build": "rimraf ./build && tsc && cp -R ./src/templates ./build",
     "lint": "eslint . --ext .ts",
     "lint-and-fix": "eslint . --ext .ts --fix",
     "lint-staged": "lint-staged",
@@ -88,8 +86,6 @@
     "@types/lodash": "^4.14.191",
     "@types/node": "^18.11.3",
     "@types/nodemailer": "^6.4.6",
-    "@types/passport": "^1.0.12",
-    "@types/picomatch": "^2.3.0",
     "@types/supertest": "^2.0.12",
     "@types/swagger-jsdoc": "^6.0.1",
     "@types/swagger-ui-express": "^4.1.3",
@@ -97,7 +93,6 @@
     "@typescript-eslint/parser": "^5.40.1",
     "cross-env": "^7.0.3",
     "eslint": "^8.26.0",
-    "eslint-plugin-unused-imports": "^2.0.0",
     "install": "^0.13.0",
     "jest": "^29.3.1",
     "jest-junit": "^15.0.0",

backend/src/config/index.ts

@@ -1,85 +1,69 @@
-import InfisicalClient from "infisical-node";
+import InfisicalClient from 'infisical-node';
 
-export const client = new InfisicalClient({
-  token: process.env.INFISICAL_TOKEN!,
+const client = new InfisicalClient({
+  token: process.env.INFISICAL_TOKEN!
 });
 
-export const getPort = async () => (await client.getSecret("PORT")).secretValue || 4000;
-export const getEncryptionKey = async () => {
-  const secretValue = (await client.getSecret("ENCRYPTION_KEY")).secretValue;
-  return secretValue === "" ? undefined : secretValue;
-}
-export const getRootEncryptionKey = async () => {
-  const secretValue = (await client.getSecret("ROOT_ENCRYPTION_KEY")).secretValue; 
-  return secretValue === "" ? undefined : secretValue;
-}
-export const getInviteOnlySignup = async () => (await client.getSecret("INVITE_ONLY_SIGNUP")).secretValue === "true"
-export const getSaltRounds = async () => parseInt((await client.getSecret("SALT_ROUNDS")).secretValue) || 10;
-export const getJwtAuthLifetime = async () => (await client.getSecret("JWT_AUTH_LIFETIME")).secretValue || "10d";
-export const getJwtAuthSecret = async () => (await client.getSecret("JWT_AUTH_SECRET")).secretValue;
-export const getJwtMfaLifetime = async () => (await client.getSecret("JWT_MFA_LIFETIME")).secretValue || "5m";
-export const getJwtMfaSecret = async () => (await client.getSecret("JWT_MFA_LIFETIME")).secretValue || "5m";
-export const getJwtRefreshLifetime = async () => (await client.getSecret("JWT_REFRESH_LIFETIME")).secretValue || "90d";
-export const getJwtRefreshSecret = async () => (await client.getSecret("JWT_REFRESH_SECRET")).secretValue;
-export const getJwtServiceSecret = async () => (await client.getSecret("JWT_SERVICE_SECRET")).secretValue;
-export const getJwtSignupLifetime = async () => (await client.getSecret("JWT_SIGNUP_LIFETIME")).secretValue || "15m";
-export const getJwtProviderAuthSecret = async () => (await client.getSecret("JWT_PROVIDER_AUTH_SECRET")).secretValue;
-export const getJwtProviderAuthLifetime = async () => (await client.getSecret("JWT_PROVIDER_AUTH_LIFETIME")).secretValue || "15m";
-export const getJwtSignupSecret = async () => (await client.getSecret("JWT_SIGNUP_SECRET")).secretValue;
-export const getMongoURL = async () => (await client.getSecret("MONGO_URL")).secretValue;
-export const getNodeEnv = async () => (await client.getSecret("NODE_ENV")).secretValue || "production";
-export const getVerboseErrorOutput = async () => (await client.getSecret("VERBOSE_ERROR_OUTPUT")).secretValue === "true" && true;
-export const getLokiHost = async () => (await client.getSecret("LOKI_HOST")).secretValue;
-export const getClientIdAzure = async () => (await client.getSecret("CLIENT_ID_AZURE")).secretValue;
-export const getClientIdHeroku = async () => (await client.getSecret("CLIENT_ID_HEROKU")).secretValue;
-export const getClientIdVercel = async () => (await client.getSecret("CLIENT_ID_VERCEL")).secretValue;
-export const getClientIdNetlify = async () => (await client.getSecret("CLIENT_ID_NETLIFY")).secretValue;
-export const getClientIdGitHub = async () => (await client.getSecret("CLIENT_ID_GITHUB")).secretValue;
-export const getClientIdGitLab = async () => (await client.getSecret("CLIENT_ID_GITLAB")).secretValue;
-export const getClientIdGoogle = async () => (await client.getSecret("CLIENT_ID_GOOGLE")).secretValue;
-export const getClientSecretAzure = async () => (await client.getSecret("CLIENT_SECRET_AZURE")).secretValue;
-export const getClientSecretHeroku = async () => (await client.getSecret("CLIENT_SECRET_HEROKU")).secretValue;
-export const getClientSecretVercel = async () => (await client.getSecret("CLIENT_SECRET_VERCEL")).secretValue;
-export const getClientSecretNetlify = async () => (await client.getSecret("CLIENT_SECRET_NETLIFY")).secretValue;
-export const getClientSecretGitHub = async () => (await client.getSecret("CLIENT_SECRET_GITHUB")).secretValue;
-export const getClientSecretGitLab = async () => (await client.getSecret("CLIENT_SECRET_GITLAB")).secretValue;
-export const getClientSecretGoogle = async () => (await client.getSecret("CLIENT_SECRET_GOOGLE")).secretValue;
-export const getClientSlugVercel = async () => (await client.getSecret("CLIENT_SLUG_VERCEL")).secretValue;
-export const getPostHogHost = async () => (await client.getSecret("POSTHOG_HOST")).secretValue || "https://app.posthog.com";
-export const getPostHogProjectApiKey = async () => (await client.getSecret("POSTHOG_PROJECT_API_KEY")).secretValue || "phc_nSin8j5q2zdhpFDI1ETmFNUIuTG4DwKVyIigrY10XiE";
-export const getSentryDSN = async () => (await client.getSecret("SENTRY_DSN")).secretValue;
-export const getSiteURL = async () => (await client.getSecret("SITE_URL")).secretValue;
-export const getSmtpHost = async () => (await client.getSecret("SMTP_HOST")).secretValue;
-export const getSmtpSecure = async () => (await client.getSecret("SMTP_SECURE")).secretValue === "true" || false;
-export const getSmtpPort = async () => parseInt((await client.getSecret("SMTP_PORT")).secretValue) || 587;
-export const getSmtpUsername = async () => (await client.getSecret("SMTP_USERNAME")).secretValue;
-export const getSmtpPassword = async () => (await client.getSecret("SMTP_PASSWORD")).secretValue;
-export const getSmtpFromAddress = async () => (await client.getSecret("SMTP_FROM_ADDRESS")).secretValue;
-export const getSmtpFromName = async () => (await client.getSecret("SMTP_FROM_NAME")).secretValue || "Infisical";
-
-export const getLicenseKey = async () => {
-  const secretValue = (await client.getSecret("LICENSE_KEY")).secretValue;
-  return secretValue === "" ? undefined : secretValue;
-}
-export const getLicenseServerKey = async () => {
-  const secretValue = (await client.getSecret("LICENSE_SERVER_KEY")).secretValue;
-  return secretValue === "" ? undefined : secretValue;
-}
-export const getLicenseServerUrl = async () => (await client.getSecret("LICENSE_SERVER_URL")).secretValue || "https://portal.infisical.com";
-
-export const getTelemetryEnabled = async () => (await client.getSecret("TELEMETRY_ENABLED")).secretValue !== "false" && true;
-export const getLoopsApiKey = async () => (await client.getSecret("LOOPS_API_KEY")).secretValue;
-export const getSmtpConfigured = async () => (await client.getSecret("SMTP_HOST")).secretValue == "" || (await client.getSecret("SMTP_HOST")).secretValue == undefined ? false : true
+export const getPort = async () => (await client.getSecret('PORT')).secretValue || 4000;
+export const getInviteOnlySignup = async () => (await client.getSecret('INVITE_ONLY_SIGNUP')).secretValue == undefined ? false : (await client.getSecret('INVITE_ONLY_SIGNUP')).secretValue;
+export const getEncryptionKey = async () => (await client.getSecret('ENCRYPTION_KEY')).secretValue;
+export const getSaltRounds = async () => parseInt((await client.getSecret('SALT_ROUNDS')).secretValue) || 10;
+export const getJwtAuthLifetime = async () => (await client.getSecret('JWT_AUTH_LIFETIME')).secretValue || '10d';
+export const getJwtAuthSecret = async () => (await client.getSecret('JWT_AUTH_SECRET')).secretValue;
+export const getJwtMfaLifetime = async () => (await client.getSecret('JWT_MFA_LIFETIME')).secretValue || '5m';
+export const getJwtMfaSecret = async () => (await client.getSecret('JWT_MFA_LIFETIME')).secretValue || '5m';
+export const getJwtRefreshLifetime = async () => (await client.getSecret('JWT_REFRESH_LIFETIME')).secretValue || '90d';
+export const getJwtRefreshSecret = async () => (await client.getSecret('JWT_REFRESH_SECRET')).secretValue;
+export const getJwtServiceSecret = async () => (await client.getSecret('JWT_SERVICE_SECRET')).secretValue;
+export const getJwtSignupLifetime = async () => (await client.getSecret('JWT_SIGNUP_LIFETIME')).secretValue || '15m';
+export const getJwtSignupSecret = async () => (await client.getSecret('JWT_SIGNUP_SECRET')).secretValue;
+export const getMongoURL = async () => (await client.getSecret('MONGO_URL')).secretValue;
+export const getNodeEnv = async () => (await client.getSecret('NODE_ENV')).secretValue || 'production';
+export const getVerboseErrorOutput = async () => (await client.getSecret('VERBOSE_ERROR_OUTPUT')).secretValue === 'true' && true;
+export const getLokiHost = async () => (await client.getSecret('LOKI_HOST')).secretValue;
+export const getClientIdAzure = async () => (await client.getSecret('CLIENT_ID_AZURE')).secretValue;
+export const getClientIdHeroku = async () => (await client.getSecret('CLIENT_ID_HEROKU')).secretValue;
+export const getClientIdVercel = async () => (await client.getSecret('CLIENT_ID_VERCEL')).secretValue;
+export const getClientIdNetlify = async () => (await client.getSecret('CLIENT_ID_NETLIFY')).secretValue;
+export const getClientIdGitHub = async () => (await client.getSecret('CLIENT_ID_GITHUB')).secretValue;
+export const getClientIdGitLab = async () => (await client.getSecret('CLIENT_ID_GITLAB')).secretValue;
+export const getClientSecretAzure = async () => (await client.getSecret('CLIENT_SECRET_AZURE')).secretValue;
+export const getClientSecretHeroku = async () => (await client.getSecret('CLIENT_SECRET_HEROKU')).secretValue;
+export const getClientSecretVercel = async () => (await client.getSecret('CLIENT_SECRET_VERCEL')).secretValue;
+export const getClientSecretNetlify = async () => (await client.getSecret('CLIENT_SECRET_NETLIFY')).secretValue;
+export const getClientSecretGitHub = async () => (await client.getSecret('CLIENT_SECRET_GITHUB')).secretValue;
+export const getClientSecretGitLab = async () => (await client.getSecret('CLIENT_SECRET_GITLAB')).secretValue;
+export const getClientSlugVercel = async () => (await client.getSecret('CLIENT_SLUG_VERCEL')).secretValue;
+export const getPostHogHost = async () => (await client.getSecret('POSTHOG_HOST')).secretValue || 'https://app.posthog.com';
+export const getPostHogProjectApiKey = async () => (await client.getSecret('POSTHOG_PROJECT_API_KEY')).secretValue || 'phc_nSin8j5q2zdhpFDI1ETmFNUIuTG4DwKVyIigrY10XiE';
+export const getSentryDSN = async () => (await client.getSecret('SENTRY_DSN')).secretValue;
+export const getSiteURL = async () => (await client.getSecret('SITE_URL')).secretValue;
+export const getSmtpHost = async () => (await client.getSecret('SMTP_HOST')).secretValue;
+export const getSmtpSecure = async () => (await client.getSecret('SMTP_SECURE')).secretValue === 'true' || false;
+export const getSmtpPort = async () => parseInt((await client.getSecret('SMTP_PORT')).secretValue) || 587;
+export const getSmtpUsername = async () => (await client.getSecret('SMTP_USERNAME')).secretValue;
+export const getSmtpPassword = async () => (await client.getSecret('SMTP_PASSWORD')).secretValue;
+export const getSmtpFromAddress = async () => (await client.getSecret('SMTP_FROM_ADDRESS')).secretValue;
+export const getSmtpFromName = async () => (await client.getSecret('SMTP_FROM_NAME')).secretValue || 'Infisical';
+export const getStripeProductStarter = async () => (await client.getSecret('STRIPE_PRODUCT_STARTER')).secretValue;
+export const getStripeProductPro = async () => (await client.getSecret('STRIPE_PRODUCT_PRO')).secretValue;
+export const getStripeProductTeam = async () => (await client.getSecret('STRIPE_PRODUCT_TEAM')).secretValue;
+export const getStripePublishableKey = async () => (await client.getSecret('STRIPE_PUBLISHABLE_KEY')).secretValue;
+export const getStripeSecretKey = async () => (await client.getSecret('STRIPE_SECRET_KEY')).secretValue;
+export const getStripeWebhookSecret = async () => (await client.getSecret('STRIPE_WEBHOOK_SECRET')).secretValue;
+export const getTelemetryEnabled = async () => (await client.getSecret('TELEMETRY_ENABLED')).secretValue !== 'false' && true;
+export const getLoopsApiKey = async () => (await client.getSecret('LOOPS_API_KEY')).secretValue;
+export const getSmtpConfigured = async () => (await client.getSecret('SMTP_HOST')).secretValue == '' || (await client.getSecret('SMTP_HOST')).secretValue == undefined ? false : true
 export const getHttpsEnabled = async () => {
   if ((await getNodeEnv()) != "production") {
     // no https for anything other than prod
     return false
   }
 
-  if ((await client.getSecret("HTTPS_ENABLED")).secretValue == undefined || (await client.getSecret("HTTPS_ENABLED")).secretValue == "") {
+  if ((await client.getSecret('HTTPS_ENABLED')).secretValue == undefined || (await client.getSecret('HTTPS_ENABLED')).secretValue == "") {
     // default when no value present
     return true
   }
 
-  return (await client.getSecret("HTTPS_ENABLED")).secretValue === "true" && true
-}
+  return (await client.getSecret('HTTPS_ENABLED')).secretValue === 'true' && true
+}

backend/src/config/request.ts

@@ -1,24 +1,10 @@
-import axios from "axios";
-import axiosRetry from "axios-retry";
-import {
-  getLicenseKeyAuthToken,
-  getLicenseServerKeyAuthToken,
-  setLicenseKeyAuthToken,
-  setLicenseServerKeyAuthToken,
-} from "./storage";
-import {
-  getLicenseKey,
-  getLicenseServerKey, 
-  getLicenseServerUrl,
-} from "./index";
+import axios from 'axios';
+import axiosRetry from 'axios-retry';
 
-// should have JWT to interact with the license server
-export const licenseServerKeyRequest = axios.create();
-export const licenseKeyRequest = axios.create();
-export const standardRequest = axios.create();
+const axiosInstance = axios.create();
 
 // add retry functionality to the axios instance
-axiosRetry(standardRequest, {
+axiosRetry(axiosInstance, {
   retries: 3,
   retryDelay: axiosRetry.exponentialDelay, // exponential back-off delay between retries
   retryCondition: (error) => {
@@ -27,98 +13,4 @@ axiosRetry(standardRequest, {
   },
 });
 
-export const refreshLicenseServerKeyToken = async () => {
-  const licenseServerKey = await getLicenseServerKey();
-  const licenseServerUrl = await getLicenseServerUrl();
-
-  const { data: { token } } = await standardRequest.post(
-    `${licenseServerUrl}/api/auth/v1/license-server-login`, {},
-    {
-      headers: {
-        "X-API-KEY": licenseServerKey,
-      },
-    }
-  );
-
-  setLicenseServerKeyAuthToken(token);
-
-  return token;
-}
-
-export const refreshLicenseKeyToken = async () => {
-  const licenseKey = await getLicenseKey();
-  const licenseServerUrl = await getLicenseServerUrl();
-
-  const { data: { token } } = await standardRequest.post(
-    `${licenseServerUrl}/api/auth/v1/license-login`, {},
-    {
-      headers: {
-        "X-API-KEY": licenseKey,
-      },
-    }
-  );
-
-  setLicenseKeyAuthToken(token);
-
-  return token;
-}
-
-licenseServerKeyRequest.interceptors.request.use((config) => {
-  const token = getLicenseServerKeyAuthToken();
-
-  if (token && config.headers) {
-      // eslint-disable-next-line no-param-reassign
-      config.headers.Authorization = `Bearer ${token}`;
-  }
-  return config;
-}, (err) => {
-  return Promise.reject(err);
-});
-
-licenseServerKeyRequest.interceptors.response.use((response) => {
-  return response
-}, async function (err) {
-  const originalRequest = err.config;
-  
-  if (err.response.status === 401 && !originalRequest._retry) {
-    originalRequest._retry = true;
-    
-    // refresh
-    const token = await refreshLicenseServerKeyToken();            
-    
-    axios.defaults.headers.common["Authorization"] = "Bearer " + token;
-    return licenseServerKeyRequest(originalRequest);
-  }
-
-  return Promise.reject(err);
-});
-
-licenseKeyRequest.interceptors.request.use((config) => {
-  const token = getLicenseKeyAuthToken();
-
-  if (token && config.headers) {
-      // eslint-disable-next-line no-param-reassign
-      config.headers.Authorization = `Bearer ${token}`;
-  }
-  return config;
-}, (err) => {
-  return Promise.reject(err);
-});
-
-licenseKeyRequest.interceptors.response.use((response) => {
-  return response
-}, async function (err) {
-  const originalRequest = err.config;
-  
-  if (err.response.status === 401 && !originalRequest._retry) {
-    originalRequest._retry = true;
-    
-    // refresh
-    const token = await refreshLicenseKeyToken();            
-    
-    axios.defaults.headers.common["Authorization"] = "Bearer " + token;
-    return licenseKeyRequest(originalRequest);
-  }
-
-  return Promise.reject(err);
-});
+export default axiosInstance;

backend/src/config/storage.ts

@@ -1,30 +0,0 @@
-const MemoryLicenseServerKeyTokenStorage = () => {
-    let authToken: string;
-  
-    return {
-      setToken: (token: string) => {
-        authToken = token;
-      },
-      getToken: () => authToken,
-    };
-};
-
-const MemoryLicenseKeyTokenStorage = () => {
-    let authToken: string;
-  
-    return {
-      setToken: (token: string) => {
-        authToken = token;
-      },
-      getToken: () => authToken,
-    };
-};
-
-const licenseServerTokenStorage = MemoryLicenseServerKeyTokenStorage();
-const licenseTokenStorage = MemoryLicenseKeyTokenStorage();
-
-export const getLicenseServerKeyAuthToken = licenseServerTokenStorage.getToken;
-export const setLicenseServerKeyAuthToken = licenseServerTokenStorage.setToken;
-
-export const getLicenseKeyAuthToken = licenseTokenStorage.getToken;
-export const setLicenseKeyAuthToken = licenseTokenStorage.setToken;

backend/src/controllers/v1/authController.ts

@@ -1,39 +1,29 @@
-import { Request, Response } from "express";
-import fs from "fs";
-import path from "path";
-import jwt from "jsonwebtoken";
-import * as bigintConversion from "bigint-conversion";
+import * as Sentry from '@sentry/node';
+import { Request, Response } from 'express';
+import jwt from 'jsonwebtoken';
+import * as bigintConversion from 'bigint-conversion';
 // eslint-disable-next-line @typescript-eslint/no-var-requires
-const jsrp = require("jsrp");
-import { 
-  LoginSRPDetail, 
-  TokenVersion,
-  User,
-} from "../../models";
-import { clearTokens, createToken, issueAuthTokens } from "../../helpers/auth";
-import { checkUserDevice } from "../../helpers/user";
+const jsrp = require('jsrp');
+import { User, LoginSRPDetail } from '../../models';
+import { createToken, issueAuthTokens, clearTokens } from '../../helpers/auth';
+import { checkUserDevice } from '../../helpers/user';
 import {
   ACTION_LOGIN,
-  ACTION_LOGOUT,
-  AUTH_MODE_JWT,
-} from "../../variables";
-import { 
-  BadRequestError,
-  UnauthorizedRequestError,
-} from "../../utils/errors";
-import { EELogService } from "../../ee/services";
-import { getChannelFromUserAgent } from "../../utils/posthog";
+  ACTION_LOGOUT
+} from '../../variables';
+import { BadRequestError } from '../../utils/errors';
+import { EELogService } from '../../ee/services';
+import { getChannelFromUserAgent } from '../../utils/posthog'; // TODO: move this
 import {
-  getHttpsEnabled,
+  getJwtRefreshSecret,
   getJwtAuthLifetime,
   getJwtAuthSecret,
-  getJwtRefreshSecret,
-} from "../../config";
+  getHttpsEnabled
+} from '../../config';
 
-declare module "jsonwebtoken" {
+declare module 'jsonwebtoken' {
   export interface UserIDJwtPayload extends jwt.JwtPayload {
     userId: string;
-    refreshVersion?: number;
   }
 }
 
@@ -44,39 +34,47 @@ declare module "jsonwebtoken" {
  * @returns
  */
 export const login1 = async (req: Request, res: Response) => {
-  const {
-    email,
-    clientPublicKey,
-  }: { email: string; clientPublicKey: string } = req.body;
+  try {
+    const {
+      email,
+      clientPublicKey
+    }: { email: string; clientPublicKey: string } = req.body;
 
-  const user = await User.findOne({
-    email,
-  }).select("+salt +verifier");
+    const user = await User.findOne({
+      email
+    }).select('+salt +verifier');
 
-  if (!user) throw new Error("Failed to find user");
+    if (!user) throw new Error('Failed to find user');
 
-  const server = new jsrp.server();
-  server.init(
-    {
-      salt: user.salt,
-      verifier: user.verifier,
-    },
-    async () => {
-      // generate server-side public key
-      const serverPublicKey = server.getPublicKey();
-
-      await LoginSRPDetail.findOneAndReplace({ email: email }, {
-        email: email,
-        clientPublicKey: clientPublicKey,
-        serverBInt: bigintConversion.bigintToBuf(server.bInt),
-      }, { upsert: true, returnNewDocument: false })
-
-      return res.status(200).send({
-        serverPublicKey,
+    const server = new jsrp.server();
+    server.init(
+      {
         salt: user.salt,
-      });
-    }
-  );
+        verifier: user.verifier
+      },
+      async () => {
+        // generate server-side public key
+        const serverPublicKey = server.getPublicKey();
+
+        await LoginSRPDetail.findOneAndReplace({ email: email }, {
+          email: email,
+          clientPublicKey: clientPublicKey,
+          serverBInt: bigintConversion.bigintToBuf(server.bInt),
+        }, { upsert: true, returnNewDocument: false })
+
+        return res.status(200).send({
+          serverPublicKey,
+          salt: user.salt
+        });
+      }
+    );
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: 'Failed to start authentication process'
+    });
+  }
 };
 
 /**
@@ -87,80 +85,84 @@ export const login1 = async (req: Request, res: Response) => {
  * @returns
  */
 export const login2 = async (req: Request, res: Response) => {
-  const { email, clientProof } = req.body;
-  const user = await User.findOne({
-    email,
-  }).select("+salt +verifier +publicKey +encryptedPrivateKey +iv +tag");
+  try {
+    const { email, clientProof } = req.body;
+    const user = await User.findOne({
+      email
+    }).select('+salt +verifier +publicKey +encryptedPrivateKey +iv +tag');
 
-  if (!user) throw new Error("Failed to find user");
+    if (!user) throw new Error('Failed to find user');
 
-  const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: email })
+    const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: email })
 
-  if (!loginSRPDetailFromDB) {
-    return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
-  }
+    if (!loginSRPDetailFromDB) {
+      return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
+    }
 
-  const server = new jsrp.server();
-  server.init(
-    {
-      salt: user.salt,
-      verifier: user.verifier,
-      b: loginSRPDetailFromDB.serverBInt,
-    },
-    async () => {
-      server.setClientPublicKey(loginSRPDetailFromDB.clientPublicKey);
+    const server = new jsrp.server();
+    server.init(
+      {
+        salt: user.salt,
+        verifier: user.verifier,
+        b: loginSRPDetailFromDB.serverBInt
+      },
+      async () => {
+        server.setClientPublicKey(loginSRPDetailFromDB.clientPublicKey);
 
-      // compare server and client shared keys
-      if (server.checkClientProof(clientProof)) {
-        // issue tokens
+        // compare server and client shared keys
+        if (server.checkClientProof(clientProof)) {
+          // issue tokens
 
-        await checkUserDevice({
-          user,
-          ip: req.realIP,
-          userAgent: req.headers["user-agent"] ?? "",
-        });
+          await checkUserDevice({
+            user,
+            ip: req.ip,
+            userAgent: req.headers['user-agent'] ?? ''
+          });
 
-        const tokens = await issueAuthTokens({ 
-          userId: user._id,
-          ip: req.realIP,
-          userAgent: req.headers["user-agent"] ?? "",
-        });
+          const tokens = await issueAuthTokens({ userId: user._id.toString() });
 
-        // store (refresh) token in httpOnly cookie
-        res.cookie("jid", tokens.refreshToken, {
-          httpOnly: true,
-          path: "/",
-          sameSite: "strict",
-          secure: await getHttpsEnabled(),
-        });
+          // store (refresh) token in httpOnly cookie
+          res.cookie('jid', tokens.refreshToken, {
+            httpOnly: true,
+            path: '/',
+            sameSite: 'strict',
+            secure: await getHttpsEnabled()
+          });
 
-        const loginAction = await EELogService.createAction({
-          name: ACTION_LOGIN,
-          userId: user._id,
-        });
+          const loginAction = await EELogService.createAction({
+            name: ACTION_LOGIN,
+            userId: user._id
+          });
 
-        loginAction && await EELogService.createLog({
-          userId: user._id,
-          actions: [loginAction],
-          channel: getChannelFromUserAgent(req.headers["user-agent"]),
-          ipAddress: req.realIP,
-        });
+          loginAction && await EELogService.createLog({
+            userId: user._id,
+            actions: [loginAction],
+            channel: getChannelFromUserAgent(req.headers['user-agent']),
+            ipAddress: req.ip
+          });
 
-        // return (access) token in response
-        return res.status(200).send({
-          token: tokens.token,
-          publicKey: user.publicKey,
-          encryptedPrivateKey: user.encryptedPrivateKey,
-          iv: user.iv,
-          tag: user.tag,
+          // return (access) token in response
+          return res.status(200).send({
+            token: tokens.token,
+            publicKey: user.publicKey,
+            encryptedPrivateKey: user.encryptedPrivateKey,
+            iv: user.iv,
+            tag: user.tag
+          });
+        }
+
+        return res.status(400).send({
+          message: 'Failed to authenticate. Try again?'
         });
       }
-
-      return res.status(400).send({
-        message: "Failed to authenticate. Try again?",
-      });
-    }
-  );
+    );
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: 'Failed to authenticate. Try again?'
+    });
+  }
 };
 
 /**
@@ -170,59 +172,44 @@ export const login2 = async (req: Request, res: Response) => {
  * @returns
  */
 export const logout = async (req: Request, res: Response) => {
-  if (req.authData.authMode === AUTH_MODE_JWT && req.authData.authPayload instanceof User && req.authData.tokenVersionId) {
-    await clearTokens(req.authData.tokenVersionId)
+  try {
+    await clearTokens({
+      userId: req.user._id.toString()
+    });
+
+    // clear httpOnly cookie
+    res.cookie('jid', '', {
+      httpOnly: true,
+      path: '/',
+      sameSite: 'strict',
+      secure: (await getHttpsEnabled()) as boolean
+    });
+
+    const logoutAction = await EELogService.createAction({
+      name: ACTION_LOGOUT,
+      userId: req.user._id
+    });
+
+    logoutAction && await EELogService.createLog({
+      userId: req.user._id,
+      actions: [logoutAction],
+      channel: getChannelFromUserAgent(req.headers['user-agent']),
+      ipAddress: req.ip
+    });
+
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: 'Failed to logout'
+    });
   }
 
-  // clear httpOnly cookie
-  res.cookie("jid", "", {
-    httpOnly: true,
-    path: "/",
-    sameSite: "strict",
-    secure: (await getHttpsEnabled()) as boolean,
-  });
-
-  const logoutAction = await EELogService.createAction({
-    name: ACTION_LOGOUT,
-    userId: req.user._id,
-  });
-
-  logoutAction && await EELogService.createLog({
-    userId: req.user._id,
-    actions: [logoutAction],
-    channel: getChannelFromUserAgent(req.headers["user-agent"]),
-    ipAddress: req.realIP,
-  });
-
   return res.status(200).send({
-    message: "Successfully logged out.",
+    message: 'Successfully logged out.'
   });
 };
 
-export const getCommonPasswords = async (req: Request, res: Response) => {
-  const commonPasswords = fs.readFileSync(
-		path.resolve(__dirname, "../../data/" + "common_passwords.txt"),
-		"utf8"
-	).split("\n");	
-
-  return res.status(200).send(commonPasswords);
-}
-
-export const revokeAllSessions = async (req: Request, res: Response) => {
-  await TokenVersion.updateMany({
-    user: req.user._id,
-  }, {
-    $inc: {
-      refreshVersion: 1,
-      accessVersion: 1,
-    },
-  });
-
-  return res.status(200).send({
-    message: "Successfully revoked all sessions.",
-  }); 
-}
-
 /**
  * Return user is authenticated
  * @param req
@@ -231,60 +218,52 @@ export const revokeAllSessions = async (req: Request, res: Response) => {
  */
 export const checkAuth = async (req: Request, res: Response) => {
   return res.status(200).send({
-    message: "Authenticated",
+    message: 'Authenticated'
   });
 }
 
 /**
- * Return new JWT access token by first validating the refresh token
+ * Return new token by redeeming refresh token
  * @param req
  * @param res
  * @returns
  */
 export const getNewToken = async (req: Request, res: Response) => {
-  const refreshToken = req.cookies.jid;
+  try {
+    const refreshToken = req.cookies.jid;
 
-  if (!refreshToken) throw BadRequestError({
-    message: "Failed to find refresh token in request cookies"
-  });
+    if (!refreshToken) {
+      throw new Error('Failed to find token in request cookies');
+    }
 
-  const decodedToken = <jwt.UserIDJwtPayload>(
-    jwt.verify(refreshToken, await getJwtRefreshSecret())
-  );
+    const decodedToken = <jwt.UserIDJwtPayload>(
+      jwt.verify(refreshToken, await getJwtRefreshSecret())
+    );
 
-  const user = await User.findOne({
-    _id: decodedToken.userId,
-  }).select("+publicKey +refreshVersion +accessVersion");
+    const user = await User.findOne({
+      _id: decodedToken.userId
+    }).select('+publicKey');
 
-  if (!user) throw new Error("Failed to authenticate unfound user");
-  if (!user?.publicKey)
-    throw new Error("Failed to authenticate not fully set up account");
-  
-  const tokenVersion = await TokenVersion.findById(decodedToken.tokenVersionId);
+    if (!user) throw new Error('Failed to authenticate unfound user');
+    if (!user?.publicKey)
+      throw new Error('Failed to authenticate not fully set up account');
 
-  if (!tokenVersion) throw UnauthorizedRequestError({
-    message: "Failed to validate refresh token",
-  });
+    const token = createToken({
+      payload: {
+        userId: decodedToken.userId
+      },
+      expiresIn: await getJwtAuthLifetime(),
+      secret: await getJwtAuthSecret()
+    });
 
-  if (decodedToken.refreshVersion !== tokenVersion.refreshVersion) throw BadRequestError({
-    message: "Failed to validate refresh token",
-  });
-
-  const token = createToken({
-    payload: {
-      userId: decodedToken.userId,
-      tokenVersionId: tokenVersion._id.toString(),
-      accessVersion: tokenVersion.refreshVersion,
-    },
-    expiresIn: await getJwtAuthLifetime(),
-    secret: await getJwtAuthSecret(),
-  });
-
-  return res.status(200).send({
-    token,
-  });
+    return res.status(200).send({
+      token
+    });
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: 'Invalid request'
+    });
+  }
 };
-
-export const handleAuthProviderCallback = (req: Request, res: Response) => {
-  res.redirect(`/login/provider/success?token=${encodeURIComponent(req.providerAuthToken)}`);
-}

backend/src/controllers/v1/botController.ts

@@ -1,7 +1,8 @@
-import { Request, Response } from "express";
-import { Types } from "mongoose";
-import { Bot, BotKey } from "../../models";
-import { createBot } from "../../helpers/bot";
+import { Request, Response } from 'express';
+import { Types } from 'mongoose';
+import * as Sentry from '@sentry/node';
+import { Bot, BotKey } from '../../models';
+import { createBot } from '../../helpers/bot';
 
 interface BotKey {
     encryptedKey: string;
@@ -16,24 +17,33 @@ interface BotKey {
  * @returns
  */
 export const getBotByWorkspaceId = async (req: Request, res: Response) => {
-  const { workspaceId } = req.params;
+    let bot;
+	try {
+        const { workspaceId } = req.params;
 
-  let bot = await Bot.findOne({
-      workspace: workspaceId,
-  });
-  
-  if (!bot) {
-      // case: bot doesn't exist for workspace with id [workspaceId]
-      // -> create a new bot and return it
-      bot = await createBot({
-          name: "Infisical Bot",
-          workspaceId: new Types.ObjectId(workspaceId),
-      });
-  }
+        bot = await Bot.findOne({
+            workspace: workspaceId
+        });
+        
+        if (!bot) {
+            // case: bot doesn't exist for workspace with id [workspaceId]
+            // -> create a new bot and return it
+            bot = await createBot({
+                name: 'Infisical Bot',
+                workspaceId: new Types.ObjectId(workspaceId)
+            });
+        }
+	} catch (err) {
+        Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+        return res.status(400).send({
+			message: 'Failed to get bot for workspace'
+		});
+	}
     
-  return res.status(200).send({
-      bot,
-  });
+    return res.status(200).send({
+        bot
+    });
 };
 
 /**
@@ -43,46 +53,56 @@ export const getBotByWorkspaceId = async (req: Request, res: Response) => {
  * @returns
  */
 export const setBotActiveState = async (req: Request, res: Response) => {
-    const { isActive, botKey }: { isActive: boolean, botKey: BotKey } = req.body;
-    
-    if (isActive) {
-        // bot state set to active -> share workspace key with bot
-        if (!botKey?.encryptedKey || !botKey?.nonce) {
-            return res.status(400).send({
-                message: "Failed to set bot state to active - missing bot key",
+    let bot;
+	try {
+        const { isActive, botKey }: { isActive: boolean, botKey: BotKey } = req.body;
+        
+        if (isActive) {
+            // bot state set to active -> share workspace key with bot
+            if (!botKey?.encryptedKey || !botKey?.nonce) {
+                return res.status(400).send({
+                    message: 'Failed to set bot state to active - missing bot key'
+                });
+            }
+            
+            await BotKey.findOneAndUpdate({
+                workspace: req.bot.workspace
+            }, {
+                encryptedKey: botKey.encryptedKey,
+                nonce: botKey.nonce,
+                sender: req.user._id,
+                bot: req.bot._id,
+                workspace: req.bot.workspace
+            }, {
+                upsert: true,
+                new: true
+            });
+        } else {
+            // case: bot state set to inactive -> delete bot's workspace key
+            await BotKey.deleteOne({
+                bot: req.bot._id
             });
         }
-        
-        await BotKey.findOneAndUpdate({
-            workspace: req.bot.workspace,
-        }, {
-            encryptedKey: botKey.encryptedKey,
-            nonce: botKey.nonce,
-            sender: req.user._id,
-            bot: req.bot._id,
-            workspace: req.bot.workspace,
-        }, {
-            upsert: true,
-            new: true,
-        });
-    } else {
-        // case: bot state set to inactive -> delete bot's workspace key
-        await BotKey.deleteOne({
-            bot: req.bot._id,
-        });
-    }
 
-    const bot = await Bot.findOneAndUpdate({
-        _id: req.bot._id,
-    }, {
-        isActive,
-    }, {
-        new: true,
-    });
-    
-    if (!bot) throw new Error("Failed to update bot active state");
+        bot = await Bot.findOneAndUpdate({
+            _id: req.bot._id
+        }, {
+            isActive
+        }, {
+            new: true
+        });
+        
+        if (!bot) throw new Error('Failed to update bot active state');
+        
+	} catch (err) {
+        Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+        return res.status(400).send({
+			message: 'Failed to update bot active state'
+		});
+	}
     
     return res.status(200).send({
-        bot,
+        bot
     });
 };

backend/src/controllers/v1/index.ts

@@ -1,19 +1,19 @@
-import * as authController from "./authController";
-import * as botController from "./botController";
-import * as integrationAuthController from "./integrationAuthController";
-import * as integrationController from "./integrationController";
-import * as keyController from "./keyController";
-import * as membershipController from "./membershipController";
-import * as membershipOrgController from "./membershipOrgController";
-import * as organizationController from "./organizationController";
-import * as passwordController from "./passwordController";
-import * as secretController from "./secretController";
-import * as serviceTokenController from "./serviceTokenController";
-import * as signupController from "./signupController";
-import * as userActionController from "./userActionController";
-import * as userController from "./userController";
-import * as workspaceController from "./workspaceController";
-import * as secretScanningController from "./secretScanningController";
+import * as authController from './authController';
+import * as botController from './botController';
+import * as integrationAuthController from './integrationAuthController';
+import * as integrationController from './integrationController';
+import * as keyController from './keyController';
+import * as membershipController from './membershipController';
+import * as membershipOrgController from './membershipOrgController';
+import * as organizationController from './organizationController';
+import * as passwordController from './passwordController';
+import * as secretController from './secretController';
+import * as serviceTokenController from './serviceTokenController';
+import * as signupController from './signupController';
+import * as stripeController from './stripeController';
+import * as userActionController from './userActionController';
+import * as userController from './userController';
+import * as workspaceController from './workspaceController';
 
 export {
 	authController,
@@ -28,8 +28,8 @@ export {
 	secretController,
 	serviceTokenController,
 	signupController,
+	stripeController,
 	userActionController,
 	userController,
-	workspaceController,
-	secretScanningController
+	workspaceController
 };

backend/src/controllers/v1/integrationAuthController.ts

@@ -1,41 +1,54 @@
-import { Request, Response } from "express";
-import { Types } from "mongoose";
-import { standardRequest } from "../../config/request";
-import { getApps, getTeams, revokeAccess } from "../../integrations";
-import { Bot, IntegrationAuth } from "../../models";
-import { IntegrationService } from "../../services";
+import { Request, Response } from 'express';
+import { Types } from 'mongoose';
+import * as Sentry from '@sentry/node';
 import {
-  ALGORITHM_AES_256_GCM,
-  ENCODING_SCHEME_UTF8,
-  INTEGRATION_RAILWAY_API_URL,
-  INTEGRATION_SET,
-  INTEGRATION_VERCEL_API_URL,
-  getIntegrationOptions as getIntegrationOptionsFunc
-} from "../../variables";
+	IntegrationAuth,
+	Bot 
+} from '../../models';
+import { INTEGRATION_SET, getIntegrationOptions as getIntegrationOptionsFunc } from '../../variables';
+import { IntegrationService } from '../../services';
+import {
+	getApps, 
+	getTeams,
+	revokeAccess 
+} from '../../integrations';
+import {
+	INTEGRATION_VERCEL_API_URL,
+	INTEGRATION_RAILWAY_API_URL
+} from '../../variables';
+import request from '../../config/request';
 
 /***
  * Return integration authorization with id [integrationAuthId]
  */
 export const getIntegrationAuth = async (req: Request, res: Response) => {
-  const { integrationAuthId } = req.params;
-  const integrationAuth = await IntegrationAuth.findById(integrationAuthId);
-
-  if (!integrationAuth)
-    return res.status(400).send({
-      message: "Failed to find integration authorization"
-    });
-
-  return res.status(200).send({
-    integrationAuth
-  });
-};
+	let integrationAuth;
+	try {
+		const { integrationAuthId } = req.params;
+		integrationAuth = await IntegrationAuth.findById(integrationAuthId);
+		
+		if (!integrationAuth) return res.status(400).send({
+			message: 'Failed to find integration authorization'
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get integration authorization'
+		});	
+	}
+	
+	return res.status(200).send({
+		integrationAuth
+	});
+}
 
 export const getIntegrationOptions = async (req: Request, res: Response) => {
-  const INTEGRATION_OPTIONS = await getIntegrationOptionsFunc();
+	const INTEGRATION_OPTIONS = await getIntegrationOptionsFunc();
 
-  return res.status(200).send({
-    integrationOptions: INTEGRATION_OPTIONS
-  });
+	return res.status(200).send({
+		integrationOptions: INTEGRATION_OPTIONS,
+	});
 };
 
 /**
@@ -44,94 +57,105 @@ export const getIntegrationOptions = async (req: Request, res: Response) => {
  * @param res
  * @returns
  */
-export const oAuthExchange = async (req: Request, res: Response) => {
-  const { workspaceId, code, integration } = req.body;
-  if (!INTEGRATION_SET.has(integration)) throw new Error("Failed to validate integration");
-
-  const environments = req.membership.workspace?.environments || [];
-  if (environments.length === 0) {
-    throw new Error("Failed to get environments");
-  }
-
-  const integrationAuth = await IntegrationService.handleOAuthExchange({
-    workspaceId,
-    integration,
-    code,
-    environment: environments[0].slug
-  });
-
-  return res.status(200).send({
-    integrationAuth
-  });
+export const oAuthExchange = async (
+	req: Request,
+	res: Response
+) => {
+	try {
+		const { workspaceId, code, integration } = req.body;
+		if (!INTEGRATION_SET.has(integration))
+			throw new Error('Failed to validate integration');
+		
+		const environments = req.membership.workspace?.environments || [];
+		if(environments.length === 0){
+			throw new Error("Failed to get environments")
+		}
+	
+		const integrationAuth = await IntegrationService.handleOAuthExchange({
+			workspaceId,
+			integration,
+			code,
+			environment: environments[0].slug,
+		});
+		
+		return res.status(200).send({
+			integrationAuth
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get OAuth2 code-token exchange'
+		});
+	}
 };
 
 /**
  * Save integration access token and (optionally) access id as part of integration
  * [integration] for workspace with id [workspaceId]
- * @param req
- * @param res
+ * @param req 
+ * @param res 
  */
-export const saveIntegrationAccessToken = async (req: Request, res: Response) => {
-  // TODO: refactor
-  // TODO: check if access token is valid for each integration
+export const saveIntegrationAccessToken = async (
+  req: Request,
+  res: Response
+) => {
+	// TODO: refactor
+	// TODO: check if access token is valid for each integration
 
-  let integrationAuth;
-  const {
-    workspaceId,
-    accessId,
-    accessToken,
-    url,
-    namespace,
-    integration
-  }: {
-    workspaceId: string;
-    accessId: string | null;
-    accessToken: string;
-    url: string;
-    namespace: string;
-    integration: string;
-  } = req.body;
+	let integrationAuth;
+	try {
+		const {
+			workspaceId,
+			accessId,
+			accessToken,
+			integration
+		}: {
+			workspaceId: string;
+			accessId: string | null;
+			accessToken: string;
+			integration: string;
+		} = req.body;
 
-  const bot = await Bot.findOne({
-    workspace: new Types.ObjectId(workspaceId),
-    isActive: true
-  });
+		const bot = await Bot.findOne({
+            workspace: new Types.ObjectId(workspaceId),
+            isActive: true
+        });
+        
+        if (!bot) throw new Error('Bot must be enabled to save integration access token');
 
-  if (!bot) throw new Error("Bot must be enabled to save integration access token");
-
-  integrationAuth = await IntegrationAuth.findOneAndUpdate(
-    {
-      workspace: new Types.ObjectId(workspaceId),
-      integration
-    },
-    {
-      workspace: new Types.ObjectId(workspaceId),
-      integration,
-      url,
-      namespace,
-      algorithm: ALGORITHM_AES_256_GCM,
-      keyEncoding: ENCODING_SCHEME_UTF8
-    },
-    {
-      new: true,
-      upsert: true
-    }
-  );
-
-  // encrypt and save integration access details
-  integrationAuth = await IntegrationService.setIntegrationAuthAccess({
-    integrationAuthId: integrationAuth._id.toString(),
-    accessId,
-    accessToken,
-    accessExpiresAt: undefined
-  });
-
-  if (!integrationAuth) throw new Error("Failed to save integration access token");
-
-  return res.status(200).send({
-    integrationAuth
-  });
-};
+		integrationAuth = await IntegrationAuth.findOneAndUpdate({
+            workspace: new Types.ObjectId(workspaceId),
+            integration
+        }, {
+            workspace: new Types.ObjectId(workspaceId),
+            integration
+		}, {
+            new: true,
+            upsert: true
+        });
+		
+		// encrypt and save integration access details
+		integrationAuth = await IntegrationService.setIntegrationAuthAccess({
+			integrationAuthId: integrationAuth._id.toString(),
+			accessId,
+			accessToken,
+			accessExpiresAt: undefined
+		});
+		
+		if (!integrationAuth) throw new Error('Failed to save integration access token');
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to save access token for integration'
+		});
+	}
+	
+	return res.status(200).send({
+		integrationAuth
+	});
+}
 
 /**
  * Return list of applications allowed for integration with integration authorization id [integrationAuthId]
@@ -140,109 +164,117 @@ export const saveIntegrationAccessToken = async (req: Request, res: Response) =>
  * @returns
  */
 export const getIntegrationAuthApps = async (req: Request, res: Response) => {
-  const teamId = req.query.teamId as string;
+	let apps;
+	try {
+		const teamId = req.query.teamId as string;
+		
+		apps = await getApps({
+			integrationAuth: req.integrationAuth,
+			accessToken: req.accessToken,
+			...teamId && { teamId }
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: "Failed to get integration authorization applications",
+		});
+	}
 
-  const apps = await getApps({
-    integrationAuth: req.integrationAuth,
-    accessToken: req.accessToken,
-    accessId: req.accessId,
-    ...(teamId && { teamId })
-  });
-
-  return res.status(200).send({
-    apps
-  });
+	return res.status(200).send({
+		apps
+	});
 };
 
 /**
  * Return list of teams allowed for integration with integration authorization id [integrationAuthId]
- * @param req
- * @param res
- * @returns
+ * @param req 
+ * @param res 
+ * @returns 
  */
 export const getIntegrationAuthTeams = async (req: Request, res: Response) => {
-  const teams = await getTeams({
-    integrationAuth: req.integrationAuth,
-    accessToken: req.accessToken
-  });
-
-  return res.status(200).send({
-    teams
-  });
-};
+	const teams = await getTeams({
+		integrationAuth: req.integrationAuth,
+		accessToken: req.accessToken
+	});
+	
+	return res.status(200).send({
+		teams
+	});
+}
 
 /**
  * Return list of available Vercel (preview) branches for Vercel project with
  * id [appId]
- * @param req
- * @param res
+ * @param req 
+ * @param res 
  */
 export const getIntegrationAuthVercelBranches = async (req: Request, res: Response) => {
-  const appId = req.query.appId as string;
+	const { integrationAuthId } = req.params;
+	const appId = req.query.appId as string;
+	
+	interface VercelBranch {
+		ref: string;
+		lastCommit: string;
+		isProtected: boolean;
+	}
 
-  interface VercelBranch {
-    ref: string;
-    lastCommit: string;
-    isProtected: boolean;
-  }
+	const params = new URLSearchParams({
+		projectId: appId,
+		...(req.integrationAuth.teamId ? {
+			teamId: req.integrationAuth.teamId
+		} : {})
+	});
 
-  const params = new URLSearchParams({
-    projectId: appId,
-    ...(req.integrationAuth.teamId
-      ? {
-          teamId: req.integrationAuth.teamId
-        }
-      : {})
-  });
+	let branches: string[] = [];
+	
+	if (appId && appId !== '') {
+		const { data }: { data: VercelBranch[] } = await request.get(
+			`${INTEGRATION_VERCEL_API_URL}/v1/integrations/git-branches`,
+			{
+				params,
+				headers: {
+					Authorization: `Bearer ${req.accessToken}`,
+					'Accept-Encoding': 'application/json'
+				}
+			}
+		);
+		
+		branches = data.map((b) => b.ref);
+	}
 
-  let branches: string[] = [];
-
-  if (appId && appId !== "") {
-    const { data }: { data: VercelBranch[] } = await standardRequest.get(
-      `${INTEGRATION_VERCEL_API_URL}/v1/integrations/git-branches`,
-      {
-        params,
-        headers: {
-          Authorization: `Bearer ${req.accessToken}`,
-          "Accept-Encoding": "application/json"
-        }
-      }
-    );
-
-    branches = data.map((b) => b.ref);
-  }
-
-  return res.status(200).send({
-    branches
-  });
-};
+	return res.status(200).send({
+		branches
+	});
+}
 
 /**
  * Return list of Railway environments for Railway project with
  * id [appId]
- * @param req
- * @param res
+ * @param req 
+ * @param res 
  */
 export const getIntegrationAuthRailwayEnvironments = async (req: Request, res: Response) => {
-  const appId = req.query.appId as string;
+	const { integrationAuthId } = req.params;
+	const appId = req.query.appId as string;
+	
+	interface RailwayEnvironment {
+		node: {
+			id: string;
+			name: string;
+			isEphemeral: boolean;
+		}
+	}
+	
+	interface Environment {
+		environmentId: string;
+		name: string;
+	}
+	
+	let environments: Environment[] = [];
 
-  interface RailwayEnvironment {
-    node: {
-      id: string;
-      name: string;
-      isEphemeral: boolean;
-    };
-  }
-
-  interface Environment {
-    environmentId: string;
-    name: string;
-  }
-
-  let environments: Environment[] = [];
-
-  if (appId && appId !== "") {
-    const query = `
+	if (appId && appId !== '') {
+		const query = `
 			query GetEnvironments($projectId: String!, $after: String, $before: String, $first: Int, $isEphemeral: Boolean, $last: Int) {
 				environments(projectId: $projectId, after: $after, before: $before, first: $first, isEphemeral: $isEphemeral, last: $last) {
 				edges {
@@ -255,68 +287,59 @@ export const getIntegrationAuthRailwayEnvironments = async (req: Request, res: R
 				}
 			}
 			`;
-
-    const variables = {
-      projectId: appId
-    };
-
-    const {
-      data: {
-        data: {
-          environments: { edges }
-        }
-      }
-    } = await standardRequest.post(
-      INTEGRATION_RAILWAY_API_URL,
-      {
-        query,
-        variables
-      },
-      {
-        headers: {
-          Authorization: `Bearer ${req.accessToken}`,
-          "Content-Type": "application/json"
-        }
-      }
-    );
-
-    environments = edges.map((e: RailwayEnvironment) => {
-      return {
-        name: e.node.name,
-        environmentId: e.node.id
-      };
-    });
-  }
-
-  return res.status(200).send({
-    environments
-  });
-};
+		
+		const variables = {
+			projectId: appId
+		}
+		
+		const { data: { data: { environments: { edges } } } } = await request.post(INTEGRATION_RAILWAY_API_URL, {
+			query,
+			variables,
+		}, {
+			headers: {
+				'Authorization': `Bearer ${req.accessToken}`,
+				'Content-Type': 'application/json',
+			},
+		});
+		
+		environments = edges.map((e: RailwayEnvironment) => {
+			return ({
+				name: e.node.name,
+				environmentId: e.node.id
+			});
+		});
+	}
+	
+	return res.status(200).send({
+		environments
+	});
+}
 
 /**
  * Return list of Railway services for Railway project with id
  * [appId]
- * @param req
- * @param res
+ * @param req 
+ * @param res 
  */
 export const getIntegrationAuthRailwayServices = async (req: Request, res: Response) => {
-  const appId = req.query.appId as string;
-
-  interface RailwayService {
-    node: {
-      id: string;
-      name: string;
-    };
-  }
-
-  interface Service {
-    name: string;
-    serviceId: string;
-  }
-
-  let services: Service[] = [];
-
-  const query = `
+	const { integrationAuthId } = req.params;
+	const appId = req.query.appId as string;
+	
+	interface RailwayService {
+		node: {
+			id: string;
+			name: string;
+		}
+	}
+	
+	interface Service {
+		name: string;
+		serviceId: string;
+	}
+	
+	let services: Service[] = [];
+	
+	const query = `
       query project($id: String!) {
         project(id: $id) {
           createdAt
@@ -344,43 +367,31 @@ export const getIntegrationAuthRailwayServices = async (req: Request, res: Respo
       }
     `;
 
-  if (appId && appId !== "") {
-    const variables = {
-      id: appId
-    };
-
-    const {
-      data: {
-        data: {
-          project: {
-            services: { edges }
-          }
-        }
-      }
-    } = await standardRequest.post(
-      INTEGRATION_RAILWAY_API_URL,
-      {
-        query,
-        variables
-      },
-      {
-        headers: {
-          Authorization: `Bearer ${req.accessToken}`,
-          "Content-Type": "application/json"
-        }
-      }
-    );
-
-    services = edges.map((e: RailwayService) => ({
-      name: e.node.name,
-      serviceId: e.node.id
-    }));
-  }
-
-  return res.status(200).send({
-    services
-  });
-};
+	if (appId && appId !== '') {
+		const variables = {
+			id: appId
+		}
+		
+		const { data: { data: { project: { services: { edges } } } } } = await request.post(INTEGRATION_RAILWAY_API_URL, {
+			query,
+			variables
+		}, {
+			headers: {
+				'Authorization': `Bearer ${req.accessToken}`,
+				'Content-Type': 'application/json',
+			},
+		});
+		
+		services = edges.map((e: RailwayService) => ({
+			name: e.node.name,
+			serviceId: e.node.id
+		}));
+	}
+	
+	return res.status(200).send({
+		services
+	});
+}
 
 /**
  * Delete integration authorization with id [integrationAuthId]
@@ -389,12 +400,21 @@ export const getIntegrationAuthRailwayServices = async (req: Request, res: Respo
  * @returns
  */
 export const deleteIntegrationAuth = async (req: Request, res: Response) => {
-  const integrationAuth = await revokeAccess({
-    integrationAuth: req.integrationAuth,
-    accessToken: req.accessToken
-  });
+  let integrationAuth;
+  try {
+    integrationAuth = await revokeAccess({
+      integrationAuth: req.integrationAuth,
+      accessToken: req.accessToken,
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to delete integration authorization",
+    });
+  }
 
   return res.status(200).send({
-    integrationAuth
+    integrationAuth,
   });
 };

backend/src/controllers/v1/integrationController.ts

@@ -1,11 +1,11 @@
-import { Request, Response } from "express";
-import { Types } from "mongoose";
-import { Integration } from "../../models";
-import { EventService } from "../../services";
-import { eventPushSecrets } from "../../events";
-import Folder from "../../models/folder";
-import { getFolderByPath } from "../../services/FolderService";
-import { BadRequestError } from "../../utils/errors";
+import { Request, Response } from 'express';
+import { Types } from 'mongoose';
+import * as Sentry from '@sentry/node';
+import { 
+	Integration
+} from '../../models';
+import { EventService } from '../../services';
+import { eventPushSecrets } from '../../events';
 
 /**
  * Create/initialize an (empty) integration for integration authorization
@@ -14,66 +14,61 @@ import { BadRequestError } from "../../utils/errors";
  * @returns
  */
 export const createIntegration = async (req: Request, res: Response) => {
-  const {
-    integrationAuthId,
-    app,
-    appId,
-    isActive,
-    sourceEnvironment,
-    targetEnvironment,
-    targetEnvironmentId,
-    targetService,
-    targetServiceId,
-    owner,
-    path,
-    region,
-    secretPath,
-  } = req.body;
+	let integration;
 
-  const folders = await Folder.findOne({
-    workspace: req.integrationAuth.workspace._id,
-    environment: sourceEnvironment,
-  });
+	try {
+		const {
+			integrationAuthId,
+			app,
+			appId,
+			isActive,
+			sourceEnvironment,
+			targetEnvironment,
+			targetEnvironmentId,
+      targetService,
+      targetServiceId,
+			owner,
+			path,
+			region
+		} = req.body;
+		
+		// TODO: validate [sourceEnvironment] and [targetEnvironment]
 
-  if (folders) {
-    const folder = getFolderByPath(folders.nodes, secretPath);
-    if (!folder) {
-      throw BadRequestError({
-        message: "Path for service token does not exist",
-      });
-    }
-  }
+		// initialize new integration after saving integration access token
+    integration = await new Integration({
+      workspace: req.integrationAuth.workspace._id,
+      environment: sourceEnvironment,
+      isActive,
+      app,
+			appId,
+			targetEnvironment,
+			targetEnvironmentId,
+      targetService,
+      targetServiceId,
+			owner,
+			path,
+			region,
+      integration: req.integrationAuth.integration,
+      integrationAuth: new Types.ObjectId(integrationAuthId)
+    }).save();
+		
+		if (integration) {
+			// trigger event - push secrets
+			EventService.handleEvent({
+				event: eventPushSecrets({
+					workspaceId: integration.workspace,
+          environment: sourceEnvironment
+				})
+			});
+		}
 
-  // TODO: validate [sourceEnvironment] and [targetEnvironment]
-
-  // initialize new integration after saving integration access token
-  const integration = await new Integration({
-    workspace: req.integrationAuth.workspace._id,
-    environment: sourceEnvironment,
-    isActive,
-    app,
-    appId,
-    targetEnvironment,
-    targetEnvironmentId,
-    targetService,
-    targetServiceId,
-    owner,
-    path,
-    region,
-    secretPath,
-    integration: req.integrationAuth.integration,
-    integrationAuth: new Types.ObjectId(integrationAuthId),
-  }).save();
-
-  if (integration) {
-    // trigger event - push secrets
-    EventService.handleEvent({
-      event: eventPushSecrets({
-        workspaceId: integration.workspace,
-        environment: sourceEnvironment,
-      }),
-    });
-  }
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to create integration'
+		});
+	}
 
   return res.status(200).send({
     integration,
@@ -87,58 +82,52 @@ export const createIntegration = async (req: Request, res: Response) => {
  * @returns
  */
 export const updateIntegration = async (req: Request, res: Response) => {
+  let integration;
+
   // TODO: add integration-specific validation to ensure that each
   // integration has the correct fields populated in [Integration]
 
-  const {
-    environment,
-    isActive,
-    app,
-    appId,
-    targetEnvironment,
-    owner, // github-specific integration param
-    secretPath,
-  } = req.body;
-
-  const folders = await Folder.findOne({
-    workspace: req.integration.workspace,
-    environment,
-  });
-
-  if (folders) {
-    const folder = getFolderByPath(folders.nodes, secretPath);
-    if (!folder) {
-      throw BadRequestError({
-        message: "Path for service token does not exist",
-      });
-    }
-  }
-
-  const integration = await Integration.findOneAndUpdate(
-    {
-      _id: req.integration._id,
-    },
-    {
+  try {
+    const {
       environment,
       isActive,
       app,
       appId,
       targetEnvironment,
-      owner,
-      secretPath,
-    },
-    {
-      new: true,
-    }
-  );
+      owner, // github-specific integration param
+    } = req.body;
 
-  if (integration) {
-    // trigger event - push secrets
-    EventService.handleEvent({
-      event: eventPushSecrets({
-        workspaceId: integration.workspace,
+    integration = await Integration.findOneAndUpdate(
+      {
+        _id: req.integration._id,
+      },
+      {
         environment,
-      }),
+        isActive,
+        app,
+        appId,
+        targetEnvironment,
+        owner,
+      },
+      {
+        new: true,
+      }
+    );
+
+    if (integration) {
+      // trigger event - push secrets
+      EventService.handleEvent({
+        event: eventPushSecrets({
+          workspaceId: integration.workspace,
+          environment
+        }),
+      });
+    }
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to update integration",
     });
   }
 
@@ -155,13 +144,22 @@ export const updateIntegration = async (req: Request, res: Response) => {
  * @returns
  */
 export const deleteIntegration = async (req: Request, res: Response) => {
-  const { integrationId } = req.params;
+  let integration;
+  try {
+    const { integrationId } = req.params;
 
-  const integration = await Integration.findOneAndDelete({
-    _id: integrationId,
-  });
+    integration = await Integration.findOneAndDelete({
+      _id: integrationId,
+    });
 
-  if (!integration) throw new Error("Failed to find integration");
+    if (!integration) throw new Error("Failed to find integration");
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to delete integration",
+    });
+  }
 
   return res.status(200).send({
     integration,

backend/src/controllers/v1/keyController.ts

@@ -1,6 +1,7 @@
-import { Request, Response } from "express";
-import { Key } from "../../models";
-import { findMembership } from "../../helpers/membership";
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { Key } from '../../models';
+import { findMembership } from '../../helpers/membership';
 
 /**
  * Add (encrypted) copy of workspace key for workspace with id [workspaceId] for user with
@@ -10,29 +11,37 @@ import { findMembership } from "../../helpers/membership";
  * @returns
  */
 export const uploadKey = async (req: Request, res: Response) => {
-  const { workspaceId } = req.params;
-  const { key } = req.body;
+	try {
+		const { workspaceId } = req.params;
+		const { key } = req.body;
 
-  // validate membership of receiver
-  const receiverMembership = await findMembership({
-    user: key.userId,
-    workspace: workspaceId,
-  });
+		// validate membership of receiver
+		const receiverMembership = await findMembership({
+			user: key.userId,
+			workspace: workspaceId
+		});
 
-  if (!receiverMembership) {
-    throw new Error("Failed receiver membership validation for workspace");
-  }
+		if (!receiverMembership) {
+			throw new Error('Failed receiver membership validation for workspace');
+		}
 
-  await new Key({
-    encryptedKey: key.encryptedKey,
-    nonce: key.nonce,
-    sender: req.user._id,
-    receiver: key.userId,
-    workspace: workspaceId,
-  }).save();
+		await new Key({
+			encryptedKey: key.encryptedKey,
+			nonce: key.nonce,
+			sender: req.user._id,
+			receiver: key.userId,
+			workspace: workspaceId
+		}).save();
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to upload key to workspace'
+		});
+	}
 
 	return res.status(200).send({
-		message: "Successfully uploaded key to workspace",
+		message: 'Successfully uploaded key to workspace'
 	});
 };
 
@@ -43,22 +52,31 @@ export const uploadKey = async (req: Request, res: Response) => {
  * @returns
  */
 export const getLatestKey = async (req: Request, res: Response) => {
-  const { workspaceId } = req.params;
+	let latestKey;
+	try {
+		const { workspaceId } = req.params;
 
-  // get latest key
-  const latestKey = await Key.find({
-    workspace: workspaceId,
-    receiver: req.user._id,
-  })
-    .sort({ createdAt: -1 })
-    .limit(1)
-    .populate("sender", "+publicKey");
+		// get latest key
+		latestKey = await Key.find({
+			workspace: workspaceId,
+			receiver: req.user._id
+		})
+			.sort({ createdAt: -1 })
+			.limit(1)
+			.populate('sender', '+publicKey');
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get latest key'
+		});
+	}
 
 	const resObj: any = {};
 
 	if (latestKey.length > 0) {
-		resObj["latestKey"] = latestKey[0];
+		resObj['latestKey'] = latestKey[0];
 	}
 
 	return res.status(200).send(resObj);
-};
+};

backend/src/controllers/v1/membershipController.ts

@@ -1,9 +1,13 @@
-import { Request, Response } from "express";
-import { Key, Membership, MembershipOrg, User } from "../../models";
-import { deleteMembership as deleteMember, findMembership } from "../../helpers/membership";
-import { sendMail } from "../../helpers/nodemailer";
-import { ACCEPTED, ADMIN, MEMBER } from "../../variables";
-import { getSiteURL } from "../../config";
+import * as Sentry from '@sentry/node';
+import { Request, Response } from 'express';
+import { Membership, MembershipOrg, User, Key } from '../../models';
+import {
+	findMembership,
+	deleteMembership as deleteMember
+} from '../../helpers/membership';
+import { sendMail } from '../../helpers/nodemailer';
+import { ADMIN, MEMBER, ACCEPTED } from '../../variables';
+import { getSiteURL } from '../../config';
 
 /**
  * Check that user is a member of workspace with id [workspaceId]
@@ -12,20 +16,29 @@ import { getSiteURL } from "../../config";
  * @returns
  */
 export const validateMembership = async (req: Request, res: Response) => {
-  const { workspaceId } = req.params;
-  // validate membership
-  const membership = await findMembership({
-    user: req.user._id,
-    workspace: workspaceId
-  });
+	try {
+		const { workspaceId } = req.params;
 
-  if (!membership) {
-    throw new Error("Failed to validate membership");
-  }
+		// validate membership
+		const membership = await findMembership({
+			user: req.user._id,
+			workspace: workspaceId
+		});
 
-  return res.status(200).send({
-    message: "Workspace membership confirmed"
-  });
+		if (!membership) {
+			throw new Error('Failed to validate membership');
+		}
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed workspace connection check'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Workspace membership confirmed'
+	});
 };
 
 /**
@@ -35,41 +48,52 @@ export const validateMembership = async (req: Request, res: Response) => {
  * @returns
  */
 export const deleteMembership = async (req: Request, res: Response) => {
-  const { membershipId } = req.params;
+	let deletedMembership;
+	try {
+		const { membershipId } = req.params;
 
-  // check if membership to delete exists
-  const membershipToDelete = await Membership.findOne({
-    _id: membershipId
-  }).populate("user");
+		// check if membership to delete exists
+		const membershipToDelete = await Membership.findOne({
+			_id: membershipId
+		}).populate('user');
 
-  if (!membershipToDelete) {
-    throw new Error("Failed to delete workspace membership that doesn't exist");
-  }
+		if (!membershipToDelete) {
+			throw new Error(
+				"Failed to delete workspace membership that doesn't exist"
+			);
+		}
 
-  // check if user is a member and admin of the workspace
-  // whose membership we wish to delete
-  const membership = await Membership.findOne({
-    user: req.user._id,
-    workspace: membershipToDelete.workspace
-  });
+		// check if user is a member and admin of the workspace
+		// whose membership we wish to delete
+		const membership = await Membership.findOne({
+			user: req.user._id,
+			workspace: membershipToDelete.workspace
+		});
 
-  if (!membership) {
-    throw new Error("Failed to validate workspace membership");
-  }
+		if (!membership) {
+			throw new Error('Failed to validate workspace membership');
+		}
 
-  if (membership.role !== ADMIN) {
-    // user is not an admin member of the workspace
-    throw new Error("Insufficient role for deleting workspace membership");
-  }
+		if (membership.role !== ADMIN) {
+			// user is not an admin member of the workspace
+			throw new Error('Insufficient role for deleting workspace membership');
+		}
 
-  // delete workspace membership
-  const deletedMembership = await deleteMember({
-    membershipId: membershipToDelete._id.toString()
-  });
+		// delete workspace membership
+		deletedMembership = await deleteMember({
+			membershipId: membershipToDelete._id.toString()
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to delete membership'
+		});
+	}
 
-  return res.status(200).send({
-    deletedMembership
-  });
+	return res.status(200).send({
+		deletedMembership
+	});
 };
 
 /**
@@ -79,44 +103,53 @@ export const deleteMembership = async (req: Request, res: Response) => {
  * @returns
  */
 export const changeMembershipRole = async (req: Request, res: Response) => {
-  const { membershipId } = req.params;
-  const { role } = req.body;
+	let membershipToChangeRole;
+	try {
+		const { membershipId } = req.params;
+		const { role } = req.body;
 
-  if (![ADMIN, MEMBER].includes(role)) {
-    throw new Error("Failed to validate role");
-  }
+		if (![ADMIN, MEMBER].includes(role)) {
+			throw new Error('Failed to validate role');
+		}
 
-  // validate target membership
-  const membershipToChangeRole = await findMembership({
-    _id: membershipId
-  });
+		// validate target membership
+		membershipToChangeRole = await findMembership({
+			_id: membershipId
+		});
 
-  if (!membershipToChangeRole) {
-    throw new Error("Failed to find membership to change role");
-  }
+		if (!membershipToChangeRole) {
+			throw new Error('Failed to find membership to change role');
+		}
 
-  // check if user is a member and admin of target membership's
-  // workspace
-  const membership = await findMembership({
-    user: req.user._id,
-    workspace: membershipToChangeRole.workspace
-  });
+		// check if user is a member and admin of target membership's
+		// workspace
+		const membership = await findMembership({
+			user: req.user._id,
+			workspace: membershipToChangeRole.workspace
+		});
 
-  if (!membership) {
-    throw new Error("Failed to validate membership");
-  }
+		if (!membership) {
+			throw new Error('Failed to validate membership');
+		}
 
-  if (membership.role !== ADMIN) {
-    // user is not an admin member of the workspace
-    throw new Error("Insufficient role for changing member roles");
-  }
+		if (membership.role !== ADMIN) {
+			// user is not an admin member of the workspace
+			throw new Error('Insufficient role for changing member roles');
+		}
 
-  membershipToChangeRole.role = role;
-  await membershipToChangeRole.save();
+		membershipToChangeRole.role = role;
+		await membershipToChangeRole.save();
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to change membership role'
+		});
+	}
 
-  return res.status(200).send({
-    membership: membershipToChangeRole
-  });
+	return res.status(200).send({
+		membership: membershipToChangeRole
+	});
 };
 
 /**
@@ -126,63 +159,75 @@ export const changeMembershipRole = async (req: Request, res: Response) => {
  * @returns
  */
 export const inviteUserToWorkspace = async (req: Request, res: Response) => {
-  const { workspaceId } = req.params;
-  const { email }: { email: string } = req.body;
+	let invitee, latestKey;
+	try {
+		const { workspaceId } = req.params;
+		const { email }: { email: string } = req.body;
 
-  const invitee = await User.findOne({
-    email
-  }).select("+publicKey");
+		invitee = await User.findOne({
+			email
+		}).select('+publicKey');
 
-  if (!invitee || !invitee?.publicKey) throw new Error("Failed to validate invitee");
+		if (!invitee || !invitee?.publicKey)
+			throw new Error('Failed to validate invitee');
 
-  // validate invitee's workspace membership - ensure member isn't
-  // already a member of the workspace
-  const inviteeMembership = await Membership.findOne({
-    user: invitee._id,
-    workspace: workspaceId
-  });
+		// validate invitee's workspace membership - ensure member isn't
+		// already a member of the workspace
+		const inviteeMembership = await Membership.findOne({
+			user: invitee._id,
+			workspace: workspaceId
+		});
 
-  if (inviteeMembership) throw new Error("Failed to add existing member of workspace");
+		if (inviteeMembership)
+			throw new Error('Failed to add existing member of workspace');
 
-  // validate invitee's organization membership - ensure that only
-  // (accepted) organization members can be added to the workspace
-  const membershipOrg = await MembershipOrg.findOne({
-    user: invitee._id,
-    organization: req.membership.workspace.organization,
-    status: ACCEPTED
-  });
+		// validate invitee's organization membership - ensure that only
+		// (accepted) organization members can be added to the workspace
+		const membershipOrg = await MembershipOrg.findOne({
+			user: invitee._id,
+			organization: req.membership.workspace.organization,
+			status: ACCEPTED
+		});
 
-  if (!membershipOrg) throw new Error("Failed to validate invitee's organization membership");
+		if (!membershipOrg)
+			throw new Error("Failed to validate invitee's organization membership");
 
-  // get latest key
-  const latestKey = await Key.findOne({
-    workspace: workspaceId,
-    receiver: req.user._id
-  })
-    .sort({ createdAt: -1 })
-    .populate("sender", "+publicKey");
+		// get latest key
+		latestKey = await Key.findOne({
+			workspace: workspaceId,
+			receiver: req.user._id
+		})
+			.sort({ createdAt: -1 })
+			.populate('sender', '+publicKey');
 
-  // create new workspace membership
-  await new Membership({
-    user: invitee._id,
-    workspace: workspaceId,
-    role: MEMBER
-  }).save();
+		// create new workspace membership
+		const m = await new Membership({
+			user: invitee._id,
+			workspace: workspaceId,
+			role: MEMBER
+		}).save();
 
-  await sendMail({
-    template: "workspaceInvitation.handlebars",
-    subjectLine: "Infisical workspace invitation",
-    recipients: [invitee.email],
-    substitutions: {
-      inviterFirstName: req.user.firstName,
-      inviterEmail: req.user.email,
-      workspaceName: req.membership.workspace.name,
-      callback_url: (await getSiteURL()) + "/login"
-    }
-  });
+		await sendMail({
+			template: 'workspaceInvitation.handlebars',
+			subjectLine: 'Infisical workspace invitation',
+			recipients: [invitee.email],
+			substitutions: {
+				inviterFirstName: req.user.firstName,
+				inviterEmail: req.user.email,
+				workspaceName: req.membership.workspace.name,
+				callback_url: (await getSiteURL()) + '/login'
+			}
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to invite user to workspace'
+		});
+	}
 
-  return res.status(200).send({
-    invitee,
-    latestKey
-  });
-};
+	return res.status(200).send({
+		invitee,
+		latestKey
+	});
+};

backend/src/controllers/v1/membershipOrgController.ts

@@ -1,27 +1,14 @@
-import { Types } from "mongoose";
-import { Request, Response } from "express";
-import { MembershipOrg, Organization, User } from "../../models";
-import { deleteMembershipOrg as deleteMemberFromOrg } from "../../helpers/membershipOrg";
-import { createToken } from "../../helpers/auth";
-import { updateSubscriptionOrgQuantity } from "../../helpers/organization";
-import { sendMail } from "../../helpers/nodemailer";
-import { TokenService } from "../../services";
-import { EELicenseService } from "../../ee/services";
-import {
-  ACCEPTED,
-  ADMIN,
-  INVITED,
-  MEMBER,
-  OWNER,
-  TOKEN_EMAIL_ORG_INVITATION
-} from "../../variables";
-import {
-  getJwtSignupLifetime,
-  getJwtSignupSecret,
-  getSiteURL,
-  getSmtpConfigured
-} from "../../config";
-import { validateUserEmail } from "../../validation";
+import { Types } from 'mongoose';
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { MembershipOrg, Organization, User } from '../../models';
+import { deleteMembershipOrg as deleteMemberFromOrg } from '../../helpers/membershipOrg';
+import { createToken } from '../../helpers/auth';
+import { updateSubscriptionOrgQuantity } from '../../helpers/organization';
+import { sendMail } from '../../helpers/nodemailer';
+import { TokenService } from '../../services';
+import { OWNER, ADMIN, MEMBER, ACCEPTED, INVITED, TOKEN_EMAIL_ORG_INVITATION } from '../../variables';
+import { getSiteURL, getJwtSignupLifetime, getJwtSignupSecret, getSmtpConfigured } from '../../config';
 
 /**
  * Delete organization membership with id [membershipOrgId] from organization
@@ -29,44 +16,55 @@ import { validateUserEmail } from "../../validation";
  * @param res
  * @returns
  */
-export const deleteMembershipOrg = async (req: Request, _res: Response) => {
-  const { membershipOrgId } = req.params;
+export const deleteMembershipOrg = async (req: Request, res: Response) => {
+	let membershipOrgToDelete;
+	try {
+		const { membershipOrgId } = req.params;
 
-  // check if organization membership to delete exists
-  const membershipOrgToDelete = await MembershipOrg.findOne({
-    _id: membershipOrgId
-  }).populate("user");
+		// check if organization membership to delete exists
+		membershipOrgToDelete = await MembershipOrg.findOne({
+			_id: membershipOrgId
+		}).populate('user');
 
-  if (!membershipOrgToDelete) {
-    throw new Error("Failed to delete organization membership that doesn't exist");
-  }
+		if (!membershipOrgToDelete) {
+			throw new Error(
+				"Failed to delete organization membership that doesn't exist"
+			);
+		}
 
-  // check if user is a member and admin of the organization
-  // whose membership we wish to delete
-  const membershipOrg = await MembershipOrg.findOne({
-    user: req.user._id,
-    organization: membershipOrgToDelete.organization
-  });
+		// check if user is a member and admin of the organization
+		// whose membership we wish to delete
+		const membershipOrg = await MembershipOrg.findOne({
+			user: req.user._id,
+			organization: membershipOrgToDelete.organization
+		});
 
-  if (!membershipOrg) {
-    throw new Error("Failed to validate organization membership");
-  }
+		if (!membershipOrg) {
+			throw new Error('Failed to validate organization membership');
+		}
 
-  if (membershipOrg.role !== OWNER && membershipOrg.role !== ADMIN) {
-    // user is not an admin member of the organization
-    throw new Error("Insufficient role for deleting organization membership");
-  }
+		if (membershipOrg.role !== OWNER && membershipOrg.role !== ADMIN) {
+			// user is not an admin member of the organization
+			throw new Error('Insufficient role for deleting organization membership');
+		}
 
-  // delete organization membership
-  await deleteMemberFromOrg({
-    membershipOrgId: membershipOrgToDelete._id.toString()
-  });
+		// delete organization membership
+		const deletedMembershipOrg = await deleteMemberFromOrg({
+			membershipOrgId: membershipOrgToDelete._id.toString()
+		});
 
-  await updateSubscriptionOrgQuantity({
-    organizationId: membershipOrg.organization.toString()
-  });
+		await updateSubscriptionOrgQuantity({
+			organizationId: membershipOrg.organization.toString()
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to delete organization membership'
+		});
+	}
 
-  return membershipOrgToDelete;
+	return membershipOrgToDelete;
 };
 
 /**
@@ -76,14 +74,22 @@ export const deleteMembershipOrg = async (req: Request, _res: Response) => {
  * @returns
  */
 export const changeMembershipOrgRole = async (req: Request, res: Response) => {
-  // change role for (target) organization membership with id
-  // [membershipOrgId]
+	// change role for (target) organization membership with id
+	// [membershipOrgId]
 
-  let membershipToChangeRole;
+	let membershipToChangeRole;
+	// try {
+	// } catch (err) {
+	// 	Sentry.setUser({ email: req.user.email });
+	// 	Sentry.captureException(err);
+	// 	return res.status(400).send({
+	// 		message: 'Failed to change organization membership role'
+	// 	});
+	// }
 
-  return res.status(200).send({
-    membershipOrg: membershipToChangeRole
-  });
+	return res.status(200).send({
+		membershipOrg: membershipToChangeRole
+	});
 };
 
 /**
@@ -94,119 +100,111 @@ export const changeMembershipOrgRole = async (req: Request, res: Response) => {
  * @returns
  */
 export const inviteUserToOrganization = async (req: Request, res: Response) => {
-  let inviteeMembershipOrg, completeInviteLink;
-  const { organizationId, inviteeEmail } = req.body;
-  const host = req.headers.host;
-  const siteUrl = `${req.protocol}://${host}`;
+	let invitee, inviteeMembershipOrg, completeInviteLink;
+	try {
+		const { organizationId, inviteeEmail } = req.body;
+		const host = req.headers.host;
+		const siteUrl = `${req.protocol}://${host}`;
 
-  // validate membership
-  const membershipOrg = await MembershipOrg.findOne({
-    user: req.user._id,
-    organization: organizationId
-  });
+		// validate membership
+		const membershipOrg = await MembershipOrg.findOne({
+			user: req.user._id,
+			organization: organizationId
+		});
 
-  if (!membershipOrg) {
-    throw new Error("Failed to validate organization membership");
-  }
+		if (!membershipOrg) {
+			throw new Error('Failed to validate organization membership');
+		}
 
-  const plan = await EELicenseService.getPlan(organizationId);
+		invitee = await User.findOne({
+			email: inviteeEmail
+		}).select('+publicKey');
 
-  if (plan.memberLimit !== null) {
-    // case: limit imposed on number of members allowed
+		if (invitee) {
+			// case: invitee is an existing user
 
-    if (plan.membersUsed >= plan.memberLimit) {
-      // case: number of members used exceeds the number of members allowed
-      return res.status(400).send({
-        message:
-          "Failed to invite member due to member limit reached. Upgrade plan to invite more members."
-      });
-    }
-  }
+			inviteeMembershipOrg = await MembershipOrg.findOne({
+				user: invitee._id,
+				organization: organizationId
+			});
 
-  const invitee = await User.findOne({
-    email: inviteeEmail
-  }).select("+publicKey");
+			if (inviteeMembershipOrg && inviteeMembershipOrg.status === ACCEPTED) {
+				throw new Error(
+					'Failed to invite an existing member of the organization'
+				);
+			}
 
-  if (invitee) {
-    // case: invitee is an existing user
+			if (!inviteeMembershipOrg) {
+				await new MembershipOrg({
+					user: invitee,
+					inviteEmail: inviteeEmail,
+					organization: organizationId,
+					role: MEMBER,
+					status: INVITED
+				}).save();
+			}
+		} else {
+			// check if invitee has been invited before
+			inviteeMembershipOrg = await MembershipOrg.findOne({
+				inviteEmail: inviteeEmail,
+				organization: organizationId
+			});
 
-    inviteeMembershipOrg = await MembershipOrg.findOne({
-      user: invitee._id,
-      organization: organizationId
-    });
+			if (!inviteeMembershipOrg) {
+				// case: invitee has never been invited before
 
-    if (inviteeMembershipOrg && inviteeMembershipOrg.status === ACCEPTED) {
-      throw new Error("Failed to invite an existing member of the organization");
-    }
+				await new MembershipOrg({
+					inviteEmail: inviteeEmail,
+					organization: organizationId,
+					role: MEMBER,
+					status: INVITED
+				}).save();
+			}
+		}
 
-    if (!inviteeMembershipOrg) {
-      await new MembershipOrg({
-        user: invitee,
-        inviteEmail: inviteeEmail,
-        organization: organizationId,
-        role: MEMBER,
-        status: INVITED
-      }).save();
-    }
-  } else {
-    // check if invitee has been invited before
-    inviteeMembershipOrg = await MembershipOrg.findOne({
-      inviteEmail: inviteeEmail,
-      organization: organizationId
-    });
+		const organization = await Organization.findOne({ _id: organizationId });
 
-    if (!inviteeMembershipOrg) {
-      // case: invitee has never been invited before
+		if (organization) {
 
-      // validate that email is not disposable
-      validateUserEmail(inviteeEmail);
+			const token = await TokenService.createToken({
+				type: TOKEN_EMAIL_ORG_INVITATION,
+				email: inviteeEmail,
+				organizationId: organization._id
+			});
 
-      await new MembershipOrg({
-        inviteEmail: inviteeEmail,
-        organization: organizationId,
-        role: MEMBER,
-        status: INVITED
-      }).save();
-    }
-  }
+			await sendMail({
+				template: 'organizationInvitation.handlebars',
+				subjectLine: 'Infisical organization invitation',
+				recipients: [inviteeEmail],
+				substitutions: {
+					inviterFirstName: req.user.firstName,
+					inviterEmail: req.user.email,
+					organizationName: organization.name,
+					email: inviteeEmail,
+					organizationId: organization._id.toString(),
+					token,
+					callback_url: (await getSiteURL()) + '/signupinvite'
+				}
+			});
 
-  const organization = await Organization.findOne({ _id: organizationId });
+			if (!(await getSmtpConfigured())) {
+				completeInviteLink = `${siteUrl + '/signupinvite'}?token=${token}&to=${inviteeEmail}&organization_id=${organization._id}`
+			}
+		}
 
-  if (organization) {
-    const token = await TokenService.createToken({
-      type: TOKEN_EMAIL_ORG_INVITATION,
-      email: inviteeEmail,
-      organizationId: organization._id
-    });
+		await updateSubscriptionOrgQuantity({ organizationId });
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to send organization invite'
+		});
+	}
 
-    await sendMail({
-      template: "organizationInvitation.handlebars",
-      subjectLine: "Infisical organization invitation",
-      recipients: [inviteeEmail],
-      substitutions: {
-        inviterFirstName: req.user.firstName,
-        inviterEmail: req.user.email,
-        organizationName: organization.name,
-        email: inviteeEmail,
-        organizationId: organization._id.toString(),
-        token,
-        callback_url: (await getSiteURL()) + "/signupinvite"
-      }
-    });
-
-    if (!(await getSmtpConfigured())) {
-      completeInviteLink = `${
-        siteUrl + "/signupinvite"
-      }?token=${token}&to=${inviteeEmail}&organization_id=${organization._id}`;
-    }
-  }
-
-  await updateSubscriptionOrgQuantity({ organizationId });
-
-  return res.status(200).send({
-    message: `Sent an invite link to ${req.body.inviteeEmail}`,
-    completeInviteLink
-  });
+	return res.status(200).send({
+		message: `Sent an invite link to ${req.body.inviteeEmail}`,
+		completeInviteLink
+	});
 };
 
 /**
@@ -217,61 +215,70 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
  * @returns
  */
 export const verifyUserToOrganization = async (req: Request, res: Response) => {
-  let user;
-  const { email, organizationId, code } = req.body;
+	let user, token;
+	try {
+		const {
+			email,
+			organizationId,
+			code
+		} = req.body;
 
-  user = await User.findOne({ email }).select("+publicKey");
+		user = await User.findOne({ email }).select('+publicKey');
 
-  const membershipOrg = await MembershipOrg.findOne({
-    inviteEmail: email,
-    status: INVITED,
-    organization: new Types.ObjectId(organizationId)
-  });
+		const membershipOrg = await MembershipOrg.findOne({
+			inviteEmail: email,
+			status: INVITED,
+			organization: new Types.ObjectId(organizationId)
+		});
 
-  if (!membershipOrg) throw new Error("Failed to find any invitations for email");
+		if (!membershipOrg)
+			throw new Error('Failed to find any invitations for email');
 
-  await TokenService.validateToken({
-    type: TOKEN_EMAIL_ORG_INVITATION,
-    email,
-    organizationId: membershipOrg.organization,
-    token: code
-  });
+		await TokenService.validateToken({
+			type: TOKEN_EMAIL_ORG_INVITATION,
+			email,
+			organizationId: membershipOrg.organization,
+			token: code
+		});
 
-  if (user && user?.publicKey) {
-    // case: user has already completed account
-    // membership can be approved and redirected to login/dashboard
-    membershipOrg.status = ACCEPTED;
-    await membershipOrg.save();
+		if (user && user?.publicKey) {
+			// case: user has already completed account
+			// membership can be approved and redirected to login/dashboard
+			membershipOrg.status = ACCEPTED;
+			await membershipOrg.save();
 
-    await updateSubscriptionOrgQuantity({
-      organizationId
-    });
+			return res.status(200).send({
+				message: 'Successfully verified email',
+				user,
+			});
+		}
 
-    return res.status(200).send({
-      message: "Successfully verified email",
-      user
-    });
-  }
+		if (!user) {
+			// initialize user account
+			user = await new User({
+				email
+			}).save();
+		}
 
-  if (!user) {
-    // initialize user account
-    user = await new User({
-      email
-    }).save();
-  }
+		// generate temporary signup token
+		token = createToken({
+			payload: {
+				userId: user._id.toString()
+			},
+			expiresIn: await getJwtSignupLifetime(),
+			secret: await getJwtSignupSecret()
+		});
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			error: 'Failed email magic link verification for organization invitation'
+		});
+	}
 
-  // generate temporary signup token
-  const token = createToken({
-    payload: {
-      userId: user._id.toString()
-    },
-    expiresIn: await getJwtSignupLifetime(),
-    secret: await getJwtSignupSecret()
-  });
-
-  return res.status(200).send({
-    message: "Successfully verified email",
-    user,
-    token
-  });
+	return res.status(200).send({
+		message: 'Successfully verified email',
+		user,
+		token
+	});
 };

backend/src/controllers/v1/organizationController.ts

@@ -1,27 +1,37 @@
-import { Request, Response } from "express";
+import * as Sentry from '@sentry/node';
+import { Request, Response } from 'express';
+import Stripe from 'stripe';
 import {
-	IncidentContactOrg,
 	Membership,
 	MembershipOrg,
 	Organization,
 	Workspace,
-} from "../../models";
-import { createOrganization as create } from "../../helpers/organization";
-import { addMembershipsOrg } from "../../helpers/membershipOrg";
-import { ACCEPTED, OWNER } from "../../variables";
-import { getSiteURL, getLicenseServerUrl } from "../../config";
-import { licenseServerKeyRequest } from "../../config/request";
+	IncidentContactOrg
+} from '../../models';
+import { createOrganization as create } from '../../helpers/organization';
+import { addMembershipsOrg } from '../../helpers/membershipOrg';
+import { OWNER, ACCEPTED } from '../../variables';
+import _ from 'lodash';
+import { getStripeSecretKey, getSiteURL } from '../../config';
 
 export const getOrganizations = async (req: Request, res: Response) => {
-  const organizations = (
-    await MembershipOrg.find({
-      user: req.user._id,
-      status: ACCEPTED,
-    }).populate("organization")
-  ).map((m) => m.organization);
+	let organizations;
+	try {
+		organizations = (
+			await MembershipOrg.find({
+				user: req.user._id
+			}).populate('organization')
+		).map((m) => m.organization);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get organizations'
+		});
+	}
 
 	return res.status(200).send({
-		organizations,
+		organizations
 	});
 };
 
@@ -33,27 +43,36 @@ export const getOrganizations = async (req: Request, res: Response) => {
  * @returns
  */
 export const createOrganization = async (req: Request, res: Response) => {
-  const { organizationName } = req.body;
+	let organization;
+	try {
+		const { organizationName } = req.body;
 
-  if (organizationName.length < 1) {
-    throw new Error("Organization names must be at least 1-character long");
-  }
+		if (organizationName.length < 1) {
+			throw new Error('Organization names must be at least 1-character long');
+		}
 
-  // create organization and add user as member
-  const organization = await create({
-    email: req.user.email,
-    name: organizationName,
-  });
+		// create organization and add user as member
+		organization = await create({
+			email: req.user.email,
+			name: organizationName
+		});
 
-  await addMembershipsOrg({
-    userIds: [req.user._id.toString()],
-    organizationId: organization._id.toString(),
-    roles: [OWNER],
-    statuses: [ACCEPTED],
-  });
+		await addMembershipsOrg({
+			userIds: [req.user._id.toString()],
+			organizationId: organization._id.toString(),
+			roles: [OWNER],
+			statuses: [ACCEPTED]
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to create organization'
+		});
+	}
 
 	return res.status(200).send({
-		organization,
+		organization
 	});
 };
 
@@ -64,9 +83,19 @@ export const createOrganization = async (req: Request, res: Response) => {
  * @returns
  */
 export const getOrganization = async (req: Request, res: Response) => {
-	const organization = req.organization
+	let organization;
+	try {
+		organization = req.organization
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to find organization'
+		});
+	}
+
 	return res.status(200).send({
-		organization,
+		organization
 	});
 };
 
@@ -77,14 +106,23 @@ export const getOrganization = async (req: Request, res: Response) => {
  * @returns
  */
 export const getOrganizationMembers = async (req: Request, res: Response) => {
-  const { organizationId } = req.params;
+	let users;
+	try {
+		const { organizationId } = req.params;
 
-  const users = await MembershipOrg.find({
-    organization: organizationId,
-  }).populate("user", "+publicKey");
+		users = await MembershipOrg.find({
+			organization: organizationId
+		}).populate('user', '+publicKey');
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get organization members'
+		});
+	}
 
 	return res.status(200).send({
-		users,
+		users
 	});
 };
 
@@ -98,29 +136,38 @@ export const getOrganizationWorkspaces = async (
 	req: Request,
 	res: Response
 ) => {
-  const { organizationId } = req.params;
+	let workspaces;
+	try {
+		const { organizationId } = req.params;
 
-  const workspacesSet = new Set(
-    (
-      await Workspace.find(
-        {
-          organization: organizationId,
-        },
-        "_id"
-      )
-    ).map((w) => w._id.toString())
-  );
+		const workspacesSet = new Set(
+			(
+				await Workspace.find(
+					{
+						organization: organizationId
+					},
+					'_id'
+				)
+			).map((w) => w._id.toString())
+		);
 
-  const workspaces = (
-    await Membership.find({
-      user: req.user._id,
-    }).populate("workspace")
-  )
-    .filter((m) => workspacesSet.has(m.workspace._id.toString()))
-    .map((m) => m.workspace);
+		workspaces = (
+			await Membership.find({
+				user: req.user._id
+			}).populate('workspace')
+		)
+			.filter((m) => workspacesSet.has(m.workspace._id.toString()))
+			.map((m) => m.workspace);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get my workspaces'
+		});
+	}
 
 	return res.status(200).send({
-		workspaces,
+		workspaces
 	});
 };
 
@@ -131,24 +178,33 @@ export const getOrganizationWorkspaces = async (
  * @returns
  */
 export const changeOrganizationName = async (req: Request, res: Response) => {
-  const { organizationId } = req.params;
-  const { name } = req.body;
+	let organization;
+	try {
+		const { organizationId } = req.params;
+		const { name } = req.body;
 
-  const organization = await Organization.findOneAndUpdate(
-    {
-      _id: organizationId,
-    },
-    {
-      name,
-    },
-    {
-      new: true,
-    }
-  );
+		organization = await Organization.findOneAndUpdate(
+			{
+				_id: organizationId
+			},
+			{
+				name
+			},
+			{
+				new: true
+			}
+		);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to change organization name'
+		});
+	}
 
 	return res.status(200).send({
-		message: "Successfully changed organization name",
-		organization,
+		message: 'Successfully changed organization name',
+		organization
 	});
 };
 
@@ -162,14 +218,23 @@ export const getOrganizationIncidentContacts = async (
 	req: Request,
 	res: Response
 ) => {
-  const { organizationId } = req.params;
+	let incidentContactsOrg;
+	try {
+		const { organizationId } = req.params;
 
-  const incidentContactsOrg = await IncidentContactOrg.find({
-    organization: organizationId,
-  });
+		incidentContactsOrg = await IncidentContactOrg.find({
+			organization: organizationId
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get organization incident contacts'
+		});
+	}
 
 	return res.status(200).send({
-		incidentContactsOrg,
+		incidentContactsOrg
 	});
 };
 
@@ -183,17 +248,26 @@ export const addOrganizationIncidentContact = async (
 	req: Request,
 	res: Response
 ) => {
-  const { organizationId } = req.params;
-  const { email } = req.body;
+	let incidentContactOrg;
+	try {
+		const { organizationId } = req.params;
+		const { email } = req.body;
 
-  const incidentContactOrg = await IncidentContactOrg.findOneAndUpdate(
-    { email, organization: organizationId },
-    { email, organization: organizationId },
-    { upsert: true, new: true }
-  );
+		incidentContactOrg = await IncidentContactOrg.findOneAndUpdate(
+			{ email, organization: organizationId },
+			{ email, organization: organizationId },
+			{ upsert: true, new: true }
+		);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to add incident contact for organization'
+		});
+	}
 
 	return res.status(200).send({
-		incidentContactOrg,
+		incidentContactOrg
 	});
 };
 
@@ -207,22 +281,31 @@ export const deleteOrganizationIncidentContact = async (
 	req: Request,
 	res: Response
 ) => {
-  const { organizationId } = req.params;
-  const { email } = req.body;
+	let incidentContactOrg;
+	try {
+		const { organizationId } = req.params;
+		const { email } = req.body;
 
-  const incidentContactOrg = await IncidentContactOrg.findOneAndDelete({
-    email,
-    organization: organizationId,
-  });
+		incidentContactOrg = await IncidentContactOrg.findOneAndDelete({
+			email,
+			organization: organizationId
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to delete organization incident contact'
+		});
+	}
 
 	return res.status(200).send({
-		message: "Successfully deleted organization incident contact",
-		incidentContactOrg,
+		message: 'Successfully deleted organization incident contact',
+		incidentContactOrg
 	});
 };
 
 /**
- * Redirect user to billing portal or add card page depending on
+ * Redirect user to (stripe) billing portal or add card page depending on
  * if there is a card on file
  * @param req
  * @param res
@@ -232,32 +315,42 @@ export const createOrganizationPortalSession = async (
 	req: Request,
 	res: Response
 ) => {
-  const { data: { pmtMethods } } = await licenseServerKeyRequest.get(
-    `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/payment-methods`,
-  );
-  
-  if (pmtMethods.length < 1) {
-    // case: organization has no payment method on file
-    // -> redirect to add payment method portal 
-    const { data: { url } } = await licenseServerKeyRequest.post(
-      `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/payment-methods`,
-      {
-        success_url: (await getSiteURL()) + "/dashboard",
-        cancel_url: (await getSiteURL()) + "/dashboard"
-      }
-    );
-    return res.status(200).send({ url });
-  } else {
-    // case: organization has payment method on file
-    // -> redirect to billing portal
-    const { data: { url } } = await licenseServerKeyRequest.post(
-      `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/billing-portal`,
-      {
-        return_url: (await getSiteURL()) + "/dashboard"
-      }
-    );
-    return res.status(200).send({ url });
-  }
+	let session;
+	try {
+		const stripe = new Stripe(await getStripeSecretKey(), {
+			apiVersion: '2022-08-01'
+		});
+
+		// check if there is a payment method on file
+		const paymentMethods = await stripe.paymentMethods.list({
+			customer: req.organization.customerId,
+			type: 'card'
+		});
+		
+		if (paymentMethods.data.length < 1) {
+			// case: no payment method on file
+			session = await stripe.checkout.sessions.create({
+				customer: req.organization.customerId,
+				mode: 'setup',
+				payment_method_types: ['card'],
+				success_url: (await getSiteURL()) + '/dashboard',
+				cancel_url: (await getSiteURL()) + '/dashboard'
+			});
+		} else {
+			session = await stripe.billingPortal.sessions.create({
+				customer: req.organization.customerId,
+				return_url: (await getSiteURL()) + '/dashboard'
+			});
+		}
+
+		return res.status(200).send({ url: session.url });
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to redirect to organization billing portal'
+		});
+	}
 };
 
 /**
@@ -270,8 +363,25 @@ export const getOrganizationSubscriptions = async (
 	req: Request,
 	res: Response
 ) => {
+	let subscriptions;
+	try {
+		const stripe = new Stripe(await getStripeSecretKey(), {
+			apiVersion: '2022-08-01'
+		});
+		
+		subscriptions = await stripe.subscriptions.list({
+			customer: req.organization.customerId
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get organization subscriptions'
+		});
+	}
+
 	return res.status(200).send({
-		subscriptions: []
+		subscriptions
 	});
 };
 
@@ -291,16 +401,16 @@ export const getOrganizationMembersAndTheirWorkspaces = async (
 	const workspacesSet = (
 			await Workspace.find(
 				{
-					organization: organizationId,
+					organization: organizationId
 				},
-				"_id"
+				'_id'
 			)
 		).map((w) => w._id.toString());
 
 	const memberships = (
 		await Membership.find({
-			workspace: { $in: workspacesSet },
-		}).populate("workspace")
+			workspace: { $in: workspacesSet }
+		}).populate('workspace')
 	);
 	const userToWorkspaceIds: any = {};
 
@@ -314,4 +424,4 @@ export const getOrganizationMembersAndTheirWorkspaces = async (
 	});
 
 	return res.json(userToWorkspaceIds);
-};
+};

backend/src/controllers/v1/passwordController.ts

@@ -1,98 +1,113 @@
-import { Request, Response } from "express";
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
 // eslint-disable-next-line @typescript-eslint/no-var-requires
-const jsrp = require("jsrp");
-import * as bigintConversion from "bigint-conversion";
-import { BackupPrivateKey, LoginSRPDetail, User } from "../../models";
-import { clearTokens, createToken, sendMail } from "../../helpers";
-import { TokenService } from "../../services";
-import { AUTH_MODE_JWT, TOKEN_EMAIL_PASSWORD_RESET } from "../../variables";
-import { BadRequestError } from "../../utils/errors";
-import {
-  getHttpsEnabled,
-  getJwtSignupLifetime,
-  getJwtSignupSecret,
-  getSiteURL
-} from "../../config";
+const jsrp = require('jsrp');
+import * as bigintConversion from 'bigint-conversion';
+import { User, BackupPrivateKey, LoginSRPDetail } from '../../models';
+import { createToken } from '../../helpers/auth';
+import { sendMail } from '../../helpers/nodemailer';
+import { TokenService } from '../../services';
+import { TOKEN_EMAIL_PASSWORD_RESET } from '../../variables';
+import { BadRequestError } from '../../utils/errors';
+import { getSiteURL, getJwtSignupLifetime, getJwtSignupSecret } from '../../config';
 
 /**
- * Password reset step 1: Send email verification link to email [email]
+ * Password reset step 1: Send email verification link to email [email] 
  * for account recovery.
  * @param req
  * @param res
  * @returns
  */
 export const emailPasswordReset = async (req: Request, res: Response) => {
-  const email: string = req.body.email;
+	let email: string;
+	try {
+		email = req.body.email;
 
-  const user = await User.findOne({ email }).select("+publicKey");
-  if (!user || !user?.publicKey) {
-    // case: user has already completed account
+		const user = await User.findOne({ email }).select('+publicKey');
+		if (!user || !user?.publicKey) {
+			// case: user has already completed account
 
-    return res.status(200).send({
-      message: "If an account exists with this email, a password reset link has been sent"
-    });
-  }
+			return res.status(403).send({
+				error: 'Failed to send email verification for password reset'
+			});
+		}
+		
+		const token = await TokenService.createToken({
+			type: TOKEN_EMAIL_PASSWORD_RESET,
+			email
+		});
+		
+		await sendMail({
+			template: 'passwordReset.handlebars',
+			subjectLine: 'Infisical password reset',
+			recipients: [email],
+			substitutions: {
+				email,
+				token,
+				callback_url: (await getSiteURL()) + '/password-reset'
+			}
+		});
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to send email for account recovery'
+		});
+	}
 
-  const token = await TokenService.createToken({
-    type: TOKEN_EMAIL_PASSWORD_RESET,
-    email
-  });
-
-  await sendMail({
-    template: "passwordReset.handlebars",
-    subjectLine: "Infisical password reset",
-    recipients: [email],
-    substitutions: {
-      email,
-      token,
-      callback_url: (await getSiteURL()) + "/password-reset"
-    }
-  });
-
-  return res.status(200).send({
-    message: "If an account exists with this email, a password reset link has been sent"
-  });
-};
+	return res.status(200).send({
+		message: `Sent an email for account recovery to ${email}`
+	});
+}
 
 /**
  * Password reset step 2: Verify email verification link sent to email [email]
- * @param req
- * @param res
- * @returns
+ * @param req 
+ * @param res 
+ * @returns 
  */
 export const emailPasswordResetVerify = async (req: Request, res: Response) => {
-  const { email, code } = req.body;
+	let user, token;
+	try {
+		const { email, code } = req.body;
 
-  const user = await User.findOne({ email }).select("+publicKey");
-  if (!user || !user?.publicKey) {
-    // case: user doesn't exist with email [email] or
-    // hasn't even completed their account
-    return res.status(403).send({
-      error: "Failed email verification for password reset"
-    });
-  }
+		user = await User.findOne({ email }).select('+publicKey');
+		if (!user || !user?.publicKey) {
+			// case: user doesn't exist with email [email] or 
+			// hasn't even completed their account
+			return res.status(403).send({
+				error: 'Failed email verification for password reset'
+			});
+		}
+		
+		await TokenService.validateToken({
+			type: TOKEN_EMAIL_PASSWORD_RESET,
+			email,
+			token: code
+		});
 
-  await TokenService.validateToken({
-    type: TOKEN_EMAIL_PASSWORD_RESET,
-    email,
-    token: code
-  });
+		// generate temporary password-reset token
+		token = createToken({
+			payload: {
+				userId: user._id.toString()
+			},
+			expiresIn: await getJwtSignupLifetime(),
+			secret: await getJwtSignupSecret()
+		});
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed email verification for password reset'
+		});
+	}
 
-  // generate temporary password-reset token
-  const token = createToken({
-    payload: {
-      userId: user._id.toString()
-    },
-    expiresIn: await getJwtSignupLifetime(),
-    secret: await getJwtSignupSecret()
-  });
-
-  return res.status(200).send({
-    message: "Successfully verified email",
-    user,
-    token
-  });
-};
+	return res.status(200).send({
+		message: 'Successfully verified email',
+		user,
+		token
+	});
+}
 
 /**
  * Return [salt] and [serverPublicKey] as part of step 1 of SRP protocol
@@ -101,41 +116,44 @@ export const emailPasswordResetVerify = async (req: Request, res: Response) => {
  * @returns
  */
 export const srp1 = async (req: Request, res: Response) => {
-  // return salt, serverPublicKey as part of first step of SRP protocol
+	// return salt, serverPublicKey as part of first step of SRP protocol
+	try {
+		const { clientPublicKey } = req.body;
+		const user = await User.findOne({
+			email: req.user.email
+		}).select('+salt +verifier');
 
-  const { clientPublicKey } = req.body;
-  const user = await User.findOne({
-    email: req.user.email
-  }).select("+salt +verifier");
+		if (!user) throw new Error('Failed to find user');
 
-  if (!user) throw new Error("Failed to find user");
+		const server = new jsrp.server();
+		server.init(
+			{
+				salt: user.salt,
+				verifier: user.verifier
+			},
+			async () => {
+				// generate server-side public key
+				const serverPublicKey = server.getPublicKey();
 
-  const server = new jsrp.server();
-  server.init(
-    {
-      salt: user.salt,
-      verifier: user.verifier
-    },
-    async () => {
-      // generate server-side public key
-      const serverPublicKey = server.getPublicKey();
+				await LoginSRPDetail.findOneAndReplace({ email: req.user.email }, {
+					email: req.user.email,
+					clientPublicKey: clientPublicKey,
+					serverBInt: bigintConversion.bigintToBuf(server.bInt),
+				}, { upsert: true, returnNewDocument: false })
 
-      await LoginSRPDetail.findOneAndReplace(
-        { email: req.user.email },
-        {
-          email: req.user.email,
-          clientPublicKey: clientPublicKey,
-          serverBInt: bigintConversion.bigintToBuf(server.bInt)
-        },
-        { upsert: true, returnNewDocument: false }
-      );
-
-      return res.status(200).send({
-        serverPublicKey,
-        salt: user.salt
-      });
-    }
-  );
+				return res.status(200).send({
+					serverPublicKey,
+					salt: user.salt
+				});
+			}
+		);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			error: 'Failed to start change password process'
+		});
+	}
 };
 
 /**
@@ -147,93 +165,80 @@ export const srp1 = async (req: Request, res: Response) => {
  * @returns
  */
 export const changePassword = async (req: Request, res: Response) => {
-  const {
-    clientProof,
-    protectedKey,
-    protectedKeyIV,
-    protectedKeyTag,
-    encryptedPrivateKey,
-    encryptedPrivateKeyIV,
-    encryptedPrivateKeyTag,
-    salt,
-    verifier
-  } = req.body;
+	try {
+		const { 
+			clientProof, 
+			protectedKey,
+			protectedKeyIV,
+			protectedKeyTag,
+			encryptedPrivateKey,
+			encryptedPrivateKeyIV,
+			encryptedPrivateKeyTag,
+			salt,
+			verifier
+		} = req.body;
 
-  const user = await User.findOne({
-    email: req.user.email
-  }).select("+salt +verifier");
+		const user = await User.findOne({
+			email: req.user.email
+		}).select('+salt +verifier');
 
-  if (!user) throw new Error("Failed to find user");
+		if (!user) throw new Error('Failed to find user');
 
-  const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: req.user.email });
+		const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: req.user.email })
 
-  if (!loginSRPDetailFromDB) {
-    return BadRequestError(
-      Error(
-        "It looks like some details from the first login are not found. Please try login one again"
-      )
-    );
-  }
+		if (!loginSRPDetailFromDB) {
+			return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
+		}
 
-  const server = new jsrp.server();
-  server.init(
-    {
-      salt: user.salt,
-      verifier: user.verifier,
-      b: loginSRPDetailFromDB.serverBInt
-    },
-    async () => {
-      server.setClientPublicKey(loginSRPDetailFromDB.clientPublicKey);
+		const server = new jsrp.server();
+		server.init(
+			{
+				salt: user.salt,
+				verifier: user.verifier,
+				b: loginSRPDetailFromDB.serverBInt
+			},
+			async () => {
+				server.setClientPublicKey(loginSRPDetailFromDB.clientPublicKey);
 
-      // compare server and client shared keys
-      if (server.checkClientProof(clientProof)) {
-        // change password
+				// compare server and client shared keys
+				if (server.checkClientProof(clientProof)) {
+					// change password
 
-        await User.findByIdAndUpdate(
-          req.user._id.toString(),
-          {
-            encryptionVersion: 2,
-            protectedKey,
-            protectedKeyIV,
-            protectedKeyTag,
-            encryptedPrivateKey,
-            iv: encryptedPrivateKeyIV,
-            tag: encryptedPrivateKeyTag,
-            salt,
-            verifier
-          },
-          {
-            new: true
-          }
-        );
+					await User.findByIdAndUpdate(
+						req.user._id.toString(),
+						{
+							encryptionVersion: 2,
+							protectedKey,
+							protectedKeyIV,
+							protectedKeyTag,
+							encryptedPrivateKey,
+							iv: encryptedPrivateKeyIV,
+							tag: encryptedPrivateKeyTag,
+							salt,
+							verifier
+						},
+						{
+							new: true
+						}
+					);
 
-        if (
-          req.authData.authMode === AUTH_MODE_JWT &&
-          req.authData.authPayload instanceof User &&
-          req.authData.tokenVersionId
-        ) {
-          await clearTokens(req.authData.tokenVersionId);
-        }
+					return res.status(200).send({
+						message: 'Successfully changed password'
+					});
+				}
 
-        // clear httpOnly cookie
-
-        res.cookie("jid", "", {
-          httpOnly: true,
-          path: "/",
-          sameSite: "strict",
-          secure: (await getHttpsEnabled()) as boolean
-        });
-
-        return res.status(200).send({
-          message: "Successfully changed password"
-        });
-      }
-
-      return res.status(400).send({
-        error: "Failed to change password. Try again?"
-      });
-    }
-  );
+				return res.status(400).send({
+					error: 'Failed to change password. Try again?'
+				});
+			}
+		);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			error: 'Failed to change password. Try again?'
+		});
+	}
 };
 
 /**
@@ -243,117 +248,141 @@ export const changePassword = async (req: Request, res: Response) => {
  * @returns
  */
 export const createBackupPrivateKey = async (req: Request, res: Response) => {
-  // create/change backup private key
-  // requires verifying [clientProof] as part of second step of SRP protocol
-  // as initiated in /srp1
+	// create/change backup private key
+	// requires verifying [clientProof] as part of second step of SRP protocol
+	// as initiated in /srp1
 
-  const { clientProof, encryptedPrivateKey, iv, tag, salt, verifier } = req.body;
-  const user = await User.findOne({
-    email: req.user.email
-  }).select("+salt +verifier");
+	try {
+		const { clientProof, encryptedPrivateKey, iv, tag, salt, verifier } =
+			req.body;
+		const user = await User.findOne({
+			email: req.user.email
+		}).select('+salt +verifier');
 
-  if (!user) throw new Error("Failed to find user");
+		if (!user) throw new Error('Failed to find user');
 
-  const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: req.user.email });
+		const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: req.user.email })
 
-  if (!loginSRPDetailFromDB) {
-    return BadRequestError(
-      Error(
-        "It looks like some details from the first login are not found. Please try login one again"
-      )
-    );
-  }
+		if (!loginSRPDetailFromDB) {
+			return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
+		}
 
-  const server = new jsrp.server();
-  server.init(
-    {
-      salt: user.salt,
-      verifier: user.verifier,
-      b: loginSRPDetailFromDB.serverBInt
-    },
-    async () => {
-      server.setClientPublicKey(loginSRPDetailFromDB.clientPublicKey);
+		const server = new jsrp.server();
+		server.init(
+			{
+				salt: user.salt,
+				verifier: user.verifier,
+				b: loginSRPDetailFromDB.serverBInt
+			},
+			async () => {
+				server.setClientPublicKey(
+					loginSRPDetailFromDB.clientPublicKey
+				);
 
-      // compare server and client shared keys
-      if (server.checkClientProof(clientProof)) {
-        // create new or replace backup private key
+				// compare server and client shared keys
+				if (server.checkClientProof(clientProof)) {
+					// create new or replace backup private key
 
-        const backupPrivateKey = await BackupPrivateKey.findOneAndUpdate(
-          { user: req.user._id },
-          {
-            user: req.user._id,
-            encryptedPrivateKey,
-            iv,
-            tag,
-            salt,
-            verifier
-          },
-          { upsert: true, new: true }
-        ).select("+user, encryptedPrivateKey");
+					const backupPrivateKey = await BackupPrivateKey.findOneAndUpdate(
+						{ user: req.user._id },
+						{
+							user: req.user._id,
+							encryptedPrivateKey,
+							iv,
+							tag,
+							salt,
+							verifier
+						},
+						{ upsert: true, new: true }
+					).select('+user, encryptedPrivateKey');
 
-        // issue tokens
-        return res.status(200).send({
-          message: "Successfully updated backup private key",
-          backupPrivateKey
-        });
-      }
+					// issue tokens
+					return res.status(200).send({
+						message: 'Successfully updated backup private key',
+						backupPrivateKey
+					});
+				}
 
-      return res.status(400).send({
-        message: "Failed to update backup private key"
-      });
-    }
-  );
+				return res.status(400).send({
+					message: 'Failed to update backup private key'
+				});
+			}
+		);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to update backup private key'
+		});
+	}
 };
 
 /**
  * Return backup private key for user
- * @param req
- * @param res
- * @returns
+ * @param req 
+ * @param res 
+ * @returns 
  */
 export const getBackupPrivateKey = async (req: Request, res: Response) => {
-  const backupPrivateKey = await BackupPrivateKey.findOne({
-    user: req.user._id
-  }).select("+encryptedPrivateKey +iv +tag");
+	let backupPrivateKey;
+	try {
+		backupPrivateKey = await BackupPrivateKey.findOne({
+			user: req.user._id
+		}).select('+encryptedPrivateKey +iv +tag');
 
-  if (!backupPrivateKey) throw new Error("Failed to find backup private key");
+		if (!backupPrivateKey) throw new Error('Failed to find backup private key');
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get backup private key'
+		});
+	}
 
-  return res.status(200).send({
-    backupPrivateKey
-  });
-};
+	return res.status(200).send({
+		backupPrivateKey
+	});
+}
 
 export const resetPassword = async (req: Request, res: Response) => {
-  const {
-    protectedKey,
-    protectedKeyIV,
-    protectedKeyTag,
-    encryptedPrivateKey,
-    encryptedPrivateKeyIV,
-    encryptedPrivateKeyTag,
-    salt,
-    verifier
-  } = req.body;
+	try {
+		const {
+			protectedKey,
+			protectedKeyIV,
+			protectedKeyTag,
+			encryptedPrivateKey,
+			encryptedPrivateKeyIV,
+			encryptedPrivateKeyTag,
+			salt,
+			verifier,
+		} = req.body;
 
-  await User.findByIdAndUpdate(
-    req.user._id.toString(),
-    {
-      encryptionVersion: 2,
-      protectedKey,
-      protectedKeyIV,
-      protectedKeyTag,
-      encryptedPrivateKey,
-      iv: encryptedPrivateKeyIV,
-      tag: encryptedPrivateKeyTag,
-      salt,
-      verifier
-    },
-    {
-      new: true
-    }
-  );
+		await User.findByIdAndUpdate(
+			req.user._id.toString(),
+			{
+				encryptionVersion: 2,
+				protectedKey,
+				protectedKeyIV,
+				protectedKeyTag,	
+				encryptedPrivateKey,
+				iv: encryptedPrivateKeyIV,
+				tag: encryptedPrivateKeyTag,
+				salt,
+				verifier
+			},
+			{
+				new: true
+			}
+		);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get backup private key'
+		});
+	}
 
-  return res.status(200).send({
-    message: "Successfully reset password"
-  });
-};
+	return res.status(200).send({
+		message: 'Successfully reset password'
+	});
+}

backend/src/controllers/v1/secretController.ts

@@ -1,30 +1,31 @@
-import { Request, Response } from "express";
-import { Types } from "mongoose";
-import { Key } from "../../models";
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
+import { Key, Secret } from '../../models';
 import {
-  pullSecrets as pull,
-  v1PushSecrets as push,
-  reformatPullSecrets
-} from "../../helpers/secret";
-import { pushKeys } from "../../helpers/key";
-import { eventPushSecrets } from "../../events";
-import { EventService } from "../../services";
-import { TelemetryService } from "../../services";
+	v1PushSecrets as push,
+	pullSecrets as pull,
+	reformatPullSecrets
+} from '../../helpers/secret';
+import { pushKeys } from '../../helpers/key';
+import { eventPushSecrets } from '../../events';
+import { EventService } from '../../services';
+import { TelemetryService } from '../../services';
 
 interface PushSecret {
-  ciphertextKey: string;
-  ivKey: string;
-  tagKey: string;
-  hashKey: string;
-  ciphertextValue: string;
-  ivValue: string;
-  tagValue: string;
-  hashValue: string;
-  ciphertextComment: string;
-  ivComment: string;
-  tagComment: string;
-  hashComment: string;
-  type: "shared" | "personal";
+	ciphertextKey: string;
+	ivKey: string;
+	tagKey: string;
+	hashKey: string;
+	ciphertextValue: string;
+	ivValue: string;
+	tagValue: string;
+	hashValue: string;
+	ciphertextComment: string;
+	ivComment: string;
+	tagComment: string;
+	hashComment: string;
+	type: 'shared' | 'personal';
 }
 
 /**
@@ -35,58 +36,71 @@ interface PushSecret {
  * @returns
  */
 export const pushSecrets = async (req: Request, res: Response) => {
-  // upload (encrypted) secrets to workspace with id [workspaceId]
-  const postHogClient = await TelemetryService.getPostHogClient();
-  let { secrets }: { secrets: PushSecret[] } = req.body;
-  const { keys, environment, channel } = req.body;
-  const { workspaceId } = req.params;
+	// upload (encrypted) secrets to workspace with id [workspaceId]
 
-  // validate environment
-  const workspaceEnvs = req.membership.workspace.environments;
-  if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
-    throw new Error("Failed to validate environment");
-  }
+	try {
+		const postHogClient = await TelemetryService.getPostHogClient();
+		let { secrets }: { secrets: PushSecret[] } = req.body;
+		const { keys, environment, channel } = req.body;
+		const { workspaceId } = req.params;
 
-  // sanitize secrets
-  secrets = secrets.filter((s: PushSecret) => s.ciphertextKey !== "" && s.ciphertextValue !== "");
+		// validate environment
+		const workspaceEnvs = req.membership.workspace.environments;
+		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
+			throw new Error('Failed to validate environment');
+		}
 
-  await push({
-    userId: req.user._id,
-    workspaceId,
-    environment,
-    secrets
-  });
+		// sanitize secrets
+		secrets = secrets.filter(
+			(s: PushSecret) => s.ciphertextKey !== '' && s.ciphertextValue !== ''
+		);
 
-  await pushKeys({
-    userId: req.user._id,
-    workspaceId,
-    keys
-  });
+		await push({
+			userId: req.user._id,
+			workspaceId,
+			environment,
+			secrets
+		});
 
-  if (postHogClient) {
-    postHogClient.capture({
-      event: "secrets pushed",
-      distinctId: req.user.email,
-      properties: {
-        numberOfSecrets: secrets.length,
-        environment,
-        workspaceId,
-        channel: channel ? channel : "cli"
-      }
-    });
-  }
+		await pushKeys({
+			userId: req.user._id,
+			workspaceId,
+			keys
+		});
+		
+		
+		if (postHogClient) {
+			postHogClient.capture({
+				event: 'secrets pushed',
+				distinctId: req.user.email,
+				properties: {
+					numberOfSecrets: secrets.length,
+					environment,
+					workspaceId,
+					channel: channel ? channel : 'cli'
+				}
+			});
+		}
 
-  // trigger event - push secrets
-  EventService.handleEvent({
-    event: eventPushSecrets({
-      workspaceId: new Types.ObjectId(workspaceId),
-      environment
-    })
-  });
+		// trigger event - push secrets
+		EventService.handleEvent({
+			event: eventPushSecrets({
+				workspaceId: new Types.ObjectId(workspaceId),
+				environment
+			})
+		});
 
-  return res.status(200).send({
-    message: "Successfully uploaded workspace secrets"
-  });
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to upload workspace secrets'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Successfully uploaded workspace secrets'
+	});
 };
 
 /**
@@ -97,56 +111,64 @@ export const pushSecrets = async (req: Request, res: Response) => {
  * @returns
  */
 export const pullSecrets = async (req: Request, res: Response) => {
-  let secrets;
+	let secrets;
+	let key;
+	try {
+		const postHogClient = await TelemetryService.getPostHogClient();
+		const environment: string = req.query.environment as string;
+		const channel: string = req.query.channel as string;
+		const { workspaceId } = req.params;
 
-  const postHogClient = await TelemetryService.getPostHogClient();
-  const environment: string = req.query.environment as string;
-  const channel: string = req.query.channel as string;
-  const { workspaceId } = req.params;
+		// validate environment
+		const workspaceEnvs = req.membership.workspace.environments;
+		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
+			throw new Error('Failed to validate environment');
+		}
 
-  // validate environment
-  const workspaceEnvs = req.membership.workspace.environments;
-  if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
-    throw new Error("Failed to validate environment");
-  }
+		secrets = await pull({
+			userId: req.user._id.toString(),
+			workspaceId,
+			environment,
+			channel: channel ? channel : 'cli',
+			ipAddress: req.ip
+		});
 
-  secrets = await pull({
-    userId: req.user._id.toString(),
-    workspaceId,
-    environment,
-    channel: channel ? channel : "cli",
-    ipAddress: req.realIP
-  });
+		key = await Key.findOne({
+			workspace: workspaceId,
+			receiver: req.user._id
+		})
+			.sort({ createdAt: -1 })
+			.populate('sender', '+publicKey');
+		
+		if (channel !== 'cli') {
+			secrets = reformatPullSecrets({ secrets });
+		}
 
-  const key = await Key.findOne({
-    workspace: workspaceId,
-    receiver: req.user._id
-  })
-    .sort({ createdAt: -1 })
-    .populate("sender", "+publicKey");
+		if (postHogClient) {
+			// capture secrets pushed event in production
+			postHogClient.capture({
+				distinctId: req.user.email,
+				event: 'secrets pulled',
+				properties: {
+					numberOfSecrets: secrets.length,
+					environment,
+					workspaceId,
+					channel: channel ? channel : 'cli'
+				}
+			});
+		}
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to pull workspace secrets'
+		});
+	}
 
-  if (channel !== "cli") {
-    secrets = reformatPullSecrets({ secrets });
-  }
-
-  if (postHogClient) {
-    // capture secrets pushed event in production
-    postHogClient.capture({
-      distinctId: req.user.email,
-      event: "secrets pulled",
-      properties: {
-        numberOfSecrets: secrets.length,
-        environment,
-        workspaceId,
-        channel: channel ? channel : "cli"
-      }
-    });
-  }
-
-  return res.status(200).send({
-    secrets,
-    key
-  });
+	return res.status(200).send({
+		secrets,
+		key
+	});
 };
 
 /**
@@ -158,51 +180,61 @@ export const pullSecrets = async (req: Request, res: Response) => {
  * @returns
  */
 export const pullSecretsServiceToken = async (req: Request, res: Response) => {
-  const postHogClient = await TelemetryService.getPostHogClient();
-  const environment: string = req.query.environment as string;
-  const channel: string = req.query.channel as string;
-  const { workspaceId } = req.params;
+	let secrets;
+	let key;
+	try {
+		const postHogClient = await TelemetryService.getPostHogClient();
+		const environment: string = req.query.environment as string;
+		const channel: string = req.query.channel as string;
+		const { workspaceId } = req.params;
 
-  // validate environment
-  const workspaceEnvs = req.membership.workspace.environments;
-  if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
-    throw new Error("Failed to validate environment");
-  }
+		// validate environment
+		const workspaceEnvs = req.membership.workspace.environments;
+		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
+			throw new Error('Failed to validate environment');
+		}
 
-  const secrets = await pull({
-    userId: req.serviceToken.user._id.toString(),
-    workspaceId,
-    environment,
-    channel: "cli",
-    ipAddress: req.realIP
-  });
+		secrets = await pull({
+			userId: req.serviceToken.user._id.toString(),
+			workspaceId,
+			environment,
+			channel: 'cli',
+			ipAddress: req.ip
+		});
 
-  const key = {
-    encryptedKey: req.serviceToken.encryptedKey,
-    nonce: req.serviceToken.nonce,
-    sender: {
-      publicKey: req.serviceToken.publicKey
-    },
-    receiver: req.serviceToken.user,
-    workspace: req.serviceToken.workspace
-  };
+		key = {
+			encryptedKey: req.serviceToken.encryptedKey,
+			nonce: req.serviceToken.nonce,
+			sender: {
+				publicKey: req.serviceToken.publicKey
+			},
+			receiver: req.serviceToken.user,
+			workspace: req.serviceToken.workspace
+		};
 
-  if (postHogClient) {
-    // capture secrets pulled event in production
-    postHogClient.capture({
-      distinctId: req.serviceToken.user.email,
-      event: "secrets pulled",
-      properties: {
-        numberOfSecrets: secrets.length,
-        environment,
-        workspaceId,
-        channel: channel ? channel : "cli"
-      }
-    });
-  }
+		if (postHogClient) {
+			// capture secrets pulled event in production
+			postHogClient.capture({
+				distinctId: req.serviceToken.user.email,
+				event: 'secrets pulled',
+				properties: {
+					numberOfSecrets: secrets.length,
+					environment,
+					workspaceId,
+					channel: channel ? channel : 'cli'
+				}
+			});
+		}
+	} catch (err) {
+		Sentry.setUser({ email: req.serviceToken.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to pull workspace secrets'
+		});
+	}
 
-  return res.status(200).send({
-    secrets: reformatPullSecrets({ secrets }),
-    key
-  });
-};
+	return res.status(200).send({
+		secrets: reformatPullSecrets({ secrets }),
+		key
+	});
+};

backend/src/controllers/v1/secretScanningController.ts

@@ -1,89 +0,0 @@
-import { Request, Response } from "express";
-import GitAppInstallationSession from "../../models/gitAppInstallationSession";
-import crypto from "crypto";
-import { Types } from "mongoose";
-import { UnauthorizedRequestError } from "../../utils/errors";
-import GitAppOrganizationInstallation from "../../models/gitAppOrganizationInstallation";
-import { MembershipOrg } from "../../models";
-import GitRisks, { STATUS_UNRESOLVED } from "../../models/gitRisks";
-
-export const createInstallationSession = async (req: Request, res: Response) => {
-  const sessionId = crypto.randomBytes(16).toString("hex");
-  await GitAppInstallationSession.findByIdAndUpdate(
-    req.organization,
-    {
-      organization: new Types.ObjectId(req.organization),
-      sessionId: sessionId,
-      user: new Types.ObjectId(req.user._id)
-    },
-    { upsert: true }
-  ).lean();
-
-  res.send({
-    sessionId: sessionId
-  })
-}
-
-export const linkInstallationToOrganization = async (req: Request, res: Response) => {
-  const { installationId, sessionId } = req.body
-
-  const installationSession = await GitAppInstallationSession.findOneAndDelete({ sessionId: sessionId })
-  if (!installationSession) {
-    throw UnauthorizedRequestError()
-  }
-
-  const userMembership = await MembershipOrg.find({ user: req.user._id, organization: installationSession.organization })
-  if (!userMembership) {
-    throw UnauthorizedRequestError()
-  }
-
-  const installationLink = await GitAppOrganizationInstallation.findOneAndUpdate({
-    organizationId: installationSession.organization,
-  }, {
-    installationId: installationId,
-    organizationId: installationSession.organization,
-    user: installationSession.user
-  }, {
-    upsert: true
-  }).lean()
-
-  res.json(installationLink)
-}
-
-export const getCurrentOrganizationInstallationStatus = async (req: Request, res: Response) => {
-  const { organizationId } = req.params
-  try {
-    const appInstallation = await GitAppOrganizationInstallation.findOne({ organizationId: organizationId }).lean()
-    if (!appInstallation) {
-      res.json({
-        appInstallationComplete: false
-      })
-    }
-
-    res.json({
-      appInstallationComplete: true
-    })
-  } catch {
-    res.json({
-      appInstallationComplete: false
-    })
-  }
-}
-
-export const getRisksForOrganization = async (req: Request, res: Response) => {
-  const { organizationId } = req.params
-  const risks = await GitRisks.find({ organization: organizationId, status: STATUS_UNRESOLVED }).lean()
-  res.json({
-    risks: risks
-  })
-}
-
-export const updateRisksStatus = async (req: Request, res: Response) => {
-  const { riskId } = req.params
-  const { status } = req.body
-  const risks = await GitRisks.findByIdAndUpdate(riskId, {
-    sttaus: status
-  }).lean()
-
-  res.json(risks)
-}

backend/src/controllers/v1/secretsFolderController.ts

@@ -1,235 +1,89 @@
-import { Request, Response } from "express";
-import { Secret } from "../../models";
-import Folder from "../../models/folder";
-import { BadRequestError } from "../../utils/errors";
-import {
-  appendFolder,
-  deleteFolderById,
-  generateFolderId,
-  getAllFolderIds,
-  getFolderByPath,
-  getParentFromFolderId,
-  searchByFolderId,
-  searchByFolderIdWithDir,
-  validateFolderName,
-} from "../../services/FolderService";
-import { ADMIN, MEMBER } from "../../variables";
-import { validateMembership } from "../../helpers/membership";
-import { FolderVersion } from "../../ee/models";
-import { EESecretService } from "../../ee/services";
+import { Request, Response } from 'express';
+import { Secret } from '../../models';
+import Folder from '../../models/folder';
+import { BadRequestError } from '../../utils/errors';
+import { ROOT_FOLDER_PATH, getFolderPath, getParentPath, normalizePath, validateFolderName } from '../../utils/folder';
+import { ADMIN, MEMBER } from '../../variables';
+import { validateMembership } from '../../helpers/membership';
 
 // TODO
 // verify workspace id/environment
 export const createFolder = async (req: Request, res: Response) => {
-  const { workspaceId, environment, folderName, parentFolderId } = req.body;
+  const { workspaceId, environment, folderName, parentFolderId } = req.body
   if (!validateFolderName(folderName)) {
-    throw BadRequestError({
-      message: "Folder name cannot contain spaces. Only underscore and dashes",
-    });
+    throw BadRequestError({ message: "Folder name cannot contain spaces. Only underscore and dashes" })
   }
 
-  const folders = await Folder.findOne({
+  if (parentFolderId) {
+    const parentFolder = await Folder.find({ environment: environment, workspace: workspaceId, id: parentFolderId });
+    if (!parentFolder) {
+      throw BadRequestError({ message: "The parent folder doesn't exist" })
+    }
+  }
+
+  let completePath = await getFolderPath(parentFolderId)
+  if (completePath == ROOT_FOLDER_PATH) {
+    completePath = ""
+  }
+
+  const currentFolderPath = completePath + "/" + folderName // construct new path with current folder to be created
+  const normalizedCurrentPath = normalizePath(currentFolderPath)
+  const normalizedParentPath = getParentPath(normalizedCurrentPath)
+
+  const existingFolder = await Folder.findOne({
+    name: folderName,
     workspace: workspaceId,
-    environment,
-  }).lean();
-  // space has no folders initialized
-  if (!folders) {
-    const id = generateFolderId();
-    const folder = new Folder({
-      workspace: workspaceId,
-      environment,
-      nodes: {
-        id: "root",
-        name: "root",
-        version: 1,
-        children: [{ id, name: folderName, children: [], version: 1 }],
-      },
-    });
-    await folder.save();
-    const folderVersion = new FolderVersion({
-      workspace: workspaceId,
-      environment,
-      nodes: folder.nodes,
-    });
-    await folderVersion.save();
-    await EESecretService.takeSecretSnapshot({
-      workspaceId,
-      environment,
-    });
-    return res.json({ folder: { id, name: folderName } });
+    environment: environment,
+    parent: parentFolderId,
+    path: normalizedCurrentPath
+  });
+
+  if (existingFolder) {
+    return res.json(existingFolder)
   }
 
-  const folder = appendFolder(folders.nodes, { folderName, parentFolderId });
-  await Folder.findByIdAndUpdate(folders._id, folders);
-
-  const parentFolder = searchByFolderId(folders.nodes, parentFolderId);
-  const folderVersion = new FolderVersion({
+  const newFolder = new Folder({
+    name: folderName,
     workspace: workspaceId,
-    environment,
-    nodes: parentFolder,
-  });
-  await folderVersion.save();
-
-  await EESecretService.takeSecretSnapshot({
-    workspaceId,
-    environment,
-    folderId: parentFolderId,
+    environment: environment,
+    parent: parentFolderId,
+    path: normalizedCurrentPath,
+    parentPath: normalizedParentPath
   });
 
-  return res.json({ folder });
-};
+  await newFolder.save();
 
-export const updateFolderById = async (req: Request, res: Response) => {
-  const { folderId } = req.params;
-  const { name, workspaceId, environment } = req.body;
-
-  const folders = await Folder.findOne({ workspace: workspaceId, environment });
-  if (!folders) {
-    throw BadRequestError({ message: "The folder doesn't exist" });
-  }
-
-  // check that user is a member of the workspace
-  await validateMembership({
-    userId: req.user._id.toString(),
-    workspaceId,
-    acceptedRoles: [ADMIN, MEMBER],
-  });
-
-  const parentFolder = getParentFromFolderId(folders.nodes, folderId);
-  if (!parentFolder) {
-    throw BadRequestError({ message: "The folder doesn't exist" });
-  }
-  const folder = parentFolder.children.find(({ id }) => id === folderId);
-  if (!folder) {
-    throw BadRequestError({ message: "The folder doesn't exist" });
-  }
-
-  parentFolder.version += 1;
-  folder.name = name;
-
-  await Folder.findByIdAndUpdate(folders._id, folders);
-  const folderVersion = new FolderVersion({
-    workspace: workspaceId,
-    environment,
-    nodes: parentFolder,
-  });
-  await folderVersion.save();
-
-  await EESecretService.takeSecretSnapshot({
-    workspaceId,
-    environment,
-    folderId: parentFolder.id,
-  });
-
-  return res.json({
-    message: "Successfully updated folder",
-    folder: { name: folder.name, id: folder.id },
-  });
-};
+  return res.json(newFolder)
+}
 
 export const deleteFolder = async (req: Request, res: Response) => {
-  const { folderId } = req.params;
-  const { workspaceId, environment } = req.body;
+  const { folderId } = req.params
+  const queue: any[] = [folderId];
 
-  const folders = await Folder.findOne({ workspace: workspaceId, environment });
-  if (!folders) {
-    throw BadRequestError({ message: "The folder doesn't exist" });
+  const folder = await Folder.findById(folderId);
+  if (!folder) {
+    throw BadRequestError({ message: "The folder doesn't exist" })
   }
 
   // check that user is a member of the workspace
   await validateMembership({
     userId: req.user._id.toString(),
-    workspaceId,
-    acceptedRoles: [ADMIN, MEMBER],
+    workspaceId: folder.workspace as any,
+    acceptedRoles: [ADMIN, MEMBER]
   });
 
-  const delOp = deleteFolderById(folders.nodes, folderId);
-  if (!delOp) {
-    throw BadRequestError({ message: "The folder doesn't exist" });
-  }
-  const { deletedNode: delFolder, parent: parentFolder } = delOp;
+  while (queue.length > 0) {
+    const currentFolderId = queue.shift();
 
-  parentFolder.version += 1;
-  const delFolderIds = getAllFolderIds(delFolder);
-
-  await Folder.findByIdAndUpdate(folders._id, folders);
-  const folderVersion = new FolderVersion({
-    workspace: workspaceId,
-    environment,
-    nodes: parentFolder,
-  });
-  await folderVersion.save();
-  if (delFolderIds.length) {
-    await Secret.deleteMany({
-      folder: { $in: delFolderIds.map(({ id }) => id) },
-      workspace: workspaceId,
-      environment,
-    });
-  }
-
-  await EESecretService.takeSecretSnapshot({
-    workspaceId,
-    environment,
-    folderId: parentFolder.id,
-  });
-
-  res.send({ message: "successfully deleted folders", folders: delFolderIds });
-};
-
-// TODO: validate workspace
-export const getFolders = async (req: Request, res: Response) => {
-  const { workspaceId, environment, parentFolderId, parentFolderPath } =
-    req.query as {
-      workspaceId: string;
-      environment: string;
-      parentFolderId?: string;
-      parentFolderPath?: string;
-    };
-
-  const folders = await Folder.findOne({ workspace: workspaceId, environment });
-  if (!folders) {
-    res.send({ folders: [], dir: [] });
-    return;
-  }
-
-  // check that user is a member of the workspace
-  await validateMembership({
-    userId: req.user._id.toString(),
-    workspaceId,
-    acceptedRoles: [ADMIN, MEMBER],
-  });
-
-  // if instead of parentFolderId given a path like /folder1/folder2
-  if (parentFolderPath) {
-    const folder = getFolderByPath(folders.nodes, parentFolderPath);
-    if (!folder) {
-      res.send({ folders: [], dir: [] });
-      return;
+    const childFolders = await Folder.find({ parent: currentFolderId });
+    for (const childFolder of childFolders) {
+      queue.push(childFolder._id);
     }
-    // dir is not needed at present as this is only used in overview section of secrets
-    res.send({
-      folders: folder.children.map(({ id, name }) => ({ id, name })),
-      dir: [{ name: folder.name, id: folder.id }],
-    });
+
+    await Secret.deleteMany({ folder: currentFolderId });
+
+    await Folder.deleteOne({ _id: currentFolderId });
   }
 
-  if (!parentFolderId) {
-    const rootFolders = folders.nodes.children.map(({ id, name }) => ({
-      id,
-      name,
-    }));
-    res.send({ folders: rootFolders });
-    return;
-  }
-
-  const folderBySearch = searchByFolderIdWithDir(folders.nodes, parentFolderId);
-  if (!folderBySearch) {
-    throw BadRequestError({ message: "The folder doesn't exist" });
-  }
-  const { folder, dir } = folderBySearch;
-
-  res.send({
-    folders: folder.children.map(({ id, name }) => ({ id, name })),
-    dir,
-  });
-};
+  res.send()
+}

backend/src/controllers/v1/serviceTokenController.ts

@@ -1,7 +1,7 @@
-import { Request, Response } from "express";
-import { ServiceToken } from "../../models";
-import { createToken } from "../../helpers/auth";
-import { getJwtServiceSecret } from "../../config";
+import { Request, Response } from 'express';
+import { ServiceToken } from '../../models';
+import { createToken } from '../../helpers/auth';
+import { getJwtServiceSecret } from '../../config';
 
 /**
  * Return service token on request
@@ -11,7 +11,7 @@ import { getJwtServiceSecret } from "../../config";
  */
 export const getServiceToken = async (req: Request, res: Response) => {
 	return res.status(200).send({
-		serviceToken: req.serviceToken,
+		serviceToken: req.serviceToken
 	});
 };
 
@@ -31,13 +31,13 @@ export const createServiceToken = async (req: Request, res: Response) => {
 			expiresIn,
 			publicKey,
 			encryptedKey,
-			nonce,
+			nonce
 		} = req.body;
 
 		// validate environment
 		const workspaceEnvs = req.membership.workspace.environments;
 		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
-			throw new Error("Failed to validate environment");
+			throw new Error('Failed to validate environment');
 		}
 
 		// compute access token expiration date
@@ -52,24 +52,24 @@ export const createServiceToken = async (req: Request, res: Response) => {
 			expiresAt,
 			publicKey,
 			encryptedKey,
-			nonce,
+			nonce
 		}).save();
 
 		token = createToken({
 			payload: {
 				serviceTokenId: serviceToken._id.toString(),
-				workspaceId,
+				workspaceId
 			},
 			expiresIn: expiresIn,
-			secret: await getJwtServiceSecret(),
+			secret: await getJwtServiceSecret()
 		});
 	} catch (err) {
 		return res.status(400).send({
-			message: "Failed to create service token",
+			message: 'Failed to create service token'
 		});
 	}
 
 	return res.status(200).send({
-		token,
+		token
 	});
 };

backend/src/controllers/v1/signupController.ts

@@ -1,15 +1,13 @@
-import { Request, Response } from "express";
-import { User } from "../../models";
-import { checkEmailVerification, sendEmailVerification } from "../../helpers/signup";
-import { createToken } from "../../helpers/auth";
-import { BadRequestError } from "../../utils/errors";
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { User } from '../../models';
 import {
-  getInviteOnlySignup,
-  getJwtSignupLifetime,
-  getJwtSignupSecret,
-  getSmtpConfigured
-} from "../../config";
-import { validateUserEmail } from "../../validation";
+	sendEmailVerification,
+	checkEmailVerification,
+} from '../../helpers/signup';
+import { createToken } from '../../helpers/auth';
+import { BadRequestError } from '../../utils/errors';
+import { getInviteOnlySignup, getJwtSignupLifetime, getJwtSignupSecret, getSmtpConfigured } from '../../config';
 
 /**
  * Signup step 1: Initialize account for user under email [email] and send a verification code
@@ -19,26 +17,40 @@ import { validateUserEmail } from "../../validation";
  * @returns
  */
 export const beginEmailSignup = async (req: Request, res: Response) => {
-  const email: string = req.body.email;
+	let email: string;
+	try {
+		email = req.body.email;
 
-  // validate that email is not disposable
-  validateUserEmail(email);
+		if (await getInviteOnlySignup()) {
+			// Only one user can create an account without being invited. The rest need to be invited in order to make an account
+			const userCount = await User.countDocuments({})
+			if (userCount != 0) {
+				throw BadRequestError({ message: "New user sign ups are not allowed at this time. You must be invited to sign up." })
+			}
+		}
 
-  const user = await User.findOne({ email }).select("+publicKey");
-  if (user && user?.publicKey) {
-    // case: user has already completed account
+		const user = await User.findOne({ email }).select('+publicKey');
+		if (user && user?.publicKey) {
+			// case: user has already completed account
 
-    return res.status(403).send({
-      error: "Failed to send email verification code for complete account"
-    });
-  }
+			return res.status(403).send({
+				error: 'Failed to send email verification code for complete account'
+			});
+		}
 
-  // send send verification email
-  await sendEmailVerification({ email });
+		// send send verification email
+		await sendEmailVerification({ email });
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			error: 'Failed to send email verification code'
+		});
+	}
 
-  return res.status(200).send({
-    message: `Sent an email verification code to ${email}`
-  });
+	return res.status(200).send({
+		message: `Sent an email verification code to ${email}`
+	});
 };
 
 /**
@@ -49,54 +61,52 @@ export const beginEmailSignup = async (req: Request, res: Response) => {
  * @returns
  */
 export const verifyEmailSignup = async (req: Request, res: Response) => {
-  let user;
-  const { email, code } = req.body;
+	let user, token;
+	try {
+		const { email, code } = req.body;
 
-  // initialize user account
-  user = await User.findOne({ email }).select("+publicKey");
-  if (user && user?.publicKey) {
-    // case: user has already completed account
-    return res.status(403).send({
-      error: "Failed email verification for complete user"
-    });
-  }
+		// initialize user account
+		user = await User.findOne({ email }).select('+publicKey');
+		if (user && user?.publicKey) {
+			// case: user has already completed account
+			return res.status(403).send({
+				error: 'Failed email verification for complete user'
+			});
+		}
 
-  if (await getInviteOnlySignup()) {
-    // Only one user can create an account without being invited. The rest need to be invited in order to make an account
-    const userCount = await User.countDocuments({});
-    if (userCount != 0) {
-      throw BadRequestError({
-        message: "New user sign ups are not allowed at this time. You must be invited to sign up."
-      });
-    }
-  }
+		// verify email
+		if (await getSmtpConfigured()) {
+			await checkEmailVerification({
+				email,
+				code
+			});
+		}
 
-  // verify email
-  if (await getSmtpConfigured()) {
-    await checkEmailVerification({
-      email,
-      code
-    });
-  }
+		if (!user) {
+			user = await new User({
+				email
+			}).save();
+		}
 
-  if (!user) {
-    user = await new User({
-      email
-    }).save();
-  }
+		// generate temporary signup token
+		token = createToken({
+			payload: {
+				userId: user._id.toString()
+			},
+			expiresIn: await getJwtSignupLifetime(),
+			secret: await getJwtSignupSecret()
+		});
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			error: 'Failed email verification'
+		});
+	}
 
-  // generate temporary signup token
-  const token = createToken({
-    payload: {
-      userId: user._id.toString()
-    },
-    expiresIn: await getJwtSignupLifetime(),
-    secret: await getJwtSignupSecret()
-  });
-
-  return res.status(200).send({
-    message: "Successfuly verified email",
-    user,
-    token
-  });
+	return res.status(200).send({
+		message: 'Successfuly verified email',
+		user,
+		token
+	});
 };

backend/src/controllers/v1/stripeController.ts

@@ -0,0 +1,41 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import Stripe from 'stripe';
+import { getStripeSecretKey, getStripeWebhookSecret } from '../../config';
+
+/**
+ * Handle service provisioning/un-provisioning via Stripe
+ * @param req
+ * @param res
+ * @returns
+ */
+export const handleWebhook = async (req: Request, res: Response) => {
+	let event;
+	try {
+		// check request for valid stripe signature
+		const stripe = new Stripe(await getStripeSecretKey(), {
+			apiVersion: '2022-08-01'
+		});
+
+		const sig = req.headers['stripe-signature'] as string;
+		event = stripe.webhooks.constructEvent(
+			req.body,
+			sig,
+			await getStripeWebhookSecret()
+		);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			error: 'Failed to process webhook'
+		});
+	}
+
+	switch (event.type) {
+		case '':
+			break;
+		default:
+	}
+
+	return res.json({ received: true });
+};

backend/src/controllers/v1/userActionController.ts

@@ -1,5 +1,6 @@
-import { Request, Response } from "express";
-import { UserAction } from "../../models";
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { UserAction } from '../../models';
 
 /**
  * Add user action [action]
@@ -10,23 +11,32 @@ import { UserAction } from "../../models";
 export const addUserAction = async (req: Request, res: Response) => {
 	// add/record new action [action] for user with id [req.user._id]
 
-  const { action } = req.body;
+	let userAction;
+	try {
+		const { action } = req.body;
 
-  const userAction = await UserAction.findOneAndUpdate(
-    {
-      user: req.user._id,
-      action,
-    },
-    { user: req.user._id, action },
-    {
-      new: true,
-      upsert: true,
-    }
-  );
+		userAction = await UserAction.findOneAndUpdate(
+			{
+				user: req.user._id,
+				action
+			},
+			{ user: req.user._id, action },
+			{
+				new: true,
+				upsert: true
+			}
+		);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to record user action'
+		});
+	}
 
 	return res.status(200).send({
-		message: "Successfully recorded user action",
-		userAction,
+		message: 'Successfully recorded user action',
+		userAction
 	});
 };
 
@@ -38,14 +48,23 @@ export const addUserAction = async (req: Request, res: Response) => {
  */
 export const getUserAction = async (req: Request, res: Response) => {
 	// get user action [action] for user with id [req.user._id]
-  const action: string = req.query.action as string;
+	let userAction;
+	try {
+		const action: string = req.query.action as string;
 
-  const userAction = await UserAction.findOne({
-    user: req.user._id,
-    action,
-  });
+		userAction = await UserAction.findOne({
+			user: req.user._id,
+			action
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get user action'
+		});
+	}
 
 	return res.status(200).send({
-		userAction,
+		userAction
 	});
 };

backend/src/controllers/v1/userController.ts

@@ -1,4 +1,4 @@
-import { Request, Response } from "express";
+import { Request, Response } from 'express';
 
 /**
  * Return user on request
@@ -8,6 +8,6 @@ import { Request, Response } from "express";
  */
 export const getUser = async (req: Request, res: Response) => {
 	return res.status(200).send({
-		user: req.user,
+		user: req.user
 	});
 };

backend/src/controllers/v1/workspaceController.ts

@@ -1,18 +1,19 @@
 import { Request, Response } from "express";
+import * as Sentry from "@sentry/node";
 import {
-  IUser,
-  Integration,
-  IntegrationAuth,
+  Workspace,
   Membership,
   MembershipOrg,
+  Integration,
+  IntegrationAuth,
+  IUser,
   ServiceToken,
-  Workspace,
+  ServiceTokenData,
 } from "../../models";
 import {
   createWorkspace as create,
   deleteWorkspace as deleteWork,
 } from "../../helpers/workspace";
-import { EELicenseService } from "../../ee/services";
 import { addMemberships } from "../../helpers/membership";
 import { ADMIN } from "../../variables";
 
@@ -23,18 +24,27 @@ import { ADMIN } from "../../variables";
  * @returns
  */
 export const getWorkspacePublicKeys = async (req: Request, res: Response) => {
-  const { workspaceId } = req.params;
+  let publicKeys;
+  try {
+    const { workspaceId } = req.params;
 
-  const publicKeys = (
-    await Membership.find({
-      workspace: workspaceId,
-    }).populate<{ user: IUser }>("user", "publicKey")
-  ).map((member) => {
-    return {
-      publicKey: member.user.publicKey,
-      userId: member.user._id,
-    };
-  });
+    publicKeys = (
+      await Membership.find({
+        workspace: workspaceId,
+      }).populate<{ user: IUser }>("user", "publicKey")
+    ).map((member) => {
+      return {
+        publicKey: member.user.publicKey,
+        userId: member.user._id,
+      };
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get workspace member public keys",
+    });
+  }
 
   return res.status(200).send({
     publicKeys,
@@ -48,11 +58,20 @@ export const getWorkspacePublicKeys = async (req: Request, res: Response) => {
  * @returns
  */
 export const getWorkspaceMemberships = async (req: Request, res: Response) => {
-  const { workspaceId } = req.params;
+  let users;
+  try {
+    const { workspaceId } = req.params;
 
-  const users = await Membership.find({
-    workspace: workspaceId,
-  }).populate("user", "+publicKey");
+    users = await Membership.find({
+      workspace: workspaceId,
+    }).populate("user", "+publicKey");
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get workspace members",
+    });
+  }
 
   return res.status(200).send({
     users,
@@ -66,11 +85,20 @@ export const getWorkspaceMemberships = async (req: Request, res: Response) => {
  * @returns
  */
 export const getWorkspaces = async (req: Request, res: Response) => {
-  const workspaces = (
-    await Membership.find({
-      user: req.user._id,
-    }).populate("workspace")
-  ).map((m) => m.workspace);
+  let workspaces;
+  try {
+    workspaces = (
+      await Membership.find({
+        user: req.user._id,
+      }).populate("workspace")
+    ).map((m) => m.workspace);
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get workspaces",
+    });
+  }
 
   return res.status(200).send({
     workspaces,
@@ -84,11 +112,20 @@ export const getWorkspaces = async (req: Request, res: Response) => {
  * @returns
  */
 export const getWorkspace = async (req: Request, res: Response) => {
-  const { workspaceId } = req.params;
+  let workspace;
+  try {
+    const { workspaceId } = req.params;
 
-  const workspace = await Workspace.findOne({
-    _id: workspaceId,
-  });
+    workspace = await Workspace.findOne({
+      _id: workspaceId,
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get workspace",
+    });
+  }
 
   return res.status(200).send({
     workspace,
@@ -103,46 +140,43 @@ export const getWorkspace = async (req: Request, res: Response) => {
  * @returns
  */
 export const createWorkspace = async (req: Request, res: Response) => {
-  const { workspaceName, organizationId } = req.body;
+  let workspace;
+  try {
+    const { workspaceName, organizationId } = req.body;
 
-  // validate organization membership
-  const membershipOrg = await MembershipOrg.findOne({
-    user: req.user._id,
-    organization: organizationId,
-  });
+    // validate organization membership
+    const membershipOrg = await MembershipOrg.findOne({
+      user: req.user._id,
+      organization: organizationId,
+    });
 
-  if (!membershipOrg) {
-    throw new Error("Failed to validate organization membership");
-  }
-
-  const plan = await EELicenseService.getPlan(organizationId);
-  
-  if (plan.workspaceLimit !== null) {
-    // case: limit imposed on number of workspaces allowed
-    if (plan.workspacesUsed >= plan.workspaceLimit) {
-      // case: number of workspaces used exceeds the number of workspaces allowed
-      return res.status(400).send({
-        message: "Failed to create workspace due to plan limit reached. Upgrade plan to add more workspaces.",
-      });
+    if (!membershipOrg) {
+      throw new Error("Failed to validate organization membership");
     }
+
+    if (workspaceName.length < 1) {
+      throw new Error("Workspace names must be at least 1-character long");
+    }
+
+    // create workspace and add user as member
+    workspace = await create({
+      name: workspaceName,
+      organizationId,
+    });
+
+    await addMemberships({
+      userIds: [req.user._id],
+      workspaceId: workspace._id.toString(),
+      roles: [ADMIN],
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to create workspace",
+    });
   }
 
-  if (workspaceName.length < 1) {
-    throw new Error("Workspace names must be at least 1-character long");
-  }
-
-  // create workspace and add user as member
-  const workspace = await create({
-    name: workspaceName,
-    organizationId,
-  });
-
-  await addMemberships({
-    userIds: [req.user._id],
-    workspaceId: workspace._id.toString(),
-    roles: [ADMIN],
-  });
-
   return res.status(200).send({
     workspace,
   });
@@ -155,12 +189,20 @@ export const createWorkspace = async (req: Request, res: Response) => {
  * @returns
  */
 export const deleteWorkspace = async (req: Request, res: Response) => {
-  const { workspaceId } = req.params;
+  try {
+    const { workspaceId } = req.params;
 
-  // delete workspace
-  await deleteWork({
-    id: workspaceId,
-  });
+    // delete workspace
+    await deleteWork({
+      id: workspaceId,
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to delete workspace",
+    });
+  }
 
   return res.status(200).send({
     message: "Successfully deleted workspace",
@@ -174,20 +216,29 @@ export const deleteWorkspace = async (req: Request, res: Response) => {
  * @returns
  */
 export const changeWorkspaceName = async (req: Request, res: Response) => {
-  const { workspaceId } = req.params;
-  const { name } = req.body;
+  let workspace;
+  try {
+    const { workspaceId } = req.params;
+    const { name } = req.body;
 
-  const workspace = await Workspace.findOneAndUpdate(
-    {
-      _id: workspaceId,
-    },
-    {
-      name,
-    },
-    {
-      new: true,
-    }
-  );
+    workspace = await Workspace.findOneAndUpdate(
+      {
+        _id: workspaceId,
+      },
+      {
+        name,
+      },
+      {
+        new: true,
+      }
+    );
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to change workspace name",
+    });
+  }
 
   return res.status(200).send({
     message: "Successfully changed workspace name",
@@ -202,11 +253,20 @@ export const changeWorkspaceName = async (req: Request, res: Response) => {
  * @returns
  */
 export const getWorkspaceIntegrations = async (req: Request, res: Response) => {
-  const { workspaceId } = req.params;
+  let integrations;
+  try {
+    const { workspaceId } = req.params;
 
-  const integrations = await Integration.find({
-    workspace: workspaceId,
-  });
+    integrations = await Integration.find({
+      workspace: workspaceId,
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get workspace integrations",
+    });
+  }
 
   return res.status(200).send({
     integrations,
@@ -223,11 +283,20 @@ export const getWorkspaceIntegrationAuthorizations = async (
   req: Request,
   res: Response
 ) => {
-  const { workspaceId } = req.params;
+  let authorizations;
+  try {
+    const { workspaceId } = req.params;
 
-  const authorizations = await IntegrationAuth.find({
-    workspace: workspaceId,
-  });
+    authorizations = await IntegrationAuth.find({
+      workspace: workspaceId,
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get workspace integration authorizations",
+    });
+  }
 
   return res.status(200).send({
     authorizations,
@@ -244,12 +313,21 @@ export const getWorkspaceServiceTokens = async (
   req: Request,
   res: Response
 ) => {
-  const { workspaceId } = req.params;
-  // ?? FIX.
-  const serviceTokens = await ServiceToken.find({
-    user: req.user._id,
-    workspace: workspaceId,
-  });
+  let serviceTokens;
+  try {
+    const { workspaceId } = req.params;
+    // ?? FIX.
+    serviceTokens = await ServiceToken.find({
+      user: req.user._id,
+      workspace: workspaceId,
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get workspace service tokens",
+    });
+  }
 
   return res.status(200).send({
     serviceTokens,

backend/src/controllers/v2/apiKeyDataController.ts

@@ -0,0 +1,104 @@
+import * as Sentry from '@sentry/node';
+import { Request, Response } from 'express';
+import crypto from 'crypto';
+import bcrypt from 'bcrypt';
+import {
+    APIKeyData
+} from '../../models';
+import { getSaltRounds } from '../../config';
+
+/**
+ * Return API key data for user with id [req.user_id]
+ * @param req
+ * @param res 
+ * @returns 
+ */
+export const getAPIKeyData = async (req: Request, res: Response) => {
+    let apiKeyData;
+    try {
+        apiKeyData = await APIKeyData.find({
+            user: req.user._id
+        });
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+        Sentry.captureException(err);
+        return res.status(400).send({
+            message: 'Failed to get API key data'
+        });
+    }
+    
+    return res.status(200).send({
+        apiKeyData
+    });
+}
+
+/**
+ * Create new API key data for user with id [req.user._id]
+ * @param req 
+ * @param res 
+ */
+export const createAPIKeyData = async (req: Request, res: Response) => {
+    let apiKey, apiKeyData;
+    try {
+        const { name, expiresIn } = req.body;
+        
+        const secret = crypto.randomBytes(16).toString('hex');
+        const secretHash = await bcrypt.hash(secret, await getSaltRounds());
+        
+		const expiresAt = new Date();
+		expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
+        
+        apiKeyData = await new APIKeyData({
+            name,
+            lastUsed: new Date(),
+            expiresAt,
+            user: req.user._id,
+            secretHash
+        }).save();
+        
+        // return api key data without sensitive data
+        apiKeyData = await APIKeyData.findById(apiKeyData._id);
+        
+        if (!apiKeyData) throw new Error('Failed to find API key data');
+        
+        apiKey = `ak.${apiKeyData._id.toString()}.${secret}`;
+            
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+        Sentry.captureException(err);
+        return res.status(400).send({
+            message: 'Failed to API key data'
+        });
+    }
+    
+    return res.status(200).send({
+        apiKey,
+        apiKeyData
+    });
+}
+
+/**
+ * Delete API key data with id [apiKeyDataId].
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const deleteAPIKeyData = async (req: Request, res: Response) => {
+    let apiKeyData;
+    try {
+        const { apiKeyDataId } = req.params;
+
+        apiKeyData = await APIKeyData.findByIdAndDelete(apiKeyDataId);
+        
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+        Sentry.captureException(err);
+        return res.status(400).send({
+            message: 'Failed to delete API key data'
+        });
+    }
+    
+    return res.status(200).send({
+        apiKeyData
+    });
+}

backend/src/controllers/v2/authController.ts

@@ -1,27 +1,28 @@
 /* eslint-disable @typescript-eslint/no-var-requires */
-import { Request, Response } from "express";
-import jwt from "jsonwebtoken";
-import * as bigintConversion from "bigint-conversion";
-const jsrp = require("jsrp");
-import { LoginSRPDetail, User } from "../../models";
-import { createToken, issueAuthTokens } from "../../helpers/auth";
-import { checkUserDevice } from "../../helpers/user";
-import { sendMail } from "../../helpers/nodemailer";
-import { TokenService } from "../../services";
-import { EELogService } from "../../ee/services";
-import { BadRequestError, InternalServerError } from "../../utils/errors";
+import { Request, Response } from 'express';
+import jwt from 'jsonwebtoken';
+import * as Sentry from '@sentry/node';
+import * as bigintConversion from 'bigint-conversion';
+const jsrp = require('jsrp');
+import { User, LoginSRPDetail } from '../../models';
+import { issueAuthTokens, createToken } from '../../helpers/auth';
+import { checkUserDevice } from '../../helpers/user';
+import { sendMail } from '../../helpers/nodemailer';
+import { TokenService } from '../../services';
+import { EELogService } from '../../ee/services';
+import { BadRequestError, InternalServerError } from '../../utils/errors';
 import {
-  ACTION_LOGIN,
   TOKEN_EMAIL_MFA,
-} from "../../variables";
-import { getChannelFromUserAgent } from "../../utils/posthog"; // TODO: move this
+  ACTION_LOGIN
+} from '../../variables';
+import { getChannelFromUserAgent } from '../../utils/posthog'; // TODO: move this
 import {
-  getHttpsEnabled,
   getJwtMfaLifetime,
   getJwtMfaSecret,
-} from "../../config";
+  getHttpsEnabled
+} from '../../config';
 
-declare module "jsonwebtoken" {
+declare module 'jsonwebtoken' {
   export interface UserIDJwtPayload extends jwt.JwtPayload {
     userId: string;
   }
@@ -34,40 +35,47 @@ declare module "jsonwebtoken" {
  * @returns
  */
 export const login1 = async (req: Request, res: Response) => {
-  const {
-    email,
-    clientPublicKey,
-  }: { email: string; clientPublicKey: string } = req.body;
+  try {
+    const {
+      email,
+      clientPublicKey
+    }: { email: string; clientPublicKey: string } = req.body;
 
-  const user = await User.findOne({
-    email,
-  }).select("+salt +verifier");
+    const user = await User.findOne({
+      email
+    }).select('+salt +verifier');
 
-  if (!user) throw new Error("Failed to find user");
+    if (!user) throw new Error('Failed to find user');
 
-  const server = new jsrp.server();
-  server.init(
-    {
-      salt: user.salt,
-      verifier: user.verifier,
-    },
-    async () => {
-      // generate server-side public key
-      const serverPublicKey = server.getPublicKey();
-
-      await LoginSRPDetail.findOneAndReplace({ email: email }, {
-        email: email,
-        clientPublicKey: clientPublicKey,
-        serverBInt: bigintConversion.bigintToBuf(server.bInt),
-      }, { upsert: true, returnNewDocument: false });
-
-      return res.status(200).send({
-        serverPublicKey,
+    const server = new jsrp.server();
+    server.init(
+      {
         salt: user.salt,
-      });
-    }
-  );
-  
+        verifier: user.verifier
+      },
+      async () => {
+        // generate server-side public key
+        const serverPublicKey = server.getPublicKey();
+
+        await LoginSRPDetail.findOneAndReplace({ email: email }, {
+          email: email,
+          clientPublicKey: clientPublicKey,
+          serverBInt: bigintConversion.bigintToBuf(server.bInt),
+        }, { upsert: true, returnNewDocument: false });
+
+        return res.status(200).send({
+          serverPublicKey,
+          salt: user.salt
+        });
+      }
+    );
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: 'Failed to start authentication process'
+    });
+  }
 };
 
 /**
@@ -78,143 +86,149 @@ export const login1 = async (req: Request, res: Response) => {
  * @returns
  */
 export const login2 = async (req: Request, res: Response) => {
-  if (!req.headers["user-agent"]) throw InternalServerError({ message: "User-Agent header is required" });
+  try {
 
-  const { email, clientProof } = req.body;
-  const user = await User.findOne({
-    email,
-  }).select("+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag +devices");
+    if (!req.headers['user-agent']) throw InternalServerError({ message: 'User-Agent header is required' });
 
-  if (!user) throw new Error("Failed to find user");
+    const { email, clientProof } = req.body;
+    const user = await User.findOne({
+      email
+    }).select('+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag');
 
-  const loginSRPDetail = await LoginSRPDetail.findOneAndDelete({ email: email })
+    if (!user) throw new Error('Failed to find user');
 
-  if (!loginSRPDetail) {
-    return BadRequestError(Error("Failed to find login details for SRP"))
-  }
+    const loginSRPDetail = await LoginSRPDetail.findOneAndDelete({ email: email })
 
-  const server = new jsrp.server();
-  server.init(
-    {
-      salt: user.salt,
-      verifier: user.verifier,
-      b: loginSRPDetail.serverBInt,
-    },
-    async () => {
-      server.setClientPublicKey(loginSRPDetail.clientPublicKey);
-
-      // compare server and client shared keys
-      if (server.checkClientProof(clientProof)) {
-        if (user.isMfaEnabled) {
-          // case: user has MFA enabled
-
-          // generate temporary MFA token
-          const token = createToken({
-            payload: {
-              userId: user._id.toString(),
-            },
-            expiresIn: await getJwtMfaLifetime(),
-            secret: await getJwtMfaSecret(),
-          });
-
-          const code = await TokenService.createToken({
-            type: TOKEN_EMAIL_MFA,
-            email,
-          });
-
-          // send MFA code [code] to [email]
-          await sendMail({
-            template: "emailMfa.handlebars",
-            subjectLine: "Infisical MFA code",
-            recipients: [email],
-            substitutions: {
-              code,
-            },
-          });
-
-          return res.status(200).send({
-            mfaEnabled: true,
-            token,
-          });
-        }
-
-        await checkUserDevice({
-          user,
-          ip: req.realIP,
-          userAgent: req.headers["user-agent"] ?? "",
-        });
-
-        // issue tokens
-        const tokens = await issueAuthTokens({ 
-          userId: user._id,
-          ip: req.realIP,
-          userAgent: req.headers["user-agent"] ?? "",
-        });
-
-        // store (refresh) token in httpOnly cookie
-        res.cookie("jid", tokens.refreshToken, {
-          httpOnly: true,
-          path: "/",
-          sameSite: "strict",
-          secure: await getHttpsEnabled(),
-        });
-
-        // case: user does not have MFA enabled
-        // return (access) token in response
-
-        interface ResponseData {
-          mfaEnabled: boolean;
-          encryptionVersion: any;
-          protectedKey?: string;
-          protectedKeyIV?: string;
-          protectedKeyTag?: string;
-          token: string;
-          publicKey?: string;
-          encryptedPrivateKey?: string;
-          iv?: string;
-          tag?: string;
-        }
-
-        const response: ResponseData = {
-          mfaEnabled: false,
-          encryptionVersion: user.encryptionVersion,
-          token: tokens.token,
-          publicKey: user.publicKey,
-          encryptedPrivateKey: user.encryptedPrivateKey,
-          iv: user.iv,
-          tag: user.tag,
-        }
-
-        if (
-          user?.protectedKey &&
-          user?.protectedKeyIV &&
-          user?.protectedKeyTag
-        ) {
-          response.protectedKey = user.protectedKey;
-          response.protectedKeyIV = user.protectedKeyIV
-          response.protectedKeyTag = user.protectedKeyTag;
-        }
-
-        const loginAction = await EELogService.createAction({
-          name: ACTION_LOGIN,
-          userId: user._id,
-        });
-
-        loginAction && await EELogService.createLog({
-          userId: user._id,
-          actions: [loginAction],
-          channel: getChannelFromUserAgent(req.headers["user-agent"]),
-          ipAddress: req.ip,
-        });
-
-        return res.status(200).send(response);
-      }
-
-      return res.status(400).send({
-        message: "Failed to authenticate. Try again?",
-      });
+    if (!loginSRPDetail) {
+      return BadRequestError(Error("Failed to find login details for SRP"))
     }
-  );
+
+    const server = new jsrp.server();
+    server.init(
+      {
+        salt: user.salt,
+        verifier: user.verifier,
+        b: loginSRPDetail.serverBInt
+      },
+      async () => {
+        server.setClientPublicKey(loginSRPDetail.clientPublicKey);
+
+        // compare server and client shared keys
+        if (server.checkClientProof(clientProof)) {
+
+          if (user.isMfaEnabled) {
+            // case: user has MFA enabled
+
+            // generate temporary MFA token
+            const token = createToken({
+              payload: {
+                userId: user._id.toString()
+              },
+              expiresIn: await getJwtMfaLifetime(),
+              secret: await getJwtMfaSecret()
+            });
+
+            const code = await TokenService.createToken({
+              type: TOKEN_EMAIL_MFA,
+              email
+            });
+
+            // send MFA code [code] to [email]
+            await sendMail({
+              template: 'emailMfa.handlebars',
+              subjectLine: 'Infisical MFA code',
+              recipients: [email],
+              substitutions: {
+                code
+              }
+            });
+
+            return res.status(200).send({
+              mfaEnabled: true,
+              token
+            });
+          }
+
+          await checkUserDevice({
+            user,
+            ip: req.ip,
+            userAgent: req.headers['user-agent'] ?? ''
+          });
+
+          // issue tokens
+          const tokens = await issueAuthTokens({ userId: user._id.toString() });
+
+          // store (refresh) token in httpOnly cookie
+          res.cookie('jid', tokens.refreshToken, {
+            httpOnly: true,
+            path: '/',
+            sameSite: 'strict',
+            secure: await getHttpsEnabled()
+          });
+
+          // case: user does not have MFA enablgged
+          // return (access) token in response
+
+          interface ResponseData {
+            mfaEnabled: boolean;
+            encryptionVersion: any;
+            protectedKey?: string;
+            protectedKeyIV?: string;
+            protectedKeyTag?: string;
+            token: string;
+            publicKey?: string;
+            encryptedPrivateKey?: string;
+            iv?: string;
+            tag?: string;
+          }
+
+          const response: ResponseData = {
+            mfaEnabled: false,
+            encryptionVersion: user.encryptionVersion,
+            token: tokens.token,
+            publicKey: user.publicKey,
+            encryptedPrivateKey: user.encryptedPrivateKey,
+            iv: user.iv,
+            tag: user.tag
+          }
+
+          if (
+            user?.protectedKey &&
+            user?.protectedKeyIV &&
+            user?.protectedKeyTag
+          ) {
+            response.protectedKey = user.protectedKey;
+            response.protectedKeyIV = user.protectedKeyIV
+            response.protectedKeyTag = user.protectedKeyTag;
+          }
+
+          const loginAction = await EELogService.createAction({
+            name: ACTION_LOGIN,
+            userId: user._id
+          });
+
+          loginAction && await EELogService.createLog({
+            userId: user._id,
+            actions: [loginAction],
+            channel: getChannelFromUserAgent(req.headers['user-agent']),
+            ipAddress: req.ip
+          });
+
+          return res.status(200).send(response);
+        }
+
+        return res.status(400).send({
+          message: 'Failed to authenticate. Try again?'
+        });
+      }
+    );
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: 'Failed to authenticate. Try again?'
+    });
+  }
 };
 
 /**
@@ -223,25 +237,33 @@ export const login2 = async (req: Request, res: Response) => {
  * @param res 
  */
 export const sendMfaToken = async (req: Request, res: Response) => {
-  const { email } = req.body;
+  try {
+    const { email } = req.body;
 
-  const code = await TokenService.createToken({
-    type: TOKEN_EMAIL_MFA,
-    email,
-  });
+    const code = await TokenService.createToken({
+      type: TOKEN_EMAIL_MFA,
+      email
+    });
 
-  // send MFA code [code] to [email]
-  await sendMail({
-    template: "emailMfa.handlebars",
-    subjectLine: "Infisical MFA code",
-    recipients: [email],
-    substitutions: {
-      code,
-    },
-  });
+    // send MFA code [code] to [email]
+    await sendMail({
+      template: 'emailMfa.handlebars',
+      subjectLine: 'Infisical MFA code',
+      recipients: [email],
+      substitutions: {
+        code
+      }
+    });
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: 'Failed to send MFA code'
+    });
+  }
 
   return res.status(200).send({
-    message: "Successfully sent new MFA code",
+    message: 'Successfully sent new MFA code'
   });
 }
 
@@ -257,36 +279,30 @@ export const verifyMfaToken = async (req: Request, res: Response) => {
   await TokenService.validateToken({
     type: TOKEN_EMAIL_MFA,
     email,
-    token: mfaToken,
+    token: mfaToken
   });
 
   const user = await User.findOne({
-    email,
-  }).select("+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag +devices");
+    email
+  }).select('+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag');
 
-  if (!user) throw new Error("Failed to find user");
-
-  await LoginSRPDetail.deleteOne({ userId: user.id })
+  if (!user) throw new Error('Failed to find user');
 
   await checkUserDevice({
     user,
-    ip: req.realIP,
-    userAgent: req.headers["user-agent"] ?? "",
+    ip: req.ip,
+    userAgent: req.headers['user-agent'] ?? ''
   });
 
   // issue tokens
-  const tokens = await issueAuthTokens({ 
-    userId: user._id,
-    ip: req.realIP,
-    userAgent: req.headers["user-agent"] ?? "",
-  });
+  const tokens = await issueAuthTokens({ userId: user._id.toString() });
 
   // store (refresh) token in httpOnly cookie
-  res.cookie("jid", tokens.refreshToken, {
+  res.cookie('jid', tokens.refreshToken, {
     httpOnly: true,
-    path: "/",
-    sameSite: "strict",
-    secure: await getHttpsEnabled(),
+    path: '/',
+    sameSite: 'strict',
+    secure: await getHttpsEnabled()
   });
 
   interface VerifyMfaTokenRes {
@@ -319,7 +335,7 @@ export const verifyMfaToken = async (req: Request, res: Response) => {
     publicKey: user.publicKey as string,
     encryptedPrivateKey: user.encryptedPrivateKey as string,
     iv: user.iv as string,
-    tag: user.tag as string,
+    tag: user.tag as string
   }
 
   if (user?.protectedKey && user?.protectedKeyIV && user?.protectedKeyTag) {
@@ -330,14 +346,14 @@ export const verifyMfaToken = async (req: Request, res: Response) => {
 
   const loginAction = await EELogService.createAction({
     name: ACTION_LOGIN,
-    userId: user._id,
+    userId: user._id
   });
 
   loginAction && await EELogService.createLog({
     userId: user._id,
     actions: [loginAction],
-    channel: getChannelFromUserAgent(req.headers["user-agent"]),
-    ipAddress: req.realIP,
+    channel: getChannelFromUserAgent(req.headers['user-agent']),
+    ipAddress: req.ip
   });
 
   return res.status(200).send(resObj);

backend/src/controllers/v2/environmentController.ts

@@ -1,17 +1,17 @@
-import { Request, Response } from "express";
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
 import {
-  Integration,
-  Membership,
   Secret,
   ServiceToken,
-  ServiceTokenData,
   Workspace,
-} from "../../models";
-import { SecretVersion } from "../../ee/models";
-import { EELicenseService } from "../../ee/services";
-import { BadRequestError, WorkspaceNotFoundError } from "../../utils/errors";
-import _ from "lodash";
-import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from "../../variables";
+  Integration,
+  ServiceTokenData,
+  Membership,
+} from '../../models';
+import { SecretVersion } from '../../ee/models';
+import { BadRequestError } from '../../utils/errors';
+import _ from 'lodash';
+import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from '../../variables';
 
 /**
  * Create new workspace environment named [environmentName] under workspace with id
@@ -23,45 +23,34 @@ export const createWorkspaceEnvironment = async (
   req: Request,
   res: Response
 ) => {
-
   const { workspaceId } = req.params;
   const { environmentName, environmentSlug } = req.body;
-  const workspace = await Workspace.findById(workspaceId).exec();
-  
-  if (!workspace) throw WorkspaceNotFoundError();
-  
-  const plan = await EELicenseService.getPlan(workspace.organization.toString());
-  
-  if (plan.environmentLimit !== null) {
-    // case: limit imposed on number of environments allowed
-    if (workspace.environments.length >= plan.environmentLimit) {
-      // case: number of environments used exceeds the number of environments allowed
-      
-      return res.status(400).send({
-        message: "Failed to create environment due to environment limit reached. Upgrade plan to create more environments.",
-      });
+  try {
+    const workspace = await Workspace.findById(workspaceId).exec();
+    if (
+      !workspace ||
+      workspace?.environments.find(
+        ({ name, slug }) => slug === environmentSlug || environmentName === name
+      )
+    ) {
+      throw new Error('Failed to create workspace environment');
     }
+
+    workspace?.environments.push({
+      name: environmentName,
+      slug: environmentSlug.toLowerCase(),
+    });
+    await workspace.save();
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: 'Failed to create new workspace environment',
+    });
   }
 
-  if (
-    !workspace ||
-    workspace?.environments.find(
-      ({ name, slug }) => slug === environmentSlug || environmentName === name
-    )
-  ) {
-    throw new Error("Failed to create workspace environment");
-  }
-
-  workspace?.environments.push({
-    name: environmentName,
-    slug: environmentSlug.toLowerCase(),
-  });
-  await workspace.save();
-
-  await EELicenseService.refreshPlan(workspace.organization.toString(), workspaceId);
-
   return res.status(200).send({
-    message: "Successfully created new environment",
+    message: 'Successfully created new environment',
     workspace: workspaceId,
     environment: {
       name: environmentName,
@@ -83,69 +72,77 @@ export const renameWorkspaceEnvironment = async (
 ) => {
   const { workspaceId } = req.params;
   const { environmentName, environmentSlug, oldEnvironmentSlug } = req.body;
-  // user should pass both new slug and env name
-  if (!environmentSlug || !environmentName) {
-    throw new Error("Invalid environment given.");
+  try {
+    // user should pass both new slug and env name
+    if (!environmentSlug || !environmentName) {
+      throw new Error('Invalid environment given.');
+    }
+
+    // atomic update the env to avoid conflict
+    const workspace = await Workspace.findById(workspaceId).exec();
+    if (!workspace) {
+      throw new Error('Failed to create workspace environment');
+    }
+
+    const isEnvExist = workspace.environments.some(
+      ({ name, slug }) =>
+        slug !== oldEnvironmentSlug &&
+        (name === environmentName || slug === environmentSlug)
+    );
+    if (isEnvExist) {
+      throw new Error('Invalid environment given');
+    }
+
+    const envIndex = workspace?.environments.findIndex(
+      ({ slug }) => slug === oldEnvironmentSlug
+    );
+    if (envIndex === -1) {
+      throw new Error('Invalid environment given');
+    }
+
+    workspace.environments[envIndex].name = environmentName;
+    workspace.environments[envIndex].slug = environmentSlug.toLowerCase();
+
+    await workspace.save();
+    await Secret.updateMany(
+      { workspace: workspaceId, environment: oldEnvironmentSlug },
+      { environment: environmentSlug }
+    );
+    await SecretVersion.updateMany(
+      { workspace: workspaceId, environment: oldEnvironmentSlug },
+      { environment: environmentSlug }
+    );
+    await ServiceToken.updateMany(
+      { workspace: workspaceId, environment: oldEnvironmentSlug },
+      { environment: environmentSlug }
+    );
+    await ServiceTokenData.updateMany(
+      { workspace: workspaceId, environment: oldEnvironmentSlug },
+      { environment: environmentSlug }
+    );
+    await Integration.updateMany(
+      { workspace: workspaceId, environment: oldEnvironmentSlug },
+      { environment: environmentSlug }
+    );
+    await Membership.updateMany(
+      {
+        workspace: workspaceId,
+        "deniedPermissions.environmentSlug": oldEnvironmentSlug
+      },
+      { $set: { "deniedPermissions.$[element].environmentSlug": environmentSlug } },
+      { arrayFilters: [{ "element.environmentSlug": oldEnvironmentSlug }] }
+    )
+
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: 'Failed to update workspace environment',
+    });
   }
 
-  // atomic update the env to avoid conflict
-  const workspace = await Workspace.findById(workspaceId).exec();
-  if (!workspace) {
-    throw new Error("Failed to create workspace environment");
-  }
-
-  const isEnvExist = workspace.environments.some(
-    ({ name, slug }) =>
-      slug !== oldEnvironmentSlug &&
-      (name === environmentName || slug === environmentSlug)
-  );
-  if (isEnvExist) {
-    throw new Error("Invalid environment given");
-  }
-
-  const envIndex = workspace?.environments.findIndex(
-    ({ slug }) => slug === oldEnvironmentSlug
-  );
-  if (envIndex === -1) {
-    throw new Error("Invalid environment given");
-  }
-
-  workspace.environments[envIndex].name = environmentName;
-  workspace.environments[envIndex].slug = environmentSlug.toLowerCase();
-
-  await workspace.save();
-  await Secret.updateMany(
-    { workspace: workspaceId, environment: oldEnvironmentSlug },
-    { environment: environmentSlug }
-  );
-  await SecretVersion.updateMany(
-    { workspace: workspaceId, environment: oldEnvironmentSlug },
-    { environment: environmentSlug }
-  );
-  await ServiceToken.updateMany(
-    { workspace: workspaceId, environment: oldEnvironmentSlug },
-    { environment: environmentSlug }
-  );
-  await ServiceTokenData.updateMany(
-    { workspace: workspaceId, environment: oldEnvironmentSlug },
-    { environment: environmentSlug }
-  );
-  await Integration.updateMany(
-    { workspace: workspaceId, environment: oldEnvironmentSlug },
-    { environment: environmentSlug }
-  );
-  await Membership.updateMany(
-    {
-      workspace: workspaceId,
-      "deniedPermissions.environmentSlug": oldEnvironmentSlug,
-    },
-    { $set: { "deniedPermissions.$[element].environmentSlug": environmentSlug } },
-    { arrayFilters: [{ "element.environmentSlug": oldEnvironmentSlug }] }
-  )
-
-
   return res.status(200).send({
-    message: "Successfully update environment",
+    message: 'Successfully update environment',
     workspace: workspaceId,
     environment: {
       name: environmentName,
@@ -166,52 +163,59 @@ export const deleteWorkspaceEnvironment = async (
 ) => {
   const { workspaceId } = req.params;
   const { environmentSlug } = req.body;
-  // atomic update the env to avoid conflict
-  const workspace = await Workspace.findById(workspaceId).exec();
-  if (!workspace) {
-    throw new Error("Failed to create workspace environment");
+  try {
+    // atomic update the env to avoid conflict
+    const workspace = await Workspace.findById(workspaceId).exec();
+    if (!workspace) {
+      throw new Error('Failed to create workspace environment');
+    }
+
+    const envIndex = workspace?.environments.findIndex(
+      ({ slug }) => slug === environmentSlug
+    );
+    if (envIndex === -1) {
+      throw new Error('Invalid environment given');
+    }
+
+    workspace.environments.splice(envIndex, 1);
+    await workspace.save();
+
+    // clean up
+    await Secret.deleteMany({
+      workspace: workspaceId,
+      environment: environmentSlug,
+    });
+    await SecretVersion.deleteMany({
+      workspace: workspaceId,
+      environment: environmentSlug,
+    });
+    await ServiceToken.deleteMany({
+      workspace: workspaceId,
+      environment: environmentSlug,
+    });
+    await ServiceTokenData.deleteMany({
+      workspace: workspaceId,
+      environment: environmentSlug,
+    });
+    await Integration.deleteMany({
+      workspace: workspaceId,
+      environment: environmentSlug,
+    });
+    await Membership.updateMany(
+      { workspace: workspaceId },
+      { $pull: { deniedPermissions: { environmentSlug: environmentSlug } } }
+    )
+
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: 'Failed to delete workspace environment',
+    });
   }
 
-  const envIndex = workspace?.environments.findIndex(
-    ({ slug }) => slug === environmentSlug
-  );
-  if (envIndex === -1) {
-    throw new Error("Invalid environment given");
-  }
-
-  workspace.environments.splice(envIndex, 1);
-  await workspace.save();
-
-  // clean up
-  await Secret.deleteMany({
-    workspace: workspaceId,
-    environment: environmentSlug,
-  });
-  await SecretVersion.deleteMany({
-    workspace: workspaceId,
-    environment: environmentSlug,
-  });
-  await ServiceToken.deleteMany({
-    workspace: workspaceId,
-    environment: environmentSlug,
-  });
-  await ServiceTokenData.deleteMany({
-    workspace: workspaceId,
-    environment: environmentSlug,
-  });
-  await Integration.deleteMany({
-    workspace: workspaceId,
-    environment: environmentSlug,
-  });
-  await Membership.updateMany(
-    { workspace: workspaceId },
-    { $pull: { deniedPermissions: { environmentSlug: environmentSlug } } }
-  );
-
-  await EELicenseService.refreshPlan(workspace.organization.toString(), workspaceId);
-
   return res.status(200).send({
-    message: "Successfully deleted environment",
+    message: 'Successfully deleted environment',
     workspace: workspaceId,
     environment: environmentSlug,
   });
@@ -225,7 +229,7 @@ export const getAllAccessibleEnvironmentsOfWorkspace = async (
   const { workspaceId } = req.params;
   const workspacesUserIsMemberOf = await Membership.findOne({
     workspace: workspaceId,
-    user: req.user,
+    user: req.user
   })
 
   if (!workspacesUserIsMemberOf) {
@@ -249,7 +253,7 @@ export const getAllAccessibleEnvironmentsOfWorkspace = async (
         name: environment.name,
         slug: environment.slug,
         isWriteDenied: isWriteBlocked,
-        isReadDenied: isReadBlocked,
+        isReadDenied: isReadBlocked
       })
     }
   })

backend/src/controllers/v2/index.ts

@@ -1,14 +1,15 @@
-import * as authController from "./authController";
-import * as signupController from "./signupController";
-import * as usersController from "./usersController";
-import * as organizationsController from "./organizationsController";
-import * as workspaceController from "./workspaceController";
-import * as serviceTokenDataController from "./serviceTokenDataController";
-import * as secretController from "./secretController";
-import * as secretsController from "./secretsController";
-import * as serviceAccountsController from "./serviceAccountsController";
-import * as environmentController from "./environmentController";
-import * as tagController from "./tagController";
+import * as authController from './authController';
+import * as signupController from './signupController';
+import * as usersController from './usersController';
+import * as organizationsController from './organizationsController';
+import * as workspaceController from './workspaceController';
+import * as serviceTokenDataController from './serviceTokenDataController';
+import * as apiKeyDataController from './apiKeyDataController';
+import * as secretController from './secretController';
+import * as secretsController from './secretsController';
+import * as serviceAccountsController from './serviceAccountsController';
+import * as environmentController from './environmentController';
+import * as tagController from './tagController';
 
 export {
     authController,
@@ -17,9 +18,10 @@ export {
     organizationsController,
     workspaceController,
     serviceTokenDataController,
+    apiKeyDataController,
     secretController,
     secretsController,
     serviceAccountsController,
     environmentController,
-    tagController,
+    tagController
 }

backend/src/controllers/v2/organizationsController.ts

@@ -1,13 +1,14 @@
-import { Request, Response } from "express";
-import { Types } from "mongoose";
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
 import { 
-    Membership,
     MembershipOrg,
-    ServiceAccount,
+    Membership,
     Workspace,
-} from "../../models";
-import { deleteMembershipOrg } from "../../helpers/membershipOrg";
-import { updateSubscriptionOrgQuantity } from "../../helpers/organization";
+    ServiceAccount
+} from '../../models';
+import { deleteMembershipOrg } from '../../helpers/membershipOrg';
+import { updateSubscriptionOrgQuantity } from '../../helpers/organization';
 
 /**
  * Return memberships for organization with id [organizationId]
@@ -48,14 +49,23 @@ export const getOrganizationMemberships = async (req: Request, res: Response) =>
         }
     }   
     */
-    const { organizationId } = req.params;
+    let memberships;
+    try {
+        const { organizationId } = req.params;
 
-		const memberships = await MembershipOrg.find({
-			organization: organizationId,
-		}).populate("user", "+publicKey");
+		memberships = await MembershipOrg.find({
+			organization: organizationId
+		}).populate('user', '+publicKey');
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get organization memberships'
+		});
+    }
     
     return res.status(200).send({
-        memberships,
+        memberships
     });
 }
 
@@ -118,20 +128,29 @@ export const updateOrganizationMembership = async (req: Request, res: Response)
         }
     }   
     */
-    const { membershipId } = req.params;
-    const { role } = req.body;
-    
-    const membership = await MembershipOrg.findByIdAndUpdate(
-        membershipId,
-        {
-            role,
-        }, {
-            new: true,
-        }
-    );
+    let membership;
+    try {
+        const { membershipId } = req.params;
+        const { role } = req.body;
+        
+        membership = await MembershipOrg.findByIdAndUpdate(
+            membershipId,
+            {
+                role
+            }, {
+                new: true
+            }
+        );
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to update organization membership'
+		});
+    }
     
     return res.status(200).send({
-        membership,
+        membership
     });
 }
 
@@ -178,19 +197,28 @@ export const deleteOrganizationMembership = async (req: Request, res: Response)
         }
     }   
     */
-    const { membershipId } = req.params;
-    
-    // delete organization membership
-    const membership = await deleteMembershipOrg({
-        membershipOrgId: membershipId,
-    });
+    let membership;
+    try {
+        const { membershipId } = req.params;
+        
+        // delete organization membership
+        membership = await deleteMembershipOrg({
+            membershipOrgId: membershipId
+        });
 
-    await updateSubscriptionOrgQuantity({
-			organizationId: membership.organization.toString(),
+        await updateSubscriptionOrgQuantity({
+			organizationId: membership.organization.toString()
 		});
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to delete organization membership'
+		});	
+    }
 
     return res.status(200).send({
-        membership,
+        membership
     });
 }
 
@@ -240,23 +268,23 @@ export const getOrganizationWorkspaces = async (req: Request, res: Response) =>
         (
             await Workspace.find(
                 {
-                    organization: organizationId,
+                    organization: organizationId
                 },
-                "_id"
+                '_id'
             )
         ).map((w) => w._id.toString())
     );
 
     const workspaces = (
         await Membership.find({
-            user: req.user._id,
-        }).populate("workspace")
+            user: req.user._id
+        }).populate('workspace')
     )
     .filter((m) => workspacesSet.has(m.workspace._id.toString()))
     .map((m) => m.workspace);
 
 return res.status(200).send({
-        workspaces,
+        workspaces
     });
 }
 
@@ -269,10 +297,10 @@ export const getOrganizationServiceAccounts = async (req: Request, res: Response
     const { organizationId } = req.params;
     
     const serviceAccounts = await ServiceAccount.find({
-        organization: new Types.ObjectId(organizationId),
+        organization: new Types.ObjectId(organizationId)
     });
     
     return res.status(200).send({
-        serviceAccounts,
+        serviceAccounts
     });
-}
+}

backend/src/controllers/v2/secretController.ts

@@ -1,39 +1,25 @@
+import to from "await-to-js";
 import { Request, Response } from "express";
 import mongoose, { Types } from "mongoose";
 import Secret, { ISecret } from "../../models/secret";
-import {
-  CreateSecretRequestBody,
-  ModifySecretRequestBody,
-  SanitizedSecretForCreate,
-  SanitizedSecretModify
-} from "../../types/secret";
+import { CreateSecretRequestBody, ModifySecretRequestBody, SanitizedSecretForCreate, SanitizedSecretModify } from "../../types/secret";
 const { ValidationError } = mongoose.Error;
-import {
-  BadRequestError,
-  InternalServerError,
-  ValidationError as RouteValidationError,
-  UnauthorizedRequestError
-} from "../../utils/errors";
-import { AnyBulkWriteOperation } from "mongodb";
-import {
-  ALGORITHM_AES_256_GCM,
-  ENCODING_SCHEME_UTF8,
-  SECRET_PERSONAL,
-  SECRET_SHARED
-} from "../../variables";
-import { TelemetryService } from "../../services";
+import { BadRequestError, InternalServerError, UnauthorizedRequestError, ValidationError as RouteValidationError } from '../../utils/errors';
+import { AnyBulkWriteOperation } from 'mongodb';
+import { SECRET_PERSONAL, SECRET_SHARED } from "../../variables";
+import { TelemetryService } from '../../services';
 import { User } from "../../models";
-import { AccountNotFoundError } from "../../utils/errors";
+import { AccountNotFoundError } from '../../utils/errors';
 
 /**
  * Create secret for workspace with id [workspaceId] and environment [environment]
- * @param req
- * @param res
+ * @param req 
+ * @param res 
  */
 export const createSecret = async (req: Request, res: Response) => {
   const postHogClient = await TelemetryService.getPostHogClient();
   const secretToCreate: CreateSecretRequestBody = req.body.secret;
-  const { workspaceId, environment } = req.params;
+  const { workspaceId, environment } = req.params
   const sanitizedSecret: SanitizedSecretForCreate = {
     secretKeyCiphertext: secretToCreate.secretKeyCiphertext,
     secretKeyIV: secretToCreate.secretKeyIV,
@@ -50,44 +36,46 @@ export const createSecret = async (req: Request, res: Response) => {
     workspace: new Types.ObjectId(workspaceId),
     environment,
     type: secretToCreate.type,
-    user: new Types.ObjectId(req.user._id),
-    algorithm: ALGORITHM_AES_256_GCM,
-    keyEncoding: ENCODING_SCHEME_UTF8
-  };
+    user: new Types.ObjectId(req.user._id)
+  }
 
-  const secret = await new Secret(sanitizedSecret).save();
+
+  const [error, secret] = await to(Secret.create(sanitizedSecret).then())
+  if (error instanceof ValidationError) {
+    throw RouteValidationError({ message: error.message, stack: error.stack })
+  }
 
   if (postHogClient) {
     postHogClient.capture({
-      event: "secrets added",
+      event: 'secrets added',
       distinctId: req.user.email,
       properties: {
         numberOfSecrets: 1,
         workspaceId,
         environment,
-        channel: req.headers?.["user-agent"]?.toLowerCase().includes("mozilla") ? "web" : "cli",
-        userAgent: req.headers?.["user-agent"]
+        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
+        userAgent: req.headers?.['user-agent']
       }
     });
   }
 
   res.status(200).send({
     secret
-  });
-};
+  })
+}
 
 /**
- * Create many secrets for workspace with id [workspaceId] and environment [environment]
- * @param req
- * @param res
+ * Create many secrets for workspace wiht id [workspaceId] and environment [environment]
+ * @param req 
+ * @param res 
  */
 export const createSecrets = async (req: Request, res: Response) => {
   const postHogClient = await TelemetryService.getPostHogClient();
   const secretsToCreate: CreateSecretRequestBody[] = req.body.secrets;
-  const { workspaceId, environment } = req.params;
-  const sanitizedSecretesToCreate: SanitizedSecretForCreate[] = [];
+  const { workspaceId, environment } = req.params
+  const sanitizedSecretesToCreate: SanitizedSecretForCreate[] = []
 
-  secretsToCreate.forEach((rawSecret) => {
+  secretsToCreate.forEach(rawSecret => {
     const safeUpdateFields: SanitizedSecretForCreate = {
       secretKeyCiphertext: rawSecret.secretKeyCiphertext,
       secretKeyIV: rawSecret.secretKeyIV,
@@ -104,132 +92,141 @@ export const createSecrets = async (req: Request, res: Response) => {
       workspace: new Types.ObjectId(workspaceId),
       environment,
       type: rawSecret.type,
-      user: new Types.ObjectId(req.user._id),
-      algorithm: ALGORITHM_AES_256_GCM,
-      keyEncoding: ENCODING_SCHEME_UTF8
-    };
+      user: new Types.ObjectId(req.user._id)
+    }
 
-    sanitizedSecretesToCreate.push(safeUpdateFields);
-  });
+    sanitizedSecretesToCreate.push(safeUpdateFields)
+  })
 
-  const secrets = await Secret.insertMany(sanitizedSecretesToCreate);
+  const [bulkCreateError, secrets] = await to(Secret.insertMany(sanitizedSecretesToCreate).then())
+  if (bulkCreateError) {
+    if (bulkCreateError instanceof ValidationError) {
+      throw RouteValidationError({ message: bulkCreateError.message, stack: bulkCreateError.stack })
+    }
+
+    throw InternalServerError({ message: "Unable to process your batch create request. Please try again", stack: bulkCreateError.stack })
+  }
 
   if (postHogClient) {
     postHogClient.capture({
-      event: "secrets added",
+      event: 'secrets added',
       distinctId: req.user.email,
       properties: {
         numberOfSecrets: (secretsToCreate ?? []).length,
         workspaceId,
         environment,
-        channel: req.headers?.["user-agent"]?.toLowerCase().includes("mozilla") ? "web" : "cli",
-        userAgent: req.headers?.["user-agent"]
+        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
+        userAgent: req.headers?.['user-agent']
       }
     });
   }
 
   res.status(200).send({
     secrets
-  });
-};
+  })
+}
 
 /**
  * Delete secrets in workspace with id [workspaceId] and environment [environment]
- * @param req
- * @param res
+ * @param req 
+ * @param res 
  */
 export const deleteSecrets = async (req: Request, res: Response) => {
   const postHogClient = await TelemetryService.getPostHogClient();
-  const { workspaceId, environmentName } = req.params;
-  const secretIdsToDelete: string[] = req.body.secretIds;
+  const { workspaceId, environmentName } = req.params
+  const secretIdsToDelete: string[] = req.body.secretIds
 
-  const secretIdsUserCanDelete = await Secret.find({ workspace: workspaceId, environment: environmentName }, { _id: 1 });
+  const [secretIdsUserCanDeleteError, secretIdsUserCanDelete] = await to(Secret.find({ workspace: workspaceId, environment: environmentName }, { _id: 1 }).then())
+  if (secretIdsUserCanDeleteError) {
+    throw InternalServerError({ message: `Unable to fetch secrets you own: [error=${secretIdsUserCanDeleteError.message}]` })
+  }
 
-  const secretsUserCanDeleteSet: Set<string> = new Set(
-    secretIdsUserCanDelete.map((objectId) => objectId._id.toString())
-  );
-  const deleteOperationsToPerform: AnyBulkWriteOperation<ISecret>[] = [];
+  const secretsUserCanDeleteSet: Set<string> = new Set(secretIdsUserCanDelete.map(objectId => objectId._id.toString()));
+  const deleteOperationsToPerform: AnyBulkWriteOperation<ISecret>[] = []
 
   let numSecretsDeleted = 0;
-  secretIdsToDelete.forEach((secretIdToDelete) => {
+  secretIdsToDelete.forEach(secretIdToDelete => {
     if (secretsUserCanDeleteSet.has(secretIdToDelete)) {
-      const deleteOperation = {
-        deleteOne: { filter: { _id: new Types.ObjectId(secretIdToDelete) } }
-      };
-      deleteOperationsToPerform.push(deleteOperation);
+      const deleteOperation = { deleteOne: { filter: { _id: new Types.ObjectId(secretIdToDelete) } } }
+      deleteOperationsToPerform.push(deleteOperation)
       numSecretsDeleted++;
     } else {
-      throw RouteValidationError({
-        message: "You cannot delete secrets that you do not have access to"
-      });
+      throw RouteValidationError({ message: "You cannot delete secrets that you do not have access to" })
     }
-  });
+  })
 
-  await Secret.bulkWrite(deleteOperationsToPerform);
+  const [bulkDeleteError, bulkDelete] = await to(Secret.bulkWrite(deleteOperationsToPerform).then())
+  if (bulkDeleteError) {
+    if (bulkDeleteError instanceof ValidationError) {
+      throw RouteValidationError({ message: "Unable to apply modifications, please try again", stack: bulkDeleteError.stack })
+    }
+    throw InternalServerError()
+  }
 
   if (postHogClient) {
     postHogClient.capture({
-      event: "secrets deleted",
+      event: 'secrets deleted',
       distinctId: req.user.email,
       properties: {
         numberOfSecrets: numSecretsDeleted,
         environment: environmentName,
         workspaceId,
-        channel: req.headers?.["user-agent"]?.toLowerCase().includes("mozilla") ? "web" : "cli",
-        userAgent: req.headers?.["user-agent"]
+        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
+        userAgent: req.headers?.['user-agent']
       }
     });
   }
 
-  res.status(200).send();
-};
+  res.status(200).send()
+}
 
 /**
  * Delete secret with id [secretId]
- * @param req
+ * @param req 
  * @param res
  */
 export const deleteSecret = async (req: Request, res: Response) => {
   const postHogClient = await TelemetryService.getPostHogClient();
-  await Secret.findByIdAndDelete(req._secret._id);
+  await Secret.findByIdAndDelete(req._secret._id)
 
   if (postHogClient) {
     postHogClient.capture({
-      event: "secrets deleted",
+      event: 'secrets deleted',
       distinctId: req.user.email,
       properties: {
         numberOfSecrets: 1,
         workspaceId: req._secret.workspace.toString(),
         environment: req._secret.environment,
-        channel: req.headers?.["user-agent"]?.toLowerCase().includes("mozilla") ? "web" : "cli",
-        userAgent: req.headers?.["user-agent"]
+        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
+        userAgent: req.headers?.['user-agent']
       }
     });
   }
 
   res.status(200).send({
     secret: req._secret
-  });
-};
+  })
+}
 
 /**
  * Update secrets for workspace with id [workspaceId] and environment [environment]
- * @param req
- * @param res
- * @returns
+ * @param req 
+ * @param res 
+ * @returns 
  */
 export const updateSecrets = async (req: Request, res: Response) => {
   const postHogClient = await TelemetryService.getPostHogClient();
-  const { workspaceId, environmentName } = req.params;
+  const { workspaceId, environmentName } = req.params
   const secretsModificationsRequested: ModifySecretRequestBody[] = req.body.secrets;
-  const secretIdsUserCanModify = await Secret.find({ workspace: workspaceId, environment: environmentName }, { _id: 1 });
+  const [secretIdsUserCanModifyError, secretIdsUserCanModify] = await to(Secret.find({ workspace: workspaceId, environment: environmentName }, { _id: 1 }).then())
+  if (secretIdsUserCanModifyError) {
+    throw InternalServerError({ message: "Unable to fetch secrets you own" })
+  }
 
-  const secretsUserCanModifySet: Set<string> = new Set(
-    secretIdsUserCanModify.map((objectId) => objectId._id.toString())
-  );
-  const updateOperationsToPerform: any = [];
+  const secretsUserCanModifySet: Set<string> = new Set(secretIdsUserCanModify.map(objectId => objectId._id.toString()));
+  const updateOperationsToPerform: any = []
 
-  secretsModificationsRequested.forEach((userModifiedSecret) => {
+  secretsModificationsRequested.forEach(userModifiedSecret => {
     if (secretsUserCanModifySet.has(userModifiedSecret._id.toString())) {
       const sanitizedSecret: SanitizedSecretModify = {
         secretKeyCiphertext: userModifiedSecret.secretKeyCiphertext,
@@ -243,54 +240,57 @@ export const updateSecrets = async (req: Request, res: Response) => {
         secretCommentCiphertext: userModifiedSecret.secretCommentCiphertext,
         secretCommentIV: userModifiedSecret.secretCommentIV,
         secretCommentTag: userModifiedSecret.secretCommentTag,
-        secretCommentHash: userModifiedSecret.secretCommentHash
-      };
+        secretCommentHash: userModifiedSecret.secretCommentHash,
+      }
 
-      const updateOperation = {
-        updateOne: {
-          filter: { _id: userModifiedSecret._id, workspace: workspaceId },
-          update: { $inc: { version: 1 }, $set: sanitizedSecret }
-        }
-      };
-      updateOperationsToPerform.push(updateOperation);
+      const updateOperation = { updateOne: { filter: { _id: userModifiedSecret._id, workspace: workspaceId }, update: { $inc: { version: 1 }, $set: sanitizedSecret } } }
+      updateOperationsToPerform.push(updateOperation)
     } else {
-      throw UnauthorizedRequestError({
-        message: "You do not have permission to modify one or more of the requested secrets"
-      });
+      throw UnauthorizedRequestError({ message: "You do not have permission to modify one or more of the requested secrets" })
     }
-  });
+  })
 
-  await Secret.bulkWrite(updateOperationsToPerform);
+  const [bulkModificationInfoError, bulkModificationInfo] = await to(Secret.bulkWrite(updateOperationsToPerform).then())
+  if (bulkModificationInfoError) {
+    if (bulkModificationInfoError instanceof ValidationError) {
+      throw RouteValidationError({ message: "Unable to apply modifications, please try again", stack: bulkModificationInfoError.stack })
+    }
+
+    throw InternalServerError()
+  }
 
   if (postHogClient) {
     postHogClient.capture({
-      event: "secrets modified",
+      event: 'secrets modified',
       distinctId: req.user.email,
       properties: {
         numberOfSecrets: (secretsModificationsRequested ?? []).length,
         environment: environmentName,
         workspaceId,
-        channel: req.headers?.["user-agent"]?.toLowerCase().includes("mozilla") ? "web" : "cli",
-        userAgent: req.headers?.["user-agent"]
+        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
+        userAgent: req.headers?.['user-agent']
       }
     });
   }
 
-  return res.status(200).send();
-};
+  return res.status(200).send()
+}
 
 /**
  * Update a secret within workspace with id [workspaceId] and environment [environment]
- * @param req
- * @param res
- * @returns
+ * @param req 
+ * @param res 
+ * @returns 
  */
 export const updateSecret = async (req: Request, res: Response) => {
   const postHogClient = await TelemetryService.getPostHogClient();
-  const { workspaceId, environmentName } = req.params;
+  const { workspaceId, environmentName } = req.params
   const secretModificationsRequested: ModifySecretRequestBody = req.body.secret;
 
-  await Secret.findOne({ workspace: workspaceId, environment: environmentName }, { _id: 1 });
+  const [secretIdUserCanModifyError, secretIdUserCanModify] = await to(Secret.findOne({ workspace: workspaceId, environment: environmentName }, { _id: 1 }).then())
+  if (secretIdUserCanModifyError && !secretIdUserCanModify) {
+    throw BadRequestError()
+  }
 
   const sanitizedSecret: SanitizedSecretModify = {
     secretKeyCiphertext: secretModificationsRequested.secretKeyCiphertext,
@@ -304,55 +304,45 @@ export const updateSecret = async (req: Request, res: Response) => {
     secretCommentCiphertext: secretModificationsRequested.secretCommentCiphertext,
     secretCommentIV: secretModificationsRequested.secretCommentIV,
     secretCommentTag: secretModificationsRequested.secretCommentTag,
-    secretCommentHash: secretModificationsRequested.secretCommentHash
-  };
+    secretCommentHash: secretModificationsRequested.secretCommentHash,
+  }
 
-  const singleModificationUpdate = await Secret.updateOne(
-    { _id: secretModificationsRequested._id, workspace: workspaceId },
-    { $inc: { version: 1 }, $set: sanitizedSecret }
-  )
-  .catch((error) => {
-    if (error instanceof ValidationError) {
-      throw RouteValidationError({
-        message: "Unable to apply modifications, please try again",
-        stack: error.stack
-      });
-    }
-
-    throw error;
-  });
+  const [error, singleModificationUpdate] = await to(Secret.updateOne({ _id: secretModificationsRequested._id, workspace: workspaceId }, { $inc: { version: 1 }, $set: sanitizedSecret }).then())
+  if (error instanceof ValidationError) {
+    throw RouteValidationError({ message: "Unable to apply modifications, please try again", stack: error.stack })
+  }
 
   if (postHogClient) {
     postHogClient.capture({
-      event: "secrets modified",
+      event: 'secrets modified',
       distinctId: req.user.email,
       properties: {
         numberOfSecrets: 1,
         environment: environmentName,
         workspaceId,
-        channel: req.headers?.["user-agent"]?.toLowerCase().includes("mozilla") ? "web" : "cli",
-        userAgent: req.headers?.["user-agent"]
+        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
+        userAgent: req.headers?.['user-agent']
       }
     });
   }
 
-  return res.status(200).send(singleModificationUpdate);
-};
+  return res.status(200).send(singleModificationUpdate)
+}
 
 /**
  * Return secrets for workspace with id [workspaceId], environment [environment] and user
  * with id [req.user._id]
- * @param req
- * @param res
- * @returns
+ * @param req 
+ * @param res 
+ * @returns 
  */
 export const getSecrets = async (req: Request, res: Response) => {
   const postHogClient = await TelemetryService.getPostHogClient();
   const { environment } = req.query;
   const { workspaceId } = req.params;
 
-  let userId: Types.ObjectId | undefined = undefined; // used for getting personal secrets for user
-  let userEmail: string | undefined = undefined; // used for posthog
+  let userId: Types.ObjectId | undefined = undefined // used for getting personal secrets for user
+  let userEmail: string | undefined = undefined // used for posthog 
   if (req.user) {
     userId = req.user._id;
     userEmail = req.user.email;
@@ -360,47 +350,47 @@ export const getSecrets = async (req: Request, res: Response) => {
 
   if (req.serviceTokenData) {
     userId = req.serviceTokenData.user;
-
-    const user = await User.findById(req.serviceTokenData.user, "email");
+    
+    const user = await User.findById(req.serviceTokenData.user, 'email');
     if (!user) throw AccountNotFoundError();
     userEmail = user.email;
   }
 
-  const secrets = await Secret.find({
-    workspace: workspaceId,
-    environment,
-    $or: [{ user: userId }, { user: { $exists: false } }],
-    type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
-  })
-  .catch((err) => {
-    throw RouteValidationError({
-      message: "Failed to get secrets, please try again",
-      stack: err.stack
-    });
-  })
+  const [err, secrets] = await to(Secret.find(
+    {
+      workspace: workspaceId,
+      environment,
+      $or: [{ user: userId }, { user: { $exists: false } }],
+      type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
+    }
+  ).then())
+
+  if (err) {
+    throw RouteValidationError({ message: "Failed to get secrets, please try again", stack: err.stack })
+  }
 
   if (postHogClient) {
     postHogClient.capture({
-      event: "secrets pulled",
+      event: 'secrets pulled',
       distinctId: userEmail,
       properties: {
         numberOfSecrets: (secrets ?? []).length,
         environment,
         workspaceId,
-        channel: req.headers?.["user-agent"]?.toLowerCase().includes("mozilla") ? "web" : "cli",
-        userAgent: req.headers?.["user-agent"]
+        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
+        userAgent: req.headers?.['user-agent']
       }
     });
   }
 
-  return res.json(secrets);
-};
+  return res.json(secrets)
+}
 
 /**
  * Return secret with id [secretId]
- * @param req
- * @param res
- * @returns
+ * @param req 
+ * @param res 
+ * @returns 
  */
 export const getSecret = async (req: Request, res: Response) => {
   // if (postHogClient) {
@@ -420,4 +410,4 @@ export const getSecret = async (req: Request, res: Response) => {
   return res.status(200).send({
     secret: req._secret
   });
-};
+}

backend/src/controllers/v2/serviceAccountsController.ts

@@ -1,18 +1,18 @@
-import { Request, Response } from "express";
-import { Types } from "mongoose";
-import crypto from "crypto";
-import bcrypt from "bcrypt";
+import { Request, Response } from 'express';
+import { Types } from 'mongoose';
+import crypto from 'crypto';
+import bcrypt from 'bcrypt';
 import { 
     ServiceAccount,
     ServiceAccountKey,
     ServiceAccountOrganizationPermission,
-    ServiceAccountWorkspacePermission,
-} from "../../models";
+    ServiceAccountWorkspacePermission
+} from '../../models';
 import {
-    CreateServiceAccountDto,
-} from "../../interfaces/serviceAccounts/dto";
-import { BadRequestError, ServiceAccountNotFoundError } from "../../utils/errors";
-import { getSaltRounds } from "../../config";
+    CreateServiceAccountDto
+} from '../../interfaces/serviceAccounts/dto';
+import { BadRequestError, ServiceAccountNotFoundError } from '../../utils/errors';
+import { getSaltRounds } from '../../config';
 
 /**
  * Return service account tied to the request (service account) client
@@ -23,11 +23,11 @@ export const getCurrentServiceAccount = async (req: Request, res: Response) => {
     const serviceAccount = await ServiceAccount.findById(req.serviceAccount._id);
     
     if (!serviceAccount) {
-        throw ServiceAccountNotFoundError({ message: "Failed to find service account" });
+        throw ServiceAccountNotFoundError({ message: 'Failed to find service account' });
     }
     
     return res.status(200).send({
-        serviceAccount,
+        serviceAccount
     });
 }
 
@@ -42,11 +42,11 @@ export const getServiceAccountById = async (req: Request, res: Response) => {
     const serviceAccount = await ServiceAccount.findById(serviceAccountId);
     
     if (!serviceAccount) {
-        throw ServiceAccountNotFoundError({ message: "Failed to find service account" });
+        throw ServiceAccountNotFoundError({ message: 'Failed to find service account' });
     }
     
     return res.status(200).send({
-        serviceAccount,
+        serviceAccount
     });
 }
 
@@ -71,7 +71,7 @@ export const createServiceAccount = async (req: Request, res: Response) => {
         expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
     }
 
-    const secret = crypto.randomBytes(16).toString("base64");
+    const secret = crypto.randomBytes(16).toString('base64');
     const secretHash = await bcrypt.hash(secret, await getSaltRounds());
     
     // create service account
@@ -82,7 +82,7 @@ export const createServiceAccount = async (req: Request, res: Response) => {
         publicKey,
         lastUsed: new Date(),
         expiresAt,
-        secretHash,
+        secretHash
     }).save();
     
     const serviceAccountObj = serviceAccount.toObject();
@@ -91,14 +91,14 @@ export const createServiceAccount = async (req: Request, res: Response) => {
 
     // provision default org-level permission for service account
     await new ServiceAccountOrganizationPermission({
-        serviceAccount: serviceAccount._id,
+        serviceAccount: serviceAccount._id
     }).save();
     
-    const secretId = Buffer.from(serviceAccount._id.toString(), "hex").toString("base64");
+    const secretId = Buffer.from(serviceAccount._id.toString(), 'hex').toString('base64');
 
     return res.status(200).send({
         serviceAccountAccessKey: `sa.${secretId}.${secret}`,
-        serviceAccount: serviceAccountObj,
+        serviceAccount: serviceAccountObj
     });
 }
 
@@ -114,18 +114,18 @@ export const changeServiceAccountName = async (req: Request, res: Response) => {
     
     const serviceAccount = await ServiceAccount.findOneAndUpdate(
         {
-            _id: new Types.ObjectId(serviceAccountId),
+            _id: new Types.ObjectId(serviceAccountId)
         },
         {
-            name,
+            name
         },
         {
-            new: true,
+            new: true
         }
     );
     
     return res.status(200).send({
-        serviceAccount,
+        serviceAccount
     });
 }
 
@@ -140,7 +140,7 @@ export const addServiceAccountKey = async (req: Request, res: Response) => {
     const {
         workspaceId,
         encryptedKey,
-        nonce,
+        nonce
     } = req.body;
     
     const serviceAccountKey = await new ServiceAccountKey({
@@ -148,7 +148,7 @@ export const addServiceAccountKey = async (req: Request, res: Response) => {
         nonce,
         sender: req.user._id,
         serviceAccount: req.serviceAccount._d,
-        workspace: new Types.ObjectId(workspaceId),
+        workspace: new Types.ObjectId(workspaceId)
     }).save();
 
     return serviceAccountKey;
@@ -161,11 +161,11 @@ export const addServiceAccountKey = async (req: Request, res: Response) => {
  */
 export const getServiceAccountWorkspacePermissions = async (req: Request, res: Response) => {
     const serviceAccountWorkspacePermissions = await ServiceAccountWorkspacePermission.find({
-        serviceAccount: req.serviceAccount._id,
-    }).populate("workspace");
+        serviceAccount: req.serviceAccount._id
+    }).populate('workspace');
     
     return res.status(200).send({
-        serviceAccountWorkspacePermissions,
+        serviceAccountWorkspacePermissions
     });
 }
 
@@ -182,34 +182,34 @@ export const addServiceAccountWorkspacePermission = async (req: Request, res: Re
         read = false,
         write = false,
         encryptedKey,
-        nonce,
+        nonce
     } = req.body;
     
     if (!req.membership.workspace.environments.some((e: { name: string; slug: string }) => e.slug === environment)) {
         return res.status(400).send({
-            message: "Failed to validate workspace environment",
+            message: 'Failed to validate workspace environment'
         });
     }
     
     const existingPermission = await ServiceAccountWorkspacePermission.findOne({
         serviceAccount: new Types.ObjectId(serviceAccountId),
         workspace: new Types.ObjectId(workspaceId),
-        environment,
+        environment
     });
     
-    if (existingPermission) throw BadRequestError({ message: "Failed to add workspace permission to service account due to already-existing " });
+    if (existingPermission) throw BadRequestError({ message: 'Failed to add workspace permission to service account due to already-existing ' });
 
     const serviceAccountWorkspacePermission = await new ServiceAccountWorkspacePermission({
         serviceAccount: new Types.ObjectId(serviceAccountId),
         workspace: new Types.ObjectId(workspaceId),
         environment,
         read,
-        write,
+        write
     }).save();
     
     const existingServiceAccountKey = await ServiceAccountKey.findOne({
         serviceAccount: new Types.ObjectId(serviceAccountId),
-        workspace: new Types.ObjectId(workspaceId), 
+        workspace: new Types.ObjectId(workspaceId) 
     });
     
     if (!existingServiceAccountKey) {
@@ -218,12 +218,12 @@ export const addServiceAccountWorkspacePermission = async (req: Request, res: Re
             nonce,
             sender: req.user._id,
             serviceAccount: new Types.ObjectId(serviceAccountId),
-            workspace: new Types.ObjectId(workspaceId),
+            workspace: new Types.ObjectId(workspaceId)
         }).save();
     }
 
     return res.status(200).send({
-        serviceAccountWorkspacePermission,
+        serviceAccountWorkspacePermission
     });
 }
 
@@ -240,19 +240,19 @@ export const deleteServiceAccountWorkspacePermission = async (req: Request, res:
         const { serviceAccount, workspace } = serviceAccountWorkspacePermission;
         const count = await ServiceAccountWorkspacePermission.countDocuments({
             serviceAccount,
-            workspace,
+            workspace
         });
         
         if (count === 0) {
             await ServiceAccountKey.findOneAndDelete({
                 serviceAccount,
-                workspace,
+                workspace
             });
         }
     }
 
     return res.status(200).send({
-        serviceAccountWorkspacePermission,
+        serviceAccountWorkspacePermission
     });
 }
 
@@ -269,20 +269,20 @@ export const deleteServiceAccount = async (req: Request, res: Response) => {
 
     if (serviceAccount) {
         await ServiceAccountKey.deleteMany({
-            serviceAccount: serviceAccount._id,
+            serviceAccount: serviceAccount._id
         });
 
         await ServiceAccountOrganizationPermission.deleteMany({
-            serviceAccount: new Types.ObjectId(serviceAccountId),
+            serviceAccount: new Types.ObjectId(serviceAccountId)
         });
 
         await ServiceAccountWorkspacePermission.deleteMany({
-            serviceAccount: new Types.ObjectId(serviceAccountId),
+            serviceAccount: new Types.ObjectId(serviceAccountId)
         });
     }
 
     return res.status(200).send({
-        serviceAccount,
+        serviceAccount
     });
 }
 
@@ -297,10 +297,10 @@ export const getServiceAccountKeys = async (req: Request, res: Response) => {
     
     const serviceAccountKeys = await ServiceAccountKey.find({
         serviceAccount: req.serviceAccount._id,
-        ...(workspaceId ? { workspace: new Types.ObjectId(workspaceId) } : {}),
+        ...(workspaceId ? { workspace: new Types.ObjectId(workspaceId) } : {})
     });
     
     return res.status(200).send({
-        serviceAccountKeys,
+        serviceAccountKeys
     });
 }

backend/src/controllers/v2/serviceTokenDataController.ts

@@ -1,21 +1,30 @@
-import { Request, Response } from "express";
-import crypto from "crypto";
-import bcrypt from "bcrypt";
-import { ServiceAccount, ServiceTokenData, User } from "../../models";
-import { AUTH_MODE_JWT, AUTH_MODE_SERVICE_ACCOUNT } from "../../variables";
-import { getSaltRounds } from "../../config";
-import { BadRequestError } from "../../utils/errors";
-import Folder from "../../models/folder";
-import { getFolderByPath } from "../../services/FolderService";
+import * as Sentry from '@sentry/node';
+import { Request, Response } from 'express';
+import crypto from 'crypto';
+import bcrypt from 'bcrypt';
+import {
+    User,
+    ServiceAccount,
+    ServiceTokenData
+} from '../../models';
+import { userHasWorkspaceAccess } from '../../ee/helpers/checkMembershipPermissions';
+import { 
+    PERMISSION_READ_SECRETS,
+    AUTH_MODE_JWT,
+    AUTH_MODE_SERVICE_ACCOUNT,
+    AUTH_MODE_SERVICE_TOKEN
+} from '../../variables';
+import { getSaltRounds } from '../../config';
+import { BadRequestError } from '../../utils/errors';
 
 /**
  * Return service token data associated with service token on request
- * @param req
- * @param res
- * @returns
+ * @param req 
+ * @param res 
+ * @returns 
  */
 export const getServiceTokenData = async (req: Request, res: Response) => {
-  /* 
+    /* 
     #swagger.summary = 'Return Infisical Token data'
     #swagger.description = 'Return Infisical Token data'
     
@@ -28,106 +37,111 @@ export const getServiceTokenData = async (req: Request, res: Response) => {
             "application/json": {
                 "schema": { 
                     "type": "object",
-          "properties": {
+					"properties": {
                         "serviceTokenData": {
                             "type": "object",
                             $ref: "#/components/schemas/ServiceTokenData",
                             "description": "Details of service token"
                         }
-          }
+					}
                 }
             }           
         }
     }   
     */
 
-  if (!(req.authData.authPayload instanceof ServiceTokenData))
-    throw BadRequestError({
-      message: "Failed accepted client validation for service token data"
+    if (!(req.authData.authPayload instanceof ServiceTokenData)) throw BadRequestError({
+        message: 'Failed accepted client validation for service token data'
     });
 
-  const serviceTokenData = await ServiceTokenData.findById(req.authData.authPayload._id)
-    .select("+encryptedKey +iv +tag")
-    .populate("user")
-    .lean();
+    const serviceTokenData = await ServiceTokenData
+        .findById(req.authData.authPayload._id)
+        .select('+encryptedKey +iv +tag')
+        .populate('user');
 
-  return res.status(200).json(serviceTokenData);
-};
+    return res.status(200).json(serviceTokenData);
+}
 
 /**
  * Create new service token data for workspace with id [workspaceId] and
  * environment [environment].
- * @param req
- * @param res
- * @returns
+ * @param req 
+ * @param res 
+ * @returns 
  */
 export const createServiceTokenData = async (req: Request, res: Response) => {
-  let serviceTokenData;
+    let serviceTokenData;
 
-  const { name, workspaceId, encryptedKey, iv, tag, expiresIn, permissions, scopes } = req.body;
+    const {
+        name,
+        workspaceId,
+        environment,
+        encryptedKey,
+        iv,
+        tag,
+        expiresIn,
+        permissions
+    } = req.body;
 
-  const secret = crypto.randomBytes(16).toString("hex");
-  const secretHash = await bcrypt.hash(secret, await getSaltRounds());
+    const secret = crypto.randomBytes(16).toString('hex');
+    const secretHash = await bcrypt.hash(secret, await getSaltRounds());
 
-  let expiresAt;
-  if (expiresIn) {
-    expiresAt = new Date();
-    expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
-  }
+    let expiresAt; 
+    if (expiresIn) {
+        expiresAt = new Date()
+        expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
+    }
 
-  let user, serviceAccount;
+    let user, serviceAccount;
+    
+    if (req.authData.authMode === AUTH_MODE_JWT && req.authData.authPayload instanceof User) {
+        user = req.authData.authPayload._id;
+    }
 
-  if (req.authData.authMode === AUTH_MODE_JWT && req.authData.authPayload instanceof User) {
-    user = req.authData.authPayload._id;
-  }
+    if (req.authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && req.authData.authPayload instanceof ServiceAccount) {
+        serviceAccount = req.authData.authPayload._id;
+    }
+        
+    serviceTokenData = await new ServiceTokenData({
+        name,
+        workspace: workspaceId,
+        environment,
+        user,
+        serviceAccount,
+        lastUsed: new Date(),
+        expiresAt,
+        secretHash,
+        encryptedKey,
+        iv,
+        tag,
+        permissions
+    }).save();
 
-  if (
-    req.authData.authMode === AUTH_MODE_SERVICE_ACCOUNT &&
-    req.authData.authPayload instanceof ServiceAccount
-  ) {
-    serviceAccount = req.authData.authPayload._id;
-  }
+    // return service token data without sensitive data
+    serviceTokenData = await ServiceTokenData.findById(serviceTokenData._id);
 
-  serviceTokenData = await new ServiceTokenData({
-    name,
-    workspace: workspaceId,
-    user,
-    serviceAccount,
-    scopes,
-    lastUsed: new Date(),
-    expiresAt,
-    secretHash,
-    encryptedKey,
-    iv,
-    tag,
-    permissions
-  }).save();
+    if (!serviceTokenData) throw new Error('Failed to find service token data');
 
-  // return service token data without sensitive data
-  serviceTokenData = await ServiceTokenData.findById(serviceTokenData._id);
+    const serviceToken = `st.${serviceTokenData._id.toString()}.${secret}`;
 
-  if (!serviceTokenData) throw new Error("Failed to find service token data");
-
-  const serviceToken = `st.${serviceTokenData._id.toString()}.${secret}`;
-
-  return res.status(200).send({
-    serviceToken,
-    serviceTokenData
-  });
-};
+    return res.status(200).send({
+        serviceToken,
+        serviceTokenData
+    });
+}
 
 /**
  * Delete service token data with id [serviceTokenDataId].
- * @param req
- * @param res
- * @returns
+ * @param req 
+ * @param res 
+ * @returns 
  */
 export const deleteServiceTokenData = async (req: Request, res: Response) => {
-  const { serviceTokenDataId } = req.params;
+    const { serviceTokenDataId } = req.params;
 
-  const serviceTokenData = await ServiceTokenData.findByIdAndDelete(serviceTokenDataId);
+    const serviceTokenData = await ServiceTokenData.findByIdAndDelete(serviceTokenDataId);
 
-  return res.status(200).send({
-    serviceTokenData
-  });
-};
+    return res.status(200).send({
+        serviceTokenData
+    });
+}

backend/src/controllers/v2/signupController.ts

@@ -1,14 +1,14 @@
-import { Request, Response } from "express";
-import { MembershipOrg, User } from "../../models";
-import { completeAccount } from "../../helpers/user";
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { User, MembershipOrg } from '../../models';
+import { completeAccount } from '../../helpers/user';
 import {
-	initializeDefaultOrg,
-} from "../../helpers/signup";
-import { issueAuthTokens } from "../../helpers/auth";
-import { ACCEPTED, INVITED } from "../../variables";
-import { standardRequest } from "../../config/request";
-import { getHttpsEnabled, getLoopsApiKey } from "../../config";
-import { updateSubscriptionOrgQuantity } from "../../helpers/organization";
+	initializeDefaultOrg
+} from '../../helpers/signup';
+import { issueAuthTokens } from '../../helpers/auth';
+import { INVITED, ACCEPTED } from '../../variables';
+import request from '../../config/request';
+import { getLoopsApiKey, getHttpsEnabled } from '../../config';
 
 /**
  * Complete setting up user by adding their personal and auth information as part of the
@@ -19,135 +19,128 @@ import { updateSubscriptionOrgQuantity } from "../../helpers/organization";
  */
 export const completeAccountSignup = async (req: Request, res: Response) => {
 	let user, token, refreshToken;
-  const {
-    email,
-    firstName,
-    lastName,
-    protectedKey,
-    protectedKeyIV,
-    protectedKeyTag,
-    publicKey,
-    encryptedPrivateKey,
-    encryptedPrivateKeyIV,
-    encryptedPrivateKeyTag,
-    salt,
-    verifier,
-    organizationName,
-  }: {
-    email: string;
-    firstName: string;
-    lastName: string;
-    protectedKey: string;
-    protectedKeyIV: string;
-    protectedKeyTag: string;
-    publicKey: string;
-    encryptedPrivateKey: string;
-    encryptedPrivateKeyIV: string;
-    encryptedPrivateKeyTag: string;
-    salt: string;
-    verifier: string;
-    organizationName: string;
-  } = req.body;
+	try {
+		const {
+			email,
+			firstName,
+			lastName,
+			protectedKey,
+			protectedKeyIV,
+			protectedKeyTag,
+			publicKey,
+			encryptedPrivateKey,
+			encryptedPrivateKeyIV,
+			encryptedPrivateKeyTag,
+			salt,
+			verifier,
+			organizationName
+		}: {
+			email: string;
+			firstName: string;
+			lastName: string;
+			protectedKey: string;
+			protectedKeyIV: string;
+			protectedKeyTag: string;
+			publicKey: string;
+			encryptedPrivateKey: string;
+			encryptedPrivateKeyIV: string;
+			encryptedPrivateKeyTag: string;
+			salt: string;
+			verifier: string;
+			organizationName: string;
+		} = req.body;
 
-  // get user
-  user = await User.findOne({ email });
+		// get user
+		user = await User.findOne({ email });
 
-  if (!user || (user && user?.publicKey)) {
-    // case 1: user doesn't exist.
-    // case 2: user has already completed account
-    return res.status(403).send({
-      error: "Failed to complete account for complete user",
-    });
-  }
+		if (!user || (user && user?.publicKey)) {
+			// case 1: user doesn't exist.
+			// case 2: user has already completed account
+			return res.status(403).send({
+				error: 'Failed to complete account for complete user'
+			});
+		}
 
-  // complete setting up user's account
-  user = await completeAccount({
-    userId: user._id.toString(),
-    firstName,
-    lastName,
-    encryptionVersion: 2,
-    protectedKey,
-    protectedKeyIV,
-    protectedKeyTag,
-    publicKey,
-    encryptedPrivateKey,
-    encryptedPrivateKeyIV,
-    encryptedPrivateKeyTag,
-    salt,
-    verifier,
-  });
+		// complete setting up user's account
+		user = await completeAccount({
+			userId: user._id.toString(),
+			firstName,
+			lastName,
+			encryptionVersion: 2,
+			protectedKey,
+			protectedKeyIV,
+			protectedKeyTag,
+			publicKey,
+			encryptedPrivateKey,
+			encryptedPrivateKeyIV,
+			encryptedPrivateKeyTag,
+			salt,
+			verifier
+		});
 
-  if (!user)
-    throw new Error("Failed to complete account for non-existent user"); // ensure user is non-null
+		if (!user)
+			throw new Error('Failed to complete account for non-existent user'); // ensure user is non-null
 
-  // initialize default organization and workspace
-  await initializeDefaultOrg({
-    organizationName,
-    user,
-  });
+		// initialize default organization and workspace
+		await initializeDefaultOrg({
+			organizationName,
+			user
+		});
 
-  // update organization membership statuses that are
-  // invited to completed with user attached
-  const membershipsToUpdate = await MembershipOrg.find({
-    inviteEmail: email,
-    status: INVITED,
-  });
-  
-  membershipsToUpdate.forEach(async (membership) => {
-    await updateSubscriptionOrgQuantity({
-      organizationId: membership.organization.toString(),
-    });
-  });
+		// update organization membership statuses that are
+		// invited to completed with user attached
+		await MembershipOrg.updateMany(
+			{
+				inviteEmail: email,
+				status: INVITED
+			},
+			{
+				user,
+				status: ACCEPTED
+			}
+		);
 
-  // update organization membership statuses that are
-  // invited to completed with user attached
-  await MembershipOrg.updateMany(
-    {
-      inviteEmail: email,
-      status: INVITED,
-    },
-    {
-      user,
-      status: ACCEPTED,
-    }
-  );
+		// issue tokens
+		const tokens = await issueAuthTokens({
+			userId: user._id.toString()
+		});
 
-  // issue tokens
-  const tokens = await issueAuthTokens({
-    userId: user._id,
-    ip: req.realIP,
-    userAgent: req.headers["user-agent"] ?? "",
-  });
+		token = tokens.token;
 
-  token = tokens.token;
+		// sending a welcome email to new users
+		if (await getLoopsApiKey()) {
+			await request.post("https://app.loops.so/api/v1/events/send", {
+				"email": email,
+				"eventName": "Sign Up",
+				"firstName": firstName,
+				"lastName": lastName
+			}, {
+				headers: {
+					"Accept": "application/json",
+					"Authorization": "Bearer " + (await getLoopsApiKey())
+				},
+			});
+		}
 
-  // sending a welcome email to new users
-  if (await getLoopsApiKey()) {
-    await standardRequest.post("https://app.loops.so/api/v1/events/send", {
-      "email": email,
-      "eventName": "Sign Up",
-      "firstName": firstName,
-      "lastName": lastName,
-    }, {
-      headers: {
-        "Accept": "application/json",
-        "Authorization": "Bearer " + (await getLoopsApiKey()),
-      },
-    });
-  }
-
-  // store (refresh) token in httpOnly cookie
-  res.cookie("jid", tokens.refreshToken, {
-    httpOnly: true,
-    path: "/",
-    sameSite: "strict",
-    secure: await getHttpsEnabled(),
-  });
+		// store (refresh) token in httpOnly cookie
+		res.cookie('jid', tokens.refreshToken, {
+			httpOnly: true,
+			path: '/',
+			sameSite: 'strict',
+			secure: await getHttpsEnabled()
+		});
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to complete account setup'
+		});
+	}
 
 	return res.status(200).send({
-		message: "Successfully set up account",
+		message: 'Successfully set up account',
 		user,
-		token,
+		token
 	});
 };
 
@@ -160,103 +153,98 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
  */
 export const completeAccountInvite = async (req: Request, res: Response) => {
 	let user, token, refreshToken;
-  const {
-    email,
-    firstName,
-    lastName,
-    protectedKey,
-    protectedKeyIV,
-    protectedKeyTag,
-    publicKey,
-    encryptedPrivateKey,
-    encryptedPrivateKeyIV,
-    encryptedPrivateKeyTag,
-    salt,
-    verifier,
-  } = req.body;
+	try {
+		const {
+			email,
+			firstName,
+			lastName,
+			protectedKey,
+			protectedKeyIV,
+			protectedKeyTag,
+			publicKey,
+			encryptedPrivateKey,
+			encryptedPrivateKeyIV,
+			encryptedPrivateKeyTag,
+			salt,
+			verifier
+		} = req.body;
 
-  // get user
-  user = await User.findOne({ email });
+		// get user
+		user = await User.findOne({ email });
 
-  if (!user || (user && user?.publicKey)) {
-    // case 1: user doesn't exist.
-    // case 2: user has already completed account
-    return res.status(403).send({
-      error: "Failed to complete account for complete user",
-    });
-  }
+		if (!user || (user && user?.publicKey)) {
+			// case 1: user doesn't exist.
+			// case 2: user has already completed account
+			return res.status(403).send({
+				error: 'Failed to complete account for complete user'
+			});
+		}
 
-  const membershipOrg = await MembershipOrg.findOne({
-    inviteEmail: email,
-    status: INVITED,
-  });
+		const membershipOrg = await MembershipOrg.findOne({
+			inviteEmail: email,
+			status: INVITED
+		});
 
-  if (!membershipOrg) throw new Error("Failed to find invitations for email");
+		if (!membershipOrg) throw new Error('Failed to find invitations for email');
 
-  // complete setting up user's account
-  user = await completeAccount({
-    userId: user._id.toString(),
-    firstName,
-    lastName,
-    encryptionVersion: 2,
-    protectedKey,
-    protectedKeyIV,
-    protectedKeyTag,
-    publicKey,
-    encryptedPrivateKey,
-    encryptedPrivateKeyIV,
-    encryptedPrivateKeyTag,
-    salt,
-    verifier,
-  });
+		// complete setting up user's account
+		user = await completeAccount({
+			userId: user._id.toString(),
+			firstName,
+			lastName,
+			encryptionVersion: 2,
+			protectedKey,
+			protectedKeyIV,
+			protectedKeyTag,
+			publicKey,
+			encryptedPrivateKey,
+			encryptedPrivateKeyIV,
+			encryptedPrivateKeyTag,
+			salt,
+			verifier
+		});
 
-  if (!user)
-    throw new Error("Failed to complete account for non-existent user");
-  
-  // update organization membership statuses that are
-  // invited to completed with user attached
-  const membershipsToUpdate = await MembershipOrg.find({
-    inviteEmail: email,
-    status: INVITED,
-  });
-  
-  membershipsToUpdate.forEach(async (membership) => {
-    await updateSubscriptionOrgQuantity({
-      organizationId: membership.organization.toString(),
-    });
-  });
+		if (!user)
+			throw new Error('Failed to complete account for non-existent user');
 
-  await MembershipOrg.updateMany(
-    {
-      inviteEmail: email,
-      status: INVITED,
-    },
-    {
-      user,
-      status: ACCEPTED,
-    }
-  );
+		// update organization membership statuses that are
+		// invited to completed with user attached
+		await MembershipOrg.updateMany(
+			{
+				inviteEmail: email,
+				status: INVITED
+			},
+			{
+				user,
+				status: ACCEPTED
+			}
+		);
 
-  // issue tokens
-  const tokens = await issueAuthTokens({
-    userId: user._id,
-    ip: req.realIP,
-    userAgent: req.headers["user-agent"] ?? "",
-  });
+		// issue tokens
+		const tokens = await issueAuthTokens({
+			userId: user._id.toString()
+		});
 
-  token = tokens.token;
+		token = tokens.token;
 
-  // store (refresh) token in httpOnly cookie
-  res.cookie("jid", tokens.refreshToken, {
-    httpOnly: true,
-    path: "/",
-    sameSite: "strict",
-    secure: await getHttpsEnabled(),
-  });
+		// store (refresh) token in httpOnly cookie
+		res.cookie('jid', tokens.refreshToken, {
+			httpOnly: true,
+			path: '/',
+			sameSite: 'strict',
+			secure: await getHttpsEnabled()
+		});
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to complete account setup'
+		});
+	}
 
 	return res.status(200).send({
-		message: "Successfully set up account",
+		message: 'Successfully set up account',
 		user,
-		token,
+		token
 	});
-};
+};

backend/src/controllers/v2/tagController.ts

@@ -1,59 +1,72 @@
-import { Request, Response } from "express";
-import { Types } from "mongoose";
-import { Membership, Secret } from "../../models";
-import Tag from "../../models/tag";
-import { BadRequestError, UnauthorizedRequestError } from "../../utils/errors";
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
+import {
+	Membership, Secret,
+} from '../../models';
+import Tag, { ITag } from '../../models/tag';
+import { Builder } from "builder-pattern"
+import to from 'await-to-js';
+import { BadRequestError, UnauthorizedRequestError } from '../../utils/errors';
+import { MongoError } from 'mongodb';
+import { userHasWorkspaceAccess } from '../../ee/helpers/checkMembershipPermissions';
 
 export const createWorkspaceTag = async (req: Request, res: Response) => {
-  const { workspaceId } = req.params;
-  const { name, slug } = req.body;
-  
-  const tagToCreate = {
-      name,
-      workspace: new Types.ObjectId(workspaceId),
-      slug,
-      user: new Types.ObjectId(req.user._id),
-    };
-  
-  const createdTag = await new Tag(tagToCreate).save();
-  
-  res.json(createdTag);
-};
+	const { workspaceId } = req.params
+	const { name, slug } = req.body
+	const sanitizedTagToCreate = Builder<ITag>()
+		.name(name)
+		.workspace(new Types.ObjectId(workspaceId))
+		.slug(slug)
+		.user(new Types.ObjectId(req.user._id))
+		.build();
+
+	const [err, createdTag] = await to(Tag.create(sanitizedTagToCreate))
+
+	if (err) {
+		if ((err as MongoError).code === 11000) {
+			throw BadRequestError({ message: "Tags must be unique in a workspace" })
+		}
+
+		throw err
+	}
+
+	res.json(createdTag)
+}
 
 export const deleteWorkspaceTag = async (req: Request, res: Response) => {
-  const { tagId } = req.params;
+	const { tagId } = req.params
 
-  const tagFromDB = await Tag.findById(tagId);
-  if (!tagFromDB) {
-    throw BadRequestError();
-  }
+	const tagFromDB = await Tag.findById(tagId)
+	if (!tagFromDB) {
+		throw BadRequestError()
+	}
 
-  // can only delete if the request user is one that belongs to the same workspace as the tag
-  const membership = await Membership.findOne({
-    user: req.user,
-    workspace: tagFromDB.workspace
-  });
+	// can only delete if the request user is one that belongs to the same workspace as the tag
+	const membership = await Membership.findOne({
+		user: req.user,
+		workspace: tagFromDB.workspace
+	});
 
-  if (!membership) {
-    UnauthorizedRequestError({ message: "Failed to validate membership" });
-  }
+	if (!membership) {
+		UnauthorizedRequestError({ message: 'Failed to validate membership' });
+	}
 
-  const result = await Tag.findByIdAndDelete(tagId);
+	const result = await Tag.findByIdAndDelete(tagId);
 
-  // remove the tag from secrets
-  await Secret.updateMany({ tags: { $in: [tagId] } }, { $pull: { tags: tagId } });
+	// remove the tag from secrets
+	await Secret.updateMany(
+		{ tags: { $in: [tagId] } },
+		{ $pull: { tags: tagId } }
+	);
 
-  res.json(result);
-};
+	res.json(result);
+}
 
 export const getWorkspaceTags = async (req: Request, res: Response) => {
-  const { workspaceId } = req.params;
-  
-  const workspaceTags = await Tag.find({ 
-    workspace: new Types.ObjectId(workspaceId) 
-  });
-  
-  return res.json({
-    workspaceTags
-  });
-};
+	const { workspaceId } = req.params
+	const workspaceTags = await Tag.find({ workspace: workspaceId })
+	return res.json({
+		workspaceTags
+	})
+}

backend/src/controllers/v2/usersController.ts

@@ -1,14 +1,9 @@
-import { Request, Response } from "express";
-import { Types } from "mongoose";
-import crypto from "crypto";
-import bcrypt from "bcrypt";
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
 import {
-    MembershipOrg,
     User,
-    APIKeyData,
-    TokenVersion
-} from "../../models";
-import { getSaltRounds } from "../../config";
+    MembershipOrg
+} from '../../models';
 
 /**
  * Return the current user.
@@ -42,12 +37,21 @@ export const getMe = async (req: Request, res: Response) => {
         }
     }   
     */
-    const user = await User
-        .findById(req.user._id)
-        .select("+salt +publicKey +encryptedPrivateKey +iv +tag +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag");
+    let user;
+    try {
+        user = await User
+            .findById(req.user._id)
+            .select('+salt +publicKey +encryptedPrivateKey +iv +tag +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag');
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get current user'
+		});
+    }
     
     return res.status(200).send({
-        user,
+        user
     });
 }
 
@@ -60,23 +64,32 @@ export const getMe = async (req: Request, res: Response) => {
  * @returns 
  */
 export const updateMyMfaEnabled = async (req: Request, res: Response) => {
-    const { isMfaEnabled }: { isMfaEnabled: boolean } = req.body;
-    req.user.isMfaEnabled = isMfaEnabled;
-    
-    if (isMfaEnabled) { 
-        // TODO: adapt this route/controller 
-        // to work for different forms of MFA
-        req.user.mfaMethods = ["email"];
-    } else {
-        req.user.mfaMethods = [];
-    }
+    let user;
+    try {
+        const { isMfaEnabled }: { isMfaEnabled: boolean } = req.body;
+        req.user.isMfaEnabled = isMfaEnabled;
+        
+        if (isMfaEnabled) { 
+            // TODO: adapt this route/controller 
+            // to work for different forms of MFA
+            req.user.mfaMethods = ['email'];
+        } else {
+            req.user.mfaMethods = [];
+        }
 
-    await req.user.save();
-    
-    const user = req.user;
+        await req.user.save();
+        
+        user = req.user;
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: "Failed to update current user's MFA status"
+		}); 
+    }
     
     return res.status(200).send({
-        user,
+        user
     });
 }
 
@@ -113,116 +126,22 @@ export const getMyOrganizations = async (req: Request, res: Response) => {
         }
     }   
     */
-  const organizations = (
-    await MembershipOrg.find({
-      user: req.user._id,
-    }).populate("organization")
-  ).map((m) => m.organization);
+	let organizations;
+	try {
+		organizations = (
+			await MembershipOrg.find({
+				user: req.user._id
+			}).populate('organization')
+		).map((m) => m.organization);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: "Failed to get current user's organizations"
+		});
+	}
 
 	return res.status(200).send({
-		organizations,
+		organizations
 	});
-}
-
-/**
- * Return API keys belonging to current user.
- * @param req 
- * @param res 
- * @returns 
- */
-export const getMyAPIKeys = async (req: Request, res: Response) => {
-    const apiKeyData = await APIKeyData.find({
-		user: req.user._id,
-	});
-
-	return res.status(200).send(apiKeyData);
-}
-
-/**
- * Create new API key for current user.
- * @param req 
- * @param res 
- * @returns 
- */
-export const createAPIKey = async (req: Request, res: Response) => {
-	const { name, expiresIn } = req.body;
-
-	const secret = crypto.randomBytes(16).toString("hex");
-	const secretHash = await bcrypt.hash(secret, await getSaltRounds());
-
-	const expiresAt = new Date();
-	expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
-
-	let apiKeyData = await new APIKeyData({
-		name,
-		lastUsed: new Date(),
-		expiresAt,
-		user: req.user._id,
-		secretHash,
-	}).save();
-
-	// return api key data without sensitive data
-	apiKeyData = (await APIKeyData.findById(apiKeyData._id)) as any;
-
-	if (!apiKeyData) throw new Error("Failed to find API key data");
-
-	const apiKey = `ak.${apiKeyData._id.toString()}.${secret}`;
-
-	return res.status(200).send({
-		apiKey,
-		apiKeyData,
-	});
-}
-
-/**
- * Delete API key with id [apiKeyDataId] belonging to current user
- * @param req 
- * @param res 
- */
-export const deleteAPIKey = async (req: Request, res: Response) => {
-    const { apiKeyDataId } = req.params;
-
-    const apiKeyData = await APIKeyData.findOneAndDelete({
-        _id: new Types.ObjectId(apiKeyDataId),
-        user: req.user._id
-    });
-
-	return res.status(200).send({
-		apiKeyData
-	});
-}
-
-/**
- * Return active sessions (TokenVersion) belonging to user
- * @param req 
- * @param res 
- * @returns 
- */
-export const getMySessions = async (req: Request, res: Response) => {
-    const tokenVersions = await TokenVersion.find({
-        user: req.user._id
-    });
-    
-    return res.status(200).send(tokenVersions);
-}
-
-/**
- * Revoke all active sessions belong to user
- * @param req 
- * @param res 
- * @returns 
- */
-export const deleteMySessions = async (req: Request, res: Response) => {
-    await TokenVersion.updateMany({
-        user: req.user._id,
-    }, {
-        $inc: {
-            refreshVersion: 1,
-            accessVersion: 1,
-        },
-    });
-
-    return res.status(200).send({
-        message: "Successfully revoked all sessions"
-    });
 }

backend/src/controllers/v2/workspaceController.ts

@@ -1,19 +1,26 @@
-import { Request, Response } from "express";
-import { Types } from "mongoose";
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
 import {
-	Key,
-	Membership,
-	ServiceTokenData,
 	Workspace,
-} from "../../models";
+	Secret,
+	Membership,
+	MembershipOrg,
+	Integration,
+	IntegrationAuth,
+	Key,
+	IUser,
+	ServiceToken,
+	ServiceTokenData
+} from '../../models';
 import {
-	pullSecrets as pull,
 	v2PushSecrets as push,
-	reformatPullSecrets,
-} from "../../helpers/secret";
-import { pushKeys } from "../../helpers/key";
-import { EventService, TelemetryService } from "../../services";
-import { eventPushSecrets } from "../../events";
+	pullSecrets as pull,
+	reformatPullSecrets
+} from '../../helpers/secret';
+import { pushKeys } from '../../helpers/key';
+import { TelemetryService, EventService } from '../../services';
+import { eventPushSecrets } from '../../events';
 
 interface V2PushSecret {
 	type: string; // personal or shared
@@ -40,60 +47,69 @@ interface V2PushSecret {
  */
 export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
 	// upload (encrypted) secrets to workspace with id [workspaceId]
-  const postHogClient = await TelemetryService.getPostHogClient();
-  let { secrets }: { secrets: V2PushSecret[] } = req.body;
-  const { keys, environment, channel } = req.body;
-  const { workspaceId } = req.params;
+	try {
+		const postHogClient = await TelemetryService.getPostHogClient();
+		let { secrets }: { secrets: V2PushSecret[] } = req.body;
+		const { keys, environment, channel } = req.body;
+		const { workspaceId } = req.params;
 
-  // validate environment
-  const workspaceEnvs = req.membership.workspace.environments;
-  if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
-    throw new Error("Failed to validate environment");
-  }
+		// validate environment
+		const workspaceEnvs = req.membership.workspace.environments;
+		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
+			throw new Error('Failed to validate environment');
+		}
 
-  // sanitize secrets
-  secrets = secrets.filter(
-    (s: V2PushSecret) => s.secretKeyCiphertext !== "" && s.secretValueCiphertext !== ""
-  );
+		// sanitize secrets
+		secrets = secrets.filter(
+			(s: V2PushSecret) => s.secretKeyCiphertext !== '' && s.secretValueCiphertext !== ''
+		);
 
-  await push({
-    userId: req.user._id,
-    workspaceId,
-    environment,
-    secrets,
-    channel: channel ? channel : "cli",
-    ipAddress: req.realIP,
-  });
+		await push({
+			userId: req.user._id,
+			workspaceId,
+			environment,
+			secrets,
+			channel: channel ? channel : 'cli',
+			ipAddress: req.ip
+		});
 
-  await pushKeys({
-    userId: req.user._id,
-    workspaceId,
-    keys,
-  });
+		await pushKeys({
+			userId: req.user._id,
+			workspaceId,
+			keys
+		});
 
-  if (postHogClient) {
-    postHogClient.capture({
-      event: "secrets pushed",
-      distinctId: req.user.email,
-      properties: {
-        numberOfSecrets: secrets.length,
-        environment,
-        workspaceId,
-        channel: channel ? channel : "cli",
-      },
-    });
-  }
+		if (postHogClient) {
+			postHogClient.capture({
+				event: 'secrets pushed',
+				distinctId: req.user.email,
+				properties: {
+					numberOfSecrets: secrets.length,
+					environment,
+					workspaceId,
+					channel: channel ? channel : 'cli'
+				}
+			});
+		}
 
-  // trigger event - push secrets
-  EventService.handleEvent({
-    event: eventPushSecrets({
-      workspaceId: new Types.ObjectId(workspaceId),
-      environment,
-    }),
-  });
+		// trigger event - push secrets
+		EventService.handleEvent({
+			event: eventPushSecrets({
+				workspaceId: new Types.ObjectId(workspaceId),
+				environment
+			})
+		});
+
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to upload workspace secrets'
+		});
+	}
 
 	return res.status(200).send({
-		message: "Successfully uploaded workspace secrets",
+		message: 'Successfully uploaded workspace secrets'
 	});
 };
 
@@ -106,51 +122,59 @@ export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
  */
 export const pullSecrets = async (req: Request, res: Response) => {
 	let secrets;
-  const postHogClient = await TelemetryService.getPostHogClient();
-  const environment: string = req.query.environment as string;
-  const channel: string = req.query.channel as string;
-  const { workspaceId } = req.params;
+	try {
+		const postHogClient = await TelemetryService.getPostHogClient();
+		const environment: string = req.query.environment as string;
+		const channel: string = req.query.channel as string;
+		const { workspaceId } = req.params;
 
-  let userId;
-  if (req.user) {
-    userId = req.user._id.toString();
-  } else if (req.serviceTokenData) {
-    userId = req.serviceTokenData.user.toString();
-  }
-  // validate environment
-  const workspaceEnvs = req.membership.workspace.environments;
-  if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
-    throw new Error("Failed to validate environment");
-  }
+		let userId;
+		if (req.user) {
+			userId = req.user._id.toString();
+		} else if (req.serviceTokenData) {
+			userId = req.serviceTokenData.user.toString();
+		}
+		// validate environment
+		const workspaceEnvs = req.membership.workspace.environments;
+		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
+			throw new Error('Failed to validate environment');
+		}
 
-  secrets = await pull({
-    userId,
-    workspaceId,
-    environment,
-    channel: channel ? channel : "cli",
-    ipAddress: req.realIP,
-  });
+		secrets = await pull({
+			userId,
+			workspaceId,
+			environment,
+			channel: channel ? channel : 'cli',
+			ipAddress: req.ip
+		});
 
-  if (channel !== "cli") {
-    secrets = reformatPullSecrets({ secrets });
-  }
+		if (channel !== 'cli') {
+			secrets = reformatPullSecrets({ secrets });
+		}
 
-  if (postHogClient) {
-    // capture secrets pushed event in production
-    postHogClient.capture({
-      distinctId: req.user.email,
-      event: "secrets pulled",
-      properties: {
-        numberOfSecrets: secrets.length,
-        environment,
-        workspaceId,
-        channel: channel ? channel : "cli",
-      },
-    });
-  }
+		if (postHogClient) {
+			// capture secrets pushed event in production
+			postHogClient.capture({
+				distinctId: req.user.email,
+				event: 'secrets pulled',
+				properties: {
+					numberOfSecrets: secrets.length,
+					environment,
+					workspaceId,
+					channel: channel ? channel : 'cli'
+				}
+			});
+		}
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to pull workspace secrets'
+		});
+	}
 
 	return res.status(200).send({
-		secrets,
+		secrets
 	});
 };
 
@@ -184,14 +208,22 @@ export const getWorkspaceKey = async (req: Request, res: Response) => {
     }   
     */
 	let key;
-  const { workspaceId } = req.params;
+	try {
+		const { workspaceId } = req.params;
 
-  key = await Key.findOne({
-    workspace: workspaceId,
-    receiver: req.user._id,
-  }).populate("sender", "+publicKey");
+		key = await Key.findOne({
+			workspace: workspaceId,
+			receiver: req.user._id
+		}).populate('sender', '+publicKey');
 
-  if (!key) throw new Error("Failed to find workspace key");
+		if (!key) throw new Error('Failed to find workspace key');
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace key'
+		});
+	}
 
 	return res.status(200).json(key);
 }
@@ -199,16 +231,26 @@ export const getWorkspaceServiceTokenData = async (
 	req: Request,
 	res: Response
 ) => {
-  const { workspaceId } = req.params;
+	let serviceTokenData;
+	try {
+		const { workspaceId } = req.params;
 
-  const serviceTokenData = await ServiceTokenData
-    .find({
-      workspace: workspaceId,
-    })
-    .select("+encryptedKey +iv +tag");
+		serviceTokenData = await ServiceTokenData
+			.find({
+				workspace: workspaceId
+			})
+			.select('+encryptedKey +iv +tag');
+
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace service token data'
+		});
+	}
 
 	return res.status(200).send({
-		serviceTokenData,
+		serviceTokenData
 	});
 }
 
@@ -252,14 +294,23 @@ export const getWorkspaceMemberships = async (req: Request, res: Response) => {
         }
     }   
     */
-  const { workspaceId } = req.params;
+	let memberships;
+	try {
+		const { workspaceId } = req.params;
 
-  const memberships = await Membership.find({
-    workspace: workspaceId,
-  }).populate("user", "+publicKey");
+		memberships = await Membership.find({
+			workspace: workspaceId
+		}).populate('user', '+publicKey');
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace memberships'
+		});
+	}
 
 	return res.status(200).send({
-		memberships,
+		memberships
 	});
 }
 
@@ -323,22 +374,31 @@ export const updateWorkspaceMembership = async (req: Request, res: Response) =>
         }
     }   
     */
-  const {
-    membershipId,
-  } = req.params;
-  const { role } = req.body;
-  
-  const membership = await Membership.findByIdAndUpdate(
-    membershipId,
-    {
-      role,
-    }, {
-      new: true,
-    }
-  );
-
+	let membership;
+	try {
+		const {
+			membershipId
+		} = req.params;
+		const { role } = req.body;
+		
+		membership = await Membership.findByIdAndUpdate(
+			membershipId,
+			{
+				role
+			}, {
+				new: true
+			}
+		);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to update workspace membership'
+		});
+	}
+	
 	return res.status(200).send({
-		membership,
+		membership
 	}); 
 }
 
@@ -385,21 +445,30 @@ export const deleteWorkspaceMembership = async (req: Request, res: Response) =>
         }
     }   
     */
-  const { 
-    membershipId,
-  } = req.params;
-  
-  const membership = await Membership.findByIdAndDelete(membershipId);
-  
-  if (!membership) throw new Error("Failed to delete workspace membership");
-  
-  await Key.deleteMany({
-    receiver: membership.user,
-    workspace: membership.workspace,
-  });
+	let membership;
+	try {
+		const { 
+			membershipId
+		} = req.params;
+		
+		membership = await Membership.findByIdAndDelete(membershipId);
+		
+		if (!membership) throw new Error('Failed to delete workspace membership');
+		
+		await Key.deleteMany({
+			receiver: membership.user,
+			workspace: membership.workspace
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to delete workspace membership'
+		});	
+	}
 	
 	return res.status(200).send({
-		membership,
+		membership
 	});
 }
 
@@ -410,23 +479,32 @@ export const deleteWorkspaceMembership = async (req: Request, res: Response) =>
  * @returns
  */
 export const toggleAutoCapitalization = async (req: Request, res: Response) => {
-  const { workspaceId } = req.params;
-  const { autoCapitalization } = req.body;
+	let workspace;
+	try {
+		const { workspaceId } = req.params;
+		const { autoCapitalization } = req.body;
 
-  const workspace = await Workspace.findOneAndUpdate(
-    {
-      _id: workspaceId,
-    },
-    {
-      autoCapitalization,
-    },
-    {
-      new: true,
-    }
-  );
+		workspace = await Workspace.findOneAndUpdate(
+			{
+				_id: workspaceId
+			},
+			{
+				autoCapitalization
+			},
+			{
+				new: true
+			}
+		);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to change autoCapitalization setting'
+		});
+	}
 
 	return res.status(200).send({
-		message: "Successfully changed autoCapitalization setting",
-		workspace,
+		message: 'Successfully changed autoCapitalization setting',
+		workspace
 	});
-};
+};

backend/src/controllers/v3/authController.ts

@@ -1,264 +0,0 @@
-/* eslint-disable @typescript-eslint/no-var-requires */
-import { Request, Response } from "express";
-import jwt from "jsonwebtoken";
-import * as Sentry from "@sentry/node";
-import * as bigintConversion from "bigint-conversion";
-const jsrp = require("jsrp");
-import { LoginSRPDetail, User } from "../../models";
-import { createToken, issueAuthTokens, validateProviderAuthToken } from "../../helpers/auth";
-import { checkUserDevice } from "../../helpers/user";
-import { sendMail } from "../../helpers/nodemailer";
-import { TokenService } from "../../services";
-import { EELogService } from "../../ee/services";
-import { BadRequestError, InternalServerError } from "../../utils/errors";
-import {
-    ACTION_LOGIN,
-    TOKEN_EMAIL_MFA,
-} from "../../variables";
-import { getChannelFromUserAgent } from "../../utils/posthog"; // TODO: move this
-import {
-    getHttpsEnabled,
-    getJwtMfaLifetime,
-    getJwtMfaSecret,
-} from "../../config";
-import { AuthProvider } from "../../models/user";
-
-declare module "jsonwebtoken" {
-    export interface ProviderAuthJwtPayload extends jwt.JwtPayload {
-        userId: string;
-        email: string;
-        authProvider: AuthProvider;
-        isUserCompleted: boolean,
-    }
-}
-
-/**
- * Log in user step 1: Return [salt] and [serverPublicKey] as part of step 1 of SRP protocol
- * @param req
- * @param res
- * @returns
- */
-export const login1 = async (req: Request, res: Response) => {
-    try {
-        const {
-            email,
-            providerAuthToken,
-            clientPublicKey,
-        }: {
-            email: string;
-            clientPublicKey: string,
-            providerAuthToken?: string;
-        } = req.body;
-
-        const user = await User.findOne({
-            email,
-        }).select("+salt +verifier");
-
-        if (!user) throw new Error("Failed to find user");
-
-        if (user.authProvider) {
-            await validateProviderAuthToken({
-                email,
-                user,
-                providerAuthToken,
-            })
-        }
-
-        const server = new jsrp.server();
-        server.init(
-            {
-                salt: user.salt,
-                verifier: user.verifier,
-            },
-            async () => {
-                // generate server-side public key
-                const serverPublicKey = server.getPublicKey();
-                await LoginSRPDetail.findOneAndReplace({
-                    email: email,
-                }, {
-                    email,
-                    userId: user.id,
-                    clientPublicKey: clientPublicKey,
-                    serverBInt: bigintConversion.bigintToBuf(server.bInt),
-                }, { upsert: true, returnNewDocument: false });
-
-                return res.status(200).send({
-                    serverPublicKey,
-                    salt: user.salt,
-                });
-            }
-        );
-    } catch (err) {
-        Sentry.setUser(null);
-        Sentry.captureException(err);
-        return res.status(400).send({
-            message: "Failed to start authentication process",
-        });
-    }
-};
-
-/**
- * Log in user step 2: complete step 2 of SRP protocol and return token and their (encrypted)
- * private key
- * @param req
- * @param res
- * @returns
- */
-export const login2 = async (req: Request, res: Response) => {
-    try {
-
-        if (!req.headers["user-agent"]) throw InternalServerError({ message: "User-Agent header is required" });
-
-        const { email, clientProof, providerAuthToken } = req.body;
-
-        const user = await User.findOne({
-            email,
-        }).select("+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag +devices");
-
-        if (!user) throw new Error("Failed to find user");
-
-        if (user.authProvider) {
-            await validateProviderAuthToken({
-                email,
-                user,
-                providerAuthToken,
-            })
-        }
-
-        const loginSRPDetail = await LoginSRPDetail.findOneAndDelete({ email: email })
-
-        if (!loginSRPDetail) {
-            return BadRequestError(Error("Failed to find login details for SRP"))
-        }
-
-        const server = new jsrp.server();
-        server.init(
-            {
-                salt: user.salt,
-                verifier: user.verifier,
-                b: loginSRPDetail.serverBInt,
-            },
-            async () => {
-                server.setClientPublicKey(loginSRPDetail.clientPublicKey);
-
-                // compare server and client shared keys
-                if (server.checkClientProof(clientProof)) {
-
-                    if (user.isMfaEnabled) {
-                        // case: user has MFA enabled
-
-                        // generate temporary MFA token
-                        const token = createToken({
-                            payload: {
-                                userId: user._id.toString(),
-                            },
-                            expiresIn: await getJwtMfaLifetime(),
-                            secret: await getJwtMfaSecret(),
-                        });
-
-                        const code = await TokenService.createToken({
-                            type: TOKEN_EMAIL_MFA,
-                            email,
-                        });
-
-                        // send MFA code [code] to [email]
-                        await sendMail({
-                            template: "emailMfa.handlebars",
-                            subjectLine: "Infisical MFA code",
-                            recipients: [user.email],
-                            substitutions: {
-                                code,
-                            },
-                        });
-
-                        return res.status(200).send({
-                            mfaEnabled: true,
-                            token,
-                        });
-                    }
-
-                    await checkUserDevice({
-                        user,
-                        ip: req.realIP,
-                        userAgent: req.headers["user-agent"] ?? "",
-                    });
-
-                    // issue tokens
-                    const tokens = await issueAuthTokens({ 
-                        userId: user._id,
-                        ip: req.realIP,
-                        userAgent: req.headers["user-agent"] ?? "",
-                    });
-
-                    // store (refresh) token in httpOnly cookie
-                    res.cookie("jid", tokens.refreshToken, {
-                        httpOnly: true,
-                        path: "/",
-                        sameSite: "strict",
-                        secure: await getHttpsEnabled(),
-                    });
-
-                    // case: user does not have MFA enablgged
-                    // return (access) token in response
-
-                    interface ResponseData {
-                        mfaEnabled: boolean;
-                        encryptionVersion: any;
-                        protectedKey?: string;
-                        protectedKeyIV?: string;
-                        protectedKeyTag?: string;
-                        token: string;
-                        publicKey?: string;
-                        encryptedPrivateKey?: string;
-                        iv?: string;
-                        tag?: string;
-                    }
-
-                    const response: ResponseData = {
-                        mfaEnabled: false,
-                        encryptionVersion: user.encryptionVersion,
-                        token: tokens.token,
-                        publicKey: user.publicKey,
-                        encryptedPrivateKey: user.encryptedPrivateKey,
-                        iv: user.iv,
-                        tag: user.tag,
-                    }
-
-                    if (
-                        user?.protectedKey &&
-                        user?.protectedKeyIV &&
-                        user?.protectedKeyTag
-                    ) {
-                        response.protectedKey = user.protectedKey;
-                        response.protectedKeyIV = user.protectedKeyIV
-                        response.protectedKeyTag = user.protectedKeyTag;
-                    }
-
-                    const loginAction = await EELogService.createAction({
-                        name: ACTION_LOGIN,
-                        userId: user._id,
-                    });
-
-                    loginAction && await EELogService.createLog({
-                        userId: user._id,
-                        actions: [loginAction],
-                        channel: getChannelFromUserAgent(req.headers["user-agent"]),
-                        ipAddress: req.realIP,
-                    });
-
-                    return res.status(200).send(response);
-                }
-
-                return res.status(400).send({
-                    message: "Failed to authenticate. Try again?",
-                });
-            }
-        );
-    } catch (err) {
-        Sentry.setUser(null);
-        Sentry.captureException(err);
-        return res.status(400).send({
-            message: "Failed to authenticate. Try again?",
-        });
-    }
-};

backend/src/controllers/v3/index.ts

@@ -1,11 +1,7 @@
-import * as secretsController from "./secretsController";
-import * as workspacesController from "./workspacesController";
-import * as authController from "./authController";
-import * as signupController from "./signupController";
+import * as secretsController from './secretsController';
+import * as workspacesController from './workspacesController';
 
 export {
-    authController,
     secretsController,
-    signupController,
-    workspacesController,
-}
+    workspacesController
+}

backend/src/controllers/v3/secretsController.ts

@@ -1,420 +1,183 @@
-import { Request, Response } from "express";
-import { Types } from "mongoose";
-import { EventService, SecretService } from "../../services";
-import { eventPushSecrets } from "../../events";
-import { BotService } from "../../services";
-import { repackageSecretToRaw } from "../../helpers/secrets";
-import { encryptSymmetric128BitHexKeyUTF8 } from "../../utils/crypto";
+import { Request, Response } from 'express';
+import { Types } from 'mongoose';
+import { 
+    SecretService, 
+    TelemetryService,
+    EventService
+} from '../../services';
+import { eventPushSecrets } from '../../events';
+import { getAuthDataPayloadIdObj } from '../../utils/auth';
+import { BadRequestError } from '../../utils/errors';
 
 /**
- * Return secrets for workspace with id [workspaceId] and environment
- * [environment] in plaintext
- * @param req
- * @param res
- */
-export const getSecretsRaw = async (req: Request, res: Response) => {
-  const workspaceId = req.query.workspaceId as string;
-  const environment = req.query.environment as string;
-  const secretPath = req.query.secretPath as string;
-
-  const secrets = await SecretService.getSecrets({
-    workspaceId: new Types.ObjectId(workspaceId),
-    environment,
-    secretPath,
-    authData: req.authData,
-  });
-
-  const key = await BotService.getWorkspaceKeyWithBot({
-    workspaceId: new Types.ObjectId(workspaceId),
-  });
-
-  return res.status(200).send({
-    secrets: secrets.map((secret) => {
-      const rep = repackageSecretToRaw({
-        secret,
-        key,
-      });
-
-      return rep;
-    }),
-  });
-};
-
-/**
- * Return secret with name [secretName] in plaintext
- * @param req
- * @param res
- */
-export const getSecretByNameRaw = async (req: Request, res: Response) => {
-  const { secretName } = req.params;
-  const workspaceId = req.query.workspaceId as string;
-  const environment = req.query.environment as string;
-  const secretPath = req.query.secretPath as string;
-  const type = req.query.type as "shared" | "personal" | undefined;
-
-  const secret = await SecretService.getSecret({
-    secretName,
-    workspaceId: new Types.ObjectId(workspaceId),
-    environment,
-    type,
-    secretPath,
-    authData: req.authData,
-  });
-
-  const key = await BotService.getWorkspaceKeyWithBot({
-    workspaceId: new Types.ObjectId(workspaceId),
-  });
-
-  return res.status(200).send({
-    secret: repackageSecretToRaw({
-      secret,
-      key,
-    }),
-  });
-};
-
-/**
- * Create secret with name [secretName] in plaintext
- * @param req
+ * Get secrets for workspace with id [workspaceId] and environment
+ * [environment]
+ * @param req 
  * @param res 
  */
-export const createSecretRaw = async (req: Request, res: Response) => {
-  const { secretName } = req.params;
-  const {
-    workspaceId,
-    environment,
-    type,
-    secretValue,
-    secretComment,
-    secretPath = "/",
-  } = req.body;
+export const getSecrets = async (req: Request, res: Response) => {
+    const workspaceId = req.query.workspaceId as string;
+    const environment = req.query.environment as string;
 
-  const key = await BotService.getWorkspaceKeyWithBot({
-    workspaceId: new Types.ObjectId(workspaceId),
-  });
+    const secrets = await SecretService.getSecrets({
+        workspaceId: new Types.ObjectId(workspaceId),
+        environment,
+        authData: req.authData
+    });
 
-  const secretKeyEncrypted = encryptSymmetric128BitHexKeyUTF8({
-    plaintext: secretName,
-    key,
-  });
+    return res.status(200).send({
+        secrets
+    });
+}
 
-  const secretValueEncrypted = encryptSymmetric128BitHexKeyUTF8({
-    plaintext: secretValue,
-    key,
-  });
+/**
+ * Get secret with name [secretName]
+ * @param req 
+ * @param res 
+ */
+export const getSecretByName = async (req: Request, res: Response) => {
+    const { secretName } = req.params;
+    const workspaceId = req.query.workspaceId as string;
+    const environment = req.query.environment as string;
+    const type = req.query.type as 'shared' | 'personal' | undefined;
 
-  const secretCommentEncrypted = encryptSymmetric128BitHexKeyUTF8({
-    plaintext: secretComment,
-    key,
-  });
+    const secret = await SecretService.getSecret({
+        secretName,
+        workspaceId: new Types.ObjectId(workspaceId),
+        environment,
+        type,
+        authData: req.authData
+    });
+    
+    return res.status(200).send({
+        secret
+    });
+}
 
-  const secret = await SecretService.createSecret({
-    secretName,
-    workspaceId: new Types.ObjectId(workspaceId),
-    environment,
-    type,
-    authData: req.authData,
-    secretKeyCiphertext: secretKeyEncrypted.ciphertext,
-    secretKeyIV: secretKeyEncrypted.iv,
-    secretKeyTag: secretKeyEncrypted.tag,
-    secretValueCiphertext: secretValueEncrypted.ciphertext,
-    secretValueIV: secretValueEncrypted.iv,
-    secretValueTag: secretValueEncrypted.tag,
-    secretPath,
-    secretCommentCiphertext: secretCommentEncrypted.ciphertext,
-    secretCommentIV: secretCommentEncrypted.iv,
-    secretCommentTag: secretCommentEncrypted.tag,
-  });
+/**
+ * Create secret with name [secretName]
+ * @param req 
+ * @param res 
+ */
+export const createSecret = async (req: Request, res: Response) => {
+    const { secretName } = req.params;
+    const { 
+        workspaceId,
+        environment,
+        type,
+        secretKeyCiphertext,
+        secretKeyIV,
+        secretKeyTag,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag,
+        secretCommentCiphertext,
+        secretCommentIV,
+        secretCommentTag
+    } = req.body;
+    
+    const secret = await SecretService.createSecret({
+        secretName,
+        workspaceId: new Types.ObjectId(workspaceId),
+        environment,
+        type,
+        authData: req.authData,
+        secretKeyCiphertext,
+        secretKeyIV,
+        secretKeyTag,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag,
+        ...((secretCommentCiphertext && secretCommentIV && secretCommentTag) ? {
+            secretCommentCiphertext,
+            secretCommentIV,
+            secretCommentTag
+        } : {})
+    });
 
-  await EventService.handleEvent({
-    event: eventPushSecrets({
-      workspaceId: new Types.ObjectId(workspaceId),
-      environment,
-    }),
-  });
+    await EventService.handleEvent({
+        event: eventPushSecrets({
+            workspaceId: new Types.ObjectId(workspaceId),
+            environment
+        })
+    });
 
-  const secretWithoutBlindIndex = secret.toObject();
-  delete secretWithoutBlindIndex.secretBlindIndex;
-
-  return res.status(200).send({
-    secret: repackageSecretToRaw({
-      secret: secretWithoutBlindIndex,
-      key,
-    }),
-  });
+    const secretWithoutBlindIndex = secret.toObject();
+    delete secretWithoutBlindIndex.secretBlindIndex;
+    
+    return res.status(200).send({
+        secret: secretWithoutBlindIndex
+    });
 }
 
 /**
  * Update secret with name [secretName]
  * @param req
- * @param res
- */
-export const updateSecretByNameRaw = async (req: Request, res: Response) => {
-  const { secretName } = req.params;
-  const {
-    workspaceId,
-    environment,
-    type,
-    secretValue,
-    secretPath = "/",
-  } = req.body;
-
-  const key = await BotService.getWorkspaceKeyWithBot({
-    workspaceId: new Types.ObjectId(workspaceId),
-  });
-
-  const secretValueEncrypted = encryptSymmetric128BitHexKeyUTF8({
-    plaintext: secretValue,
-    key,
-  });
-
-  const secret = await SecretService.updateSecret({
-    secretName,
-    workspaceId,
-    environment,
-    type,
-    authData: req.authData,
-    secretValueCiphertext: secretValueEncrypted.ciphertext,
-    secretValueIV: secretValueEncrypted.iv,
-    secretValueTag: secretValueEncrypted.tag,
-    secretPath,
-  });
-
-  await EventService.handleEvent({
-    event: eventPushSecrets({
-      workspaceId: new Types.ObjectId(workspaceId),
-      environment,
-    }),
-  });
-
-  return res.status(200).send({
-    secret: repackageSecretToRaw({
-      secret,
-      key,
-    }),
-  });
-};
-
-/**
- * Delete secret with name [secretName]
- * @param req
- * @param res
- */
-export const deleteSecretByNameRaw = async (req: Request, res: Response) => {
-  const { secretName } = req.params;
-  const {
-    workspaceId,
-    environment,
-    type,
-    secretPath = "/",
-  } = req.body;
-
-  const { secret } = await SecretService.deleteSecret({
-    secretName,
-    workspaceId,
-    environment,
-    type,
-    authData: req.authData,
-    secretPath,
-  });
-
-  await EventService.handleEvent({
-    event: eventPushSecrets({
-      workspaceId: new Types.ObjectId(workspaceId),
-      environment,
-    }),
-  });
-
-  const key = await BotService.getWorkspaceKeyWithBot({
-    workspaceId: new Types.ObjectId(workspaceId),
-  });
-
-  return res.status(200).send({
-    secret: repackageSecretToRaw({
-      secret,
-      key,
-    }),
-  });
-};
-
-/**
- * Get secrets for workspace with id [workspaceId] and environment
- * [environment]
- * @param req
- * @param res
- */
-export const getSecrets = async (req: Request, res: Response) => {
-  const workspaceId = req.query.workspaceId as string;
-  const environment = req.query.environment as string;
-  const secretPath = req.query.secretPath as string;
-
-  const secrets = await SecretService.getSecrets({
-    workspaceId: new Types.ObjectId(workspaceId),
-    environment,
-    secretPath,
-    authData: req.authData,
-  });
-
-  return res.status(200).send({
-    secrets,
-  });
-};
-
-/**
- * Return secret with name [secretName]
- * @param req
- * @param res
- */
-export const getSecretByName = async (req: Request, res: Response) => {
-  const { secretName } = req.params;
-  const workspaceId = req.query.workspaceId as string;
-  const environment = req.query.environment as string;
-  const secretPath = req.query.secretPath as string;
-  const type = req.query.type as "shared" | "personal" | undefined;
-
-  const secret = await SecretService.getSecret({
-    secretName,
-    workspaceId: new Types.ObjectId(workspaceId),
-    environment,
-    type,
-    secretPath,
-    authData: req.authData,
-  });
-
-  return res.status(200).send({
-    secret,
-  });
-};
-
-/**
- * Create secret with name [secretName]
- * @param req
- * @param res
- */
-export const createSecret = async (req: Request, res: Response) => {
-  const { secretName } = req.params;
-  const {
-    workspaceId,
-    environment,
-    type,
-    secretKeyCiphertext,
-    secretKeyIV,
-    secretKeyTag,
-    secretValueCiphertext,
-    secretValueIV,
-    secretValueTag,
-    secretCommentCiphertext,
-    secretCommentIV,
-    secretCommentTag,
-    secretPath = "/",
-  } = req.body;
-
-  const secret = await SecretService.createSecret({
-    secretName,
-    workspaceId: new Types.ObjectId(workspaceId),
-    environment,
-    type,
-    authData: req.authData,
-    secretKeyCiphertext,
-    secretKeyIV,
-    secretKeyTag,
-    secretValueCiphertext,
-    secretValueIV,
-    secretValueTag,
-    secretPath,
-    secretCommentCiphertext,
-    secretCommentIV,
-    secretCommentTag,
-  });
-
-  await EventService.handleEvent({
-    event: eventPushSecrets({
-      workspaceId: new Types.ObjectId(workspaceId),
-      environment,
-    }),
-  });
-
-  const secretWithoutBlindIndex = secret.toObject();
-  delete secretWithoutBlindIndex.secretBlindIndex;
-
-  return res.status(200).send({
-    secret: secretWithoutBlindIndex,
-  });
-};
-
-
-/**
- * Update secret with name [secretName]
- * @param req
- * @param res
+ * @param res 
  */
 export const updateSecretByName = async (req: Request, res: Response) => {
-  const { secretName } = req.params;
-  const {
-    workspaceId,
-    environment,
-    type,
-    secretValueCiphertext,
-    secretValueIV,
-    secretValueTag,
-    secretPath = "/",
-  } = req.body;
+    const { secretName } = req.params;
+    const {
+        workspaceId,
+        environment,
+        type,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag
+    } = req.body;
 
-  const secret = await SecretService.updateSecret({
-    secretName,
-    workspaceId,
-    environment,
-    type,
-    authData: req.authData,
-    secretValueCiphertext,
-    secretValueIV,
-    secretValueTag,
-    secretPath,
-  });
+    const secret = await SecretService.updateSecret({
+        secretName,
+        workspaceId,
+        environment,
+        type,
+        authData: req.authData,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag
+    });
+    
+    await EventService.handleEvent({
+        event: eventPushSecrets({
+            workspaceId: new Types.ObjectId(workspaceId),
+            environment
+        })
+    });
 
-  await EventService.handleEvent({
-    event: eventPushSecrets({
-      workspaceId: new Types.ObjectId(workspaceId),
-      environment,
-    }),
-  });
-
-  return res.status(200).send({
-    secret,
-  });
-};
+    return res.status(200).send({
+        secret
+    });
+}
 
 /**
  * Delete secret with name [secretName]
- * @param req
- * @param res
+ * @param req 
+ * @param res 
  */
 export const deleteSecretByName = async (req: Request, res: Response) => {
-  const { secretName } = req.params;
-  const {
-    workspaceId,
-    environment,
-    type,
-    secretPath = "/",
-  } = req.body;
+    const { secretName } = req.params;
+    const {
+        workspaceId,
+        environment,
+        type
+    } = req.body;
+    
+    const { secret, secrets } = await SecretService.deleteSecret({
+        secretName,
+        workspaceId,
+        environment,
+        type,
+        authData: req.authData
+    });
 
-  const { secret } = await SecretService.deleteSecret({
-    secretName,
-    workspaceId,
-    environment,
-    type,
-    authData: req.authData,
-    secretPath,
-  });
+    await EventService.handleEvent({
+        event: eventPushSecrets({
+            workspaceId: new Types.ObjectId(workspaceId),
+            environment
+        })
+    });
 
-  await EventService.handleEvent({
-    event: eventPushSecrets({
-      workspaceId: new Types.ObjectId(workspaceId),
-      environment,
-    }),
-  });
-
-  return res.status(200).send({
-    secret,
-  });
-};
+    return res.status(200).send({
+        secret
+    });
+}

backend/src/controllers/v3/signupController.ts

@@ -1,194 +0,0 @@
-import jwt from "jsonwebtoken";
-import { Request, Response } from "express";
-import * as Sentry from "@sentry/node";
-import { MembershipOrg, User } from "../../models";
-import { completeAccount } from "../../helpers/user";
-import {
-	initializeDefaultOrg,
-} from "../../helpers/signup";
-import { issueAuthTokens, validateProviderAuthToken } from "../../helpers/auth";
-import { ACCEPTED, INVITED } from "../../variables";
-import { standardRequest } from "../../config/request";
-import { getHttpsEnabled, getJwtSignupSecret, getLoopsApiKey } from "../../config";
-import { BadRequestError } from "../../utils/errors";
-import { TelemetryService } from "../../services";
-
-/**
- * Complete setting up user by adding their personal and auth information as part of the
- * signup flow
- * @param req
- * @param res
- * @returns
- */
-export const completeAccountSignup = async (req: Request, res: Response) => {
-	let user, token, refreshToken;
-	try {
-		const {
-			email,
-			firstName,
-			lastName,
-			protectedKey,
-			protectedKeyIV,
-			protectedKeyTag,
-			publicKey,
-			encryptedPrivateKey,
-			encryptedPrivateKeyIV,
-			encryptedPrivateKeyTag,
-			salt,
-			verifier,
-			organizationName,
-			providerAuthToken,
-			attributionSource,
-		}: {
-			email: string;
-			firstName: string;
-			lastName: string;
-			protectedKey: string;
-			protectedKeyIV: string;
-			protectedKeyTag: string;
-			publicKey: string;
-			encryptedPrivateKey: string;
-			encryptedPrivateKeyIV: string;
-			encryptedPrivateKeyTag: string;
-			salt: string;
-			verifier: string;
-			organizationName: string;
-			providerAuthToken?: string;
-			attributionSource?: string;
-		} = req.body;
-
-		user = await User.findOne({ email });
-
-		if (!user || (user && user?.publicKey)) {
-			// case 1: user doesn't exist.
-			// case 2: user has already completed account
-			return res.status(403).send({
-				error: "Failed to complete account for complete user",
-			});
-		}
-
-		if (providerAuthToken) {
-			await validateProviderAuthToken({
-				email,
-				providerAuthToken,
-				user,
-			});
-		} else {
-			const [AUTH_TOKEN_TYPE, AUTH_TOKEN_VALUE] = <[string, string]>req.headers["authorization"]?.split(" ", 2) ?? [null, null]
-			if (AUTH_TOKEN_TYPE === null) {
-				throw BadRequestError({ message: "Missing Authorization Header in the request header." });
-			}
-			if (AUTH_TOKEN_TYPE.toLowerCase() !== "bearer") {
-				throw BadRequestError({ message: `The provided authentication type '${AUTH_TOKEN_TYPE}' is not supported.` })
-			}
-			if (AUTH_TOKEN_VALUE === null) {
-				throw BadRequestError({
-					message: "Missing Authorization Body in the request header",
-				})
-			}
-
-			const decodedToken = <jwt.UserIDJwtPayload>(
-				jwt.verify(AUTH_TOKEN_VALUE, await getJwtSignupSecret())
-			);
-
-			if (decodedToken.userId !== user.id) {
-				throw BadRequestError();
-			}
-		}
-
-		// complete setting up user's account
-		user = await completeAccount({
-			userId: user._id.toString(),
-			firstName,
-			lastName,
-			encryptionVersion: 2,
-			protectedKey,
-			protectedKeyIV,
-			protectedKeyTag,
-			publicKey,
-			encryptedPrivateKey,
-			encryptedPrivateKeyIV,
-			encryptedPrivateKeyTag,
-			salt,
-			verifier,
-		});
-
-		if (!user)
-			throw new Error("Failed to complete account for non-existent user"); // ensure user is non-null
-
-		// initialize default organization and workspace
-		await initializeDefaultOrg({
-			organizationName,
-			user,
-		});
-
-		// update organization membership statuses that are
-		// invited to completed with user attached
-		await MembershipOrg.updateMany(
-			{
-				inviteEmail: email,
-				status: INVITED,
-			},
-			{
-				user,
-				status: ACCEPTED,
-			}
-		);
-
-		// issue tokens
-		const tokens = await issueAuthTokens({
-			userId: user._id,
-			ip: req.realIP,
-			userAgent: req.headers["user-agent"] ?? "",
-		});
-
-		token = tokens.token;
-
-		// sending a welcome email to new users
-		if (await getLoopsApiKey()) {
-			await standardRequest.post("https://app.loops.so/api/v1/events/send", {
-				"email": email,
-				"eventName": "Sign Up",
-				"firstName": firstName,
-				"lastName": lastName,
-			}, {
-				headers: {
-					"Accept": "application/json",
-					"Authorization": "Bearer " + (await getLoopsApiKey()),
-				},
-			});
-		}
-
-		// store (refresh) token in httpOnly cookie
-		res.cookie("jid", tokens.refreshToken, {
-			httpOnly: true,
-			path: "/",
-			sameSite: "strict",
-			secure: await getHttpsEnabled(),
-		});
-
-		const postHogClient = await TelemetryService.getPostHogClient();
-		if (postHogClient) {
-			postHogClient.capture({
-				event: "User Signed Up",
-				distinctId: email,
-				properties: {
-					email,
-					attributionSource,
-				},
-			});
-		}
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: "Failed to complete account setup",
-		});
-	}
-
-	return res.status(200).send({
-		message: "Successfully set up account",
-		user,
-		token,
-	});
-};

backend/src/controllers/v3/workspacesController.ts

@@ -1,7 +1,7 @@
-import { Request, Response } from "express";
-import { Types } from "mongoose";
-import { Secret } from "../../models";
-import { SecretService } from"../../services";
+import { Request, Response } from 'express';
+import { Types } from 'mongoose';
+import { Secret } from '../../models';
+import { SecretService } from'../../services';
 
 /**
  * Return whether or not all secrets in workspace with id [workspaceId]
@@ -16,8 +16,8 @@ export const getWorkspaceBlindIndexStatus = async (req: Request, res: Response)
     const secretsWithoutBlindIndex = await Secret.countDocuments({
         workspace: new Types.ObjectId(workspaceId),
         secretBlindIndex: {
-            $exists: false,
-        },
+            $exists: false
+        }
     });
 
     return res.status(200).send(secretsWithoutBlindIndex === 0);
@@ -30,11 +30,11 @@ export const getWorkspaceSecrets = async (req: Request, res: Response) => {
     const { workspaceId } = req.params;
 
     const secrets = await Secret.find({
-        workspace: new Types.ObjectId (workspaceId),
+        workspace: new Types.ObjectId (workspaceId)
     });
     
     return res.status(200).send({
-        secrets,
+        secrets
     });
 }
 
@@ -51,14 +51,14 @@ export const nameWorkspaceSecrets = async (req: Request, res: Response) => {
 
     const { workspaceId } = req.params;
     const { 
-        secretsToUpdate, 
+        secretsToUpdate 
     }: {
         secretsToUpdate: SecretToUpdate[];
     } = req.body;
 
     // get secret blind index salt
     const salt = await SecretService.getSecretBlindIndexSalt({
-        workspaceId: new Types.ObjectId(workspaceId),
+        workspaceId: new Types.ObjectId(workspaceId)
     });
 
     // update secret blind indices
@@ -66,18 +66,18 @@ export const nameWorkspaceSecrets = async (req: Request, res: Response) => {
         secretsToUpdate.map(async (secretToUpdate: SecretToUpdate) => {
             const secretBlindIndex = await SecretService.generateSecretBlindIndexWithSalt({
                 secretName: secretToUpdate.secretName,
-                salt,
+                salt
             });
     
             return ({
                 updateOne: {
                     filter: {
-                        _id: new Types.ObjectId(secretToUpdate._id),
+                        _id: new Types.ObjectId(secretToUpdate._id)
                     },
                     update: {
-                        secretBlindIndex,
-                    },
-                },
+                        secretBlindIndex
+                    }
+                }
             });
         })
     );
@@ -85,6 +85,6 @@ export const nameWorkspaceSecrets = async (req: Request, res: Response) => {
     await Secret.bulkWrite(operations);
 
     return res.status(200).send({
-        message: "Successfully named workspace secrets",
+        message: 'Successfully named workspace secrets'
     });
 }

backend/src/ee/controllers/v1/actionController.ts

@@ -1,6 +1,7 @@
-import { Request, Response } from "express";
-import { Action } from "../../models";
-import { ActionNotFoundError } from "../../../utils/errors";
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { Action, SecretVersion } from '../../models';
+import { ActionNotFoundError } from '../../../utils/errors';
 
 export const getAction = async (req: Request, res: Response) => {
     let action;
@@ -10,21 +11,21 @@ export const getAction = async (req: Request, res: Response) => {
         action = await Action
             .findById(actionId)
             .populate([
-                "payload.secretVersions.oldSecretVersion",
-                "payload.secretVersions.newSecretVersion",
+                'payload.secretVersions.oldSecretVersion',
+                'payload.secretVersions.newSecretVersion'
             ]);
         
         if (!action) throw ActionNotFoundError({
-            message: "Failed to find action",
+            message: 'Failed to find action'
         });
 
     } catch (err) {
         throw ActionNotFoundError({
-            message: "Failed to find action",
+            message: 'Failed to find action'
         });
     }
     
     return res.status(200).send({
-        action,
+        action
     });
-}
+}

backend/src/ee/controllers/v1/cloudProductsController.ts

@@ -1,28 +0,0 @@
-import { Request, Response } from "express";
-import { EELicenseService } from "../../services";
-import { getLicenseServerUrl } from "../../../config";
-import { licenseServerKeyRequest } from "../../../config/request";
-
-/**
- * Return available cloud product information.
- * Note: Nicely formatted to easily construct a table from
- * @param req 
- * @param res 
- * @returns 
- */
-export const getCloudProducts = async (req: Request, res: Response) => {
-    const billingCycle = req.query["billing-cycle"] as string;
-
-    if (EELicenseService.instanceType === "cloud") {
-        const { data } = await licenseServerKeyRequest.get(
-            `${await getLicenseServerUrl()}/api/license-server/v1/cloud-products?billing-cycle=${billingCycle}`
-        ); 
-
-        return res.status(200).send(data);
-    }
-    
-    return res.status(200).send({
-        head: [],
-        rows: [],
-    });
-}

backend/src/ee/controllers/v1/index.ts

@@ -1,17 +1,15 @@
-import * as secretController from "./secretController";
-import * as secretSnapshotController from "./secretSnapshotController";
-import * as organizationsController from "./organizationsController";
-import * as workspaceController from "./workspaceController";
-import * as actionController from "./actionController";
-import * as membershipController from "./membershipController";
-import * as cloudProductsController from "./cloudProductsController";
+import * as stripeController from './stripeController';
+import * as secretController from './secretController';
+import * as secretSnapshotController from './secretSnapshotController';
+import * as workspaceController from './workspaceController';
+import * as actionController from './actionController';
+import * as membershipController from './membershipController';
 
 export {
+    stripeController,
     secretController,
     secretSnapshotController,
-    organizationsController,
     workspaceController,
     actionController,
-    membershipController,
-    cloudProductsController,
+    membershipController
 }

backend/src/ee/controllers/v1/membershipController.ts

@@ -3,7 +3,8 @@ import { Membership, Workspace } from "../../../models";
 import { IMembershipPermission } from "../../../models/membership";
 import { BadRequestError, UnauthorizedRequestError } from "../../../utils/errors";
 import { ADMIN, MEMBER } from "../../../variables/organization";
-import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from "../../../variables";
+import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from '../../../variables';
+import { Builder } from "builder-pattern"
 import _ from "lodash";
 
 export const denyMembershipPermissions = async (req: Request, res: Response) => {
@@ -14,10 +15,10 @@ export const denyMembershipPermissions = async (req: Request, res: Response) =>
       throw BadRequestError({ message: "One or more required fields are missing from the request or have incorrect type" })
     }
 
-    return {
-      environmentSlug: permission.environmentSlug,
-      ability: permission.ability
-    }
+    return Builder<IMembershipPermission>()
+      .environmentSlug(permission.environmentSlug)
+      .ability(permission.ability)
+      .build();
   })
 
   const sanitizedMembershipPermissionsUnique = _.uniqWith(sanitizedMembershipPermissions, _.isEqual)
@@ -38,7 +39,7 @@ export const denyMembershipPermissions = async (req: Request, res: Response) =>
     throw BadRequestError({ message: "Something went wrong when locating the related workspace" })
   }
 
-  const uniqueEnvironmentSlugs = new Set(_.uniq(_.map(relatedWorkspace.environments, "slug")));
+  const uniqueEnvironmentSlugs = new Set(_.uniq(_.map(relatedWorkspace.environments, 'slug')));
 
   sanitizedMembershipPermissionsUnique.forEach(permission => {
     if (!uniqueEnvironmentSlugs.has(permission.environmentSlug)) {
@@ -58,6 +59,6 @@ export const denyMembershipPermissions = async (req: Request, res: Response) =>
   }
 
   res.send({
-    permissionsDenied: updatedMembershipWithPermissions.deniedPermissions,
+    permissionsDenied: updatedMembershipWithPermissions.deniedPermissions
   })
 }

backend/src/ee/controllers/v1/organizationsController.ts

@@ -1,197 +0,0 @@
-import { Request, Response } from "express";
-import { getLicenseServerUrl } from "../../../config";
-import { licenseServerKeyRequest } from "../../../config/request";
-import { EELicenseService } from "../../services";
-
-export const getOrganizationPlansTable = async (req: Request, res: Response) => {
-    const billingCycle = req.query.billingCycle as string;
-    
-    const { data } = await licenseServerKeyRequest.get(
-        `${await getLicenseServerUrl()}/api/license-server/v1/cloud-products?billing-cycle=${billingCycle}`
-    ); 
-
-    return res.status(200).send(data); 
-}
-
-/**
- * Return the organization current plan's feature set
- */
-export const getOrganizationPlan = async (req: Request, res: Response) => {
-    const { organizationId } = req.params;
-    const workspaceId = req.query.workspaceId as string;
-
-    const plan = await EELicenseService.getPlan(organizationId, workspaceId);
-
-    return res.status(200).send({
-        plan,
-    });
-}
-
-/**
- * Return checkout url for pro trial
- * @param req 
- * @param res 
- * @returns 
- */
-export const startOrganizationTrial = async (req: Request, res: Response) => {
-    const { organizationId } = req.params;
-    const { success_url } = req.body;
-
-    const { data: { url } } = await licenseServerKeyRequest.post(
-        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/session/trial`,
-        {
-            success_url
-        }
-    ); 
-    
-    EELicenseService.delPlan(organizationId);
-    
-    return res.status(200).send({
-        url
-    });
-}
-
-/**
- * Return the organization's current plan's billing info
- * @param req 
- * @param res 
- * @returns 
- */
-export const getOrganizationPlanBillingInfo = async (req: Request, res: Response) => {
-    const { data } = await licenseServerKeyRequest.get(
-        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/cloud-plan/billing`
-    ); 
-    
-    return res.status(200).send(data);
-}
-
-/**
- * Return the organization's current plan's feature table
- * @param req 
- * @param res 
- * @returns 
- */
-export const getOrganizationPlanTable = async (req: Request, res: Response) => {
-    const { data } = await licenseServerKeyRequest.get(
-        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/cloud-plan/table`
-    ); 
-
-    return res.status(200).send(data);
-}
-
-export const getOrganizationBillingDetails = async (req: Request, res: Response) => {
-    const { data  } = await licenseServerKeyRequest.get(
-        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details`
-    ); 
-
-    return res.status(200).send(data);
-}
-
-export const updateOrganizationBillingDetails = async (req: Request, res: Response) => {
-    const {
-        name,
-        email
-    } = req.body;
-
-    const { data } = await licenseServerKeyRequest.patch(
-        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details`,
-        {
-            ...(name ? { name } : {}),
-            ...(email ? { email } : {})
-        }
-    ); 
-
-    return res.status(200).send(data); 
-}
-
-/**
- * Return the organization's payment methods on file
- */
-export const getOrganizationPmtMethods = async (req: Request, res: Response) => {
-    const { data: { pmtMethods } } = await licenseServerKeyRequest.get(
-        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/payment-methods`
-    );
-
-    return res.status(200).send(pmtMethods); 
-}
-
-/**
- * Return URL to add payment method for organization
- */
-export const addOrganizationPmtMethod = async (req: Request, res: Response) => {
-    const {
-        success_url,
-        cancel_url,
-    } = req.body;
-    
-    const { data: { url } } = await licenseServerKeyRequest.post(
-        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/payment-methods`,
-        {
-            success_url,
-            cancel_url,
-        }
-    );
-    
-    return res.status(200).send({
-        url,
-    }); 
-}
-
-export const deleteOrganizationPmtMethod = async (req: Request, res: Response) => {
-    const { pmtMethodId } = req.params;
-
-    const { data } = await licenseServerKeyRequest.delete(
-        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/payment-methods/${pmtMethodId}`,
-    );
-        
-    return res.status(200).send(data);
-}
-
-/**
- * Return the organization's tax ids on file
- */
-export const getOrganizationTaxIds = async (req: Request, res: Response) => {
-    const { data: { tax_ids } } = await licenseServerKeyRequest.get(
-        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/tax-ids`
-    );
-
-    return res.status(200).send(tax_ids); 
-}
-
-/**
- * Add tax id to organization
- */
-export const addOrganizationTaxId = async (req: Request, res: Response) => {
-    const {
-        type,
-        value
-    } = req.body;
-
-    const { data } = await licenseServerKeyRequest.post(
-        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/tax-ids`,
-        {
-            type,
-            value
-        }
-    );
-
-    return res.status(200).send(data); 
-}
-
-export const deleteOrganizationTaxId = async (req: Request, res: Response) => {
-    const { taxId } = req.params;
-
-    const { data } = await licenseServerKeyRequest.delete(
-        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/tax-ids/${taxId}`,
-    );
-        
-    return res.status(200).send(data); 
-}
-
-export const getOrganizationInvoices = async (req: Request, res: Response) => {
-    const { data: { invoices } } = await licenseServerKeyRequest.get(
-        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/invoices`
-    );
-
-    return res.status(200).send(invoices); 
-}

backend/src/ee/controllers/v1/secretController.ts

@@ -1,15 +1,16 @@
-import { Request, Response } from "express";
-import { Secret } from "../../../models";
-import { SecretVersion } from "../../models";
-import { EESecretService } from "../../services";
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { Secret } from '../../../models';
+import { SecretVersion } from '../../models';
+import { EESecretService } from '../../services';
 
 /**
  * Return secret versions for secret with id [secretId]
- * @param req
- * @param res
+ * @param req 
+ * @param res 
  */
-export const getSecretVersions = async (req: Request, res: Response) => {
-  /* 
+ export const getSecretVersions = async (req: Request, res: Response) => {
+	/* 
     #swagger.summary = 'Return secret versions'
     #swagger.description = 'Return secret versions'
     
@@ -54,31 +55,41 @@ export const getSecretVersions = async (req: Request, res: Response) => {
         }
     }   
     */
-  const { secretId } = req.params;
+	let secretVersions;
+	try {
+		const { secretId } = req.params;
 
-  const offset: number = parseInt(req.query.offset as string);
-  const limit: number = parseInt(req.query.limit as string);
+		const offset: number = parseInt(req.query.offset as string);
+		const limit: number = parseInt(req.query.limit as string);
+		
+		secretVersions = await SecretVersion.find({
+			secret: secretId
+		})
+		.sort({ createdAt: -1 })
+		.skip(offset)
+		.limit(limit);
 
-  const secretVersions = await SecretVersion.find({
-    secret: secretId
-  })
-    .sort({ createdAt: -1 })
-    .skip(offset)
-    .limit(limit);
-
-  return res.status(200).send({
-    secretVersions
-  });
-};
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get secret versions'
+		});
+	}
+	
+	return res.status(200).send({
+		secretVersions
+	});
+}
 
 /**
  * Roll back secret with id [secretId] to version [version]
- * @param req
- * @param res
- * @returns
+ * @param req 
+ * @param res 
+ * @returns 
  */
 export const rollbackSecretVersion = async (req: Request, res: Response) => {
-  /* 
+	/* 
     #swagger.summary = 'Roll back secret to a version.'
     #swagger.description = 'Roll back secret to a version.'
     
@@ -126,92 +137,91 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
         }
     }   
     */
-  const { secretId } = req.params;
-  const { version } = req.body;
+	let secret;
+	try {
+		const { secretId } = req.params;
+		const { version } = req.body;
+		
+		// validate secret version
+		const oldSecretVersion = await SecretVersion.findOne({
+			secret: secretId,
+			version
+		}).select('+secretBlindIndex')
+		
+		if (!oldSecretVersion) throw new Error('Failed to find secret version');
+		
+		const {
+			workspace,
+			type,
+			user,
+			environment,
+			secretBlindIndex,
+			secretKeyCiphertext,
+			secretKeyIV,
+			secretKeyTag,
+			secretValueCiphertext,
+			secretValueIV,
+			secretValueTag,
+		} = oldSecretVersion;
+		
+		// update secret
+		secret = await Secret.findByIdAndUpdate(
+			secretId,
+			{
+				$inc: {
+					version: 1
+				},
+				workspace,
+				type,
+				user,
+				environment,
+				...(secretBlindIndex ? { secretBlindIndex } : {}),
+				secretKeyCiphertext,
+				secretKeyIV,
+				secretKeyTag,
+				secretValueCiphertext,
+				secretValueIV,
+				secretValueTag,
+			},
+			{
+				new: true
+			}
+		);
+		
+		if (!secret) throw new Error('Failed to find and update secret');
 
-  // validate secret version
-  const oldSecretVersion = await SecretVersion.findOne({
-    secret: secretId,
-    version
-  }).select("+secretBlindIndex");
-
-  if (!oldSecretVersion) throw new Error("Failed to find secret version");
-
-  const {
-    workspace,
-    type,
-    user,
-    environment,
-    secretBlindIndex,
-    secretKeyCiphertext,
-    secretKeyIV,
-    secretKeyTag,
-    secretValueCiphertext,
-    secretValueIV,
-    secretValueTag,
-    algorithm,
-    folder,
-    keyEncoding
-  } = oldSecretVersion;
-
-  // update secret
-  const secret = await Secret.findByIdAndUpdate(
-    secretId,
-    {
-      $inc: {
-        version: 1
-      },
-      workspace,
-      type,
-      user,
-      environment,
-      ...(secretBlindIndex ? { secretBlindIndex } : {}),
-      secretKeyCiphertext,
-      secretKeyIV,
-      secretKeyTag,
-      secretValueCiphertext,
-      secretValueIV,
-      secretValueTag,
-      folderId: folder,
-      algorithm,
-      keyEncoding
-    },
-    {
-      new: true
-    }
-  );
-
-  if (!secret) throw new Error("Failed to find and update secret");
-
-  // add new secret version
-  await new SecretVersion({
-    secret: secretId,
-    version: secret.version,
-    workspace,
-    type,
-    user,
-    environment,
-    isDeleted: false,
-    ...(secretBlindIndex ? { secretBlindIndex } : {}),
-    secretKeyCiphertext,
-    secretKeyIV,
-    secretKeyTag,
-    secretValueCiphertext,
-    secretValueIV,
-    secretValueTag,
-    folder,
-    algorithm,
-    keyEncoding
-  }).save();
-
-  // take secret snapshot
-  await EESecretService.takeSecretSnapshot({
-    workspaceId: secret.workspace,
-    environment,
-    folderId: folder
-  });
-
-  return res.status(200).send({
-    secret
-  });
-};
+		// add new secret version
+		await new SecretVersion({
+			secret: secretId,
+			version: secret.version,
+			workspace,
+			type,
+			user,
+			environment,
+			isDeleted: false,
+			...(secretBlindIndex ? { secretBlindIndex } : {}),
+			secretKeyCiphertext,
+			secretKeyIV,
+			secretKeyTag,
+			secretValueCiphertext,
+			secretValueIV,
+			secretValueTag
+		}).save();
+		
+		// take secret snapshot
+		await EESecretService.takeSecretSnapshot({
+			workspaceId: secret.workspace
+		});
+		
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to roll back secret version'
+		});
+	}
+	
+	return res.status(200).send({
+		secret
+	});
+}

backend/src/ee/controllers/v1/secretSnapshotController.ts

@@ -1,45 +1,33 @@
-import { Request, Response } from "express";
-import {
-  ISecretVersion,
-  SecretSnapshot,
-  TFolderRootVersionSchema,
-} from "../../models";
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { SecretSnapshot } from '../../models';
 
 /**
  * Return secret snapshot with id [secretSnapshotId]
- * @param req
- * @param res
- * @returns
+ * @param req 
+ * @param res 
+ * @returns 
  */
 export const getSecretSnapshot = async (req: Request, res: Response) => {
-  const { secretSnapshotId } = req.params;
+    let secretSnapshot;
+    try {
+        const { secretSnapshotId } = req.params;
 
-  const secretSnapshot = await SecretSnapshot.findById(secretSnapshotId)
-    .lean()
-    .populate<{ secretVersions: ISecretVersion[] }>({
-      path: "secretVersions",
-      populate: {
-        path: "tags",
-        model: "Tag",
-      },
-    })
-    .populate<{ folderVersion: TFolderRootVersionSchema }>("folderVersion");
-  
-  if (!secretSnapshot) throw new Error("Failed to find secret snapshot");
-  
-  const folderId = secretSnapshot.folderId;
-  // to show only the folder required secrets
-  secretSnapshot.secretVersions = secretSnapshot.secretVersions.filter(
-    ({ folder }) => folder === folderId
-  );
+        secretSnapshot = await SecretSnapshot
+            .findById(secretSnapshotId)
+            .populate('secretVersions');
+        
+        if (!secretSnapshot) throw new Error('Failed to find secret snapshot');
 
-  secretSnapshot.folderVersion =
-    secretSnapshot?.folderVersion?.nodes?.children?.map(({ id, name }) => ({
-      id,
-      name,
-    })) as any;
-
-  return res.status(200).send({
-    secretSnapshot,
-  });
-};
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get secret snapshot'
+		});
+    }
+    
+    return res.status(200).send({
+        secretSnapshot
+    });
+}

backend/src/ee/controllers/v1/stripeController.ts

@@ -0,0 +1,41 @@
+import * as Sentry from '@sentry/node';
+import { Request, Response } from 'express';
+import Stripe from 'stripe';
+import { getStripeSecretKey, getStripeWebhookSecret } from '../../../config';
+
+/**
+ * Handle service provisioning/un-provisioning via Stripe
+ * @param req
+ * @param res
+ * @returns
+ */
+export const handleWebhook = async (req: Request, res: Response) => {
+	let event;
+	try {
+		const stripe = new Stripe(await getStripeSecretKey(), {
+			apiVersion: '2022-08-01'
+		});
+
+		// check request for valid stripe signature
+		const sig = req.headers['stripe-signature'] as string;
+		event = stripe.webhooks.constructEvent(
+			req.body,
+			sig,
+			await getStripeWebhookSecret()
+		);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			error: 'Failed to process webhook'
+		});
+	}
+
+	switch (event.type) {
+		case '':
+			break;
+		default:
+	}
+
+	return res.json({ received: true });
+};

backend/src/ee/controllers/v1/workspaceController.ts

@@ -1,29 +1,25 @@
-import { Request, Response } from "express";
-import { PipelineStage, Types } from "mongoose";
-import { Secret } from "../../../models";
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
 import {
-  FolderVersion,
-  ISecretVersion,
-  Log,
-  SecretSnapshot,
-  SecretVersion,
-  TFolderRootVersionSchema,
-} from "../../models";
-import { EESecretService } from "../../services";
-import { getLatestSecretVersionIds } from "../../helpers/secretVersion";
-import Folder, { TFolderSchema } from "../../../models/folder";
-import { searchByFolderId } from "../../../services/FolderService";
+	Secret
+} from '../../../models';
+import { 
+	SecretSnapshot,
+	Log,
+	SecretVersion,
+	ISecretVersion
+} from '../../models';
+import { EESecretService } from '../../services';
+import { getLatestSecretVersionIds } from '../../helpers/secretVersion';
 
 /**
  * Return secret snapshots for workspace with id [workspaceId]
- * @param req
- * @param res
+ * @param req 
+ * @param res 
  */
-export const getWorkspaceSecretSnapshots = async (
-  req: Request,
-  res: Response
-) => {
-  /* 
+ export const getWorkspaceSecretSnapshots = async (req: Request, res: Response) => {
+	/* 
     #swagger.summary = 'Return project secret snapshot ids'
     #swagger.description = 'Return project secret snapshots ids'
     
@@ -68,60 +64,66 @@ export const getWorkspaceSecretSnapshots = async (
         }
     }
     */
-  const { workspaceId } = req.params;
-  const { environment, folderId } = req.query;
+	let secretSnapshots;
+	try {
+		const { workspaceId } = req.params;
 
-  const offset: number = parseInt(req.query.offset as string);
-  const limit: number = parseInt(req.query.limit as string);
+		const offset: number = parseInt(req.query.offset as string);
+		const limit: number = parseInt(req.query.limit as string);
+		
+		secretSnapshots = await SecretSnapshot.find({
+			workspace: workspaceId
+		})
+		.sort({ createdAt: -1 })
+		.skip(offset)
+		.limit(limit);
 
-  const secretSnapshots = await SecretSnapshot.find({
-    workspace: workspaceId,
-    environment,
-    folderId: folderId || "root",
-  })
-    .sort({ createdAt: -1 })
-    .skip(offset)
-    .limit(limit);
-
-  return res.status(200).send({
-    secretSnapshots,
-  });
-};
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get secret snapshots'
+		});
+	}
+	
+	return res.status(200).send({
+		secretSnapshots
+	});
+}
 
 /**
  * Return count of secret snapshots for workspace with id [workspaceId]
- * @param req
- * @param res
+ * @param req 
+ * @param res 
  */
-export const getWorkspaceSecretSnapshotsCount = async (
-  req: Request,
-  res: Response
-) => {
-  const { workspaceId } = req.params;
-  const { environment, folderId } = req.query;
-
-  const count = await SecretSnapshot.countDocuments({
-    workspace: workspaceId,
-    environment,
-    folderId: folderId || "root",
-  });
-
-  return res.status(200).send({
-    count,
-  });
-};
+export const getWorkspaceSecretSnapshotsCount = async (req: Request, res: Response) => {
+	let count;
+	try {
+		const { workspaceId } = req.params;
+		count = await SecretSnapshot.countDocuments({
+			workspace: workspaceId
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to count number of secret snapshots'
+		});
+	}
+	
+	return res.status(200).send({
+		count
+	});
+}
 
 /**
  * Rollback secret snapshot with id [secretSnapshotId] to version [version]
- * @param req
- * @param res
- * @returns
+ * @param req 
+ * @param res 
+ * @returns 
  */
-export const rollbackWorkspaceSecretSnapshot = async (
-  req: Request,
-  res: Response
-) => {
-  /* 
+export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Response) => {
+	/* 
     #swagger.summary = 'Roll back project secrets to those captured in a secret snapshot version.'
     #swagger.description = 'Roll back project secrets to those captured in a secret snapshot version.'
     
@@ -171,329 +173,168 @@ export const rollbackWorkspaceSecretSnapshot = async (
         }
     }   
     */
+	
+	let secrets;
+    try {	
+        const { workspaceId } = req.params;
+        const { version } = req.body;
+        
+		// validate secret snapshot
+		const secretSnapshot = await SecretSnapshot.findOne({
+			workspace: workspaceId,
+			version
+		}).populate<{ secretVersions: ISecretVersion[]}>({
+			path: 'secretVersions',
+			select: '+secretBlindIndex'
+		});
+        
+        if (!secretSnapshot) throw new Error('Failed to find secret snapshot');
 
-  const { workspaceId } = req.params;
-  const { version, environment, folderId = "root" } = req.body;
+		// TODO: fix any
+		const oldSecretVersionsObj: any = secretSnapshot.secretVersions
+			.reduce((accumulator, s) => ({ 
+				...accumulator, 
+				[`${s.secret.toString()}`]: s 
+			}), {});	
+		
+		const latestSecretVersionIds = await getLatestSecretVersionIds({
+			secretIds: secretSnapshot.secretVersions.map((sv) => sv.secret)
+		});
+		
+		// TODO: fix any
+		const latestSecretVersions: any = (await SecretVersion.find({
+			_id: {
+				$in: latestSecretVersionIds.map((s) => s.versionId)
+			}
+		}, 'secret version'))
+		.reduce((accumulator, s) => ({ 
+			...accumulator, 
+			[`${s.secret.toString()}`]: s 
+		}), {});
+		
+		// delete existing secrets
+		await Secret.deleteMany({
+			workspace: workspaceId
+		});
 
-  // validate secret snapshot
-  const secretSnapshot = await SecretSnapshot.findOne({
-    workspace: workspaceId,
-    version,
-    environment,
-    folderId: folderId,
-  })
-    .populate<{ secretVersions: ISecretVersion[] }>({
-      path: "secretVersions",
-      select: "+secretBlindIndex",
-    })
-    .populate<{ folderVersion: TFolderRootVersionSchema }>("folderVersion");
-
-  if (!secretSnapshot) throw new Error("Failed to find secret snapshot");
-
-  const snapshotFolderTree = secretSnapshot.folderVersion;
-  const latestFolderTree = await Folder.findOne({
-    workspace: workspaceId,
-    environment,
-  });
-
-  const latestFolderVersion = await FolderVersion.findOne({
-    environment,
-    workspace: workspaceId,
-    "nodes.id": folderId,
-  }).sort({ "nodes.version": -1 });
-
-  const oldSecretVersionsObj: Record<string, ISecretVersion> = {};
-  const secretIds: Types.ObjectId[] = [];
-  const folderIds: string[] = [folderId];
-
-  secretSnapshot.secretVersions.forEach((snapSecVer) => {
-    oldSecretVersionsObj[snapSecVer.secret.toString()] = snapSecVer;
-    secretIds.push(snapSecVer.secret);
-  });
-
-  // the parent node from current latest one
-  // this will be modified according to the snapshot and latest snapshots
-  const newFolderTree =
-    latestFolderTree && searchByFolderId(latestFolderTree.nodes, folderId);
-
-  if (newFolderTree) {
-    newFolderTree.children = snapshotFolderTree?.nodes?.children || [];
-    const queue = [newFolderTree];
-    // a bfs algorithm in which we take the latest snapshots of all the folders in a level
-    while (queue.length) {
-      const groupByFolderId: Record<string, TFolderSchema> = {};
-      // the original queue is popped out completely to get what ever in a level
-      // subqueue is filled with all the children thus next level folders
-      // subQueue will then be transfered to the oriinal queue
-      const subQueue: TFolderSchema[] = [];
-      // get everything inside a level
-      while (queue.length) {
-        const folder = queue.pop() as TFolderSchema;
-        folder.children.forEach((el) => {
-          folderIds.push(el.id); // push ids and data into queu
-          subQueue.push(el);
-          // to modify the original tree very fast we keep a reference object
-          // key with folder id and pointing to the various nodes
-          groupByFolderId[el.id] = el;
-        });
-      }
-      // get latest snapshots of all the folder
-      const matchWsFoldersPipeline = {
-        $match: {
-          workspace: new Types.ObjectId(workspaceId),
-          environment,
-          folderId: {
-            $in: Object.keys(groupByFolderId),
-          },
-        },
-      };
-      const sortByFolderIdAndVersion: PipelineStage = {
-        $sort: { folderId: 1, version: -1 },
-      };
-      const pickLatestVersionOfEachFolder = {
-        $group: {
-          _id: "$folderId",
-          latestVersion: { $first: "$version" },
-          doc: {
-            $first: "$$ROOT",
-          },
-        },
-      };
-      const populateSecVersion = {
-        $lookup: {
-          from: SecretVersion.collection.name,
-          localField: "doc.secretVersions",
-          foreignField: "_id",
-          as: "doc.secretVersions",
-        },
-      };
-      const populateFolderVersion = {
-        $lookup: {
-          from: FolderVersion.collection.name,
-          localField: "doc.folderVersion",
-          foreignField: "_id",
-          as: "doc.folderVersion",
-        },
-      };
-      const unwindFolderVerField = {
-        $unwind: {
-          path: "$doc.folderVersion",
-          preserveNullAndEmptyArrays: true,
-        },
-      };
-      const latestSnapshotsByFolders: Array<{ doc: typeof secretSnapshot }> =
-        await SecretSnapshot.aggregate([
-          matchWsFoldersPipeline,
-          sortByFolderIdAndVersion,
-          pickLatestVersionOfEachFolder,
-          populateSecVersion,
-          populateFolderVersion,
-          unwindFolderVerField,
-        ]);
-
-      // recursive snapshotting each level
-      latestSnapshotsByFolders.forEach((snap) => {
-        // mutate the folder tree to update the nodes to the latest version tree
-        // we are reconstructing the folder tree by latest snapshots here
-        if (groupByFolderId[snap.doc.folderId]) {
-          groupByFolderId[snap.doc.folderId].children =
-            snap.doc?.folderVersion?.nodes?.children || [];
-        }
-
-        // push all children of next level snapshots
-        if (snap.doc.folderVersion?.nodes?.children) {
-          queue.push(...snap.doc.folderVersion.nodes.children);
-        }
-
-        snap.doc.secretVersions.forEach((snapSecVer) => {
-          // record all the secrets
-          oldSecretVersionsObj[snapSecVer.secret.toString()] = snapSecVer;
-          secretIds.push(snapSecVer.secret);
-        });
-      });
-
-      queue.push(...subQueue);
+		// add secrets
+        secrets = await Secret.insertMany(
+			secretSnapshot.secretVersions.map((sv) => {
+				const secretId = sv.secret;
+				const {
+					workspace,
+					type,
+					user,
+					environment,
+					secretBlindIndex,
+					secretKeyCiphertext,
+					secretKeyIV,
+					secretKeyTag,
+					secretKeyHash,
+					secretValueCiphertext,
+					secretValueIV,
+					secretValueTag,
+					secretValueHash,
+					createdAt
+				} = oldSecretVersionsObj[secretId.toString()];
+				
+				return ({
+					_id: secretId,
+					version: latestSecretVersions[secretId.toString()].version + 1,
+					workspace,
+					type,
+					user,
+					environment,
+					secretBlindIndex: secretBlindIndex ?? undefined,
+					secretKeyCiphertext,
+					secretKeyIV,
+					secretKeyTag,
+					secretKeyHash,
+					secretValueCiphertext,
+					secretValueIV,
+					secretValueTag,
+					secretValueHash,
+					secretCommentCiphertext: '',
+					secretCommentIV: '',
+					secretCommentTag: '',
+					createdAt
+				});
+			})
+		);
+		
+		// add secret versions
+		const secretV = await SecretVersion.insertMany(
+			secrets.map(({
+				_id,
+				version,
+				workspace,
+				type,
+				user,
+				environment,
+				secretBlindIndex,
+				secretKeyCiphertext,
+				secretKeyIV,
+				secretKeyTag,
+				secretKeyHash,
+				secretValueCiphertext,
+				secretValueIV,
+				secretValueTag,
+				secretValueHash
+			}) => ({
+				_id: new Types.ObjectId(),
+				secret: _id,
+				version,
+				workspace,
+				type,
+				user,
+				environment,
+				isDeleted: false,
+				secretBlindIndex: secretBlindIndex ?? undefined,
+				secretKeyCiphertext,
+				secretKeyIV,
+				secretKeyTag,
+				secretKeyHash,
+				secretValueCiphertext,
+				secretValueIV,
+				secretValueTag,
+				secretValueHash
+			}))
+		);
+		
+		// update secret versions of restored secrets as not deleted
+		await SecretVersion.updateMany({
+			secret: {
+				$in: secretSnapshot.secretVersions.map((sv) => sv.secret)
+			}
+		}, {
+			isDeleted: false
+		});
+		
+        // take secret snapshot
+		await EESecretService.takeSecretSnapshot({
+			workspaceId: new Types.ObjectId(workspaceId)
+		});
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to roll back secret snapshot'
+		}); 
     }
-  }
-
-  // TODO: fix any
-  const latestSecretVersionIds = await getLatestSecretVersionIds({
-    secretIds,
-  });
-
-  // TODO: fix any
-  const latestSecretVersions: any = (
-    await SecretVersion.find(
-      {
-        _id: {
-          $in: latestSecretVersionIds.map((s) => s.versionId),
-        },
-      },
-      "secret version"
-    )
-  ).reduce(
-    (accumulator, s) => ({
-      ...accumulator,
-      [`${s.secret.toString()}`]: s,
-    }),
-    {}
-  );
-
-  const secDelQuery: Record<string, unknown> = {
-    workspace: workspaceId,
-    environment,
-    // undefined means root thus collect all secrets
-  };
-  if (folderId !== "root" && folderIds.length)
-    secDelQuery.folder = { $in: folderIds };
-
-  // delete existing secrets
-  await Secret.deleteMany(secDelQuery);
-  await Folder.deleteOne({
-    workspace: workspaceId,
-    environment,
-  });
-
-  // add secrets
-  const secrets = await Secret.insertMany(
-    Object.keys(oldSecretVersionsObj).map((sv) => {
-      const {
-        secret: secretId,
-        workspace,
-        type,
-        user,
-        environment,
-        secretBlindIndex,
-        secretKeyCiphertext,
-        secretKeyIV,
-        secretKeyTag,
-        secretValueCiphertext,
-        secretValueIV,
-        secretValueTag,
-        createdAt,
-        algorithm,
-        keyEncoding,
-        folder: secFolderId,
-      } = oldSecretVersionsObj[sv];
-
-      return {
-        _id: secretId,
-        version: latestSecretVersions[secretId.toString()].version + 1,
-        workspace,
-        type,
-        user,
-        environment,
-        secretBlindIndex: secretBlindIndex ?? undefined,
-        secretKeyCiphertext,
-        secretKeyIV,
-        secretKeyTag,
-        secretValueCiphertext,
-        secretValueIV,
-        secretValueTag,
-        secretCommentCiphertext: "",
-        secretCommentIV: "",
-        secretCommentTag: "",
-        createdAt,
-        algorithm,
-        keyEncoding,
-        folder: secFolderId,
-      };
-    })
-  );
-
-  // add secret versions
-  const secretV = await SecretVersion.insertMany(
-    secrets.map(
-      ({
-        _id,
-        version,
-        workspace,
-        type,
-        user,
-        environment,
-        secretBlindIndex,
-        secretKeyCiphertext,
-        secretKeyIV,
-        secretKeyTag,
-        secretValueCiphertext,
-        secretValueIV,
-        secretValueTag,
-        algorithm,
-        keyEncoding,
-        folder: secFolderId,
-      }) => ({
-        _id: new Types.ObjectId(),
-        secret: _id,
-        version,
-        workspace,
-        type,
-        user,
-        environment,
-        isDeleted: false,
-        secretBlindIndex: secretBlindIndex ?? undefined,
-        secretKeyCiphertext,
-        secretKeyIV,
-        secretKeyTag,
-        secretValueCiphertext,
-        secretValueIV,
-        secretValueTag,
-        algorithm,
-        keyEncoding,
-        folder: secFolderId,
-      })
-    )
-  );
-
-  if (newFolderTree && latestFolderTree) {
-    // save the updated folder tree to the present one
-    newFolderTree.version = (latestFolderVersion?.nodes?.version || 0) + 1;
-    latestFolderTree._id = new Types.ObjectId();
-    latestFolderTree.isNew = true;
-    await latestFolderTree.save();
-
-    // create new folder version
-    const newFolderVersion = new FolderVersion({
-      workspace: workspaceId,
-      environment,
-      nodes: newFolderTree,
-    });
-    await newFolderVersion.save();
-  }
-
-  // update secret versions of restored secrets as not deleted
-  await SecretVersion.updateMany(
-    {
-      secret: {
-        $in: Object.keys(oldSecretVersionsObj).map(
-          (sv) => oldSecretVersionsObj[sv].secret
-        ),
-      },
-    },
-    {
-      isDeleted: false,
-    }
-  );
-
-  // take secret snapshot
-  await EESecretService.takeSecretSnapshot({
-    workspaceId: new Types.ObjectId(workspaceId),
-    environment,
-    folderId,
-  });
-
-  return res.status(200).send({
-    secrets,
-  });
-};
+    
+	return res.status(200).send({
+		secrets
+	});
+}
 
 /**
  * Return (audit) logs for workspace with id [workspaceId]
- * @param req
- * @param res
- * @returns
+ * @param req 
+ * @param res 
+ * @returns 
  */
 export const getWorkspaceLogs = async (req: Request, res: Response) => {
-  /* 
+	/* 
     #swagger.summary = 'Return project (audit) logs'
     #swagger.description = 'Return project (audit) logs'
     
@@ -559,32 +400,43 @@ export const getWorkspaceLogs = async (req: Request, res: Response) => {
         }
     }   
     */
-  const { workspaceId } = req.params;
+	let logs
+	try {
+		const { workspaceId } = req.params;
 
-  const offset: number = parseInt(req.query.offset as string);
-  const limit: number = parseInt(req.query.limit as string);
-  const sortBy: string = req.query.sortBy as string;
-  const userId: string = req.query.userId as string;
-  const actionNames: string = req.query.actionNames as string;
+		const offset: number = parseInt(req.query.offset as string);
+		const limit: number = parseInt(req.query.limit as string);
+		const sortBy: string = req.query.sortBy as string;
+		const userId: string = req.query.userId as string;
+		const actionNames: string = req.query.actionNames as string;
+		
+		logs = await Log.find({
+			workspace: workspaceId,
+			...( userId ? { user: userId } : {}),
+			...( 
+				actionNames 
+				? { 
+					actionNames: {
+						$in: actionNames.split(',')
+					}
+				} : {}
+			)
+		})
+		.sort({ createdAt: sortBy === 'recent' ? -1 : 1 })
+		.skip(offset)
+		.limit(limit)
+		.populate('actions')
+		.populate('user serviceAccount serviceTokenData');
 
-  const logs = await Log.find({
-    workspace: workspaceId,
-    ...(userId ? { user: userId } : {}),
-    ...(actionNames
-      ? {
-          actionNames: {
-            $in: actionNames.split(","),
-          },
-        }
-      : {}),
-  })
-    .sort({ createdAt: sortBy === "recent" ? -1 : 1 })
-    .skip(offset)
-    .limit(limit)
-    .populate("actions")
-    .populate("user serviceAccount serviceTokenData");
-
-  return res.status(200).send({
-    logs,
-  });
-};
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace logs'
+		});
+	}
+	
+	return res.status(200).send({
+		logs
+	});
+}

backend/src/ee/helpers/action.ts

@@ -1,17 +1,17 @@
-import { Types } from "mongoose";
-import { Action } from "../models";
+import { Types } from 'mongoose';
+import { Action } from '../models';
 import { 
-    getLatestNSecretSecretVersionIds,
     getLatestSecretVersionIds,
-} from "../helpers/secretVersion";
+    getLatestNSecretSecretVersionIds
+} from '../helpers/secretVersion';
 import { 
-    ACTION_ADD_SECRETS,
-    ACTION_DELETE_SECRETS,
     ACTION_LOGIN,
     ACTION_LOGOUT,
+    ACTION_ADD_SECRETS,
     ACTION_READ_SECRETS,
+    ACTION_DELETE_SECRETS,
     ACTION_UPDATE_SECRETS,
-} from "../../variables";
+} from '../../variables';
 
 /**
  * Create an (audit) action for updating secrets
@@ -26,7 +26,7 @@ const createActionUpdateSecret = async ({
     serviceAccountId,
     serviceTokenDataId,
     workspaceId,
-    secretIds,
+    secretIds
 }: {
     name: string;
     userId?: Types.ObjectId;
@@ -37,11 +37,11 @@ const createActionUpdateSecret = async ({
 }) => {
     const latestSecretVersions = (await getLatestNSecretSecretVersionIds({
             secretIds,
-            n: 2,
+            n: 2
         }))
         .map((s) => ({
             oldSecretVersion: s.versions[0]._id,
-            newSecretVersion: s.versions[1]._id,
+            newSecretVersion: s.versions[1]._id
         }));
     
     const action = await new Action({
@@ -51,8 +51,8 @@ const createActionUpdateSecret = async ({
         serviceTokenData: serviceTokenDataId,
         workspace: workspaceId,
         payload: {
-            secretVersions: latestSecretVersions,
-        },
+            secretVersions: latestSecretVersions
+        }
     }).save();
     
     return action;
@@ -72,7 +72,7 @@ const createActionSecret = async ({
     serviceAccountId,
     serviceTokenDataId,
     workspaceId,
-    secretIds,
+    secretIds
 }: {
     name: string;
     userId?: Types.ObjectId;
@@ -84,10 +84,10 @@ const createActionSecret = async ({
     // case: action is adding, deleting, or reading secrets
     // -> add new secret versions
     const latestSecretVersions = (await getLatestSecretVersionIds({
-        secretIds,
+        secretIds
     }))
     .map((s) => ({
-        newSecretVersion: s.versionId,
+        newSecretVersion: s.versionId
     }));
     
    const action = await new Action({
@@ -97,8 +97,8 @@ const createActionSecret = async ({
         serviceTokenData: serviceTokenDataId,
         workspace: workspaceId,
         payload: {
-            secretVersions: latestSecretVersions,
-        },
+            secretVersions: latestSecretVersions
+        }
     }).save(); 
     
     return action;
@@ -116,7 +116,7 @@ const createActionClient = ({
     name,
     userId,
     serviceAccountId,
-    serviceTokenDataId,
+    serviceTokenDataId
 }: {
     name: string;
     userId?: Types.ObjectId;
@@ -127,7 +127,7 @@ const createActionClient = ({
         name,
         user: userId,
         serviceAccount: serviceAccountId,
-        serviceTokenData: serviceTokenDataId,
+        serviceTokenData: serviceTokenDataId
     }).save();
 
     return action; 
@@ -162,27 +162,27 @@ const createActionHelper = async ({
         case ACTION_LOGOUT:
             action = await createActionClient({
                 name,
-                userId,
+                userId
             });
             break;
         case ACTION_ADD_SECRETS:
         case ACTION_READ_SECRETS:
         case ACTION_DELETE_SECRETS:
-            if (!workspaceId || !secretIds) throw new Error("Missing required params workspace id or secret ids to create action secret");
+            if (!workspaceId || !secretIds) throw new Error('Missing required params workspace id or secret ids to create action secret');
             action = await createActionSecret({
                 name,
                 userId,
                 workspaceId,
-                secretIds,
+                secretIds
             });
             break;
         case ACTION_UPDATE_SECRETS:
-            if (!workspaceId || !secretIds) throw new Error("Missing required params workspace id or secret ids to create action secret");
+            if (!workspaceId || !secretIds) throw new Error('Missing required params workspace id or secret ids to create action secret');
             action = await createActionUpdateSecret({
                 name,
                 userId,
                 workspaceId,
-                secretIds,
+                secretIds
             });
             break;
     }
@@ -191,5 +191,5 @@ const createActionHelper = async ({
 }
 
 export { 
-    createActionHelper,
+    createActionHelper
 };

backend/src/ee/helpers/checkMembershipPermissions.ts

@@ -1,7 +1,7 @@
-import { Types } from "mongoose";
+import { Types } from 'mongoose';
 import _ from "lodash";
 import { Membership } from "../../models";
-import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from "../../variables";
+import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from '../../variables';
 
 export const userHasWorkspaceAccess = async (userId: Types.ObjectId, workspaceId: Types.ObjectId, environment: string, action: any) => {
   const membershipForWorkspace = await Membership.findOne({ workspace: workspaceId, user: userId })

backend/src/ee/helpers/log.ts

@@ -1,8 +1,8 @@
-import { Types } from "mongoose";
+import { Types } from 'mongoose';
 import { 
-    IAction,
     Log,
-} from "../models";
+    IAction
+} from '../models';
 
 /**
  * Create an (audit) log
@@ -21,7 +21,7 @@ const createLogHelper = async ({
     workspaceId,
     actions,
     channel,
-    ipAddress,
+    ipAddress
 }: {
     userId?: Types.ObjectId;
     serviceAccountId?: Types.ObjectId;
@@ -39,12 +39,12 @@ const createLogHelper = async ({
         actionNames: actions.map((a) => a.name),
         actions,
         channel,
-        ipAddress,
+        ipAddress
     }).save();
 
     return log;
 }
 
 export {
-    createLogHelper,
+    createLogHelper
 }

backend/src/ee/helpers/secret.ts

@@ -1,11 +1,6 @@
 import { Types } from "mongoose";
-import { Secret } from "../../models";
-import {
-  FolderVersion,
-  ISecretVersion,
-  SecretSnapshot,
-  SecretVersion,
-} from "../models";
+import { Secret, ISecret } from "../../models";
+import { SecretSnapshot, SecretVersion, ISecretVersion } from "../models";
 
 /**
  * Save a secret snapshot that is a copy of the current state of secrets in workspace with id
@@ -17,31 +12,22 @@ import {
  */
 const takeSecretSnapshotHelper = async ({
   workspaceId,
-  environment,
-  folderId = "root",
 }: {
   workspaceId: Types.ObjectId;
-  environment: string;
-  folderId?: string;
 }) => {
-  // get all folder ids
   const secretIds = (
     await Secret.find(
       {
         workspace: workspaceId,
-        environment,
-        folder: folderId,
       },
       "_id"
-    ).lean()
+    )
   ).map((s) => s._id);
 
   const latestSecretVersions = (
     await SecretVersion.aggregate([
       {
         $match: {
-          environment,
-          workspace: new Types.ObjectId(workspaceId),
           secret: {
             $in: secretIds,
           },
@@ -59,11 +45,6 @@ const takeSecretSnapshotHelper = async ({
       },
     ]).exec()
   ).map((s) => s.versionId);
-  const latestFolderVersion = await FolderVersion.findOne({
-    environment,
-    workspace: workspaceId,
-    "nodes.id": folderId,
-  }).sort({ "nodes.version": -1 });
 
   const latestSecretSnapshot = await SecretSnapshot.findOne({
     workspace: workspaceId,
@@ -71,11 +52,8 @@ const takeSecretSnapshotHelper = async ({
 
   const secretSnapshot = await new SecretSnapshot({
     workspace: workspaceId,
-    environment,
     version: latestSecretSnapshot ? latestSecretSnapshot.version + 1 : 1,
     secretVersions: latestSecretVersions,
-    folderId,
-    folderVersion: latestFolderVersion,
   }).save();
 
   return secretSnapshot;
@@ -115,8 +93,52 @@ const markDeletedSecretVersionsHelper = async ({
   );
 };
 
+/**
+ * Initialize secret versioning by setting previously unversioned
+ * secrets to version 1 and begin populating secret versions.
+ */
+const initSecretVersioningHelper = async () => {
+  await Secret.updateMany(
+    { version: { $exists: false } },
+    { $set: { version: 1 } }
+  );
+
+  const unversionedSecrets: ISecret[] = await Secret.aggregate([
+    {
+      $lookup: {
+        from: "secretversions",
+        localField: "_id",
+        foreignField: "secret",
+        as: "versions",
+      },
+    },
+    {
+      $match: {
+        versions: { $size: 0 },
+      },
+    },
+  ]);
+
+  if (unversionedSecrets.length > 0) {
+    await addSecretVersionsHelper({
+      secretVersions: unversionedSecrets.map(
+        (s, idx) =>
+          new SecretVersion({
+            ...s,
+            secret: s._id,
+            version: s.version ? s.version : 1,
+            isDeleted: false,
+            workspace: s.workspace,
+            environment: s.environment,
+          })
+      ),
+    });
+  }
+};
+
 export {
   takeSecretSnapshotHelper,
   addSecretVersionsHelper,
   markDeletedSecretVersionsHelper,
+  initSecretVersioningHelper,
 };

backend/src/ee/helpers/secretVersion.ts

@@ -1,82 +1,92 @@
-import { Types } from "mongoose";
-import { SecretVersion } from "../models";
+import { Types } from 'mongoose';
+import { SecretVersion } from '../models';
 
 /**
  * Return latest secret versions for secrets with ids [secretIds]
  * @param {Object} obj
  * @param {Object} obj.secretIds = ids of secrets to get latest versions for
- * @returns
+ * @returns 
  */
 const getLatestSecretVersionIds = async ({
-  secretIds,
+    secretIds
 }: {
-  secretIds: Types.ObjectId[];
+    secretIds: Types.ObjectId[];
 }) => {
-  const latestSecretVersionIds = await SecretVersion.aggregate([
-    {
-      $match: {
-        secret: {
-          $in: secretIds,
+    interface LatestSecretVersionId {
+        _id: Types.ObjectId;
+        version: number;
+        versionId: Types.ObjectId;
+    }
+    
+    const latestSecretVersionIds = (await SecretVersion.aggregate([
+        {
+            $match: { 
+                secret: { 
+                    $in: secretIds 
+                } 
+            }
         },
-      },
-    },
-    {
-      $group: {
-        _id: "$secret",
-        version: { $max: "$version" },
-        versionId: { $max: "$_id" }, // id of latest secret version
-      },
-    },
-    {
-      $sort: { version: -1 },
-    },
-  ]).exec();
-
-  return latestSecretVersionIds;
-};
+        {
+            $group: {
+                _id: '$secret',
+                version: { $max: '$version' },
+                versionId: { $max: '$_id' } // id of latest secret version
+            }
+        },
+        {
+            $sort: { version: -1 }
+        }
+        ])
+        .exec());
+    
+    return latestSecretVersionIds;
+}
 
 /**
  * Return latest [n] secret versions for secrets with ids [secretIds]
  * @param {Object} obj
  * @param {Object} obj.secretIds = ids of secrets to get latest versions for
  * @param {Number} obj.n - number of latest secret versions to return for each secret
- * @returns
+ * @returns 
  */
 const getLatestNSecretSecretVersionIds = async ({
-  secretIds,
-  n,
+    secretIds,
+    n
 }: {
-  secretIds: Types.ObjectId[];
-  n: number;
+    secretIds: Types.ObjectId[];
+    n: number;
 }) => {
-  // TODO: optimize query
-  const latestNSecretVersions = await SecretVersion.aggregate([
-    {
-      $match: {
-        secret: {
-          $in: secretIds,
+    // TODO: optimize query
+    const latestNSecretVersions = (await SecretVersion.aggregate([
+        {
+            $match: {
+            secret: {
+                $in: secretIds,
+            },
+            },
         },
-      },
-    },
-    {
-      $sort: { version: -1 },
-    },
-    {
-      $group: {
-        _id: "$secret",
-        versions: { $push: "$$ROOT" },
-      },
-    },
-    {
-      $project: {
-        _id: 0,
-        secret: "$_id",
-        versions: { $slice: ["$versions", n] },
-      },
-    },
-  ]);
+        {
+            $sort: { version: -1 },
+        },
+        {
+            $group: {
+            _id: "$secret",
+            versions: { $push: "$$ROOT" },
+            },
+        },
+        {
+            $project: {
+            _id: 0,
+            secret: "$_id",
+            versions: { $slice: ["$versions", n] },
+            },
+        }
+    ]));
+    
+    return latestNSecretVersions;
+}
 
-  return latestNSecretVersions;
-};
-
-export { getLatestSecretVersionIds, getLatestNSecretSecretVersionIds };
+export {
+    getLatestSecretVersionIds,
+    getLatestNSecretSecretVersionIds
+}

backend/src/ee/middleware/index.ts

@@ -1,7 +1,7 @@
-import requireLicenseAuth from "./requireLicenseAuth";
-import requireSecretSnapshotAuth from "./requireSecretSnapshotAuth";
+import requireLicenseAuth from './requireLicenseAuth';
+import requireSecretSnapshotAuth from './requireSecretSnapshotAuth';
 
 export {
     requireLicenseAuth,
-    requireSecretSnapshotAuth,
+    requireSecretSnapshotAuth
 }

backend/src/ee/middleware/requireLicenseAuth.ts

@@ -1,4 +1,4 @@
-import { NextFunction, Request, Response } from "express";
+import { Request, Response, NextFunction } from 'express';
 
 /**
  * Validate if organization hosting meets license requirements to 
@@ -7,7 +7,7 @@ import { NextFunction, Request, Response } from "express";
  * @param {String[]} obj.acceptedTiers
  */
 const requireLicenseAuth = ({
-    acceptedTiers,
+    acceptedTiers
 }: {
     acceptedTiers: string[];
 }) => {

backend/src/ee/middleware/requireSecretSnapshotAuth.ts

@@ -1,9 +1,9 @@
-import { NextFunction, Request, Response } from "express";
-import { SecretSnapshotNotFoundError } from "../../utils/errors";
-import { SecretSnapshot } from "../models";
+import { Request, Response, NextFunction } from 'express';
+import { UnauthorizedRequestError, SecretSnapshotNotFoundError } from '../../utils/errors';
+import { SecretSnapshot } from '../models';
 import {
-    validateMembership,
-} from "../../helpers/membership";
+    validateMembership
+} from '../../helpers/membership';
 
 /**
  * Validate if user on request has proper membership for secret snapshot
@@ -15,7 +15,7 @@ import {
 const requireSecretSnapshotAuth = ({
     acceptedRoles,
 }: {
-    acceptedRoles: Array<"admin" | "member">;
+    acceptedRoles: Array<'admin' | 'member'>;
 }) => {
     return async (req: Request, res: Response, next: NextFunction) => {
         const { secretSnapshotId } = req.params;
@@ -24,14 +24,14 @@ const requireSecretSnapshotAuth = ({
         
         if (!secretSnapshot) {
             return next(SecretSnapshotNotFoundError({
-                message: "Failed to find secret snapshot",
+                message: 'Failed to find secret snapshot'
             }));
         }
         
         await validateMembership({
             userId: req.user._id,
             workspaceId: secretSnapshot.workspace,
-            acceptedRoles,
+            acceptedRoles
         });
         
         req.secretSnapshot = secretSnapshot as any;

backend/src/ee/models/action.ts

@@ -1,12 +1,12 @@
-import { Schema, Types, model } from "mongoose";
+import { Schema, model, Types } from 'mongoose';
 import {
-    ACTION_ADD_SECRETS,
-    ACTION_DELETE_SECRETS,
     ACTION_LOGIN,
     ACTION_LOGOUT,
-    ACTION_READ_SECRETS,
+    ACTION_ADD_SECRETS,
     ACTION_UPDATE_SECRETS,
-} from "../../variables";
+    ACTION_READ_SECRETS,
+    ACTION_DELETE_SECRETS
+} from '../../variables';
 
 export interface IAction {
     name: string;
@@ -30,42 +30,42 @@ const actionSchema = new Schema<IAction>(
                 ACTION_ADD_SECRETS,
                 ACTION_UPDATE_SECRETS,
                 ACTION_READ_SECRETS,
-                ACTION_DELETE_SECRETS,
-            ],
+                ACTION_DELETE_SECRETS
+            ]
         },
         user: {
             type: Schema.Types.ObjectId,
-            ref: "User",
+            ref: 'User'
         },
         serviceAccount: {
             type: Schema.Types.ObjectId,
-            ref: "ServiceAccount",
+            ref: 'ServiceAccount'
         },
         serviceTokenData: {
             type: Schema.Types.ObjectId,
-            ref: "ServiceTokenData",
+            ref: 'ServiceTokenData'
         },
         workspace: {
             type: Schema.Types.ObjectId,
-            ref: "Workspace",
+            ref: 'Workspace'
         },
         payload: {
             secretVersions: [{
                 oldSecretVersion: {
                     type: Schema.Types.ObjectId,
-                    ref: "SecretVersion",
+                    ref: 'SecretVersion'
                 },
                 newSecretVersion: {
                     type: Schema.Types.ObjectId,
-                    ref: "SecretVersion",
-                },
-            }],
-        },
+                    ref: 'SecretVersion'
+                }
+            }]
+        }
     }, {
-        timestamps: true,
+        timestamps: true
     }
 );
 
-const Action = model<IAction>("Action", actionSchema);
+const Action = model<IAction>('Action', actionSchema);
 
 export default Action;

backend/src/ee/models/folderVersion.ts

@@ -1,60 +0,0 @@
-import { Schema, Types, model } from "mongoose";
-
-export type TFolderRootVersionSchema = {
-  _id: Types.ObjectId;
-  workspace: Types.ObjectId;
-  environment: string;
-  nodes: TFolderVersionSchema;
-};
-
-export type TFolderVersionSchema = {
-  id: string;
-  name: string;
-  version: number;
-  children: TFolderVersionSchema[];
-};
-
-const folderVersionSchema = new Schema<TFolderVersionSchema>({
-  id: {
-    required: true,
-    type: String,
-    default: "root",
-  },
-  name: {
-    required: true,
-    type: String,
-    default: "root",
-  },
-  version: {
-    required: true,
-    type: Number,
-    default: 1,
-  },
-});
-
-folderVersionSchema.add({ children: [folderVersionSchema] });
-
-const folderRootVersionSchema = new Schema<TFolderRootVersionSchema>(
-  {
-    workspace: {
-      type: Schema.Types.ObjectId,
-      ref: "Workspace",
-      required: true,
-    },
-    environment: {
-      type: String,
-      required: true,
-    },
-    nodes: folderVersionSchema,
-  },
-  {
-    timestamps: true,
-  }
-);
-
-const FolderVersion = model<TFolderRootVersionSchema>(
-  "FolderVersion",
-  folderRootVersionSchema
-);
-
-export default FolderVersion;

backend/src/ee/models/index.ts

@@ -1,18 +1,15 @@
-import SecretSnapshot, { ISecretSnapshot } from "./secretSnapshot";
-import SecretVersion, { ISecretVersion } from "./secretVersion";
-import FolderVersion, { TFolderRootVersionSchema } from "./folderVersion";
-import Log, { ILog } from "./log";
-import Action, { IAction } from "./action";
+import SecretSnapshot, { ISecretSnapshot } from './secretSnapshot';
+import SecretVersion, { ISecretVersion } from './secretVersion';
+import Log, { ILog } from './log';
+import Action, { IAction } from './action';
 
 export {
-  SecretSnapshot,
-  ISecretSnapshot,
-  SecretVersion,
-  ISecretVersion,
-  FolderVersion,
-  TFolderRootVersionSchema,
-  Log,
-  ILog,
-  Action,
-  IAction,
-};
+    SecretSnapshot,
+    ISecretSnapshot,
+    SecretVersion,
+    ISecretVersion,
+    Log,
+    ILog,
+    Action,
+    IAction
+}

backend/src/ee/models/log.ts

@@ -1,12 +1,12 @@
-import { Schema, Types, model } from "mongoose";
+import { Schema, model, Types } from 'mongoose';
 import {
-    ACTION_ADD_SECRETS,
-    ACTION_DELETE_SECRETS,
     ACTION_LOGIN,
     ACTION_LOGOUT,
-    ACTION_READ_SECRETS,
+    ACTION_ADD_SECRETS,
     ACTION_UPDATE_SECRETS,
-} from "../../variables";
+    ACTION_READ_SECRETS,
+    ACTION_DELETE_SECRETS
+} from '../../variables';
 
 export interface ILog {
     _id: Types.ObjectId;
@@ -24,19 +24,19 @@ const logSchema = new Schema<ILog>(
     {
         user: {
             type: Schema.Types.ObjectId,
-            ref: "User",
+            ref: 'User'
         },
         serviceAccount: {
             type: Schema.Types.ObjectId,
-            ref: "ServiceAccount",
+            ref: 'ServiceAccount'
         },
         serviceTokenData: {
             type: Schema.Types.ObjectId,
-            ref: "ServiceTokenData",
+            ref: 'ServiceTokenData'
         },
         workspace: {
             type: Schema.Types.ObjectId,
-            ref: "Workspace",
+            ref: 'Workspace'
         },
         actionNames: {
             type: [String],
@@ -46,28 +46,28 @@ const logSchema = new Schema<ILog>(
                 ACTION_ADD_SECRETS,
                 ACTION_UPDATE_SECRETS,
                 ACTION_READ_SECRETS,
-                ACTION_DELETE_SECRETS,
+                ACTION_DELETE_SECRETS
             ],
-            required: true,
+            required: true
         },
         actions: [{
             type: Schema.Types.ObjectId,
-            ref: "Action",
-            required: true,
+            ref: 'Action',
+            required: true
         }],
         channel: {
             type: String,
-            enum: ["web", "cli", "auto", "k8-operator", "other"],
-            required: true,
+            enum: ['web', 'cli', 'auto', 'k8-operator', 'other'],
+            required: true
         },
         ipAddress: {
-            type: String,
-        },
+            type: String
+        }
     }, {
-    timestamps: true,
+    timestamps: true
 }
 );
 
-const Log = model<ILog>("Log", logSchema);
+const Log = model<ILog>('Log', logSchema);
 
 export default Log;

backend/src/ee/models/secretSnapshot.ts

@@ -1,54 +1,33 @@
-import { Schema, Types, model } from "mongoose";
+import { Schema, model, Types } from 'mongoose';
 
 export interface ISecretSnapshot {
-  workspace: Types.ObjectId;
-  environment: string;
-  folderId: string | "root";
-  version: number;
-  secretVersions: Types.ObjectId[];
-  folderVersion: Types.ObjectId;
+    workspace: Types.ObjectId;
+    version: number;
+    secretVersions: Types.ObjectId[];
 }
 
 const secretSnapshotSchema = new Schema<ISecretSnapshot>(
-  {
-    workspace: {
-      type: Schema.Types.ObjectId,
-      ref: "Workspace",
-      required: true,
+    {
+        workspace: {
+            type: Schema.Types.ObjectId,
+            ref: 'Workspace',
+            required: true
+        },
+        version: {
+            type: Number,
+            required: true
+        },
+        secretVersions: [{
+            type: Schema.Types.ObjectId,
+            ref: 'SecretVersion',
+            required: true
+        }]
     },
-    environment: {
-      type: String,
-      required: true,
-    },
-    folderId: {
-      type: String,
-      default: "root",
-    },
-    version: {
-      type: Number,
-      default: 1,
-      required: true,
-    },
-    secretVersions: [
-      {
-        type: Schema.Types.ObjectId,
-        ref: "SecretVersion",
-        required: true,
-      },
-    ],
-    folderVersion: {
-      type: Schema.Types.ObjectId,
-      ref: "FolderVersion",
-    },
-  },
-  {
-    timestamps: true,
-  }
+    {
+        timestamps: true
+    }
 );
 
-const SecretSnapshot = model<ISecretSnapshot>(
-  "SecretSnapshot",
-  secretSnapshotSchema
-);
+const SecretSnapshot = model<ISecretSnapshot>('SecretSnapshot', secretSnapshotSchema);
 
-export default SecretSnapshot;
+export default SecretSnapshot;

backend/src/ee/models/secretVersion.ts

@@ -1,132 +1,97 @@
-import { Schema, Types, model } from "mongoose";
+import { Schema, model, Types } from 'mongoose';
 import {
-  ALGORITHM_AES_256_GCM,
-  ENCODING_SCHEME_BASE64,
-  ENCODING_SCHEME_UTF8,
-  SECRET_PERSONAL,
-  SECRET_SHARED,
-} from "../../variables";
+	SECRET_SHARED,
+	SECRET_PERSONAL,
+} from '../../variables';
 
 export interface ISecretVersion {
-  _id: Types.ObjectId;
-  secret: Types.ObjectId;
-  version: number;
-  workspace: Types.ObjectId; // new
-  type: string; // new
-  user?: Types.ObjectId; // new
-  environment: string; // new
-  isDeleted: boolean;
-  secretBlindIndex?: string;
-  secretKeyCiphertext: string;
-  secretKeyIV: string;
-  secretKeyTag: string;
-  secretValueCiphertext: string;
-  secretValueIV: string;
-  secretValueTag: string;
-  algorithm: "aes-256-gcm";
-  keyEncoding: "utf8" | "base64";
-  createdAt: string;
-  folder?: string;
-  tags?: string[];
+	_id: Types.ObjectId;
+	secret: Types.ObjectId;
+	version: number;
+	workspace: Types.ObjectId; // new
+	type: string; // new
+	user?: Types.ObjectId; // new
+	environment: string; // new
+	isDeleted: boolean;
+	secretBlindIndex?: string;
+	secretKeyCiphertext: string;
+	secretKeyIV: string;
+	secretKeyTag: string;
+	secretValueCiphertext: string;
+	secretValueIV: string;
+	secretValueTag: string;
 }
 
 const secretVersionSchema = new Schema<ISecretVersion>(
-  {
-    secret: {
-      // could be deleted
-      type: Schema.Types.ObjectId,
-      ref: "Secret",
-      required: true,
-    },
-    version: {
-      type: Number,
-      default: 1,
-      required: true,
-    },
-    workspace: {
-      type: Schema.Types.ObjectId,
-      ref: "Workspace",
-      required: true,
-    },
-    type: {
-      type: String,
-      enum: [SECRET_SHARED, SECRET_PERSONAL],
-      required: true,
-    },
-    user: {
-      // user associated with the personal secret
-      type: Schema.Types.ObjectId,
-      ref: "User",
-    },
-    environment: {
-      type: String,
-      required: true,
-    },
-    isDeleted: {
-      // consider removing field
-      type: Boolean,
-      default: false,
-      required: true,
-    },
-    secretBlindIndex: {
-      type: String,
-      select: false,
-    },
-    secretKeyCiphertext: {
-      type: String,
-      required: true,
-    },
-    secretKeyIV: {
-      type: String, // symmetric
-      required: true,
-    },
-    secretKeyTag: {
-      type: String, // symmetric
-      required: true,
-    },
-    secretValueCiphertext: {
-      type: String,
-      required: true,
-    },
-    secretValueIV: {
-      type: String, // symmetric
-      required: true,
-    },
-    secretValueTag: {
-      type: String, // symmetric
-      required: true,
-    },
-    algorithm: {
-      // the encryption algorithm used
-      type: String,
-      enum: [ALGORITHM_AES_256_GCM],
-      required: true,
-      default: ALGORITHM_AES_256_GCM,
-    },
-    keyEncoding: {
-      type: String,
-      enum: [ENCODING_SCHEME_UTF8, ENCODING_SCHEME_BASE64],
-      required: true,
-      default: ENCODING_SCHEME_UTF8,
-    },
-    folder: {
-      type: String,
-      required: true,
-    },
-    tags: {
-      ref: "Tag",
-      type: [Schema.Types.ObjectId],
-      default: [],
-    },
-  },
-  {
-    timestamps: true,
-  }
+	{
+		secret: { // could be deleted
+			type: Schema.Types.ObjectId,
+			ref: 'Secret',
+			required: true
+		},
+		version: {
+			type: Number,
+			default: 1,
+			required: true
+		},
+		workspace: {
+			type: Schema.Types.ObjectId,
+			ref: 'Workspace',
+			required: true
+		},
+		type: {
+			type: String,
+			enum: [SECRET_SHARED, SECRET_PERSONAL],
+			required: true
+		},
+		user: {
+			// user associated with the personal secret
+			type: Schema.Types.ObjectId,
+			ref: 'User'
+		},
+		environment: {
+			type: String,
+			required: true
+		},
+		isDeleted: { // consider removing field
+			type: Boolean,
+			default: false,
+			required: true
+		},
+		secretBlindIndex: {
+			type: String,
+			select: false
+		},
+		secretKeyCiphertext: {
+			type: String,
+			required: true
+		},
+		secretKeyIV: {
+			type: String, // symmetric
+			required: true
+		},
+		secretKeyTag: {
+			type: String, // symmetric
+			required: true
+		},
+		secretValueCiphertext: {
+			type: String,
+			required: true
+		},
+		secretValueIV: {
+			type: String, // symmetric
+			required: true
+		},
+		secretValueTag: {
+			type: String, // symmetric
+			required: true
+		}
+	},
+	{
+		timestamps: true
+	}
 );
 
-const SecretVersion = model<ISecretVersion>(
-  "SecretVersion",
-  secretVersionSchema
-);
+const SecretVersion = model<ISecretVersion>('SecretVersion', secretVersionSchema);
 
-export default SecretVersion;
+export default SecretVersion;

backend/src/ee/routes/v1/action.ts

@@ -1,15 +1,15 @@
-import express from "express";
+import express from 'express';
 const router = express.Router();
 import {
-    validateRequest,
-} from "../../../middleware";
-import { param } from "express-validator";
-import { actionController } from "../../controllers/v1";
+    validateRequest
+} from '../../../middleware';
+import { param } from 'express-validator';
+import { actionController } from '../../controllers/v1';
 
 // TODO: put into action controller
 router.get(
-    "/:actionId",
-    param("actionId").exists().trim(),
+    '/:actionId',
+    param('actionId').exists().trim(),
     validateRequest,
     actionController.getAction
 );

backend/src/ee/routes/v1/cloudProducts.ts

@@ -1,20 +0,0 @@
-import express from "express";
-const router = express.Router();
-import {
-    requireAuth,
-    validateRequest,
-} from "../../../middleware";
-import { query } from "express-validator";
-import { cloudProductsController } from "../../controllers/v1";
-
-router.get(
-    "/",
-    requireAuth({
-		acceptedAuthModes: ["jwt", "apiKey"],
-	}),
-    query("billing-cycle").exists().isIn(["monthly", "yearly"]),
-    validateRequest,
-    cloudProductsController.getCloudProducts 
-);
-
-export default router;

backend/src/ee/routes/v1/index.ts

@@ -1,15 +1,11 @@
-import secret from "./secret";
-import secretSnapshot from "./secretSnapshot";
-import organizations from "./organizations";
-import workspace from "./workspace";
-import action from "./action";
-import cloudProducts from "./cloudProducts";
+import secret from './secret';
+import secretSnapshot from './secretSnapshot';
+import workspace from './workspace';
+import action from './action';
 
 export {
     secret,
     secretSnapshot,
-    organizations,
     workspace,
-    action,
-    cloudProducts,
+    action
 }

backend/src/ee/routes/v1/organizations.ts

@@ -1,223 +0,0 @@
-import express from "express";
-const router = express.Router();
-import {
-    requireAuth,
-    requireOrganizationAuth,
-    validateRequest,
-} from "../../../middleware";
-import { body, param, query } from "express-validator";
-import { organizationsController } from "../../controllers/v1";
-import {
-    ACCEPTED, ADMIN, MEMBER, OWNER,
-} from "../../../variables";
-
-router.get(
-    "/:organizationId/plans/table",
-    requireAuth({
-		acceptedAuthModes: ["jwt"],
-	}),
-    requireOrganizationAuth({
-        acceptedRoles: [OWNER, ADMIN, MEMBER],
-        acceptedStatuses: [ACCEPTED],
-    }),
-    param("organizationId").exists().trim(),
-    query("billingCycle").exists().isString().isIn(["monthly", "yearly"]),
-    validateRequest,
-    organizationsController.getOrganizationPlansTable
-);
-
-router.get(
-    "/:organizationId/plan",
-    requireAuth({
-		acceptedAuthModes: ["jwt"],
-	}),
-    requireOrganizationAuth({
-        acceptedRoles: [OWNER, ADMIN, MEMBER],
-        acceptedStatuses: [ACCEPTED],
-    }),
-    param("organizationId").exists().trim(),
-    query("workspaceId").optional().isString(),
-    validateRequest,
-    organizationsController.getOrganizationPlan
-);
-
-router.post(
-    "/:organizationId/session/trial",
-    requireAuth({
-		acceptedAuthModes: ["jwt"],
-	}),
-    requireOrganizationAuth({
-        acceptedRoles: [OWNER, ADMIN, MEMBER],
-        acceptedStatuses: [ACCEPTED],
-    }),
-    param("organizationId").exists().trim(),
-    body("success_url").exists().trim(),
-    validateRequest,
-    organizationsController.startOrganizationTrial
-);
-
-router.get(
-    "/:organizationId/plan/billing",
-    requireAuth({
-		acceptedAuthModes: ["jwt"],
-	}),
-    requireOrganizationAuth({
-        acceptedRoles: [OWNER, ADMIN, MEMBER],
-        acceptedStatuses: [ACCEPTED],
-    }),
-    param("organizationId").exists().trim(),
-    query("workspaceId").optional().isString(),
-    validateRequest,
-    organizationsController.getOrganizationPlanBillingInfo
-);
-
-router.get(
-    "/:organizationId/plan/table",
-    requireAuth({
-		acceptedAuthModes: ["jwt"],
-	}),
-    requireOrganizationAuth({
-        acceptedRoles: [OWNER, ADMIN, MEMBER],
-        acceptedStatuses: [ACCEPTED],
-    }),
-    param("organizationId").exists().trim(),
-    query("workspaceId").optional().isString(),
-    validateRequest,
-    organizationsController.getOrganizationPlanTable
-);
-
-router.get(
-    "/:organizationId/billing-details",
-    requireAuth({
-		acceptedAuthModes: ["jwt"],
-	}),
-    requireOrganizationAuth({
-        acceptedRoles: [OWNER, ADMIN, MEMBER],
-        acceptedStatuses: [ACCEPTED],
-    }),
-    param("organizationId").exists().trim(),
-    validateRequest,
-    organizationsController.getOrganizationBillingDetails
-);
-
-router.patch(
-    "/:organizationId/billing-details",
-    requireAuth({
-		acceptedAuthModes: ["jwt"],
-	}),
-    requireOrganizationAuth({
-        acceptedRoles: [OWNER, ADMIN, MEMBER],
-        acceptedStatuses: [ACCEPTED],
-    }),
-    param("organizationId").exists().trim(),
-    body("email").optional().isString().trim(),
-    body("name").optional().isString().trim(),
-    validateRequest,
-    organizationsController.updateOrganizationBillingDetails
-);
-
-router.get(
-    "/:organizationId/billing-details/payment-methods",
-    requireAuth({
-		acceptedAuthModes: ["jwt"],
-	}),
-    requireOrganizationAuth({
-        acceptedRoles: [OWNER, ADMIN, MEMBER],
-        acceptedStatuses: [ACCEPTED],
-    }),
-    param("organizationId").exists().trim(),
-    validateRequest,
-    organizationsController.getOrganizationPmtMethods
-);
-
-router.post(
-    "/:organizationId/billing-details/payment-methods",
-    requireAuth({
-		acceptedAuthModes: ["jwt"],
-	}),
-    requireOrganizationAuth({
-        acceptedRoles: [OWNER, ADMIN, MEMBER],
-        acceptedStatuses: [ACCEPTED],
-    }),
-    param("organizationId").exists().trim(),
-    body("success_url").exists().isString(),
-    body("cancel_url").exists().isString(),
-    validateRequest,
-    organizationsController.addOrganizationPmtMethod
-);
-
-router.delete(
-    "/:organizationId/billing-details/payment-methods/:pmtMethodId",
-    requireAuth({
-		acceptedAuthModes: ["jwt"],
-	}),
-    requireOrganizationAuth({
-        acceptedRoles: [OWNER, ADMIN, MEMBER],
-        acceptedStatuses: [ACCEPTED],
-    }),
-    param("organizationId").exists().trim(),
-    param("pmtMethodId").exists().trim(),
-    validateRequest,
-    organizationsController.deleteOrganizationPmtMethod
-);
-
-router.get(
-    "/:organizationId/billing-details/tax-ids",
-    requireAuth({
-		acceptedAuthModes: ["jwt"],
-	}),
-    requireOrganizationAuth({
-        acceptedRoles: [OWNER, ADMIN, MEMBER],
-        acceptedStatuses: [ACCEPTED],
-    }),
-    param("organizationId").exists().trim(),
-    validateRequest,
-    organizationsController.getOrganizationTaxIds
-);
-
-router.post(
-    "/:organizationId/billing-details/tax-ids",
-    requireAuth({
-		acceptedAuthModes: ["jwt"],
-	}),
-    requireOrganizationAuth({
-        acceptedRoles: [OWNER, ADMIN, MEMBER],
-        acceptedStatuses: [ACCEPTED],
-    }),
-    param("organizationId").exists().trim(),
-    body("type").exists().isString(),
-    body("value").exists().isString(),
-    validateRequest,
-    organizationsController.addOrganizationTaxId
-);
-
-router.delete(
-    "/:organizationId/billing-details/tax-ids/:taxId",
-    requireAuth({
-		acceptedAuthModes: ["jwt"],
-	}),
-    requireOrganizationAuth({
-        acceptedRoles: [OWNER, ADMIN, MEMBER],
-        acceptedStatuses: [ACCEPTED],
-    }),
-    param("organizationId").exists().trim(),
-    param("taxId").exists().trim(),
-    validateRequest,
-    organizationsController.deleteOrganizationTaxId
-);
-
-router.get(
-    "/:organizationId/invoices",
-    requireAuth({
-		acceptedAuthModes: ["jwt"],
-	}),
-    requireOrganizationAuth({
-        acceptedRoles: [OWNER, ADMIN, MEMBER],
-        acceptedStatuses: [ACCEPTED],
-    }),
-    param("organizationId").exists().trim(),
-    validateRequest,
-    organizationsController.getOrganizationInvoices
-);
-
-export default router;

backend/src/ee/routes/v1/secret.ts

@@ -1,46 +1,46 @@
-import express from "express";
+import express from 'express';
 const router = express.Router();
 import {
     requireAuth,
 	requireSecretAuth,
-    validateRequest,
-} from "../../../middleware";
-import { body, param, query } from "express-validator";
-import { secretController } from "../../controllers/v1";
+    validateRequest
+} from '../../../middleware';
+import { query, param, body } from 'express-validator';
+import { secretController } from '../../controllers/v1';
 import {
 	ADMIN, 
 	MEMBER,
 	PERMISSION_READ_SECRETS,
-	PERMISSION_WRITE_SECRETS,
-} from "../../../variables";
+	PERMISSION_WRITE_SECRETS
+} from '../../../variables';
 
 router.get(
-	"/:secretId/secret-versions",
+	'/:secretId/secret-versions',
 	requireAuth({
-		acceptedAuthModes: ["jwt", "apiKey"],
+		acceptedAuthModes: ['jwt', 'apiKey']
 	}),
 	requireSecretAuth({
 		acceptedRoles: [ADMIN, MEMBER],
-		requiredPermissions: [PERMISSION_READ_SECRETS],
+		requiredPermissions: [PERMISSION_READ_SECRETS]
 	}),
-	param("secretId").exists().trim(),
-	query("offset").exists().isInt(),
-	query("limit").exists().isInt(),
+	param('secretId').exists().trim(),
+	query('offset').exists().isInt(),
+	query('limit').exists().isInt(),
 	validateRequest,
 	secretController.getSecretVersions
 );
 
 router.post(
-	"/:secretId/secret-versions/rollback",
+	'/:secretId/secret-versions/rollback',
 	requireAuth({
-		acceptedAuthModes: ["jwt", "apiKey"],
+		acceptedAuthModes: ['jwt', 'apiKey']
 	}),
 	requireSecretAuth({
 		acceptedRoles: [ADMIN, MEMBER],
-		requiredPermissions: [PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS],
+		requiredPermissions: [PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS]
 	}),
-	param("secretId").exists().trim(),
-	body("version").exists().isInt(),
+	param('secretId').exists().trim(),
+	body('version').exists().isInt(),
 	secretController.rollbackSecretVersion
 );
 

backend/src/ee/routes/v1/secretSnapshot.ts

@@ -1,25 +1,25 @@
-import express from "express";
+import express from 'express';
 const router = express.Router();
 import {
-    requireSecretSnapshotAuth,
-} from "../../middleware";
+    requireSecretSnapshotAuth
+} from '../../middleware';
 import {
     requireAuth,
-    validateRequest,
-} from "../../../middleware";
-import { param } from "express-validator";
-import { ADMIN, MEMBER } from "../../../variables";
-import { secretSnapshotController } from "../../controllers/v1";
+    validateRequest
+} from '../../../middleware';
+import { param, body } from 'express-validator';
+import { ADMIN, MEMBER } from '../../../variables';
+import { secretSnapshotController } from '../../controllers/v1';
 
 router.get(
-    "/:secretSnapshotId",
+    '/:secretSnapshotId',
     requireAuth({
-		acceptedAuthModes: ["jwt"],
+		acceptedAuthModes: ['jwt']
 	}),
     requireSecretSnapshotAuth({
-        acceptedRoles: [ADMIN, MEMBER],
+        acceptedRoles: [ADMIN, MEMBER]
     }),
-    param("secretSnapshotId").exists().trim(),
+    param('secretSnapshotId').exists().trim(),
     validateRequest,
     secretSnapshotController.getSecretSnapshot
 );

backend/src/ee/routes/v1/stripe.ts

@@ -0,0 +1,7 @@
+import express from 'express';
+const router = express.Router();
+import { stripeController } from '../../controllers/v1';
+
+router.post('/webhook', stripeController.handleWebhook);
+
+export default router;