Merge pull request #1088 from adelowo/support_path_when_generating_sample_env

[ENG-179] Add suport for --path for the secrets generate-example-env command

.env.example

@@ -1,24 +1,12 @@
 # Keys
 # Required key for platform encryption/decryption ops
-# THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NOT BE USED FOR PRODUCTION
+# THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NEVER BE USED FOR PRODUCTION
 ENCRYPTION_KEY=6c1fe4e407b8911c104518103505b218
 
 # JWT
 # Required secrets to sign JWT tokens
-JWT_SIGNUP_SECRET=3679e04ca949f914c03332aaaeba805a
-JWT_REFRESH_SECRET=5f2f3c8f0159068dc2bbb3a652a716ff
-JWT_AUTH_SECRET=4be6ba5602e0fa0ac6ac05c3cd4d247f
-JWT_SERVICE_SECRET=f32f716d70a42c5703f4656015e76200
-JWT_SERVICE_TOKEN_SECRET=f32f716d70a42c5703f4656015e76200
-JWT_PROVIDER_AUTH_SECRET=f32f716d70a42c5703f4656015e76201
-
-# JWT lifetime
-# Optional lifetimes for JWT tokens expressed in seconds or a string 
-# describing a time span (e.g. 60, "2 days", "10h", "7d")
-JWT_AUTH_LIFETIME=
-JWT_REFRESH_LIFETIME=
-JWT_SIGNUP_LIFETIME=
-JWT_PROVIDER_AUTH_LIFETIME=
+# THIS IS A SAMPLE AUTH_SECRET KEY AND SHOULD NEVER BE USED FOR PRODUCTION
+AUTH_SECRET=5lrMXKKWCVocS/uerPsl7V+TX/aaUaI7iDkgl3tSmLE=
 
 # MongoDB
 # Backend will connect to the MongoDB instance at connection string MONGO_URL which can either be a ref
@@ -68,5 +56,12 @@ SENTRY_DSN=
 POSTHOG_HOST=
 POSTHOG_PROJECT_API_KEY=
 
-CLIENT_ID_GOOGLE=
-CLIENT_SECRET_GOOGLE=
+# SSO-specific variables
+CLIENT_ID_GOOGLE_LOGIN=
+CLIENT_SECRET_GOOGLE_LOGIN=
+
+CLIENT_ID_GITHUB_LOGIN=
+CLIENT_SECRET_GITHUB_LOGIN=
+
+CLIENT_ID_GITLAB_LOGIN=
+CLIENT_SECRET_GITLAB_LOGIN=

.github/values.yaml

@@ -39,12 +39,6 @@ ingress:
   #   kubernetes.io/ingress.class: "nginx"
   # cert-manager.io/issuer: letsencrypt-nginx
   hostName: gamma.infisical.com ## <- Replace with your own domain
-  frontend:
-    path: /
-    pathType: Prefix
-  backend:
-    path: /api
-    pathType: Prefix
   tls:
     []
     # - secretName: letsencrypt-nginx

.github/workflows/build-docker-image-to-prod.yml

@@ -39,7 +39,7 @@ jobs:
           token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
           load: true
           context: backend
-          tags: infisical/backend:test
+          tags: infisical/infisical:test
       - name: ⏻ Spawn backend container and dependencies
         run: |
           docker compose -f .github/resources/docker-compose.be-test.yml up --wait --quiet-pull

backend/src/config/index.ts

@@ -17,17 +17,13 @@ export const getRootEncryptionKey = async () => {
 }
 export const getInviteOnlySignup = async () => (await client.getSecret("INVITE_ONLY_SIGNUP")).secretValue === "true"
 export const getSaltRounds = async () => parseInt((await client.getSecret("SALT_ROUNDS")).secretValue) || 10;
+export const getAuthSecret = async () => (await client.getSecret("JWT_AUTH_SECRET")).secretValue ?? (await client.getSecret("AUTH_SECRET")).secretValue;
 export const getJwtAuthLifetime = async () => (await client.getSecret("JWT_AUTH_LIFETIME")).secretValue || "10d";
-export const getJwtAuthSecret = async () => (await client.getSecret("JWT_AUTH_SECRET")).secretValue;
 export const getJwtMfaLifetime = async () => (await client.getSecret("JWT_MFA_LIFETIME")).secretValue || "5m";
-export const getJwtMfaSecret = async () => (await client.getSecret("JWT_MFA_LIFETIME")).secretValue || "5m";
 export const getJwtRefreshLifetime = async () => (await client.getSecret("JWT_REFRESH_LIFETIME")).secretValue || "90d";
-export const getJwtRefreshSecret = async () => (await client.getSecret("JWT_REFRESH_SECRET")).secretValue;
-export const getJwtServiceSecret = async () => (await client.getSecret("JWT_SERVICE_SECRET")).secretValue;
+export const getJwtServiceSecret = async () => (await client.getSecret("JWT_SERVICE_SECRET")).secretValue; // TODO: deprecate (related to ST V1)
 export const getJwtSignupLifetime = async () => (await client.getSecret("JWT_SIGNUP_LIFETIME")).secretValue || "15m";
-export const getJwtProviderAuthSecret = async () => (await client.getSecret("JWT_PROVIDER_AUTH_SECRET")).secretValue;
 export const getJwtProviderAuthLifetime = async () => (await client.getSecret("JWT_PROVIDER_AUTH_LIFETIME")).secretValue || "15m";
-export const getJwtSignupSecret = async () => (await client.getSecret("JWT_SIGNUP_SECRET")).secretValue;
 export const getJwtServiceTokenSecret = async () => (await client.getSecret("JWT_SERVICE_TOKEN_SECRET")).secretValue;
 export const getMongoURL = async () => (await client.getSecret("MONGO_URL")).secretValue;
 export const getNodeEnv = async () => (await client.getSecret("NODE_ENV")).secretValue || "production";

backend/src/controllers/v1/authController.ts

@@ -6,15 +6,18 @@ const jsrp = require("jsrp");
 import { LoginSRPDetail, TokenVersion, User } from "../../models";
 import { clearTokens, createToken, issueAuthTokens } from "../../helpers/auth";
 import { checkUserDevice } from "../../helpers/user";
-import { ACTION_LOGIN, ACTION_LOGOUT } from "../../variables";
+import { 
+  ACTION_LOGIN,
+  ACTION_LOGOUT, 
+  AuthTokenType 
+} from "../../variables";
 import { BadRequestError, UnauthorizedRequestError } from "../../utils/errors";
 import { EELogService } from "../../ee/services";
 import { getUserAgentType } from "../../utils/posthog";
 import {
+  getAuthSecret,
   getHttpsEnabled,
-  getJwtAuthLifetime,
-  getJwtAuthSecret,
-  getJwtRefreshSecret
+  getJwtAuthLifetime
 } from "../../config";
 import { ActorType } from "../../ee/models";
 import { validateRequest } from "../../helpers/validation";
@@ -238,6 +241,7 @@ export const checkAuth = async (req: Request, res: Response) => {
  * @returns
  */
 export const getNewToken = async (req: Request, res: Response) => {
+
   const refreshToken = req.cookies.jid;
 
   if (!refreshToken)
@@ -245,7 +249,9 @@ export const getNewToken = async (req: Request, res: Response) => {
       message: "Failed to find refresh token in request cookies"
     });
 
-  const decodedToken = <jwt.UserIDJwtPayload>jwt.verify(refreshToken, await getJwtRefreshSecret());
+  const decodedToken = <jwt.UserIDJwtPayload>jwt.verify(refreshToken, await getAuthSecret());
+  
+  if (decodedToken.authTokenType !== AuthTokenType.REFRESH_TOKEN) throw UnauthorizedRequestError();
 
   const user = await User.findOne({
     _id: decodedToken.userId
@@ -268,12 +274,13 @@ export const getNewToken = async (req: Request, res: Response) => {
 
   const token = createToken({
     payload: {
+      authTokenType: AuthTokenType.ACCESS_TOKEN,
       userId: decodedToken.userId,
       tokenVersionId: tokenVersion._id.toString(),
       accessVersion: tokenVersion.refreshVersion
     },
     expiresIn: await getJwtAuthLifetime(),
-    secret: await getJwtAuthSecret()
+    secret: await getAuthSecret()
   });
 
   return res.status(200).send({

backend/src/controllers/v1/membershipOrgController.ts

@@ -8,11 +8,11 @@ import { updateSubscriptionOrgQuantity } from "../../helpers/organization";
 import { sendMail } from "../../helpers/nodemailer";
 import { TokenService } from "../../services";
 import { EELicenseService } from "../../ee/services";
-import { ACCEPTED, INVITED, MEMBER, TOKEN_EMAIL_ORG_INVITATION } from "../../variables";
+import { ACCEPTED, AuthTokenType, INVITED, MEMBER, TOKEN_EMAIL_ORG_INVITATION } from "../../variables";
 import * as reqValidator from "../../validation/membershipOrg";
 import {
+  getAuthSecret,
   getJwtSignupLifetime,
-  getJwtSignupSecret,
   getSiteURL,
   getSmtpConfigured
 } from "../../config";
@@ -272,10 +272,11 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => {
   // generate temporary signup token
   const token = createToken({
     payload: {
+      authTokenType: AuthTokenType.SIGNUP_TOKEN,
       userId: user._id.toString()
     },
     expiresIn: await getJwtSignupLifetime(),
-    secret: await getJwtSignupSecret()
+    secret: await getAuthSecret()
   });
 
   return res.status(200).send({

backend/src/controllers/v1/passwordController.ts

@@ -5,12 +5,12 @@ import * as bigintConversion from "bigint-conversion";
 import { BackupPrivateKey, LoginSRPDetail, User } from "../../models";
 import { clearTokens, createToken, sendMail } from "../../helpers";
 import { TokenService } from "../../services";
-import { TOKEN_EMAIL_PASSWORD_RESET } from "../../variables";
+import { AuthTokenType, TOKEN_EMAIL_PASSWORD_RESET } from "../../variables";
 import { BadRequestError } from "../../utils/errors";
 import {
+  getAuthSecret,
   getHttpsEnabled,
   getJwtSignupLifetime,
-  getJwtSignupSecret,
   getSiteURL
 } from "../../config";
 import { ActorType } from "../../ee/models";
@@ -88,10 +88,11 @@ export const emailPasswordResetVerify = async (req: Request, res: Response) => {
   // generate temporary password-reset token
   const token = createToken({
     payload: {
+      authTokenType: AuthTokenType.SIGNUP_TOKEN,
       userId: user._id.toString()
     },
     expiresIn: await getJwtSignupLifetime(),
-    secret: await getJwtSignupSecret()
+    secret: await getAuthSecret()
   });
 
   return res.status(200).send({

backend/src/controllers/v1/signupController.ts

@@ -4,14 +4,15 @@ import { checkEmailVerification, sendEmailVerification } from "../../helpers/sig
 import { createToken } from "../../helpers/auth";
 import { BadRequestError } from "../../utils/errors";
 import {
+  getAuthSecret,
   getInviteOnlySignup,
   getJwtSignupLifetime,
-  getJwtSignupSecret,
   getSmtpConfigured
 } from "../../config";
 import { validateUserEmail } from "../../validation";
 import { validateRequest } from "../../helpers/validation";
 import * as reqValidator from "../../validation/auth";
+import { AuthTokenType } from "../../variables";
 
 /**
  * Signup step 1: Initialize account for user under email [email] and send a verification code
@@ -95,10 +96,11 @@ export const verifyEmailSignup = async (req: Request, res: Response) => {
   // generate temporary signup token
   const token = createToken({
     payload: {
+      authTokenType: AuthTokenType.SIGNUP_TOKEN,
       userId: user._id.toString()
     },
     expiresIn: await getJwtSignupLifetime(),
-    secret: await getJwtSignupSecret()
+    secret: await getAuthSecret()
   });
 
   return res.status(200).send({

backend/src/controllers/v2/authController.ts

@@ -10,9 +10,9 @@ import { sendMail } from "../../helpers/nodemailer";
 import { TokenService } from "../../services";
 import { EELogService } from "../../ee/services";
 import { BadRequestError, InternalServerError } from "../../utils/errors";
-import { ACTION_LOGIN, TOKEN_EMAIL_MFA } from "../../variables";
+import { ACTION_LOGIN, AuthTokenType, TOKEN_EMAIL_MFA } from "../../variables";
 import { getUserAgentType } from "../../utils/posthog"; // TODO: move this
-import { getHttpsEnabled, getJwtMfaLifetime, getJwtMfaSecret } from "../../config";
+import { getAuthSecret, getHttpsEnabled, getJwtMfaLifetime } from "../../config";
 import { validateRequest } from "../../helpers/validation";
 import * as reqValidator from "../../validation/auth";
 
@@ -109,10 +109,11 @@ export const login2 = async (req: Request, res: Response) => {
           // generate temporary MFA token
           const token = createToken({
             payload: {
+              authTokenType: AuthTokenType.MFA_TOKEN,
               userId: user._id.toString()
             },
             expiresIn: await getJwtMfaLifetime(),
-            secret: await getJwtMfaSecret()
+            secret: await getAuthSecret()
           });
 
           const code = await TokenService.createToken({

backend/src/controllers/v3/authController.ts

@@ -10,9 +10,9 @@ import { sendMail } from "../../helpers/nodemailer";
 import { TokenService } from "../../services";
 import { EELogService } from "../../ee/services";
 import { BadRequestError, InternalServerError } from "../../utils/errors";
-import { ACTION_LOGIN, TOKEN_EMAIL_MFA } from "../../variables";
+import { ACTION_LOGIN, AuthTokenType, TOKEN_EMAIL_MFA } from "../../variables";
 import { getUserAgentType } from "../../utils/posthog"; // TODO: move this
-import { getHttpsEnabled, getJwtMfaLifetime, getJwtMfaSecret } from "../../config";
+import { getAuthSecret, getHttpsEnabled, getJwtMfaLifetime } from "../../config";
 import { AuthMethod } from "../../models/user";
 import { validateRequest } from "../../helpers/validation";
 import * as reqValidator from "../../validation/auth";
@@ -134,10 +134,11 @@ export const login2 = async (req: Request, res: Response) => {
           // generate temporary MFA token
           const token = createToken({
             payload: {
+              authTokenType: AuthTokenType.MFA_TOKEN,
               userId: user._id.toString()
             },
             expiresIn: await getJwtMfaLifetime(),
-            secret: await getJwtMfaSecret()
+            secret: await getAuthSecret()
           });
 
           const code = await TokenService.createToken({

backend/src/controllers/v3/signupController.ts

@@ -5,10 +5,10 @@ import { MembershipOrg, User } from "../../models";
 import { completeAccount } from "../../helpers/user";
 import { initializeDefaultOrg } from "../../helpers/signup";
 import { issueAuthTokens, validateProviderAuthToken } from "../../helpers/auth";
-import { ACCEPTED, INVITED } from "../../variables";
+import { ACCEPTED, AuthTokenType, INVITED } from "../../variables";
 import { standardRequest } from "../../config/request";
-import { getHttpsEnabled, getJwtSignupSecret, getLoopsApiKey } from "../../config";
-import { BadRequestError } from "../../utils/errors";
+import { getAuthSecret, getHttpsEnabled, getLoopsApiKey } from "../../config";
+import { BadRequestError, UnauthorizedRequestError } from "../../utils/errors";
 import { TelemetryService } from "../../services";
 import { AuthMethod } from "../../models";
 import { validateRequest } from "../../helpers/validation";
@@ -78,12 +78,11 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
       }
 
       const decodedToken = <jwt.UserIDJwtPayload>(
-        jwt.verify(AUTH_TOKEN_VALUE, await getJwtSignupSecret())
+        jwt.verify(AUTH_TOKEN_VALUE, await getAuthSecret())
       );
-
-      if (decodedToken.userId !== user.id) {
-        throw BadRequestError();
-      }
+      
+      if (decodedToken.authTokenType !== AuthTokenType.SIGNUP_TOKEN) throw UnauthorizedRequestError();
+      if (decodedToken.userId !== user.id) throw UnauthorizedRequestError();
     }
 
     // complete setting up user's account

backend/src/helpers/auth.ts

@@ -19,15 +19,14 @@ import {
 	UnauthorizedRequestError,
 } from "../utils/errors";
 import {
+	getAuthSecret,
 	getJwtAuthLifetime,
-	getJwtAuthSecret,
-	getJwtProviderAuthSecret,
 	getJwtRefreshLifetime,
-	getJwtRefreshSecret,
 	getJwtServiceTokenSecret
 } from "../config";
 import {
-	AuthMode
+	AuthMode,
+	AuthTokenType
 } from "../variables";
 import {
 	ServiceTokenAuthData,
@@ -51,8 +50,6 @@ export const validateAuthMode = ({
 	acceptedAuthModes: AuthMode[]
 }) => {
 	
-	// TODO: update this to accept service token v3
-	
 	const apiKey = headers["x-api-key"];
 	const authHeader = headers["authorization"];
 
@@ -120,9 +117,11 @@ export const getAuthUserPayload = async ({
 	authTokenValue: string;
 }): Promise<UserAuthData> => {
 	const decodedToken = <jwt.UserIDJwtPayload>(
-		jwt.verify(authTokenValue, await getJwtAuthSecret())
+		jwt.verify(authTokenValue, await getAuthSecret())
 	);
 
+	if (decodedToken.authTokenType !== AuthTokenType.ACCESS_TOKEN) throw UnauthorizedRequestError();
+
 	const user = await User.findOne({
 		_id: new Types.ObjectId(decodedToken.userId),
 	}).select("+publicKey +accessVersion");
@@ -159,11 +158,6 @@ export const getAuthUserPayload = async ({
 		userAgent: req.headers["user-agent"] ?? "",
 		userAgentType: getUserAgentType(req.headers["user-agent"])
 	}
-	
-	// return ({
-	// 	user,
-	// 	tokenVersionId: tokenVersion._id, // what to do with this? // move this out
-	// });
 }
 
 /**
@@ -404,22 +398,24 @@ export const issueAuthTokens = async ({
 	// issue tokens
 	const token = createToken({
 		payload: {
+			authTokenType: AuthTokenType.ACCESS_TOKEN,
 			userId,
 			tokenVersionId: tokenVersion._id.toString(),
 			accessVersion: tokenVersion.accessVersion,
 		},
 		expiresIn: await getJwtAuthLifetime(),
-		secret: await getJwtAuthSecret(),
+		secret: await getAuthSecret(),
 	});
 
 	const refreshToken = createToken({
 		payload: {
+			authTokenType: AuthTokenType.REFRESH_TOKEN,
 			userId,
 			tokenVersionId: tokenVersion._id.toString(),
 			refreshVersion: tokenVersion.refreshVersion,
 		},
 		expiresIn: await getJwtRefreshLifetime(),
-		secret: await getJwtRefreshSecret(),
+		secret: await getAuthSecret(),
 	});
 
 	return {
@@ -451,7 +447,7 @@ export const clearTokens = async (tokenVersionId: Types.ObjectId): Promise<void>
  * bearer/auth, refresh, and temporary signup tokens
  * @param {Object} obj
  * @param {Object} obj.payload - payload of (JWT) token
- * @param {String} obj.secret - (JWT) secret such as [JWT_AUTH_SECRET]
+ * @param {String} obj.secret - (JWT) secret such as [AUTH_SECRET]
  * @param {String} obj.expiresIn - string describing time span such as '10h' or '7d'
  */
 export const createToken = ({
@@ -479,13 +475,16 @@ export const validateProviderAuthToken = async ({
 	email: string;
 	providerAuthToken?: string;
 }) => {
+
 	if (!providerAuthToken) {
 		throw new Error("Invalid authentication request.");
 	}
 
 	const decodedToken = <jwt.ProviderAuthJwtPayload>(
-		jwt.verify(providerAuthToken, await getJwtProviderAuthSecret())
+		jwt.verify(providerAuthToken, await getAuthSecret())
 	);
+	
+	if (decodedToken.authTokenType !== AuthTokenType.PROVIDER_TOKEN) throw UnauthorizedRequestError();
 
 	if (decodedToken.email !== email) {
 		throw new Error("Invalid authentication credentials.")

backend/src/index.ts

@@ -81,7 +81,7 @@ import {
   getSecretScanningPrivateKey,
   getSecretScanningWebhookProxy,
   getSecretScanningWebhookSecret,
-  getSiteURL
+  getSiteURL,
 } from "./config";
 import { setup } from "./utils/setup";
 import { syncSecretsToThirdPartyServices } from "./queues/integrations/syncSecretsToThirdPartyServices";

backend/src/middleware/requireMfaAuth.ts

@@ -2,7 +2,8 @@ import jwt from "jsonwebtoken";
 import { NextFunction, Request, Response } from "express";
 import { User } from "../models";
 import { BadRequestError, UnauthorizedRequestError } from "../utils/errors";
-import { getJwtMfaSecret } from "../config";
+import { getAuthSecret } from "../config";
+import { AuthTokenType } from "../variables";
 
 declare module "jsonwebtoken" {
 	export interface UserIDJwtPayload extends jwt.JwtPayload {
@@ -26,8 +27,10 @@ const requireMfaAuth = async (
 	if(AUTH_TOKEN_VALUE === null) return next(BadRequestError({message: "Missing Authorization Body in the request header"}))
 	
 	const decodedToken = <jwt.UserIDJwtPayload>(
-		jwt.verify(AUTH_TOKEN_VALUE, await getJwtMfaSecret())
+		jwt.verify(AUTH_TOKEN_VALUE, await getAuthSecret())
 	);
+	
+	if (decodedToken.authTokenType !== AuthTokenType.MFA_TOKEN) throw UnauthorizedRequestError();
 
 	const user = await User.findOne({
 		_id: decodedToken.userId,

backend/src/middleware/requireSignupAuth.ts

@@ -2,7 +2,8 @@ import jwt from "jsonwebtoken";
 import { NextFunction, Request, Response } from "express";
 import { User } from "../models";
 import { BadRequestError, UnauthorizedRequestError } from "../utils/errors";
-import { getJwtSignupSecret } from "../config";
+import { getAuthSecret } from "../config";
+import { AuthTokenType } from "../variables";
 
 declare module "jsonwebtoken" {
 	export interface UserIDJwtPayload extends jwt.JwtPayload {
@@ -27,8 +28,10 @@ const requireSignupAuth = async (
 	if(AUTH_TOKEN_VALUE === null) return next(BadRequestError({message: "Missing Authorization Body in the request header"}))
 	
 	const decodedToken = <jwt.UserIDJwtPayload>(
-		jwt.verify(AUTH_TOKEN_VALUE, await getJwtSignupSecret())
+		jwt.verify(AUTH_TOKEN_VALUE, await getAuthSecret())
 	);
+	
+	if (decodedToken.authTokenType !== AuthTokenType.SIGNUP_TOKEN) throw UnauthorizedRequestError();
 
 	const user = await User.findOne({
 		_id: decodedToken.userId,

backend/src/utils/auth.ts

@@ -13,6 +13,7 @@ import {
 } from "../models";
 import { createToken } from "../helpers/auth";
 import {
+  getAuthSecret,
   getClientIdGitHubLogin,
   getClientIdGitLabLogin,
   getClientIdGoogleLogin,
@@ -20,13 +21,12 @@ import {
   getClientSecretGitLabLogin,
   getClientSecretGoogleLogin,
   getJwtProviderAuthLifetime,
-  getJwtProviderAuthSecret,
   getSiteURL,
   getUrlGitLabLogin
 } from "../config";
 import { getSSOConfigHelper } from "../ee/helpers/organizations";
 import { InternalServerError, OrganizationNotFoundError } from "./errors";
-import { ACCEPTED, INTEGRATION_GITHUB_API_URL, INVITED, MEMBER } from "../variables";
+import { ACCEPTED, AuthTokenType, INTEGRATION_GITHUB_API_URL, INVITED, MEMBER } from "../variables";
 import { standardRequest } from "../config/request";
 
 // eslint-disable-next-line @typescript-eslint/no-var-requires
@@ -131,6 +131,7 @@ const initializePassport = async () => {
         const isUserCompleted = !!user.publicKey;
         const providerAuthToken = createToken({
           payload: {
+            authTokenType: AuthTokenType.PROVIDER_TOKEN,
             userId: user._id.toString(),
             email: user.email,
             firstName: user.firstName,
@@ -143,7 +144,7 @@ const initializePassport = async () => {
             } : {})
           },
           expiresIn: await getJwtProviderAuthLifetime(),
-          secret: await getJwtProviderAuthSecret(),
+          secret: await getAuthSecret(),
         });
 
         req.isUserCompleted = isUserCompleted;
@@ -204,6 +205,7 @@ const initializePassport = async () => {
       const isUserCompleted = !!user.publicKey;
       const providerAuthToken = createToken({
         payload: {
+          authTokenType: AuthTokenType.PROVIDER_TOKEN,
           userId: user._id.toString(),
           email: user.email,
           firstName: user.firstName,
@@ -216,7 +218,7 @@ const initializePassport = async () => {
           } : {})
         },
         expiresIn: await getJwtProviderAuthLifetime(),
-        secret: await getJwtProviderAuthSecret(),
+        secret: await getAuthSecret(),
       });
 
       req.isUserCompleted = isUserCompleted;
@@ -258,6 +260,7 @@ const initializePassport = async () => {
       const isUserCompleted = !!user.publicKey;
       const providerAuthToken = createToken({
         payload: {
+          authTokenType: AuthTokenType.PROVIDER_TOKEN,
           userId: user._id.toString(),
           email: user.email,
           firstName: user.firstName,
@@ -270,7 +273,7 @@ const initializePassport = async () => {
           } : {})
         },
         expiresIn: await getJwtProviderAuthLifetime(),
-        secret: await getJwtProviderAuthSecret(),
+        secret: await getAuthSecret(),
       });
 
       req.isUserCompleted = isUserCompleted;
@@ -401,6 +404,7 @@ const initializePassport = async () => {
       const isUserCompleted = !!user.publicKey;
       const providerAuthToken = createToken({
         payload: {
+          authTokenType: AuthTokenType.PROVIDER_TOKEN,
           userId: user._id.toString(),
           email: user.email,
           firstName,
@@ -413,7 +417,7 @@ const initializePassport = async () => {
           } : {})
         },
         expiresIn: await getJwtProviderAuthLifetime(),
-        secret: await getJwtProviderAuthSecret(),
+        secret: await getAuthSecret(),
       });
       
       req.isUserCompleted = isUserCompleted;

backend/src/variables/authentication.ts

@@ -1,3 +1,11 @@
+export enum AuthTokenType {
+    ACCESS_TOKEN = "accessToken",
+    REFRESH_TOKEN = "refreshToken",
+    SIGNUP_TOKEN = "signupToken",
+    MFA_TOKEN = "mfaToken",
+    PROVIDER_TOKEN = "providerToken"
+}
+
 export enum AuthMode {
     JWT = "jwt",
     SERVICE_TOKEN = "serviceToken",

cli/packages/cmd/secrets.go

@@ -4,6 +4,7 @@ Copyright (c) 2023 Infisical Inc.
 package cmd
 
 import (
+	"crypto/sha256"
 	"encoding/base64"
 	"fmt"
 	"regexp"
@@ -11,8 +12,6 @@ import (
 	"strings"
 	"unicode"
 
-	"crypto/sha256"
-
 	"github.com/Infisical/infisical-merge/packages/api"
 	"github.com/Infisical/infisical-merge/packages/crypto"
 	"github.com/Infisical/infisical-merge/packages/models"
@@ -441,6 +440,11 @@ func generateExampleEnv(cmd *cobra.Command, args []string) {
 		}
 	}
 
+	secretsPath, err := cmd.Flags().GetString("path")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
 	infisicalToken, err := cmd.Flags().GetString("token")
 	if err != nil {
 		util.HandleError(err, "Unable to parse flag")
@@ -451,7 +455,7 @@ func generateExampleEnv(cmd *cobra.Command, args []string) {
 		util.HandleError(err, "Unable to parse flag")
 	}
 
-	secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, InfisicalToken: infisicalToken, TagSlugs: tagSlugs})
+	secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, InfisicalToken: infisicalToken, TagSlugs: tagSlugs, SecretsPath: secretsPath})
 	if err != nil {
 		util.HandleError(err, "To fetch all secrets")
 	}
@@ -650,8 +654,8 @@ func getSecretsByKeys(secrets []models.SingleEnvironmentVariable) map[string]mod
 }
 
 func init() {
-
 	secretsGenerateExampleEnvCmd.Flags().String("token", "", "Fetch secrets using the Infisical Token")
+	secretsGenerateExampleEnvCmd.Flags().String("path", "/", "Fetch secrets from within a folder path")
 	secretsCmd.AddCommand(secretsGenerateExampleEnvCmd)
 
 	secretsGetCmd.Flags().String("token", "", "Fetch secrets using the Infisical Token")

docs/self-hosting/configuration/envars.mdx

@@ -11,43 +11,12 @@ Other environment variables are listed below to increase the functionality of yo
 <Tabs>
   <Tab title="Required">
     <ParamField query="ENCRYPTION_KEY" type="string" default="none" required>
-    Must be a random 16 byte hex string. Can be generated with `openssl rand -hex 16`
-  </ParamField>
+      Must be a random 16 byte hex string. Can be generated with `openssl rand -hex 16`
+    </ParamField>
 
-{" "}
-
-<ParamField query="JWT_SIGNUP_SECRET" type="string" default="none" required>
-  Must be a random 16 byte hex string. Can be generated with `openssl rand -hex
-  16`
-</ParamField>
-
-{" "}
-
-<ParamField query="JWT_REFRESH_SECRET" type="string" default="none" required>
-  Must be a random 16 byte hex string. Can be generated with `openssl rand -hex
-  16`
-</ParamField>
-
-{" "}
-
-<ParamField query="JWT_AUTH_SECRET" type="string" default="none" required>
-  Must be a random 16 byte hex string. Can be generated with `openssl rand -hex
-  16`
-</ParamField>
-
-{" "}
-
-<ParamField query="JWT_MFA_SECRET" type="string" default="none" required>
-  Must be a random 16 byte hex string. Can be generated with `openssl rand -hex
-  16`
-</ParamField>
-
-{" "}
-
-<ParamField query="JWT_SERVICE_SECRET" type="string" default="none" required>
-  Must be a random 16 byte hex string. Can be generated with `openssl rand -hex
-  16`
-</ParamField>
+    <ParamField query="AUTH_SECRET" type="string" default="none" required>
+      Must be a random 32 byte base64 string. Can be generated with `openssl rand -base64 32`
+    </ParamField>
 
 <ParamField query="MONGO_URL" type="string" default="none" required>
   *TLS based connection string is not yet supported
@@ -140,9 +109,6 @@ Other environment variables are listed below to increase the functionality of yo
   </Tab>
   <Tab title="Auth Integrations">
     To integrate with external auth providers, provide value for the related keys
-    <ParamField query="JWT_PROVIDER_AUTH_SECRET" type="string" required>
-      Must be a random 16 byte hex string. Can be generated with `openssl rand -hex 16`
-    </ParamField>
     <ParamField query="CLIENT_ID_GOOGLE_LOGIN" type="string" default="none" optional>
       OAuth2 client ID for Google login
     </ParamField>

helm-charts/infisical/Chart.yaml

@@ -7,7 +7,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.0
+version: 0.4.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

helm-charts/infisical/templates/backend-deployment.yaml

@@ -37,8 +37,8 @@ spec:
           httpGet:
             path: /api/status
             port: 8080
-          initialDelaySeconds: 50
-          periodSeconds: 30
+          initialDelaySeconds: 10
+          periodSeconds: 10
         ports: 
         - containerPort: 8080
         envFrom: