add helm with postgres + docs

[Snyk] Upgrade aws-sdk from 2.1545.0 to 2.1549.0

.github/workflows/check-api-for-breaking-changes.yml

@@ -72,4 +72,4 @@ jobs:
         run: |
           docker-compose -f "docker-compose.dev.yml" down
           docker stop infisical-api
-          docker remove infisical-api
+          docker remove infisical-api

.github/workflows/check-fe-ts-and-lint.yml

@@ -1,4 +1,4 @@
-name: Check Frontend Pull Request
+name: Check Frontend Type and Lint check
 
 on:
   pull_request:
@@ -10,8 +10,8 @@ on:
       - "frontend/.eslintrc.js"
 
 jobs:
-  check-fe-pr:
-    name: Check
+  check-fe-ts-lint:
+    name: Check Frontend Type and Lint check
     runs-on: ubuntu-latest
     timeout-minutes: 15
 
@@ -25,12 +25,11 @@ jobs:
           cache: "npm"
           cache-dependency-path: frontend/package-lock.json
       - name: 📦 Install dependencies
-        run: npm ci --only-production --ignore-scripts
+        run: npm install
         working-directory: frontend
-      # -
-      #   name: 🧪 Run tests
-      #   run: npm run test:ci
-      #   working-directory: frontend
-      - name: 🏗️ Run build
-        run: npm run build
+      - name: 🏗️ Run Type check
+        run: npm run type:check 
+        working-directory: frontend
+      - name: 🏗️ Run Link check
+        run: npm run lint:fix 
         working-directory: frontend

.github/workflows/run-backend-tests.yml

@@ -44,4 +44,4 @@ jobs:
           ENCRYPTION_KEY: 4bnfe4e407b8921c104518903515b218
       - name: cleanup
         run: |
-          docker-compose -f "docker-compose.dev.yml" down
+          docker-compose -f "docker-compose.dev.yml" down

.gitignore

@@ -63,3 +63,5 @@ yarn-error.log*
 .vscode/*
 
 frontend-build
+
+*.tgz

backend/e2e-test/vitest-environment-knex.ts

@@ -56,6 +56,7 @@ export default {
         { expiresIn: cfg.JWT_AUTH_LIFETIME }
       );
     } catch (error) {
+      console.log("[TEST] Error setting up environment", error);
       await db.destroy();
       throw error;
     }

backend/package-lock.json

@@ -9,17 +9,17 @@
       "version": "1.0.0",
       "license": "ISC",
       "dependencies": {
-        "@aws-sdk/client-secrets-manager": "^3.502.0",
+        "@aws-sdk/client-secrets-manager": "^3.504.0",
         "@casl/ability": "^6.5.0",
         "@fastify/cookie": "^9.2.0",
-        "@fastify/cors": "^8.4.1",
+        "@fastify/cors": "^8.5.0",
         "@fastify/etag": "^5.1.0",
         "@fastify/formbody": "^7.4.0",
         "@fastify/helmet": "^11.1.1",
         "@fastify/passport": "^2.4.0",
         "@fastify/rate-limit": "^9.0.0",
         "@fastify/session": "^10.7.0",
-        "@fastify/swagger": "^8.12.0",
+        "@fastify/swagger": "^8.14.0",
         "@fastify/swagger-ui": "^2.1.0",
         "@node-saml/passport-saml": "^4.0.4",
         "@octokit/rest": "^20.0.2",
@@ -29,13 +29,13 @@
         "@ucast/mongo2js": "^1.3.4",
         "ajv": "^8.12.0",
         "argon2": "^0.31.2",
-        "aws-sdk": "^2.1545.0",
-        "axios": "^1.6.4",
+        "aws-sdk": "^2.1549.0",
+        "axios": "^1.6.7",
         "axios-retry": "^4.0.0",
         "bcrypt": "^5.1.1",
-        "bullmq": "^5.1.1",
-        "dotenv": "^16.3.1",
-        "fastify": "^4.24.3",
+        "bullmq": "^5.1.6",
+        "dotenv": "^16.4.1",
+        "fastify": "^4.26.0",
         "fastify-plugin": "^4.5.1",
         "handlebars": "^4.7.8",
         "ioredis": "^5.3.2",
@@ -45,7 +45,7 @@
         "knex": "^3.0.1",
         "libsodium-wrappers": "^0.7.13",
         "lodash.isequal": "^4.5.0",
-        "mysql2": "^3.6.5",
+        "mysql2": "^3.9.1",
         "nanoid": "^5.0.4",
         "node-cache": "^5.1.2",
         "nodemailer": "^6.9.9",
@@ -63,7 +63,7 @@
         "tweetnacl-util": "^0.15.1",
         "uuid": "^9.0.1",
         "zod": "^3.22.4",
-        "zod-to-json-schema": "^3.22.0"
+        "zod-to-json-schema": "^3.22.4"
       },
       "devDependencies": {
         "@types/bcrypt": "^5.0.2",
@@ -661,15 +661,15 @@
       }
     },
     "node_modules/@aws-sdk/client-secrets-manager": {
-      "version": "3.502.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/client-secrets-manager/-/client-secrets-manager-3.502.0.tgz",
-      "integrity": "sha512-ICU084A/EbYMqca6NVFqeMtHh+KCdn0H7UjARUy5ur1yOlXXvxqAJGtKZDYFjuEO08F30zbv7+4HCOy6yjOJ0Q==",
+      "version": "3.504.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/client-secrets-manager/-/client-secrets-manager-3.504.0.tgz",
+      "integrity": "sha512-JPwsYfQMjs5t74JmA4r1AjpiOG/LEw74d4a8vEdSy3pe2lhl/sSsxSdQtbI30wlJJramngtLNZjxn2+BGDphbg==",
       "dependencies": {
         "@aws-crypto/sha256-browser": "3.0.0",
         "@aws-crypto/sha256-js": "3.0.0",
-        "@aws-sdk/client-sts": "3.502.0",
+        "@aws-sdk/client-sts": "3.504.0",
         "@aws-sdk/core": "3.496.0",
-        "@aws-sdk/credential-provider-node": "3.502.0",
+        "@aws-sdk/credential-provider-node": "3.504.0",
         "@aws-sdk/middleware-host-header": "3.502.0",
         "@aws-sdk/middleware-logger": "3.502.0",
         "@aws-sdk/middleware-recursion-detection": "3.502.0",
@@ -767,13 +767,13 @@
       }
     },
     "node_modules/@aws-sdk/client-sso-oidc": {
-      "version": "3.502.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/client-sso-oidc/-/client-sso-oidc-3.502.0.tgz",
-      "integrity": "sha512-Yc9tZqTOMWtdgpkrdjKShgWb9oKNsFQrItfoiN1xWDllaFFRPi2KTiZiR0AbSTrNasJy13d210DOxrIdte+kWQ==",
+      "version": "3.504.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/client-sso-oidc/-/client-sso-oidc-3.504.0.tgz",
+      "integrity": "sha512-ODA33/nm2srhV08EW0KZAP577UgV0qjyr7Xp2yEo8MXWL4ZqQZprk1c+QKBhjr4Djesrm0VPmSD/np0mtYP68A==",
       "dependencies": {
         "@aws-crypto/sha256-browser": "3.0.0",
         "@aws-crypto/sha256-js": "3.0.0",
-        "@aws-sdk/client-sts": "3.502.0",
+        "@aws-sdk/client-sts": "3.504.0",
         "@aws-sdk/core": "3.496.0",
         "@aws-sdk/middleware-host-header": "3.502.0",
         "@aws-sdk/middleware-logger": "3.502.0",
@@ -815,13 +815,13 @@
         "node": ">=14.0.0"
       },
       "peerDependencies": {
-        "@aws-sdk/credential-provider-node": "*"
+        "@aws-sdk/credential-provider-node": "^3.504.0"
       }
     },
     "node_modules/@aws-sdk/client-sts": {
-      "version": "3.502.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/client-sts/-/client-sts-3.502.0.tgz",
-      "integrity": "sha512-0q08gsvn6nuRqjK+i/e30PT/t7vvYwmGJS0PhJikZWv5yRDNSUxSYG0uDwKSbLDzmc2UX5+mLeyjPHlL4hbGlA==",
+      "version": "3.504.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/client-sts/-/client-sts-3.504.0.tgz",
+      "integrity": "sha512-IESs8FkL7B/uY+ml4wgoRkrr6xYo4PizcNw6JX17eveq1gRBCPKeGMjE6HTDOcIYZZ8rqz/UeuH3JD4UhrMOnA==",
       "dependencies": {
         "@aws-crypto/sha256-browser": "3.0.0",
         "@aws-crypto/sha256-js": "3.0.0",
@@ -867,7 +867,7 @@
         "node": ">=14.0.0"
       },
       "peerDependencies": {
-        "@aws-sdk/credential-provider-node": "*"
+        "@aws-sdk/credential-provider-node": "^3.504.0"
       }
     },
     "node_modules/@aws-sdk/core": {
@@ -900,16 +900,35 @@
         "node": ">=14.0.0"
       }
     },
-    "node_modules/@aws-sdk/credential-provider-ini": {
-      "version": "3.502.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-ini/-/credential-provider-ini-3.502.0.tgz",
-      "integrity": "sha512-1wB/escbspUY6uRDEMp9AMMyypUSyuQ0AMO1yQNtXviV8cPf+CuRbqP/UVnimHO1RuX0n5BmjDVVjUIEU6kuGA==",
+    "node_modules/@aws-sdk/credential-provider-http": {
+      "version": "3.503.1",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-http/-/credential-provider-http-3.503.1.tgz",
+      "integrity": "sha512-rTdlFFGoPPFMF2YjtlfRuSgKI+XsF49u7d98255hySwhsbwd3Xp+utTTPquxP+CwDxMHbDlI7NxDzFiFdsoZug==",
       "dependencies": {
-        "@aws-sdk/client-sts": "3.502.0",
+        "@aws-sdk/types": "3.502.0",
+        "@smithy/fetch-http-handler": "^2.4.1",
+        "@smithy/node-http-handler": "^2.3.1",
+        "@smithy/property-provider": "^2.1.1",
+        "@smithy/protocol-http": "^3.1.1",
+        "@smithy/smithy-client": "^2.3.1",
+        "@smithy/types": "^2.9.1",
+        "@smithy/util-stream": "^2.1.1",
+        "tslib": "^2.5.0"
+      },
+      "engines": {
+        "node": ">=14.0.0"
+      }
+    },
+    "node_modules/@aws-sdk/credential-provider-ini": {
+      "version": "3.504.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-ini/-/credential-provider-ini-3.504.0.tgz",
+      "integrity": "sha512-ODICLXfr8xTUd3wweprH32Ge41yuBa+u3j0JUcLdTUO1N9ldczSMdo8zOPlP0z4doqD3xbnqMkjNQWgN/Q+5oQ==",
+      "dependencies": {
+        "@aws-sdk/client-sts": "3.504.0",
         "@aws-sdk/credential-provider-env": "3.502.0",
         "@aws-sdk/credential-provider-process": "3.502.0",
-        "@aws-sdk/credential-provider-sso": "3.502.0",
-        "@aws-sdk/credential-provider-web-identity": "3.502.0",
+        "@aws-sdk/credential-provider-sso": "3.504.0",
+        "@aws-sdk/credential-provider-web-identity": "3.504.0",
         "@aws-sdk/types": "3.502.0",
         "@smithy/credential-provider-imds": "^2.2.1",
         "@smithy/property-provider": "^2.1.1",
@@ -922,15 +941,16 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-node": {
-      "version": "3.502.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-node/-/credential-provider-node-3.502.0.tgz",
-      "integrity": "sha512-qg71UpYeFrjhu5hD+vdRqZ+EYFB11BeszsbfEJGaHhOMHmmTHNBaDAexW+bUnJSXcJL0a8vniCvca+rElbcAHQ==",
+      "version": "3.504.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-node/-/credential-provider-node-3.504.0.tgz",
+      "integrity": "sha512-6+V5hIh+tILmUjf2ZQWQINR3atxQVgH/bFrGdSR/sHSp/tEgw3m0xWL3IRslWU1e4/GtXrfg1iYnMknXy68Ikw==",
       "dependencies": {
         "@aws-sdk/credential-provider-env": "3.502.0",
-        "@aws-sdk/credential-provider-ini": "3.502.0",
+        "@aws-sdk/credential-provider-http": "3.503.1",
+        "@aws-sdk/credential-provider-ini": "3.504.0",
         "@aws-sdk/credential-provider-process": "3.502.0",
-        "@aws-sdk/credential-provider-sso": "3.502.0",
-        "@aws-sdk/credential-provider-web-identity": "3.502.0",
+        "@aws-sdk/credential-provider-sso": "3.504.0",
+        "@aws-sdk/credential-provider-web-identity": "3.504.0",
         "@aws-sdk/types": "3.502.0",
         "@smithy/credential-provider-imds": "^2.2.1",
         "@smithy/property-provider": "^2.1.1",
@@ -958,12 +978,12 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-sso": {
-      "version": "3.502.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-sso/-/credential-provider-sso-3.502.0.tgz",
-      "integrity": "sha512-/2Nyvo+cWQpH283lmZBimTJ9JDhES9FzQUkhUXZgxQo3Ez4sguLVi2V9xoFFyG0cMff5fuNivdKHfj4FeMGjZw==",
+      "version": "3.504.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-sso/-/credential-provider-sso-3.504.0.tgz",
+      "integrity": "sha512-4MgH2or2SjPzaxM08DCW+BjaX4DSsEGJlicHKmz6fh+w9JmLh750oXcTnbvgUeVz075jcs6qTKjvUcsdGM/t8Q==",
       "dependencies": {
         "@aws-sdk/client-sso": "3.502.0",
-        "@aws-sdk/token-providers": "3.502.0",
+        "@aws-sdk/token-providers": "3.504.0",
         "@aws-sdk/types": "3.502.0",
         "@smithy/property-provider": "^2.1.1",
         "@smithy/shared-ini-file-loader": "^2.3.1",
@@ -975,11 +995,11 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-web-identity": {
-      "version": "3.502.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-web-identity/-/credential-provider-web-identity-3.502.0.tgz",
-      "integrity": "sha512-veBAjDqjMMgA2Qxxf9ywDfHYLeJpaeHWLWCQ9XCHwJJ6ZIGWmAZPTq3he/UMr5JIQXooIccqqyqXMDIXPenXpA==",
+      "version": "3.504.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-web-identity/-/credential-provider-web-identity-3.504.0.tgz",
+      "integrity": "sha512-L1ljCvGpIEFdJk087ijf2ohg7HBclOeB1UgBxUBBzf4iPRZTQzd2chGaKj0hm2VVaXz7nglswJeURH5PFcS5oA==",
       "dependencies": {
-        "@aws-sdk/client-sts": "3.502.0",
+        "@aws-sdk/client-sts": "3.504.0",
         "@aws-sdk/types": "3.502.0",
         "@smithy/property-provider": "^2.1.1",
         "@smithy/types": "^2.9.1",
@@ -1079,11 +1099,11 @@
       }
     },
     "node_modules/@aws-sdk/token-providers": {
-      "version": "3.502.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/token-providers/-/token-providers-3.502.0.tgz",
-      "integrity": "sha512-RQgMgIXYlSf0xGl6EUeD+pqIPBlb7e29dbqHOBFc66hJVYUC2ULZX7Y+jLvcGIEaMiIaTPyvntZRFip+U+9hag==",
+      "version": "3.504.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/token-providers/-/token-providers-3.504.0.tgz",
+      "integrity": "sha512-YIJWWsZi2ClUiILS1uh5L6VjmCUSTI6KKMuL9DkGjYqJ0aI6M8bd8fT9Wm7QmXCyjcArTgr/Atkhia4T7oKvzQ==",
       "dependencies": {
-        "@aws-sdk/client-sso-oidc": "3.502.0",
+        "@aws-sdk/client-sso-oidc": "3.504.0",
         "@aws-sdk/types": "3.502.0",
         "@smithy/property-provider": "^2.1.1",
         "@smithy/shared-ini-file-loader": "^2.3.1",
@@ -1676,12 +1696,12 @@
       }
     },
     "node_modules/@fastify/cors": {
-      "version": "8.4.1",
-      "resolved": "https://registry.npmjs.org/@fastify/cors/-/cors-8.4.1.tgz",
-      "integrity": "sha512-iYQJtrY3pFiDS5mo5zRaudzg2OcUdJ96PD6xfkKOOEilly5nnrFZx/W6Sce2T79xxlEn2qpU3t5+qS2phS369w==",
+      "version": "8.5.0",
+      "resolved": "https://registry.npmjs.org/@fastify/cors/-/cors-8.5.0.tgz",
+      "integrity": "sha512-/oZ1QSb02XjP0IK1U0IXktEsw/dUBTxJOW7IpIeO8c/tNalw/KjoNSJv1Sf6eqoBPO+TDGkifq6ynFK3v68HFQ==",
       "dependencies": {
         "fastify-plugin": "^4.0.0",
-        "mnemonist": "0.39.5"
+        "mnemonist": "0.39.6"
       }
     },
     "node_modules/@fastify/deepmerge": {
@@ -1790,9 +1810,9 @@
       }
     },
     "node_modules/@fastify/swagger": {
-      "version": "8.12.0",
-      "resolved": "https://registry.npmjs.org/@fastify/swagger/-/swagger-8.12.0.tgz",
-      "integrity": "sha512-IMRc0xYuzRvtFDMuaWHyVbvM7CuAi0g3o2jaVgLDvETXPrXWAMWsHYR5niIdWBDPgGUq+soHkag1DKXyhPDB0w==",
+      "version": "8.14.0",
+      "resolved": "https://registry.npmjs.org/@fastify/swagger/-/swagger-8.14.0.tgz",
+      "integrity": "sha512-sGiznEb3rl6pKGGUZ+JmfI7ct5cwbTQGo+IjewaTvtzfrshnryu4dZwEsjw0YHABpBA+kCz3kpRaHB7qpa67jg==",
       "dependencies": {
         "fastify-plugin": "^4.0.0",
         "json-schema-resolver": "^2.0.0",
@@ -5169,9 +5189,9 @@
       "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
     },
     "node_modules/aws-sdk": {
-      "version": "2.1545.0",
-      "resolved": "https://registry.npmjs.org/aws-sdk/-/aws-sdk-2.1545.0.tgz",
-      "integrity": "sha512-iDUv6ksG7lTA0l/HlOgYdO6vfYFA1D2/JzAEXSdgKY0C901WgJqBtfs2CncOkCgDe2CjmlMuqciBzAfxCIiKFA==",
+      "version": "2.1549.0",
+      "resolved": "https://registry.npmjs.org/aws-sdk/-/aws-sdk-2.1549.0.tgz",
+      "integrity": "sha512-SoVfrrV3A2mxH+NV2tA0eMtG301glhewvhL3Ob4107qLWjvwjy/CoWLclMLmfXniTGxbI8tsgN0r5mLZUKey3Q==",
       "dependencies": {
         "buffer": "4.9.2",
         "events": "1.1.1",
@@ -5250,9 +5270,9 @@
       }
     },
     "node_modules/axios": {
-      "version": "1.6.4",
-      "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.4.tgz",
-      "integrity": "sha512-heJnIs6N4aa1eSthhN9M5ioILu8Wi8vmQW9iHQ9NUvfkJb0lEEDUiIdQNAuBtfUt3FxReaKdpQA5DbmMOqzF/A==",
+      "version": "1.6.7",
+      "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.7.tgz",
+      "integrity": "sha512-/hDJGff6/c7u0hDkvkGxR/oy6CbCs8ziCsC7SqmhjfozqiJGc8Z11wrv9z9lYfY4K8l+H9TpjcMDX0xOZmx+RA==",
       "dependencies": {
         "follow-redirects": "^1.15.4",
         "form-data": "^4.0.0",
@@ -5472,15 +5492,15 @@
       }
     },
     "node_modules/bullmq": {
-      "version": "5.1.1",
-      "resolved": "https://registry.npmjs.org/bullmq/-/bullmq-5.1.1.tgz",
-      "integrity": "sha512-j3zbNEQWsyHjpqGWiem2XBfmxAjYcArbwsmGlkM1E9MAVcrqB5hQUsXmyy9gEBAdL+PVotMICr7xTquR4Y2sKQ==",
+      "version": "5.1.6",
+      "resolved": "https://registry.npmjs.org/bullmq/-/bullmq-5.1.6.tgz",
+      "integrity": "sha512-VkLfig+xm4U3hc4QChzuuAy0NGQ9dfPB8o54hmcZHCX9ofp0Zn6bEY+W3Ytkk76eYwPAgXfywDBlAb2Unjl1Rg==",
       "dependencies": {
         "cron-parser": "^4.6.0",
         "glob": "^8.0.3",
         "ioredis": "^5.3.2",
         "lodash": "^4.17.21",
-        "msgpackr": "^1.6.2",
+        "msgpackr": "^1.10.1",
         "node-abort-controller": "^3.1.1",
         "semver": "^7.5.4",
         "tslib": "^2.0.0",
@@ -5995,9 +6015,9 @@
       }
     },
     "node_modules/dotenv": {
-      "version": "16.3.1",
-      "resolved": "https://registry.npmjs.org/dotenv/-/dotenv-16.3.1.tgz",
-      "integrity": "sha512-IPzF4w4/Rd94bA9imS68tZBaYyBWSCE47V1RGuMrB94iyTOIEwRmVL2x/4An+6mETpLrKJ5hQkB8W4kFAadeIQ==",
+      "version": "16.4.1",
+      "resolved": "https://registry.npmjs.org/dotenv/-/dotenv-16.4.1.tgz",
+      "integrity": "sha512-CjA3y+Dr3FyFDOAMnxZEGtnW9KBR2M0JvvUtXNW+dYJL5ROWxP9DUHCwgFqpMk0OXCc0ljhaNTr2w/kutYIcHQ==",
       "engines": {
         "node": ">=12"
       },
@@ -6972,9 +6992,19 @@
       }
     },
     "node_modules/fastify": {
-      "version": "4.24.3",
-      "resolved": "https://registry.npmjs.org/fastify/-/fastify-4.24.3.tgz",
-      "integrity": "sha512-6HHJ+R2x2LS3y1PqxnwEIjOTZxFl+8h4kSC/TuDPXtA+v2JnV9yEtOsNSKK1RMD7sIR2y1ZsA4BEFaid/cK5pg==",
+      "version": "4.26.0",
+      "resolved": "https://registry.npmjs.org/fastify/-/fastify-4.26.0.tgz",
+      "integrity": "sha512-Fq/7ziWKc6pYLYLIlCRaqJqEVTIZ5tZYfcW/mDK2AQ9v/sqjGFpj0On0/7hU50kbPVjLO4de+larPA1WwPZSfw==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/fastify"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/fastify"
+        }
+      ],
       "dependencies": {
         "@fastify/ajv-compiler": "^3.5.0",
         "@fastify/error": "^3.4.0",
@@ -6983,10 +7013,10 @@
         "avvio": "^8.2.1",
         "fast-content-type-parse": "^1.1.0",
         "fast-json-stringify": "^5.8.0",
-        "find-my-way": "^7.7.0",
+        "find-my-way": "^8.0.0",
         "light-my-request": "^5.11.0",
-        "pino": "^8.16.0",
-        "process-warning": "^2.2.0",
+        "pino": "^8.17.0",
+        "process-warning": "^3.0.0",
         "proxy-addr": "^2.0.7",
         "rfdc": "^1.3.0",
         "secure-json-parse": "^2.7.0",
@@ -6999,6 +7029,11 @@
       "resolved": "https://registry.npmjs.org/fastify-plugin/-/fastify-plugin-4.5.1.tgz",
       "integrity": "sha512-stRHYGeuqpEZTL1Ef0Ovr2ltazUT9g844X5z/zEBFLG8RYlpDiOCIG+ATvYEp+/zmc7sN29mcIMp8gvYplYPIQ=="
     },
+    "node_modules/fastify/node_modules/process-warning": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/process-warning/-/process-warning-3.0.0.tgz",
+      "integrity": "sha512-mqn0kFRl0EoqhnL0GQ0veqFHyIN1yig9RHh/InzORTUiZHFRAur+aMtRkELNwGs9aNwKS6tg/An4NYBPGwvtzQ=="
+    },
     "node_modules/fastq": {
       "version": "1.15.0",
       "resolved": "https://registry.npmjs.org/fastq/-/fastq-1.15.0.tgz",
@@ -7062,9 +7097,9 @@
       "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A=="
     },
     "node_modules/find-my-way": {
-      "version": "7.7.0",
-      "resolved": "https://registry.npmjs.org/find-my-way/-/find-my-way-7.7.0.tgz",
-      "integrity": "sha512-+SrHpvQ52Q6W9f3wJoJBbAQULJuNEEQwBvlvYwACDhBTLOTMiQ0HYWh4+vC3OivGP2ENcTI1oKlFA2OepJNjhQ==",
+      "version": "8.1.0",
+      "resolved": "https://registry.npmjs.org/find-my-way/-/find-my-way-8.1.0.tgz",
+      "integrity": "sha512-41QwjCGcVTODUmLLqTMeoHeiozbMXYMAE1CKFiDyi9zVZ2Vjh0yz3MF0WQZoIb+cmzP/XlbFjlF2NtJmvZHznA==",
       "dependencies": {
         "fast-deep-equal": "^3.1.3",
         "fast-querystring": "^1.0.0",
@@ -9049,9 +9084,9 @@
       }
     },
     "node_modules/mnemonist": {
-      "version": "0.39.5",
-      "resolved": "https://registry.npmjs.org/mnemonist/-/mnemonist-0.39.5.tgz",
-      "integrity": "sha512-FPUtkhtJ0efmEFGpU14x7jGbTB+s18LrzRL2KgoWz9YvcY3cPomz8tih01GbHwnGk/OmkOKfqd/RAQoc8Lm7DQ==",
+      "version": "0.39.6",
+      "resolved": "https://registry.npmjs.org/mnemonist/-/mnemonist-0.39.6.tgz",
+      "integrity": "sha512-A/0v5Z59y63US00cRSLiloEIw3t5G+MiKz4BhX21FI+YBJXBOGW0ohFxTxO08dsOYlzxo87T7vGfZKYp2bcAWA==",
       "dependencies": {
         "obliterator": "^2.0.1"
       }
@@ -9112,9 +9147,9 @@
       }
     },
     "node_modules/mysql2": {
-      "version": "3.6.5",
-      "resolved": "https://registry.npmjs.org/mysql2/-/mysql2-3.6.5.tgz",
-      "integrity": "sha512-pS/KqIb0xlXmtmqEuTvBXTmLoQ5LmAz5NW/r8UyQ1ldvnprNEj3P9GbmuQQ2J0A4LO+ynotGi6TbscPa8OUb+w==",
+      "version": "3.9.1",
+      "resolved": "https://registry.npmjs.org/mysql2/-/mysql2-3.9.1.tgz",
+      "integrity": "sha512-3njoWAAhGBYy0tWBabqUQcLtczZUxrmmtc2vszQUekg3kTJyZ5/IeLC3Fo04u6y6Iy5Sba7pIIa2P/gs8D3ZeQ==",
       "dependencies": {
         "denque": "^2.1.0",
         "generate-function": "^2.3.1",
@@ -13812,9 +13847,9 @@
       }
     },
     "node_modules/zod-to-json-schema": {
-      "version": "3.22.0",
-      "resolved": "https://registry.npmjs.org/zod-to-json-schema/-/zod-to-json-schema-3.22.0.tgz",
-      "integrity": "sha512-XQr8EwxPMzJGhoR+d/nRFWdi15VaZ+R5Uhssm+Xx5yS30xCpuutfKRm4rerE0SK9j2dWB5Z3FvDD0w8WMVGzkA==",
+      "version": "3.22.4",
+      "resolved": "https://registry.npmjs.org/zod-to-json-schema/-/zod-to-json-schema-3.22.4.tgz",
+      "integrity": "sha512-2Ed5dJ+n/O3cU383xSY28cuVi0BCQhF8nYqWU5paEpl7fVdqdAmiLdqLyfblbNdfOFwFfi/mqU4O1pwc60iBhQ==",
       "peerDependencies": {
         "zod": "^3.22.4"
       }

backend/package.json

@@ -70,17 +70,17 @@
     "vitest": "^1.2.2"
   },
   "dependencies": {
-    "@aws-sdk/client-secrets-manager": "^3.502.0",
+    "@aws-sdk/client-secrets-manager": "^3.504.0",
     "@casl/ability": "^6.5.0",
     "@fastify/cookie": "^9.2.0",
-    "@fastify/cors": "^8.4.1",
+    "@fastify/cors": "^8.5.0",
     "@fastify/etag": "^5.1.0",
     "@fastify/formbody": "^7.4.0",
     "@fastify/helmet": "^11.1.1",
     "@fastify/passport": "^2.4.0",
     "@fastify/rate-limit": "^9.0.0",
     "@fastify/session": "^10.7.0",
-    "@fastify/swagger": "^8.12.0",
+    "@fastify/swagger": "^8.14.0",
     "@fastify/swagger-ui": "^2.1.0",
     "@node-saml/passport-saml": "^4.0.4",
     "@octokit/rest": "^20.0.2",
@@ -90,13 +90,13 @@
     "@ucast/mongo2js": "^1.3.4",
     "ajv": "^8.12.0",
     "argon2": "^0.31.2",
-    "aws-sdk": "^2.1545.0",
-    "axios": "^1.6.4",
+    "aws-sdk": "^2.1549.0",
+    "axios": "^1.6.7",
     "axios-retry": "^4.0.0",
     "bcrypt": "^5.1.1",
-    "bullmq": "^5.1.1",
-    "dotenv": "^16.3.1",
-    "fastify": "^4.24.3",
+    "bullmq": "^5.1.6",
+    "dotenv": "^16.4.1",
+    "fastify": "^4.26.0",
     "fastify-plugin": "^4.5.1",
     "handlebars": "^4.7.8",
     "ioredis": "^5.3.2",
@@ -106,7 +106,7 @@
     "knex": "^3.0.1",
     "libsodium-wrappers": "^0.7.13",
     "lodash.isequal": "^4.5.0",
-    "mysql2": "^3.6.5",
+    "mysql2": "^3.9.1",
     "nanoid": "^5.0.4",
     "node-cache": "^5.1.2",
     "nodemailer": "^6.9.9",
@@ -124,6 +124,6 @@
     "tweetnacl-util": "^0.15.1",
     "uuid": "^9.0.1",
     "zod": "^3.22.4",
-    "zod-to-json-schema": "^3.22.0"
+    "zod-to-json-schema": "^3.22.4"
   }
 }

backend/src/db/migrations/20240216154123_ghost_users.ts

@@ -0,0 +1,39 @@
+import { Knex } from "knex";
+
+import { ProjectVersion, TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasGhostUserColumn = await knex.schema.hasColumn(TableName.Users, "isGhost");
+  const hasProjectVersionColumn = await knex.schema.hasColumn(TableName.Project, "version");
+
+  if (!hasGhostUserColumn) {
+    await knex.schema.alterTable(TableName.Users, (t) => {
+      t.boolean("isGhost").defaultTo(false).notNullable();
+    });
+  }
+
+  if (!hasProjectVersionColumn) {
+    await knex.schema.alterTable(TableName.Project, (t) => {
+      t.integer("version").defaultTo(ProjectVersion.V1).notNullable();
+      t.string("upgradeStatus").nullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasGhostUserColumn = await knex.schema.hasColumn(TableName.Users, "isGhost");
+  const hasProjectVersionColumn = await knex.schema.hasColumn(TableName.Project, "version");
+
+  if (hasGhostUserColumn) {
+    await knex.schema.alterTable(TableName.Users, (t) => {
+      t.dropColumn("isGhost");
+    });
+  }
+
+  if (hasProjectVersionColumn) {
+    await knex.schema.alterTable(TableName.Project, (t) => {
+      t.dropColumn("version");
+      t.dropColumn("upgradeStatus");
+    });
+  }
+}

backend/src/db/migrations/20240222201806_admin-signup-control.ts

@@ -0,0 +1,20 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const isTablePresent = await knex.schema.hasTable(TableName.SuperAdmin);
+  if (isTablePresent) {
+    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+      t.string("allowedSignUpDomain");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.SuperAdmin, "allowedSignUpDomain")) {
+    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+      t.dropColumn("allowedSignUpDomain");
+    });
+  }
+}

backend/src/db/schemas/models.ts

@@ -112,6 +112,17 @@ export enum SecretType {
   Personal = "personal"
 }
 
+export enum ProjectVersion {
+  V1 = 1,
+  V2 = 2
+}
+
+export enum ProjectUpgradeStatus {
+  InProgress = "IN_PROGRESS",
+  // Completed -> Will be null if completed. So a completed status is not needed
+  Failed = "FAILED"
+}
+
 export enum IdentityAuthMethod {
   Univeral = "universal-auth"
 }

backend/src/db/schemas/projects.ts

@@ -14,7 +14,9 @@ export const ProjectsSchema = z.object({
   autoCapitalization: z.boolean().default(true).nullable().optional(),
   orgId: z.string().uuid(),
   createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  version: z.number().default(1),
+  upgradeStatus: z.string().nullable().optional()
 });
 
 export type TProjects = z.infer<typeof ProjectsSchema>;

backend/src/db/schemas/super-admin.ts

@@ -12,7 +12,8 @@ export const SuperAdminSchema = z.object({
   initialized: z.boolean().default(false).nullable().optional(),
   allowSignUp: z.boolean().default(true).nullable().optional(),
   createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  allowedSignUpDomain: z.string().nullable().optional()
 });
 
 export type TSuperAdmin = z.infer<typeof SuperAdminSchema>;

backend/src/db/schemas/users.ts

@@ -19,7 +19,8 @@ export const UsersSchema = z.object({
   mfaMethods: z.string().array().nullable().optional(),
   devices: z.unknown().nullable().optional(),
   createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  isGhost: z.boolean().default(false)
 });
 
 export type TUsers = z.infer<typeof UsersSchema>;

backend/src/db/seed-data.ts

@@ -1,3 +1,4 @@
+/* eslint-disable import/no-mutable-exports */
 import crypto from "node:crypto";
 
 import argon2, { argon2id } from "argon2";
@@ -15,9 +16,12 @@ import {
 
 import { TSecrets, TUserEncryptionKeys } from "./schemas";
 
+export let userPrivateKey: string | undefined;
+export let userPublicKey: string | undefined;
+
 export const seedData1 = {
   id: "3dafd81d-4388-432b-a4c5-f735616868c1",
-  email: "test@localhost.local",
+  email: process.env.TEST_USER_EMAIL || "test@localhost.local",
   password: process.env.TEST_USER_PASSWORD || "testInfisical@1",
   organization: {
     id: "180870b7-f464-4740-8ffe-9d11c9245ea7",
@@ -42,6 +46,12 @@ export const seedData1 = {
   },
   token: {
     id: "a9dfafba-a3b7-42e3-8618-91abb702fd36"
+  },
+
+  // We set these values during user creation, and later re-use them during project seeding.
+  encryptionKeys: {
+    publicKey: "",
+    privateKey: ""
   }
 };
 

backend/src/ee/routes/v1/scim-router.ts

@@ -5,7 +5,7 @@ import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 
 export const registerScimRouter = async (server: FastifyZodProvider) => {
-  server.addContentTypeParser("application/scim+json", { parseAs: "string" }, function (req, body, done) {
+  server.addContentTypeParser("application/scim+json", { parseAs: "string" }, (_, body, done) => {
     try {
       const strBody = body instanceof Buffer ? body.toString() : body;
 

backend/src/ee/services/audit-log/audit-log-service.ts

@@ -58,6 +58,7 @@ export const auditLogServiceFactory = ({
     if (data.event.type !== EventType.LOGIN_IDENTITY_UNIVERSAL_AUTH) {
       if (!data.projectId && !data.orgId) throw new BadRequestError({ message: "Must either project id or org id" });
     }
+
     return auditLogQueue.pushToLog(data);
   };
 

backend/src/ee/services/permission/permission-service.ts

@@ -177,6 +177,8 @@ export const permissionServiceFactory = ({
 
   const getServiceTokenProjectPermission = async (serviceTokenId: string, projectId: string) => {
     const serviceToken = await serviceTokenDAL.findById(serviceTokenId);
+    if (!serviceToken) throw new BadRequestError({ message: "Service token not found" });
+
     if (serviceToken.projectId !== projectId)
       throw new UnauthorizedError({
         message: "Failed to find service authorization for given project"

backend/src/ee/services/saml-config/saml-config-service.ts

@@ -338,7 +338,8 @@ export const samlConfigServiceFactory = ({
             email,
             firstName,
             lastName,
-            authMethods: [AuthMethod.EMAIL]
+            authMethods: [AuthMethod.EMAIL],
+            isGhost: false
           },
           tx
         );

backend/src/ee/services/scim/scim-service.ts

@@ -251,7 +251,8 @@ export const scimServiceFactory = ({
             email,
             firstName,
             lastName,
-            authMethods: [AuthMethod.EMAIL]
+            authMethods: [AuthMethod.EMAIL],
+            isGhost: false
           },
           tx
         );

backend/src/ee/services/secret-approval-request/secret-approval-request-secret-dal.ts

@@ -1,8 +1,13 @@
 import { Knex } from "knex";
 
 import { TDbClient } from "@app/db";
-import { SecretApprovalRequestsSecretsSchema, TableName, TSecretTags } from "@app/db/schemas";
-import { DatabaseError } from "@app/lib/errors";
+import {
+  SecretApprovalRequestsSecretsSchema,
+  TableName,
+  TSecretApprovalRequestsSecrets,
+  TSecretTags
+} from "@app/db/schemas";
+import { BadRequestError, DatabaseError } from "@app/lib/errors";
 import { ormify, selectAllTableCols, sqlNestRelationships } from "@app/lib/knex";
 
 export type TSecretApprovalRequestSecretDALFactory = ReturnType<typeof secretApprovalRequestSecretDALFactory>;
@@ -11,6 +16,35 @@ export const secretApprovalRequestSecretDALFactory = (db: TDbClient) => {
   const secretApprovalRequestSecretOrm = ormify(db, TableName.SecretApprovalRequestSecret);
   const secretApprovalRequestSecretTagOrm = ormify(db, TableName.SecretApprovalRequestSecretTag);
 
+  const bulkUpdateNoVersionIncrement = async (data: TSecretApprovalRequestsSecrets[], tx?: Knex) => {
+    try {
+      const existingApprovalSecrets = await secretApprovalRequestSecretOrm.find(
+        {
+          $in: {
+            id: data.map((el) => el.id)
+          }
+        },
+        { tx }
+      );
+
+      if (existingApprovalSecrets.length !== data.length) {
+        throw new BadRequestError({ message: "Some of the secret approvals do not exist" });
+      }
+
+      if (data.length === 0) return [];
+
+      const updatedApprovalSecrets = await (tx || db)(TableName.SecretApprovalRequestSecret)
+        .insert(data)
+        .onConflict("id") // this will cause a conflict then merge the data
+        .merge() // Merge the data with the existing data
+        .returning("*");
+
+      return updatedApprovalSecrets;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "bulk update secret" });
+    }
+  };
+
   const findByRequestId = async (requestId: string, tx?: Knex) => {
     try {
       const doc = await (tx || db)({
@@ -190,6 +224,7 @@ export const secretApprovalRequestSecretDALFactory = (db: TDbClient) => {
   return {
     ...secretApprovalRequestSecretOrm,
     findByRequestId,
+    bulkUpdateNoVersionIncrement,
     insertApprovalSecretTags: secretApprovalRequestSecretTagOrm.insertMany
   };
 };

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -11,6 +11,7 @@ import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
 import { groupBy, pick, unique } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { ActorType } from "@app/services/auth/auth-type";
+import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TSecretQueueFactory } from "@app/services/secret/secret-queue";
 import { TSecretServiceFactory } from "@app/services/secret/secret-service";
 import { TSecretVersionDALFactory } from "@app/services/secret/secret-version-dal";
@@ -47,6 +48,7 @@ type TSecretApprovalRequestServiceFactoryDep = {
   secretBlindIndexDAL: Pick<TSecretBlindIndexDALFactory, "findOne">;
   snapshotService: Pick<TSecretSnapshotServiceFactory, "performSnapshot">;
   secretVersionDAL: Pick<TSecretVersionDALFactory, "findLatestVersionMany">;
+  projectDAL: Pick<TProjectDALFactory, "checkProjectUpgradeStatus">;
   secretService: Pick<
     TSecretServiceFactory,
     | "fnSecretBulkInsert"
@@ -67,6 +69,7 @@ export const secretApprovalRequestServiceFactory = ({
   secretApprovalRequestReviewerDAL,
   secretApprovalRequestSecretDAL,
   secretBlindIndexDAL,
+  projectDAL,
   permissionService,
   snapshotService,
   secretService,
@@ -434,6 +437,8 @@ export const secretApprovalRequestServiceFactory = ({
       subject(ProjectPermissionSub.Secrets, { environment, secretPath })
     );
 
+    await projectDAL.checkProjectUpgradeStatus(projectId);
+
     const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
     if (!folder) throw new BadRequestError({ message: "Folder not  found", name: "GenSecretApproval" });
     const folderId = folder.id;

backend/src/lib/crypto/encryption.ts

@@ -8,6 +8,9 @@ import { SecretEncryptionAlgo, SecretKeyEncoding } from "@app/db/schemas";
 
 import { getConfig } from "../config/env";
 
+export const decodeBase64 = (s: string) => naclUtils.decodeBase64(s);
+export const encodeBase64 = (u: Uint8Array) => naclUtils.encodeBase64(u);
+
 export type TDecryptSymmetricInput = {
   ciphertext: string;
   iv: string;

backend/src/lib/crypto/index.ts

@@ -1,12 +1,20 @@
 export {
   buildSecretBlindIndexFromName,
   createSecretBlindIndex,
+  decodeBase64,
   decryptAsymmetric,
   decryptSymmetric,
   decryptSymmetric128BitHexKeyUTF8,
+  encodeBase64,
   encryptAsymmetric,
   encryptSymmetric,
   encryptSymmetric128BitHexKeyUTF8,
   generateAsymmetricKeyPair
 } from "./encryption";
+export {
+  decryptIntegrationAuths,
+  decryptSecretApprovals,
+  decryptSecrets,
+  decryptSecretVersions
+} from "./secret-encryption";
 export { generateSrpServerKey, srpCheckClientProof } from "./srp";

backend/src/lib/crypto/secret-encryption.ts

@@ -0,0 +1,293 @@
+import crypto from "crypto";
+import { z } from "zod";
+
+import {
+  IntegrationAuthsSchema,
+  SecretApprovalRequestsSecretsSchema,
+  SecretsSchema,
+  SecretVersionsSchema,
+  TIntegrationAuths,
+  TProjectKeys,
+  TSecretApprovalRequestsSecrets,
+  TSecrets,
+  TSecretVersions
+} from "../../db/schemas";
+import { decryptAsymmetric } from "./encryption";
+
+const DecryptedValuesSchema = z.object({
+  id: z.string(),
+  secretKey: z.string(),
+  secretValue: z.string(),
+  secretComment: z.string().optional()
+});
+
+const DecryptedSecretSchema = z.object({
+  decrypted: DecryptedValuesSchema,
+  original: SecretsSchema
+});
+
+const DecryptedIntegrationAuthsSchema = z.object({
+  decrypted: z.object({
+    id: z.string(),
+    access: z.string(),
+    accessId: z.string(),
+    refresh: z.string()
+  }),
+  original: IntegrationAuthsSchema
+});
+
+const DecryptedSecretVersionsSchema = z.object({
+  decrypted: DecryptedValuesSchema,
+  original: SecretVersionsSchema
+});
+
+const DecryptedSecretApprovalsSchema = z.object({
+  decrypted: DecryptedValuesSchema,
+  original: SecretApprovalRequestsSecretsSchema
+});
+
+type DecryptedSecret = z.infer<typeof DecryptedSecretSchema>;
+type DecryptedSecretVersions = z.infer<typeof DecryptedSecretVersionsSchema>;
+type DecryptedSecretApprovals = z.infer<typeof DecryptedSecretApprovalsSchema>;
+type DecryptedIntegrationAuths = z.infer<typeof DecryptedIntegrationAuthsSchema>;
+
+type TLatestKey = TProjectKeys & {
+  sender: {
+    publicKey: string;
+  };
+};
+
+const decryptCipher = ({
+  ciphertext,
+  iv,
+  tag,
+  key
+}: {
+  ciphertext: string;
+  iv: string;
+  tag: string;
+  key: string | Buffer;
+}) => {
+  const decipher = crypto.createDecipheriv("aes-256-gcm", key, Buffer.from(iv, "base64"));
+  decipher.setAuthTag(Buffer.from(tag, "base64"));
+
+  let cleartext = decipher.update(ciphertext, "base64", "utf8");
+  cleartext += decipher.final("utf8");
+
+  return cleartext;
+};
+
+const getDecryptedValues = (data: Array<{ ciphertext: string; iv: string; tag: string }>, key: string | Buffer) => {
+  const results: string[] = [];
+
+  for (const { ciphertext, iv, tag } of data) {
+    if (!ciphertext || !iv || !tag) {
+      results.push("");
+    } else {
+      results.push(decryptCipher({ ciphertext, iv, tag, key }));
+    }
+  }
+
+  return results;
+};
+export const decryptSecrets = (encryptedSecrets: TSecrets[], privateKey: string, latestKey: TLatestKey) => {
+  const key = decryptAsymmetric({
+    ciphertext: latestKey.encryptedKey,
+    nonce: latestKey.nonce,
+    publicKey: latestKey.sender.publicKey,
+    privateKey
+  });
+
+  const decryptedSecrets: DecryptedSecret[] = [];
+
+  encryptedSecrets.forEach((encSecret) => {
+    const [secretKey, secretValue, secretComment] = getDecryptedValues(
+      [
+        {
+          ciphertext: encSecret.secretKeyCiphertext,
+          iv: encSecret.secretKeyIV,
+          tag: encSecret.secretKeyTag
+        },
+        {
+          ciphertext: encSecret.secretValueCiphertext,
+          iv: encSecret.secretValueIV,
+          tag: encSecret.secretValueTag
+        },
+        {
+          ciphertext: encSecret.secretCommentCiphertext || "",
+          iv: encSecret.secretCommentIV || "",
+          tag: encSecret.secretCommentTag || ""
+        }
+      ],
+      key
+    );
+
+    const decryptedSecret: DecryptedSecret = {
+      decrypted: {
+        secretKey,
+        secretValue,
+        secretComment,
+        id: encSecret.id
+      },
+      original: encSecret
+    };
+
+    decryptedSecrets.push(DecryptedSecretSchema.parse(decryptedSecret));
+  });
+
+  return decryptedSecrets;
+};
+
+export const decryptSecretVersions = (
+  encryptedSecretVersions: TSecretVersions[],
+  privateKey: string,
+  latestKey: TLatestKey
+) => {
+  const key = decryptAsymmetric({
+    ciphertext: latestKey.encryptedKey,
+    nonce: latestKey.nonce,
+    publicKey: latestKey.sender.publicKey,
+    privateKey
+  });
+
+  const decryptedSecrets: DecryptedSecretVersions[] = [];
+
+  encryptedSecretVersions.forEach((encSecret) => {
+    const [secretKey, secretValue, secretComment] = getDecryptedValues(
+      [
+        {
+          ciphertext: encSecret.secretKeyCiphertext,
+          iv: encSecret.secretKeyIV,
+          tag: encSecret.secretKeyTag
+        },
+        {
+          ciphertext: encSecret.secretValueCiphertext,
+          iv: encSecret.secretValueIV,
+          tag: encSecret.secretValueTag
+        },
+        {
+          ciphertext: encSecret.secretCommentCiphertext || "",
+          iv: encSecret.secretCommentIV || "",
+          tag: encSecret.secretCommentTag || ""
+        }
+      ],
+      key
+    );
+
+    const decryptedSecret: DecryptedSecretVersions = {
+      decrypted: {
+        secretKey,
+        secretValue,
+        secretComment,
+        id: encSecret.id
+      },
+      original: encSecret
+    };
+
+    decryptedSecrets.push(DecryptedSecretVersionsSchema.parse(decryptedSecret));
+  });
+
+  return decryptedSecrets;
+};
+
+export const decryptSecretApprovals = (
+  encryptedSecretApprovals: TSecretApprovalRequestsSecrets[],
+  privateKey: string,
+  latestKey: TLatestKey
+) => {
+  const key = decryptAsymmetric({
+    ciphertext: latestKey.encryptedKey,
+    nonce: latestKey.nonce,
+    publicKey: latestKey.sender.publicKey,
+    privateKey
+  });
+
+  const decryptedSecrets: DecryptedSecretApprovals[] = [];
+
+  encryptedSecretApprovals.forEach((encApproval) => {
+    const [secretKey, secretValue, secretComment] = getDecryptedValues(
+      [
+        {
+          ciphertext: encApproval.secretKeyCiphertext,
+          iv: encApproval.secretKeyIV,
+          tag: encApproval.secretKeyTag
+        },
+        {
+          ciphertext: encApproval.secretValueCiphertext,
+          iv: encApproval.secretValueIV,
+          tag: encApproval.secretValueTag
+        },
+        {
+          ciphertext: encApproval.secretCommentCiphertext || "",
+          iv: encApproval.secretCommentIV || "",
+          tag: encApproval.secretCommentTag || ""
+        }
+      ],
+      key
+    );
+
+    const decryptedSecret: DecryptedSecretApprovals = {
+      decrypted: {
+        secretKey,
+        secretValue,
+        secretComment,
+        id: encApproval.id
+      },
+      original: encApproval
+    };
+
+    decryptedSecrets.push(DecryptedSecretApprovalsSchema.parse(decryptedSecret));
+  });
+
+  return decryptedSecrets;
+};
+
+export const decryptIntegrationAuths = (
+  encryptedIntegrationAuths: TIntegrationAuths[],
+  privateKey: string,
+  latestKey: TLatestKey
+) => {
+  const key = decryptAsymmetric({
+    ciphertext: latestKey.encryptedKey,
+    nonce: latestKey.nonce,
+    publicKey: latestKey.sender.publicKey,
+    privateKey
+  });
+
+  const decryptedIntegrationAuths: DecryptedIntegrationAuths[] = [];
+
+  encryptedIntegrationAuths.forEach((encAuth) => {
+    const [access, accessId, refresh] = getDecryptedValues(
+      [
+        {
+          ciphertext: encAuth.accessCiphertext || "",
+          iv: encAuth.accessIV || "",
+          tag: encAuth.accessTag || ""
+        },
+        {
+          ciphertext: encAuth.accessIdCiphertext || "",
+          iv: encAuth.accessIdIV || "",
+          tag: encAuth.accessIdTag || ""
+        },
+        {
+          ciphertext: encAuth.refreshCiphertext || "",
+          iv: encAuth.refreshIV || "",
+          tag: encAuth.refreshTag || ""
+        }
+      ],
+      key
+    );
+
+    decryptedIntegrationAuths.push({
+      decrypted: {
+        id: encAuth.id,
+        access,
+        accessId,
+        refresh
+      },
+      original: encAuth
+    });
+  });
+
+  return decryptedIntegrationAuths;
+};

backend/src/lib/crypto/srp.ts

@@ -1,4 +1,12 @@
+import argon2 from "argon2";
+import crypto from "crypto";
 import jsrp from "jsrp";
+import nacl from "tweetnacl";
+import tweetnacl from "tweetnacl-util";
+
+import { TUserEncryptionKeys } from "@app/db/schemas";
+
+import { decryptSymmetric, encryptAsymmetric, encryptSymmetric } from "./encryption";
 
 export const generateSrpServerKey = async (salt: string, verifier: string) => {
   // eslint-disable-next-line new-cap
@@ -24,3 +32,99 @@ export const srpCheckClientProof = async (
   server.setClientPublicKey(clientPublicKey);
   return server.checkClientProof(clientProof);
 };
+
+// Ghost user related:
+// This functionality is intended for ghost user logic. This happens on the frontend when a user is being created.
+// We replicate the same functionality on the backend when creating a ghost user.
+export const generateUserSrpKeys = async (email: string, password: string) => {
+  const pair = nacl.box.keyPair();
+  const secretKeyUint8Array = pair.secretKey;
+  const publicKeyUint8Array = pair.publicKey;
+  const privateKey = tweetnacl.encodeBase64(secretKeyUint8Array);
+  const publicKey = tweetnacl.encodeBase64(publicKeyUint8Array);
+
+  // eslint-disable-next-line
+  const client = new jsrp.client();
+  await new Promise((resolve) => {
+    client.init({ username: email, password }, () => resolve(null));
+  });
+  const { salt, verifier } = await new Promise<{ salt: string; verifier: string }>((resolve, reject) => {
+    client.createVerifier((err, res) => {
+      if (err) return reject(err);
+      return resolve(res);
+    });
+  });
+  const derivedKey = await argon2.hash(password, {
+    salt: Buffer.from(salt),
+    memoryCost: 65536,
+    timeCost: 3,
+    parallelism: 1,
+    hashLength: 32,
+    type: argon2.argon2id,
+    raw: true
+  });
+  if (!derivedKey) throw new Error("Failed to derive key from password");
+
+  const key = crypto.randomBytes(32);
+
+  // create encrypted private key by encrypting the private
+  // key with the symmetric key [key]
+  const {
+    ciphertext: encryptedPrivateKey,
+    iv: encryptedPrivateKeyIV,
+    tag: encryptedPrivateKeyTag
+  } = encryptSymmetric(privateKey, key.toString("base64"));
+
+  // create the protected key by encrypting the symmetric key
+  // [key] with the derived key
+  const {
+    ciphertext: protectedKey,
+    iv: protectedKeyIV,
+    tag: protectedKeyTag
+  } = encryptSymmetric(key.toString("hex"), derivedKey.toString("base64"));
+
+  return {
+    protectedKey,
+    plainPrivateKey: privateKey,
+    protectedKeyIV,
+    protectedKeyTag,
+    publicKey,
+    encryptedPrivateKey,
+    encryptedPrivateKeyIV,
+    encryptedPrivateKeyTag,
+    salt,
+    verifier
+  };
+};
+
+export const getUserPrivateKey = async (password: string, user: TUserEncryptionKeys) => {
+  const derivedKey = await argon2.hash(password, {
+    salt: Buffer.from(user.salt),
+    memoryCost: 65536,
+    timeCost: 3,
+    parallelism: 1,
+    hashLength: 32,
+    type: argon2.argon2id,
+    raw: true
+  });
+  if (!derivedKey) throw new Error("Failed to derive key from password");
+  const key = decryptSymmetric({
+    ciphertext: user.protectedKey!,
+    iv: user.protectedKeyIV!,
+    tag: user.protectedKeyTag!,
+    key: derivedKey.toString("base64")
+  });
+  const privateKey = decryptSymmetric({
+    ciphertext: user.encryptedPrivateKey,
+    iv: user.iv,
+    tag: user.tag,
+    key
+  });
+  return privateKey;
+};
+
+export const buildUserProjectKey = async (privateKey: string, publickey: string) => {
+  const randomBytes = crypto.randomBytes(16).toString("hex");
+  const { nonce, ciphertext } = encryptAsymmetric(randomBytes, publickey, privateKey);
+  return { nonce, ciphertext };
+};

backend/src/queue/queue-service.ts

@@ -1,6 +1,7 @@
 import { Job, JobsOptions, Queue, QueueOptions, RepeatOptions, Worker, WorkerListener } from "bullmq";
 import Redis from "ioredis";
 
+import { SecretKeyEncoding } from "@app/db/schemas";
 import { TCreateAuditLogDTO } from "@app/ee/services/audit-log/audit-log-types";
 import {
   TScanFullRepoEventPayload,
@@ -15,7 +16,8 @@ export enum QueueName {
   IntegrationSync = "sync-integrations",
   SecretWebhook = "secret-webhook",
   SecretFullRepoScan = "secret-full-repo-scan",
-  SecretPushEventScan = "secret-push-event-scan"
+  SecretPushEventScan = "secret-push-event-scan",
+  UpgradeProjectToGhost = "upgrade-project-to-ghost"
 }
 
 export enum QueueJobs {
@@ -25,7 +27,8 @@ export enum QueueJobs {
   AuditLogPrune = "audit-log-prune-job",
   SecWebhook = "secret-webhook-trigger",
   IntegrationSync = "secret-integration-pull",
-  SecretScan = "secret-scan"
+  SecretScan = "secret-scan",
+  UpgradeProjectToGhost = "upgrade-project-to-ghost-job"
 }
 
 export type TQueueJobTypes = {
@@ -64,6 +67,20 @@ export type TQueueJobTypes = {
     payload: TScanFullRepoEventPayload;
   };
   [QueueName.SecretPushEventScan]: { name: QueueJobs.SecretScan; payload: TScanPushEventPayload };
+
+  [QueueName.UpgradeProjectToGhost]: {
+    name: QueueJobs.UpgradeProjectToGhost;
+    payload: {
+      projectId: string;
+      startedByUserId: string;
+      encryptedPrivateKey: {
+        encryptedKey: string;
+        encryptedKeyIv: string;
+        encryptedKeyTag: string;
+        keyEncoding: SecretKeyEncoding;
+      };
+    };
+  };
 };
 
 export type TQueueServiceFactory = ReturnType<typeof queueServiceFactory>;

backend/src/server/lib/telemetry.ts

@@ -0,0 +1,17 @@
+import { FastifyRequest } from "fastify";
+
+import { ActorType } from "@app/services/auth/auth-type";
+
+// this is a unique id for sending posthog event
+export const getTelemetryDistinctId = (req: FastifyRequest) => {
+  if (req.auth.actor === ActorType.USER) {
+    return req.auth.user.email;
+  }
+  if (req.auth.actor === ActorType.IDENTITY) {
+    return `identity-${req.auth.identityId}`;
+  }
+  if (req.auth.actor === ActorType.SERVICE) {
+    return req.auth.serviceToken.createdByEmail || `service-token-null-creator-${req.auth.serviceTokenId}`; // when user gets removed from system
+  }
+  return "unknown-auth-data";
+};

backend/src/server/plugins/auth/inject-identity.ts

@@ -27,7 +27,7 @@ export type TAuthMode =
     }
   | {
       authMode: AuthMode.SERVICE_TOKEN;
-      serviceToken: TServiceTokens;
+      serviceToken: TServiceTokens & { createdByEmail: string };
       actor: ActorType.SERVICE;
       serviceTokenId: string;
     }

backend/src/server/routes/index.ts

@@ -65,6 +65,7 @@ import { orgRoleDALFactory } from "@app/services/org/org-role-dal";
 import { orgRoleServiceFactory } from "@app/services/org/org-role-service";
 import { orgServiceFactory } from "@app/services/org/org-service";
 import { projectDALFactory } from "@app/services/project/project-dal";
+import { projectQueueFactory } from "@app/services/project/project-queue";
 import { projectServiceFactory } from "@app/services/project/project-service";
 import { projectBotDALFactory } from "@app/services/project-bot/project-bot-dal";
 import { projectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
@@ -280,19 +281,13 @@ export const registerRoutes = async (
     secretScanningDAL,
     secretScanningQueue
   });
-  const projectService = projectServiceFactory({
-    permissionService,
-    projectDAL,
-    secretBlindIndexDAL,
-    projectEnvDAL,
-    projectMembershipDAL,
-    folderDAL,
-    licenseService
-  });
+  const projectBotService = projectBotServiceFactory({ permissionService, projectBotDAL, projectDAL });
+
   const projectMembershipService = projectMembershipServiceFactory({
     projectMembershipDAL,
     projectDAL,
     permissionService,
+    projectBotDAL,
     orgDAL,
     userDAL,
     smtpService,
@@ -300,6 +295,46 @@ export const registerRoutes = async (
     projectRoleDAL,
     licenseService
   });
+  const projectKeyService = projectKeyServiceFactory({
+    permissionService,
+    projectKeyDAL,
+    projectMembershipDAL
+  });
+
+  const projectQueueService = projectQueueFactory({
+    queueService,
+    secretDAL,
+    folderDAL,
+    projectDAL,
+    orgDAL,
+    integrationAuthDAL,
+    orgService,
+    projectEnvDAL,
+    userDAL,
+    secretVersionDAL,
+    projectKeyDAL,
+    projectBotDAL,
+    projectMembershipDAL,
+    secretApprovalRequestDAL,
+    secretApprovalSecretDAL: sarSecretDAL
+  });
+
+  const projectService = projectServiceFactory({
+    permissionService,
+    projectDAL,
+    projectQueue: projectQueueService,
+    secretBlindIndexDAL,
+    identityProjectDAL,
+    identityOrgMembershipDAL,
+    projectBotDAL,
+    projectKeyDAL,
+    userDAL,
+    projectEnvDAL,
+    orgService,
+    projectMembershipDAL,
+    folderDAL,
+    licenseService
+  });
   const projectEnvService = projectEnvServiceFactory({
     permissionService,
     projectEnvDAL,
@@ -307,11 +342,7 @@ export const registerRoutes = async (
     projectDAL,
     folderDAL
   });
-  const projectKeyService = projectKeyServiceFactory({
-    permissionService,
-    projectKeyDAL,
-    projectMembershipDAL
-  });
+
   const projectRoleService = projectRoleServiceFactory({ permissionService, projectRoleDAL });
 
   const snapshotService = secretSnapshotServiceFactory({
@@ -346,9 +377,9 @@ export const registerRoutes = async (
     folderDAL,
     permissionService,
     secretImportDAL,
+    projectDAL,
     secretDAL
   });
-  const projectBotService = projectBotServiceFactory({ permissionService, projectBotDAL });
   const integrationAuthService = integrationAuthServiceFactory({
     integrationAuthDAL,
     integrationDAL,
@@ -382,6 +413,7 @@ export const registerRoutes = async (
     secretVersionTagDAL,
     secretBlindIndexDAL,
     permissionService,
+    projectDAL,
     secretDAL,
     secretTagDAL,
     snapshotService,
@@ -395,6 +427,7 @@ export const registerRoutes = async (
     secretTagDAL,
     secretApprovalRequestSecretDAL: sarSecretDAL,
     secretApprovalRequestReviewerDAL: sarReviewerDAL,
+    projectDAL,
     secretVersionDAL,
     secretBlindIndexDAL,
     secretApprovalRequestDAL,
@@ -552,4 +585,8 @@ export const registerRoutes = async (
   );
   await server.register(registerV2Routes, { prefix: "/api/v2" });
   await server.register(registerV3Routes, { prefix: "/api/v3" });
+
+  server.addHook("onClose", async () => {
+    await telemetryService.flushAll();
+  });
 };

backend/src/server/routes/v1/admin-router.ts

@@ -31,7 +31,8 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
     method: "PATCH",
     schema: {
       body: z.object({
-        allowSignUp: z.boolean().optional()
+        allowSignUp: z.boolean().optional(),
+        allowedSignUpDomain: z.string().optional().nullable()
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/identity-router.ts

@@ -2,8 +2,10 @@ import { z } from "zod";
 
 import { IdentitiesSchema, OrgMembershipRole } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
+import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 
 export const registerIdentityRouter = async (server: FastifyZodProvider) => {
   server.route({
@@ -49,6 +51,17 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
         }
       });
 
+      server.services.telemetry.sendPostHogEvents({
+        event: PostHogEventTypes.MachineIdentityCreated,
+        distinctId: getTelemetryDistinctId(req),
+        properties: {
+          orgId: req.body.organizationId,
+          name: identity.name,
+          identityId: identity.id,
+          ...req.auditLogInfo
+        }
+      });
+
       return { identity };
     }
   });

backend/src/server/routes/v1/index.ts

@@ -48,6 +48,7 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
       await projectRouter.register(registerProjectMembershipRouter);
       await projectRouter.register(registerSecretTagRouter);
     },
+
     { prefix: "/workspace" }
   );
 

backend/src/server/routes/v1/integration-router.ts

@@ -3,8 +3,10 @@ import { z } from "zod";
 import { IntegrationsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { removeTrailingSlash, shake } from "@app/lib/fn";
+import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
+import { PostHogEventTypes, TIntegrationCreatedEvent } from "@app/services/telemetry/telemetry-types";
 
 export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
   server.route({
@@ -53,28 +55,40 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
         actorOrgId: req.permission.orgId,
         ...req.body
       });
+
+      const createIntegrationEventProperty = shake({
+        integrationId: integration.id.toString(),
+        integration: integration.integration,
+        environment: req.body.sourceEnvironment,
+        secretPath: req.body.secretPath,
+        url: integration.url,
+        app: integration.app,
+        appId: integration.appId,
+        targetEnvironment: integration.targetEnvironment,
+        targetEnvironmentId: integration.targetEnvironmentId,
+        targetService: integration.targetService,
+        targetServiceId: integration.targetServiceId,
+        path: integration.path,
+        region: integration.region
+      }) as TIntegrationCreatedEvent["properties"];
+
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
         projectId: integrationAuth.projectId,
         event: {
           type: EventType.CREATE_INTEGRATION,
           // eslint-disable-next-line
-          metadata: shake({
-            integrationId: integration.id.toString(),
-            integration: integration.integration,
-            environment: req.body.sourceEnvironment,
-            secretPath: req.body.secretPath,
-            url: integration.url,
-            app: integration.app,
-            appId: integration.appId,
-            targetEnvironment: integration.targetEnvironment,
-            targetEnvironmentId: integration.targetEnvironmentId,
-            targetService: integration.targetService,
-            targetServiceId: integration.targetServiceId,
-            path: integration.path,
-            region: integration.region
-            // eslint-disable-next-line
-          }) as any
+          metadata: createIntegrationEventProperty
+        }
+      });
+
+      server.services.telemetry.sendPostHogEvents({
+        event: PostHogEventTypes.IntegrationCreated,
+        distinctId: getTelemetryDistinctId(req),
+        properties: {
+          ...createIntegrationEventProperty,
+          projectId: integrationAuth.projectId,
+          ...req.auditLogInfo
         }
       });
       return { integration };

backend/src/server/routes/v1/invite-org-router.ts

@@ -1,8 +1,10 @@
 import { z } from "zod";
 
 import { UsersSchema } from "@app/db/schemas";
+import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { ActorType, AuthMode } from "@app/services/auth/auth-type";
+import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 
 export const registerInviteOrgRouter = async (server: FastifyZodProvider) => {
   server.route({
@@ -30,6 +32,15 @@ export const registerInviteOrgRouter = async (server: FastifyZodProvider) => {
         actorOrgId: req.permission.orgId
       });
 
+      server.services.telemetry.sendPostHogEvents({
+        event: PostHogEventTypes.UserOrgInvitation,
+        distinctId: getTelemetryDistinctId(req),
+        properties: {
+          inviteeEmail: req.body.inviteeEmail,
+          ...req.auditLogInfo
+        }
+      });
+
       return {
         completeInviteLink,
         message: `Send an invite link to ${req.body.inviteeEmail}`

backend/src/server/routes/v1/project-membership-router.ts

@@ -1,6 +1,12 @@
 import { z } from "zod";
 
-import { OrgMembershipsSchema, ProjectMembershipsSchema, UserEncryptionKeysSchema, UsersSchema } from "@app/db/schemas";
+import {
+  OrgMembershipsSchema,
+  ProjectMembershipRole,
+  ProjectMembershipsSchema,
+  UserEncryptionKeysSchema,
+  UsersSchema
+} from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -80,7 +86,10 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
         actor: req.permission.type,
         actorOrgId: req.permission.orgId,
         projectId: req.params.workspaceId,
-        members: req.body.members
+        members: req.body.members.map((member) => ({
+          ...member,
+          projectRole: ProjectMembershipRole.Member
+        }))
       });
 
       await server.services.auditLog.createAuditLog({

backend/src/server/routes/v1/project-router.ts

@@ -2,13 +2,11 @@ import { z } from "zod";
 
 import {
   IntegrationsSchema,
-  ProjectKeysSchema,
   ProjectMembershipsSchema,
   ProjectsSchema,
   UserEncryptionKeysSchema,
   UsersSchema
 } from "@app/db/schemas";
-import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 
@@ -119,7 +117,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         })
       }
     },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.SERVICE_TOKEN, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
       const workspace = await server.services.project.getAProject({
         actorId: req.permission.id,
@@ -171,7 +169,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         })
       }
     },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
       const workspace = await server.services.project.deleteProject({
         actorId: req.permission.id,
@@ -216,6 +214,41 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
     }
   });
 
+  server.route({
+    url: "/:workspaceId",
+    method: "PATCH",
+    schema: {
+      params: z.object({
+        workspaceId: z.string().trim()
+      }),
+      body: z.object({
+        name: z.string().trim().optional(),
+        autoCapitalization: z.boolean().optional()
+      }),
+      response: {
+        200: z.object({
+          workspace: ProjectsSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const workspace = await server.services.project.updateProject({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        projectId: req.params.workspaceId,
+        update: {
+          name: req.body.name,
+          autoCapitalization: req.body.autoCapitalization
+        }
+      });
+      return {
+        workspace
+      };
+    }
+  });
+
   server.route({
     url: "/:workspaceId/auto-capitalization",
     method: "POST",
@@ -249,48 +282,6 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
     }
   });
 
-  server.route({
-    url: "/:workspaceId/invite-signup",
-    method: "POST",
-    schema: {
-      params: z.object({
-        workspaceId: z.string().trim()
-      }),
-      body: z.object({
-        email: z.string().trim()
-      }),
-      response: {
-        200: z.object({
-          invitee: UsersSchema,
-          latestKey: ProjectKeysSchema.optional()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const { invitee, latestKey } = await server.services.projectMembership.inviteUserToProject({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorOrgId: req.permission.orgId,
-        projectId: req.params.workspaceId,
-        email: req.body.email
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        projectId: req.params.workspaceId,
-        event: {
-          type: EventType.ADD_WORKSPACE_MEMBER,
-          metadata: {
-            userId: invitee.id,
-            email: invitee.email
-          }
-        }
-      });
-      return { invitee, latestKey };
-    }
-  });
-
   server.route({
     url: "/:workspaceId/integrations",
     method: "GET",

backend/src/server/routes/v1/sso-router.ts

@@ -18,7 +18,6 @@ import { BadRequestError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { fetchGithubEmails } from "@app/lib/requests/github";
 import { AuthMethod } from "@app/services/auth/auth-type";
-import { getServerCfg } from "@app/services/super-admin/super-admin-service";
 
 export const registerSsoRouter = async (server: FastifyZodProvider) => {
   const appCfg = getConfig();
@@ -42,7 +41,6 @@ export const registerSsoRouter = async (server: FastifyZodProvider) => {
         async (req, _accessToken, _refreshToken, profile, cb) => {
           try {
             const email = profile?.emails?.[0]?.value;
-            const serverCfg = await getServerCfg();
             if (!email)
               throw new BadRequestError({
                 message: "Email not found",
@@ -54,8 +52,7 @@ export const registerSsoRouter = async (server: FastifyZodProvider) => {
               firstName: profile?.name?.givenName || "",
               lastName: profile?.name?.familyName || "",
               authMethod: AuthMethod.GOOGLE,
-              callbackPort: req.query.state as string,
-              isSignupAllowed: Boolean(serverCfg.allowSignUp)
+              callbackPort: req.query.state as string
             });
             cb(null, { isUserCompleted, providerAuthToken });
           } catch (error) {
@@ -84,14 +81,12 @@ export const registerSsoRouter = async (server: FastifyZodProvider) => {
           try {
             const ghEmails = await fetchGithubEmails(accessToken);
             const { email } = ghEmails.filter((gitHubEmail) => gitHubEmail.primary)[0];
-            const serverCfg = await getServerCfg();
             const { isUserCompleted, providerAuthToken } = await server.services.login.oauth2Login({
               email,
               firstName: profile.displayName,
               lastName: "",
               authMethod: AuthMethod.GITHUB,
-              callbackPort: req.query.state as string,
-              isSignupAllowed: Boolean(serverCfg.allowSignUp)
+              callbackPort: req.query.state as string
             });
             return cb(null, { isUserCompleted, providerAuthToken });
           } catch (error) {
@@ -120,14 +115,12 @@ export const registerSsoRouter = async (server: FastifyZodProvider) => {
         async (req: any, _accessToken: string, _refreshToken: string, profile: any, cb: any) => {
           try {
             const email = profile.emails[0].value;
-            const serverCfg = await getServerCfg();
             const { isUserCompleted, providerAuthToken } = await server.services.login.oauth2Login({
               email,
               firstName: profile.displayName,
               lastName: "",
               authMethod: AuthMethod.GITLAB,
-              callbackPort: req.query.state as string,
-              isSignupAllowed: Boolean(serverCfg.allowSignUp)
+              callbackPort: req.query.state as string
             });
 
             return cb(null, { isUserCompleted, providerAuthToken });

backend/src/server/routes/v2/index.ts

@@ -2,6 +2,7 @@ import { registerIdentityOrgRouter } from "./identity-org-router";
 import { registerIdentityProjectRouter } from "./identity-project-router";
 import { registerMfaRouter } from "./mfa-router";
 import { registerOrgRouter } from "./organization-router";
+import { registerProjectMembershipRouter } from "./project-membership-router";
 import { registerProjectRouter } from "./project-router";
 import { registerServiceTokenRouter } from "./service-token-router";
 import { registerUserRouter } from "./user-router";
@@ -21,6 +22,7 @@ export const registerV2Routes = async (server: FastifyZodProvider) => {
     async (projectServer) => {
       await projectServer.register(registerProjectRouter);
       await projectServer.register(registerIdentityProjectRouter);
+      await projectServer.register(registerProjectMembershipRouter);
     },
     { prefix: "/workspace" }
   );

backend/src/server/routes/v2/project-membership-router.ts

@@ -0,0 +1,95 @@
+import { z } from "zod";
+
+import { ProjectMembershipsSchema } from "@app/db/schemas";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+export const registerProjectMembershipRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/:projectId/memberships",
+    schema: {
+      params: z.object({
+        projectId: z.string().describe("The ID of the project.")
+      }),
+      body: z.object({
+        emails: z.string().email().array().describe("Emails of the users to add to the project.")
+      }),
+      response: {
+        200: z.object({
+          memberships: ProjectMembershipsSchema.array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const memberships = await server.services.projectMembership.addUsersToProjectNonE2EE({
+        projectId: req.params.projectId,
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        emails: req.body.emails
+      });
+
+      await server.services.auditLog.createAuditLog({
+        projectId: req.params.projectId,
+        ...req.auditLogInfo,
+        event: {
+          type: EventType.ADD_BATCH_WORKSPACE_MEMBER,
+          metadata: memberships.map(({ userId, id }) => ({
+            userId: userId || "",
+            membershipId: id,
+            email: ""
+          }))
+        }
+      });
+
+      return { memberships };
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/:projectId/memberships",
+    schema: {
+      params: z.object({
+        projectId: z.string().describe("The ID of the project.")
+      }),
+
+      body: z.object({
+        emails: z.string().email().array().describe("Emails of the users to remove from the project.")
+      }),
+      response: {
+        200: z.object({
+          memberships: ProjectMembershipsSchema.array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const memberships = await server.services.projectMembership.deleteProjectMemberships({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        projectId: req.params.projectId,
+        emails: req.body.emails
+      });
+
+      for (const membership of memberships) {
+        // eslint-disable-next-line no-await-in-loop
+        await server.services.auditLog.createAuditLog({
+          ...req.auditLogInfo,
+          projectId: req.params.projectId,
+          event: {
+            type: EventType.REMOVE_WORKSPACE_MEMBER,
+            metadata: {
+              userId: membership.userId,
+              email: ""
+            }
+          }
+        });
+      }
+      return { memberships };
+    }
+  });
+};

backend/src/server/routes/v2/project-router.ts

@@ -1,11 +1,23 @@
+import slugify from "@sindresorhus/slugify";
 import { z } from "zod";
 
-import { ProjectKeysSchema } from "@app/db/schemas";
+import { ProjectKeysSchema, ProjectsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { authRateLimit } from "@app/server/config/rateLimiter";
+import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
+import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
+
+const projectWithEnv = ProjectsSchema.merge(
+  z.object({
+    _id: z.string(),
+    environments: z.object({ name: z.string(), slug: z.string(), id: z.string() }).array()
+  })
+);
 
 export const registerProjectRouter = async (server: FastifyZodProvider) => {
+  /* Get project key */
   server.route({
     url: "/:workspaceId/encrypted-key",
     method: "GET",
@@ -34,8 +46,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
       const key = await server.services.projectKey.getLatestProjectKey({
         actor: req.permission.type,
         actorId: req.permission.id,
-        projectId: req.params.workspaceId,
-        actorOrgId: req.permission.orgId
+        actorOrgId: req.permission.orgId,
+        projectId: req.params.workspaceId
       });
 
       await server.services.auditLog.createAuditLog({
@@ -52,4 +64,107 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
       return key;
     }
   });
+
+  /* Start upgrade of a project */
+  server.route({
+    url: "/:projectId/upgrade",
+    method: "POST",
+    schema: {
+      params: z.object({
+        projectId: z.string().trim()
+      }),
+
+      body: z.object({
+        userPrivateKey: z.string().trim()
+      }),
+      response: {
+        200: z.void()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY]),
+    handler: async (req) => {
+      await server.services.project.upgradeProject({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        projectId: req.params.projectId,
+        userPrivateKey: req.body.userPrivateKey
+      });
+    }
+  });
+
+  /* Get upgrade status of project */
+  server.route({
+    url: "/:projectId/upgrade/status",
+    method: "GET",
+    schema: {
+      params: z.object({
+        projectId: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          status: z.string().nullable()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY]),
+    handler: async (req) => {
+      const status = await server.services.project.getProjectUpgradeStatus({
+        projectId: req.params.projectId,
+        actor: req.permission.type,
+        actorId: req.permission.id
+      });
+
+      return { status };
+    }
+  });
+
+  /* Create new project */
+  server.route({
+    method: "POST",
+    url: "/",
+    config: {
+      rateLimit: authRateLimit
+    },
+    schema: {
+      body: z.object({
+        projectName: z.string().trim(),
+        slug: z
+          .string()
+          .min(5)
+          .max(36)
+          .refine((v) => slugify(v) === v, {
+            message: "Slug must be a valid slug"
+          })
+          .optional(),
+        organizationId: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          project: projectWithEnv
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const project = await server.services.project.createProject({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        orgId: req.body.organizationId,
+        workspaceName: req.body.projectName,
+        slug: req.body.slug
+      });
+
+      server.services.telemetry.sendPostHogEvents({
+        event: PostHogEventTypes.ProjectCreated,
+        distinctId: getTelemetryDistinctId(req),
+        properties: {
+          orgId: req.body.organizationId,
+          name: project.name,
+          ...req.auditLogInfo
+        }
+      });
+
+      return { project };
+    }
+  });
 };

backend/src/server/routes/v3/secret-router.ts

@@ -1,4 +1,3 @@
-import { FastifyRequest } from "fastify";
 import picomatch from "picomatch";
 import { z } from "zod";
 
@@ -13,6 +12,7 @@ import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { CommitType } from "@app/ee/services/secret-approval-request/secret-approval-request-types";
 import { BadRequestError } from "@app/lib/errors";
 import { removeTrailingSlash } from "@app/lib/fn";
+import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { getUserAgentType } from "@app/server/plugins/audit-log";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { ActorType, AuthMode } from "@app/services/auth/auth-type";
@@ -20,19 +20,6 @@ import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 
 import { secretRawSchema } from "../sanitizedSchemas";
 
-const getDistinctId = (req: FastifyRequest) => {
-  if (req.auth.actor === ActorType.USER) {
-    return req.auth.user.email;
-  }
-  if (req.auth.actor === ActorType.IDENTITY) {
-    return `identity-${req.auth.identityId}`;
-  }
-  if (req.auth.actor === ActorType.SERVICE) {
-    return `service-token-${req.auth.serviceToken.id}`;
-  }
-  return "unknown-auth-data";
-};
-
 export const registerSecretRouter = async (server: FastifyZodProvider) => {
   server.route({
     url: "/raw",
@@ -110,7 +97,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
 
       server.services.telemetry.sendPostHogEvents({
         event: PostHogEventTypes.SecretPulled,
-        distinctId: getDistinctId(req),
+        distinctId: getTelemetryDistinctId(req),
         properties: {
           numberOfSecrets: secrets.length,
           workspaceId,
@@ -200,7 +187,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
 
       server.services.telemetry.sendPostHogEvents({
         event: PostHogEventTypes.SecretPulled,
-        distinctId: getDistinctId(req),
+        distinctId: getTelemetryDistinctId(req),
         properties: {
           numberOfSecrets: 1,
           workspaceId,
@@ -276,7 +263,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
 
       server.services.telemetry.sendPostHogEvents({
         event: PostHogEventTypes.SecretCreated,
-        distinctId: getDistinctId(req),
+        distinctId: getTelemetryDistinctId(req),
         properties: {
           numberOfSecrets: 1,
           workspaceId: req.body.workspaceId,
@@ -351,7 +338,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
 
       server.services.telemetry.sendPostHogEvents({
         event: PostHogEventTypes.SecretUpdated,
-        distinctId: getDistinctId(req),
+        distinctId: getTelemetryDistinctId(req),
         properties: {
           numberOfSecrets: 1,
           workspaceId: req.body.workspaceId,
@@ -421,7 +408,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
 
       server.services.telemetry.sendPostHogEvents({
         event: PostHogEventTypes.SecretDeleted,
-        distinctId: getDistinctId(req),
+        distinctId: getTelemetryDistinctId(req),
         properties: {
           numberOfSecrets: 1,
           workspaceId: req.body.workspaceId,
@@ -527,7 +514,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
       if (shouldCapture) {
         server.services.telemetry.sendPostHogEvents({
           event: PostHogEventTypes.SecretPulled,
-          distinctId: getDistinctId(req),
+          distinctId: getTelemetryDistinctId(req),
           properties: {
             numberOfSecrets: shouldRecordK8Event ? approximateNumberTotalSecrets : secrets.length,
             workspaceId: req.query.workspaceId,
@@ -604,7 +591,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
 
       server.services.telemetry.sendPostHogEvents({
         event: PostHogEventTypes.SecretPulled,
-        distinctId: getDistinctId(req),
+        distinctId: getTelemetryDistinctId(req),
         properties: {
           numberOfSecrets: 1,
           workspaceId: req.query.workspaceId,
@@ -767,7 +754,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
 
       server.services.telemetry.sendPostHogEvents({
         event: PostHogEventTypes.SecretCreated,
-        distinctId: getDistinctId(req),
+        distinctId: getTelemetryDistinctId(req),
         properties: {
           numberOfSecrets: 1,
           workspaceId: req.body.workspaceId,
@@ -949,7 +936,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
 
       server.services.telemetry.sendPostHogEvents({
         event: PostHogEventTypes.SecretUpdated,
-        distinctId: getDistinctId(req),
+        distinctId: getTelemetryDistinctId(req),
         properties: {
           numberOfSecrets: 1,
           workspaceId: req.body.workspaceId,
@@ -1067,7 +1054,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
 
       server.services.telemetry.sendPostHogEvents({
         event: PostHogEventTypes.SecretDeleted,
-        distinctId: getDistinctId(req),
+        distinctId: getTelemetryDistinctId(req),
         properties: {
           numberOfSecrets: 1,
           workspaceId: req.body.workspaceId,
@@ -1187,7 +1174,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
 
       server.services.telemetry.sendPostHogEvents({
         event: PostHogEventTypes.SecretCreated,
-        distinctId: getDistinctId(req),
+        distinctId: getTelemetryDistinctId(req),
         properties: {
           numberOfSecrets: secrets.length,
           workspaceId: req.body.workspaceId,
@@ -1307,7 +1294,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
 
       server.services.telemetry.sendPostHogEvents({
         event: PostHogEventTypes.SecretUpdated,
-        distinctId: getDistinctId(req),
+        distinctId: getTelemetryDistinctId(req),
         properties: {
           numberOfSecrets: secrets.length,
           workspaceId: req.body.workspaceId,
@@ -1415,7 +1402,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
 
       server.services.telemetry.sendPostHogEvents({
         event: PostHogEventTypes.SecretDeleted,
-        distinctId: getDistinctId(req),
+        distinctId: getTelemetryDistinctId(req),
         properties: {
           numberOfSecrets: secrets.length,
           workspaceId: req.body.workspaceId,

backend/src/server/routes/v3/signup-router.ts

@@ -2,7 +2,9 @@ import { z } from "zod";
 
 import { UsersSchema } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
+import { BadRequestError } from "@app/lib/errors";
 import { authRateLimit } from "@app/server/config/rateLimiter";
+import { getServerCfg } from "@app/services/super-admin/super-admin-service";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 
 export const registerSignupRouter = async (server: FastifyZodProvider) => {
@@ -23,8 +25,26 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      await server.services.signup.beginEmailSignupProcess(req.body.email);
-      return { message: `Sent an email verification code to ${req.body.email}` };
+      const { email } = req.body;
+
+      const serverCfg = await getServerCfg();
+      if (!serverCfg.allowSignUp) {
+        throw new BadRequestError({
+          message: "Sign up is disabled"
+        });
+      }
+
+      if (serverCfg?.allowedSignUpDomain) {
+        const domain = email.split("@")[1];
+        const allowedDomains = serverCfg.allowedSignUpDomain.split(",").map((e) => e.trim());
+        if (!allowedDomains.includes(domain)) {
+          throw new BadRequestError({
+            message: `Email with a domain (@${domain}) is not supported`
+          });
+        }
+      }
+      await server.services.signup.beginEmailSignupProcess(email);
+      return { message: `Sent an email verification code to ${email}` };
     }
   });
 
@@ -48,6 +68,13 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
+      const serverCfg = await getServerCfg();
+      if (!serverCfg.allowSignUp) {
+        throw new BadRequestError({
+          message: "Sign up is disabled"
+        });
+      }
+
       const { token, user } = await server.services.signup.verifyEmailSignup(req.body.email, req.body.code);
       return { message: "Successfuly verified email", token, user };
     }
@@ -90,6 +117,13 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {
       if (!userAgent) throw new Error("user agent header is required");
       const appCfg = getConfig();
 
+      const serverCfg = await getServerCfg();
+      if (!serverCfg.allowSignUp) {
+        throw new BadRequestError({
+          message: "Sign up is disabled"
+        });
+      }
+
       const { user, accessToken, refreshToken } = await server.services.signup.completeEmailAccountSignup({
         ...req.body,
         ip: req.realIp,

backend/src/services/auth/auth-login-service.ts

@@ -4,6 +4,7 @@ import { TUsers, UserDeviceSchema } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { generateSrpServerKey, srpCheckClientProof } from "@app/lib/crypto";
 import { BadRequestError } from "@app/lib/errors";
+import { getServerCfg } from "@app/services/super-admin/super-admin-service";
 
 import { TAuthTokenServiceFactory } from "../auth-token/auth-token-service";
 import { TokenType } from "../auth-token/auth-token-types";
@@ -261,21 +262,27 @@ export const authLoginServiceFactory = ({ userDAL, tokenService, smtpService }:
   /*
    * OAuth2 login for google,github, and other oauth2 provider
    * */
-  const oauth2Login = async ({
-    email,
-    firstName,
-    lastName,
-    authMethod,
-    callbackPort,
-    isSignupAllowed
-  }: TOauthLoginDTO) => {
+  const oauth2Login = async ({ email, firstName, lastName, authMethod, callbackPort }: TOauthLoginDTO) => {
     let user = await userDAL.findUserByEmail(email);
+    const serverCfg = await getServerCfg();
+
     const appCfg = getConfig();
-    const isOauthSignUpDisabled = !isSignupAllowed && !user;
-    if (isOauthSignUpDisabled) throw new BadRequestError({ message: "User signup disabled", name: "Oauth 2 login" });
 
     if (!user) {
-      user = await userDAL.create({ email, firstName, lastName, authMethods: [authMethod] });
+      // Create a new user based on oAuth
+      if (!serverCfg?.allowSignUp) throw new BadRequestError({ message: "Sign up disabled", name: "Oauth 2 login" });
+
+      if (serverCfg?.allowedSignUpDomain) {
+        const domain = email.split("@")[1];
+        const allowedDomains = serverCfg.allowedSignUpDomain.split(",").map((e) => e.trim());
+        if (!allowedDomains.includes(domain))
+          throw new BadRequestError({
+            message: `Email with a domain (@${domain}) is not supported`,
+            name: "Oauth 2 login"
+          });
+      }
+
+      user = await userDAL.create({ email, firstName, lastName, authMethods: [authMethod], isGhost: false });
     }
     const isLinkingRequired = !user?.authMethods?.includes(authMethod);
     const isUserCompleted = user.isAccepted;

backend/src/services/auth/auth-login-type.ts

@@ -28,5 +28,4 @@ export type TOauthLoginDTO = {
   lastName?: string;
   authMethod: AuthMethod;
   callbackPort?: string;
-  isSignupAllowed?: boolean;
 };

backend/src/services/auth/auth-signup-service.ts

@@ -50,7 +50,7 @@ export const authSignupServiceFactory = ({
       throw new Error("Failed to send verification code for complete account");
     }
     if (!user) {
-      user = await userDAL.create({ authMethods: [AuthMethod.EMAIL], email });
+      user = await userDAL.create({ authMethods: [AuthMethod.EMAIL], email, isGhost: false });
     }
     if (!user) throw new Error("Failed to create user");
 

backend/src/services/integration-auth/integration-auth-dal.ts

@@ -1,10 +1,35 @@
+import { Knex } from "knex";
+
 import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
+import { TableName, TIntegrationAuths, TIntegrationAuthsUpdate } from "@app/db/schemas";
+import { BadRequestError, DatabaseError } from "@app/lib/errors";
 import { ormify } from "@app/lib/knex";
 
 export type TIntegrationAuthDALFactory = ReturnType<typeof integrationAuthDALFactory>;
 
 export const integrationAuthDALFactory = (db: TDbClient) => {
   const integrationAuthOrm = ormify(db, TableName.IntegrationAuth);
-  return integrationAuthOrm;
+
+  const bulkUpdate = async (
+    data: Array<{ filter: Partial<TIntegrationAuths>; data: TIntegrationAuthsUpdate }>,
+    tx?: Knex
+  ) => {
+    try {
+      const integrationAuths = await Promise.all(
+        data.map(async ({ filter, data: updateData }) => {
+          const [doc] = await (tx || db)(TableName.IntegrationAuth).where(filter).update(updateData).returning("*");
+          if (!doc) throw new BadRequestError({ message: "Failed to update document" });
+          return doc;
+        })
+      );
+      return integrationAuths;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "bulk update secret" });
+    }
+  };
+
+  return {
+    ...integrationAuthOrm,
+    bulkUpdate
+  };
 };

backend/src/services/org/org-dal.ts

@@ -76,7 +76,8 @@ export const orgDALFactory = (db: TDbClient) => {
           db.ref("lastName").withSchema(TableName.Users),
           db.ref("id").withSchema(TableName.Users).as("userId"),
           db.ref("publicKey").withSchema(TableName.UserEncryptionKey)
-        );
+        )
+        .where({ isGhost: false }); // MAKE SURE USER IS NOT A GHOST USER
       return members.map(({ email, firstName, lastName, userId, publicKey, ...data }) => ({
         ...data,
         user: { email, firstName, lastName, id: userId, publicKey }
@@ -86,6 +87,79 @@ export const orgDALFactory = (db: TDbClient) => {
     }
   };
 
+  const findOrgMembersByEmail = async (orgId: string, emails: string[]) => {
+    try {
+      const members = await db(TableName.OrgMembership)
+        .where({ orgId })
+        .join(TableName.Users, `${TableName.OrgMembership}.userId`, `${TableName.Users}.id`)
+        .leftJoin<TUserEncryptionKeys>(
+          TableName.UserEncryptionKey,
+          `${TableName.UserEncryptionKey}.userId`,
+          `${TableName.Users}.id`
+        )
+        .select(
+          db.ref("id").withSchema(TableName.OrgMembership),
+          db.ref("inviteEmail").withSchema(TableName.OrgMembership),
+          db.ref("orgId").withSchema(TableName.OrgMembership),
+          db.ref("role").withSchema(TableName.OrgMembership),
+          db.ref("roleId").withSchema(TableName.OrgMembership),
+          db.ref("status").withSchema(TableName.OrgMembership),
+          db.ref("email").withSchema(TableName.Users),
+          db.ref("firstName").withSchema(TableName.Users),
+          db.ref("lastName").withSchema(TableName.Users),
+          db.ref("id").withSchema(TableName.Users).as("userId"),
+          db.ref("publicKey").withSchema(TableName.UserEncryptionKey)
+        )
+        .where({ isGhost: false })
+        .whereIn("email", emails);
+      return members.map(({ email, firstName, lastName, userId, publicKey, ...data }) => ({
+        ...data,
+        user: { email, firstName, lastName, id: userId, publicKey }
+      }));
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find all org members" });
+    }
+  };
+
+  const findOrgGhostUser = async (orgId: string) => {
+    try {
+      const member = await db(TableName.OrgMembership)
+        .where({ orgId })
+        .join(TableName.Users, `${TableName.OrgMembership}.userId`, `${TableName.Users}.id`)
+        .leftJoin(TableName.UserEncryptionKey, `${TableName.UserEncryptionKey}.userId`, `${TableName.Users}.id`)
+        .select(
+          db.ref("id").withSchema(TableName.OrgMembership),
+          db.ref("orgId").withSchema(TableName.OrgMembership),
+          db.ref("role").withSchema(TableName.OrgMembership),
+          db.ref("roleId").withSchema(TableName.OrgMembership),
+          db.ref("status").withSchema(TableName.OrgMembership),
+          db.ref("email").withSchema(TableName.Users),
+          db.ref("id").withSchema(TableName.Users).as("userId"),
+          db.ref("publicKey").withSchema(TableName.UserEncryptionKey)
+        )
+        .where({ isGhost: true })
+        .first();
+      return member;
+    } catch (error) {
+      return null;
+    }
+  };
+
+  const ghostUserExists = async (orgId: string) => {
+    try {
+      const member = await db(TableName.OrgMembership)
+        .where({ orgId })
+        .join(TableName.Users, `${TableName.OrgMembership}.userId`, `${TableName.Users}.id`)
+        .leftJoin(TableName.UserEncryptionKey, `${TableName.UserEncryptionKey}.userId`, `${TableName.Users}.id`)
+        .select(db.ref("id").withSchema(TableName.Users).as("userId"))
+        .where({ isGhost: true })
+        .first();
+      return Boolean(member);
+    } catch (error) {
+      return false;
+    }
+  };
+
   const create = async (dto: TOrganizationsInsert, tx?: Knex) => {
     try {
       const [organization] = await (tx || db)(TableName.Organization).insert(dto).returning("*");
@@ -191,6 +265,9 @@ export const orgDALFactory = (db: TDbClient) => {
     findAllOrgMembers,
     findOrgById,
     findAllOrgsByUserId,
+    ghostUserExists,
+    findOrgMembersByEmail,
+    findOrgGhostUser,
     create,
     updateById,
     deleteById,

backend/src/services/org/org-service.ts

@@ -1,6 +1,8 @@
 import { ForbiddenError } from "@casl/ability";
 import slugify from "@sindresorhus/slugify";
+import crypto from "crypto";
 import jwt from "jsonwebtoken";
+import { Knex } from "knex";
 
 import { OrgMembershipRole, OrgMembershipStatus } from "@app/db/schemas";
 import { TProjects } from "@app/db/schemas/projects";
@@ -11,6 +13,7 @@ import { TSamlConfigDALFactory } from "@app/ee/services/saml-config/saml-config-
 import { getConfig } from "@app/lib/config/env";
 import { generateAsymmetricKeyPair } from "@app/lib/crypto";
 import { generateSymmetricKey, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
+import { generateUserSrpKeys } from "@app/lib/crypto/srp";
 import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { isDisposableEmail } from "@app/lib/validator";
@@ -28,6 +31,7 @@ import { TOrgRoleDALFactory } from "./org-role-dal";
 import {
   TDeleteOrgMembershipDTO,
   TFindAllWorkspacesDTO,
+  TFindOrgMembersByEmailDTO,
   TInviteUserToOrgDTO,
   TUpdateOrgDTO,
   TUpdateOrgMembershipDTO,
@@ -93,6 +97,15 @@ export const orgServiceFactory = ({
     return members;
   };
 
+  const findOrgMembersByEmail = async ({ actor, actorId, orgId, emails }: TFindOrgMembersByEmailDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Member);
+
+    const members = await orgDAL.findOrgMembersByEmail(orgId, emails);
+
+    return members;
+  };
+
   const findAllWorkspaces = async ({ actor, actorId, actorOrgId, orgId }: TFindAllWorkspacesDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Workspace);
@@ -118,6 +131,54 @@ export const orgServiceFactory = ({
     return workspaces.filter((workspace) => organizationWorkspaceIds.has(workspace.id));
   };
 
+  const addGhostUser = async (orgId: string, tx?: Knex) => {
+    const email = `sudo-${alphaNumericNanoId(16)}-${orgId}@infisical.com`; // We add a nanoid because the email is unique. And we have to create a new ghost user each time, so we can have access to the private key.
+    const password = crypto.randomBytes(128).toString("hex");
+
+    const user = await userDAL.create(
+      {
+        isGhost: true,
+        authMethods: [AuthMethod.EMAIL],
+        email,
+        isAccepted: true
+      },
+      tx
+    );
+
+    const encKeys = await generateUserSrpKeys(email, password);
+
+    await userDAL.upsertUserEncryptionKey(
+      user.id,
+      {
+        encryptionVersion: 2,
+        protectedKey: encKeys.protectedKey,
+        protectedKeyIV: encKeys.protectedKeyIV,
+        protectedKeyTag: encKeys.protectedKeyTag,
+        publicKey: encKeys.publicKey,
+        encryptedPrivateKey: encKeys.encryptedPrivateKey,
+        iv: encKeys.encryptedPrivateKeyIV,
+        tag: encKeys.encryptedPrivateKeyTag,
+        salt: encKeys.salt,
+        verifier: encKeys.verifier
+      },
+      tx
+    );
+
+    const createMembershipData = {
+      orgId,
+      userId: user.id,
+      role: OrgMembershipRole.Admin,
+      status: OrgMembershipStatus.Accepted
+    };
+
+    await orgDAL.createMembership(createMembershipData, tx);
+
+    return {
+      user,
+      keys: encKeys
+    };
+  };
+
   /*
    * Update organization details
    * */
@@ -338,7 +399,8 @@ export const orgServiceFactory = ({
         {
           email: inviteeEmail,
           isAccepted: false,
-          authMethods: [AuthMethod.EMAIL]
+          authMethods: [AuthMethod.EMAIL],
+          isGhost: false
         },
         tx
       );
@@ -487,10 +549,12 @@ export const orgServiceFactory = ({
     inviteUserToOrganization,
     verifyUserToOrg,
     updateOrg,
+    findOrgMembersByEmail,
     createOrganization,
     deleteOrganizationById,
     deleteOrgMembership,
     findAllWorkspaces,
+    addGhostUser,
     updateOrgMembership,
     // incident contacts
     findIncidentContacts,

backend/src/services/org/org-types.ts

@@ -30,6 +30,13 @@ export type TVerifyUserToOrgDTO = {
   code: string;
 };
 
+export type TFindOrgMembersByEmailDTO = {
+  actor: ActorType;
+  actorId: string;
+  orgId: string;
+  emails: string[];
+};
+
 export type TFindAllWorkspacesDTO = {
   actor: ActorType;
   actorId: string;

backend/src/services/project-bot/project-bot-dal.ts

@@ -27,5 +27,19 @@ export const projectBotDALFactory = (db: TDbClient) => {
     }
   };
 
-  return { ...projectBotOrm, findOne };
+  const findProjectByBotId = async (botId: string) => {
+    try {
+      const project = await db(TableName.ProjectBot)
+        .where({ [`${TableName.ProjectBot}.id` as "id"]: botId })
+        .join(TableName.Project, `${TableName.ProjectBot}.projectId`, `${TableName.Project}.id`)
+        .select(selectAllTableCols(TableName.Project))
+        .first();
+
+      return project || null;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find project by bot id" });
+    }
+  };
+
+  return { ...projectBotOrm, findOne, findProjectByBotId };
 };

backend/src/services/project-bot/project-bot-service.ts

@@ -1,125 +1,111 @@
 import { ForbiddenError } from "@casl/ability";
 
-import { SecretEncryptionAlgo, SecretKeyEncoding } from "@app/db/schemas";
+import { ProjectVersion, SecretKeyEncoding } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
-import { getConfig } from "@app/lib/config/env";
-import {
-  decryptAsymmetric,
-  decryptSymmetric,
-  decryptSymmetric128BitHexKeyUTF8,
-  encryptSymmetric,
-  encryptSymmetric128BitHexKeyUTF8,
-  generateAsymmetricKeyPair
-} from "@app/lib/crypto";
+import { decryptAsymmetric, generateAsymmetricKeyPair } from "@app/lib/crypto";
+import { infisicalSymmetricDecrypt, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
 import { BadRequestError } from "@app/lib/errors";
-import { TProjectPermission } from "@app/lib/types";
 
+import { TProjectDALFactory } from "../project/project-dal";
 import { TProjectBotDALFactory } from "./project-bot-dal";
-import { TSetActiveStateDTO } from "./project-bot-types";
+import { TFindBotByProjectIdDTO, TGetPrivateKeyDTO, TSetActiveStateDTO } from "./project-bot-types";
 
 type TProjectBotServiceFactoryDep = {
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
+  projectDAL: Pick<TProjectDALFactory, "findById">;
   projectBotDAL: TProjectBotDALFactory;
 };
 
 export type TProjectBotServiceFactory = ReturnType<typeof projectBotServiceFactory>;
 
-export const projectBotServiceFactory = ({ projectBotDAL, permissionService }: TProjectBotServiceFactoryDep) => {
-  const getBotKey = async (projectId: string) => {
-    const appCfg = getConfig();
-    const encryptionKey = appCfg.ENCRYPTION_KEY;
-    const rootEncryptionKey = appCfg.ROOT_ENCRYPTION_KEY;
+export const projectBotServiceFactory = ({
+  projectBotDAL,
+  projectDAL,
+  permissionService
+}: TProjectBotServiceFactoryDep) => {
+  const getBotPrivateKey = ({ bot }: TGetPrivateKeyDTO) =>
+    infisicalSymmetricDecrypt({
+      keyEncoding: bot.keyEncoding as SecretKeyEncoding,
+      iv: bot.iv,
+      tag: bot.tag,
+      ciphertext: bot.encryptedPrivateKey
+    });
 
+  const getBotKey = async (projectId: string) => {
     const bot = await projectBotDAL.findOne({ projectId });
     if (!bot) throw new BadRequestError({ message: "failed to find bot key" });
     if (!bot.isActive) throw new BadRequestError({ message: "Bot is not active" });
     if (!bot.encryptedProjectKeyNonce || !bot.encryptedProjectKey)
       throw new BadRequestError({ message: "Encryption key missing" });
 
-    if (rootEncryptionKey && (bot.keyEncoding as SecretKeyEncoding) === SecretKeyEncoding.BASE64) {
-      const privateKeyBot = decryptSymmetric({
-        iv: bot.iv,
-        tag: bot.tag,
-        ciphertext: bot.encryptedPrivateKey,
-        key: rootEncryptionKey
-      });
-      return decryptAsymmetric({
-        ciphertext: bot.encryptedProjectKey,
-        privateKey: privateKeyBot,
-        nonce: bot.encryptedProjectKeyNonce,
-        publicKey: bot.sender.publicKey
-      });
-    }
-    if (encryptionKey && (bot.keyEncoding as SecretKeyEncoding) === SecretKeyEncoding.UTF8) {
-      const privateKeyBot = decryptSymmetric128BitHexKeyUTF8({
-        iv: bot.iv,
-        tag: bot.tag,
-        ciphertext: bot.encryptedPrivateKey,
-        key: encryptionKey
-      });
-      return decryptAsymmetric({
-        ciphertext: bot.encryptedProjectKey,
-        privateKey: privateKeyBot,
-        nonce: bot.encryptedProjectKeyNonce,
-        publicKey: bot.sender.publicKey
-      });
-    }
+    const botPrivateKey = getBotPrivateKey({ bot });
 
-    throw new BadRequestError({
-      message: "Failed to obtain bot copy of workspace key needed for operation"
+    return decryptAsymmetric({
+      ciphertext: bot.encryptedProjectKey,
+      privateKey: botPrivateKey,
+      nonce: bot.encryptedProjectKeyNonce,
+      publicKey: bot.sender.publicKey
     });
   };
 
-  const findBotByProjectId = async ({ actorId, actor, actorOrgId, projectId }: TProjectPermission) => {
+  const findBotByProjectId = async ({
+    actorId,
+    actor,
+    projectId,
+    actorOrgId,
+    privateKey,
+    botKey,
+    publicKey
+  }: TFindBotByProjectIdDTO) => {
     const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
-    const appCfg = getConfig();
 
     const bot = await projectBotDAL.transaction(async (tx) => {
       const doc = await projectBotDAL.findOne({ projectId }, tx);
       if (doc) return doc;
 
-      const { publicKey, privateKey } = generateAsymmetricKeyPair();
-      if (appCfg.ROOT_ENCRYPTION_KEY) {
-        const { iv, tag, ciphertext } = encryptSymmetric(privateKey, appCfg.ROOT_ENCRYPTION_KEY);
-        return projectBotDAL.create(
-          {
-            name: "Infisical Bot",
-            projectId,
-            tag,
-            iv,
-            encryptedPrivateKey: ciphertext,
-            isActive: false,
-            publicKey,
-            algorithm: SecretEncryptionAlgo.AES_256_GCM,
-            keyEncoding: SecretKeyEncoding.BASE64
-          },
-          tx
-        );
+      const keys = privateKey && publicKey ? { privateKey, publicKey } : generateAsymmetricKeyPair();
+
+      const { iv, tag, ciphertext, encoding, algorithm } = infisicalSymmetricEncypt(keys.privateKey);
+
+      const project = await projectDAL.findById(projectId, tx);
+
+      if (project.version === ProjectVersion.V2) {
+        throw new BadRequestError({ message: "Failed to create bot, project is upgraded." });
       }
-      if (appCfg.ENCRYPTION_KEY) {
-        const { iv, tag, ciphertext } = encryptSymmetric128BitHexKeyUTF8(privateKey, appCfg.ENCRYPTION_KEY);
-        return projectBotDAL.create(
-          {
-            name: "Infisical Bot",
-            projectId,
-            tag,
-            iv,
-            encryptedPrivateKey: ciphertext,
-            isActive: false,
-            publicKey,
-            algorithm: SecretEncryptionAlgo.AES_256_GCM,
-            keyEncoding: SecretKeyEncoding.UTF8
-          },
-          tx
-        );
-      }
-      throw new BadRequestError({ message: "Failed to create bot due to missing encryption key" });
+
+      return projectBotDAL.create(
+        {
+          name: "Infisical Bot",
+          projectId,
+          tag,
+          iv,
+          encryptedPrivateKey: ciphertext,
+          isActive: false,
+          publicKey: keys.publicKey,
+          algorithm,
+          keyEncoding: encoding,
+          ...(botKey && {
+            encryptedProjectKey: botKey.encryptedKey,
+            encryptedProjectKeyNonce: botKey.nonce
+          })
+        },
+        tx
+      );
     });
     return bot;
   };
 
+  const findProjectByBotId = async (botId: string) => {
+    try {
+      const bot = await projectBotDAL.findProjectByBotId(botId);
+      return bot;
+    } catch (e) {
+      throw new BadRequestError({ message: "Failed to find bot by ID" });
+    }
+  };
+
   const setBotActiveState = async ({ actor, botId, botKey, actorId, actorOrgId, isActive }: TSetActiveStateDTO) => {
     const bot = await projectBotDAL.findById(botId);
     if (!bot) throw new BadRequestError({ message: "Bot not found" });
@@ -127,6 +113,16 @@ export const projectBotServiceFactory = ({ projectBotDAL, permissionService }: T
     const { permission } = await permissionService.getProjectPermission(actor, actorId, bot.projectId, actorOrgId);
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Integrations);
 
+    const project = await projectBotDAL.findProjectByBotId(botId);
+
+    if (!project) {
+      throw new BadRequestError({ message: "Failed to find project by bot ID" });
+    }
+
+    if (project.version === ProjectVersion.V2) {
+      throw new BadRequestError({ message: "Failed to set bot active for upgraded project. Bot is already active" });
+    }
+
     if (isActive) {
       if (!botKey?.nonce || !botKey?.encryptedKey) {
         throw new BadRequestError({ message: "Failed to set bot active - missing bot key" });
@@ -153,6 +149,8 @@ export const projectBotServiceFactory = ({ projectBotDAL, permissionService }: T
   return {
     findBotByProjectId,
     setBotActiveState,
+    getBotPrivateKey,
+    findProjectByBotId,
     getBotKey
   };
 };

backend/src/services/project-bot/project-bot-types.ts

@@ -1,3 +1,4 @@
+import { TProjectBots } from "@app/db/schemas";
 import { TProjectPermission } from "@app/lib/types";
 
 export type TSetActiveStateDTO = {
@@ -8,3 +9,16 @@ export type TSetActiveStateDTO = {
   };
   botId: string;
 } & Omit<TProjectPermission, "projectId">;
+
+export type TFindBotByProjectIdDTO = {
+  privateKey?: string;
+  publicKey?: string;
+  botKey?: {
+    nonce: string;
+    encryptedKey: string;
+  };
+} & TProjectPermission;
+
+export type TGetPrivateKeyDTO = {
+  bot: TProjectBots;
+};

backend/src/services/project-key/project-key-dal.ts

@@ -1,3 +1,5 @@
+import { Knex } from "knex";
+
 import { TDbClient } from "@app/db";
 import { TableName, TProjectKeys } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
@@ -10,10 +12,11 @@ export const projectKeyDALFactory = (db: TDbClient) => {
 
   const findLatestProjectKey = async (
     userId: string,
-    projectId: string
+    projectId: string,
+    tx?: Knex
   ): Promise<(TProjectKeys & { sender: { publicKey: string } }) | undefined> => {
     try {
-      const projectKey = await db(TableName.ProjectKeys)
+      const projectKey = await (tx || db)(TableName.ProjectKeys)
         .join(TableName.Users, `${TableName.ProjectKeys}.senderId`, `${TableName.Users}.id`)
         .join(TableName.UserEncryptionKey, `${TableName.UserEncryptionKey}.userId`, `${TableName.Users}.id`)
         .where({ projectId, receiverId: userId })
@@ -29,9 +32,9 @@ export const projectKeyDALFactory = (db: TDbClient) => {
     }
   };
 
-  const findAllProjectUserPubKeys = async (projectId: string) => {
+  const findAllProjectUserPubKeys = async (projectId: string, tx?: Knex) => {
     try {
-      const pubKeys = await db(TableName.ProjectMembership)
+      const pubKeys = await (tx || db)(TableName.ProjectMembership)
         .where({ projectId })
         .join(TableName.Users, `${TableName.ProjectMembership}.userId`, `${TableName.Users}.id`)
         .join(TableName.UserEncryptionKey, `${TableName.Users}.id`, `${TableName.UserEncryptionKey}.userId`)

backend/src/services/project-membership/project-membership-dal.ts

@@ -1,7 +1,7 @@
 import { TDbClient } from "@app/db";
 import { TableName, TUserEncryptionKeys } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
-import { ormify } from "@app/lib/knex";
+import { ormify, selectAllTableCols } from "@app/lib/knex";
 
 export type TProjectMembershipDALFactory = ReturnType<typeof projectMembershipDALFactory>;
 
@@ -24,20 +24,63 @@ export const projectMembershipDALFactory = (db: TDbClient) => {
           db.ref("projectId").withSchema(TableName.ProjectMembership),
           db.ref("role").withSchema(TableName.ProjectMembership),
           db.ref("roleId").withSchema(TableName.ProjectMembership),
+          db.ref("isGhost").withSchema(TableName.Users),
           db.ref("email").withSchema(TableName.Users),
           db.ref("publicKey").withSchema(TableName.UserEncryptionKey),
           db.ref("firstName").withSchema(TableName.Users),
           db.ref("lastName").withSchema(TableName.Users),
           db.ref("id").withSchema(TableName.Users).as("userId")
-        );
-      return members.map(({ email, firstName, lastName, publicKey, ...data }) => ({
+        )
+        .where({ isGhost: false });
+      return members.map(({ email, firstName, lastName, publicKey, isGhost, ...data }) => ({
         ...data,
-        user: { email, firstName, lastName, id: data.userId, publicKey }
+        user: { email, firstName, lastName, id: data.userId, publicKey, isGhost }
       }));
     } catch (error) {
       throw new DatabaseError({ error, name: "Find all project members" });
     }
   };
 
-  return { ...projectMemberOrm, findAllProjectMembers };
+  const findProjectGhostUser = async (projectId: string) => {
+    try {
+      const ghostUser = await db(TableName.ProjectMembership)
+        .where({ projectId })
+        .join(TableName.Users, `${TableName.ProjectMembership}.userId`, `${TableName.Users}.id`)
+        .select(selectAllTableCols(TableName.Users))
+        .where({ isGhost: true })
+        .first();
+
+      return ghostUser;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find project top-level user" });
+    }
+  };
+
+  const findMembershipsByEmail = async (projectId: string, emails: string[]) => {
+    try {
+      const members = await db(TableName.ProjectMembership)
+        .where({ projectId })
+        .join(TableName.Users, `${TableName.ProjectMembership}.userId`, `${TableName.Users}.id`)
+        .join<TUserEncryptionKeys>(
+          TableName.UserEncryptionKey,
+          `${TableName.UserEncryptionKey}.userId`,
+          `${TableName.Users}.id`
+        )
+        .select(
+          selectAllTableCols(TableName.ProjectMembership),
+          db.ref("id").withSchema(TableName.Users).as("userId"),
+          db.ref("email").withSchema(TableName.Users)
+        )
+        .whereIn("email", emails)
+        .where({ isGhost: false });
+      return members.map(({ userId, email, ...data }) => ({
+        ...data,
+        user: { id: userId, email }
+      }));
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find members by email" });
+    }
+  };
+
+  return { ...projectMemberOrm, findAllProjectMembers, findProjectGhostUser, findMembershipsByEmail };
 };

backend/src/services/project-membership/project-membership-service.ts

@@ -1,15 +1,28 @@
+/* eslint-disable no-await-in-loop */
 import { ForbiddenError } from "@casl/ability";
 
-import { OrgMembershipStatus, ProjectMembershipRole, TableName } from "@app/db/schemas";
+import {
+  OrgMembershipStatus,
+  ProjectMembershipRole,
+  ProjectVersion,
+  SecretKeyEncoding,
+  TableName,
+  TProjectMemberships,
+  TUsers
+} from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { getConfig } from "@app/lib/config/env";
+import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
 import { BadRequestError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
 
+import { ActorType } from "../auth/auth-type";
 import { TOrgDALFactory } from "../org/org-dal";
 import { TProjectDALFactory } from "../project/project-dal";
+import { assignWorkspaceKeysToMembers } from "../project/project-fns";
+import { TProjectBotDALFactory } from "../project-bot/project-bot-dal";
 import { TProjectKeyDALFactory } from "../project-key/project-key-dal";
 import { TProjectRoleDALFactory } from "../project-role/project-role-dal";
 import { SmtpTemplates, TSmtpService } from "../smtp/smtp-service";
@@ -17,7 +30,9 @@ import { TUserDALFactory } from "../user/user-dal";
 import { TProjectMembershipDALFactory } from "./project-membership-dal";
 import {
   TAddUsersToWorkspaceDTO,
-  TDeleteProjectMembershipDTO,
+  TAddUsersToWorkspaceNonE2EEDTO,
+  TDeleteProjectMembershipOldDTO,
+  TDeleteProjectMembershipsDTO,
   TGetProjectMembershipDTO,
   TInviteUserToProjectDTO,
   TUpdateProjectMembershipDTO
@@ -26,11 +41,12 @@ import {
 type TProjectMembershipServiceFactoryDep = {
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
   smtpService: TSmtpService;
+  projectBotDAL: TProjectBotDALFactory;
   projectMembershipDAL: TProjectMembershipDALFactory;
-  userDAL: Pick<TUserDALFactory, "findById" | "findOne">;
+  userDAL: Pick<TUserDALFactory, "findById" | "findOne" | "findUserByProjectMembershipId" | "find">;
   projectRoleDAL: Pick<TProjectRoleDALFactory, "findOne">;
-  orgDAL: Pick<TOrgDALFactory, "findMembership">;
-  projectDAL: Pick<TProjectDALFactory, "findById">;
+  orgDAL: Pick<TOrgDALFactory, "findMembership" | "findOrgMembersByEmail">;
+  projectDAL: Pick<TProjectDALFactory, "findById" | "findProjectGhostUser" | "transaction">;
   projectKeyDAL: Pick<TProjectKeyDALFactory, "findLatestProjectKey" | "delete" | "insertMany">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
 };
@@ -42,6 +58,7 @@ export const projectMembershipServiceFactory = ({
   projectMembershipDAL,
   smtpService,
   projectRoleDAL,
+  projectBotDAL,
   orgDAL,
   userDAL,
   projectDAL,
@@ -55,64 +72,90 @@ export const projectMembershipServiceFactory = ({
     return projectMembershipDAL.findAllProjectMembers(projectId);
   };
 
-  const inviteUserToProject = async ({ actorId, actor, actorOrgId, projectId, email }: TInviteUserToProjectDTO) => {
+  const inviteUserToProject = async ({ actorId, actor, actorOrgId, projectId, emails }: TInviteUserToProjectDTO) => {
     const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Member);
 
-    const invitee = await userDAL.findOne({ email });
-    if (!invitee || !invitee.isAccepted)
-      throw new BadRequestError({
-        message: "Faield to validate invitee",
-        name: "Invite user to project"
-      });
-
-    const inviteeMembership = await projectMembershipDAL.findOne({
-      userId: invitee.id,
-      projectId
-    });
-    if (inviteeMembership)
-      throw new BadRequestError({
-        message: "Existing member of project",
-        name: "Invite user to project"
-      });
+    const invitees: TUsers[] = [];
 
     const project = await projectDAL.findById(projectId);
-    const inviteeMembershipOrg = await orgDAL.findMembership({
-      userId: invitee.id,
-      orgId: project.orgId,
-      status: OrgMembershipStatus.Accepted
+    const users = await userDAL.find({
+      $in: { email: emails }
     });
-    if (!inviteeMembershipOrg)
-      throw new BadRequestError({
-        message: "Failed to validate invitee org membership",
-        name: "Invite user to project"
+
+    await projectDAL.transaction(async (tx) => {
+      for (const invitee of users) {
+        if (!invitee.isAccepted)
+          throw new BadRequestError({
+            message: "Failed to validate invitee",
+            name: "Invite user to project"
+          });
+
+        const inviteeMembership = await projectMembershipDAL.findOne(
+          {
+            userId: invitee.id,
+            projectId
+          },
+          tx
+        );
+
+        if (inviteeMembership) {
+          throw new BadRequestError({
+            message: "Existing member of project",
+            name: "Invite user to project"
+          });
+        }
+
+        const inviteeMembershipOrg = await orgDAL.findMembership({
+          userId: invitee.id,
+          orgId: project.orgId,
+          status: OrgMembershipStatus.Accepted
+        });
+
+        if (!inviteeMembershipOrg) {
+          throw new BadRequestError({
+            message: "Failed to validate invitee org membership",
+            name: "Invite user to project"
+          });
+        }
+
+        await projectMembershipDAL.create(
+          {
+            userId: invitee.id,
+            projectId,
+            role: ProjectMembershipRole.Member
+          },
+          tx
+        );
+
+        invitees.push(invitee);
+      }
+
+      const appCfg = getConfig();
+      await smtpService.sendMail({
+        template: SmtpTemplates.WorkspaceInvite,
+        subjectLine: "Infisical workspace invitation",
+        recipients: invitees.map((i) => i.email),
+        substitutions: {
+          workspaceName: project.name,
+          callback_url: `${appCfg.SITE_URL}/login`
+        }
       });
+    });
 
     const latestKey = await projectKeyDAL.findLatestProjectKey(actorId, projectId);
-    await projectMembershipDAL.create({
-      userId: invitee.id,
-      projectId,
-      role: ProjectMembershipRole.Member
-    });
 
-    const sender = await userDAL.findById(actorId);
-    const appCfg = getConfig();
-    await smtpService.sendMail({
-      template: SmtpTemplates.WorkspaceInvite,
-      subjectLine: "Infisical workspace invitation",
-      recipients: [invitee.email],
-      substitutions: {
-        inviterFirstName: sender.firstName,
-        inviterEmail: sender.email,
-        workspaceName: project.name,
-        callback_url: `${appCfg.SITE_URL}/login`
-      }
-    });
-
-    return { invitee, latestKey };
+    return { invitees, latestKey };
   };
 
-  const addUsersToProject = async ({ projectId, actorId, actor, actorOrgId, members }: TAddUsersToWorkspaceDTO) => {
+  const addUsersToProject = async ({
+    projectId,
+    actorId,
+    actor,
+    actorOrgId,
+    members,
+    sendEmails = true
+  }: TAddUsersToWorkspaceDTO) => {
     const project = await projectDAL.findById(projectId);
     if (!project) throw new BadRequestError({ message: "Project not found" });
 
@@ -134,11 +177,16 @@ export const projectMembershipServiceFactory = ({
 
     await projectMembershipDAL.transaction(async (tx) => {
       await projectMembershipDAL.insertMany(
-        orgMembers.map(({ userId }) => ({
-          projectId,
-          userId: userId as string,
-          role: ProjectMembershipRole.Member
-        })),
+        orgMembers.map(({ userId, id: membershipId }) => {
+          const role =
+            members.find((i) => i.orgMembershipId === membershipId)?.projectRole || ProjectMembershipRole.Member;
+
+          return {
+            projectId,
+            userId: userId as string,
+            role
+          };
+        }),
         tx
       );
       const encKeyGroupByOrgMembId = groupBy(members, (i) => i.orgMembershipId);
@@ -153,22 +201,132 @@ export const projectMembershipServiceFactory = ({
         tx
       );
     });
-    const sender = await userDAL.findById(actorId);
-    const appCfg = getConfig();
-    await smtpService.sendMail({
-      template: SmtpTemplates.WorkspaceInvite,
-      subjectLine: "Infisical workspace invitation",
-      recipients: orgMembers.map(({ email }) => email).filter(Boolean),
-      substitutions: {
-        inviterFirstName: sender.firstName,
-        inviterEmail: sender.email,
-        workspaceName: project.name,
-        callback_url: `${appCfg.SITE_URL}/login`
-      }
-    });
+
+    if (sendEmails) {
+      const appCfg = getConfig();
+      await smtpService.sendMail({
+        template: SmtpTemplates.WorkspaceInvite,
+        subjectLine: "Infisical workspace invitation",
+        recipients: orgMembers.map(({ email }) => email).filter(Boolean),
+        substitutions: {
+          workspaceName: project.name,
+          callback_url: `${appCfg.SITE_URL}/login`
+        }
+      });
+    }
     return orgMembers;
   };
 
+  const addUsersToProjectNonE2EE = async ({
+    projectId,
+    actorId,
+    actor,
+    emails,
+    sendEmails = true
+  }: TAddUsersToWorkspaceNonE2EEDTO) => {
+    const project = await projectDAL.findById(projectId);
+    if (!project) throw new BadRequestError({ message: "Project not found" });
+
+    if (project.version === ProjectVersion.V1) {
+      throw new BadRequestError({ message: "Please upgrade your project on your dashboard" });
+    }
+
+    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId);
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Member);
+
+    const orgMembers = await orgDAL.findOrgMembersByEmail(project.orgId, emails);
+
+    if (orgMembers.length !== emails.length) throw new BadRequestError({ message: "Some users are not part of org" });
+
+    const existingMembers = await projectMembershipDAL.find({
+      projectId,
+      $in: { userId: orgMembers.map(({ user }) => user.id).filter(Boolean) }
+    });
+    if (existingMembers.length) throw new BadRequestError({ message: "Some users are already part of project" });
+
+    const ghostUser = await projectDAL.findProjectGhostUser(projectId);
+
+    if (!ghostUser) {
+      throw new BadRequestError({
+        message: "Failed to find sudo user"
+      });
+    }
+
+    const ghostUserLatestKey = await projectKeyDAL.findLatestProjectKey(ghostUser.id, projectId);
+
+    if (!ghostUserLatestKey) {
+      throw new BadRequestError({
+        message: "Failed to find sudo user latest key"
+      });
+    }
+
+    const bot = await projectBotDAL.findOne({ projectId });
+
+    if (!bot) {
+      throw new BadRequestError({
+        message: "Failed to find bot"
+      });
+    }
+
+    const botPrivateKey = infisicalSymmetricDecrypt({
+      keyEncoding: bot.keyEncoding as SecretKeyEncoding,
+      iv: bot.iv,
+      tag: bot.tag,
+      ciphertext: bot.encryptedPrivateKey
+    });
+
+    const newWsMembers = assignWorkspaceKeysToMembers({
+      decryptKey: ghostUserLatestKey,
+      userPrivateKey: botPrivateKey,
+      members: orgMembers.map((membership) => ({
+        orgMembershipId: membership.id,
+        projectMembershipRole: ProjectMembershipRole.Member,
+        userPublicKey: membership.user.publicKey
+      }))
+    });
+
+    const members: TProjectMemberships[] = [];
+
+    await projectMembershipDAL.transaction(async (tx) => {
+      const result = await projectMembershipDAL.insertMany(
+        orgMembers.map(({ user }) => ({
+          projectId,
+          userId: user.id,
+          role: ProjectMembershipRole.Member
+        })),
+        tx
+      );
+
+      members.push(...result);
+
+      const encKeyGroupByOrgMembId = groupBy(newWsMembers, (i) => i.orgMembershipId);
+      await projectKeyDAL.insertMany(
+        orgMembers.map(({ user, id }) => ({
+          encryptedKey: encKeyGroupByOrgMembId[id][0].workspaceEncryptedKey,
+          nonce: encKeyGroupByOrgMembId[id][0].workspaceEncryptedNonce,
+          senderId: ghostUser.id,
+          receiverId: user.id,
+          projectId
+        })),
+        tx
+      );
+    });
+
+    if (sendEmails) {
+      const appCfg = getConfig();
+      await smtpService.sendMail({
+        template: SmtpTemplates.WorkspaceInvite,
+        subjectLine: "Infisical workspace invitation",
+        recipients: orgMembers.map(({ user }) => user.email).filter(Boolean),
+        substitutions: {
+          workspaceName: project.name,
+          callback_url: `${appCfg.SITE_URL}/login`
+        }
+      });
+    }
+    return members;
+  };
+
   const updateProjectMembership = async ({
     actorId,
     actor,
@@ -180,6 +338,15 @@ export const projectMembershipServiceFactory = ({
     const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Member);
 
+    const membershipUser = await userDAL.findUserByProjectMembershipId(membershipId);
+
+    if (membershipUser?.isGhost) {
+      throw new BadRequestError({
+        message: "Unauthorized member update",
+        name: "Update project membership"
+      });
+    }
+
     const isCustomRole = !Object.values(ProjectMembershipRole).includes(role as ProjectMembershipRole);
     if (isCustomRole) {
       const customRole = await projectRoleDAL.findOne({ slug: role, projectId });
@@ -205,16 +372,26 @@ export const projectMembershipServiceFactory = ({
     return membership;
   };
 
+  // This is old and should be removed later. Its not used anywhere, but it is exposed in our API. So to avoid breaking changes, we are keeping it for now.
   const deleteProjectMembership = async ({
     actorId,
     actor,
     actorOrgId,
     projectId,
     membershipId
-  }: TDeleteProjectMembershipDTO) => {
+  }: TDeleteProjectMembershipOldDTO) => {
     const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Member);
 
+    const member = await userDAL.findUserByProjectMembershipId(membershipId);
+
+    if (member?.isGhost) {
+      throw new BadRequestError({
+        message: "Unauthorized member delete",
+        name: "Delete project membership"
+      });
+    }
+
     const membership = await projectMembershipDAL.transaction(async (tx) => {
       const [deletedMembership] = await projectMembershipDAL.delete({ projectId, id: membershipId }, tx);
       await projectKeyDAL.delete({ receiverId: deletedMembership.userId, projectId }, tx);
@@ -223,11 +400,74 @@ export const projectMembershipServiceFactory = ({
     return membership;
   };
 
+  const deleteProjectMemberships = async ({
+    actorId,
+    actor,
+    actorOrgId,
+    projectId,
+    emails
+  }: TDeleteProjectMembershipsDTO) => {
+    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Member);
+
+    const project = await projectDAL.findById(projectId);
+
+    if (!project) {
+      throw new BadRequestError({
+        message: "Project not found",
+        name: "Delete project membership"
+      });
+    }
+
+    const projectMembers = await projectMembershipDAL.findMembershipsByEmail(projectId, emails);
+
+    if (projectMembers.length !== emails.length) {
+      throw new BadRequestError({
+        message: "Some users are not part of project",
+        name: "Delete project membership"
+      });
+    }
+
+    if (actor === ActorType.USER && projectMembers.some(({ user }) => user.id === actorId)) {
+      throw new BadRequestError({
+        message: "Cannot remove yourself from project",
+        name: "Delete project membership"
+      });
+    }
+
+    const memberships = await projectMembershipDAL.transaction(async (tx) => {
+      const deletedMemberships = await projectMembershipDAL.delete(
+        {
+          projectId,
+          $in: {
+            id: projectMembers.map(({ id }) => id)
+          }
+        },
+        tx
+      );
+
+      await projectKeyDAL.delete(
+        {
+          projectId,
+          $in: {
+            receiverId: projectMembers.map(({ user }) => user.id).filter(Boolean)
+          }
+        },
+        tx
+      );
+
+      return deletedMemberships;
+    });
+    return memberships;
+  };
+
   return {
     getProjectMemberships,
     inviteUserToProject,
     updateProjectMembership,
-    deleteProjectMembership,
+    addUsersToProjectNonE2EE,
+    deleteProjectMemberships,
+    deleteProjectMembership, // TODO: Remove this
     addUsersToProject
   };
 };

backend/src/services/project-membership/project-membership-types.ts

@@ -1,9 +1,10 @@
+import { ProjectMembershipRole } from "@app/db/schemas";
 import { TProjectPermission } from "@app/lib/types";
 
 export type TGetProjectMembershipDTO = TProjectPermission;
 
 export type TInviteUserToProjectDTO = {
-  email: string;
+  emails: string[];
 } & TProjectPermission;
 
 export type TUpdateProjectMembershipDTO = {
@@ -11,14 +12,25 @@ export type TUpdateProjectMembershipDTO = {
   role: string;
 } & TProjectPermission;
 
-export type TDeleteProjectMembershipDTO = {
+export type TDeleteProjectMembershipOldDTO = {
   membershipId: string;
 } & TProjectPermission;
 
+export type TDeleteProjectMembershipsDTO = {
+  emails: string[];
+} & TProjectPermission;
+
 export type TAddUsersToWorkspaceDTO = {
+  sendEmails?: boolean;
   members: {
     orgMembershipId: string;
     workspaceEncryptedKey: string;
     workspaceEncryptedNonce: string;
+    projectRole: ProjectMembershipRole;
   }[];
 } & TProjectPermission;
+
+export type TAddUsersToWorkspaceNonE2EEDTO = {
+  sendEmails?: boolean;
+  emails: string[];
+} & TProjectPermission;

backend/src/services/project/project-dal.ts

@@ -1,6 +1,8 @@
+import { Knex } from "knex";
+
 import { TDbClient } from "@app/db";
-import { ProjectsSchema, TableName } from "@app/db/schemas";
-import { DatabaseError } from "@app/lib/errors";
+import { ProjectsSchema, ProjectUpgradeStatus, ProjectVersion, TableName, TProjectsUpdate } from "@app/db/schemas";
+import { BadRequestError, DatabaseError } from "@app/lib/errors";
 import { ormify, selectAllTableCols, sqlNestRelationships } from "@app/lib/knex";
 
 export type TProjectDALFactory = ReturnType<typeof projectDALFactory>;
@@ -52,6 +54,32 @@ export const projectDALFactory = (db: TDbClient) => {
     }
   };
 
+  const findProjectGhostUser = async (projectId: string) => {
+    try {
+      const ghostUser = await db(TableName.ProjectMembership)
+        .where({ projectId })
+        .join(TableName.Users, `${TableName.ProjectMembership}.userId`, `${TableName.Users}.id`)
+        .select(selectAllTableCols(TableName.Users))
+        .where({ isGhost: true })
+        .first();
+      return ghostUser;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find project top-level user" });
+    }
+  };
+
+  const setProjectUpgradeStatus = async (projectId: string, status: ProjectUpgradeStatus | null, tx?: Knex) => {
+    try {
+      const data: TProjectsUpdate = {
+        upgradeStatus: status
+      } as const;
+
+      await (tx || db)(TableName.Project).where({ id: projectId }).update(data);
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Set project upgrade status" });
+    }
+  };
+
   const findAllProjectsByIdentity = async (identityId: string) => {
     try {
       const workspaces = await db(TableName.IdentityProjectMembership)
@@ -132,10 +160,25 @@ export const projectDALFactory = (db: TDbClient) => {
     }
   };
 
+  const checkProjectUpgradeStatus = async (projectId: string) => {
+    const project = await projectOrm.findById(projectId);
+    const upgradeInProgress =
+      project.upgradeStatus === ProjectUpgradeStatus.InProgress && project.version === ProjectVersion.V1;
+
+    if (upgradeInProgress) {
+      throw new BadRequestError({
+        message: "Project is currently being upgraded, and secrets cannot be written. Please try again"
+      });
+    }
+  };
+
   return {
     ...projectOrm,
     findAllProjects,
+    setProjectUpgradeStatus,
     findAllProjectsByIdentity,
-    findProjectById
+    findProjectGhostUser,
+    findProjectById,
+    checkProjectUpgradeStatus
   };
 };

backend/src/services/project/project-fns.ts

@@ -0,0 +1,51 @@
+import crypto from "crypto";
+
+import { decryptAsymmetric, encryptAsymmetric } from "@app/lib/crypto";
+
+import { AddUserToWsDTO } from "./project-types";
+
+export const assignWorkspaceKeysToMembers = ({ members, decryptKey, userPrivateKey }: AddUserToWsDTO) => {
+  const plaintextProjectKey = decryptAsymmetric({
+    ciphertext: decryptKey.encryptedKey,
+    nonce: decryptKey.nonce,
+    publicKey: decryptKey.sender.publicKey,
+    privateKey: userPrivateKey
+  });
+
+  const newWsMembers = members.map(({ orgMembershipId, userPublicKey, projectMembershipRole }) => {
+    const { ciphertext: inviteeCipherText, nonce: inviteeNonce } = encryptAsymmetric(
+      plaintextProjectKey,
+      userPublicKey,
+      userPrivateKey
+    );
+
+    return {
+      orgMembershipId,
+      projectRole: projectMembershipRole,
+      workspaceEncryptedKey: inviteeCipherText,
+      workspaceEncryptedNonce: inviteeNonce
+    };
+  });
+
+  return newWsMembers;
+};
+
+type TCreateProjectKeyDTO = {
+  publicKey: string;
+  privateKey: string;
+  plainProjectKey?: string;
+};
+
+export const createProjectKey = ({ publicKey, privateKey, plainProjectKey }: TCreateProjectKeyDTO) => {
+  // 3. Create a random key that we'll use as the project key.
+  const randomBytes = plainProjectKey || crypto.randomBytes(16).toString("hex");
+
+  // 4. Encrypt the project key with the users key pair.
+  const { ciphertext: encryptedProjectKey, nonce: encryptedProjectKeyIv } = encryptAsymmetric(
+    randomBytes,
+    publicKey,
+    privateKey
+  );
+
+  return { key: encryptedProjectKey, iv: encryptedProjectKeyIv };
+};

backend/src/services/project/project-queue.ts

@@ -0,0 +1,549 @@
+/* eslint-disable no-await-in-loop */
+import {
+  IntegrationAuthsSchema,
+  ProjectMembershipRole,
+  ProjectUpgradeStatus,
+  ProjectVersion,
+  SecretApprovalRequestsSecretsSchema,
+  SecretKeyEncoding,
+  SecretsSchema,
+  SecretVersionsSchema,
+  TIntegrationAuths,
+  TSecretApprovalRequestsSecrets,
+  TSecrets,
+  TSecretVersions
+} from "@app/db/schemas";
+import { TSecretApprovalRequestDALFactory } from "@app/ee/services/secret-approval-request/secret-approval-request-dal";
+import { TSecretApprovalRequestSecretDALFactory } from "@app/ee/services/secret-approval-request/secret-approval-request-secret-dal";
+import { RequestState } from "@app/ee/services/secret-approval-request/secret-approval-request-types";
+import {
+  decryptIntegrationAuths,
+  decryptSecretApprovals,
+  decryptSecrets,
+  decryptSecretVersions
+} from "@app/lib/crypto";
+import {
+  decryptAsymmetric,
+  encryptSymmetric128BitHexKeyUTF8,
+  infisicalSymmetricDecrypt,
+  infisicalSymmetricEncypt
+} from "@app/lib/crypto/encryption";
+import { logger } from "@app/lib/logger";
+import { QueueJobs, QueueName, TQueueJobTypes, TQueueServiceFactory } from "@app/queue";
+
+import { TIntegrationAuthDALFactory } from "../integration-auth/integration-auth-dal";
+import { TOrgDALFactory } from "../org/org-dal";
+import { TOrgServiceFactory } from "../org/org-service";
+import { TProjectBotDALFactory } from "../project-bot/project-bot-dal";
+import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
+import { TProjectKeyDALFactory } from "../project-key/project-key-dal";
+import { TProjectMembershipDALFactory } from "../project-membership/project-membership-dal";
+import { TSecretDALFactory } from "../secret/secret-dal";
+import { TSecretVersionDALFactory } from "../secret/secret-version-dal";
+import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
+import { TUserDALFactory } from "../user/user-dal";
+import { TProjectDALFactory } from "./project-dal";
+import { assignWorkspaceKeysToMembers, createProjectKey } from "./project-fns";
+
+export type TProjectQueueFactory = ReturnType<typeof projectQueueFactory>;
+
+type TProjectQueueFactoryDep = {
+  queueService: TQueueServiceFactory;
+  secretVersionDAL: Pick<TSecretVersionDALFactory, "find" | "bulkUpdateNoVersionIncrement" | "delete">;
+  folderDAL: Pick<TSecretFolderDALFactory, "find">;
+  secretDAL: Pick<TSecretDALFactory, "find" | "bulkUpdateNoVersionIncrement">;
+  projectKeyDAL: Pick<TProjectKeyDALFactory, "findLatestProjectKey" | "find" | "create" | "delete" | "insertMany">;
+  secretApprovalRequestDAL: Pick<TSecretApprovalRequestDALFactory, "find">;
+  secretApprovalSecretDAL: Pick<TSecretApprovalRequestSecretDALFactory, "find" | "bulkUpdateNoVersionIncrement">;
+  projectBotDAL: Pick<TProjectBotDALFactory, "findOne" | "delete" | "create">;
+  orgService: Pick<TOrgServiceFactory, "addGhostUser">;
+  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "create">;
+  integrationAuthDAL: TIntegrationAuthDALFactory;
+  userDAL: Pick<TUserDALFactory, "findUserEncKeyByUserId">;
+
+  projectEnvDAL: Pick<TProjectEnvDALFactory, "find">;
+  projectDAL: Pick<TProjectDALFactory, "findOne" | "transaction" | "updateById" | "setProjectUpgradeStatus" | "find">;
+  orgDAL: Pick<TOrgDALFactory, "findMembership">;
+};
+
+export const projectQueueFactory = ({
+  queueService,
+  secretDAL,
+  folderDAL,
+  userDAL,
+  secretVersionDAL,
+  integrationAuthDAL,
+  secretApprovalRequestDAL,
+  secretApprovalSecretDAL,
+  projectKeyDAL,
+  projectBotDAL,
+  projectEnvDAL,
+  orgDAL,
+  projectDAL,
+  orgService,
+  projectMembershipDAL
+}: TProjectQueueFactoryDep) => {
+  const upgradeProject = async (dto: TQueueJobTypes["upgrade-project-to-ghost"]["payload"]) => {
+    await queueService.queue(QueueName.UpgradeProjectToGhost, QueueJobs.UpgradeProjectToGhost, dto, {
+      attempts: 1,
+      removeOnComplete: true,
+      removeOnFail: {
+        count: 5 // keep the most recent jobs
+      }
+    });
+  };
+
+  queueService.start(QueueName.UpgradeProjectToGhost, async ({ data }) => {
+    try {
+      const [project] = await projectDAL.find({
+        id: data.projectId,
+        version: ProjectVersion.V1
+      });
+
+      const oldProjectKey = await projectKeyDAL.findLatestProjectKey(data.startedByUserId, data.projectId);
+
+      if (!project || !oldProjectKey) {
+        throw new Error("Project or project key not found");
+      }
+
+      if (project.upgradeStatus !== ProjectUpgradeStatus.Failed && project.upgradeStatus !== null) {
+        throw new Error("Project upgrade status is not valid");
+      }
+
+      await projectDAL.setProjectUpgradeStatus(data.projectId, ProjectUpgradeStatus.InProgress); // Set the status to in progress. This is important to prevent multiple upgrades at the same time.
+
+      // eslint-disable-next-line no-promise-executor-return
+      //   await new Promise((resolve) => setTimeout(resolve, 50_000));
+
+      const userPrivateKey = infisicalSymmetricDecrypt({
+        keyEncoding: data.encryptedPrivateKey.keyEncoding,
+        ciphertext: data.encryptedPrivateKey.encryptedKey,
+        iv: data.encryptedPrivateKey.encryptedKeyIv,
+        tag: data.encryptedPrivateKey.encryptedKeyTag
+      });
+
+      const decryptedPlainProjectKey = decryptAsymmetric({
+        ciphertext: oldProjectKey.encryptedKey,
+        nonce: oldProjectKey.nonce,
+        publicKey: oldProjectKey.sender.publicKey,
+        privateKey: userPrivateKey
+      });
+
+      const projectEnvs = await projectEnvDAL.find({
+        projectId: project.id
+      });
+
+      const projectFolders = await folderDAL.find({
+        $in: {
+          envId: projectEnvs.map((env) => env.id)
+        }
+      });
+
+      // Get all the secrets within the project (as encrypted)
+      const projectIntegrationAuths = await integrationAuthDAL.find({
+        projectId: project.id
+      });
+      const secrets: TSecrets[] = [];
+      const secretVersions: TSecretVersions[] = [];
+      const approvalSecrets: TSecretApprovalRequestsSecrets[] = [];
+      const folderSecretVersionIdsToDelete: string[] = [];
+
+      for (const folder of projectFolders) {
+        const folderSecrets = await secretDAL.find({ folderId: folder.id });
+
+        const folderSecretVersions = await secretVersionDAL.find(
+          {
+            folderId: folder.id
+          },
+          // Only get the latest 700 secret versions for each folder.
+          {
+            limit: 1000,
+            sort: [["createdAt", "desc"]]
+          }
+        );
+
+        const deletedSecretVersions = await secretVersionDAL.find(
+          {
+            folderId: folder.id
+          },
+          {
+            // Get all the secret versions that are not the latest 700
+            offset: 1000
+          }
+        );
+        folderSecretVersionIdsToDelete.push(...deletedSecretVersions.map((el) => el.id));
+
+        const approvalRequests = await secretApprovalRequestDAL.find({
+          status: RequestState.Open,
+          folderId: folder.id
+        });
+        const secretApprovals = await secretApprovalSecretDAL.find({
+          $in: {
+            requestId: approvalRequests.map((el) => el.id)
+          }
+        });
+
+        secrets.push(...folderSecrets);
+        secretVersions.push(...folderSecretVersions);
+        approvalSecrets.push(...secretApprovals);
+      }
+
+      const decryptedSecrets = decryptSecrets(secrets, userPrivateKey, oldProjectKey);
+      const decryptedSecretVersions = decryptSecretVersions(secretVersions, userPrivateKey, oldProjectKey);
+      const decryptedApprovalSecrets = decryptSecretApprovals(approvalSecrets, userPrivateKey, oldProjectKey);
+      const decryptedIntegrationAuths = decryptIntegrationAuths(projectIntegrationAuths, userPrivateKey, oldProjectKey);
+
+      // Get the existing bot and the existing project keys for the members of the project
+      const existingBot = await projectBotDAL.findOne({ projectId: project.id }).catch(() => null);
+      const existingProjectKeys = await projectKeyDAL.find({ projectId: project.id });
+
+      // TRANSACTION START
+      await projectDAL.transaction(async (tx) => {
+        await projectDAL.updateById(project.id, { version: ProjectVersion.V2 }, tx);
+
+        // Create a ghost user
+        const ghostUser = await orgService.addGhostUser(project.orgId, tx);
+
+        // Create a project key
+        const { key: newEncryptedProjectKey, iv: newEncryptedProjectKeyIv } = createProjectKey({
+          plainProjectKey: decryptedPlainProjectKey,
+          publicKey: ghostUser.keys.publicKey,
+          privateKey: ghostUser.keys.plainPrivateKey
+        });
+
+        // Create a new project key for the GHOST
+        await projectKeyDAL.create(
+          {
+            projectId: project.id,
+            receiverId: ghostUser.user.id,
+            encryptedKey: newEncryptedProjectKey,
+            nonce: newEncryptedProjectKeyIv,
+            senderId: ghostUser.user.id
+          },
+          tx
+        );
+
+        // Create a membership for the ghost user
+        await projectMembershipDAL.create(
+          {
+            projectId: project.id,
+            userId: ghostUser.user.id,
+            role: ProjectMembershipRole.Admin
+          },
+          tx
+        );
+
+        // If a bot already exists, delete it
+        if (existingBot) {
+          await projectBotDAL.delete({ id: existingBot.id }, tx);
+        }
+
+        // Delete all the existing project keys
+        await projectKeyDAL.delete(
+          {
+            projectId: project.id,
+            $in: {
+              id: existingProjectKeys.map((key) => key.id)
+            }
+          },
+          tx
+        );
+
+        const ghostUserLatestKey = await projectKeyDAL.findLatestProjectKey(ghostUser.user.id, project.id, tx);
+
+        if (!ghostUserLatestKey) {
+          throw new Error("User latest key not found (V2 Upgrade)");
+        }
+
+        const newProjectMembers: {
+          encryptedKey: string;
+          nonce: string;
+          senderId: string;
+          receiverId: string;
+          projectId: string;
+        }[] = [];
+
+        for (const key of existingProjectKeys) {
+          const user = await userDAL.findUserEncKeyByUserId(key.receiverId);
+          const [orgMembership] = await orgDAL.findMembership({ userId: key.receiverId, orgId: project.orgId });
+
+          if (!user || !orgMembership) {
+            throw new Error(`User with ID ${key.receiverId} was not found during upgrade, or user is not in org.`);
+          }
+
+          const [newMember] = assignWorkspaceKeysToMembers({
+            decryptKey: ghostUserLatestKey,
+            userPrivateKey: ghostUser.keys.plainPrivateKey,
+            members: [
+              {
+                userPublicKey: user.publicKey,
+                orgMembershipId: orgMembership.id,
+                projectMembershipRole: ProjectMembershipRole.Admin
+              }
+            ]
+          });
+
+          newProjectMembers.push({
+            encryptedKey: newMember.workspaceEncryptedKey,
+            nonce: newMember.workspaceEncryptedNonce,
+            senderId: ghostUser.user.id,
+            receiverId: user.id,
+            projectId: project.id
+          });
+        }
+
+        // Create project keys for all the old members
+        await projectKeyDAL.insertMany(newProjectMembers, tx);
+
+        // Encrypt the bot private key (which is the same as the ghost user)
+        const { iv, tag, ciphertext, encoding, algorithm } = infisicalSymmetricEncypt(ghostUser.keys.plainPrivateKey);
+
+        // 5. Create a bot for the project
+        const newBot = await projectBotDAL.create(
+          {
+            name: "Infisical Bot (Ghost)",
+            projectId: project.id,
+            tag,
+            iv,
+            encryptedPrivateKey: ciphertext,
+            isActive: true,
+            publicKey: ghostUser.keys.publicKey,
+            senderId: ghostUser.user.id,
+            encryptedProjectKey: newEncryptedProjectKey,
+            encryptedProjectKeyNonce: newEncryptedProjectKeyIv,
+            algorithm,
+            keyEncoding: encoding
+          },
+          tx
+        );
+
+        const botPrivateKey = infisicalSymmetricDecrypt({
+          keyEncoding: newBot.keyEncoding as SecretKeyEncoding,
+          iv: newBot.iv,
+          tag: newBot.tag,
+          ciphertext: newBot.encryptedPrivateKey
+        });
+
+        const botKey = decryptAsymmetric({
+          ciphertext: newBot.encryptedProjectKey!,
+          privateKey: botPrivateKey,
+          nonce: newBot.encryptedProjectKeyNonce!,
+          publicKey: ghostUser.keys.publicKey
+        });
+
+        const updatedSecrets: TSecrets[] = [];
+        const updatedSecretVersions: TSecretVersions[] = [];
+        const updatedSecretApprovals: TSecretApprovalRequestsSecrets[] = [];
+        const updatedIntegrationAuths: TIntegrationAuths[] = [];
+        for (const rawSecret of decryptedSecrets) {
+          const secretKeyEncrypted = encryptSymmetric128BitHexKeyUTF8(rawSecret.decrypted.secretKey, botKey);
+          const secretValueEncrypted = encryptSymmetric128BitHexKeyUTF8(rawSecret.decrypted.secretValue || "", botKey);
+          const secretCommentEncrypted = encryptSymmetric128BitHexKeyUTF8(
+            rawSecret.decrypted.secretComment || "",
+            botKey
+          );
+
+          const payload: TSecrets = {
+            ...rawSecret.original,
+            keyEncoding: SecretKeyEncoding.UTF8,
+
+            secretKeyCiphertext: secretKeyEncrypted.ciphertext,
+            secretKeyIV: secretKeyEncrypted.iv,
+            secretKeyTag: secretKeyEncrypted.tag,
+
+            secretValueCiphertext: secretValueEncrypted.ciphertext,
+            secretValueIV: secretValueEncrypted.iv,
+            secretValueTag: secretValueEncrypted.tag,
+
+            secretCommentCiphertext: secretCommentEncrypted.ciphertext,
+            secretCommentIV: secretCommentEncrypted.iv,
+            secretCommentTag: secretCommentEncrypted.tag
+          } as const;
+
+          if (!SecretsSchema.safeParse(payload).success) {
+            throw new Error(`Invalid secret payload: ${JSON.stringify(payload)}`);
+          }
+
+          updatedSecrets.push(payload);
+        }
+
+        for (const rawSecretVersion of decryptedSecretVersions) {
+          const secretKeyEncrypted = encryptSymmetric128BitHexKeyUTF8(rawSecretVersion.decrypted.secretKey, botKey);
+          const secretValueEncrypted = encryptSymmetric128BitHexKeyUTF8(
+            rawSecretVersion.decrypted.secretValue || "",
+            botKey
+          );
+          const secretCommentEncrypted = encryptSymmetric128BitHexKeyUTF8(
+            rawSecretVersion.decrypted.secretComment || "",
+            botKey
+          );
+
+          const payload: TSecretVersions = {
+            ...rawSecretVersion.original,
+            keyEncoding: SecretKeyEncoding.UTF8,
+
+            secretKeyCiphertext: secretKeyEncrypted.ciphertext,
+            secretKeyIV: secretKeyEncrypted.iv,
+            secretKeyTag: secretKeyEncrypted.tag,
+
+            secretValueCiphertext: secretValueEncrypted.ciphertext,
+            secretValueIV: secretValueEncrypted.iv,
+            secretValueTag: secretValueEncrypted.tag,
+
+            secretCommentCiphertext: secretCommentEncrypted.ciphertext,
+            secretCommentIV: secretCommentEncrypted.iv,
+            secretCommentTag: secretCommentEncrypted.tag
+          } as const;
+
+          if (!SecretVersionsSchema.safeParse(payload).success) {
+            throw new Error(`Invalid secret version payload: ${JSON.stringify(payload)}`);
+          }
+
+          updatedSecretVersions.push(payload);
+        }
+
+        for (const rawSecretApproval of decryptedApprovalSecrets) {
+          const secretKeyEncrypted = encryptSymmetric128BitHexKeyUTF8(rawSecretApproval.decrypted.secretKey, botKey);
+          const secretValueEncrypted = encryptSymmetric128BitHexKeyUTF8(
+            rawSecretApproval.decrypted.secretValue || "",
+            botKey
+          );
+          const secretCommentEncrypted = encryptSymmetric128BitHexKeyUTF8(
+            rawSecretApproval.decrypted.secretComment || "",
+            botKey
+          );
+
+          const payload: TSecretApprovalRequestsSecrets = {
+            ...rawSecretApproval.original,
+            keyEncoding: SecretKeyEncoding.UTF8,
+
+            secretKeyCiphertext: secretKeyEncrypted.ciphertext,
+            secretKeyIV: secretKeyEncrypted.iv,
+            secretKeyTag: secretKeyEncrypted.tag,
+
+            secretValueCiphertext: secretValueEncrypted.ciphertext,
+            secretValueIV: secretValueEncrypted.iv,
+            secretValueTag: secretValueEncrypted.tag,
+
+            secretCommentCiphertext: secretCommentEncrypted.ciphertext,
+            secretCommentIV: secretCommentEncrypted.iv,
+            secretCommentTag: secretCommentEncrypted.tag
+          } as const;
+
+          if (!SecretApprovalRequestsSecretsSchema.safeParse(payload).success) {
+            throw new Error(`Invalid secret approval payload: ${JSON.stringify(payload)}`);
+          }
+
+          updatedSecretApprovals.push(payload);
+        }
+
+        for (const integrationAuth of decryptedIntegrationAuths) {
+          const access = encryptSymmetric128BitHexKeyUTF8(integrationAuth.decrypted.access, botKey);
+          const accessId = encryptSymmetric128BitHexKeyUTF8(integrationAuth.decrypted.accessId, botKey);
+          const refresh = encryptSymmetric128BitHexKeyUTF8(integrationAuth.decrypted.refresh, botKey);
+
+          const payload: TIntegrationAuths = {
+            ...integrationAuth.original,
+            keyEncoding: SecretKeyEncoding.UTF8,
+
+            accessCiphertext: access.ciphertext,
+            accessIV: access.iv,
+            accessTag: access.tag,
+
+            accessIdCiphertext: accessId.ciphertext,
+            accessIdIV: accessId.iv,
+            accessIdTag: accessId.tag,
+
+            refreshCiphertext: refresh.ciphertext,
+            refreshIV: refresh.iv,
+            refreshTag: refresh.tag
+          } as const;
+
+          if (!IntegrationAuthsSchema.safeParse(payload).success) {
+            throw new Error(`Invalid integration auth payload: ${JSON.stringify(payload)}`);
+          }
+
+          updatedIntegrationAuths.push(payload);
+        }
+
+        if (updatedSecrets.length !== secrets.length) {
+          throw new Error("Failed to update some secrets");
+        }
+        if (updatedSecretVersions.length !== secretVersions.length) {
+          throw new Error("Failed to update some secret versions");
+        }
+        if (updatedSecretApprovals.length !== approvalSecrets.length) {
+          throw new Error("Failed to update some secret approvals");
+        }
+        if (updatedIntegrationAuths.length !== projectIntegrationAuths.length) {
+          throw new Error("Failed to update some integration auths");
+        }
+
+        const secretUpdates = await secretDAL.bulkUpdateNoVersionIncrement(updatedSecrets, tx);
+        const secretVersionUpdates = await secretVersionDAL.bulkUpdateNoVersionIncrement(updatedSecretVersions, tx);
+        const secretApprovalUpdates = await secretApprovalSecretDAL.bulkUpdateNoVersionIncrement(
+          updatedSecretApprovals,
+          tx
+        );
+        const integrationAuthUpdates = await integrationAuthDAL.bulkUpdate(
+          updatedIntegrationAuths.map((el) => ({
+            filter: { id: el.id },
+            data: {
+              ...el,
+              id: undefined
+            }
+          })),
+          tx
+        );
+
+        // Delete all secret versions that are no longer needed. We only store the latest 100 versions for each secret.
+        await secretVersionDAL.delete(
+          {
+            $in: {
+              id: folderSecretVersionIdsToDelete
+            }
+          },
+          tx
+        );
+
+        if (
+          secretUpdates.length !== updatedSecrets.length ||
+          secretVersionUpdates.length !== updatedSecretVersions.length ||
+          secretApprovalUpdates.length !== updatedSecretApprovals.length ||
+          integrationAuthUpdates.length !== updatedIntegrationAuths.length
+        ) {
+          throw new Error("Parts of the upgrade failed. Some secrets were not updated");
+        }
+
+        await projectDAL.setProjectUpgradeStatus(data.projectId, null, tx);
+
+        //  await new Promise((resolve) => setTimeout(resolve, 15_000));
+        // throw new Error("Transaction was successful!");
+      });
+    } catch (err) {
+      const [project] = await projectDAL
+        .find({
+          id: data.projectId,
+          version: ProjectVersion.V1
+        })
+        .catch(() => [null]);
+
+      if (!project) {
+        logger.error("Failed to upgrade project, because no project was found", data);
+      } else {
+        await projectDAL.setProjectUpgradeStatus(data.projectId, ProjectUpgradeStatus.Failed);
+        logger.error(err, "Failed to upgrade project");
+      }
+
+      throw err;
+    }
+  });
+
+  queueService.listen(QueueName.UpgradeProjectToGhost, "failed", (job, err) => {
+    logger.error(err, "Upgrade project failed", job?.data);
+  });
+
+  return {
+    upgradeProject
+  };
+};

backend/src/services/project/project-service.ts

@@ -1,22 +1,40 @@
 import { ForbiddenError } from "@casl/ability";
 import slugify from "@sindresorhus/slugify";
 
-import { ProjectMembershipRole } from "@app/db/schemas";
+import { ProjectMembershipRole, ProjectVersion } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { getConfig } from "@app/lib/config/env";
 import { createSecretBlindIndex } from "@app/lib/crypto";
-import { BadRequestError } from "@app/lib/errors";
+import { infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
+import { BadRequestError, ForbiddenRequestError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
+import { TProjectPermission } from "@app/lib/types";
 
+import { ActorType } from "../auth/auth-type";
+import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
+import { TIdentityProjectDALFactory } from "../identity-project/identity-project-dal";
+import { TOrgServiceFactory } from "../org/org-service";
+import { TProjectBotDALFactory } from "../project-bot/project-bot-dal";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
+import { TProjectKeyDALFactory } from "../project-key/project-key-dal";
 import { TProjectMembershipDALFactory } from "../project-membership/project-membership-dal";
 import { TSecretBlindIndexDALFactory } from "../secret-blind-index/secret-blind-index-dal";
 import { ROOT_FOLDER_NAME, TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
+import { TUserDALFactory } from "../user/user-dal";
 import { TProjectDALFactory } from "./project-dal";
-import { TCreateProjectDTO, TDeleteProjectDTO, TGetProjectDTO } from "./project-types";
+import { assignWorkspaceKeysToMembers, createProjectKey } from "./project-fns";
+import { TProjectQueueFactory } from "./project-queue";
+import {
+  TCreateProjectDTO,
+  TDeleteProjectDTO,
+  TGetProjectDTO,
+  TUpdateProjectDTO,
+  TUpgradeProjectDTO
+} from "./project-types";
 
 export const DEFAULT_PROJECT_ENVS = [
   { name: "Development", slug: "dev" },
@@ -26,11 +44,18 @@ export const DEFAULT_PROJECT_ENVS = [
 
 type TProjectServiceFactoryDep = {
   projectDAL: TProjectDALFactory;
-  folderDAL: Pick<TSecretFolderDALFactory, "insertMany">;
-  projectEnvDAL: Pick<TProjectEnvDALFactory, "insertMany">;
-  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "create">;
+  projectQueue: TProjectQueueFactory;
+  userDAL: TUserDALFactory;
+  folderDAL: TSecretFolderDALFactory;
+  projectEnvDAL: Pick<TProjectEnvDALFactory, "insertMany" | "find">;
+  identityOrgMembershipDAL: TIdentityOrgDALFactory;
+  identityProjectDAL: TIdentityProjectDALFactory;
+  projectKeyDAL: Pick<TProjectKeyDALFactory, "create" | "findLatestProjectKey" | "delete" | "find" | "insertMany">;
+  projectBotDAL: Pick<TProjectBotDALFactory, "create" | "findById" | "delete" | "findOne">;
+  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "create" | "findProjectGhostUser" | "findOne">;
   secretBlindIndexDAL: Pick<TSecretBlindIndexDALFactory, "create">;
   permissionService: TPermissionServiceFactory;
+  orgService: Pick<TOrgServiceFactory, "addGhostUser">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
 };
 
@@ -38,8 +63,15 @@ export type TProjectServiceFactory = ReturnType<typeof projectServiceFactory>;
 
 export const projectServiceFactory = ({
   projectDAL,
+  projectQueue,
+  projectKeyDAL,
   permissionService,
+  userDAL,
   folderDAL,
+  orgService,
+  identityProjectDAL,
+  projectBotDAL,
+  identityOrgMembershipDAL,
   secretBlindIndexDAL,
   projectMembershipDAL,
   projectEnvDAL,
@@ -48,8 +80,13 @@ export const projectServiceFactory = ({
   /*
    * Create workspace. Make user the admin
    * */
-  const createProject = async ({ orgId, actor, actorId, actorOrgId, workspaceName }: TCreateProjectDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const createProject = async ({ orgId, actor, actorId, actorOrgId, workspaceName, slug }: TCreateProjectDTO) => {
+    const { permission, membership: orgMembership } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      orgId,
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Workspace);
 
     const appCfg = getConfig();
@@ -64,20 +101,28 @@ export const projectServiceFactory = ({
       });
     }
 
-    const newProject = projectDAL.transaction(async (tx) => {
+    const results = await projectDAL.transaction(async (tx) => {
+      const ghostUser = await orgService.addGhostUser(orgId, tx);
+
       const project = await projectDAL.create(
-        { name: workspaceName, orgId, slug: slugify(`${workspaceName}-${alphaNumericNanoId(4)}`) },
+        {
+          name: workspaceName,
+          orgId,
+          slug: slug || slugify(`${workspaceName}-${alphaNumericNanoId(4)}`),
+          version: ProjectVersion.V2
+        },
         tx
       );
-      // set user as admin member for proeject
+      // set ghost user as admin of project
       await projectMembershipDAL.create(
         {
-          userId: actorId,
+          userId: ghostUser.user.id,
           role: ProjectMembershipRole.Admin,
           projectId: project.id
         },
         tx
       );
+
       // generate the blind index for project
       await secretBlindIndexDAL.create(
         {
@@ -99,18 +144,165 @@ export const projectServiceFactory = ({
         envs.map(({ id }) => ({ name: ROOT_FOLDER_NAME, envId: id, version: 1 })),
         tx
       );
-      // _id for backward compat
-      return { ...project, environments: envs, _id: project.id };
+
+      // 3. Create a random key that we'll use as the project key.
+      const { key: encryptedProjectKey, iv: encryptedProjectKeyIv } = createProjectKey({
+        publicKey: ghostUser.keys.publicKey,
+        privateKey: ghostUser.keys.plainPrivateKey
+      });
+
+      // 4. Save the project key for the ghost user.
+      await projectKeyDAL.create(
+        {
+          projectId: project.id,
+          receiverId: ghostUser.user.id,
+          encryptedKey: encryptedProjectKey,
+          nonce: encryptedProjectKeyIv,
+          senderId: ghostUser.user.id
+        },
+        tx
+      );
+
+      const { iv, tag, ciphertext, encoding, algorithm } = infisicalSymmetricEncypt(ghostUser.keys.plainPrivateKey);
+
+      // 5. Create & a bot for the project
+      await projectBotDAL.create(
+        {
+          name: "Infisical Bot (Ghost)",
+          projectId: project.id,
+          tag,
+          iv,
+          encryptedProjectKey,
+          encryptedProjectKeyNonce: encryptedProjectKeyIv,
+          encryptedPrivateKey: ciphertext,
+          isActive: true,
+          publicKey: ghostUser.keys.publicKey,
+          senderId: ghostUser.user.id,
+          algorithm,
+          keyEncoding: encoding
+        },
+        tx
+      );
+
+      // Find the ghost users latest key
+      const latestKey = await projectKeyDAL.findLatestProjectKey(ghostUser.user.id, project.id, tx);
+
+      if (!latestKey) {
+        throw new Error("Latest key not found for user");
+      }
+
+      // If the project is being created by a user, add the user to the project as an admin
+      if (actor === ActorType.USER) {
+        // Find public key of user
+        const user = await userDAL.findUserEncKeyByUserId(actorId);
+
+        if (!user) {
+          throw new Error("User not found");
+        }
+
+        const [projectAdmin] = assignWorkspaceKeysToMembers({
+          decryptKey: latestKey,
+          userPrivateKey: ghostUser.keys.plainPrivateKey,
+          members: [
+            {
+              userPublicKey: user.publicKey,
+              orgMembershipId: orgMembership.id,
+              projectMembershipRole: ProjectMembershipRole.Admin
+            }
+          ]
+        });
+
+        // Create a membership for the user
+        await projectMembershipDAL.create(
+          {
+            projectId: project.id,
+            userId: user.id,
+            role: projectAdmin.projectRole
+          },
+          tx
+        );
+
+        // Create a project key for the user
+        await projectKeyDAL.create(
+          {
+            encryptedKey: projectAdmin.workspaceEncryptedKey,
+            nonce: projectAdmin.workspaceEncryptedNonce,
+            senderId: ghostUser.user.id,
+            receiverId: user.id,
+            projectId: project.id
+          },
+          tx
+        );
+      }
+
+      // If the project is being created by an identity, add the identity to the project as an admin
+      else if (actor === ActorType.IDENTITY) {
+        // Find identity org membership
+        const identityOrgMembership = await identityOrgMembershipDAL.findOne(
+          {
+            identityId: actorId,
+            orgId: project.orgId
+          },
+          tx
+        );
+
+        // If identity org membership not found, throw error
+        if (!identityOrgMembership) {
+          throw new BadRequestError({
+            message: `Failed to find identity with id ${actorId}`
+          });
+        }
+
+        // Get the role permission for the identity
+        const { permission: rolePermission, role: customRole } = await permissionService.getOrgPermissionByRole(
+          ProjectMembershipRole.Admin,
+          orgId
+        );
+
+        const hasPrivilege = isAtLeastAsPrivileged(permission, rolePermission);
+        if (!hasPrivilege)
+          throw new ForbiddenRequestError({
+            message: "Failed to add identity to project with more privileged role"
+          });
+        const isCustomRole = Boolean(customRole);
+
+        await identityProjectDAL.create(
+          {
+            identityId: actorId,
+            projectId: project.id,
+            role: isCustomRole ? ProjectMembershipRole.Custom : ProjectMembershipRole.Admin,
+            roleId: customRole?.id
+          },
+          tx
+        );
+      }
+
+      return {
+        ...project,
+        environments: envs,
+        _id: project.id
+      };
     });
 
-    return newProject;
+    return results;
   };
 
   const deleteProject = async ({ actor, actorId, actorOrgId, projectId }: TDeleteProjectDTO) => {
     const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Project);
 
-    const deletedProject = await projectDAL.deleteById(projectId);
+    const deletedProject = await projectDAL.transaction(async (tx) => {
+      const project = await projectDAL.deleteById(projectId, tx);
+      const projectGhostUser = await projectMembershipDAL.findProjectGhostUser(projectId).catch(() => null);
+
+      // Delete the org membership for the ghost user if it's found.
+      if (projectGhostUser) {
+        await userDAL.deleteById(projectGhostUser.id, tx);
+      }
+
+      return project;
+    });
+
     return deletedProject;
   };
 
@@ -124,6 +316,17 @@ export const projectServiceFactory = ({
     return projectDAL.findProjectById(projectId);
   };
 
+  const updateProject = async ({ projectId, actor, actorId, actorOrgId, update }: TUpdateProjectDTO) => {
+    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Settings);
+
+    const updatedProject = await projectDAL.updateById(projectId, {
+      name: update.name,
+      autoCapitalization: update.autoCapitalization
+    });
+    return updatedProject;
+  };
+
   const toggleAutoCapitalization = async ({
     projectId,
     actor,
@@ -146,12 +349,55 @@ export const projectServiceFactory = ({
     return updatedProject;
   };
 
+  const upgradeProject = async ({ projectId, actor, actorId, userPrivateKey }: TUpgradeProjectDTO) => {
+    const { permission, membership } = await permissionService.getProjectPermission(actor, actorId, projectId);
+
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Project);
+
+    if (membership?.role !== ProjectMembershipRole.Admin) {
+      throw new ForbiddenRequestError({
+        message: "User must be admin"
+      });
+    }
+
+    const encryptedPrivateKey = infisicalSymmetricEncypt(userPrivateKey);
+
+    await projectQueue.upgradeProject({
+      projectId,
+      startedByUserId: actorId,
+      encryptedPrivateKey: {
+        encryptedKey: encryptedPrivateKey.ciphertext,
+        encryptedKeyIv: encryptedPrivateKey.iv,
+        encryptedKeyTag: encryptedPrivateKey.tag,
+        keyEncoding: encryptedPrivateKey.encoding
+      }
+    });
+  };
+
+  const getProjectUpgradeStatus = async ({ projectId, actor, actorId }: TProjectPermission) => {
+    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId);
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Secrets);
+
+    const project = await projectDAL.findProjectById(projectId);
+
+    if (!project) {
+      throw new BadRequestError({
+        message: `Project with id ${projectId} not found`
+      });
+    }
+
+    return project.upgradeStatus || null;
+  };
+
   return {
     createProject,
     deleteProject,
     getProjects,
+    updateProject,
+    getProjectUpgradeStatus,
     getAProject,
     toggleAutoCapitalization,
-    updateName
+    updateName,
+    upgradeProject
   };
 };

backend/src/services/project/project-types.ts

@@ -1,3 +1,6 @@
+import { ProjectMembershipRole, TProjectKeys } from "@app/db/schemas";
+import { TProjectPermission } from "@app/lib/types";
+
 import { ActorType } from "../auth/auth-type";
 
 export type TCreateProjectDTO = {
@@ -6,6 +9,7 @@ export type TCreateProjectDTO = {
   actorOrgId?: string;
   orgId: string;
   workspaceName: string;
+  slug?: string;
 };
 
 export type TDeleteProjectDTO = {
@@ -21,3 +25,24 @@ export type TGetProjectDTO = {
   actorOrgId?: string;
   projectId: string;
 };
+
+export type TUpdateProjectDTO = {
+  update: {
+    name?: string;
+    autoCapitalization?: boolean;
+  };
+} & TProjectPermission;
+
+export type TUpgradeProjectDTO = {
+  userPrivateKey: string;
+} & TProjectPermission;
+
+export type AddUserToWsDTO = {
+  decryptKey: TProjectKeys & { sender: { publicKey: string } };
+  userPrivateKey: string;
+  members: {
+    orgMembershipId: string;
+    projectMembershipRole: ProjectMembershipRole;
+    userPublicKey: string;
+  }[];
+};

backend/src/services/secret-import/secret-import-service.ts

@@ -4,6 +4,7 @@ import { TPermissionServiceFactory } from "@app/ee/services/permission/permissio
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError } from "@app/lib/errors";
 
+import { TProjectDALFactory } from "../project/project-dal";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TSecretDALFactory } from "../secret/secret-dal";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
@@ -21,6 +22,7 @@ type TSecretImportServiceFactoryDep = {
   secretImportDAL: TSecretImportDALFactory;
   folderDAL: TSecretFolderDALFactory;
   secretDAL: Pick<TSecretDALFactory, "find">;
+  projectDAL: Pick<TProjectDALFactory, "checkProjectUpgradeStatus">;
   projectEnvDAL: TProjectEnvDALFactory;
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
 };
@@ -34,6 +36,7 @@ export const secretImportServiceFactory = ({
   projectEnvDAL,
   permissionService,
   folderDAL,
+  projectDAL,
   secretDAL
 }: TSecretImportServiceFactoryDep) => {
   const createImport = async ({
@@ -62,6 +65,8 @@ export const secretImportServiceFactory = ({
       })
     );
 
+    await projectDAL.checkProjectUpgradeStatus(projectId);
+
     const folder = await folderDAL.findBySecretPath(projectId, environment, path);
     if (!folder) throw new BadRequestError({ message: "Folder not found", name: "Create import" });
 

backend/src/services/secret/secret-dal.ts

@@ -22,7 +22,11 @@ export const secretDALFactory = (db: TDbClient) => {
 
   // the idea is to use postgres specific function
   // insert with id this will cause a conflict then merge the data
-  const bulkUpdate = async (data: Array<{ filter: Partial<TSecrets>; data: TSecretsUpdate }>, tx?: Knex) => {
+  const bulkUpdate = async (
+    data: Array<{ filter: Partial<TSecrets>; data: TSecretsUpdate }>,
+
+    tx?: Knex
+  ) => {
     try {
       const secs = await Promise.all(
         data.map(async ({ filter, data: updateData }) => {
@@ -41,6 +45,35 @@ export const secretDALFactory = (db: TDbClient) => {
     }
   };
 
+  const bulkUpdateNoVersionIncrement = async (data: TSecrets[], tx?: Knex) => {
+    try {
+      const existingSecrets = await secretOrm.find(
+        {
+          $in: {
+            id: data.map((el) => el.id)
+          }
+        },
+        { tx }
+      );
+
+      if (existingSecrets.length !== data.length) {
+        throw new BadRequestError({ message: "Some of the secrets do not exist" });
+      }
+
+      if (data.length === 0) return [];
+
+      const updatedSecrets = await (tx || db)(TableName.Secret)
+        .insert(data)
+        .onConflict("id") // this will cause a conflict then merge the data
+        .merge() // Merge the data with the existing data
+        .returning("*");
+
+      return updatedSecrets;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "bulk update secret" });
+    }
+  };
+
   const deleteMany = async (
     data: Array<{ blindIndex: string; type: SecretType }>,
     folderId: string,
@@ -145,5 +178,13 @@ export const secretDALFactory = (db: TDbClient) => {
     }
   };
 
-  return { ...secretOrm, update, bulkUpdate, deleteMany, findByFolderId, findByBlindIndexes };
+  return {
+    ...secretOrm,
+    update,
+    bulkUpdate,
+    deleteMany,
+    bulkUpdateNoVersionIncrement,
+    findByFolderId,
+    findByBlindIndexes
+  };
 };

backend/src/services/secret/secret-service.ts

@@ -11,6 +11,7 @@ import { groupBy, pick } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
 
 import { ActorType } from "../auth/auth-type";
+import { TProjectDALFactory } from "../project/project-dal";
 import { TProjectBotServiceFactory } from "../project-bot/project-bot-service";
 import { TSecretBlindIndexDALFactory } from "../secret-blind-index/secret-blind-index-dal";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
@@ -49,6 +50,7 @@ type TSecretServiceFactoryDep = {
   secretTagDAL: TSecretTagDALFactory;
   secretVersionDAL: TSecretVersionDALFactory;
   folderDAL: Pick<TSecretFolderDALFactory, "findBySecretPath" | "updateById" | "findById" | "findByManySecretPath">;
+  projectDAL: Pick<TProjectDALFactory, "checkProjectUpgradeStatus">;
   secretBlindIndexDAL: TSecretBlindIndexDALFactory;
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
   snapshotService: Pick<TSecretSnapshotServiceFactory, "performSnapshot">;
@@ -68,6 +70,7 @@ export const secretServiceFactory = ({
   permissionService,
   snapshotService,
   secretQueueService,
+  projectDAL,
   projectBotService,
   secretImportDAL,
   secretVersionTagDAL
@@ -281,6 +284,8 @@ export const secretServiceFactory = ({
       subject(ProjectPermissionSub.Secrets, { environment, secretPath: path })
     );
 
+    await projectDAL.checkProjectUpgradeStatus(projectId);
+
     const folder = await folderDAL.findBySecretPath(projectId, environment, path);
     if (!folder) throw new BadRequestError({ message: "Folder not  found", name: "Create secret" });
     const folderId = folder.id;
@@ -359,6 +364,8 @@ export const secretServiceFactory = ({
       subject(ProjectPermissionSub.Secrets, { environment, secretPath: path })
     );
 
+    await projectDAL.checkProjectUpgradeStatus(projectId);
+
     const folder = await folderDAL.findBySecretPath(projectId, environment, path);
     if (!folder) throw new BadRequestError({ message: "Folder not  found", name: "Create secret" });
     const folderId = folder.id;
@@ -459,6 +466,8 @@ export const secretServiceFactory = ({
       subject(ProjectPermissionSub.Secrets, { environment, secretPath: path })
     );
 
+    await projectDAL.checkProjectUpgradeStatus(projectId);
+
     const folder = await folderDAL.findBySecretPath(projectId, environment, path);
     if (!folder) throw new BadRequestError({ message: "Folder not  found", name: "Create secret" });
     const folderId = folder.id;
@@ -650,6 +659,8 @@ export const secretServiceFactory = ({
       subject(ProjectPermissionSub.Secrets, { environment, secretPath: path })
     );
 
+    await projectDAL.checkProjectUpgradeStatus(projectId);
+
     const folder = await folderDAL.findBySecretPath(projectId, environment, path);
     if (!folder) throw new BadRequestError({ message: "Folder not  found", name: "Create secret" });
     const folderId = folder.id;
@@ -705,6 +716,8 @@ export const secretServiceFactory = ({
       subject(ProjectPermissionSub.Secrets, { environment, secretPath: path })
     );
 
+    await projectDAL.checkProjectUpgradeStatus(projectId);
+
     const folder = await folderDAL.findBySecretPath(projectId, environment, path);
     if (!folder) throw new BadRequestError({ message: "Folder not  found", name: "Create secret" });
     const folderId = folder.id;
@@ -776,6 +789,8 @@ export const secretServiceFactory = ({
       subject(ProjectPermissionSub.Secrets, { environment, secretPath: path })
     );
 
+    await projectDAL.checkProjectUpgradeStatus(projectId);
+
     const folder = await folderDAL.findBySecretPath(projectId, environment, path);
     if (!folder) throw new BadRequestError({ message: "Folder not  found", name: "Create secret" });
     const folderId = folder.id;

backend/src/services/secret/secret-version-dal.ts

@@ -1,8 +1,8 @@
 import { Knex } from "knex";
 
 import { TDbClient } from "@app/db";
-import { TableName, TSecretVersions } from "@app/db/schemas";
-import { DatabaseError } from "@app/lib/errors";
+import { TableName, TSecretVersions, TSecretVersionsUpdate } from "@app/db/schemas";
+import { BadRequestError, DatabaseError } from "@app/lib/errors";
 import { ormify, selectAllTableCols } from "@app/lib/knex";
 
 export type TSecretVersionDALFactory = ReturnType<typeof secretVersionDALFactory>;
@@ -36,6 +36,57 @@ export const secretVersionDALFactory = (db: TDbClient) => {
     }
   };
 
+  const bulkUpdate = async (
+    data: Array<{ filter: Partial<TSecretVersions>; data: TSecretVersionsUpdate }>,
+    tx?: Knex
+  ) => {
+    try {
+      const secs = await Promise.all(
+        data.map(async ({ filter, data: updateData }) => {
+          const [doc] = await (tx || db)(TableName.SecretVersion)
+            .where(filter)
+            .update(updateData)
+            .increment("version", 1) // TODO: Is this really needed?
+            .returning("*");
+          if (!doc) throw new BadRequestError({ message: "Failed to update document" });
+          return doc;
+        })
+      );
+      return secs;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "bulk update secret" });
+    }
+  };
+
+  const bulkUpdateNoVersionIncrement = async (data: TSecretVersions[], tx?: Knex) => {
+    try {
+      const existingSecretVersions = await secretVersionOrm.find(
+        {
+          $in: {
+            id: data.map((el) => el.id)
+          }
+        },
+        { tx }
+      );
+
+      if (existingSecretVersions.length !== data.length) {
+        throw new BadRequestError({ message: "Some of the secret versions do not exist" });
+      }
+
+      if (data.length === 0) return [];
+
+      const updatedSecretVersions = await (tx || db)(TableName.SecretVersion)
+        .insert(data)
+        .onConflict("id") // this will cause a conflict then merge the data
+        .merge() // Merge the data with the existing data
+        .returning("*");
+
+      return updatedSecretVersions;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "bulk update secret" });
+    }
+  };
+
   const findLatestVersionMany = async (folderId: string, secretIds: string[], tx?: Knex) => {
     try {
       const docs: Array<TSecretVersions & { max: number }> = await (tx || db)(TableName.SecretVersion)
@@ -59,5 +110,11 @@ export const secretVersionDALFactory = (db: TDbClient) => {
     }
   };
 
-  return { ...secretVersionOrm, findLatestVersionMany, findLatestVersionByFolderId };
+  return {
+    ...secretVersionOrm,
+    findLatestVersionMany,
+    bulkUpdate,
+    findLatestVersionByFolderId,
+    bulkUpdateNoVersionIncrement
+  };
 };

backend/src/services/service-token/service-token-dal.ts

@@ -1,10 +1,32 @@
+import { Knex } from "knex";
+
 import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
+import { TableName, TUsers } from "@app/db/schemas";
+import { DatabaseError } from "@app/lib/errors";
+import { ormify, selectAllTableCols } from "@app/lib/knex";
 
 export type TServiceTokenDALFactory = ReturnType<typeof serviceTokenDALFactory>;
 
 export const serviceTokenDALFactory = (db: TDbClient) => {
   const stOrm = ormify(db, TableName.ServiceToken);
-  return stOrm;
+
+  const findById = async (id: string, tx?: Knex) => {
+    try {
+      const doc = await (tx || db)(TableName.ServiceToken)
+        .leftJoin<TUsers>(
+          TableName.Users,
+          `${TableName.Users}.id`,
+          db.raw(`${TableName.ServiceToken}."createdBy"::uuid`)
+        )
+        .where(`${TableName.ServiceToken}.id`, id)
+        .select(selectAllTableCols(TableName.ServiceToken))
+        .select(db.ref("email").withSchema(TableName.Users).as("createdByEmail"))
+        .first();
+      return doc;
+    } catch (err) {
+      throw new DatabaseError({ error: err, name: "FindById" });
+    }
+  };
+
+  return { ...stOrm, findById };
 };

backend/src/services/service-token/service-token-service.ts

@@ -142,7 +142,7 @@ export const serviceTokenServiceFactory = ({
     const updatedToken = await serviceTokenDAL.updateById(serviceToken.id, {
       lastUsed: new Date()
     });
-    return updatedToken;
+    return { ...serviceToken, lastUsed: updatedToken.lastUsed };
   };
 
   return {

backend/src/services/smtp/templates/workspaceInvitation.handlebars

@@ -1,15 +1,15 @@
-<!DOCTYPE html>
 <html>
-<head>
-    <meta charset="utf-8">
-    <meta http-equiv="x-ua-compatible" content="ie=edge">
+  <head>
+    <meta charset="utf-8" />
+    <meta http-equiv="x-ua-compatible" content="ie=edge" />
     <title>Project Invitation</title>
-</head>
-<body>
+  </head>
+  <body>
     <h2>Join your team on Infisical</h2>
-    <p>{{inviterFirstName}} ({{inviterEmail}}) has invited you to their Infisical project — {{workspaceName}}</p>
+    <p>You have been invited to a new Infisical project — {{workspaceName}}</p>
     <a href="{{callback_url}}">Join now</a>
     <h3>What is Infisical?</h3>
-    <p>Infisical is an easy-to-use end-to-end encrypted tool that enables developers to sync and manage their secrets and configs.</p>
-</body>
+    <p>Infisical is an easy-to-use end-to-end encrypted tool that enables developers to sync and manage their secrets
+      and configs.</p>
+  </body>
 </html>

backend/src/services/super-admin/super-admin-service.ts

@@ -70,6 +70,7 @@ export const superAdminServiceFactory = ({
           lastName,
           email,
           superAdmin: true,
+          isGhost: false,
           isAccepted: true,
           authMethods: [AuthMethod.EMAIL]
         },

backend/src/services/telemetry/telemetry-service.ts

@@ -61,8 +61,15 @@ To opt into telemetry, you can set "TELEMETRY_ENABLED=true" within the environme
     }
   };
 
+  const flushAll = async () => {
+    if (postHog) {
+      await postHog.shutdownAsync();
+    }
+  };
+
   return {
     sendLoopsEvent,
-    sendPostHogEvents
+    sendPostHogEvents,
+    flushAll
   };
 };

backend/src/services/telemetry/telemetry-types.ts

@@ -8,7 +8,11 @@ export enum PostHogEventTypes {
   UserSignedUp = "User Signed Up",
   SecretRotated = "secrets rotated",
   SecretScannerFull = "historical cloud secret scan",
-  SecretScannerPush = "cloud secret scan"
+  SecretScannerPush = "cloud secret scan",
+  ProjectCreated = "Project Created",
+  IntegrationCreated = "Integration Created",
+  MachineIdentityCreated = "Machine Identity Created",
+  UserOrgInvitation = "User Org Invitation"
 }
 
 export type TSecretModifiedEvent = {
@@ -53,9 +57,57 @@ export type TSecretScannerEvent = {
   };
 };
 
+export type TProjectCreateEvent = {
+  event: PostHogEventTypes.ProjectCreated;
+  properties: {
+    name: string;
+    orgId: string;
+  };
+};
+
+export type TMachineIdentityCreatedEvent = {
+  event: PostHogEventTypes.MachineIdentityCreated;
+  properties: {
+    name: string;
+    orgId: string;
+    identityId: string;
+  };
+};
+
+export type TIntegrationCreatedEvent = {
+  event: PostHogEventTypes.IntegrationCreated;
+  properties: {
+    projectId: string;
+    integrationId: string;
+    integration: string; // TODO: fix type
+    environment: string;
+    secretPath: string;
+    url?: string;
+    app?: string;
+    appId?: string;
+    targetEnvironment?: string;
+    targetEnvironmentId?: string;
+    targetService?: string;
+    targetServiceId?: string;
+    path?: string;
+    region?: string;
+  };
+};
+
+export type TUserOrgInvitedEvent = {
+  event: PostHogEventTypes.UserOrgInvitation;
+  properties: {
+    inviteeEmail: string;
+  };
+};
+
 export type TPostHogEvent = { distinctId: string } & (
   | TSecretModifiedEvent
   | TAdminInitEvent
   | TUserSignedUpEvent
   | TSecretScannerEvent
+  | TUserOrgInvitedEvent
+  | TMachineIdentityCreatedEvent
+  | TIntegrationCreatedEvent
+  | TProjectCreateEvent
 );

backend/src/services/user/user-dal.ts

@@ -23,7 +23,7 @@ export const userDALFactory = (db: TDbClient) => {
   const findUserEncKeyByEmail = async (email: string) => {
     try {
       return await db(TableName.Users)
-        .where({ email })
+        .where({ email, isGhost: false })
         .join(TableName.UserEncryptionKey, `${TableName.Users}.id`, `${TableName.UserEncryptionKey}.userId`)
         .first();
     } catch (error) {
@@ -47,6 +47,17 @@ export const userDALFactory = (db: TDbClient) => {
     }
   };
 
+  const findUserByProjectMembershipId = async (projectMembershipId: string) => {
+    try {
+      return await db(TableName.ProjectMembership)
+        .where({ [`${TableName.ProjectMembership}.id` as "id"]: projectMembershipId })
+        .join(TableName.Users, `${TableName.ProjectMembership}.userId`, `${TableName.Users}.id`)
+        .first();
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find user by project membership id" });
+    }
+  };
+
   const createUserEncryption = async (data: TUserEncryptionKeysInsert, tx?: Knex) => {
     try {
       const [userEnc] = await (tx || db)(TableName.UserEncryptionKey).insert(data).returning("*");
@@ -111,6 +122,7 @@ export const userDALFactory = (db: TDbClient) => {
     findUserEncKeyByEmail,
     findUserEncKeyByUserId,
     updateUserEncryptionByUserId,
+    findUserByProjectMembershipId,
     upsertUserEncryptionKey,
     createUserEncryption,
     findOneUserAction,

docs/api-reference/endpoints/workspaces/create-workspace.mdx

@@ -0,0 +1,4 @@
+---
+title: "Create Project"
+openapi: "POST /api/v2/workspace"
+---

docs/api-reference/endpoints/workspaces/delete-workspace.mdx

@@ -0,0 +1,8 @@
+---
+title: "Delete Project"
+openapi: "DELETE /api/v1/workspace/{workspaceId}"
+---
+
+<Warning>
+    This operation is irreversible. All data associated with the project will be deleted. Please use with caution.
+</Warning>

docs/api-reference/endpoints/workspaces/get-workspace.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get Project"
+openapi: "GET /api/v1/workspace/{workspaceId}"
+---

docs/api-reference/endpoints/workspaces/invite-member-to-workspace.mdx

@@ -0,0 +1,4 @@
+---
+title: "Invite Member"
+openapi: "POST /api/v2/workspace/{projectId}/memberships"
+---

docs/api-reference/endpoints/workspaces/remove-member-from-workspace.mdx

@@ -0,0 +1,4 @@
+---
+title: "Remove Member"
+openapi: "DELETE /api/v2/workspace/{projectId}/memberships"
+---

docs/api-reference/endpoints/workspaces/update-workspace.mdx

@@ -0,0 +1,4 @@
+---
+title: "Update Project"
+openapi: "PATCH /api/v1/workspace/{workspaceId}"
+---

docs/documentation/guides/node.mdx

@@ -75,7 +75,7 @@ app.get("/", async (req, res) => {
 app.listen(PORT, async () => {
     // initialize client
 
-    console.log(`App listening on port ${port}`);
+    console.log(`App listening on port ${PORT}`);
 });
 ```
 

docs/mint.json

@@ -163,27 +163,18 @@
     {
       "group": "Self-host Infisical",
       "pages": [
+        "self-hosting/overview",
+        "self-hosting/configuration/requirements",
+        "self-hosting/configuration/schema-migrations",
         {
-          "group": "Deployment options",
+          "group": "Installation methods",
           "pages": [
-            "self-hosting/overview",
             "self-hosting/deployment-options/standalone-infisical",
             "self-hosting/deployment-options/docker-compose",
-            "self-hosting/deployment-options/kubernetes-helm",
-            "self-hosting/deployment-options/aws-ec2",
-            "self-hosting/deployment-options/aws-lightsail",
-            "self-hosting/deployment-options/gcp-cloud-run",
-            "self-hosting/deployment-options/azure-app-services",
-            "self-hosting/deployment-options/azure-container-instances",
-            "self-hosting/deployment-options/digital-ocean-marketplace",
-            "self-hosting/deployment-options/fly.io",
-            "self-hosting/deployment-options/railway"
+            "self-hosting/deployment-options/kubernetes-helm"
           ]
         },
         "self-hosting/configuration/envars",
-        "self-hosting/configuration/email",
-        "self-hosting/configuration/redis",
-        "self-hosting/configuration/sso",
         "self-hosting/faq"
       ]
     },
@@ -225,10 +216,6 @@
         "infisical-agent/overview"
       ]
     },
-    {
-      "group": "Integrations",
-      "pages": ["integrations/overview"]
-    },
     {
       "group": "Infrastructure Integrations",
       "pages": [
@@ -248,7 +235,7 @@
       ]
     },
     {
-      "group": "3rd-party Integrations",
+      "group": "Native Integrations",
       "pages": [
         {
           "group": "AWS",
@@ -261,39 +248,49 @@
           "group": "Digital Ocean",
           "pages": ["integrations/cloud/digital-ocean-app-platform"]
         },
-        "integrations/cloud/heroku",
         "integrations/cloud/vercel",
-        "integrations/cloud/netlify",
-        "integrations/cloud/render",
-        "integrations/cloud/railway",
-        "integrations/cloud/flyio",
-        "integrations/cloud/laravel-forge",
-        "integrations/cloud/supabase",
-        "integrations/cloud/northflank",
-        "integrations/cloud/hasura-cloud",
-        "integrations/cloud/terraform-cloud",
-        "integrations/cloud/cloudflare-pages",
-        "integrations/cloud/cloudflare-workers",
-        "integrations/cloud/qovery",
-        "integrations/cloud/hashicorp-vault",
         "integrations/cloud/azure-key-vault",
         "integrations/cloud/gcp-secret-manager",
-        "integrations/cloud/cloud-66",
-        "integrations/cloud/windmill"
+        {
+          "group": "View more",
+          "pages": [
+            "integrations/cloud/heroku",
+            "integrations/cloud/netlify",
+            "integrations/cloud/render",
+            "integrations/cloud/railway",
+            "integrations/cloud/flyio",
+            "integrations/cloud/laravel-forge",
+            "integrations/cloud/supabase",
+            "integrations/cloud/northflank",
+            "integrations/cloud/hasura-cloud",
+            "integrations/cloud/terraform-cloud",
+            "integrations/cloud/cloudflare-pages",
+            "integrations/cloud/cloudflare-workers",
+            "integrations/cloud/qovery",
+            "integrations/cloud/hashicorp-vault",
+            "integrations/cloud/cloud-66",
+            "integrations/cloud/windmill"
+          ]
+        }
       ]
     },
     {
       "group": "CI/CD Integrations",
       "pages": [
         "integrations/cloud/teamcity",
-        "integrations/cloud/checkly",
         "integrations/cicd/githubactions",
         "integrations/cicd/gitlab",
-        "integrations/cicd/circleci",
-        "integrations/cicd/travisci",
-        "integrations/cicd/bitbucket",
-        "integrations/cicd/codefresh",
-        "integrations/cicd/jenkins"
+        {
+          "group": "View more",
+          "pages": [
+            "integrations/cicd/circleci",
+            "integrations/cicd/travisci",
+            "integrations/cicd/bitbucket",
+            "integrations/cicd/codefresh",
+            "integrations/cicd/jenkins",
+            "integrations/cloud/checkly"
+          ]
+        }
       ]
     },
     {
@@ -303,20 +300,25 @@
         "integrations/frameworks/react",
         "integrations/frameworks/vue",
         "integrations/frameworks/express",
-        "integrations/frameworks/nextjs",
-        "integrations/frameworks/nestjs",
-        "integrations/frameworks/sveltekit",
-        "integrations/frameworks/nuxt",
-        "integrations/frameworks/gatsby",
-        "integrations/frameworks/remix",
-        "integrations/frameworks/vite",
-        "integrations/frameworks/fiber",
-        "integrations/frameworks/django",
-        "integrations/frameworks/flask",
-        "integrations/frameworks/laravel",
-        "integrations/frameworks/rails",
-        "integrations/frameworks/dotnet",
-        "integrations/platforms/pm2"
+        {
+          "group": "View more",
+          "pages": [
+            "integrations/frameworks/nextjs",
+            "integrations/frameworks/nestjs",
+            "integrations/frameworks/sveltekit",
+            "integrations/frameworks/nuxt",
+            "integrations/frameworks/gatsby",
+            "integrations/frameworks/remix",
+            "integrations/frameworks/vite",
+            "integrations/frameworks/fiber",
+            "integrations/frameworks/django",
+            "integrations/frameworks/flask",
+            "integrations/frameworks/laravel",
+            "integrations/frameworks/rails",
+            "integrations/frameworks/dotnet",
+            "integrations/platforms/pm2"
+          ]
+        }
       ]
     },
     {
@@ -386,9 +388,14 @@
         {
           "group": "Projects",
           "pages": [
+            "api-reference/endpoints/workspaces/create-workspace",
+            "api-reference/endpoints/workspaces/delete-workspace",
+            "api-reference/endpoints/workspaces/get-workspace",
+            "api-reference/endpoints/workspaces/update-workspace",
+            "api-reference/endpoints/workspaces/invite-member-to-workspace",
+            "api-reference/endpoints/workspaces/remove-member-from-workspace",
             "api-reference/endpoints/workspaces/memberships",
             "api-reference/endpoints/workspaces/update-membership",
-            "api-reference/endpoints/workspaces/delete-membership",
             "api-reference/endpoints/workspaces/list-identity-memberships",
             "api-reference/endpoints/workspaces/update-identity-membership",
             "api-reference/endpoints/workspaces/delete-identity-membership",

docs/sdks/languages/node.mdx

@@ -42,7 +42,7 @@ app.get("/", async (req, res) => {
 app.listen(PORT, async () => {
     // initialize client
 
-    console.log(`App listening on port ${port}`);
+    console.log(`App listening on port ${PORT}`);
 });
 ```
 

docs/self-hosting/configuration/email.mdx

@@ -1,242 +0,0 @@
----
-title: "Configure email service"
-description: "How to configure your email when self-hosting Infisical."
----
-
-By default, the core functions of Infisical work without any email service configuration. Without email service, basic sign up/login and secret operations will function without any issue.
-However, the following functionality will be disabled.
-
-- Multi-factor authentication
-- Sending invite links via email for projects to teammates
-- Sending alerts such as suspicious login attempts
-
-## Configuration
-
-If you choose to setup email service, you need to configure the following SMTP [environment variables](https://infisical.com/docs/self-hosting/configuration/envars):
-
-- `SMTP_HOST`: Hostname to connect to for establishing SMTP connections.
-- `SMTP_USERNAME`: Credential to connect to host (e.g. team@infisical.com)
-- `SMTP_PASSWORD`: Credential to connect to host.
-- `SMTP_PORT`: Port to connect to for establishing SMTP connections.
-- `SMTP_SECURE`: If `true`, the connection will use TLS when connecting to server with special configs for SendGrid and Mailgun. If `false` (the default) then TLS is used if server supports the STARTTLS extension.
-- `SMTP_FROM_ADDRESS`: Email address to be used for sending emails (e.g. team@infisical.com).
-- `SMTP_FROM_NAME`: Name label to be used in `From` field (e.g. Team).
-
-Below you will find details on how to configure common email providers:
-
-<AccordionGroup>
-<Accordion title="Resend">
-1. Create an account on [Resend](https://resend.com).
-2. Add a [Domain](https://resend.com/domains).
-
-![adding resend domain](../../images/self-hosting/configuration/email/email-resend-create-domain.png)
-
-3. Create an [API Key](https://resend.com/api-keys).
-
-![creating resend api key](../../images/self-hosting/configuration/email/email-resend-create-key.png)
-
-4. Go to the [SMTP page](https://resend.com/settings/smtp) and copy the values.
-
-![go to resend smtp settings](../../images/self-hosting/configuration/email/email-resend-smtp-settings.png)
-
-5. With the API Key, you can now set your SMTP environment variables variables:
-
-```
-SMTP_HOST=smtp.resend.com
-SMTP_USERNAME=resend
-SMTP_PASSWORD=YOUR_API_KEY
-SMTP_PORT=587
-SMTP_SECURE=true
-SMTP_FROM_ADDRESS=hey@example.com # your email address being used to send out emails
-SMTP_FROM_NAME=Infisical
-```
-  <Info>
-    Remember that you will need to restart Infisical for this to work properly.
-  </Info>
-</Accordion>
-
-<Accordion title="Twilio SendGrid">
-
-1. Create an account and configure [SendGrid](https://sendgrid.com) to send emails.
-2. Create a SendGrid API Key under Settings > [API Keys](https://app.sendgrid.com/settings/api_keys)
-3. Set a name for your API Key, we recommend using "Infisical," and select the "Restricted Key" option. You will need to enable the "Mail Send" permission as shown below:
-
-![creating sendgrid api key](../../images/self-hosting/configuration/email/email-sendgrid-create-key.png)
-
-![setting sendgrid api key restriction](../../images/self-hosting/configuration/email/email-sendgrid-restrictions.png)
-
-4. With the API Key, you can now set your SMTP environment variables:
-
-```
-SMTP_HOST=smtp.sendgrid.net
-SMTP_USERNAME=apikey
-SMTP_PASSWORD=SG.rqFsfjxYPiqE1lqZTgD_lz7x8IVLx # your SendGrid API Key from step above
-SMTP_PORT=587
-SMTP_SECURE=true
-SMTP_FROM_ADDRESS=hey@example.com # your email address being used to send out emails
-SMTP_FROM_NAME=Infisical
-```
-
-  <Info>
-    Remember that you will need to restart Infisical for this to work properly.
-  </Info>
-</Accordion>
-
-<Accordion title="Mailgun">
-
-1. Create an account and configure [Mailgun](https://www.mailgun.com) to send emails.
-2. Obtain your Mailgun credentials in Sending > Overview > SMTP
-
-![obtain mailhog api key estriction](../../images/self-hosting/configuration/email/email-mailhog-credentials.png)
-
-3. With your Mailgun credentials, you can now set up your SMTP environment variables:
-
-```
-SMTP_HOST=smtp.mailgun.org # obtained from credentials page
-SMTP_USERNAME=postmaster@example.mailgun.org # obtained from credentials page
-SMTP_PASSWORD=password # obtained from credentials page
-SMTP_PORT=587
-SMTP_SECURE=true
-SMTP_FROM_ADDRESS=hey@example.com # your email address being used to send out emails
-SMTP_FROM_NAME=Infisical
-```
-
-</Accordion>
-
-<Accordion title="AWS SES">
-
-1. Create an account and [configure AWS SES](https://aws.amazon.com/premiumsupport/knowledge-center/ses-set-up-connect-smtp/) to send emails in the Amazon SES console.
-2. Create an IAM user for SMTP authentication and obtain SMTP credentials in SMTP settings > Create SMTP credentials
-
-![opening AWS SES console](../../images/self-hosting/configuration/email/email-aws-ses-console.png)
-
-![creating AWS IAM SES user](../../images/self-hosting/configuration/email/email-aws-ses-user.png)
-
-3. With your AWS SES SMTP credentials, you can now set up your SMTP environment variables:
-
-```
-SMTP_HOST=email-smtp.ap-northeast-1.amazonaws.com # SMTP endpoint obtained from SMTP settings
-SMTP_USERNAME=xxx # your SMTP username
-SMTP_PASSWORD=xxx # your SMTP password
-SMTP_PORT=587
-SMTP_SECURE=true
-SMTP_FROM_ADDRESS=hey@example.com # your email address being used to send out emails
-SMTP_FROM_NAME=Infisical
-```
-
-<Info>
-  Remember that you will need to restart Infisical for this to work properly.
-</Info>
-</Accordion>
-
-<Accordion title="SocketLabs">
-
-1. Create an account and configure [SocketLabs](https://www.socketlabs.com/) to send emails.
-2. From the dashboard, navigate to SMTP Credentials > SMTP & APIs > SMTP Credentials to obtain your SocketLabs SMTP credentials.
-
-![opening SocketLabs dashboard](../../images/self-hosting/configuration/email/email-socketlabs-dashboard.png)
-
-![obtaining SocketLabs credentials](../../images/self-hosting/configuration/email/email-socketlabs-credentials.png)
-
-3. With your SocketLabs SMTP credentials, you can now set up your SMTP environment variables:
-
-```
-SMTP_HOST=smtp.socketlabs.com
-SMTP_USERNAME=username # obtained from your credentials
-SMTP_PASSWORD=password # obtained from your credentials
-SMTP_PORT=587
-SMTP_SECURE=true
-SMTP_FROM_ADDRESS=hey@example.com # your email address being used to send out emails
-SMTP_FROM_NAME=Infisical
-```
-
-<Note>
-  The `SMTP_FROM_ADDRESS` environment variable should be an email for an
-  authenticated domain under Configuration > Domain Management in SocketLabs.
-  For example, if you're using SocketLabs in sandbox mode, then you may use an
-  email like `team@sandbox.socketlabs.dev`.
-</Note>
-
-![SocketLabs domain management](../../images/self-hosting/configuration/email/email-socketlabs-domains.png)
-
-<Info>
-  Remember that you will need to restart Infisical for this to work properly.
-</Info>
-</Accordion>
-
-<Accordion title="Gmail">
-
-Create an account and enable "less secure app access" in Gmail Account Settings > Security. This will allow
-applications like Infisical to authenticate with Gmail via your username and password.
-
-![Gmail secure app access](../../images/self-hosting/configuration/email/email-gmail-app-access.png)
-
-With your Gmail username and password, you can set your SMTP environment variables:
-
-```
-SMTP_HOST=smtp.gmail.com
-SMTP_USERNAME=hey@gmail.com # your email
-SMTP_PASSWORD=password # your password
-SMTP_PORT=587
-SMTP_SECURE=true
-SMTP_FROM_ADDRESS=hey@gmail.com
-SMTP_FROM_NAME=Infisical
-```
-
-<Warning>
-  As per the [notice](https://support.google.com/accounts/answer/6010255?hl=en) by Google, you should note that using Gmail credentials for SMTP configuration
-  will only work for Google Workspace or Google Cloud Identity customers as of May 30, 2022.
-
-Put differently, the SMTP configuration is only possible with business (not personal) Gmail credentials.
-
-</Warning>
-
-</Accordion>
-
-<Accordion title="Office365">
-
-1. Create an account and configure [Office365](https://www.office.com/) to send emails.
-
-2. With your login credentials, you can now set up your SMTP environment variables:
-
-```
-SMTP_HOST=smtp.office365.com
-SMTP_USERNAME=username@yourdomain.com # your username
-SMTP_PASSWORD=password # your password
-SMTP_PORT=587
-SMTP_SECURE=true
-SMTP_FROM_ADDRESS=username@yourdomain.com
-SMTP_FROM_NAME=Infisical
-```
-
-</Accordion>
-
-<Accordion title="Zoho Mail">
-
-1. Create an account and configure [Zoho Mail](https://www.zoho.com/mail/) to send emails.
-
-2. With your email credentials, you can now set up your SMTP environment variables:
-
-```
-SMTP_HOST=smtp.zoho.com
-SMTP_USERNAME=username # your email
-SMTP_PASSWORD=password # your password
-SMTP_PORT=587
-SMTP_SECURE=true
-SMTP_FROM_ADDRESS=hey@example.com # your personal Zoho email or domain-based email linked to Zoho Mail
-SMTP_FROM_NAME=Infisical
-```
-
-<Note>
-  You can use either your personal Zoho email address like `you@zohomail.com` or
-  a domain-based email address like `you@yourdomain.com`. If using a
-  domain-based email address, then please make sure that you've configured and
-  verified it with Zoho Mail.
-</Note>
-
-<Info>
-  Remember that you will need to restart Infisical for this to work properly.
-</Info>
-</Accordion>
-
-</AccordionGroup>

docs/self-hosting/configuration/envars.mdx

@@ -1,188 +1,426 @@
 ---
-title: "All environment variables"
-description: "Configure your environment variables when self-hosting Infisical."
+title: "Configurations"
+description: "Configure environment variables for self-hosted Infisical"
 ---
 
-## Environment variables
 
-Depending on your chosen self hosted deployment method, you may need to configured at least the required environment variable listed below.
-Other environment variables are listed below to increase the functionality of your self hosted instance based on your use case.
+Infisical accepts all configurations via environment variables. For a basic self-hosted instance, at least `ENCRYPTION_KEY`, `AUTH_SECRET`, `DB_CONNECTION_URI` and `REDIS_URL` must be defined. 
+However, you can configure additional settings to activate more features as needed.
 
-<Tabs>
-  <Tab title="Required">
-    <ParamField query="ENCRYPTION_KEY" type="string" default="none" required>
-      Must be a random 16 byte hex string. Can be generated with `openssl rand -hex 16`
-    </ParamField>
+## General platform    
+Used to configure platform-specific security and operational settings
 
-    <ParamField query="AUTH_SECRET" type="string" default="none" required>
-      Must be a random 32 byte base64 string. Can be generated with `openssl rand -base64 32`
-    </ParamField>
-
-    <ParamField query="DB_CONNECTION_URI" type="string" default="none" required>
-      Postgres database connection string.
-    </ParamField>
-
-    <ParamField query="REDIS_URL" type="string" default="none" required>
-      Redis connection string
-    </ParamField>
-  </Tab>
-  <Tab title="Email service">
-    <Info>When email service is not configured, Infisical will have limited functionality</Info>
-
-    <ParamField query="SMTP_HOST" type="string" default="none" optional>
-      Hostname to connect to for establishing SMTP connections
-    </ParamField>
-
-    <ParamField query="SMTP_USERNAME" type="string" default="none" optional>
-      Credential to connect to host (e.g. team@infisical.com)
-    </ParamField>
-
-    <ParamField query="SMTP_PASSWORD" type="string" default="none" optional>
-      Credential to connect to host
-    </ParamField>
-
-    <ParamField query="SMTP_PORT" type="string" default="587" optional>
-        Port to connect to for establishing SMTP connections
-    </ParamField>
-
-    <ParamField query="SMTP_SECURE" type="string" default="none" optional>
-    If true, use TLS when connecting to host. If false, TLS will be used if STARTTLS is supported
-    </ParamField>
-
-    <ParamField query="SMTP_FROM_ADDRESS" type="string" default="none" optional>
-      Email address to be used for sending emails
-    </ParamField>
-
-    <ParamField query="SMTP_FROM_NAME" type="string" default="none" optional>
-      Name label to be used in From field (e.g. Team)
-    </ParamField>
-
-  </Tab>
-  <Tab title="Secret Integrations">
-    To sync secret to third party services, provide value for the related services
-
-    <ParamField query="CLIENT_ID_HEROKU" type="string" default="none" optional>
-      OAuth2 client ID for Heroku integration
-    </ParamField>
-
-    <ParamField query="CLIENT_SECRET_HEROKU" type="string" default="none" optional>
-      OAuth2 client secret for Heroku integration
-    </ParamField>
-
-    <ParamField query="CLIENT_ID_VERCEL" type="string" default="none" optional>
-      OAuth2 client ID for Vercel integration
-    </ParamField>
-
-    <ParamField query="CLIENT_SECRET_VERCEL" type="string" default="none" optional>
-      OAuth2 client secret for Vercel integration
-    </ParamField>
-
-    <ParamField query="CLIENT_ID_NETLIFY" type="string" default="none" optional>
-      OAuth2 client ID for Netlify integration
-    </ParamField>
-
-    <ParamField query="CLIENT_SECRET_NETLIFY" type="string" default="none" optional>
-      OAuth2 client secret for Netlify integration
-    </ParamField>
-
-    <ParamField query="CLIENT_ID_GITHUB" type="string" default="none" optional>
-      OAuth2 client ID for GitHub integration
-    </ParamField>
-
-    <ParamField query="CLIENT_SECRET_GITHUB" type="string" default="none" optional>
-      OAuth2 client secret for GitHub integration
-    </ParamField>
-
-    <ParamField query="CLIENT_SLUG_VERCEL" type="string" default="none" optional>
-      OAuth2 slug for Vercel integration
-    </ParamField>
-
-    <ParamField query="CLIENT_ID_BITBUCKET" type="string" default="none" optional>
-      OAuth2 client ID for BitBucket integration
-    </ParamField>
-
-    <ParamField query="CLIENT_SECRET_BITBUCKET" type="string" default="none" optional>
-      OAuth2 client secret for BitBucket integration
-    </ParamField>
-
-  </Tab>
-  <Tab title="Auth Integrations">
-    To integrate with external auth providers, provide value for the related keys
-    <ParamField query="CLIENT_ID_GOOGLE_LOGIN" type="string" default="none" optional>
-      OAuth2 client ID for Google login
-    </ParamField>
-    <ParamField query="CLIENT_SECRET_GOOGLE_LOGIN" type="string" default="none" optional>
-      OAuth2 client secret for Google login
-    </ParamField>
-    <ParamField query="CLIENT_ID_GITHUB_LOGIN" type="string" default="none" optional>
-      OAuth2 client ID for GitHub login
-    </ParamField>
-    <ParamField query="CLIENT_SECRET_GITHUB_LOGIN" type="string" default="none" optional>
-      OAuth2 client secret for GitHub login
-    </ParamField>
-    <ParamField query="CLIENT_ID_GITLAB_LOGIN" type="string" default="none" optional>
-      OAuth2 client ID for GitLab login
-    </ParamField>
-    <ParamField query="CLIENT_SECRET_GITLAB_LOGIN" type="string" default="none" optional>
-      OAuth2 client secret for GitLab login
-    </ParamField>
-    <ParamField query="URL_GITLAB_LOGIN" type="string" default="https://gitlab.com" optional>
-      URL of your self-hosted instance of GitLab where the OAuth application is registered
-    </ParamField>
-  </Tab>
-  <Tab title="Others">
-    #### JWT
-    <ParamField query="JWT_SIGNUP_LIFETIME" type="string" default="15m" optional>
-      JWT token lifetime expressed in seconds or a string describing a time span
-    </ParamField>
-
-    <ParamField query="JWT_REFRESH_LIFETIME" type="string" default="90d" optional>
-      JWT token lifetime expressed in seconds or a string describing a time span
-    </ParamField>
-
-    <ParamField query="JWT_AUTH_LIFETIME" type="string" default="10d" optional>
-      JWT token lifetime expressed in seconds or a string describing a time span
-    </ParamField>
-
-    <ParamField query="JWT_MFA_LIFETIME" type="string" default="5m" optional>
-      JWT token lifetime expressed in seconds or a string describing a time span
-    </ParamField>
-
-    <ParamField query="JWT_PROVIDER_AUTH_LIFETIME" type="string" default="5m" optional>
-      JWT token lifetime expressed in seconds or a string describing a time span
-    </ParamField>
-
-#### Logging
-
-Infisical uses Sentry to report error logs
-
-<ParamField
-  query="PINO_LOG_LEVEL"
-  type="string"
-  default="info"
-  optional
->
-  The minimum log level for application logging; can be one of `trace`, `debug`, `info`, `warn`, `error`, or `fatal`.
+<ParamField query="ENCRYPTION_KEY" type="string" default="none" required>
+  Must be a random 16 byte hex string. Can be generated with `openssl rand -hex 16`
 </ParamField>
 
-<ParamField
-  query="SENTRY_DSN"
-  type="string"
-  default="none"
-  optional
-></ParamField>
-
-#### Settings
-
-{" "}
-
-<ParamField query="INVITE_ONLY_SIGNUP" type="string" default="false" optional>
-  Only allow users who are invited to sign up
+<ParamField query="AUTH_SECRET" type="string" default="none" required>
+  Must be a random 32 byte base64 string. Can be generated with `openssl rand -base64 32`
 </ParamField>
 
-  <ParamField query="SITE_URL" type="string" default="none" optional>
-    Site URL - should be an absolute URL including the protocol (e.g. https://app.infisical.com)
+<ParamField query="SITE_URL" type="string" default="none" optional>
+  Must be an absolute URL including the protocol (e.g. https://app.infisical.com).
+</ParamField>
+
+## Data Layer 
+The platform utilizes Postgres to persist all of its data and Redis for caching and backgroud tasks
+
+<ParamField query="DB_CONNECTION_URI" type="string" default="" required>
+  Postgres database connection string. 
+</ParamField>
+
+<ParamField query="DB_ROOT_CERT" type="string" default="" optional>
+  Configure the SSL certificate for securing a Postgres connection by first encoding it in base64. 
+  Use the command below to encode your certificate:
+  `echo "<certificate>" | base64`
+</ParamField>
+
+<ParamField query="REDIS_URL" type="string" default="none" required>
+  Redis connection string.
+</ParamField>
+
+
+
+## Email service
+Without email configuration, Infisical's core functions like sign-up/login and secret operations work, but this disables multi-factor authentication, email invites for projects, alerts for suspicious logins, and all other email-dependent features.
+
+<Accordion title="Generic Configuration">
+  <ParamField query="SMTP_HOST" type="string" default="none" optional>
+    Hostname to connect to for establishing SMTP connections
   </ParamField>
-  <ParamField query="TELEMETRY_ENABLED" type="string" default="true" optional></ParamField>
-  </Tab>
-</Tabs>
+
+  <ParamField query="SMTP_USERNAME" type="string" default="none" optional>
+    Credential to connect to host (e.g. team@infisical.com)
+  </ParamField>
+
+  <ParamField query="SMTP_PASSWORD" type="string" default="none" optional>
+    Credential to connect to host
+  </ParamField>
+
+  <ParamField query="SMTP_PORT" type="string" default="587" optional>
+      Port to connect to for establishing SMTP connections
+  </ParamField>
+
+  <ParamField query="SMTP_SECURE" type="string" default="none" optional>
+  If true, use TLS when connecting to host. If false, TLS will be used if STARTTLS is supported
+  </ParamField>
+
+  <ParamField query="SMTP_FROM_ADDRESS" type="string" default="none" optional>
+    Email address to be used for sending emails
+  </ParamField>
+
+  <ParamField query="SMTP_FROM_NAME" type="string" default="none" optional>
+    Name label to be used in From field (e.g. Team)
+  </ParamField>
+</Accordion>
+
+<Accordion title="Twilio SendGrid">
+
+  1. Create an account and configure [SendGrid](https://sendgrid.com) to send emails.
+  2. Create a SendGrid API Key under Settings > [API Keys](https://app.sendgrid.com/settings/api_keys)
+  3. Set a name for your API Key, we recommend using "Infisical," and select the "Restricted Key" option. You will need to enable the "Mail Send" permission as shown below:
+
+  ![creating sendgrid api key](../../images/self-hosting/configuration/email/email-sendgrid-create-key.png)
+
+  ![setting sendgrid api key restriction](../../images/self-hosting/configuration/email/email-sendgrid-restrictions.png)
+
+  4. With the API Key, you can now set your SMTP environment variables:
+
+  ```
+  SMTP_HOST=smtp.sendgrid.net
+  SMTP_USERNAME=apikey
+  SMTP_PASSWORD=SG.rqFsfjxYPiqE1lqZTgD_lz7x8IVLx # your SendGrid API Key from step above
+  SMTP_PORT=587
+  SMTP_SECURE=true
+  SMTP_FROM_ADDRESS=hey@example.com # your email address being used to send out emails
+  SMTP_FROM_NAME=Infisical
+  ```
+
+  <Info>
+    Remember that you will need to restart Infisical for this to work properly.
+  </Info>
+</Accordion>
+
+<Accordion title="Mailgun">
+  1. Create an account and configure [Mailgun](https://www.mailgun.com) to send emails.
+  2. Obtain your Mailgun credentials in Sending > Overview > SMTP
+
+  ![obtain mailhog api key estriction](../../images/self-hosting/configuration/email/email-mailhog-credentials.png)
+
+  3. With your Mailgun credentials, you can now set up your SMTP environment variables:
+
+  ```
+  SMTP_HOST=smtp.mailgun.org # obtained from credentials page
+  SMTP_USERNAME=postmaster@example.mailgun.org # obtained from credentials page
+  SMTP_PASSWORD=password # obtained from credentials page
+  SMTP_PORT=587
+  SMTP_SECURE=true
+  SMTP_FROM_ADDRESS=hey@example.com # your email address being used to send out emails
+  SMTP_FROM_NAME=Infisical
+  ```
+</Accordion>
+
+<Accordion title="AWS SES">
+  1. Create an account and [configure AWS SES](https://aws.amazon.com/premiumsupport/knowledge-center/ses-set-up-connect-smtp/) to send emails in the Amazon SES console.
+  2. Create an IAM user for SMTP authentication and obtain SMTP credentials in SMTP settings > Create SMTP credentials
+
+  ![opening AWS SES console](../../images/self-hosting/configuration/email/email-aws-ses-console.png)
+
+  ![creating AWS IAM SES user](../../images/self-hosting/configuration/email/email-aws-ses-user.png)
+
+  3. With your AWS SES SMTP credentials, you can now set up your SMTP environment variables:
+
+  ```
+  SMTP_HOST=email-smtp.ap-northeast-1.amazonaws.com # SMTP endpoint obtained from SMTP settings
+  SMTP_USERNAME=xxx # your SMTP username
+  SMTP_PASSWORD=xxx # your SMTP password
+  SMTP_PORT=587
+  SMTP_SECURE=true
+  SMTP_FROM_ADDRESS=hey@example.com # your email address being used to send out emails
+  SMTP_FROM_NAME=Infisical
+  ```
+
+  <Info>
+    Remember that you will need to restart Infisical for this to work properly.
+  </Info>
+</Accordion>
+
+<Accordion title="SocketLabs">
+  1. Create an account and configure [SocketLabs](https://www.socketlabs.com/) to send emails.
+  2. From the dashboard, navigate to SMTP Credentials > SMTP & APIs > SMTP Credentials to obtain your SocketLabs SMTP credentials.
+
+  ![opening SocketLabs dashboard](../../images/self-hosting/configuration/email/email-socketlabs-dashboard.png)
+
+  ![obtaining SocketLabs credentials](../../images/self-hosting/configuration/email/email-socketlabs-credentials.png)
+
+  3. With your SocketLabs SMTP credentials, you can now set up your SMTP environment variables:
+
+  ```
+  SMTP_HOST=smtp.socketlabs.com
+  SMTP_USERNAME=username # obtained from your credentials
+  SMTP_PASSWORD=password # obtained from your credentials
+  SMTP_PORT=587
+  SMTP_SECURE=true
+  SMTP_FROM_ADDRESS=hey@example.com # your email address being used to send out emails
+  SMTP_FROM_NAME=Infisical
+  ```
+
+  <Note>
+    The `SMTP_FROM_ADDRESS` environment variable should be an email for an
+    authenticated domain under Configuration > Domain Management in SocketLabs.
+    For example, if you're using SocketLabs in sandbox mode, then you may use an
+    email like `team@sandbox.socketlabs.dev`.
+  </Note>
+
+  ![SocketLabs domain management](../../images/self-hosting/configuration/email/email-socketlabs-domains.png)
+
+  <Info>
+    Remember that you will need to restart Infisical for this to work properly.
+  </Info>
+</Accordion>
+
+<Accordion title="Resend">
+  1. Create an account on [Resend](https://resend.com).
+  2. Add a [Domain](https://resend.com/domains).
+
+  ![adding resend domain](../../images/self-hosting/configuration/email/email-resend-create-domain.png)
+
+  3. Create an [API Key](https://resend.com/api-keys).
+
+  ![creating resend api key](../../images/self-hosting/configuration/email/email-resend-create-key.png)
+
+  4. Go to the [SMTP page](https://resend.com/settings/smtp) and copy the values.
+
+  ![go to resend smtp settings](../../images/self-hosting/configuration/email/email-resend-smtp-settings.png)
+
+  5. With the API Key, you can now set your SMTP environment variables variables:
+
+  ```
+  SMTP_HOST=smtp.resend.com
+  SMTP_USERNAME=resend
+  SMTP_PASSWORD=YOUR_API_KEY
+  SMTP_PORT=587
+  SMTP_SECURE=true
+  SMTP_FROM_ADDRESS=hey@example.com # your email address being used to send out emails
+  SMTP_FROM_NAME=Infisical
+  ```
+    <Info>
+      Remember that you will need to restart Infisical for this to work properly.
+    </Info>
+</Accordion>
+
+<Accordion title="Gmail">
+  Create an account and enable "less secure app access" in Gmail Account Settings > Security. This will allow
+  applications like Infisical to authenticate with Gmail via your username and password.
+
+  ![Gmail secure app access](../../images/self-hosting/configuration/email/email-gmail-app-access.png)
+
+  With your Gmail username and password, you can set your SMTP environment variables:
+
+  ```
+  SMTP_HOST=smtp.gmail.com
+  SMTP_USERNAME=hey@gmail.com # your email
+  SMTP_PASSWORD=password # your password
+  SMTP_PORT=587
+  SMTP_SECURE=true
+  SMTP_FROM_ADDRESS=hey@gmail.com
+  SMTP_FROM_NAME=Infisical
+  ```
+
+  <Warning>
+    As per the [notice](https://support.google.com/accounts/answer/6010255?hl=en) by Google, you should note that using Gmail credentials for SMTP configuration
+    will only work for Google Workspace or Google Cloud Identity customers as of May 30, 2022.
+
+  Put differently, the SMTP configuration is only possible with business (not personal) Gmail credentials.
+
+  </Warning>
+</Accordion>
+
+<Accordion title="Office365">
+  1. Create an account and configure [Office365](https://www.office.com/) to send emails.
+
+  2. With your login credentials, you can now set up your SMTP environment variables:
+
+  ```
+  SMTP_HOST=smtp.office365.com
+  SMTP_USERNAME=username@yourdomain.com # your username
+  SMTP_PASSWORD=password # your password
+  SMTP_PORT=587
+  SMTP_SECURE=true
+  SMTP_FROM_ADDRESS=username@yourdomain.com
+  SMTP_FROM_NAME=Infisical
+  ```
+</Accordion>
+
+<Accordion title="Zoho Mail">
+  1. Create an account and configure [Zoho Mail](https://www.zoho.com/mail/) to send emails.
+
+  2. With your email credentials, you can now set up your SMTP environment variables:
+
+  ```
+  SMTP_HOST=smtp.zoho.com
+  SMTP_USERNAME=username # your email
+  SMTP_PASSWORD=password # your password
+  SMTP_PORT=587
+  SMTP_SECURE=true
+  SMTP_FROM_ADDRESS=hey@example.com # your personal Zoho email or domain-based email linked to Zoho Mail
+  SMTP_FROM_NAME=Infisical
+  ```
+
+  <Note>
+    You can use either your personal Zoho email address like `you@zohomail.com` or
+    a domain-based email address like `you@yourdomain.com`. If using a
+    domain-based email address, then please make sure that you've configured and
+    verified it with Zoho Mail.
+  </Note>
+
+  <Info>
+    Remember that you will need to restart Infisical for this to work properly.
+  </Info>
+</Accordion>
+
+
+
+
+
+## SSO based login
+By default, users can only login via email/password based login method.
+To login into Infisical with OAuth providers such as Google, configure the associated variables.
+
+<Accordion title="Google">
+  Follow detailed guide to configure [Google SSO](/documentation/platform/sso/google)
+
+  <ParamField query="CLIENT_ID_GOOGLE_LOGIN" type="string" default="none" optional>
+  OAuth2 client ID for Google login
+  </ParamField>
+  <ParamField query="CLIENT_SECRET_GOOGLE_LOGIN" type="string" default="none" optional>
+    OAuth2 client secret for Google login
+  </ParamField>
+</Accordion>
+
+<Accordion title="Github">
+  Follow detailed guide to configure [GitHub SSO](/documentation/platform/sso/github)
+
+  <ParamField query="CLIENT_ID_GITHUB_LOGIN" type="string" default="none" optional>
+    OAuth2 client ID for GitHub login
+  </ParamField>
+  <ParamField query="CLIENT_SECRET_GITHUB_LOGIN" type="string" default="none" optional>
+    OAuth2 client secret for GitHub login
+  </ParamField>
+</Accordion>
+
+<Accordion title="Gitlab">
+  Follow detailed guide to configure [GitLab SSO](/documentation/platform/sso/gitlab)
+
+  <ParamField query="CLIENT_ID_GITLAB_LOGIN" type="string" default="none" optional>
+    OAuth2 client ID for GitLab login
+  </ParamField>
+  <ParamField query="CLIENT_SECRET_GITLAB_LOGIN" type="string" default="none" optional>
+    OAuth2 client secret for GitLab login
+  </ParamField>
+  <ParamField query="URL_GITLAB_LOGIN" type="string" default="https://gitlab.com" optional>
+    URL of your self-hosted instance of GitLab where the OAuth application is registered
+  </ParamField>
+</Accordion>
+
+<Accordion title="Okta SAML">
+  Requires enterprise license. Please contact team@infisical.com to get more information.
+</Accordion>
+
+<Accordion title="Azure SAML">
+  Requires enterprise license. Please contact team@infisical.com to get more information.
+</Accordion>
+
+<Accordion title="JumpCloud SAML">
+  Requires enterprise license. Please contact team@infisical.com to get more information.
+</Accordion>
+
+
+
+
+
+## Native secret integrations
+To help you sync secrets from Infisical to services such as Github and Gitlab, Infisical provides native integrations out of the box.
+
+<Accordion title="Heroku">
+  <ParamField query="CLIENT_ID_HEROKU" type="string" default="none" optional>
+    OAuth2 client ID for Heroku integration
+  </ParamField>
+  <ParamField query="CLIENT_SECRET_HEROKU" type="string" default="none" optional>
+    OAuth2 client secret for Heroku integration
+  </ParamField>
+</Accordion>
+
+<Accordion title="Vercel">
+  <ParamField query="CLIENT_ID_VERCEL" type="string" default="none" optional>
+    OAuth2 client ID for Vercel integration
+  </ParamField>
+
+  <ParamField query="CLIENT_SECRET_VERCEL" type="string" default="none" optional>
+    OAuth2 client secret for Vercel integration
+  </ParamField>
+
+  <ParamField query="CLIENT_SLUG_VERCEL" type="string" default="none" optional>
+    OAuth2 slug for Vercel integration
+  </ParamField>
+</Accordion>
+
+<Accordion title="Netlify">
+  <ParamField query="CLIENT_ID_NETLIFY" type="string" default="none" optional>
+    OAuth2 client ID for Netlify integration
+  </ParamField>
+
+  <ParamField query="CLIENT_SECRET_NETLIFY" type="string" default="none" optional>
+    OAuth2 client secret for Netlify integration
+  </ParamField>
+</Accordion>
+
+<Accordion title="Github">
+  <ParamField query="CLIENT_ID_GITHUB" type="string" default="none" optional>
+    OAuth2 client ID for GitHub integration
+  </ParamField>
+
+  <ParamField query="CLIENT_SECRET_GITHUB" type="string" default="none" optional>
+    OAuth2 client secret for GitHub integration
+  </ParamField>
+</Accordion>
+
+<Accordion title="Bitbucket">
+  <ParamField query="CLIENT_ID_BITBUCKET" type="string" default="none" optional>
+    OAuth2 client ID for BitBucket integration
+  </ParamField>
+
+  <ParamField query="CLIENT_SECRET_BITBUCKET" type="string" default="none" optional>
+    OAuth2 client secret for BitBucket integration
+  </ParamField>
+</Accordion>
+
+<Accordion title="GCP Secrets Manager">
+  <ParamField query="CLIENT_ID_GCP_SECRET_MANAGER" type="string" default="none" optional>
+    OAuth2 client id for GCP secrets manager integration
+  </ParamField>
+
+  <ParamField query="CLIENT_SECRET_GCP_SECRET_MANAGER" type="string" default="none" optional>
+    OAuth2 client secret for GCP secrets manager integration
+  </ParamField>
+</Accordion>
+
+<Accordion title="Azure">
+  <ParamField query="CLIENT_ID_AZURE" type="string" default="none" optional>
+    OAuth2 client id for Azure integration
+  </ParamField>
+
+  <ParamField query="CLIENT_SECRET_AZURE" type="string" default="none" optional>
+    OAuth2 client secret for Azure integration
+  </ParamField>
+</Accordion>
+
+<Accordion title="Gitlab">
+  <ParamField query="CLIENT_ID_GITLAB" type="string" default="none" optional>
+    OAuth2 client id for Gitlab integration
+  </ParamField>
+
+  <ParamField query="CLIENT_SECRET_GITLAB" type="string" default="none" optional>
+    OAuth2 client secret for Gitlab integration
+  </ParamField>
+</Accordion>

docs/self-hosting/configuration/redis.mdx

@@ -1,83 +0,0 @@
----
-title: "Configure Redis"
-description: "Learn to configure Redis with your self hosted Infisical"
----
-
-## Why Redis?
-As the features and use case of Infisical have grown, the need for a fast and reliable in-memory data storage has become clear. 
-By adding Redis to Infisical, we can now support more complex workflows such as queuing system to run long running asynchronous tasks, cron jobs, and access reliable cache to speed up frequently used resources. 
-
-<Info>
-  Starting with Infisical version v0.31.0, Redis will be required to fully use Infisical
-</Info>
-
-### Adding Redis to your self hosted instance of Infisical
-To add Redis to your self hosted instance, follow the instructions for the deployment method you used.
-
-<Tabs>
-  <Tab title="Kubernetes Helm chart">
-    ### In cluster Redis
-    By default, new versions of the Infisical Helm chart already comes with an in-cluster Redis instance. To deploy a in-cluster Redis instance along with your Infisical instance, update your Infisical chart then redeploy/upgrade your release. 
-    This will spin up a Redis instance and automatically configure it with your Infisical backend. 
-
-    1. Update Infisical Helm chart 
-    ```bash
-    helm repo update
-    ```
-
-    2. Upgrade Infisical release
-    ```bash
-    helm upgrade <infisical release name> infisical-helm-charts/infisical  --values <path to your values file>
-    ```
-    ### External Redis 
-    If you want to use an external Redis instance, please add a Redis connection URL under the backend environments variables and then upgrade/redeploy your Infisical instance.
-
-    1. Update your helm values file 
-    ```yaml your-values.yaml
-    backendEnvironmentVariables:
-      REDIS_URL=<your redis connection string>
-    ```
-
-    2. Upgrade Infisical release
-    ```bash
-    helm upgrade <infisical release name> infisical-helm-charts/infisical  --values <path to your values file>
-    ``` 
-  </Tab>
-  <Tab title="Docker compose">
-    ### Internal Redis service
-    By default, new versions of the docker compose file already comes with a Redis service. To use the pre-configured Redis service, please update your docker compose file to the latest version.
-
-    1. Download the new docker compose file
-    ```
-    wget -O docker-compose.yml https://raw.githubusercontent.com/Infisical/infisical/main/docker-compose.yml
-    ```
-    2. Add Redis environment variable to your .env file
-    ```.env .env
-      REDIS_URL=redis://redis:6379
-    ```
-
-    3. Restart your docker compose services 
-  </Tab>
-  <Tab title="Standalone Docker image">
-    This standalone version of Infisical does not have an internal Redis service. To configure Redis with your Infisical instance, you must connect to a external Redis service by setting the connection string as an environment variable.
-
-    Example: 
-
-    ```bash 
-    docker run -p 80:80  \
-    -e ENCRYPTION_KEY=f40c9178624764ad85a6830b37ce239a \
-    -e JWT_SIGNUP_SECRET=38ea90fb7998b92176080f457d890392 \
-    -e JWT_REFRESH_SECRET=7764c7bbf3928ad501591a3e005eb364 \
-    -e JWT_AUTH_SECRET=5239fea3a4720c0e524f814a540e14a2 \
-    -e JWT_SERVICE_SECRET=8509fb8b90c9b53e9e61d1e35826dcb5  \
-    -e REDIS_URL=<> \
-    -e MONGO_URL="<>" \
-    infisical/infisical:latest
-    ```
-
-    Redis environment variable name: `REDIS_URL`
-  </Tab>
-</Tabs>
-
-## Support 
-If you have questions or need support, please join our [slack channel](https://infisical-users.slack.com) and one of our teammates will be happy to guide you.

docs/self-hosting/configuration/requirements.mdx

@@ -0,0 +1,71 @@
+---
+title: "Requirements"
+description: ""
+---
+
+This page details the minimum requirements necessary for installing and using Infisical. 
+The actual resource requirements will vary in direct proportion to the operations performed by Infisical and the level of utilization by the end users.
+
+
+
+## Deployment Sizes
+
+**Small** suitable for most initial production setups, as well as development and testing scenarios.
+
+**Large** suitable for high-demand production environments, characterized by either a high volume of transactions, large number of secrets, or both.
+
+
+## Hardware Requirements
+
+### Storage
+
+Infisical doesn’t require file storage as all persisted data is saved in the database. 
+However, its logs and metrics are saved to disk for later viewing. As a result, we recommend provisioning 1-2 GB of storage.
+
+### CPU
+
+CPU requirements vary heavily on the volume of secret operations (reads and writes) you anticipate. 
+Processing large volumes of secrets frequently and consistently will require higher CPU.
+
+Recommended minimum CPU hardware for different sizes of deployments:
+
+- **small:** 2-4 core is the **recommended** minimum
+- **large:** 4-8 cores are suitable for larger deployments
+
+### Memory Allocation
+
+Memory needs depend on expected workload, including factors like user activity, automation level, and the frequency of secret operations.
+
+Recommended minimum memory hardware for different sizes of deployments:
+- **small:** 4-8 GB is the **recommended** minimum
+- **large:** 16-32 GB are suitable for larger deployments
+
+## Database & caching layer
+
+### Postgres
+
+PostgreSQL is the only database supported by Infisical. Infisical has been extensively tested with Postgres version 16. We recommend using versions 14 and up for optimal compatibility.
+
+Recommended resource allocation based on deployment size:
+- **small:** 1 vCPU / 2 GB RAM / 10 GB Disk
+- **large:** 4vCPU / 16 GB RAM / 100 GB Disk
+
+### Redis
+
+Redis is utilized for session management and background tasks in Infisical.
+
+Redis requirements:
+
+- Use Redis versions 6.x or 7.x. We advise upgrading to at least Redis 6.2.
+- Redis Cluster mode is currently not supported; use Redis Standalone, with or without High Availability (HA).
+- Redis storage needs are minimal: a setup with 1 vCPU, 1 GB RAM, and 1GB SSD will be sufficient for most deployments.
+
+## Supported Web Browsers
+
+Infisical supports a range of web browsers. However, features such as browser-based CLI login only work on Google Chrome and Firefox at the moment.
+
+- [Mozilla Firefox](https://www.mozilla.org/en-US/firefox/new/)
+- [Google Chrome](https://www.google.com/chrome/) 
+- [Chromium](https://www.chromium.org/getting-involved/dev-channel/)
+- [Apple Safari](https://www.apple.com/safari/)
+- [Microsoft Edge](https://www.microsoft.com/en-us/edge?form=MA13FJ)

docs/self-hosting/configuration/schema-migrations.mdx

@@ -0,0 +1,60 @@
+---
+title: "Schema migration"
+description: "Run Postgres schema migrations"
+---
+
+Running schema migrations is a requirement before deploying Infisical. 
+Each time you decide to upgrade your version of Infisical, it's necessary to run schema migrations for that specific version. 
+The guide below outlines a step-by-step guide to help you through this process.
+
+### Prerequisites
+- Docker installed on your machine
+- An active PostgreSQL database
+- Postgres database connection string
+
+<Steps>
+  <Step title="Pull the Infisical Docker Image">
+    First, ensure you have the correct version of the Infisical Docker image. You can pull it from Docker Hub using the following command:
+    ```bash
+    docker pull infisical/infisical:<version>
+    ```
+    Replace `<version>` with the specific version number you intend to deploy. View available versions [here](https://hub.docker.com/r/infisical/infisical/tags)
+  </Step>
+
+  <Step title="Set Up the Environment Variable">
+    The Docker image requires a `DB_CONNECTION_URI` environment variable. This connection string should point to your PostgreSQL database. The format generally looks like this: `postgresql://username:password@host:port/database`.
+  </Step>
+
+  <Step title="Run the Migration ">
+    To run the schema migration for the version of Infisical you want to deploy, use the following Docker command:
+
+    ```bash
+    docker run --env DB_CONNECTION_URI=<your_connection_string> infisical/infisical:<version> npm run migration:latest
+    ```
+    Replace `<your_connection_string>` with your actual PostgreSQL connection string, and `<version>` with the desired version number.
+  </Step>
+
+  <Step title="Verify the Migration">
+    After running the migration, it's good practice to check if the migration was successful. You can do this by checking the logs or accessing your database to ensure the schema has been updated accordingly.
+  </Step>
+  <Step title="Rollback If Needed">
+    If you need to rollback a migration by one step, use the following command:
+
+    ```bash
+    docker run --env DB_CONNECTION_URI=<your_connection_string> infisical/infisical:<version> npm run migration:rollback
+    ```
+  </Step>
+
+  <Step title="Repeat for Each Version">
+    It's important to run schema migrations for each version of the Infisical you deploy. For instance, if you're updating from `infisical/infisical:1` to `infisical/infisical:2`, ensure you run the schema migrations for `infisical/infisical:2` before deploying it.
+  </Step>
+</Steps>
+
+<Tip>
+  In a production setting, we recommend a more structured approach to deploying migrations prior to upgrading Infisical. This can be accomplished via CI automation.
+</Tip>
+
+### Additional discussion 
+- Always back up your database before running migrations, especially in a production environment.
+- Test the migration process in a staging environment before applying it to production.
+- Keep track of the versions and their corresponding migrations to avoid any inconsistencies.

docs/self-hosting/configuration/sso.mdx

@@ -1,21 +0,0 @@
----
-title: "Configure SSO"
-description: "How to configure SSO when self-hosting Infisical."
----
-
-<Warning>
-  Infisical offers Google SSO and GitHub SSO for free.
-  
-  Infisical also offers SAML SSO authentication but as paid features that can be unlocked via enterprise license; if this is of interest, please contact team@infisical.com.
-  On this front, we currently support Okta, Azure AD, and JumpCloud and are expanding support for other IdPs in the coming months; stay tuned and feel free to request a IdP at this
-  [issue](https://github.com/Infisical/infisical/issues/442).
-</Warning>
-
-You can view specific documentation for how to set up each SSO authentication method below:
-
-- [Google SSO](/documentation/platform/sso/google)
-- [GitHub SSO](/documentation/platform/sso/github)
-- [GitLab SSO](/documentation/platform/sso/gitlab)
-- [Okta SAML](/documentation/platform/sso/okta)
-- [Azure SAML](/documentation/platform/sso/azure)
-- [JumpCloud SAML](/documentation/platform/sso/jumpcloud)

docs/self-hosting/deployment-options/docker-compose.mdx

@@ -67,7 +67,8 @@ View all available configurations [here](/self-hosting/configuration/envars).
 
 <Warning>
   The default .env file contains credentials that are intended solely for testing purposes.
-  For production use, please generate a new `ENCRYPTION_KEY` and `AUTH_SECRET`. Instructions to do so, can be found [here](/self-hosting/configuration/envars)
+  Please generate a new `ENCRYPTION_KEY` and `AUTH_SECRET` for use outside of testing. 
+  Instructions to do so, can be found [here](/self-hosting/configuration/envars).
 </Warning>
 
 ## Start Infisical
@@ -77,4 +78,6 @@ Run the command below to start Infisical and all related services.
 docker-compose -f docker-compose.prod.yml up
 ```
 
-Your Infisical instance should now be running on port `80`. To access your instance, visit `http://localhost:80`.
+Your Infisical instance should now be running on port `80`. To access your instance, visit `http://localhost:80`.
+
+![self host sign up](images/self-hosting/applicable-to-all/selfhost-signup.png)

docs/self-hosting/deployment-options/kubernetes-helm.mdx

@@ -1,163 +1,183 @@
 ---
 title: "Kubernetes via Helm Chart"
-description: "Use our Helm chart to Install Infisical on your Kubernetes cluster"
+description: "Use Helm chart to install Infisical on your Kubernetes cluster"
 --- 
 **Prerequisites**
-- You have understanding of [Kubernetes](https://kubernetes.io/)
+- You have extensive understanding of [Kubernetes](https://kubernetes.io/)
 - Installed [Helm package manager](https://helm.sh/) version v3.11.3 or greater
 - You have [kubectl](https://kubernetes.io/docs/reference/kubectl/kubectl/) installed and connected to your kubernetes cluster
 
-By deploying Infisical on Kubernetes, you can take advantage of its features to ensure that the application is fault-tolerant, highly available, and scalable.
-To make the installation process easier and more streamlined, we have created a Helm chart that you can use to install Infisical on Kubernetes. 
-
-Helm is a package manager for Kubernetes that simplifies the installation and management of Kubernetes applications. 
-With our Helm chart, you can easily install Infisical on Kubernetes, configure it to your liking, and scale it up or down as needed. 
-
-## Install Infisical Helm repository 
-
-```bash
-helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/' 
-  
-helm repo update
-```
-
-## Add Helm values 
-
-Create a values.yaml file to configure various installation settings, such as the docker image tags and environment variables. To explore all configurable properties for your values file, [visit this page](https://github.com/Infisical/infisical/tree/main/helm-charts/infisical).
-
-#### Set image tags
-
-By default, the application will use the `latest` docker image tag. This is okay for test environments; however, for production deployments it is important to pin your deployment to a particular docker image tag to prevent receiving unintended changes.
-<Tip>
-  To find the latest version number of Infisical, click [here](https://hub.docker.com/r/infisical/infisical/tags)
-</Tip>
-
-```yaml simple-values-example.yaml 
-backend:
-  replicaCount: 2
-  image:
-    tag: "v0.39.5" # <--- update to the newest version found here https://hub.docker.com/r/infisical/infisical/tags
-    pullPolicy: Always
-```
-
-#### Configure environment variables
-
-You can configure environment variables for your instance of Infisical though the Helm values file under the property `backendEnvironmentVariables`. View configurable [environment variables](../configuration/envars).
-
-Infisical requires the following backend environment variables to be defined: _`ENCRYPTION_KEY`_, _`JWT_SIGNUP_SECRET`_, _`JWT_REFRESH_SECRET`_, _`JWT_AUTH_SECRET`_, _`JWT_MFA_SECRET`_ and _`JWT_SERVICE_SECRET`_. 
-
-<Info>
-Each of the above environment variables can be generated by running the command `openssl rand -hex 16` in your terminal. 
-</Info>
-
-However, when the above environment variables are not defined, the Helm chart 
-will automatically generate these environment variables for you. The generated environment variables will be saved to a Kubernetes secret and will be preserved between upgrades or uninstalls. 
-
-```yaml simple-values-example.yaml 
-...
-backendEnvironmentVariables:
-  HTTPS_ENABLED: true
-  INVITE_ONLY_SIGNUP: false
-  ...
-```
-
-<Info>
-  Infisical assumes that you have configured HTTPS. If you didn't configure HTTPS, set `HTTPS_ENABLED` to `false` in the backend environment variable to avoid frequent logouts.
-</Info>
-
-#### Routing external traffic
-By default, Infisical takes all traffic coming to your external load balancer's IP address and routes them Infisical's services. 
-Infisical uses Nginx to route external traffic. You can install Nginx along with Infisical by setting `ingress.enabled` to `true` in the Helm values file. View all [properties for ingress](https://github.com/Infisical/infisical/tree/main/helm-charts/infisical).
-
-```yaml simple-values-example.yaml 
-...
-ingress:
-  nginx:
-    enabled: true #<-- if you would like to install nginx along with Infisical
-```
-
-#### Database 
-Infisical uses a MongoDB as its persistence layer. With this Helm chart, a MongoDB instance is automatically spun up for use with Infisical. 
-When persistence is enabled, the data will be stored as Kubernetes Persistence Volume. View all [properties for mongodb](https://github.com/Infisical/infisical/tree/main/helm-charts/infisical).
-
-```yaml simple-values-example.yaml 
-mongodb:
-  enabled: true
-  persistence:
-    enabled: false
-```
-
-To achieve high availability and data redundancy, we recommend that you use a managed document database service such as AWS Document DB, MongoDB or similar services instead of the in cluster database. 
-Managed database connection string can be set in the `backendEnvironmentVariables`.
-
-#### Example helm values
-```yaml simple-values-example.yaml 
-backend:
-  replicaCount: 2
-  image:
-    tag: "v0.39.5"
-    pullPolicy: Always
-
-backendEnvironmentVariables:
-  HTTPS_ENABLED: true
-
-ingress:
-  nginx:
-    enabled: true
-
-```
-
-<Accordion title="Full helm values example">
-  ```yaml values.yaml 
-  ingress:
-    nginx:
-      enabled: true
-
-  backend:
-    enabled: true
-    name: backend
-    podAnnotations: {}
-    deploymentAnnotations: {}
-    replicaCount: 4
-    image:
-      tag: "v0.39.5"
-      pullPolicy: IfNotPresent
-    kubeSecretRef: null
-    service:
-      annotations: {}
-      type: ClusterIP
-      nodePort: ""
-  
-  # View all environment variables https://infisical.com/docs/self-hosting/configuration/envars
-  backendEnvironmentVariables:
-    MONGO_URL: <>
-    HTTPS_ENABLED: <>
+<Steps>
+  <Step title="Install Infisical Helm repository ">
+    ```bash
+    helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/' 
+    ```
+    ```
+    helm repo update
+    ```
+  </Step>
+  <Step title="Add Helm values">
+    Create a `values.yaml` file. This will be used to configure settings for the Infisical Helm chart.
+    To explore all configurable properties for your values file, [visit this page](https://raw.githubusercontent.com/Infisical/infisical/main/helm-charts/infisical-standalone-postgres/values.yaml).
+  </Step>
+  <Step title="Select Infisical version">
+    By default, the Infisical version set in your helm chart will likely be outdated. 
+    Choose the latest Infisical docker image tag from here [here](https://hub.docker.com/r/infisical/infisical/tags).
     
 
-  ## Mongo DB persistence 
-  mongodb:
-    enabled: true
-    persistence:
-      enabled: true
-  ```
-</Accordion>
+    ```yaml values.yaml
+    infisical:
+      image:
+        repository: infisical/infisical
+        tag: "v0.46.2-postgres" #<-- update
+        pullPolicy: IfNotPresent
+    ```
+    <Warning>
+      Do you not use the latest docker image tag in production deployments as they can introduce unexpected changes
+    </Warning>
+  </Step>
 
-## Install the Helm chart 
+  <Step title="Configure environment variables">
 
-By default, the helm chart will be installed on your default namespace. If you wish to install the Chart on a different namespace, you may specify
-that by adding the `--namespace <namespace-to-install-to>` to your `helm install` command.
+    To deploy this Helm chart, a Kubernetes secret named `infisical-secrets` must be present in the same namespace where the chart is being deployed.
 
-```bash
-## Installs to default namespace
-helm install infisical-helm-charts/infisical --generate-name --values /path/to/values.yaml
-```
+    For a minimal installation of Infisical, you need to configure `ENCRYPTION_KEY`, `AUTH_SECRET`, `DB_CONNECTION_URI`, and `REDIS_URL`. [Learn more about configuration settings](/self-hosting/configuration/envars).
 
-## Access Infisical
-Allow 3-5 minutes for the deployment to complete. Once done, you should now be able to access Infisical on the IP address exposed via Ingress on your load balancer. If you are not sure what the IP address is run `kubectl get ingress` to view the external IP address exposing Infisical.
-  
-<Info>
-Once installation is complete, you will have to create the first account. No default account is provided.
-</Info>
 
-## Related blogs
-- [Set up Infisical in a development cluster](https://iamunnip.hashnode.dev/infisical-open-source-secretops-kubernetes-setup)
+    <Tabs>
+      <Tab title="Proof of concept deployment">
+          For test or proof-of-concept purposes, you may omit `DB_CONNECTION_URI` and `REDIS_URL` from `infisical-secrets`. This is because the Helm chart will automatically provision and connect to the in-cluster instances of Postgres and Redis by default.
+
+      </Tab>
+      <Tab title="Production deployment">
+        For production environments, we recommend using Cloud-based Platform as a Service (PaaS) solutions for PostgreSQL and Redis to ensure high availability. In on-premise setups, it's recommended to configure Redis and Postgres for high availability, either by using Bitnami charts or a custom configuration.
+
+      </Tab>
+    </Tabs>
+
+    ```yaml simple-values-example.yaml 
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: infisical-secrets
+      type: Opaque
+      stringData:
+        AUTH_SECRET: <>
+        ENCRYPTION_KEY: <>
+        REDIS_URL: <>
+        DB_CONNECTION_URI: <>
+    ```
+  </Step>
+
+  <Step title="Database schema migration ">
+    Infisical relies a relational database, which means that database schemas need to be migrated before the instance can become operational. 
+    
+    To automate this process, the chart includes a option named `infisical.autoDatabaseSchemaMigration`.
+    When this option is enabled, a deployment/upgrade will only occur _after_ a successful schema migration.
+
+    <Info>
+      If you are using in-cluster Postgres, you may notice the migration job failing initially.
+      This is expected as it is waiting for the database to be in ready state.
+    </Info>
+  </Step>
+
+  <Step title="Routing traffic to Infisical">
+    By default, this chart uses Nginx as its Ingress controller to direct traffic to Infisical services.
+
+    ```yaml values.yaml 
+    ingress:
+      nginx:
+        enabled: true 
+    ```
+  </Step>
+
+  <Step title="Install the Helm chart ">
+    Once you are done configuring your `values.yaml` file, run the command below.
+
+    ```bash
+    helm upgrade --install infisical infisical-helm-charts/infisical-standalone --values /path/to/values.yaml
+    ```
+
+    <Accordion title="Full helm values example">
+      ```yaml values.yaml
+
+      nameOverride: "infisical"
+      fullnameOverride: "infisical"
+
+      infisical:
+        enabled: true
+        name: infisical
+        autoDatabaseSchemaMigration: true
+        fullnameOverride: ""
+        podAnnotations: {}
+        deploymentAnnotations: {}
+        replicaCount: 6
+
+        image:
+          repository: infisical/infisical
+          tag: "v0.46.2-postgres"
+          pullPolicy: IfNotPresent
+
+        affinity: {}
+        kubeSecretRef: "infisical-secrets"
+        service:
+          annotations: {}
+          type: ClusterIP
+          nodePort: ""
+
+        resources:
+          limits:
+            memory: 210Mi
+          requests:
+            cpu: 200m
+
+      ingress:
+        enabled: true
+        hostName: ""
+        ingressClassName: nginx
+        nginx:
+          enabled: true
+        annotations: {}
+        tls: []
+
+      postgresql:
+        enabled: true
+        name: "postgresql"
+        fullnameOverride: "postgresql"
+        auth:
+          username: infisical
+          password: root
+          database: infisicalDB
+
+      redis:
+        enabled: true
+        name: "redis"
+        fullnameOverride: "redis"
+        cluster:
+          enabled: false
+        usePassword: true
+        auth:
+          password: "mysecretpassword"
+        architecture: standalone
+      ```
+      </Accordion>
+  </Step>
+
+  <Step title="Access Infisical">
+    After deployment, please wait for 2-5 minutes for all pods to reach a running state. Once a significant number of pods are operational, access the IP address revealed through Ingress by your load balancer. 
+    You can find the IP address/hostname by executing the command `kubectl get ingress`.
+    ![self host sign up](images/self-hosting/applicable-to-all/selfhost-signup.png)
+  </Step>
+  <Step title="Upgrade your instance">
+    To upgrade your instance of Infisical simply update the docker image tag in your Halm values and rerun the command below.
+
+    ```bash
+    helm upgrade --install infisical infisical-helm-charts/infisical-standalone --values /path/to/values.yaml
+    ```
+
+    <Tip>
+      Always back up your database before each upgrade, especially in a production environment
+    </Tip>
+
+  </Step>
+</Steps>

docs/self-hosting/deployment-options/standalone-infisical.mdx

@@ -7,19 +7,32 @@ Prerequisites:
 - Basic knowledge of [Docker](https://www.docker.com/)
 - Have Docker installed on your system. If not, follow the installation guide [here](https://docs.docker.com/get-docker/).
 
+Infisical is available as a single Docker image to ease deployment.
+This Docker image only includes the application code, meaning you must supply a connection to a Postgres database and a Redis instance.
+The following guide provides a detailed step-by-step walkthrough on how you can deploy Infisical with Docker.
+
 <Steps>
   <Step title="Pull the Infisical Docker image">
-    Run the following command in your terminal to pull the Infisical Docker image:
+    Visit [Docker Hub](https://hub.docker.com/r/infisical/infisical/tags) and select a version of Infisical image you would like to deploy.
+    Then run the following command in your terminal to pull the specific Infisical Docker image.
     
     ```
-    docker pull infisical/infisical:latest
+    docker pull infisical/infisical:<version>
     ```
+    
+    Remember to replace `<version>` with the docker image tag of your choice.
+  </Step>
+  <Step title="Run Postgres schema migration ">
+    Before you can start the instance of Infisical, you need to run the database schema migrations. 
+    Follow the step by [step guide here](/self-hosting/configuration/schema-migrations) on running schema migrations for Infisical.
+    
   </Step>
   <Step title="Start Infisical">
-    2.1. Running Infisical requires a few environment variables to be set.
-    At minimum, Infisical requires that you set the variables `ENCRYPTION_KEY`, `AUTH_SECRET`, `MONGO_URL`, and `REDIS_URL`
-    which you can read more about [here](/self-hosting/configuration/envars).
+    For a minimal installation of Infisical, you must configure `ENCRYPTION_KEY`, `AUTH_SECRET`, `DB_CONNECTION_URI`, and `REDIS_URL`.     [View all available configurations](/self-hosting/configuration/envars).
     
+
+    We recommend using Cloud-based Platform as a Service (PaaS) solutions for PostgreSQL and Redis to ensure high availability. 
+
     Once you have added the required environment variables to your docker run command, execute it in your terminal to get Infisical up and running.
     
     For example:
@@ -28,22 +41,22 @@ Prerequisites:
     docker run -p 80:8080  \
     -e ENCRYPTION_KEY=f40c9178624764ad85a6830b37ce239a \
     -e AUTH_SECRET="q6LRi7c717a3DQ8JUxlWYkZpMhG4+RHLoFUVt3Bvo2U=" \
-    -e MONGO_URL="<>" \
-    infisical/infisical:latest
+    -e DB_CONNECTION_URI="<>" \
+    -e REDIS_URL="<>" \
+    infisical/infisical:<version>
     ```
     
     <Warning>
       The above environment variable values are only to be used as an example and should not be used in production 
     </Warning>
     
-    2.2. Once the container is running, verify the installation by opening your web browser and navigating to `http://localhost:80`.
+      Once the container is running, verify the installation by opening your web browser and navigating to `http://localhost:80`.
+
+      ![self host sign up](images/self-hosting/applicable-to-all/selfhost-signup.png)
   </Step>
 </Steps>
 
-<AccordionGroup>
-  <Accordion title="What are the system requirements for running Infisical?">
-    To have a functional deployment, we recommended compute with 2GB of RAM and 1 CPU.
-    
-    However, depending on your usage, you may need to further scale up system resources to meet demand.
-  </Accordion>
-</AccordionGroup>
+### Additional discussion 
+It's important to note that the above is a basic example of deploying Infisical using Docker. 
+In practice, for production deployments, you may want to use container orchestration platforms such as AWS ECS, Google Cloud Run, or Kubernetes. 
+These platforms offer additional features like scalability, load balancing, and automated deployment, making them suitable for handling production-level traffic and providing high availability.

docs/self-hosting/deployments/kubernetes.mdx

@@ -1,138 +0,0 @@
----
-title: "Kubernetes"
-description: "How to deploy Infisical with Kubernetes"
----
-
-<Info>
-Self-host vs. Infisical Cloud
-
-Self-hosting Infisical means managing the service yourself, taking care of upgrades, scaling, security, etc.
-
-If you're less technical and looking for a hands-free experience with minimal overhead then we recommend Infisical Cloud.
-
-</Info>
-
-**Prerequisites**
-- You have understanding of [Kubernetes](https://kubernetes.io/)
-- You have understanding of [Helm package manager](https://helm.sh/) 
-- You have [kubectl](https://kubernetes.io/docs/reference/kubectl/kubectl/) installed and connected to your kubernetes cluster
-
-
-#### 1. Fill our environment variables
-
-Before you can deploy the Helm chart, you must fill out the required environment variables. To do so, please copy the below file to a `.yaml` file. 
-Refer to the available [environment variables](../../self-hosting/configuration/envars) to learn more
-
-<Accordion title="values.yaml">
-[View all available Helm chart values parameters](https://github.com/Infisical/infisical/tree/main/helm-charts/infisical)
-```yaml
-frontend:
-  enabled: true
-  name: frontend
-  podAnnotations: {}
-  deploymentAnnotations: {}
-  replicaCount: 2
-  image:
-    repository: infisical/frontend
-    tag: "latest"
-    pullPolicy: IfNotPresent
-  kubeSecretRef: ""
-  service:
-    annotations: {}
-    type: ClusterIP
-    nodePort: ""
-
-frontendEnvironmentVariables:
-  SITE_URL: infisical.local
-
-backend:
-  enabled: true
-  name: backend
-  podAnnotations: {}
-  deploymentAnnotations: {}
-  replicaCount: 2
-  image:
-    repository: infisical/backend
-    tag: "latest"
-    pullPolicy: IfNotPresent
-  kubeSecretRef: ""
-  service:
-    annotations: {}
-    type: ClusterIP
-    nodePort: ""
-
-backendEnvironmentVariables:
-  ENCRYPTION_KEY: MUST_REPLACE
-  JWT_SIGNUP_SECRET: MUST_REPLACE
-  JWT_REFRESH_SECRET: MUST_REPLACE
-  JWT_AUTH_SECRET: MUST_REPLACE
-  JWT_SERVICE_SECRET: MUST_REPLACE
-  SMTP_HOST: MUST_REPLACE
-  SMTP_PORT: 587
-  SMTP_SECURE: false
-  SMTP_FROM_NAME: Infisical
-  SMTP_FROM_ADDRESS: MUST_REPLACE
-  SMTP_USERNAME: MUST_REPLACE
-  SMTP_PASSWORD: MUST_REPLACE
-  SITE_URL: infisical.local
-
-## Mongo DB persistence
-mongodb:
-  enabled: true
-
-## By default the backend will be connected to a Mongo instance within the cluster
-## However, it is recommended to add a managed document DB connection string for production-use (DBaaS)
-## Learn about connection string type here https://www.mongodb.com/docs/manual/reference/connection-string/
-## e.g. "mongodb://<user>:<pass>@<host>:<port>/<database-name>"
-mongodbConnection:
-  externalMongoDBConnectionString: ""
-
-ingress:
-  enabled: true
-  annotations:
-    kubernetes.io/ingress.class: "nginx"
-    # cert-manager.io/issuer: letsencrypt-nginx
-  hostName: infisical.local   ## <- Replace with your own domain 
-  frontend:
-    path: /
-    pathType: Prefix
-  backend:
-    path: /api
-    pathType: Prefix
-  tls: []
-    # - secretName: letsencrypt-nginx
-    #   hosts:
-    #     - infisical.local
-
-mailhog:
-  enabled: false
-```
-</Accordion>
-
-Once you have a local copy of the values file, fill our the required environment variables and save the file.
-
-
-#### 2. Install Infisical Helm repository 
-
-```bash
-helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/' 
-  
-helm repo update
-```
-
-#### 3. Install the Helm chart 
-
-By default, the helm chart will be installed on your default namespace. If you wish to install the Chart on a different namespace, you may specify
-that by adding the `--namespace <namespace-to-install-to>` to your `helm install` command.
-
-```bash
-## Installs to default namespace
-helm install infisical-helm-charts/infisical --generate-name --values <path to the values.yaml you downloaded/created in step 2>
-```
-
-<Note>
-If you have not filled out all of the required environment variables, you will see an error message prompting you to 
-do so. 
-</Note>
-
-#### 4. Your Infisical installation is complete and should be running on the host name you specified in Ingress in `values.yaml`.

docs/self-hosting/deployments/linux.mdx

@@ -1,53 +0,0 @@
----
-title: "Linux VM"
-description: "How to deploy Infisical with Docker-Compose"
----
-
-<Info>
-Self-host vs. Infisical Cloud
-
-Self-hosting Infisical means managing the service yourself, taking care of upgrades, scaling, security, etc.
-
-If you're less technical and looking for a hands-free experience with minimal overhead then we recommend Infisical Cloud.
-
-</Info>
-
-We provide a docker-compose deployment option for those who want to deploy Infisical onto a Linux VM easily.
-
-1. Install Docker on your VM
-
-```bash
-# Example in ubuntu
-apt-get update
-apt-get upgrade
-apt install docker-compose
-```
-
-2. Download the required files
-
-```bash
-# Download env file template
-wget -O .env https://raw.githubusercontent.com/Infisical/infisical/main/.env.example
-
-# Download docker compose template
-wget -O docker-compose.yml https://raw.githubusercontent.com/Infisical/infisical/main/docker-compose.yml
-
-# Download nginx config
-mkdir nginx && wget -O ./nginx/default.conf https://raw.githubusercontent.com/Infisical/infisical/main/nginx/default.dev.conf
-```
-
-3. Tweak the `.env` according to your preferences. Refer to the available [environment variables](../../self-hosting/configuration/envars)
-
-```bash
-# update environment variables like mongo login
-nano .env
-```
-
-4. Get the service up and running.
-
-```bash
-# Start up services in detached mode
-docker-compose -f docker-compose.yml up -d
-```
-
-5. Your Infisical installation is complete and should be running on [http://localhost:80](http://localhost:80). Please note that the containers are not exposed to the internet and only bind to the localhost. It's up to you to configure a firewall, SSL certificates, and implement any additional security measures.

docs/self-hosting/faq.mdx

@@ -15,13 +15,3 @@ However, in the event you choose to use Infisical without SSL, you can do so by
 [Learn more about secure cookies](https://really-simple-ssl.com/definition/what-are-secure-cookies/)
 </Accordion>
 
-<Accordion title="Is self hosted Infisical HA?">
- Infisical leverages the robust container orchestration capabilities of Kubernetes and the inherent high availability features of Bitnami MongoDB to ensure resilience and fault tolerance. 
- By deploying multiple replicas of Infisical application on Kubernetes, operations can continue even if a single instance fails. 
-
- Additionally, Bitnami MongoDB supports replica sets, which provide data redundancy and automatic failover for the underlying database. 
- Kubernetes Services facilitate load balancing, effectively distributing traffic across your application's instances and ensuring optimal performance. 
- The combination of Kubernetes' self-healing mechanisms and Bitnami MongoDB's failover capabilities work together to create a highly available and fault-tolerant application capable of recovering gracefully from unexpected failures.
-
- To further increase data redundancy, we recommend that you use a managed MongoDB service for your self hosted instance of Infisical.
-</Accordion>

docs/self-hosting/overview.mdx

@@ -14,13 +14,6 @@ Choose from a variety of deployment options listed below to get started.
   Use the fully packaged docker image to deploy Infisical anywhere
 </Card>
 <CardGroup cols={2}>
-  <Card
-    title="Digital Ocean"
-    color="#16a34a"
-    href="deployment-options/digital-ocean-marketplace"
-  >
-    Automatically create and deploy Infisical on to a Kubernetes cluster
-  </Card>
   <Card
     title="Docker Compose"
     color="#0285c7"
@@ -35,53 +28,4 @@ Choose from a variety of deployment options listed below to get started.
   >
   Use our Helm chart to Install Infisical on your Kubernetes cluster
   </Card>
-  <Card 
-    title="AWS EC2" 
-    color="#0285c7" 
-    href="deployment-options/aws-ec2"
-  >
-    Install infisical with just a few clicks using our Cloud Formation template
-  </Card>
-  <Card 
-    title="AWS Lightsail" 
-    color="#0285c7" 
-    href="deployment-options/aws-lightsail"
-  >
-    Deploy Infisical with AWS Lightsail
-  </Card>
-  <Card
-    title="GCP Cloud Run"
-    color="#ea5a0c"
-    href="deployment-options/gcp-cloud-run"
-  >
-    Deploy Infisical with GCP Cloud Run
-  </Card>
-  <Card
-    title="Azure App Services"
-    color="#ea5a0c"
-    href="deployment-options/azure-app-services"
-  >
-    Deploy Infisical with Azure App Services
-  </Card>
-  <Card
-    title="Azure Container Instances"
-    color="#ea5a0c"
-    href="deployment-options/azure-container-instances"
-  >
-    Deploy Infisical with Azure Container Instances
-  </Card>
-  <Card
-    title="Fly.io"
-    color="#ea5a0c"
-    href="deployment-options/fly.io"
-  >
-    Deploy Infisical with Fly.io
-  </Card>
-  <Card
-    title="Railway"
-    color="#ea5a0c"
-    href="deployment-options/railway"
-  >
-    Deploy Infisical with Railway
-  </Card>
 </CardGroup>

frontend/package-lock.json

@@ -1,5 +1,5 @@
 {
-  "name": "npm-proj-1708142380787-0.9952765718063858vJAsWg",
+  "name": "npm-proj-1708687711895-0.8280111363176879xoEiUg",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
@@ -82,7 +82,7 @@
         "react-markdown": "^8.0.3",
         "react-redux": "^8.0.2",
         "react-table": "^7.8.0",
-        "sanitize-html": "^2.11.0",
+        "sanitize-html": "^2.12.1",
         "set-cookie-parser": "^2.5.1",
         "sharp": "^0.33.2",
         "styled-components": "^5.3.7",
@@ -21111,9 +21111,9 @@
       "dev": true
     },
     "node_modules/sanitize-html": {
-      "version": "2.11.0",
-      "resolved": "https://registry.npmjs.org/sanitize-html/-/sanitize-html-2.11.0.tgz",
-      "integrity": "sha512-BG68EDHRaGKqlsNjJ2xUB7gpInPA8gVx/mvjO743hZaeMCZ2DwzW7xvsqZ+KNU4QKwj86HJ3uu2liISf2qBBUA==",
+      "version": "2.12.1",
+      "resolved": "https://registry.npmjs.org/sanitize-html/-/sanitize-html-2.12.1.tgz",
+      "integrity": "sha512-Plh+JAn0UVDpBRP/xEjsk+xDCoOvMBwQUf/K+/cBAVuTbtX8bj2VB7S1sL1dssVpykqp0/KPSesHrqXtokVBpA==",
       "dependencies": {
         "deepmerge": "^4.2.2",
         "escape-string-regexp": "^4.0.0",

frontend/package.json

@@ -90,7 +90,7 @@
     "react-markdown": "^8.0.3",
     "react-redux": "^8.0.2",
     "react-table": "^7.8.0",
-    "sanitize-html": "^2.11.0",
+    "sanitize-html": "^2.12.1",
     "set-cookie-parser": "^2.5.1",
     "sharp": "^0.33.2",
     "styled-components": "^5.3.7",

frontend/src/components/basic/table/ProjectUsersTable.tsx

@@ -59,8 +59,8 @@ const ProjectUsersTable = ({ userData, changeData, myUser, filter, isUserListLoa
   const workspaceId = router.query.id as string;
   // Delete the row in the table (e.g. a user)
   // #TODO: Add a pop-up that warns you that the user is going to be deleted.
-  const handleDelete = async (membershipId: string) => {
-    await deleteUserFromWorkspaceMutateAsync({ membershipId, workspaceId });
+  const handleDelete = async (email: string) => {
+    await deleteUserFromWorkspaceMutateAsync({ emails: [email], workspaceId });
   };
 
   const handleRoleUpdate = async (index: number, e: string) => {
@@ -368,7 +368,7 @@ const ProjectUsersTable = ({ userData, changeData, myUser, filter, isUserListLoa
                     myRole !== "member" ? (
                       <div className="mt-0.5 flex items-center opacity-50 hover:opacity-100">
                         <Button
-                          onButtonPressed={() => handleDelete(row.membershipId)}
+                          onButtonPressed={() => handleDelete(row.email)}
                           color="red"
                           size="icon-sm"
                           icon={faX}

frontend/src/components/signup/EnterEmailStep.tsx

@@ -1,7 +1,9 @@
 import React, { useState } from "react";
 import { useTranslation } from "react-i18next";
 import Link from "next/link";
+import axios from "axios";
 
+import { useNotificationContext } from "@app/components/context/Notifications/NotificationProvider";
 import { useSendVerificationEmail } from "@app/hooks/api";
 
 import { Button, Input } from "../v2";
@@ -25,6 +27,7 @@ export default function EnterEmailStep({
   setEmail,
   incrementStep
 }: DownloadBackupPDFStepProps): JSX.Element {
+  const { createNotification } = useNotificationContext();
   const { mutateAsync } = useSendVerificationEmail();
   const [emailError, setEmailError] = useState(false);
   const { t } = useTranslation();
@@ -46,8 +49,18 @@ export default function EnterEmailStep({
 
     // If everything is correct, go to the next step
     if (!emailCheckBool) {
-      await mutateAsync({ email });
-      incrementStep();
+      try {
+        await mutateAsync({ email });
+        incrementStep();
+      } catch(e) {
+        if (axios.isAxiosError(e)) {
+          const { message = "Something went wrong" } = e.response?.data as { message: string};
+          createNotification({
+            type: "error",
+            text:  message
+          })
+        }
+      }
     }
   };
 

frontend/src/components/utilities/cryptography/crypto.ts

@@ -13,12 +13,12 @@ nacl.util = require("tweetnacl-util");
  */
 const generateKeyPair = () => {
   const pair = nacl.box.keyPair();
-  
-  return ({
-		publicKey: nacl.util.encodeBase64(pair.publicKey),
-		privateKey: nacl.util.encodeBase64(pair.secretKey)
-  });
-}
+
+  return {
+    publicKey: nacl.util.encodeBase64(pair.publicKey),
+    privateKey: nacl.util.encodeBase64(pair.secretKey)
+  };
+};
 
 type EncryptAsymmetricProps = {
   plaintext: string;
@@ -29,27 +29,19 @@ type EncryptAsymmetricProps = {
 /**
  * Verify that private key [privateKey] is the one that corresponds to
  * the public key [publicKey]
- * @param {Object} 
+ * @param {Object}
  * @param {String} - base64-encoded Nacl private key
  * @param {String} - base64-encoded Nacl public key
  */
-const verifyPrivateKey = ({
-  privateKey,
-  publicKey
-}: {
-  privateKey: string;
-  publicKey: string;
-}) => {
+const verifyPrivateKey = ({ privateKey, publicKey }: { privateKey: string; publicKey: string }) => {
   const derivedPublicKey = nacl.util.encodeBase64(
-    nacl.box.keyPair.fromSecretKey(
-      nacl.util.decodeBase64(privateKey)
-    ).publicKey
+    nacl.box.keyPair.fromSecretKey(nacl.util.decodeBase64(privateKey)).publicKey
   );
-  
+
   if (derivedPublicKey !== publicKey) {
     throw new Error("Failed to verify private key");
   }
-}
+};
 
 /**
  * Derive a key from password [password] and salt [salt] using Argon2id
@@ -229,7 +221,8 @@ export {
   decryptAssymmetric,
   decryptSymmetric,
   deriveArgonKey,
-  encryptAssymmetric, 
+  encryptAssymmetric,
   encryptSymmetric,
   generateKeyPair,
-  verifyPrivateKey};
+  verifyPrivateKey
+};