Fix: Add height and remove extra spacing

Makefile

@@ -7,9 +7,6 @@ push:
 up-dev:
 	docker compose -f docker-compose.dev.yml up --build
 
-up-dev-ldap:
-	docker compose -f docker-compose.dev.yml --profile ldap up --build
-
 up-prod:
 	docker-compose -f docker-compose.prod.yml up --build
 

backend/package.json

@@ -70,7 +70,6 @@
     "vitest": "^1.2.2"
   },
   "dependencies": {
-    "@aws-sdk/client-iam": "^3.525.0",
     "@aws-sdk/client-secrets-manager": "^3.504.0",
     "@casl/ability": "^6.5.0",
     "@fastify/cookie": "^9.3.1",
@@ -107,7 +106,6 @@
     "knex": "^3.0.1",
     "libsodium-wrappers": "^0.7.13",
     "lodash.isequal": "^4.5.0",
-    "ms": "^2.1.3",
     "mysql2": "^3.9.1",
     "nanoid": "^5.0.4",
     "nodemailer": "^6.9.9",
@@ -115,9 +113,7 @@
     "passport-github": "^1.1.0",
     "passport-gitlab2": "^5.0.0",
     "passport-google-oauth20": "^2.0.0",
-    "passport-ldapauth": "^3.0.1",
     "pg": "^8.11.3",
-    "pg-query-stream": "^4.5.3",
     "picomatch": "^3.0.1",
     "pino": "^8.16.2",
     "posthog-node": "^3.6.2",

backend/src/@types/fastify.d.ts

@@ -3,7 +3,6 @@ import "fastify";
 import { TUsers } from "@app/db/schemas";
 import { TAuditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-service";
 import { TCreateAuditLogDTO } from "@app/ee/services/audit-log/audit-log-types";
-import { TLdapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-config-service";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { TSamlConfigServiceFactory } from "@app/ee/services/saml-config/saml-config-service";
@@ -70,7 +69,6 @@ declare module "fastify" {
     };
     auditLogInfo: Pick<TCreateAuditLogDTO, "userAgent" | "userAgentType" | "ipAddress" | "actor">;
     ssoConfig: Awaited<ReturnType<TSamlConfigServiceFactory["getSaml"]>>;
-    ldapConfig: Awaited<ReturnType<TLdapConfigServiceFactory["getLdapCfg"]>>;
   }
 
   interface FastifyInstance {
@@ -109,7 +107,6 @@ declare module "fastify" {
       snapshot: TSecretSnapshotServiceFactory;
       saml: TSamlConfigServiceFactory;
       scim: TScimServiceFactory;
-      ldap: TLdapConfigServiceFactory;
       auditLog: TAuditLogServiceFactory;
       secretScanning: TSecretScanningServiceFactory;
       license: TLicenseServiceFactory;

backend/src/@types/knex.d.ts

@@ -32,9 +32,6 @@ import {
   TIdentityOrgMemberships,
   TIdentityOrgMembershipsInsert,
   TIdentityOrgMembershipsUpdate,
-  TIdentityProjectMembershipRole,
-  TIdentityProjectMembershipRoleInsert,
-  TIdentityProjectMembershipRoleUpdate,
   TIdentityProjectMemberships,
   TIdentityProjectMembershipsInsert,
   TIdentityProjectMembershipsUpdate,
@@ -53,9 +50,6 @@ import {
   TIntegrations,
   TIntegrationsInsert,
   TIntegrationsUpdate,
-  TLdapConfigs,
-  TLdapConfigsInsert,
-  TLdapConfigsUpdate,
   TOrganizations,
   TOrganizationsInsert,
   TOrganizationsUpdate,
@@ -86,9 +80,6 @@ import {
   TProjects,
   TProjectsInsert,
   TProjectsUpdate,
-  TProjectUserMembershipRoles,
-  TProjectUserMembershipRolesInsert,
-  TProjectUserMembershipRolesUpdate,
   TSamlConfigs,
   TSamlConfigsInsert,
   TSamlConfigsUpdate,
@@ -170,9 +161,6 @@ import {
   TUserActions,
   TUserActionsInsert,
   TUserActionsUpdate,
-  TUserAliases,
-  TUserAliasesInsert,
-  TUserAliasesUpdate,
   TUserEncryptionKeys,
   TUserEncryptionKeysInsert,
   TUserEncryptionKeysUpdate,
@@ -187,7 +175,6 @@ import {
 declare module "knex/types/tables" {
   interface Tables {
     [TableName.Users]: Knex.CompositeTableType<TUsers, TUsersInsert, TUsersUpdate>;
-    [TableName.UserAliases]: Knex.CompositeTableType<TUserAliases, TUserAliasesInsert, TUserAliasesUpdate>;
     [TableName.UserEncryptionKey]: Knex.CompositeTableType<
       TUserEncryptionKeys,
       TUserEncryptionKeysInsert,
@@ -227,11 +214,6 @@ declare module "knex/types/tables" {
       TProjectEnvironmentsUpdate
     >;
     [TableName.ProjectBot]: Knex.CompositeTableType<TProjectBots, TProjectBotsInsert, TProjectBotsUpdate>;
-    [TableName.ProjectUserMembershipRole]: Knex.CompositeTableType<
-      TProjectUserMembershipRoles,
-      TProjectUserMembershipRolesInsert,
-      TProjectUserMembershipRolesUpdate
-    >;
     [TableName.ProjectRoles]: Knex.CompositeTableType<TProjectRoles, TProjectRolesInsert, TProjectRolesUpdate>;
     [TableName.ProjectKeys]: Knex.CompositeTableType<TProjectKeys, TProjectKeysInsert, TProjectKeysUpdate>;
     [TableName.Secret]: Knex.CompositeTableType<TSecrets, TSecretsInsert, TSecretsUpdate>;
@@ -283,11 +265,6 @@ declare module "knex/types/tables" {
       TIdentityProjectMembershipsInsert,
       TIdentityProjectMembershipsUpdate
     >;
-    [TableName.IdentityProjectMembershipRole]: Knex.CompositeTableType<
-      TIdentityProjectMembershipRole,
-      TIdentityProjectMembershipRoleInsert,
-      TIdentityProjectMembershipRoleUpdate
-    >;
     [TableName.ScimToken]: Knex.CompositeTableType<TScimTokens, TScimTokensInsert, TScimTokensUpdate>;
     [TableName.SecretApprovalPolicy]: Knex.CompositeTableType<
       TSecretApprovalPolicies,
@@ -341,7 +318,6 @@ declare module "knex/types/tables" {
       TSecretSnapshotFoldersUpdate
     >;
     [TableName.SamlConfig]: Knex.CompositeTableType<TSamlConfigs, TSamlConfigsInsert, TSamlConfigsUpdate>;
-    [TableName.LdapConfig]: Knex.CompositeTableType<TLdapConfigs, TLdapConfigsInsert, TLdapConfigsUpdate>;
     [TableName.OrgBot]: Knex.CompositeTableType<TOrgBots, TOrgBotsInsert, TOrgBotsUpdate>;
     [TableName.AuditLog]: Knex.CompositeTableType<TAuditLogs, TAuditLogsInsert, TAuditLogsUpdate>;
     [TableName.GitAppInstallSession]: Knex.CompositeTableType<

backend/src/db/instance.ts

@@ -6,13 +6,6 @@ export const initDbConnection = ({ dbConnectionUri, dbRootCert }: { dbConnection
     client: "pg",
     connection: {
       connectionString: dbConnectionUri,
-      host: process.env.DB_HOST,
-      // @ts-expect-error I have no clue why only for the port there is a type error
-      // eslint-disable-next-line
-      port: process.env.DB_PORT,
-      user: process.env.DB_USER,
-      database: process.env.DB_NAME,
-      password: process.env.DB_PASSWORD,
       ssl: dbRootCert
         ? {
             rejectUnauthorized: true,

backend/src/db/knexfile.ts

@@ -7,22 +7,18 @@ import path from "path";
 
 // Update with your config settings. .
 dotenv.config({
-  path: path.join(__dirname, "../../../.env.migration")
+  path: path.join(__dirname, "../../../.env.migration"),
+  debug: true
 });
 dotenv.config({
-  path: path.join(__dirname, "../../../.env")
+  path: path.join(__dirname, "../../../.env"),
+  debug: true
 });
-
 export default {
   development: {
     client: "postgres",
     connection: {
       connectionString: process.env.DB_CONNECTION_URI,
-      host: process.env.DB_HOST,
-      port: process.env.DB_PORT,
-      user: process.env.DB_USER,
-      database: process.env.DB_NAME,
-      password: process.env.DB_PASSWORD,
       ssl: process.env.DB_ROOT_CERT
         ? {
             rejectUnauthorized: true,
@@ -45,11 +41,6 @@ export default {
     client: "postgres",
     connection: {
       connectionString: process.env.DB_CONNECTION_URI,
-      host: process.env.DB_HOST,
-      port: process.env.DB_PORT,
-      user: process.env.DB_USER,
-      database: process.env.DB_NAME,
-      password: process.env.DB_PASSWORD,
       ssl: process.env.DB_ROOT_CERT
         ? {
             rejectUnauthorized: true,

backend/src/db/migrations/20240311210135_ldap-config.ts

@@ -1,68 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.LdapConfig))) {
-    await knex.schema.createTable(TableName.LdapConfig, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("orgId").notNullable().unique();
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-      t.boolean("isActive").notNullable();
-      t.string("url").notNullable();
-      t.string("encryptedBindDN").notNullable();
-      t.string("bindDNIV").notNullable();
-      t.string("bindDNTag").notNullable();
-      t.string("encryptedBindPass").notNullable();
-      t.string("bindPassIV").notNullable();
-      t.string("bindPassTag").notNullable();
-      t.string("searchBase").notNullable();
-      t.text("encryptedCACert").notNullable();
-      t.string("caCertIV").notNullable();
-      t.string("caCertTag").notNullable();
-      t.timestamps(true, true, true);
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.LdapConfig);
-
-  if (!(await knex.schema.hasTable(TableName.UserAliases))) {
-    await knex.schema.createTable(TableName.UserAliases, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("userId").notNullable();
-      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-      t.string("username").notNullable();
-      t.string("aliasType").notNullable();
-      t.string("externalId").notNullable();
-      t.specificType("emails", "text[]");
-      t.uuid("orgId").nullable();
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.UserAliases);
-
-  await knex.schema.alterTable(TableName.Users, (t) => {
-    t.string("username").unique();
-    t.string("email").nullable().alter();
-    t.dropUnique(["email"]);
-  });
-
-  await knex(TableName.Users).update("username", knex.ref("email"));
-
-  await knex.schema.alterTable(TableName.Users, (t) => {
-    t.string("username").notNullable().alter();
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.LdapConfig);
-  await knex.schema.dropTableIfExists(TableName.UserAliases);
-  await knex.schema.alterTable(TableName.Users, (t) => {
-    t.dropColumn("username");
-    // t.string("email").notNullable().alter();
-  });
-  await dropOnUpdateTrigger(knex, TableName.LdapConfig);
-}

backend/src/db/migrations/20240312162549_temp-roles.ts

@@ -1,50 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesTableExist = await knex.schema.hasTable(TableName.ProjectUserMembershipRole);
-  if (!doesTableExist) {
-    await knex.schema.createTable(TableName.ProjectUserMembershipRole, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("role").notNullable();
-      t.uuid("projectMembershipId").notNullable();
-      t.foreign("projectMembershipId").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
-      // until role is changed/removed the role should not deleted
-      t.uuid("customRoleId");
-      t.foreign("customRoleId").references("id").inTable(TableName.ProjectRoles);
-      t.boolean("isTemporary").notNullable().defaultTo(false);
-      t.string("temporaryMode");
-      t.string("temporaryRange"); // could be cron or relative time like 1H or 1minute etc
-      t.datetime("temporaryAccessStartTime");
-      t.datetime("temporaryAccessEndTime");
-      t.timestamps(true, true, true);
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.ProjectUserMembershipRole);
-
-  const projectMemberships = await knex(TableName.ProjectMembership).select(
-    "id",
-    "role",
-    "createdAt",
-    "updatedAt",
-    knex.ref("roleId").withSchema(TableName.ProjectMembership).as("customRoleId")
-  );
-  if (projectMemberships.length)
-    await knex.batchInsert(
-      TableName.ProjectUserMembershipRole,
-      projectMemberships.map((data) => ({ ...data, projectMembershipId: data.id }))
-    );
-  // will be dropped later
-  // await knex.schema.alterTable(TableName.ProjectMembership, (t) => {
-  //   t.dropColumn("roleId");
-  //   t.dropColumn("role");
-  // });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.ProjectUserMembershipRole);
-  await dropOnUpdateTrigger(knex, TableName.ProjectUserMembershipRole);
-}

backend/src/db/migrations/20240312162556_temp-role-identity.ts

@@ -1,52 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesTableExist = await knex.schema.hasTable(TableName.IdentityProjectMembershipRole);
-  if (!doesTableExist) {
-    await knex.schema.createTable(TableName.IdentityProjectMembershipRole, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("role").notNullable();
-      t.uuid("projectMembershipId").notNullable();
-      t.foreign("projectMembershipId")
-        .references("id")
-        .inTable(TableName.IdentityProjectMembership)
-        .onDelete("CASCADE");
-      // until role is changed/removed the role should not deleted
-      t.uuid("customRoleId");
-      t.foreign("customRoleId").references("id").inTable(TableName.ProjectRoles);
-      t.boolean("isTemporary").notNullable().defaultTo(false);
-      t.string("temporaryMode");
-      t.string("temporaryRange"); // could be cron or relative time like 1H or 1minute etc
-      t.datetime("temporaryAccessStartTime");
-      t.datetime("temporaryAccessEndTime");
-      t.timestamps(true, true, true);
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.IdentityProjectMembershipRole);
-
-  const identityMemberships = await knex(TableName.IdentityProjectMembership).select(
-    "id",
-    "role",
-    "createdAt",
-    "updatedAt",
-    knex.ref("roleId").withSchema(TableName.IdentityProjectMembership).as("customRoleId")
-  );
-  if (identityMemberships.length)
-    await knex.batchInsert(
-      TableName.IdentityProjectMembershipRole,
-      identityMemberships.map((data) => ({ ...data, projectMembershipId: data.id }))
-    );
-  // await knex.schema.alterTable(TableName.IdentityProjectMembership, (t) => {
-  //   t.dropColumn("roleId");
-  //   t.dropColumn("role");
-  // });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.IdentityProjectMembershipRole);
-  await dropOnUpdateTrigger(knex, TableName.IdentityProjectMembershipRole);
-}

backend/src/db/schemas/identity-project-membership-role.ts

@@ -1,31 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const IdentityProjectMembershipRoleSchema = z.object({
-  id: z.string().uuid(),
-  role: z.string(),
-  projectMembershipId: z.string().uuid(),
-  customRoleId: z.string().uuid().nullable().optional(),
-  isTemporary: z.boolean().default(false),
-  temporaryMode: z.string().nullable().optional(),
-  temporaryRange: z.string().nullable().optional(),
-  temporaryAccessStartTime: z.date().nullable().optional(),
-  temporaryAccessEndTime: z.date().nullable().optional(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TIdentityProjectMembershipRole = z.infer<typeof IdentityProjectMembershipRoleSchema>;
-export type TIdentityProjectMembershipRoleInsert = Omit<
-  z.input<typeof IdentityProjectMembershipRoleSchema>,
-  TImmutableDBKeys
->;
-export type TIdentityProjectMembershipRoleUpdate = Partial<
-  Omit<z.input<typeof IdentityProjectMembershipRoleSchema>, TImmutableDBKeys>
->;

backend/src/db/schemas/index.ts

@@ -8,14 +8,12 @@ export * from "./git-app-org";
 export * from "./identities";
 export * from "./identity-access-tokens";
 export * from "./identity-org-memberships";
-export * from "./identity-project-membership-role";
 export * from "./identity-project-memberships";
 export * from "./identity-ua-client-secrets";
 export * from "./identity-universal-auths";
 export * from "./incident-contacts";
 export * from "./integration-auths";
 export * from "./integrations";
-export * from "./ldap-configs";
 export * from "./models";
 export * from "./org-bots";
 export * from "./org-memberships";
@@ -26,7 +24,6 @@ export * from "./project-environments";
 export * from "./project-keys";
 export * from "./project-memberships";
 export * from "./project-roles";
-export * from "./project-user-membership-roles";
 export * from "./projects";
 export * from "./saml-configs";
 export * from "./scim-tokens";
@@ -55,7 +52,6 @@ export * from "./service-tokens";
 export * from "./super-admin";
 export * from "./trusted-ips";
 export * from "./user-actions";
-export * from "./user-aliases";
 export * from "./user-encryption-keys";
 export * from "./users";
 export * from "./webhooks";

backend/src/db/schemas/ldap-configs.ts

@@ -1,31 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const LdapConfigsSchema = z.object({
-  id: z.string().uuid(),
-  orgId: z.string().uuid(),
-  isActive: z.boolean(),
-  url: z.string(),
-  encryptedBindDN: z.string(),
-  bindDNIV: z.string(),
-  bindDNTag: z.string(),
-  encryptedBindPass: z.string(),
-  bindPassIV: z.string(),
-  bindPassTag: z.string(),
-  searchBase: z.string(),
-  encryptedCACert: z.string(),
-  caCertIV: z.string(),
-  caCertTag: z.string(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TLdapConfigs = z.infer<typeof LdapConfigsSchema>;
-export type TLdapConfigsInsert = Omit<z.input<typeof LdapConfigsSchema>, TImmutableDBKeys>;
-export type TLdapConfigsUpdate = Partial<Omit<z.input<typeof LdapConfigsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/models.ts

@@ -2,7 +2,6 @@ import { z } from "zod";
 
 export enum TableName {
   Users = "users",
-  UserAliases = "user_aliases",
   UserEncryptionKey = "user_encryption_keys",
   AuthTokens = "auth_tokens",
   AuthTokenSession = "auth_token_sessions",
@@ -20,7 +19,6 @@ export enum TableName {
   Environment = "project_environments",
   ProjectMembership = "project_memberships",
   ProjectRoles = "project_roles",
-  ProjectUserMembershipRole = "project_user_membership_roles",
   ProjectKeys = "project_keys",
   Secret = "secrets",
   SecretBlindIndex = "secret_blind_indexes",
@@ -42,7 +40,6 @@ export enum TableName {
   IdentityUaClientSecret = "identity_ua_client_secrets",
   IdentityOrgMembership = "identity_org_memberships",
   IdentityProjectMembership = "identity_project_memberships",
-  IdentityProjectMembershipRole = "identity_project_membership_role",
   ScimToken = "scim_tokens",
   SecretApprovalPolicy = "secret_approval_policies",
   SecretApprovalPolicyApprover = "secret_approval_policies_approvers",
@@ -53,7 +50,6 @@ export enum TableName {
   SecretRotation = "secret_rotations",
   SecretRotationOutput = "secret_rotation_outputs",
   SamlConfig = "saml_configs",
-  LdapConfig = "ldap_configs",
   AuditLog = "audit_logs",
   GitAppInstallSession = "git_app_install_sessions",
   GitAppOrg = "git_app_org",

backend/src/db/schemas/project-user-membership-roles.ts

@@ -1,31 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const ProjectUserMembershipRolesSchema = z.object({
-  id: z.string().uuid(),
-  role: z.string(),
-  projectMembershipId: z.string().uuid(),
-  customRoleId: z.string().uuid().nullable().optional(),
-  isTemporary: z.boolean().default(false),
-  temporaryMode: z.string().nullable().optional(),
-  temporaryRange: z.string().nullable().optional(),
-  temporaryAccessStartTime: z.date().nullable().optional(),
-  temporaryAccessEndTime: z.date().nullable().optional(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TProjectUserMembershipRoles = z.infer<typeof ProjectUserMembershipRolesSchema>;
-export type TProjectUserMembershipRolesInsert = Omit<
-  z.input<typeof ProjectUserMembershipRolesSchema>,
-  TImmutableDBKeys
->;
-export type TProjectUserMembershipRolesUpdate = Partial<
-  Omit<z.input<typeof ProjectUserMembershipRolesSchema>, TImmutableDBKeys>
->;

backend/src/db/schemas/user-aliases.ts

@@ -1,24 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const UserAliasesSchema = z.object({
-  id: z.string().uuid(),
-  userId: z.string().uuid(),
-  username: z.string(),
-  aliasType: z.string(),
-  externalId: z.string(),
-  emails: z.string().array().nullable().optional(),
-  orgId: z.string().uuid().nullable().optional(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TUserAliases = z.infer<typeof UserAliasesSchema>;
-export type TUserAliasesInsert = Omit<z.input<typeof UserAliasesSchema>, TImmutableDBKeys>;
-export type TUserAliasesUpdate = Partial<Omit<z.input<typeof UserAliasesSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/users.ts

@@ -9,7 +9,7 @@ import { TImmutableDBKeys } from "./models";
 
 export const UsersSchema = z.object({
   id: z.string().uuid(),
-  email: z.string().nullable().optional(),
+  email: z.string(),
   authMethods: z.string().array().nullable().optional(),
   superAdmin: z.boolean().default(false).nullable().optional(),
   firstName: z.string().nullable().optional(),
@@ -20,8 +20,7 @@ export const UsersSchema = z.object({
   devices: z.unknown().nullable().optional(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  isGhost: z.boolean().default(false),
-  username: z.string()
+  isGhost: z.boolean().default(false)
 });
 
 export type TUsers = z.infer<typeof UsersSchema>;

backend/src/db/seed-data.ts

@@ -21,7 +21,6 @@ export let userPublicKey: string | undefined;
 
 export const seedData1 = {
   id: "3dafd81d-4388-432b-a4c5-f735616868c1",
-  username: process.env.TEST_USER_USERNAME || "test@localhost.local",
   email: process.env.TEST_USER_EMAIL || "test@localhost.local",
   password: process.env.TEST_USER_PASSWORD || "testInfisical@1",
   organization: {

backend/src/db/seeds/1-user.ts

@@ -22,7 +22,6 @@ export async function seed(knex: Knex): Promise<void> {
         // eslint-disable-next-line
         // @ts-ignore
         id: seedData1.id,
-        username: seedData1.username,
         email: seedData1.email,
         superAdmin: true,
         firstName: "test",

backend/src/db/seeds/3-project.ts

@@ -4,7 +4,7 @@ import { Knex } from "knex";
 
 import { encryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
 
-import { ProjectMembershipRole, SecretEncryptionAlgo, SecretKeyEncoding, TableName } from "../schemas";
+import { OrgMembershipRole, SecretEncryptionAlgo, SecretKeyEncoding, TableName } from "../schemas";
 import { buildUserProjectKey, getUserPrivateKey, seedData1 } from "../seed-data";
 
 export const DEFAULT_PROJECT_ENVS = [
@@ -30,16 +30,10 @@ export async function seed(knex: Knex): Promise<void> {
     })
     .returning("*");
 
-  const projectMembership = await knex(TableName.ProjectMembership)
-    .insert({
-      projectId: project.id,
-      userId: seedData1.id,
-      role: ProjectMembershipRole.Admin
-    })
-    .returning("*");
-  await knex(TableName.ProjectUserMembershipRole).insert({
-    role: ProjectMembershipRole.Admin,
-    projectMembershipId: projectMembership[0].id
+  await knex(TableName.ProjectMembership).insert({
+    projectId: project.id,
+    role: OrgMembershipRole.Admin,
+    userId: seedData1.id
   });
 
   const user = await knex(TableName.UserEncryptionKey).where({ userId: seedData1.id }).first();

backend/src/db/seeds/4-machine-identity.ts

@@ -75,16 +75,9 @@ export async function seed(knex: Knex): Promise<void> {
     }
   ]);
 
-  const identityProjectMembership = await knex(TableName.IdentityProjectMembership)
-    .insert({
-      identityId: seedData1.machineIdentity.id,
-      projectId: seedData1.project.id,
-      role: ProjectMembershipRole.Admin
-    })
-    .returning("*");
-
-  await knex(TableName.IdentityProjectMembershipRole).insert({
+  await knex(TableName.IdentityProjectMembership).insert({
+    identityId: seedData1.machineIdentity.id,
     role: ProjectMembershipRole.Admin,
-    projectMembershipId: identityProjectMembership[0].id
+    projectId: seedData1.project.id
   });
 }

backend/src/ee/routes/v1/index.ts

@@ -1,4 +1,3 @@
-import { registerLdapRouter } from "./ldap-router";
 import { registerLicenseRouter } from "./license-router";
 import { registerOrgRoleRouter } from "./org-role-router";
 import { registerProjectRoleRouter } from "./project-role-router";
@@ -36,7 +35,6 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
   });
   await server.register(registerSamlRouter, { prefix: "/sso" });
   await server.register(registerScimRouter, { prefix: "/scim" });
-  await server.register(registerLdapRouter, { prefix: "/ldap" });
   await server.register(registerSecretScanningRouter, { prefix: "/secret-scanning" });
   await server.register(registerSecretRotationRouter, { prefix: "/secret-rotations" });
   await server.register(registerSecretVersionRouter, { prefix: "/secret" });

backend/src/ee/routes/v1/ldap-router.ts

@@ -1,194 +0,0 @@
-/* eslint-disable @typescript-eslint/no-explicit-any */
-/* eslint-disable @typescript-eslint/no-unsafe-return */
-/* eslint-disable @typescript-eslint/no-unsafe-member-access */
-/* eslint-disable @typescript-eslint/no-unsafe-assignment */
-/* eslint-disable @typescript-eslint/no-unsafe-call */
-/* eslint-disable @typescript-eslint/no-unsafe-argument */
-// All the any rules are disabled because passport typesense with fastify is really poor
-
-import { IncomingMessage } from "node:http";
-
-import { Authenticator } from "@fastify/passport";
-import fastifySession from "@fastify/session";
-import { FastifyRequest } from "fastify";
-import LdapStrategy from "passport-ldapauth";
-import { z } from "zod";
-
-import { LdapConfigsSchema } from "@app/db/schemas";
-import { getConfig } from "@app/lib/config/env";
-import { logger } from "@app/lib/logger";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
-
-export const registerLdapRouter = async (server: FastifyZodProvider) => {
-  const appCfg = getConfig();
-  const passport = new Authenticator({ key: "ldap", userProperty: "passportUser" });
-  await server.register(fastifySession, { secret: appCfg.COOKIE_SECRET_SIGN_KEY });
-  await server.register(passport.initialize());
-  await server.register(passport.secureSession());
-
-  const getLdapPassportOpts = (req: FastifyRequest, done: any) => {
-    const { organizationSlug } = req.body as {
-      organizationSlug: string;
-    };
-
-    process.nextTick(async () => {
-      try {
-        const { opts, ldapConfig } = await server.services.ldap.bootLdap(organizationSlug);
-        req.ldapConfig = ldapConfig;
-        done(null, opts);
-      } catch (err) {
-        done(err);
-      }
-    });
-  };
-
-  passport.use(
-    new LdapStrategy(
-      getLdapPassportOpts as any,
-      // eslint-disable-next-line
-      async (req: IncomingMessage, user, cb) => {
-        try {
-          const { isUserCompleted, providerAuthToken } = await server.services.ldap.ldapLogin({
-            externalId: user.uidNumber,
-            username: user.uid,
-            firstName: user.givenName,
-            lastName: user.sn,
-            emails: user.mail ? [user.mail] : [],
-            relayState: ((req as unknown as FastifyRequest).body as { RelayState?: string }).RelayState,
-            orgId: (req as unknown as FastifyRequest).ldapConfig.organization
-          });
-
-          return cb(null, { isUserCompleted, providerAuthToken });
-        } catch (err) {
-          logger.error(err);
-          return cb(err, false);
-        }
-      }
-    )
-  );
-
-  server.route({
-    url: "/login",
-    method: "POST",
-    schema: {
-      body: z.object({
-        organizationSlug: z.string().trim()
-      })
-    },
-    preValidation: passport.authenticate("ldapauth", {
-      session: false
-      // failureFlash: true,
-      // failureRedirect: "/login/provider/error"
-      // this is due to zod type difference
-    }) as any,
-    handler: (req, res) => {
-      let nextUrl;
-      if (req.passportUser.isUserCompleted) {
-        nextUrl = `${appCfg.SITE_URL}/login/sso?token=${encodeURIComponent(req.passportUser.providerAuthToken)}`;
-      } else {
-        nextUrl = `${appCfg.SITE_URL}/signup/sso?token=${encodeURIComponent(req.passportUser.providerAuthToken)}`;
-      }
-
-      return res.status(200).send({
-        nextUrl
-      });
-    }
-  });
-
-  server.route({
-    url: "/config",
-    method: "GET",
-    onRequest: verifyAuth([AuthMode.JWT]),
-    schema: {
-      querystring: z.object({
-        organizationId: z.string().trim()
-      }),
-      response: {
-        200: z.object({
-          id: z.string(),
-          organization: z.string(),
-          isActive: z.boolean(),
-          url: z.string(),
-          bindDN: z.string(),
-          bindPass: z.string(),
-          searchBase: z.string(),
-          caCert: z.string()
-        })
-      }
-    },
-    handler: async (req) => {
-      const ldap = await server.services.ldap.getLdapCfgWithPermissionCheck({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        orgId: req.query.organizationId,
-        actorOrgId: req.permission.orgId
-      });
-      return ldap;
-    }
-  });
-
-  server.route({
-    url: "/config",
-    method: "POST",
-    onRequest: verifyAuth([AuthMode.JWT]),
-    schema: {
-      body: z.object({
-        organizationId: z.string().trim(),
-        isActive: z.boolean(),
-        url: z.string().trim(),
-        bindDN: z.string().trim(),
-        bindPass: z.string().trim(),
-        searchBase: z.string().trim(),
-        caCert: z.string().trim().default("")
-      }),
-      response: {
-        200: LdapConfigsSchema
-      }
-    },
-    handler: async (req) => {
-      const ldap = await server.services.ldap.createLdapCfg({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        orgId: req.body.organizationId,
-        actorOrgId: req.permission.orgId,
-        ...req.body
-      });
-
-      return ldap;
-    }
-  });
-
-  server.route({
-    url: "/config",
-    method: "PATCH",
-    onRequest: verifyAuth([AuthMode.JWT]),
-    schema: {
-      body: z
-        .object({
-          isActive: z.boolean(),
-          url: z.string().trim(),
-          bindDN: z.string().trim(),
-          bindPass: z.string().trim(),
-          searchBase: z.string().trim(),
-          caCert: z.string().trim()
-        })
-        .partial()
-        .merge(z.object({ organizationId: z.string() })),
-      response: {
-        200: LdapConfigsSchema
-      }
-    },
-    handler: async (req) => {
-      const ldap = await server.services.ldap.updateLdapCfg({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        orgId: req.body.organizationId,
-        actorOrgId: req.permission.orgId,
-        ...req.body
-      });
-
-      return ldap;
-    }
-  });
-};

backend/src/ee/routes/v1/org-role-router.ts

@@ -1,7 +1,6 @@
-import slugify from "@sindresorhus/slugify";
 import { z } from "zod";
 
-import { OrgMembershipRole, OrgMembershipsSchema, OrgRolesSchema } from "@app/db/schemas";
+import { OrgMembershipsSchema, OrgRolesSchema } from "@app/db/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 
@@ -14,17 +13,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
         organizationId: z.string().trim()
       }),
       body: z.object({
-        slug: z
-          .string()
-          .min(1)
-          .trim()
-          .refine(
-            (val) => Object.keys(OrgMembershipRole).includes(val),
-            "Please choose a different slug, the slug you have entered is reserved"
-          )
-          .refine((v) => slugify(v) === v, {
-            message: "Slug must be a valid"
-          }),
+        slug: z.string().trim(),
         name: z.string().trim(),
         description: z.string().trim().optional(),
         permissions: z.any().array()
@@ -56,17 +45,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
         roleId: z.string().trim()
       }),
       body: z.object({
-        slug: z
-          .string()
-          .trim()
-          .optional()
-          .refine(
-            (val) => typeof val === "undefined" || Object.keys(OrgMembershipRole).includes(val),
-            "Please choose a different slug, the slug you have entered is reserved."
-          )
-          .refine((val) => typeof val === "undefined" || slugify(val) === val, {
-            message: "Slug must be a valid"
-          }),
+        slug: z.string().trim().optional(),
         name: z.string().trim().optional(),
         description: z.string().trim().optional(),
         permissions: z.any().array()

backend/src/ee/routes/v1/project-router.ts

@@ -2,7 +2,6 @@ import { z } from "zod";
 
 import { AuditLogsSchema, SecretSnapshotsSchema } from "@app/db/schemas";
 import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
-import { AUDIT_LOGS, PROJECTS } from "@app/lib/api-docs";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -20,13 +19,13 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        workspaceId: z.string().trim().describe(PROJECTS.GET_SNAPSHOTS.workspaceId)
+        workspaceId: z.string().trim()
       }),
       querystring: z.object({
-        environment: z.string().trim().describe(PROJECTS.GET_SNAPSHOTS.environment),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(PROJECTS.GET_SNAPSHOTS.path),
-        offset: z.coerce.number().default(0).describe(PROJECTS.GET_SNAPSHOTS.offset),
-        limit: z.coerce.number().default(20).describe(PROJECTS.GET_SNAPSHOTS.limit)
+        environment: z.string().trim(),
+        path: z.string().trim().default("/").transform(removeTrailingSlash),
+        offset: z.coerce.number().default(0),
+        limit: z.coerce.number().default(20)
       }),
       response: {
         200: z.object({
@@ -90,16 +89,16 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        workspaceId: z.string().trim().describe(AUDIT_LOGS.EXPORT.workspaceId)
+        workspaceId: z.string().trim()
       }),
       querystring: z.object({
-        eventType: z.nativeEnum(EventType).optional().describe(AUDIT_LOGS.EXPORT.eventType),
-        userAgentType: z.nativeEnum(UserAgentType).optional().describe(AUDIT_LOGS.EXPORT.userAgentType),
-        startDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.startDate),
-        endDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.endDate),
-        offset: z.coerce.number().default(0).describe(AUDIT_LOGS.EXPORT.offset),
-        limit: z.coerce.number().default(20).describe(AUDIT_LOGS.EXPORT.limit),
-        actor: z.string().optional().describe(AUDIT_LOGS.EXPORT.actor)
+        eventType: z.nativeEnum(EventType).optional(),
+        userAgentType: z.nativeEnum(UserAgentType).optional(),
+        startDate: z.string().datetime().optional(),
+        endDate: z.string().datetime().optional(),
+        offset: z.coerce.number().default(0),
+        limit: z.coerce.number().default(20),
+        actor: z.string().optional()
       }),
       response: {
         200: z.object({

backend/src/ee/routes/v1/saml-router.ts

@@ -99,14 +99,14 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
       async (req, profile, cb) => {
         try {
           if (!profile) throw new BadRequestError({ message: "Missing profile" });
+          const { firstName } = profile;
           const email = profile?.email ?? (profile?.emailAddress as string); // emailRippling is added because in Rippling the field `email` reserved
 
-          if (!profile.email || !profile.firstName) {
+          if (!email || !firstName) {
             throw new BadRequestError({ message: "Invalid request. Missing email or first name" });
           }
 
           const { isUserCompleted, providerAuthToken } = await server.services.saml.samlLogin({
-            username: profile.nameID ?? email,
             email,
             firstName: profile.firstName as string,
             lastName: profile.lastName as string,

backend/src/ee/routes/v1/scim-router.ts

@@ -122,7 +122,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
               emails: z.array(
                 z.object({
                   primary: z.boolean(),
-                  value: z.string(),
+                  value: z.string().email(),
                   type: z.string().trim()
                 })
               ),
@@ -168,7 +168,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
           emails: z.array(
             z.object({
               primary: z.boolean(),
-              value: z.string(),
+              value: z.string().email(),
               type: z.string().trim()
             })
           ),
@@ -198,15 +198,13 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
           familyName: z.string().trim(),
           givenName: z.string().trim()
         }),
-        emails: z
-          .array(
-            z.object({
-              primary: z.boolean(),
-              value: z.string().email(),
-              type: z.string().trim()
-            })
-          )
-          .optional(),
+        // emails: z.array( // optional?
+        //   z.object({
+        //     primary: z.boolean(),
+        //     value: z.string().email(),
+        //     type: z.string().trim()
+        //   })
+        // ),
         // displayName: z.string().trim(),
         active: z.boolean()
       }),
@@ -233,11 +231,8 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.SCIM_TOKEN]),
     handler: async (req) => {
-      const primaryEmail = req.body.emails?.find((email) => email.primary)?.value;
-
       const user = await req.server.services.scim.createScimUser({
-        username: req.body.userName,
-        email: primaryEmail,
+        email: req.body.userName,
         firstName: req.body.name.givenName,
         lastName: req.body.name.familyName,
         orgId: req.permission.orgId as string

backend/src/ee/routes/v1/snapshot-router.ts

@@ -1,7 +1,6 @@
 import { z } from "zod";
 
 import { SecretSnapshotsSchema, SecretTagsSchema, SecretVersionsSchema } from "@app/db/schemas";
-import { PROJECTS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 
@@ -66,7 +65,7 @@ export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        secretSnapshotId: z.string().trim().describe(PROJECTS.ROLLBACK_TO_SNAPSHOT.secretSnapshotId)
+        secretSnapshotId: z.string().trim()
       }),
       response: {
         200: z.object({

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -92,8 +92,7 @@ export enum EventType {
 
 interface UserActorMetadata {
   userId: string;
-  email?: string | null;
-  username: string;
+  email: string;
 }
 
 interface ServiceActorMetadata {

backend/src/ee/services/ldap-config/ldap-config-dal.ts

@@ -1,11 +0,0 @@
-import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
-
-export type TLdapConfigDALFactory = ReturnType<typeof ldapConfigDALFactory>;
-
-export const ldapConfigDALFactory = (db: TDbClient) => {
-  const ldapCfgOrm = ormify(db, TableName.LdapConfig);
-
-  return { ...ldapCfgOrm };
-};

backend/src/ee/services/ldap-config/ldap-config-service.ts

@@ -1,429 +0,0 @@
-import { ForbiddenError } from "@casl/ability";
-import jwt from "jsonwebtoken";
-
-import { OrgMembershipRole, OrgMembershipStatus, SecretKeyEncoding, TLdapConfigsUpdate } from "@app/db/schemas";
-import { getConfig } from "@app/lib/config/env";
-import {
-  decryptSymmetric,
-  encryptSymmetric,
-  generateAsymmetricKeyPair,
-  generateSymmetricKey,
-  infisicalSymmetricDecrypt,
-  infisicalSymmetricEncypt
-} from "@app/lib/crypto/encryption";
-import { BadRequestError } from "@app/lib/errors";
-import { TOrgPermission } from "@app/lib/types";
-import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
-import { TOrgBotDALFactory } from "@app/services/org/org-bot-dal";
-import { TOrgDALFactory } from "@app/services/org/org-dal";
-import { TUserDALFactory } from "@app/services/user/user-dal";
-import { normalizeUsername } from "@app/services/user/user-fns";
-import { TUserAliasDALFactory } from "@app/services/user-alias/user-alias-dal";
-
-import { TLicenseServiceFactory } from "../license/license-service";
-import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
-import { TPermissionServiceFactory } from "../permission/permission-service";
-import { TLdapConfigDALFactory } from "./ldap-config-dal";
-import { TCreateLdapCfgDTO, TLdapLoginDTO, TUpdateLdapCfgDTO } from "./ldap-config-types";
-
-type TLdapConfigServiceFactoryDep = {
-  ldapConfigDAL: TLdapConfigDALFactory;
-  orgDAL: Pick<
-    TOrgDALFactory,
-    "createMembership" | "updateMembershipById" | "findMembership" | "findOrgById" | "findOne" | "updateById"
-  >;
-  orgBotDAL: Pick<TOrgBotDALFactory, "findOne" | "create" | "transaction">;
-  userDAL: Pick<TUserDALFactory, "create" | "findOne" | "transaction" | "updateById">;
-  userAliasDAL: Pick<TUserAliasDALFactory, "create" | "findOne">;
-  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
-  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
-};
-
-export type TLdapConfigServiceFactory = ReturnType<typeof ldapConfigServiceFactory>;
-
-export const ldapConfigServiceFactory = ({
-  ldapConfigDAL,
-  orgDAL,
-  orgBotDAL,
-  userDAL,
-  userAliasDAL,
-  permissionService,
-  licenseService
-}: TLdapConfigServiceFactoryDep) => {
-  const createLdapCfg = async ({
-    actor,
-    actorId,
-    orgId,
-    actorOrgId,
-    isActive,
-    url,
-    bindDN,
-    bindPass,
-    searchBase,
-    caCert
-  }: TCreateLdapCfgDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Ldap);
-
-    const plan = await licenseService.getPlan(orgId);
-    if (!plan.ldap)
-      throw new BadRequestError({
-        message:
-          "Failed to create LDAP configuration due to plan restriction. Upgrade plan to create LDAP configuration."
-      });
-
-    const orgBot = await orgBotDAL.transaction(async (tx) => {
-      const doc = await orgBotDAL.findOne({ orgId }, tx);
-      if (doc) return doc;
-
-      const { privateKey, publicKey } = generateAsymmetricKeyPair();
-      const key = generateSymmetricKey();
-      const {
-        ciphertext: encryptedPrivateKey,
-        iv: privateKeyIV,
-        tag: privateKeyTag,
-        encoding: privateKeyKeyEncoding,
-        algorithm: privateKeyAlgorithm
-      } = infisicalSymmetricEncypt(privateKey);
-      const {
-        ciphertext: encryptedSymmetricKey,
-        iv: symmetricKeyIV,
-        tag: symmetricKeyTag,
-        encoding: symmetricKeyKeyEncoding,
-        algorithm: symmetricKeyAlgorithm
-      } = infisicalSymmetricEncypt(key);
-
-      return orgBotDAL.create(
-        {
-          name: "Infisical org bot",
-          publicKey,
-          privateKeyIV,
-          encryptedPrivateKey,
-          symmetricKeyIV,
-          symmetricKeyTag,
-          encryptedSymmetricKey,
-          symmetricKeyAlgorithm,
-          orgId,
-          privateKeyTag,
-          privateKeyAlgorithm,
-          privateKeyKeyEncoding,
-          symmetricKeyKeyEncoding
-        },
-        tx
-      );
-    });
-
-    const key = infisicalSymmetricDecrypt({
-      ciphertext: orgBot.encryptedSymmetricKey,
-      iv: orgBot.symmetricKeyIV,
-      tag: orgBot.symmetricKeyTag,
-      keyEncoding: orgBot.symmetricKeyKeyEncoding as SecretKeyEncoding
-    });
-
-    const { ciphertext: encryptedBindDN, iv: bindDNIV, tag: bindDNTag } = encryptSymmetric(bindDN, key);
-    const { ciphertext: encryptedBindPass, iv: bindPassIV, tag: bindPassTag } = encryptSymmetric(bindPass, key);
-    const { ciphertext: encryptedCACert, iv: caCertIV, tag: caCertTag } = encryptSymmetric(caCert, key);
-
-    const ldapConfig = await ldapConfigDAL.create({
-      orgId,
-      isActive,
-      url,
-      encryptedBindDN,
-      bindDNIV,
-      bindDNTag,
-      encryptedBindPass,
-      bindPassIV,
-      bindPassTag,
-      searchBase,
-      encryptedCACert,
-      caCertIV,
-      caCertTag
-    });
-
-    return ldapConfig;
-  };
-
-  const updateLdapCfg = async ({
-    actor,
-    actorId,
-    orgId,
-    actorOrgId,
-    isActive,
-    url,
-    bindDN,
-    bindPass,
-    searchBase,
-    caCert
-  }: TUpdateLdapCfgDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Ldap);
-
-    const plan = await licenseService.getPlan(orgId);
-    if (!plan.ldap)
-      throw new BadRequestError({
-        message:
-          "Failed to update LDAP configuration due to plan restriction. Upgrade plan to update LDAP configuration."
-      });
-
-    const updateQuery: TLdapConfigsUpdate = {
-      isActive,
-      url,
-      searchBase
-    };
-
-    const orgBot = await orgBotDAL.findOne({ orgId });
-    if (!orgBot) throw new BadRequestError({ message: "Org bot not found", name: "OrgBotNotFound" });
-    const key = infisicalSymmetricDecrypt({
-      ciphertext: orgBot.encryptedSymmetricKey,
-      iv: orgBot.symmetricKeyIV,
-      tag: orgBot.symmetricKeyTag,
-      keyEncoding: orgBot.symmetricKeyKeyEncoding as SecretKeyEncoding
-    });
-
-    if (bindDN !== undefined) {
-      const { ciphertext: encryptedBindDN, iv: bindDNIV, tag: bindDNTag } = encryptSymmetric(bindDN, key);
-      updateQuery.encryptedBindDN = encryptedBindDN;
-      updateQuery.bindDNIV = bindDNIV;
-      updateQuery.bindDNTag = bindDNTag;
-    }
-
-    if (bindPass !== undefined) {
-      const { ciphertext: encryptedBindPass, iv: bindPassIV, tag: bindPassTag } = encryptSymmetric(bindPass, key);
-      updateQuery.encryptedBindPass = encryptedBindPass;
-      updateQuery.bindPassIV = bindPassIV;
-      updateQuery.bindPassTag = bindPassTag;
-    }
-
-    if (caCert !== undefined) {
-      const { ciphertext: encryptedCACert, iv: caCertIV, tag: caCertTag } = encryptSymmetric(caCert, key);
-      updateQuery.encryptedCACert = encryptedCACert;
-      updateQuery.caCertIV = caCertIV;
-      updateQuery.caCertTag = caCertTag;
-    }
-
-    const [ldapConfig] = await ldapConfigDAL.update({ orgId }, updateQuery);
-
-    return ldapConfig;
-  };
-
-  const getLdapCfg = async (filter: { orgId: string; isActive?: boolean }) => {
-    const ldapConfig = await ldapConfigDAL.findOne(filter);
-    if (!ldapConfig) throw new BadRequestError({ message: "Failed to find organization LDAP data" });
-
-    const orgBot = await orgBotDAL.findOne({ orgId: ldapConfig.orgId });
-    if (!orgBot) throw new BadRequestError({ message: "Org bot not found", name: "OrgBotNotFound" });
-
-    const key = infisicalSymmetricDecrypt({
-      ciphertext: orgBot.encryptedSymmetricKey,
-      iv: orgBot.symmetricKeyIV,
-      tag: orgBot.symmetricKeyTag,
-      keyEncoding: orgBot.symmetricKeyKeyEncoding as SecretKeyEncoding
-    });
-
-    const {
-      encryptedBindDN,
-      bindDNIV,
-      bindDNTag,
-      encryptedBindPass,
-      bindPassIV,
-      bindPassTag,
-      encryptedCACert,
-      caCertIV,
-      caCertTag
-    } = ldapConfig;
-
-    let bindDN = "";
-    if (encryptedBindDN && bindDNIV && bindDNTag) {
-      bindDN = decryptSymmetric({
-        ciphertext: encryptedBindDN,
-        key,
-        tag: bindDNTag,
-        iv: bindDNIV
-      });
-    }
-
-    let bindPass = "";
-    if (encryptedBindPass && bindPassIV && bindPassTag) {
-      bindPass = decryptSymmetric({
-        ciphertext: encryptedBindPass,
-        key,
-        tag: bindPassTag,
-        iv: bindPassIV
-      });
-    }
-
-    let caCert = "";
-    if (encryptedCACert && caCertIV && caCertTag) {
-      caCert = decryptSymmetric({
-        ciphertext: encryptedCACert,
-        key,
-        tag: caCertTag,
-        iv: caCertIV
-      });
-    }
-
-    return {
-      id: ldapConfig.id,
-      organization: ldapConfig.orgId,
-      isActive: ldapConfig.isActive,
-      url: ldapConfig.url,
-      bindDN,
-      bindPass,
-      searchBase: ldapConfig.searchBase,
-      caCert
-    };
-  };
-
-  const getLdapCfgWithPermissionCheck = async ({ actor, actorId, orgId, actorOrgId }: TOrgPermission) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Ldap);
-    return getLdapCfg({
-      orgId
-    });
-  };
-
-  const bootLdap = async (organizationSlug: string) => {
-    const organization = await orgDAL.findOne({ slug: organizationSlug });
-    if (!organization) throw new BadRequestError({ message: "Org not found" });
-
-    const ldapConfig = await getLdapCfg({
-      orgId: organization.id,
-      isActive: true
-    });
-
-    const opts = {
-      server: {
-        url: ldapConfig.url,
-        bindDN: ldapConfig.bindDN,
-        bindCredentials: ldapConfig.bindPass,
-        searchBase: ldapConfig.searchBase,
-        searchFilter: "(uid={{username}})",
-        searchAttributes: ["uid", "uidNumber", "givenName", "sn", "mail"],
-        ...(ldapConfig.caCert !== ""
-          ? {
-              tlsOptions: {
-                ca: [ldapConfig.caCert]
-              }
-            }
-          : {})
-      },
-      passReqToCallback: true
-    };
-
-    return { opts, ldapConfig };
-  };
-
-  const ldapLogin = async ({ externalId, username, firstName, lastName, emails, orgId, relayState }: TLdapLoginDTO) => {
-    const appCfg = getConfig();
-    let userAlias = await userAliasDAL.findOne({
-      externalId,
-      orgId,
-      aliasType: AuthMethod.LDAP
-    });
-
-    const organization = await orgDAL.findOrgById(orgId);
-    if (!organization) throw new BadRequestError({ message: "Org not found" });
-
-    if (userAlias) {
-      await userDAL.transaction(async (tx) => {
-        const [orgMembership] = await orgDAL.findMembership({ userId: userAlias.userId }, { tx });
-        if (!orgMembership) {
-          await orgDAL.createMembership(
-            {
-              userId: userAlias.userId,
-              orgId,
-              role: OrgMembershipRole.Member,
-              status: OrgMembershipStatus.Accepted
-            },
-            tx
-          );
-        } else if (orgMembership.status === OrgMembershipStatus.Invited) {
-          await orgDAL.updateMembershipById(
-            orgMembership.id,
-            {
-              status: OrgMembershipStatus.Accepted
-            },
-            tx
-          );
-        }
-      });
-    } else {
-      userAlias = await userDAL.transaction(async (tx) => {
-        const uniqueUsername = await normalizeUsername(username, userDAL);
-        const newUser = await userDAL.create(
-          {
-            username: uniqueUsername,
-            email: emails[0],
-            firstName,
-            lastName,
-            authMethods: [AuthMethod.LDAP],
-            isGhost: false
-          },
-          tx
-        );
-        const newUserAlias = await userAliasDAL.create(
-          {
-            userId: newUser.id,
-            username,
-            aliasType: AuthMethod.LDAP,
-            externalId,
-            emails,
-            orgId
-          },
-          tx
-        );
-
-        await orgDAL.createMembership(
-          {
-            userId: newUser.id,
-            orgId,
-            role: OrgMembershipRole.Member,
-            status: OrgMembershipStatus.Invited
-          },
-          tx
-        );
-
-        return newUserAlias;
-      });
-    }
-
-    const user = await userDAL.findOne({ id: userAlias.userId });
-
-    const isUserCompleted = Boolean(user.isAccepted);
-
-    const providerAuthToken = jwt.sign(
-      {
-        authTokenType: AuthTokenType.PROVIDER_TOKEN,
-        userId: user.id,
-        username: user.username,
-        firstName,
-        lastName,
-        organizationName: organization.name,
-        organizationId: organization.id,
-        authMethod: AuthMethod.LDAP,
-        isUserCompleted,
-        ...(relayState
-          ? {
-              callbackPort: (JSON.parse(relayState) as { callbackPort: string }).callbackPort
-            }
-          : {})
-      },
-      appCfg.AUTH_SECRET,
-      {
-        expiresIn: appCfg.JWT_PROVIDER_AUTH_LIFETIME
-      }
-    );
-
-    return { isUserCompleted, providerAuthToken };
-  };
-
-  return {
-    createLdapCfg,
-    updateLdapCfg,
-    getLdapCfgWithPermissionCheck,
-    getLdapCfg,
-    // getLdapPassportOpts,
-    ldapLogin,
-    bootLdap
-  };
-};

backend/src/ee/services/ldap-config/ldap-config-types.ts

@@ -1,30 +0,0 @@
-import { TOrgPermission } from "@app/lib/types";
-
-export type TCreateLdapCfgDTO = {
-  isActive: boolean;
-  url: string;
-  bindDN: string;
-  bindPass: string;
-  searchBase: string;
-  caCert: string;
-} & TOrgPermission;
-
-export type TUpdateLdapCfgDTO = Partial<{
-  isActive: boolean;
-  url: string;
-  bindDN: string;
-  bindPass: string;
-  searchBase: string;
-  caCert: string;
-}> &
-  TOrgPermission;
-
-export type TLdapLoginDTO = {
-  externalId: string;
-  username: string;
-  firstName: string;
-  lastName: string;
-  emails: string[];
-  orgId: string;
-  relayState?: string;
-};

backend/src/ee/services/license/__mocks__/licence-fns.ts

@@ -17,9 +17,7 @@ export const getDefaultOnPremFeatures = () => {
     customAlerts: false,
     auditLogs: false,
     auditLogsRetentionDays: 0,
-    samlSSO: true,
-    scim: false,
-    ldap: false,
+    samlSSO: false,
     status: null,
     trial_end: null,
     has_used_trial: true,

backend/src/ee/services/license/licence-fns.ts

@@ -23,9 +23,8 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
   customAlerts: false,
   auditLogs: false,
   auditLogsRetentionDays: 0,
-  samlSSO: true,
+  samlSSO: false,
   scim: false,
-  ldap: false,
   status: null,
   trial_end: null,
   has_used_trial: true,

backend/src/ee/services/license/license-service.ts

@@ -8,7 +8,6 @@ import { ForbiddenError } from "@casl/ability";
 
 import { TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
-import { verifyOfflineLicense } from "@app/lib/crypto";
 import { BadRequestError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
@@ -27,7 +26,6 @@ import {
   TFeatureSet,
   TGetOrgBillInfoDTO,
   TGetOrgTaxIdDTO,
-  TOfflineLicenseContents,
   TOrgInvoiceDTO,
   TOrgLicensesDTO,
   TOrgPlanDTO,
@@ -98,36 +96,6 @@ export const licenseServiceFactory = ({
         }
         return;
       }
-
-      if (appCfg.LICENSE_KEY_OFFLINE) {
-        let isValidOfflineLicense = true;
-        const contents: TOfflineLicenseContents = JSON.parse(
-          Buffer.from(appCfg.LICENSE_KEY_OFFLINE, "base64").toString("utf8")
-        );
-        const isVerified = await verifyOfflineLicense(JSON.stringify(contents.license), contents.signature);
-
-        if (!isVerified) {
-          isValidOfflineLicense = false;
-          logger.warn(`Infisical EE offline license verification failed`);
-        }
-
-        if (contents.license.terminatesAt) {
-          const terminationDate = new Date(contents.license.terminatesAt);
-          if (terminationDate < new Date()) {
-            isValidOfflineLicense = false;
-            logger.warn(`Infisical EE offline license has expired`);
-          }
-        }
-
-        if (isValidOfflineLicense) {
-          onPremFeatures = contents.license.features;
-          instanceType = InstanceType.EnterpriseOnPrem;
-          logger.info(`Instance type: ${InstanceType.EnterpriseOnPrem}`);
-          isValidLicense = true;
-          return;
-        }
-      }
-
       // this means this is self hosted oss version
       // else it would reach catch statement
       isValidLicense = true;
@@ -179,14 +147,14 @@ export const licenseServiceFactory = ({
     }
   };
 
-  const generateOrgCustomerId = async (orgName: string, email?: string | null) => {
+  const generateOrgCustomerId = async (orgName: string, email: string) => {
     if (instanceType === InstanceType.Cloud) {
       const {
         data: { customerId }
       } = await licenseServerCloudApi.request.post<{ customerId: string }>(
         "/api/license-server/v1/customers",
         {
-          email: email ?? "",
+          email,
           name: orgName
         },
         { timeout: 5000, signal: AbortSignal.timeout(5000) }

backend/src/ee/services/license/license-types.ts

@@ -6,21 +6,6 @@ export enum InstanceType {
   Cloud = "cloud"
 }
 
-export type TOfflineLicenseContents = {
-  license: TOfflineLicense;
-  signature: string;
-};
-
-export type TOfflineLicense = {
-  issuedTo: string;
-  licenseId: string;
-  customerId: string | null;
-  issuedAt: string;
-  expiresAt: string | null;
-  terminatesAt: string | null;
-  features: TFeatureSet;
-};
-
 export type TFeatureSet = {
   _id: null;
   slug: null;
@@ -39,9 +24,8 @@ export type TFeatureSet = {
   customAlerts: false;
   auditLogs: false;
   auditLogsRetentionDays: 0;
-  samlSSO: true;
+  samlSSO: false;
   scim: false;
-  ldap: false;
   status: null;
   trial_end: null;
   has_used_trial: true;

backend/src/ee/services/permission/org-permission.ts

@@ -17,7 +17,6 @@ export enum OrgPermissionSubjects {
   IncidentAccount = "incident-contact",
   Sso = "sso",
   Scim = "scim",
-  Ldap = "ldap",
   Billing = "billing",
   SecretScanning = "secret-scanning",
   Identity = "identity"
@@ -32,7 +31,6 @@ export type OrgPermissionSet =
   | [OrgPermissionActions, OrgPermissionSubjects.IncidentAccount]
   | [OrgPermissionActions, OrgPermissionSubjects.Sso]
   | [OrgPermissionActions, OrgPermissionSubjects.Scim]
-  | [OrgPermissionActions, OrgPermissionSubjects.Ldap]
   | [OrgPermissionActions, OrgPermissionSubjects.SecretScanning]
   | [OrgPermissionActions, OrgPermissionSubjects.Billing]
   | [OrgPermissionActions, OrgPermissionSubjects.Identity];
@@ -78,11 +76,6 @@ const buildAdminPermission = () => {
   can(OrgPermissionActions.Edit, OrgPermissionSubjects.Scim);
   can(OrgPermissionActions.Delete, OrgPermissionSubjects.Scim);
 
-  can(OrgPermissionActions.Read, OrgPermissionSubjects.Ldap);
-  can(OrgPermissionActions.Create, OrgPermissionSubjects.Ldap);
-  can(OrgPermissionActions.Edit, OrgPermissionSubjects.Ldap);
-  can(OrgPermissionActions.Delete, OrgPermissionSubjects.Ldap);
-
   can(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
   can(OrgPermissionActions.Create, OrgPermissionSubjects.Billing);
   can(OrgPermissionActions.Edit, OrgPermissionSubjects.Billing);

backend/src/ee/services/permission/permission-dal.ts

@@ -1,9 +1,7 @@
-import { z } from "zod";
-
 import { TDbClient } from "@app/db";
-import { IdentityProjectMembershipRoleSchema, ProjectUserMembershipRolesSchema, TableName } from "@app/db/schemas";
+import { TableName } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
-import { selectAllTableCols, sqlNestRelationships } from "@app/lib/knex";
+import { selectAllTableCols } from "@app/lib/knex";
 
 export type TPermissionDALFactory = ReturnType<typeof permissionDALFactory>;
 
@@ -45,72 +43,21 @@ export const permissionDALFactory = (db: TDbClient) => {
 
   const getProjectPermission = async (userId: string, projectId: string) => {
     try {
-      const docs = await db(TableName.ProjectMembership)
-        .join(
-          TableName.ProjectUserMembershipRole,
-          `${TableName.ProjectUserMembershipRole}.projectMembershipId`,
-          `${TableName.ProjectMembership}.id`
-        )
-        .leftJoin(
-          TableName.ProjectRoles,
-          `${TableName.ProjectUserMembershipRole}.customRoleId`,
-          `${TableName.ProjectRoles}.id`
-        )
+      const membership = await db(TableName.ProjectMembership)
+        .leftJoin(TableName.ProjectRoles, `${TableName.ProjectMembership}.roleId`, `${TableName.ProjectRoles}.id`)
         .join(TableName.Project, `${TableName.ProjectMembership}.projectId`, `${TableName.Project}.id`)
         .join(TableName.Organization, `${TableName.Project}.orgId`, `${TableName.Organization}.id`)
         .where("userId", userId)
         .where(`${TableName.ProjectMembership}.projectId`, projectId)
-        .select(selectAllTableCols(TableName.ProjectUserMembershipRole))
+        .select(selectAllTableCols(TableName.ProjectMembership))
         .select(
-          db.ref("id").withSchema(TableName.ProjectMembership).as("membershipId"),
-          // TODO(roll-forward-migration): remove this field when we drop this in next migration after a week
-          db.ref("role").withSchema(TableName.ProjectMembership).as("oldRoleField"),
-          db.ref("createdAt").withSchema(TableName.ProjectMembership).as("membershipCreatedAt"),
-          db.ref("updatedAt").withSchema(TableName.ProjectMembership).as("membershipUpdatedAt"),
           db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
-          db.ref("orgId").withSchema(TableName.Project),
-          db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug")
+          db.ref("orgId").withSchema(TableName.Project)
         )
-        .select("permissions");
+        .select("permissions")
+        .first();
 
-      const permission = sqlNestRelationships({
-        data: docs,
-        key: "membershipId",
-        parentMapper: ({
-          orgId,
-          orgAuthEnforced,
-          membershipId,
-          membershipCreatedAt,
-          membershipUpdatedAt,
-          oldRoleField
-        }) => ({
-          orgId,
-          orgAuthEnforced,
-          userId,
-          role: oldRoleField,
-          id: membershipId,
-          projectId,
-          createdAt: membershipCreatedAt,
-          updatedAt: membershipUpdatedAt
-        }),
-        childrenMapper: [
-          {
-            key: "id",
-            label: "roles" as const,
-            mapper: (data) =>
-              ProjectUserMembershipRolesSchema.extend({
-                permissions: z.unknown(),
-                customRoleSlug: z.string().optional().nullable()
-              }).parse(data)
-          }
-        ]
-      });
-      // when introducting cron mode change it here
-      const activeRoles = permission?.[0]?.roles.filter(
-        ({ isTemporary, temporaryAccessEndTime }) =>
-          !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
-      );
-      return permission?.[0] ? { ...permission[0], roles: activeRoles } : undefined;
+      return membership;
     } catch (error) {
       throw new DatabaseError({ error, name: "GetProjectPermission" });
     }
@@ -118,62 +65,18 @@ export const permissionDALFactory = (db: TDbClient) => {
 
   const getProjectIdentityPermission = async (identityId: string, projectId: string) => {
     try {
-      const docs = await db(TableName.IdentityProjectMembership)
-        .join(
-          TableName.IdentityProjectMembershipRole,
-          `${TableName.IdentityProjectMembershipRole}.projectMembershipId`,
-          `${TableName.IdentityProjectMembership}.id`
-        )
+      const membership = await db(TableName.IdentityProjectMembership)
         .leftJoin(
           TableName.ProjectRoles,
-          `${TableName.IdentityProjectMembershipRole}.customRoleId`,
+          `${TableName.IdentityProjectMembership}.roleId`,
           `${TableName.ProjectRoles}.id`
         )
         .where("identityId", identityId)
         .where(`${TableName.IdentityProjectMembership}.projectId`, projectId)
-        .select(selectAllTableCols(TableName.IdentityProjectMembershipRole))
-        .select(
-          db.ref("id").withSchema(TableName.IdentityProjectMembership).as("membershipId"),
-          db.ref("role").withSchema(TableName.IdentityProjectMembership).as("oldRoleField"),
-          db.ref("createdAt").withSchema(TableName.IdentityProjectMembership).as("membershipCreatedAt"),
-          db.ref("updatedAt").withSchema(TableName.IdentityProjectMembership).as("membershipUpdatedAt"),
-          db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug")
-        )
-        .select("permissions");
-
-      const permission = sqlNestRelationships({
-        data: docs,
-        key: "membershipId",
-        parentMapper: ({ membershipId, membershipCreatedAt, membershipUpdatedAt, oldRoleField }) => ({
-          id: membershipId,
-          identityId,
-          projectId,
-          role: oldRoleField,
-          createdAt: membershipCreatedAt,
-          updatedAt: membershipUpdatedAt,
-          // just a prefilled value
-          orgAuthEnforced: false,
-          orgId: ""
-        }),
-        childrenMapper: [
-          {
-            key: "id",
-            label: "roles" as const,
-            mapper: (data) =>
-              IdentityProjectMembershipRoleSchema.extend({
-                permissions: z.unknown(),
-                customRoleSlug: z.string().optional().nullable()
-              }).parse(data)
-          }
-        ]
-      });
-
-      // when introducting cron mode change it here
-      const activeRoles = permission?.[0]?.roles.filter(
-        ({ isTemporary, temporaryAccessEndTime }) =>
-          !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
-      );
-      return permission?.[0] ? { ...permission[0], roles: activeRoles } : undefined;
+        .select(selectAllTableCols(TableName.IdentityProjectMembership))
+        .select("permissions")
+        .first();
+      return membership;
     } catch (error) {
       throw new DatabaseError({ error, name: "GetProjectIdentityPermission" });
     }

backend/src/ee/services/permission/permission-service.ts

@@ -18,7 +18,6 @@ import { TServiceTokenDALFactory } from "@app/services/service-token/service-tok
 
 import { orgAdminPermissions, orgMemberPermissions, orgNoAccessPermissions, OrgPermissionSet } from "./org-permission";
 import { TPermissionDALFactory } from "./permission-dal";
-import { TBuildProjectPermissionDTO } from "./permission-types";
 import {
   buildServiceTokenProjectPermission,
   projectAdminPermissions,
@@ -65,35 +64,31 @@ export const permissionServiceFactory = ({
     }
   };
 
-  const buildProjectPermission = (projectUserRoles: TBuildProjectPermissionDTO) => {
-    const rules = projectUserRoles
-      .map(({ role, permissions }) => {
-        switch (role) {
-          case ProjectMembershipRole.Admin:
-            return projectAdminPermissions;
-          case ProjectMembershipRole.Member:
-            return projectMemberPermissions;
-          case ProjectMembershipRole.Viewer:
-            return projectViewerPermission;
-          case ProjectMembershipRole.NoAccess:
-            return projectNoAccessPermissions;
-          case ProjectMembershipRole.Custom: {
-            return unpackRules<RawRuleOf<MongoAbility<ProjectPermissionSet>>>(
-              permissions as PackRule<RawRuleOf<MongoAbility<ProjectPermissionSet>>>[]
-            );
+  const buildProjectPermission = (role: string, permission?: unknown) => {
+    switch (role) {
+      case ProjectMembershipRole.Admin:
+        return projectAdminPermissions;
+      case ProjectMembershipRole.Member:
+        return projectMemberPermissions;
+      case ProjectMembershipRole.Viewer:
+        return projectViewerPermission;
+      case ProjectMembershipRole.NoAccess:
+        return projectNoAccessPermissions;
+      case ProjectMembershipRole.Custom:
+        return createMongoAbility<ProjectPermissionSet>(
+          unpackRules<RawRuleOf<MongoAbility<ProjectPermissionSet>>>(
+            permission as PackRule<RawRuleOf<MongoAbility<ProjectPermissionSet>>>[]
+          ),
+          {
+            conditionsMatcher
           }
-          default:
-            throw new BadRequestError({
-              name: "ProjectRoleInvalid",
-              message: "Project role not found"
-            });
-        }
-      })
-      .reduce((curr, prev) => prev.concat(curr), []);
-
-    return createMongoAbility<ProjectPermissionSet>(rules, {
-      conditionsMatcher
-    });
+        );
+      default:
+        throw new BadRequestError({
+          name: "ProjectRoleInvalid",
+          message: "Project role not found"
+        });
+    }
   };
 
   /*
@@ -150,56 +145,33 @@ export const permissionServiceFactory = ({
   };
 
   // user permission for a project in an organization
-  const getUserProjectPermission = async (
-    userId: string,
-    projectId: string,
-    userOrgId?: string
-  ): Promise<TProjectPermissionRT<ActorType.USER>> => {
-    const userProjectPermission = await permissionDAL.getProjectPermission(userId, projectId);
-    if (!userProjectPermission) throw new UnauthorizedError({ name: "User not in project" });
-
-    if (
-      userProjectPermission.roles.some(({ role, permissions }) => role === ProjectMembershipRole.Custom && !permissions)
-    ) {
+  const getUserProjectPermission = async (userId: string, projectId: string, userOrgId?: string) => {
+    const membership = await permissionDAL.getProjectPermission(userId, projectId);
+    if (!membership) throw new UnauthorizedError({ name: "User not in project" });
+    if (membership.role === ProjectMembershipRole.Custom && !membership.permissions) {
       throw new BadRequestError({ name: "Custom permission not found" });
     }
 
-    if (userProjectPermission.orgAuthEnforced && userProjectPermission.orgId !== userOrgId) {
+    if (membership.orgAuthEnforced && membership.orgId !== userOrgId) {
       throw new BadRequestError({ name: "Cannot access org-scoped resource" });
     }
 
     return {
-      permission: buildProjectPermission(userProjectPermission.roles),
-      membership: userProjectPermission,
-      hasRole: (role: string) =>
-        userProjectPermission.roles.findIndex(
-          ({ role: slug, customRoleSlug }) => role === slug || slug === customRoleSlug
-        ) !== -1
+      permission: buildProjectPermission(membership.role, membership.permissions),
+      membership
     };
   };
 
-  const getIdentityProjectPermission = async (
-    identityId: string,
-    projectId: string
-  ): Promise<TProjectPermissionRT<ActorType.IDENTITY>> => {
-    const identityProjectPermission = await permissionDAL.getProjectIdentityPermission(identityId, projectId);
-    if (!identityProjectPermission) throw new UnauthorizedError({ name: "Identity not in project" });
-
-    if (
-      identityProjectPermission.roles.some(
-        ({ role, permissions }) => role === ProjectMembershipRole.Custom && !permissions
-      )
-    ) {
+  const getIdentityProjectPermission = async (identityId: string, projectId: string) => {
+    const membership = await permissionDAL.getProjectIdentityPermission(identityId, projectId);
+    if (!membership) throw new UnauthorizedError({ name: "Identity not in project" });
+    if (membership.role === ProjectMembershipRole.Custom && !membership.permissions) {
       throw new BadRequestError({ name: "Custom permission not found" });
     }
 
     return {
-      permission: buildProjectPermission(identityProjectPermission.roles),
-      membership: identityProjectPermission,
-      hasRole: (role: string) =>
-        identityProjectPermission.roles.findIndex(
-          ({ role: slug, customRoleSlug }) => role === slug || slug === customRoleSlug
-        ) !== -1
+      permission: buildProjectPermission(membership.role, membership.permissions),
+      membership
     };
   };
 
@@ -219,19 +191,14 @@ export const permissionServiceFactory = ({
   };
 
   type TProjectPermissionRT<T extends ActorType> = T extends ActorType.SERVICE
-    ? {
-        permission: MongoAbility<ProjectPermissionSet, MongoQuery>;
-        membership: undefined;
-        hasRole: (arg: string) => boolean;
-      } // service token doesn't have both membership and roles
+    ? { permission: MongoAbility<ProjectPermissionSet, MongoQuery>; membership: undefined }
     : {
         permission: MongoAbility<ProjectPermissionSet, MongoQuery>;
         membership: (T extends ActorType.USER ? TProjectMemberships : TIdentityProjectMemberships) & {
-          orgAuthEnforced: boolean | null | undefined;
+          orgAuthEnforced: boolean;
           orgId: string;
-          roles: Array<{ role: string }>;
+          permissions?: unknown;
         };
-        hasRole: (role: string) => boolean;
       };
 
   const getProjectPermission = async <T extends ActorType>(
@@ -261,13 +228,11 @@ export const permissionServiceFactory = ({
       const projectRole = await projectRoleDAL.findOne({ slug: role, projectId });
       if (!projectRole) throw new BadRequestError({ message: "Role not found" });
       return {
-        permission: buildProjectPermission([
-          { role: ProjectMembershipRole.Custom, permissions: projectRole.permissions }
-        ]),
+        permission: buildProjectPermission(ProjectMembershipRole.Custom, projectRole.permissions),
         role: projectRole
       };
     }
-    return { permission: buildProjectPermission([{ role, permissions: [] }]) };
+    return { permission: buildProjectPermission(role, []) };
   };
 
   return {

backend/src/ee/services/permission/permission-types.ts

@@ -1,4 +0,0 @@
-export type TBuildProjectPermissionDTO = {
-  permissions?: unknown;
-  role: string;
-}[];

backend/src/ee/services/permission/project-permission.ts

@@ -56,8 +56,8 @@ export type ProjectPermissionSet =
   | [ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback]
   | [ProjectPermissionActions.Create, ProjectPermissionSub.SecretRollback];
 
-const buildAdminPermissionRules = () => {
-  const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
+const buildAdminPermission = () => {
+  const { can, build } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
 
   can(ProjectPermissionActions.Read, ProjectPermissionSub.Secrets);
   can(ProjectPermissionActions.Create, ProjectPermissionSub.Secrets);
@@ -135,13 +135,13 @@ const buildAdminPermissionRules = () => {
   can(ProjectPermissionActions.Edit, ProjectPermissionSub.Project);
   can(ProjectPermissionActions.Delete, ProjectPermissionSub.Project);
 
-  return rules;
+  return build({ conditionsMatcher });
 };
 
-export const projectAdminPermissions = buildAdminPermissionRules();
+export const projectAdminPermissions = buildAdminPermission();
 
-const buildMemberPermissionRules = () => {
-  const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
+const buildMemberPermission = () => {
+  const { can, build } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
 
   can(ProjectPermissionActions.Read, ProjectPermissionSub.Secrets);
   can(ProjectPermissionActions.Create, ProjectPermissionSub.Secrets);
@@ -196,13 +196,13 @@ const buildMemberPermissionRules = () => {
   can(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.IpAllowList);
 
-  return rules;
+  return build({ conditionsMatcher });
 };
 
-export const projectMemberPermissions = buildMemberPermissionRules();
+export const projectMemberPermissions = buildMemberPermission();
 
-const buildViewerPermissionRules = () => {
-  const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
+const buildViewerPermission = () => {
+  const { can, build } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
 
   can(ProjectPermissionActions.Read, ProjectPermissionSub.Secrets);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
@@ -220,14 +220,14 @@ const buildViewerPermissionRules = () => {
   can(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.IpAllowList);
 
-  return rules;
+  return build({ conditionsMatcher });
 };
 
-export const projectViewerPermission = buildViewerPermissionRules();
+export const projectViewerPermission = buildViewerPermission();
 
 const buildNoAccessProjectPermission = () => {
-  const { rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
-  return rules;
+  const { build } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
+  return build({ conditionsMatcher });
 };
 
 export const buildServiceTokenProjectPermission = (

backend/src/ee/services/saml-config/saml-config-service.ts

@@ -5,7 +5,6 @@ import {
   OrgMembershipRole,
   OrgMembershipStatus,
   SecretKeyEncoding,
-  TableName,
   TSamlConfigs,
   TSamlConfigsUpdate
 } from "@app/db/schemas";
@@ -32,7 +31,7 @@ import { TCreateSamlCfgDTO, TGetSamlCfgDTO, TSamlLoginDTO, TUpdateSamlCfgDTO } f
 
 type TSamlConfigServiceFactoryDep = {
   samlConfigDAL: TSamlConfigDALFactory;
-  userDAL: Pick<TUserDALFactory, "create" | "findOne" | "transaction" | "updateById">;
+  userDAL: Pick<TUserDALFactory, "create" | "findUserByEmail" | "transaction" | "updateById">;
   orgDAL: Pick<
     TOrgDALFactory,
     "createMembership" | "updateMembershipById" | "findMembership" | "findOrgById" | "findOne" | "updateById"
@@ -70,7 +69,7 @@ export const samlConfigServiceFactory = ({
     if (!plan.samlSSO)
       throw new BadRequestError({
         message:
-          "Failed to create SAML SSO configuration due to plan restriction. Upgrade plan to create SSO configuration."
+          "Failed to update SAML SSO configuration due to plan restriction. Upgrade plan to update SSO configuration."
       });
 
     const orgBot = await orgBotDAL.transaction(async (tx) => {
@@ -123,6 +122,7 @@ export const samlConfigServiceFactory = ({
 
     const { ciphertext: encryptedEntryPoint, iv: entryPointIV, tag: entryPointTag } = encryptSymmetric(entryPoint, key);
     const { ciphertext: encryptedIssuer, iv: issuerIV, tag: issuerTag } = encryptSymmetric(issuer, key);
+
     const { ciphertext: encryptedCert, iv: certIV, tag: certTag } = encryptSymmetric(cert, key);
     const samlConfig = await samlConfigDAL.create({
       orgId,
@@ -172,7 +172,7 @@ export const samlConfigServiceFactory = ({
       keyEncoding: orgBot.symmetricKeyKeyEncoding as SecretKeyEncoding
     });
 
-    if (entryPoint !== undefined) {
+    if (entryPoint) {
       const {
         ciphertext: encryptedEntryPoint,
         iv: entryPointIV,
@@ -182,19 +182,18 @@ export const samlConfigServiceFactory = ({
       updateQuery.entryPointIV = entryPointIV;
       updateQuery.entryPointTag = entryPointTag;
     }
-    if (issuer !== undefined) {
+    if (issuer) {
       const { ciphertext: encryptedIssuer, iv: issuerIV, tag: issuerTag } = encryptSymmetric(issuer, key);
       updateQuery.encryptedIssuer = encryptedIssuer;
       updateQuery.issuerIV = issuerIV;
       updateQuery.issuerTag = issuerTag;
     }
-    if (cert !== undefined) {
+    if (cert) {
       const { ciphertext: encryptedCert, iv: certIV, tag: certTag } = encryptSymmetric(cert, key);
       updateQuery.encryptedCert = encryptedCert;
       updateQuery.certIV = certIV;
       updateQuery.certTag = certTag;
     }
-
     const [ssoConfig] = await samlConfigDAL.update({ orgId }, updateQuery);
     await orgDAL.updateById(orgId, { authEnforced: false, scimEnabled: false });
 
@@ -301,30 +300,16 @@ export const samlConfigServiceFactory = ({
     };
   };
 
-  const samlLogin = async ({
-    username,
-    email,
-    firstName,
-    lastName,
-    authProvider,
-    orgId,
-    relayState
-  }: TSamlLoginDTO) => {
+  const samlLogin = async ({ firstName, email, lastName, authProvider, orgId, relayState }: TSamlLoginDTO) => {
     const appCfg = getConfig();
-    let user = await userDAL.findOne({ username });
+    let user = await userDAL.findUserByEmail(email);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) throw new BadRequestError({ message: "Org not found" });
 
     if (user) {
       await userDAL.transaction(async (tx) => {
-        const [orgMembership] = await orgDAL.findMembership(
-          {
-            userId: user.id,
-            [`${TableName.OrgMembership}.orgId` as "id"]: orgId
-          },
-          { tx }
-        );
+        const [orgMembership] = await orgDAL.findMembership({ userId: user.id, orgId }, { tx });
         if (!orgMembership) {
           await orgDAL.createMembership(
             {
@@ -350,7 +335,6 @@ export const samlConfigServiceFactory = ({
       user = await userDAL.transaction(async (tx) => {
         const newUser = await userDAL.create(
           {
-            username,
             email,
             firstName,
             lastName,
@@ -373,7 +357,7 @@ export const samlConfigServiceFactory = ({
       {
         authTokenType: AuthTokenType.PROVIDER_TOKEN,
         userId: user.id,
-        username: user.username,
+        email: user.email,
         firstName,
         lastName,
         organizationName: organization.name,

backend/src/ee/services/saml-config/saml-config-types.ts

@@ -37,8 +37,7 @@ export type TGetSamlCfgDTO =
     };
 
 export type TSamlLoginDTO = {
-  username: string;
-  email?: string;
+  email: string;
   firstName: string;
   lastName?: string;
   authProvider: string;

backend/src/ee/services/scim/scim-fns.ts

@@ -20,38 +20,34 @@ export const buildScimUserList = ({
 
 export const buildScimUser = ({
   userId,
-  username,
-  email,
   firstName,
   lastName,
+  email,
   active
 }: {
   userId: string;
-  username: string;
-  email?: string | null;
   firstName: string;
   lastName: string;
+  email: string;
   active: boolean;
 }): TScimUser => {
-  const scimUser = {
+  return {
     schemas: ["urn:ietf:params:scim:schemas:core:2.0:User"],
     id: userId,
-    userName: username,
+    userName: email,
     displayName: `${firstName} ${lastName}`,
     name: {
       givenName: firstName,
       middleName: null,
       familyName: lastName
     },
-    emails: email
-      ? [
-          {
-            primary: true,
-            value: email,
-            type: "work"
-          }
-        ]
-      : [],
+    emails: [
+      {
+        primary: true,
+        value: email,
+        type: "work"
+      }
+    ],
     active,
     groups: [],
     meta: {
@@ -59,6 +55,4 @@ export const buildScimUser = ({
       location: null
     }
   };
-
-  return scimUser;
 };

backend/src/ee/services/scim/scim-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import jwt from "jsonwebtoken";
 
-import { OrgMembershipRole, OrgMembershipStatus, TableName } from "@app/db/schemas";
+import { OrgMembershipRole, OrgMembershipStatus } from "@app/db/schemas";
 import { TScimDALFactory } from "@app/ee/services/scim/scim-dal";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ScimRequestError, UnauthorizedError } from "@app/lib/errors";
@@ -146,16 +146,15 @@ export const scimServiceFactory = ({
 
     const users = await orgDAL.findMembership(
       {
-        [`${TableName.OrgMembership}.orgId` as "id"]: orgId,
+        orgId,
         ...parseFilter(filter)
       },
       findOpts
     );
 
-    const scimUsers = users.map(({ userId, username, firstName, lastName, email }) =>
+    const scimUsers = users.map(({ userId, firstName, lastName, email }) =>
       buildScimUser({
         userId: userId ?? "",
-        username,
         firstName: firstName ?? "",
         lastName: lastName ?? "",
         email,
@@ -174,7 +173,7 @@ export const scimServiceFactory = ({
     const [membership] = await orgDAL
       .findMembership({
         userId,
-        [`${TableName.OrgMembership}.orgId` as "id"]: orgId
+        orgId
       })
       .catch(() => {
         throw new ScimRequestError({
@@ -197,15 +196,14 @@ export const scimServiceFactory = ({
 
     return buildScimUser({
       userId: membership.userId as string,
-      username: membership.username,
-      email: membership.email ?? "",
       firstName: membership.firstName as string,
       lastName: membership.lastName as string,
+      email: membership.email,
       active: true
     });
   };
 
-  const createScimUser = async ({ username, email, firstName, lastName, orgId }: TCreateScimUserDTO) => {
+  const createScimUser = async ({ firstName, lastName, email, orgId }: TCreateScimUserDTO) => {
     const org = await orgDAL.findById(orgId);
 
     if (!org)
@@ -221,18 +219,12 @@ export const scimServiceFactory = ({
       });
 
     let user = await userDAL.findOne({
-      username
+      email
     });
 
     if (user) {
       await userDAL.transaction(async (tx) => {
-        const [orgMembership] = await orgDAL.findMembership(
-          {
-            userId: user.id,
-            [`${TableName.OrgMembership}.orgId` as "id"]: orgId
-          },
-          { tx }
-        );
+        const [orgMembership] = await orgDAL.findMembership({ userId: user.id, orgId }, { tx });
         if (orgMembership)
           throw new ScimRequestError({
             detail: "User already exists in the database",
@@ -256,7 +248,6 @@ export const scimServiceFactory = ({
       user = await userDAL.transaction(async (tx) => {
         const newUser = await userDAL.create(
           {
-            username,
             email,
             firstName,
             lastName,
@@ -281,25 +272,21 @@ export const scimServiceFactory = ({
     }
 
     const appCfg = getConfig();
-
-    if (email) {
-      await smtpService.sendMail({
-        template: SmtpTemplates.ScimUserProvisioned,
-        subjectLine: "Infisical organization invitation",
-        recipients: [email],
-        substitutions: {
-          organizationName: org.name,
-          callback_url: `${appCfg.SITE_URL}/api/v1/sso/redirect/saml2/organizations/${org.slug}`
-        }
-      });
-    }
+    await smtpService.sendMail({
+      template: SmtpTemplates.ScimUserProvisioned,
+      subjectLine: "Infisical organization invitation",
+      recipients: [email],
+      substitutions: {
+        organizationName: org.name,
+        callback_url: `${appCfg.SITE_URL}/api/v1/sso/redirect/saml2/organizations/${org.slug}`
+      }
+    });
 
     return buildScimUser({
       userId: user.id,
-      username: user.username,
       firstName: user.firstName as string,
       lastName: user.lastName as string,
-      email: user.email ?? "",
+      email: user.email,
       active: true
     });
   };
@@ -308,7 +295,7 @@ export const scimServiceFactory = ({
     const [membership] = await orgDAL
       .findMembership({
         userId,
-        [`${TableName.OrgMembership}.orgId` as "id"]: orgId
+        orgId
       })
       .catch(() => {
         throw new ScimRequestError({
@@ -355,10 +342,9 @@ export const scimServiceFactory = ({
 
     return buildScimUser({
       userId: membership.userId as string,
-      username: membership.username,
-      email: membership.email,
       firstName: membership.firstName as string,
       lastName: membership.lastName as string,
+      email: membership.email,
       active
     });
   };
@@ -367,7 +353,7 @@ export const scimServiceFactory = ({
     const [membership] = await orgDAL
       .findMembership({
         userId,
-        [`${TableName.OrgMembership}.orgId` as "id"]: orgId
+        orgId
       })
       .catch(() => {
         throw new ScimRequestError({
@@ -401,10 +387,9 @@ export const scimServiceFactory = ({
 
     return buildScimUser({
       userId: membership.userId as string,
-      username: membership.username,
-      email: membership.email,
       firstName: membership.firstName as string,
       lastName: membership.lastName as string,
+      email: membership.email,
       active
     });
   };

backend/src/ee/services/scim/scim-types.ts

@@ -32,8 +32,7 @@ export type TGetScimUserDTO = {
 };
 
 export type TCreateScimUserDTO = {
-  username: string;
-  email?: string;
+  email: string;
   firstName: string;
   lastName: string;
   orgId: string;

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -129,14 +129,14 @@ export const secretApprovalRequestServiceFactory = ({
     if (!secretApprovalRequest) throw new BadRequestError({ message: "Secret approval request not found" });
 
     const { policy } = secretApprovalRequest;
-    const { membership, hasRole } = await permissionService.getProjectPermission(
+    const { membership } = await permissionService.getProjectPermission(
       actor,
       actorId,
       secretApprovalRequest.projectId,
       actorOrgId
     );
     if (
-      !hasRole(ProjectMembershipRole.Admin) &&
+      membership.role !== ProjectMembershipRole.Admin &&
       secretApprovalRequest.committerId !== membership.id &&
       !policy.approvers.find((approverId) => approverId === membership.id)
     ) {
@@ -156,14 +156,14 @@ export const secretApprovalRequestServiceFactory = ({
     if (actor !== ActorType.USER) throw new BadRequestError({ message: "Must be a user" });
 
     const { policy } = secretApprovalRequest;
-    const { membership, hasRole } = await permissionService.getProjectPermission(
+    const { membership } = await permissionService.getProjectPermission(
       ActorType.USER,
       actorId,
       secretApprovalRequest.projectId,
       actorOrgId
     );
     if (
-      !hasRole(ProjectMembershipRole.Admin) &&
+      membership.role !== ProjectMembershipRole.Admin &&
       secretApprovalRequest.committerId !== membership.id &&
       !policy.approvers.find((approverId) => approverId === membership.id)
     ) {
@@ -198,14 +198,14 @@ export const secretApprovalRequestServiceFactory = ({
     if (actor !== ActorType.USER) throw new BadRequestError({ message: "Must be a user" });
 
     const { policy } = secretApprovalRequest;
-    const { membership, hasRole } = await permissionService.getProjectPermission(
+    const { membership } = await permissionService.getProjectPermission(
       ActorType.USER,
       actorId,
       secretApprovalRequest.projectId,
       actorOrgId
     );
     if (
-      !hasRole(ProjectMembershipRole.Admin) &&
+      membership.role !== ProjectMembershipRole.Admin &&
       secretApprovalRequest.committerId !== membership.id &&
       !policy.approvers.find((approverId) => approverId === membership.id)
     ) {
@@ -236,14 +236,9 @@ export const secretApprovalRequestServiceFactory = ({
     if (actor !== ActorType.USER) throw new BadRequestError({ message: "Must be a user" });
 
     const { policy, folderId, projectId } = secretApprovalRequest;
-    const { membership, hasRole } = await permissionService.getProjectPermission(
-      ActorType.USER,
-      actorId,
-      projectId,
-      actorOrgId
-    );
+    const { membership } = await permissionService.getProjectPermission(ActorType.USER, actorId, projectId, actorOrgId);
     if (
-      !hasRole(ProjectMembershipRole.Admin) &&
+      membership.role !== ProjectMembershipRole.Admin &&
       secretApprovalRequest.committerId !== membership.id &&
       !policy.approvers.find((approverId) => approverId === membership.id)
     ) {

backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts

@@ -1,10 +1,3 @@
-import {
-  CreateAccessKeyCommand,
-  DeleteAccessKeyCommand,
-  GetAccessKeyLastUsedCommand,
-  IAMClient
-} from "@aws-sdk/client-iam";
-
 import { SecretKeyEncoding, SecretType } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import {
@@ -25,12 +18,7 @@ import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 
 import { TSecretRotationDALFactory } from "../secret-rotation-dal";
 import { rotationTemplates } from "../templates";
-import {
-  TAwsProviderSystems,
-  TDbProviderClients,
-  TProviderFunctionTypes,
-  TSecretRotationProviderTemplate
-} from "../templates/types";
+import { TDbProviderClients, TProviderFunctionTypes, TSecretRotationProviderTemplate } from "../templates/types";
 import {
   getDbSetQuery,
   secretRotationDbFn,
@@ -139,10 +127,7 @@ export const secretRotationQueueFactory = ({
         internal: {}
       };
 
-      /* Rotation Function For Database
-       * A database like sql cannot have multiple password for a user
-       * thus we ask users to create two users with required permission and then we keep cycling between these two db users
-       */
+      // when its a database we keep cycling the variables accordingly
       if (provider.template.type === TProviderFunctionTypes.DB) {
         const lastCred = variables.creds.at(-1);
         if (lastCred && variables.creds.length === 1) {
@@ -185,65 +170,6 @@ export const secretRotationQueueFactory = ({
         if (variables.creds.length === 2) variables.creds.pop();
       }
 
-      /*
-       * Rotation Function For AWS Services
-       * Due to complexity in AWS Authorization hashing signature process we keep it as seperate entity instead of http template mode
-       * We first delete old key before creating a new one because aws iam has a quota limit of 2 keys
-       * */
-      if (provider.template.type === TProviderFunctionTypes.AWS) {
-        if (provider.template.client === TAwsProviderSystems.IAM) {
-          const client = new IAMClient({
-            region: newCredential.inputs.manager_user_aws_region as string,
-            credentials: {
-              accessKeyId: newCredential.inputs.manager_user_access_key as string,
-              secretAccessKey: newCredential.inputs.manager_user_secret_key as string
-            }
-          });
-
-          const iamUserName = newCredential.inputs.iam_username as string;
-
-          if (variables.creds.length === 2) {
-            const deleteCycleCredential = variables.creds.pop();
-            if (deleteCycleCredential) {
-              const deletedIamAccessKey = await client.send(
-                new DeleteAccessKeyCommand({
-                  UserName: iamUserName,
-                  AccessKeyId: deleteCycleCredential.outputs.iam_user_access_key as string
-                })
-              );
-
-              if (
-                !deletedIamAccessKey?.$metadata?.httpStatusCode ||
-                deletedIamAccessKey?.$metadata?.httpStatusCode > 300
-              ) {
-                throw new DisableRotationErrors({
-                  message: "Failed to delete aws iam access key. Check managed iam user policy"
-                });
-              }
-            }
-          }
-
-          const newIamAccessKey = await client.send(new CreateAccessKeyCommand({ UserName: iamUserName }));
-          if (!newIamAccessKey.AccessKey)
-            throw new DisableRotationErrors({ message: "Failed to create access key. Check managed iam user policy" });
-
-          // test
-          const testAccessKey = await client.send(
-            new GetAccessKeyLastUsedCommand({ AccessKeyId: newIamAccessKey.AccessKey.AccessKeyId })
-          );
-          if (testAccessKey?.UserName !== iamUserName)
-            throw new DisableRotationErrors({ message: "Failed to create access key. Check managed iam user policy" });
-
-          newCredential.outputs.iam_user_access_key = newIamAccessKey.AccessKey.AccessKeyId;
-          newCredential.outputs.iam_user_secret_key = newIamAccessKey.AccessKey.SecretAccessKey;
-        }
-      }
-
-      /* Rotation function of HTTP infisical template
-       * This is a generic http based template system for rotation
-       * we use this for sendgrid and for custom secret rotation
-       * This will ensure user provided rotation is easier to make
-       * */
       if (provider.template.type === TProviderFunctionTypes.HTTP) {
         if (provider.template.functions.set?.pre) {
           secretRotationPreSetFn(provider.template.functions.set.pre, newCredential);
@@ -259,9 +185,6 @@ export const secretRotationQueueFactory = ({
           }
         }
       }
-
-      // insert the new variables to start
-      // encrypt the data - save it
       variables.creds.unshift({
         outputs: newCredential.outputs,
         internal: newCredential.internal
@@ -277,7 +200,6 @@ export const secretRotationQueueFactory = ({
           key
         )
       }));
-      // map the final values to output keys in the board
       await secretRotationDAL.transaction(async (tx) => {
         await secretRotationDAL.updateById(
           rotationId,

backend/src/ee/services/secret-rotation/templates/aws-iam.ts

@@ -1,21 +0,0 @@
-import { TAwsProviderSystems, TProviderFunctionTypes } from "./types";
-
-export const AWS_IAM_TEMPLATE = {
-  type: TProviderFunctionTypes.AWS as const,
-  client: TAwsProviderSystems.IAM,
-  inputs: {
-    type: "object" as const,
-    properties: {
-      manager_user_access_key: { type: "string" as const },
-      manager_user_secret_key: { type: "string" as const },
-      manager_user_aws_region: { type: "string" as const },
-      iam_username: { type: "string" as const }
-    },
-    required: ["manager_user_access_key", "manager_user_secret_key", "manager_user_aws_region", "iam_username"],
-    additionalProperties: false
-  },
-  outputs: {
-    iam_user_access_key: { type: "string" },
-    iam_user_secret_key: { type: "string" }
-  }
-};

backend/src/ee/services/secret-rotation/templates/index.ts

@@ -1,4 +1,3 @@
-import { AWS_IAM_TEMPLATE } from "./aws-iam";
 import { MYSQL_TEMPLATE } from "./mysql";
 import { POSTGRES_TEMPLATE } from "./postgres";
 import { SENDGRID_TEMPLATE } from "./sendgrid";
@@ -25,12 +24,5 @@ export const rotationTemplates: TSecretRotationProviderTemplate[] = [
     image: "mysql.png",
     description: "Rotate MySQL@7/MariaDB user credentials",
     template: MYSQL_TEMPLATE
-  },
-  {
-    name: "aws-iam",
-    title: "AWS IAM",
-    image: "aws-iam.svg",
-    description: "Rotate AWS IAM User credentials",
-    template: AWS_IAM_TEMPLATE
   }
 ];

backend/src/ee/services/secret-rotation/templates/types.ts

@@ -1,7 +1,6 @@
 export enum TProviderFunctionTypes {
   HTTP = "http",
-  DB = "database",
-  AWS = "aws"
+  DB = "database"
 }
 
 export enum TDbProviderClients {
@@ -11,10 +10,6 @@ export enum TDbProviderClients {
   MySql = "mysql"
 }
 
-export enum TAwsProviderSystems {
-  IAM = "iam"
-}
-
 export enum TAssignOp {
   Direct = "direct",
   JmesPath = "jmesopath"
@@ -47,7 +42,7 @@ export type TSecretRotationProviderTemplate = {
   title: string;
   image?: string;
   description?: string;
-  template: THttpProviderTemplate | TDbProviderTemplate | TAwsProviderTemplate;
+  template: THttpProviderTemplate | TDbProviderTemplate;
 };
 
 export type THttpProviderTemplate = {
@@ -75,14 +70,3 @@ export type TDbProviderTemplate = {
   };
   outputs: Record<string, unknown>;
 };
-
-export type TAwsProviderTemplate = {
-  type: TProviderFunctionTypes.AWS;
-  client: TAwsProviderSystems;
-  inputs: {
-    type: "object";
-    properties: Record<string, { type: string; [x: string]: unknown; desc?: string }>;
-    required?: string[];
-  };
-  outputs: Record<string, unknown>;
-};

backend/src/ee/services/secret-scanning/secret-scanning-queue/secret-scanning-queue.ts

@@ -64,7 +64,7 @@ export const secretScanningQueueFactory = ({
       orgId: organizationId,
       role: OrgMembershipRole.Admin
     });
-    return adminsOfWork.filter((userObject) => userObject.email).map((userObject) => userObject.email as string);
+    return adminsOfWork.map((userObject) => userObject.email);
   };
 
   queueService.start(QueueName.SecretPushEventScan, async (job) => {
@@ -149,7 +149,7 @@ export const secretScanningQueueFactory = ({
       await smtpService.sendMail({
         template: SmtpTemplates.SecretLeakIncident,
         subjectLine: `Incident alert: leaked secrets found in Github repository ${repository.fullName}`,
-        recipients: adminEmails.filter((email) => email).map((email) => email),
+        recipients: adminEmails,
         substitutions: {
           numberOfSecrets: Object.keys(allFindingsByFingerprint).length,
           pusher_email: pusher.email,
@@ -221,7 +221,7 @@ export const secretScanningQueueFactory = ({
       await smtpService.sendMail({
         template: SmtpTemplates.SecretLeakIncident,
         subjectLine: `Incident alert: leaked secrets found in Github repository ${repository.fullName}`,
-        recipients: adminEmails.filter((email) => email).map((email) => email),
+        recipients: adminEmails,
         substitutions: {
           numberOfSecrets: findings.length
         }

backend/src/lib/api-docs/constants.ts

@@ -1,286 +0,0 @@
-export const IDENTITIES = {
-  CREATE: {
-    name: "The name of the identity to create.",
-    organizationId: "The organization ID to which the identity belongs.",
-    role: "The role of the identity. Possible values are 'no-access', 'member', and 'admin'."
-  },
-  UPDATE: {
-    identityId: "The ID of the identity to update.",
-    name: "The new name of the identity.",
-    role: "The new role of the identity."
-  },
-  DELETE: {
-    identityId: "The ID of the identity to delete."
-  }
-} as const;
-
-export const UNIVERSAL_AUTH = {
-  LOGIN: {
-    clientId: "Your Machine Identity Client ID.",
-    clientSecret: "Your Machine Identity Client Secret."
-  },
-  ATTACH: {
-    identityId: "The ID of the identity to attach the configuration onto.",
-    clientSecretTrustedIps:
-      "A list of IPs or CIDR ranges that the Client Secret can be used from together with the Client ID to get back an access token. You can use 0.0.0.0/0, to allow usage from any network address.",
-    accessTokenTrustedIps:
-      "A list of IPs or CIDR ranges that access tokens can be used from. You can use 0.0.0.0/0, to allow usage from any network address.",
-    accessTokenTTL: "The lifetime for an access token in seconds. This value will be referenced at renewal time.",
-    accessTokenMaxTTL:
-      "The maximum lifetime for an access token in seconds. This value will be referenced at renewal time.",
-    accessTokenNumUsesLimit:
-      "The maximum number of times that an access token can be used; a value of 0 implies infinite number of uses."
-  },
-  RETRIEVE: {
-    identityId: "The ID of the identity to retrieve."
-  },
-  UPDATE: {
-    identityId: "The ID of the identity to update.",
-    clientSecretTrustedIps: "The new list of IPs or CIDR ranges that the Client Secret can be used from.",
-    accessTokenTrustedIps: "The new list of IPs or CIDR ranges that access tokens can be used from.",
-    accessTokenTTL: "The new lifetime for an access token in seconds.",
-    accessTokenMaxTTL: "The new maximum lifetime for an access token in seconds.",
-    accessTokenNumUsesLimit: "The new maximum number of times that an access token can be used."
-  },
-  CREATE_CLIENT_SECRET: {
-    identityId: "The ID of the identity to create a client secret for.",
-    description: "The description of the client secret.",
-    numUsesLimit:
-      "The maximum number of times that the client secret can be used; a value of 0 implies infinite number of uses.",
-    ttl: "The lifetime for the client secret in seconds."
-  },
-  LIST_CLIENT_SECRETS: {
-    identityId: "The ID of the identity to list client secrets for."
-  },
-  REVOKE_CLIENT_SECRET: {
-    identityId: "The ID of the identity to revoke the client secret from.",
-    clientSecretId: "The ID of the client secret to revoke."
-  },
-  RENEW_ACCESS_TOKEN: {
-    accessToken: "The access token to renew."
-  }
-} as const;
-
-export const ORGANIZATIONS = {
-  LIST_USER_MEMBERSHIPS: {
-    organizationId: "The ID of the organization to get memberships from."
-  },
-  UPDATE_USER_MEMBERSHIP: {
-    organizationId: "The ID of the organization to update the membership for.",
-    membershipId: "The ID of the membership to update.",
-    role: "The new role of the membership."
-  },
-  DELETE_USER_MEMBERSHIP: {
-    organizationId: "The ID of the organization to delete the membership from.",
-    membershipId: "The ID of the membership to delete."
-  },
-  LIST_IDENTITY_MEMBERSHIPS: {
-    orgId: "The ID of the organization to get identity memberships from."
-  },
-  GET_PROJECTS: {
-    organizationId: "The ID of the organization to get projects from."
-  }
-} as const;
-
-export const PROJECTS = {
-  CREATE: {
-    organizationId: "The ID of the organization to create the project in.",
-    projectName: "The name of the project to create.",
-    slug: "An optional slug for the project."
-  },
-  DELETE: {
-    workspaceId: "The ID of the project to delete."
-  },
-  GET: {
-    workspaceId: "The ID of the project."
-  },
-  UPDATE: {
-    workspaceId: "The ID of the project to update.",
-    name: "The new name of the project.",
-    autoCapitalization: "Disable or enable auto-capitalization for the project."
-  },
-  INVITE_MEMBER: {
-    projectId: "The ID of the project to invite the member to.",
-    emails: "A list of organization member emails to invite to the project.",
-    usernames: "A list of usernames to invite to the project."
-  },
-  REMOVE_MEMBER: {
-    projectId: "The ID of the project to remove the member from.",
-    emails: "A list of organization member emails to remove from the project.",
-    usernames: "A list of usernames to remove from the project."
-  },
-  GET_USER_MEMBERSHIPS: {
-    workspaceId: "The ID of the project to get memberships from."
-  },
-  UPDATE_USER_MEMBERSHIP: {
-    workspaceId: "The ID of the project to update the membership for.",
-    membershipId: "The ID of the membership to update.",
-    roles: "A list of roles to update the membership to."
-  },
-  LIST_IDENTITY_MEMBERSHIPS: {
-    projectId: "The ID of the project to get identity memberships from."
-  },
-  UPDATE_IDENTITY_MEMBERSHIP: {
-    projectId: "The ID of the project to update the identity membership for.",
-    identityId: "The ID of the identity to update the membership for.",
-    roles: "A list of roles to update the membership to."
-  },
-  DELETE_IDENTITY_MEMBERSHIP: {
-    projectId: "The ID of the project to delete the identity membership from.",
-    identityId: "The ID of the identity to delete the membership from."
-  },
-  GET_KEY: {
-    workspaceId: "The ID of the project to get the key from."
-  },
-  GET_SNAPSHOTS: {
-    workspaceId: "The ID of the project to get snapshots from.",
-    environment: "The environment to get snapshots from.",
-    path: "The secret path to get snapshots from.",
-    offset: "The offset to start from. If you enter 10, it will start from the 10th snapshot.",
-    limit: "The number of snapshots to return."
-  },
-  ROLLBACK_TO_SNAPSHOT: {
-    secretSnapshotId: "The ID of the snapshot to rollback to."
-  }
-} as const;
-
-export const ENVIRONMENTS = {
-  CREATE: {
-    workspaceId: "The ID of the project to create the environment in.",
-    name: "The name of the environment to create.",
-    slug: "The slug of the environment to create."
-  },
-  UPDATE: {
-    workspaceId: "The ID of the project to update the environment in.",
-    id: "The ID of the environment to update.",
-    name: "The new name of the environment.",
-    slug: "The new slug of the environment.",
-    position: "The new position of the environment. The lowest number will be displayed as the first environment."
-  },
-  DELETE: {
-    workspaceId: "The ID of the project to delete the environment from.",
-    id: "The ID of the environment to delete."
-  }
-} as const;
-
-export const FOLDERS = {
-  LIST: {
-    workspaceId: "The ID of the project to list folders from.",
-    environment: "The slug of the environment to list folders from.",
-    path: "The path to list folders from.",
-    directory: "The directory to list folders from. (Deprecated in favor of path)"
-  },
-  CREATE: {
-    workspaceId: "The ID of the project to create the folder in.",
-    environment: "The slug of the environment to create the folder in.",
-    name: "The name of the folder to create.",
-    path: "The path of the folder to create.",
-    directory: "The directory of the folder to create. (Deprecated in favor of path)"
-  },
-  UPDATE: {
-    folderId: "The ID of the folder to update.",
-    environment: "The slug of the environment where the folder is located.",
-    name: "The new name of the folder.",
-    path: "The path of the folder to update.",
-    directory: "The new directory of the folder to update. (Deprecated in favor of path)",
-    workspaceId: "The ID of the project where the folder is located."
-  },
-  DELETE: {
-    folderIdOrName: "The ID or name of the folder to delete.",
-    workspaceId: "The ID of the project to delete the folder from.",
-    environment: "The slug of the environment where the folder is located.",
-    directory: "The directory of the folder to delete. (Deprecated in favor of path)",
-    path: "The path of the folder to delete."
-  }
-} as const;
-
-export const RAW_SECRETS = {
-  LIST: {
-    workspaceId: "The ID of the project to list secrets from.",
-    environment: "The slug of the environment to list secrets from.",
-    secretPath: "The secret path to list secrets from.",
-    includeImports: "Weather to include imported secrets or not."
-  },
-  CREATE: {
-    secretName: "The name of the secret to create.",
-    environment: "The slug of the environment to create the secret in.",
-    secretComment: "Attach a comment to the secret.",
-    secretPath: "The path to create the secret in.",
-    secretValue: "The value of the secret to create.",
-    skipMultilineEncoding: "Skip multiline encoding for the secret value.",
-    type: "The type of the secret to create.",
-    workspaceId: "The ID of the project to create the secret in."
-  },
-  GET: {
-    secretName: "The name of the secret to get.",
-    workspaceId: "The ID of the project to get the secret from.",
-    environment: "The slug of the environment to get the secret from.",
-    secretPath: "The path of the secret to get.",
-    version: "The version of the secret to get.",
-    type: "The type of the secret to get.",
-    includeImports: "Weather to include imported secrets or not."
-  },
-  UPDATE: {
-    secretName: "The name of the secret to update.",
-    environment: "The slug of the environment where the secret is located.",
-    secretPath: "The path of the secret to update",
-    secretValue: "The new value of the secret.",
-    skipMultilineEncoding: "Skip multiline encoding for the secret value.",
-    type: "The type of the secret to update.",
-    workspaceId: "The ID of the project to update the secret in."
-  },
-  DELETE: {
-    secretName: "The name of the secret to delete.",
-    environment: "The slug of the environment where the secret is located.",
-    secretPath: "The path of the secret.",
-    type: "The type of the secret to delete.",
-    workspaceId: "The ID of the project where the secret is located."
-  }
-} as const;
-
-export const SECRET_IMPORTS = {
-  LIST: {
-    workspaceId: "The ID of the project to list secret imports from.",
-    environment: "The slug of the environment to list secret imports from.",
-    path: "The path to list secret imports from."
-  },
-  CREATE: {
-    environment: "The slug of the environment to import into.",
-    path: "The path to import into.",
-    workspaceId: "The ID of the project you are working in.",
-    import: {
-      environment: "The slug of the environment to import from.",
-      path: "The path to import from."
-    }
-  },
-  UPDATE: {
-    secretImportId: "The ID of the secret import to update.",
-    environment: "The slug of the environment where the secret import is located.",
-    import: {
-      environment: "The new environment slug to import from.",
-      path: "The new path to import from.",
-      position: "The new position of the secret import. The lowest number will be displayed as the first import."
-    },
-    path: "The path of the secret import to update.",
-    workspaceId: "The ID of the project where the secret import is located."
-  },
-  DELETE: {
-    workspaceId: "The ID of the project to delete the secret import from.",
-    secretImportId: "The ID of the secret import to delete.",
-    environment: "The slug of the environment where the secret import is located.",
-    path: "The path of the secret import to delete."
-  }
-} as const;
-
-export const AUDIT_LOGS = {
-  EXPORT: {
-    workspaceId: "The ID of the project to export audit logs from.",
-    eventType: "The type of the event to export.",
-    userAgentType: "Choose which consuming application to export audit logs for.",
-    startDate: "The date to start the export from.",
-    endDate: "The date to end the export at.",
-    offset: "The offset to start from. If you enter 10, it will start from the 10th audit log.",
-    limit: "The number of audit logs to return.",
-    actor: "The actor to filter the audit logs by."
-  }
-} as const;

backend/src/lib/api-docs/index.ts

@@ -1 +0,0 @@
-export * from "./constants";

backend/src/lib/config/env.ts

@@ -15,16 +15,8 @@ const envSchema = z
     PORT: z.coerce.number().default(4000),
     REDIS_URL: zpStr(z.string()),
     HOST: zpStr(z.string().default("localhost")),
-    DB_CONNECTION_URI: zpStr(z.string().describe("Postgres database connection string")).default(
-      `postgresql://${process.env.DB_USER}:${process.env.DB_PASSWORD}@${process.env.DB_HOST}:${process.env.DB_PORT}/${process.env.DB_NAME}`
-    ),
+    DB_CONNECTION_URI: zpStr(z.string().describe("Postgres database connection string")),
     DB_ROOT_CERT: zpStr(z.string().describe("Postgres database base64-encoded CA cert").optional()),
-    DB_HOST: zpStr(z.string().describe("Postgres database host").optional()),
-    DB_PORT: zpStr(z.string().describe("Postgres database port").optional()).default("5432"),
-    DB_USER: zpStr(z.string().describe("Postgres database username").optional()),
-    DB_PASSWORD: zpStr(z.string().describe("Postgres database password").optional()),
-    DB_NAME: zpStr(z.string().describe("Postgres database name").optional()),
-
     NODE_ENV: z.enum(["development", "test", "production"]).default("production"),
     SALT_ROUNDS: z.coerce.number().default(10),
     INITIAL_ORGANIZATION_NAME: zpStr(z.string().optional()),
@@ -106,7 +98,6 @@ const envSchema = z
     LICENSE_SERVER_URL: zpStr(z.string().optional().default("https://portal.infisical.com")),
     LICENSE_SERVER_KEY: zpStr(z.string().optional()),
     LICENSE_KEY: zpStr(z.string().optional()),
-    LICENSE_KEY_OFFLINE: zpStr(z.string().optional()),
 
     // GENERIC
     STANDALONE_MODE: z

backend/src/lib/crypto/index.ts

@@ -17,5 +17,4 @@ export {
   decryptSecrets,
   decryptSecretVersions
 } from "./secret-encryption";
-export { verifyOfflineLicense } from "./signing";
 export { generateSrpServerKey, srpCheckClientProof } from "./srp";

backend/src/lib/crypto/license_public_key.pem

@@ -1,8 +0,0 @@
------BEGIN RSA PUBLIC KEY-----
-MIIBCgKCAQEApchBY3BXTu4zWGBguB7nM/pjpVLY3V7VGZOAxmR5ueQTJOwiGM13
-5HN3EM9fDlQnZu9VSc0OFqRM/bUeUaI1oLPE6WzTHjdHyKjDI/S+TLx3VGEsvhM1
-uukZpYX+3KX2w4wzRHBaBWyglFy0CVNth9UJhhpD+KKfv7dzcRmsbyoUWi9wGfJu
-wLYCwaCwZRXIt1sLGmMncPz14vfwdnm2a5Tj1Jbt0GTyBl+1/ZqLbO6SsslLg2G+
-o7FfGS9z8OUTkvDdu16qxL+p2wCEFZMnOz5BB4oakuT2gS9iOO2l5AOPcT4WzPzy
-PYbX3d7cN9BkOY9I5z0cX4wzqHjQTvGNLQIDAQAB
------END RSA PUBLIC KEY-----

backend/src/lib/crypto/signing.ts

@@ -1,22 +0,0 @@
-import crypto, { KeyObject } from "crypto";
-import fs from "fs/promises";
-import path from "path";
-
-export const verifySignature = (data: string, signature: Buffer, publicKey: KeyObject) => {
-  const verify = crypto.createVerify("SHA256");
-  verify.update(data);
-  verify.end();
-  return verify.verify(publicKey, signature);
-};
-
-export const verifyOfflineLicense = async (licenseContents: string, signature: string) => {
-  const publicKeyPem = await fs.readFile(path.join(__dirname, "license_public_key.pem"), "utf8");
-
-  const publicKey = crypto.createPublicKey({
-    key: publicKeyPem,
-    format: "pem",
-    type: "pkcs1"
-  });
-
-  return verifySignature(licenseContents, Buffer.from(signature, "base64"), publicKey);
-};

backend/src/server/lib/telemetry.ts

@@ -5,7 +5,7 @@ import { ActorType } from "@app/services/auth/auth-type";
 // this is a unique id for sending posthog event
 export const getTelemetryDistinctId = (req: FastifyRequest) => {
   if (req.auth.actor === ActorType.USER) {
-    return req.auth.user.username;
+    return req.auth.user.email;
   }
   if (req.auth.actor === ActorType.IDENTITY) {
     return `identity-${req.auth.identityId}`;

backend/src/server/plugins/audit-log.ts

@@ -44,7 +44,6 @@ export const injectAuditLogInfo = fp(async (server: FastifyZodProvider) => {
         type: ActorType.USER,
         metadata: {
           email: req.auth.user.email,
-          username: req.auth.user.username,
           userId: req.permission.id
         }
       };

backend/src/server/routes/index.ts

@@ -5,8 +5,6 @@ import { registerV1EERoutes } from "@app/ee/routes/v1";
 import { auditLogDALFactory } from "@app/ee/services/audit-log/audit-log-dal";
 import { auditLogQueueServiceFactory } from "@app/ee/services/audit-log/audit-log-queue";
 import { auditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-service";
-import { ldapConfigDALFactory } from "@app/ee/services/ldap-config/ldap-config-dal";
-import { ldapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-config-service";
 import { licenseDALFactory } from "@app/ee/services/license/license-dal";
 import { licenseServiceFactory } from "@app/ee/services/license/license-service";
 import { permissionDALFactory } from "@app/ee/services/permission/permission-dal";
@@ -53,7 +51,6 @@ import { identityServiceFactory } from "@app/services/identity/identity-service"
 import { identityAccessTokenDALFactory } from "@app/services/identity-access-token/identity-access-token-dal";
 import { identityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
 import { identityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
-import { identityProjectMembershipRoleDALFactory } from "@app/services/identity-project/identity-project-membership-role-dal";
 import { identityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
 import { identityUaClientSecretDALFactory } from "@app/services/identity-ua/identity-ua-client-secret-dal";
 import { identityUaDALFactory } from "@app/services/identity-ua/identity-ua-dal";
@@ -79,7 +76,6 @@ import { projectKeyDALFactory } from "@app/services/project-key/project-key-dal"
 import { projectKeyServiceFactory } from "@app/services/project-key/project-key-service";
 import { projectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
 import { projectMembershipServiceFactory } from "@app/services/project-membership/project-membership-service";
-import { projectUserMembershipRoleDALFactory } from "@app/services/project-membership/project-user-membership-role-dal";
 import { projectRoleDALFactory } from "@app/services/project-role/project-role-dal";
 import { projectRoleServiceFactory } from "@app/services/project-role/project-role-service";
 import { secretDALFactory } from "@app/services/secret/secret-dal";
@@ -106,7 +102,6 @@ import { telemetryQueueServiceFactory } from "@app/services/telemetry/telemetry-
 import { telemetryServiceFactory } from "@app/services/telemetry/telemetry-service";
 import { userDALFactory } from "@app/services/user/user-dal";
 import { userServiceFactory } from "@app/services/user/user-service";
-import { userAliasDALFactory } from "@app/services/user-alias/user-alias-dal";
 import { webhookDALFactory } from "@app/services/webhook/webhook-dal";
 import { webhookServiceFactory } from "@app/services/webhook/webhook-service";
 
@@ -131,7 +126,6 @@ export const registerRoutes = async (
 
   // db layers
   const userDAL = userDALFactory(db);
-  const userAliasDAL = userAliasDALFactory(db);
   const authDAL = authDALFactory(db);
   const authTokenDAL = tokenDALFactory(db);
   const orgDAL = orgDALFactory(db);
@@ -143,7 +137,6 @@ export const registerRoutes = async (
 
   const projectDAL = projectDALFactory(db);
   const projectMembershipDAL = projectMembershipDALFactory(db);
-  const projectUserMembershipRoleDAL = projectUserMembershipRoleDALFactory(db);
   const projectRoleDAL = projectRoleDALFactory(db);
   const projectEnvDAL = projectEnvDALFactory(db);
   const projectKeyDAL = projectKeyDALFactory(db);
@@ -167,20 +160,18 @@ export const registerRoutes = async (
   const identityAccessTokenDAL = identityAccessTokenDALFactory(db);
   const identityOrgMembershipDAL = identityOrgDALFactory(db);
   const identityProjectDAL = identityProjectDALFactory(db);
-  const identityProjectMembershipRoleDAL = identityProjectMembershipRoleDALFactory(db);
 
   const identityUaDAL = identityUaDALFactory(db);
   const identityUaClientSecretDAL = identityUaClientSecretDALFactory(db);
 
   const auditLogDAL = auditLogDALFactory(db);
   const trustedIpDAL = trustedIpDALFactory(db);
+  const scimDAL = scimDALFactory(db);
   const telemetryDAL = telemetryDALFactory(db);
 
   // ee db layer ops
   const permissionDAL = permissionDALFactory(db);
   const samlConfigDAL = samlConfigDALFactory(db);
-  const scimDAL = scimDALFactory(db);
-  const ldapConfigDAL = ldapConfigDALFactory(db);
   const sapApproverDAL = secretApprovalPolicyApproverDALFactory(db);
   const secretApprovalPolicyDAL = secretApprovalPolicyDALFactory(db);
   const secretApprovalRequestDAL = secretApprovalRequestDALFactory(db);
@@ -244,16 +235,6 @@ export const registerRoutes = async (
     smtpService
   });
 
-  const ldapService = ldapConfigServiceFactory({
-    ldapConfigDAL,
-    orgDAL,
-    orgBotDAL,
-    userDAL,
-    userAliasDAL,
-    permissionService,
-    licenseService
-  });
-
   const telemetryService = telemetryServiceFactory({
     keyStore,
     licenseService
@@ -325,7 +306,6 @@ export const registerRoutes = async (
 
   const projectMembershipService = projectMembershipServiceFactory({
     projectMembershipDAL,
-    projectUserMembershipRoleDAL,
     projectDAL,
     permissionService,
     projectBotDAL,
@@ -357,8 +337,7 @@ export const registerRoutes = async (
     projectBotDAL,
     projectMembershipDAL,
     secretApprovalRequestDAL,
-    secretApprovalSecretDAL: sarSecretDAL,
-    projectUserMembershipRoleDAL
+    secretApprovalSecretDAL: sarSecretDAL
   });
 
   const projectService = projectServiceFactory({
@@ -375,11 +354,8 @@ export const registerRoutes = async (
     orgService,
     projectMembershipDAL,
     folderDAL,
-    licenseService,
-    projectUserMembershipRoleDAL,
-    identityProjectMembershipRoleDAL
+    licenseService
   });
-
   const projectEnvService = projectEnvServiceFactory({
     permissionService,
     projectEnvDAL,
@@ -530,9 +506,7 @@ export const registerRoutes = async (
     permissionService,
     projectDAL,
     identityProjectDAL,
-    identityOrgMembershipDAL,
-    identityProjectMembershipRoleDAL,
-    projectRoleDAL
+    identityOrgMembershipDAL
   });
   const identityUaService = identityUaServiceFactory({
     identityOrgMembershipDAL,
@@ -587,7 +561,6 @@ export const registerRoutes = async (
     secretRotation: secretRotationService,
     snapshot: snapshotService,
     saml: samlService,
-    ldap: ldapService,
     auditLog: auditLogService,
     secretScanning: secretScanningService,
     license: licenseService,

backend/src/server/routes/v1/admin-router.ts

@@ -92,10 +92,9 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
 
       await server.services.telemetry.sendPostHogEvents({
         event: PostHogEventTypes.AdminInit,
-        distinctId: user.user.username ?? "",
+        distinctId: user.user.email,
         properties: {
-          username: user.user.username,
-          email: user.user.email ?? "",
+          email: user.user.email,
           lastName: user.user.lastName || "",
           firstName: user.user.firstName || ""
         }

backend/src/server/routes/v1/identity-access-token-router.ts

@@ -1,7 +1,5 @@
 import { z } from "zod";
 
-import { UNIVERSAL_AUTH } from "@app/lib/api-docs";
-
 export const registerIdentityAccessTokenRouter = async (server: FastifyZodProvider) => {
   server.route({
     url: "/token/renew",
@@ -9,7 +7,7 @@ export const registerIdentityAccessTokenRouter = async (server: FastifyZodProvid
     schema: {
       description: "Renew access token",
       body: z.object({
-        accessToken: z.string().trim().describe(UNIVERSAL_AUTH.RENEW_ACCESS_TOKEN.accessToken)
+        accessToken: z.string().trim()
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/identity-router.ts

@@ -2,7 +2,6 @@ import { z } from "zod";
 
 import { IdentitiesSchema, OrgMembershipRole } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { IDENTITIES } from "@app/lib/api-docs";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -21,9 +20,9 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
         }
       ],
       body: z.object({
-        name: z.string().trim().describe(IDENTITIES.CREATE.name),
-        organizationId: z.string().trim().describe(IDENTITIES.CREATE.organizationId),
-        role: z.string().trim().min(1).default(OrgMembershipRole.NoAccess).describe(IDENTITIES.CREATE.role)
+        name: z.string().trim(),
+        organizationId: z.string().trim(),
+        role: z.string().trim().min(1).default(OrgMembershipRole.NoAccess)
       }),
       response: {
         200: z.object({
@@ -79,11 +78,11 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        identityId: z.string().describe(IDENTITIES.UPDATE.identityId)
+        identityId: z.string()
       }),
       body: z.object({
-        name: z.string().trim().optional().describe(IDENTITIES.UPDATE.name),
-        role: z.string().trim().min(1).optional().describe(IDENTITIES.UPDATE.role)
+        name: z.string().trim().optional(),
+        role: z.string().trim().min(1).optional()
       }),
       response: {
         200: z.object({
@@ -128,7 +127,7 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        identityId: z.string().describe(IDENTITIES.DELETE.identityId)
+        identityId: z.string()
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/identity-ua.ts

@@ -2,7 +2,6 @@ import { z } from "zod";
 
 import { IdentityUaClientSecretsSchema, IdentityUniversalAuthsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { UNIVERSAL_AUTH } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
@@ -27,8 +26,8 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
     schema: {
       description: "Login with Universal Auth",
       body: z.object({
-        clientId: z.string().trim().describe(UNIVERSAL_AUTH.LOGIN.clientId),
-        clientSecret: z.string().trim().describe(UNIVERSAL_AUTH.LOGIN.clientSecret)
+        clientId: z.string().trim(),
+        clientSecret: z.string().trim()
       }),
       response: {
         200: z.object({
@@ -77,7 +76,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        identityId: z.string().trim().describe(UNIVERSAL_AUTH.ATTACH.identityId)
+        identityId: z.string().trim()
       }),
       body: z.object({
         clientSecretTrustedIps: z
@@ -86,16 +85,14 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
           })
           .array()
           .min(1)
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
-          .describe(UNIVERSAL_AUTH.ATTACH.clientSecretTrustedIps),
+          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]),
         accessTokenTrustedIps: z
           .object({
             ipAddress: z.string().trim()
           })
           .array()
           .min(1)
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
-          .describe(UNIVERSAL_AUTH.ATTACH.accessTokenTrustedIps),
+          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]),
         accessTokenTTL: z
           .number()
           .int()
@@ -103,22 +100,15 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
           .refine((value) => value !== 0, {
             message: "accessTokenTTL must have a non zero number"
           })
-          .default(2592000)
-          .describe(UNIVERSAL_AUTH.ATTACH.accessTokenTTL), // 30 days
+          .default(2592000),
         accessTokenMaxTTL: z
           .number()
           .int()
           .refine((value) => value !== 0, {
             message: "accessTokenMaxTTL must have a non zero number"
           })
-          .default(2592000)
-          .describe(UNIVERSAL_AUTH.ATTACH.accessTokenMaxTTL), // 30 days
-        accessTokenNumUsesLimit: z
-          .number()
-          .int()
-          .min(0)
-          .default(0)
-          .describe(UNIVERSAL_AUTH.ATTACH.accessTokenNumUsesLimit)
+          .default(2592000), // 30 days
+        accessTokenNumUsesLimit: z.number().int().min(0).default(0)
       }),
       response: {
         200: z.object({
@@ -166,7 +156,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        identityId: z.string().describe(UNIVERSAL_AUTH.UPDATE.identityId)
+        identityId: z.string()
       }),
       body: z.object({
         clientSecretTrustedIps: z
@@ -175,23 +165,16 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
           })
           .array()
           .min(1)
-          .optional()
-          .describe(UNIVERSAL_AUTH.UPDATE.clientSecretTrustedIps),
+          .optional(),
         accessTokenTrustedIps: z
           .object({
             ipAddress: z.string().trim()
           })
           .array()
           .min(1)
-          .optional()
-          .describe(UNIVERSAL_AUTH.UPDATE.accessTokenTrustedIps),
-        accessTokenTTL: z.number().int().min(0).optional().describe(UNIVERSAL_AUTH.UPDATE.accessTokenTTL),
-        accessTokenNumUsesLimit: z
-          .number()
-          .int()
-          .min(0)
-          .optional()
-          .describe(UNIVERSAL_AUTH.UPDATE.accessTokenNumUsesLimit),
+          .optional(),
+        accessTokenTTL: z.number().int().min(0).optional(),
+        accessTokenNumUsesLimit: z.number().int().min(0).optional(),
         accessTokenMaxTTL: z
           .number()
           .int()
@@ -199,7 +182,6 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
             message: "accessTokenMaxTTL must have a non zero number"
           })
           .optional()
-          .describe(UNIVERSAL_AUTH.UPDATE.accessTokenMaxTTL)
       }),
       response: {
         200: z.object({
@@ -248,7 +230,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        identityId: z.string().describe(UNIVERSAL_AUTH.RETRIEVE.identityId)
+        identityId: z.string()
       }),
       response: {
         200: z.object({
@@ -291,12 +273,12 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        identityId: z.string().describe(UNIVERSAL_AUTH.CREATE_CLIENT_SECRET.identityId)
+        identityId: z.string()
       }),
       body: z.object({
-        description: z.string().trim().default("").describe(UNIVERSAL_AUTH.CREATE_CLIENT_SECRET.description),
-        numUsesLimit: z.number().min(0).default(0).describe(UNIVERSAL_AUTH.CREATE_CLIENT_SECRET.numUsesLimit),
-        ttl: z.number().min(0).default(0).describe(UNIVERSAL_AUTH.CREATE_CLIENT_SECRET.ttl)
+        description: z.string().trim().default(""),
+        numUsesLimit: z.number().min(0).default(0),
+        ttl: z.number().min(0).default(0)
       }),
       response: {
         200: z.object({
@@ -342,7 +324,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        identityId: z.string().describe(UNIVERSAL_AUTH.LIST_CLIENT_SECRETS.identityId)
+        identityId: z.string()
       }),
       response: {
         200: z.object({
@@ -384,8 +366,8 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        identityId: z.string().describe(UNIVERSAL_AUTH.REVOKE_CLIENT_SECRET.identityId),
-        clientSecretId: z.string().describe(UNIVERSAL_AUTH.REVOKE_CLIENT_SECRET.clientSecretId)
+        identityId: z.string(),
+        clientSecretId: z.string()
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/organization-router.ts

@@ -58,7 +58,6 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
           users: OrgMembershipsSchema.merge(
             z.object({
               user: UsersSchema.pick({
-                username: true,
                 email: true,
                 firstName: true,
                 lastName: true,

backend/src/server/routes/v1/project-env-router.ts

@@ -2,7 +2,6 @@ import { z } from "zod";
 
 import { ProjectEnvironmentsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { ENVIRONMENTS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 
@@ -19,11 +18,11 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        workspaceId: z.string().trim().describe(ENVIRONMENTS.CREATE.workspaceId)
+        workspaceId: z.string().trim()
       }),
       body: z.object({
-        name: z.string().trim().describe(ENVIRONMENTS.CREATE.name),
-        slug: z.string().trim().describe(ENVIRONMENTS.CREATE.slug)
+        name: z.string().trim(),
+        slug: z.string().trim()
       }),
       response: {
         200: z.object({
@@ -74,13 +73,13 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        workspaceId: z.string().trim().describe(ENVIRONMENTS.UPDATE.workspaceId),
-        id: z.string().trim().describe(ENVIRONMENTS.UPDATE.id)
+        workspaceId: z.string().trim(),
+        id: z.string().trim()
       }),
       body: z.object({
-        slug: z.string().trim().optional().describe(ENVIRONMENTS.UPDATE.slug),
-        name: z.string().trim().optional().describe(ENVIRONMENTS.UPDATE.name),
-        position: z.number().optional().describe(ENVIRONMENTS.UPDATE.position)
+        slug: z.string().trim().optional(),
+        name: z.string().trim().optional(),
+        position: z.number().optional()
       }),
       response: {
         200: z.object({
@@ -137,8 +136,8 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        workspaceId: z.string().trim().describe(ENVIRONMENTS.DELETE.workspaceId),
-        id: z.string().trim().describe(ENVIRONMENTS.DELETE.id)
+        workspaceId: z.string().trim(),
+        id: z.string().trim()
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/project-membership-router.ts

@@ -1,18 +1,15 @@
-import ms from "ms";
 import { z } from "zod";
 
 import {
   OrgMembershipsSchema,
+  ProjectMembershipRole,
   ProjectMembershipsSchema,
-  ProjectUserMembershipRolesSchema,
   UserEncryptionKeysSchema,
   UsersSchema
 } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { PROJECTS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
-import { ProjectUserMembershipTemporaryMode } from "@app/services/project-membership/project-membership-types";
 
 export const registerProjectMembershipRouter = async (server: FastifyZodProvider) => {
   server.route({
@@ -27,35 +24,20 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
         }
       ],
       params: z.object({
-        workspaceId: z.string().trim().describe(PROJECTS.GET_USER_MEMBERSHIPS.workspaceId)
+        workspaceId: z.string().trim()
       }),
       response: {
         200: z.object({
-          memberships: ProjectMembershipsSchema.omit({ role: true })
-            .merge(
-              z.object({
-                user: UsersSchema.pick({
-                  email: true,
-                  firstName: true,
-                  lastName: true,
-                  id: true
-                }).merge(UserEncryptionKeysSchema.pick({ publicKey: true })),
-                roles: z.array(
-                  z.object({
-                    id: z.string(),
-                    role: z.string(),
-                    customRoleId: z.string().optional().nullable(),
-                    customRoleName: z.string().optional().nullable(),
-                    customRoleSlug: z.string().optional().nullable(),
-                    isTemporary: z.boolean(),
-                    temporaryMode: z.string().optional().nullable(),
-                    temporaryRange: z.string().nullable().optional(),
-                    temporaryAccessStartTime: z.date().nullable().optional(),
-                    temporaryAccessEndTime: z.date().nullable().optional()
-                  })
-                )
-              })
-            )
+          memberships: ProjectMembershipsSchema.merge(
+            z.object({
+              user: UsersSchema.pick({
+                email: true,
+                firstName: true,
+                lastName: true,
+                id: true
+              }).merge(UserEncryptionKeysSchema.pick({ publicKey: true }))
+            })
+          )
             .omit({ createdAt: true, updatedAt: true })
             .array()
         })
@@ -104,7 +86,10 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
         actor: req.permission.type,
         actorOrgId: req.permission.orgId,
         projectId: req.params.workspaceId,
-        members: req.body.members
+        members: req.body.members.map((member) => ({
+          ...member,
+          projectRole: ProjectMembershipRole.Member
+        }))
       });
 
       await server.services.auditLog.createAuditLog({
@@ -135,61 +120,43 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
         }
       ],
       params: z.object({
-        workspaceId: z.string().trim().describe(PROJECTS.UPDATE_USER_MEMBERSHIP.workspaceId),
-        membershipId: z.string().trim().describe(PROJECTS.UPDATE_USER_MEMBERSHIP.membershipId)
+        workspaceId: z.string().trim(),
+        membershipId: z.string().trim()
       }),
       body: z.object({
-        roles: z
-          .array(
-            z.union([
-              z.object({
-                role: z.string(),
-                isTemporary: z.literal(false).default(false)
-              }),
-              z.object({
-                role: z.string(),
-                isTemporary: z.literal(true),
-                temporaryMode: z.nativeEnum(ProjectUserMembershipTemporaryMode),
-                temporaryRange: z.string().refine((val) => ms(val) > 0, "Temporary range must be a positive number"),
-                temporaryAccessStartTime: z.string().datetime()
-              })
-            ])
-          )
-          .min(1)
-          .refine((data) => data.some(({ isTemporary }) => !isTemporary), "At least long lived role is required")
-          .describe(PROJECTS.UPDATE_USER_MEMBERSHIP.roles)
+        role: z.string().trim()
       }),
       response: {
         200: z.object({
-          roles: ProjectUserMembershipRolesSchema.array()
+          membership: ProjectMembershipsSchema
         })
       }
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
-      const roles = await server.services.projectMembership.updateProjectMembership({
+      const membership = await server.services.projectMembership.updateProjectMembership({
         actorId: req.permission.id,
         actor: req.permission.type,
         actorOrgId: req.permission.orgId,
         projectId: req.params.workspaceId,
         membershipId: req.params.membershipId,
-        roles: req.body.roles
+        role: req.body.role
       });
 
-      // await server.services.auditLog.createAuditLog({
-      //   ...req.auditLogInfo,
-      //   projectId: req.params.workspaceId,
-      //   event: {
-      //     type: EventType.UPDATE_USER_WORKSPACE_ROLE,
-      //     metadata: {
-      //       userId: membership.userId,
-      //       newRole: req.body.role,
-      //       oldRole: membership.role,
-      //       email: ""
-      //     }
-      //   }
-      // });
-      return { roles };
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: req.params.workspaceId,
+        event: {
+          type: EventType.UPDATE_USER_WORKSPACE_ROLE,
+          metadata: {
+            userId: membership.userId,
+            newRole: req.body.role,
+            oldRole: membership.role,
+            email: ""
+          }
+        }
+      });
+      return { membership };
     }
   });
 

backend/src/server/routes/v1/project-router.ts

@@ -7,7 +7,6 @@ import {
   UserEncryptionKeysSchema,
   UsersSchema
 } from "@app/db/schemas";
-import { PROJECTS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 
@@ -61,32 +60,16 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
       }),
       response: {
         200: z.object({
-          users: ProjectMembershipsSchema.omit({ role: true })
-            .merge(
-              z.object({
-                user: UsersSchema.pick({
-                  username: true,
-                  email: true,
-                  firstName: true,
-                  lastName: true,
-                  id: true
-                }).merge(UserEncryptionKeysSchema.pick({ publicKey: true })),
-                roles: z.array(
-                  z.object({
-                    id: z.string(),
-                    role: z.string(),
-                    customRoleId: z.string().optional().nullable(),
-                    customRoleName: z.string().optional().nullable(),
-                    customRoleSlug: z.string().optional().nullable(),
-                    isTemporary: z.boolean(),
-                    temporaryMode: z.string().optional().nullable(),
-                    temporaryRange: z.string().nullable().optional(),
-                    temporaryAccessStartTime: z.date().nullable().optional(),
-                    temporaryAccessEndTime: z.date().nullable().optional()
-                  })
-                )
-              })
-            )
+          users: ProjectMembershipsSchema.merge(
+            z.object({
+              user: UsersSchema.pick({
+                email: true,
+                firstName: true,
+                lastName: true,
+                id: true
+              }).merge(UserEncryptionKeysSchema.pick({ publicKey: true }))
+            })
+          )
             .omit({ createdAt: true, updatedAt: true })
             .array()
         })
@@ -126,7 +109,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
     method: "GET",
     schema: {
       params: z.object({
-        workspaceId: z.string().trim().describe(PROJECTS.GET.workspaceId)
+        workspaceId: z.string().trim()
       }),
       response: {
         200: z.object({
@@ -178,7 +161,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
     method: "DELETE",
     schema: {
       params: z.object({
-        workspaceId: z.string().trim().describe(PROJECTS.DELETE.workspaceId)
+        workspaceId: z.string().trim()
       }),
       response: {
         200: z.object({
@@ -236,16 +219,11 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
     method: "PATCH",
     schema: {
       params: z.object({
-        workspaceId: z.string().trim().describe(PROJECTS.UPDATE.workspaceId)
+        workspaceId: z.string().trim()
       }),
       body: z.object({
-        name: z
-          .string()
-          .trim()
-          .max(64, { message: "Name must be 64 or fewer characters" })
-          .optional()
-          .describe(PROJECTS.UPDATE.name),
-        autoCapitalization: z.boolean().optional().describe(PROJECTS.UPDATE.autoCapitalization)
+        name: z.string().trim().max(64, { message: "Name must be 64 or fewer characters" }).optional(),
+        autoCapitalization: z.boolean().optional()
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/secret-folder-router.ts

@@ -2,7 +2,6 @@ import { z } from "zod";
 
 import { SecretFoldersSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { FOLDERS } from "@app/lib/api-docs";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -20,12 +19,12 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
         }
       ],
       body: z.object({
-        workspaceId: z.string().trim().describe(FOLDERS.CREATE.workspaceId),
-        environment: z.string().trim().describe(FOLDERS.CREATE.environment),
-        name: z.string().trim().describe(FOLDERS.CREATE.name),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.CREATE.path),
+        workspaceId: z.string().trim(),
+        environment: z.string().trim(),
+        name: z.string().trim(),
+        path: z.string().trim().default("/").transform(removeTrailingSlash),
         // backward compatiability with cli
-        directory: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.CREATE.directory)
+        directory: z.string().trim().default("/").transform(removeTrailingSlash)
       }),
       response: {
         200: z.object({
@@ -74,15 +73,15 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
       ],
       params: z.object({
         // old way this was name
-        folderId: z.string().describe(FOLDERS.UPDATE.folderId)
+        folderId: z.string()
       }),
       body: z.object({
-        workspaceId: z.string().trim().describe(FOLDERS.UPDATE.workspaceId),
-        environment: z.string().trim().describe(FOLDERS.UPDATE.environment),
-        name: z.string().trim().describe(FOLDERS.UPDATE.name),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.UPDATE.path),
+        workspaceId: z.string().trim(),
+        environment: z.string().trim(),
+        name: z.string().trim(),
+        path: z.string().trim().default("/").transform(removeTrailingSlash),
         // backward compatiability with cli
-        directory: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.UPDATE.directory)
+        directory: z.string().trim().default("/").transform(removeTrailingSlash)
       }),
       response: {
         200: z.object({
@@ -120,7 +119,6 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
     }
   });
 
-  // TODO(daniel): Expose this route in api reference and write docs for it.
   server.route({
     url: "/:folderIdOrName",
     method: "DELETE",
@@ -133,14 +131,14 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
         }
       ],
       params: z.object({
-        folderIdOrName: z.string().describe(FOLDERS.DELETE.folderIdOrName)
+        folderIdOrName: z.string()
       }),
       body: z.object({
-        workspaceId: z.string().trim().describe(FOLDERS.DELETE.workspaceId),
-        environment: z.string().trim().describe(FOLDERS.DELETE.environment),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.DELETE.path),
+        workspaceId: z.string().trim(),
+        environment: z.string().trim(),
+        path: z.string().trim().default("/").transform(removeTrailingSlash),
         // keep this here as cli need directory
-        directory: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.DELETE.directory)
+        directory: z.string().trim().default("/").transform(removeTrailingSlash)
       }),
       response: {
         200: z.object({
@@ -189,11 +187,11 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
         }
       ],
       querystring: z.object({
-        workspaceId: z.string().trim().describe(FOLDERS.LIST.workspaceId),
-        environment: z.string().trim().describe(FOLDERS.LIST.environment),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.LIST.path),
+        workspaceId: z.string().trim(),
+        environment: z.string().trim(),
+        path: z.string().trim().default("/").transform(removeTrailingSlash),
         // backward compatiability with cli
-        directory: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.LIST.directory)
+        directory: z.string().trim().default("/").transform(removeTrailingSlash)
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/secret-import-router.ts

@@ -2,7 +2,6 @@ import { z } from "zod";
 
 import { SecretImportsSchema, SecretsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { SECRET_IMPORTS } from "@app/lib/api-docs";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -20,12 +19,12 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
         }
       ],
       body: z.object({
-        workspaceId: z.string().trim().describe(SECRET_IMPORTS.CREATE.workspaceId),
-        environment: z.string().trim().describe(SECRET_IMPORTS.CREATE.environment),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(SECRET_IMPORTS.CREATE.path),
+        workspaceId: z.string().trim(),
+        environment: z.string().trim(),
+        path: z.string().trim().default("/").transform(removeTrailingSlash),
         import: z.object({
-          environment: z.string().trim().describe(SECRET_IMPORTS.CREATE.import.environment),
-          path: z.string().trim().transform(removeTrailingSlash).describe(SECRET_IMPORTS.CREATE.import.path)
+          environment: z.string().trim(),
+          path: z.string().trim().transform(removeTrailingSlash)
         })
       }),
       response: {
@@ -81,21 +80,20 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
         }
       ],
       params: z.object({
-        secretImportId: z.string().trim().describe(SECRET_IMPORTS.UPDATE.secretImportId)
+        secretImportId: z.string().trim()
       }),
       body: z.object({
-        workspaceId: z.string().trim().describe(SECRET_IMPORTS.UPDATE.workspaceId),
-        environment: z.string().trim().describe(SECRET_IMPORTS.UPDATE.environment),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(SECRET_IMPORTS.UPDATE.path),
+        workspaceId: z.string().trim(),
+        environment: z.string().trim(),
+        path: z.string().trim().default("/").transform(removeTrailingSlash),
         import: z.object({
-          environment: z.string().trim().optional().describe(SECRET_IMPORTS.UPDATE.import.environment),
+          environment: z.string().trim().optional(),
           path: z
             .string()
             .trim()
             .optional()
-            .transform((val) => (val ? removeTrailingSlash(val) : val))
-            .describe(SECRET_IMPORTS.UPDATE.import.path),
-          position: z.number().optional().describe(SECRET_IMPORTS.UPDATE.import.position)
+            .transform((val) => (val ? removeTrailingSlash(val) : val)),
+          position: z.number().optional()
         })
       }),
       response: {
@@ -152,12 +150,12 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
         }
       ],
       params: z.object({
-        secretImportId: z.string().trim().describe(SECRET_IMPORTS.DELETE.secretImportId)
+        secretImportId: z.string().trim()
       }),
       body: z.object({
-        workspaceId: z.string().trim().describe(SECRET_IMPORTS.DELETE.workspaceId),
-        environment: z.string().trim().describe(SECRET_IMPORTS.DELETE.environment),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(SECRET_IMPORTS.DELETE.path)
+        workspaceId: z.string().trim(),
+        environment: z.string().trim(),
+        path: z.string().trim().default("/").transform(removeTrailingSlash)
       }),
       response: {
         200: z.object({
@@ -212,9 +210,9 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
         }
       ],
       querystring: z.object({
-        workspaceId: z.string().trim().describe(SECRET_IMPORTS.LIST.workspaceId),
-        environment: z.string().trim().describe(SECRET_IMPORTS.LIST.environment),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(SECRET_IMPORTS.LIST.path)
+        workspaceId: z.string().trim(),
+        environment: z.string().trim(),
+        path: z.string().trim().default("/").transform(removeTrailingSlash)
       }),
       response: {
         200: z.object({

backend/src/server/routes/v2/identity-org-router.ts

@@ -1,7 +1,6 @@
 import { z } from "zod";
 
 import { IdentitiesSchema, IdentityOrgMembershipsSchema, OrgRolesSchema } from "@app/db/schemas";
-import { ORGANIZATIONS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 
@@ -19,7 +18,7 @@ export const registerIdentityOrgRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        orgId: z.string().trim().describe(ORGANIZATIONS.LIST_IDENTITY_MEMBERSHIPS.orgId)
+        orgId: z.string().trim()
       }),
       response: {
         200: z.object({

backend/src/server/routes/v2/identity-project-router.ts

@@ -1,16 +1,13 @@
-import ms from "ms";
 import { z } from "zod";
 
 import {
   IdentitiesSchema,
   IdentityProjectMembershipsSchema,
   ProjectMembershipRole,
-  ProjectUserMembershipRolesSchema
+  ProjectRolesSchema
 } from "@app/db/schemas";
-import { PROJECTS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
-import { ProjectUserMembershipTemporaryMode } from "@app/services/project-membership/project-membership-types";
 
 export const registerIdentityProjectRouter = async (server: FastifyZodProvider) => {
   server.route({
@@ -56,45 +53,28 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
         }
       ],
       params: z.object({
-        projectId: z.string().trim().describe(PROJECTS.UPDATE_IDENTITY_MEMBERSHIP.projectId),
-        identityId: z.string().trim().describe(PROJECTS.UPDATE_IDENTITY_MEMBERSHIP.identityId)
+        projectId: z.string().trim(),
+        identityId: z.string().trim()
       }),
       body: z.object({
-        roles: z
-          .array(
-            z.union([
-              z.object({
-                role: z.string(),
-                isTemporary: z.literal(false).default(false)
-              }),
-              z.object({
-                role: z.string(),
-                isTemporary: z.literal(true),
-                temporaryMode: z.nativeEnum(ProjectUserMembershipTemporaryMode),
-                temporaryRange: z.string().refine((val) => ms(val) > 0, "Temporary range must be a positive number"),
-                temporaryAccessStartTime: z.string().datetime()
-              })
-            ])
-          )
-          .min(1)
-          .describe(PROJECTS.UPDATE_IDENTITY_MEMBERSHIP.roles)
+        role: z.string().trim().min(1).default(ProjectMembershipRole.NoAccess)
       }),
       response: {
         200: z.object({
-          roles: ProjectUserMembershipRolesSchema.array()
+          identityMembership: IdentityProjectMembershipsSchema
         })
       }
     },
     handler: async (req) => {
-      const roles = await server.services.identityProject.updateProjectIdentity({
+      const identityMembership = await server.services.identityProject.updateProjectIdentity({
         actor: req.permission.type,
         actorId: req.permission.id,
         actorOrgId: req.permission.orgId,
         identityId: req.params.identityId,
         projectId: req.params.projectId,
-        roles: req.body.roles
+        role: req.body.role
       });
-      return { roles };
+      return { identityMembership };
     }
   });
 
@@ -110,8 +90,8 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
         }
       ],
       params: z.object({
-        projectId: z.string().trim().describe(PROJECTS.DELETE_IDENTITY_MEMBERSHIP.projectId),
-        identityId: z.string().trim().describe(PROJECTS.DELETE_IDENTITY_MEMBERSHIP.identityId)
+        projectId: z.string().trim(),
+        identityId: z.string().trim()
       }),
       response: {
         200: z.object({
@@ -143,33 +123,22 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
         }
       ],
       params: z.object({
-        projectId: z.string().trim().describe(PROJECTS.LIST_IDENTITY_MEMBERSHIPS.projectId)
+        projectId: z.string().trim()
       }),
       response: {
         200: z.object({
-          identityMemberships: z
-            .object({
-              id: z.string(),
-              identityId: z.string(),
-              createdAt: z.date(),
-              updatedAt: z.date(),
-              roles: z.array(
-                z.object({
-                  id: z.string(),
-                  role: z.string(),
-                  customRoleId: z.string().optional().nullable(),
-                  customRoleName: z.string().optional().nullable(),
-                  customRoleSlug: z.string().optional().nullable(),
-                  isTemporary: z.boolean(),
-                  temporaryMode: z.string().optional().nullable(),
-                  temporaryRange: z.string().nullable().optional(),
-                  temporaryAccessStartTime: z.date().nullable().optional(),
-                  temporaryAccessEndTime: z.date().nullable().optional()
-                })
-              ),
+          identityMemberships: IdentityProjectMembershipsSchema.merge(
+            z.object({
+              customRole: ProjectRolesSchema.pick({
+                id: true,
+                name: true,
+                slug: true,
+                permissions: true,
+                description: true
+              }).optional(),
               identity: IdentitiesSchema.pick({ name: true, id: true, authMethod: true })
             })
-            .array()
+          ).array()
         })
       }
     },

backend/src/server/routes/v2/organization-router.ts

@@ -1,7 +1,6 @@
 import { z } from "zod";
 
 import { OrganizationsSchema, OrgMembershipsSchema, UserEncryptionKeysSchema, UsersSchema } from "@app/db/schemas";
-import { ORGANIZATIONS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { ActorType, AuthMode } from "@app/services/auth/auth-type";
 
@@ -18,14 +17,13 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        organizationId: z.string().trim().describe(ORGANIZATIONS.LIST_USER_MEMBERSHIPS.organizationId)
+        organizationId: z.string().trim()
       }),
       response: {
         200: z.object({
           users: OrgMembershipsSchema.merge(
             z.object({
               user: UsersSchema.pick({
-                username: true,
                 email: true,
                 firstName: true,
                 lastName: true,
@@ -63,7 +61,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        organizationId: z.string().trim().describe(ORGANIZATIONS.GET_PROJECTS.organizationId)
+        organizationId: z.string().trim()
       }),
       response: {
         200: z.object({
@@ -107,12 +105,9 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
           apiKeyAuth: []
         }
       ],
-      params: z.object({
-        organizationId: z.string().trim().describe(ORGANIZATIONS.UPDATE_USER_MEMBERSHIP.organizationId),
-        membershipId: z.string().trim().describe(ORGANIZATIONS.UPDATE_USER_MEMBERSHIP.membershipId)
-      }),
+      params: z.object({ organizationId: z.string().trim(), membershipId: z.string().trim() }),
       body: z.object({
-        role: z.string().trim().describe(ORGANIZATIONS.UPDATE_USER_MEMBERSHIP.role)
+        role: z.string().trim()
       }),
       response: {
         200: z.object({
@@ -146,10 +141,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
           apiKeyAuth: []
         }
       ],
-      params: z.object({
-        organizationId: z.string().trim().describe(ORGANIZATIONS.DELETE_USER_MEMBERSHIP.organizationId),
-        membershipId: z.string().trim().describe(ORGANIZATIONS.DELETE_USER_MEMBERSHIP.membershipId)
-      }),
+      params: z.object({ organizationId: z.string().trim(), membershipId: z.string().trim() }),
       response: {
         200: z.object({
           membership: OrgMembershipsSchema
@@ -187,12 +179,11 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
     handler: async (req) => {
       if (req.auth.actor !== ActorType.USER) return;
 
-      const organization = await server.services.org.createOrganization({
-        userId: req.permission.id,
-        userEmail: req.auth.user.email,
-        orgName: req.body.name
-      });
-
+      const organization = await server.services.org.createOrganization(
+        req.permission.id,
+        req.auth.user.email,
+        req.body.name
+      );
       return { organization };
     }
   });

backend/src/server/routes/v2/project-membership-router.ts

@@ -2,7 +2,6 @@ import { z } from "zod";
 
 import { ProjectMembershipsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { PROJECTS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 
@@ -12,11 +11,10 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
     url: "/:projectId/memberships",
     schema: {
       params: z.object({
-        projectId: z.string().describe(PROJECTS.INVITE_MEMBER.projectId)
+        projectId: z.string().describe("The ID of the project.")
       }),
       body: z.object({
-        emails: z.string().email().array().default([]).describe(PROJECTS.INVITE_MEMBER.emails),
-        usernames: z.string().array().default([]).describe(PROJECTS.INVITE_MEMBER.usernames)
+        emails: z.string().email().array().describe("Emails of the users to add to the project.")
       }),
       response: {
         200: z.object({
@@ -30,8 +28,7 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
         projectId: req.params.projectId,
         actorId: req.permission.id,
         actor: req.permission.type,
-        emails: req.body.emails,
-        usernames: req.body.usernames
+        emails: req.body.emails
       });
 
       await server.services.auditLog.createAuditLog({
@@ -56,12 +53,11 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
     url: "/:projectId/memberships",
     schema: {
       params: z.object({
-        projectId: z.string().describe(PROJECTS.REMOVE_MEMBER.projectId)
+        projectId: z.string().describe("The ID of the project.")
       }),
 
       body: z.object({
-        emails: z.string().email().array().default([]).describe(PROJECTS.REMOVE_MEMBER.emails),
-        usernames: z.string().array().default([]).describe(PROJECTS.REMOVE_MEMBER.usernames)
+        emails: z.string().email().array().describe("Emails of the users to remove from the project.")
       }),
       response: {
         200: z.object({
@@ -76,8 +72,7 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
         actor: req.permission.type,
         actorOrgId: req.permission.orgId,
         projectId: req.params.projectId,
-        emails: req.body.emails,
-        usernames: req.body.usernames
+        emails: req.body.emails
       });
 
       for (const membership of memberships) {

backend/src/server/routes/v2/project-router.ts

@@ -3,7 +3,6 @@ import { z } from "zod";
 
 import { ProjectKeysSchema, ProjectsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { PROJECTS } from "@app/lib/api-docs";
 import { authRateLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -30,7 +29,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        workspaceId: z.string().trim().describe(PROJECTS.GET_KEY.workspaceId)
+        workspaceId: z.string().trim()
       }),
       response: {
         200: ProjectKeysSchema.merge(
@@ -128,7 +127,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
     },
     schema: {
       body: z.object({
-        projectName: z.string().trim().describe(PROJECTS.CREATE.projectName),
+        projectName: z.string().trim(),
         slug: z
           .string()
           .min(5)
@@ -136,9 +135,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
           .refine((v) => slugify(v) === v, {
             message: "Slug must be a valid slug"
           })
-          .optional()
-          .describe(PROJECTS.CREATE.slug),
-        organizationId: z.string().trim().describe(PROJECTS.CREATE.organizationId)
+          .optional(),
+        organizationId: z.string().trim()
       }),
       response: {
         200: z.object({

backend/src/server/routes/v3/login-router.ts

@@ -12,7 +12,7 @@ export const registerLoginRouter = async (server: FastifyZodProvider) => {
     },
     schema: {
       body: z.object({
-        email: z.string().trim(),
+        email: z.string().email().trim(),
         providerAuthToken: z.string().trim().optional(),
         clientPublicKey: z.string().trim()
       }),
@@ -42,7 +42,7 @@ export const registerLoginRouter = async (server: FastifyZodProvider) => {
     },
     schema: {
       body: z.object({
-        email: z.string().trim(),
+        email: z.string().email().trim(),
         providerAuthToken: z.string().trim().optional(),
         clientProof: z.string().trim()
       }),

backend/src/server/routes/v3/secret-router.ts

@@ -10,7 +10,6 @@ import {
 } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { CommitType } from "@app/ee/services/secret-approval-request/secret-approval-request-types";
-import { RAW_SECRETS } from "@app/lib/api-docs";
 import { BadRequestError } from "@app/lib/errors";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
@@ -34,14 +33,13 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       ],
       querystring: z.object({
-        workspaceId: z.string().trim().optional().describe(RAW_SECRETS.LIST.workspaceId),
-        environment: z.string().trim().optional().describe(RAW_SECRETS.LIST.environment),
-        secretPath: z.string().trim().default("/").transform(removeTrailingSlash).describe(RAW_SECRETS.LIST.secretPath),
+        workspaceId: z.string().trim().optional(),
+        environment: z.string().trim().optional(),
+        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
         include_imports: z
           .enum(["true", "false"])
           .default("false")
           .transform((value) => value === "true")
-          .describe(RAW_SECRETS.LIST.includeImports)
       }),
       response: {
         200: z.object({
@@ -125,19 +123,18 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        secretName: z.string().trim().describe(RAW_SECRETS.GET.secretName)
+        secretName: z.string().trim()
       }),
       querystring: z.object({
-        workspaceId: z.string().trim().optional().describe(RAW_SECRETS.GET.workspaceId),
-        environment: z.string().trim().optional().describe(RAW_SECRETS.GET.environment),
-        secretPath: z.string().trim().default("/").transform(removeTrailingSlash).describe(RAW_SECRETS.GET.secretPath),
-        version: z.coerce.number().optional().describe(RAW_SECRETS.GET.version),
-        type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(RAW_SECRETS.GET.type),
+        workspaceId: z.string().trim().optional(),
+        environment: z.string().trim().optional(),
+        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
+        version: z.coerce.number().optional(),
+        type: z.nativeEnum(SecretType).default(SecretType.Shared),
         include_imports: z
           .enum(["true", "false"])
           .default("false")
           .transform((value) => value === "true")
-          .describe(RAW_SECRETS.GET.includeImports)
       }),
       response: {
         200: z.object({
@@ -216,24 +213,16 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        secretName: z.string().trim().describe(RAW_SECRETS.CREATE.secretName)
+        secretName: z.string().trim()
       }),
       body: z.object({
-        workspaceId: z.string().trim().describe(RAW_SECRETS.CREATE.workspaceId),
-        environment: z.string().trim().describe(RAW_SECRETS.CREATE.environment),
-        secretPath: z
-          .string()
-          .trim()
-          .default("/")
-          .transform(removeTrailingSlash)
-          .describe(RAW_SECRETS.CREATE.secretPath),
-        secretValue: z
-          .string()
-          .transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim()))
-          .describe(RAW_SECRETS.CREATE.secretValue),
-        secretComment: z.string().trim().optional().default("").describe(RAW_SECRETS.CREATE.secretComment),
-        skipMultilineEncoding: z.boolean().optional().describe(RAW_SECRETS.CREATE.skipMultilineEncoding),
-        type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(RAW_SECRETS.CREATE.type)
+        workspaceId: z.string().trim(),
+        environment: z.string().trim(),
+        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
+        secretValue: z.string().transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim())),
+        secretComment: z.string().trim().optional().default(""),
+        skipMultilineEncoding: z.boolean().optional(),
+        type: z.nativeEnum(SecretType).default(SecretType.Shared)
       }),
       response: {
         200: z.object({
@@ -301,23 +290,15 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        secretName: z.string().trim().describe(RAW_SECRETS.UPDATE.secretName)
+        secretName: z.string().trim()
       }),
       body: z.object({
-        workspaceId: z.string().trim().describe(RAW_SECRETS.UPDATE.workspaceId),
-        environment: z.string().trim().describe(RAW_SECRETS.UPDATE.environment),
-        secretValue: z
-          .string()
-          .transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim()))
-          .describe(RAW_SECRETS.UPDATE.secretValue),
-        secretPath: z
-          .string()
-          .trim()
-          .default("/")
-          .transform(removeTrailingSlash)
-          .describe(RAW_SECRETS.UPDATE.secretPath),
-        skipMultilineEncoding: z.boolean().optional().describe(RAW_SECRETS.UPDATE.skipMultilineEncoding),
-        type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(RAW_SECRETS.UPDATE.type)
+        workspaceId: z.string().trim(),
+        environment: z.string().trim(),
+        secretValue: z.string().transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim())),
+        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
+        skipMultilineEncoding: z.boolean().optional(),
+        type: z.nativeEnum(SecretType).default(SecretType.Shared)
       }),
       response: {
         200: z.object({
@@ -383,18 +364,13 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        secretName: z.string().trim().describe(RAW_SECRETS.DELETE.secretName)
+        secretName: z.string().trim()
       }),
       body: z.object({
-        workspaceId: z.string().trim().describe(RAW_SECRETS.DELETE.workspaceId),
-        environment: z.string().trim().describe(RAW_SECRETS.DELETE.environment),
-        secretPath: z
-          .string()
-          .trim()
-          .default("/")
-          .transform(removeTrailingSlash)
-          .describe(RAW_SECRETS.DELETE.secretPath),
-        type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(RAW_SECRETS.DELETE.type)
+        workspaceId: z.string().trim(),
+        environment: z.string().trim(),
+        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
+        type: z.nativeEnum(SecretType).default(SecretType.Shared)
       }),
       response: {
         200: z.object({

backend/src/server/routes/v3/signup-router.ts

@@ -88,7 +88,7 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {
     },
     schema: {
       body: z.object({
-        email: z.string().trim(),
+        email: z.string().email().trim(),
         firstName: z.string().trim(),
         lastName: z.string().trim().optional(),
         protectedKey: z.string().trim(),
@@ -131,16 +131,13 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {
         authorization: req.headers.authorization as string
       });
 
-      if (user.email) {
-        void server.services.telemetry.sendLoopsEvent(user.email, user.firstName || "", user.lastName || "");
-      }
+      void server.services.telemetry.sendLoopsEvent(user.email, user.firstName || "", user.lastName || "");
 
       void server.services.telemetry.sendPostHogEvents({
         event: PostHogEventTypes.UserSignedUp,
-        distinctId: user.username ?? "",
+        distinctId: user.email,
         properties: {
-          username: user.username,
-          email: user.email ?? "",
+          email: user.email,
           attributionSource: req.body.attributionSource
         }
       });
@@ -197,16 +194,13 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {
         authorization: req.headers.authorization as string
       });
 
-      if (user.email) {
-        void server.services.telemetry.sendLoopsEvent(user.email, user.firstName || "", user.lastName || "");
-      }
+      void server.services.telemetry.sendLoopsEvent(user.email, user.firstName || "", user.lastName || "");
 
       void server.services.telemetry.sendPostHogEvents({
         event: PostHogEventTypes.UserSignedUp,
-        distinctId: user.username ?? "",
+        distinctId: user.email,
         properties: {
-          username: user.username,
-          email: user.email ?? "",
+          email: user.email,
           attributionSource: "Team Invite"
         }
       });

backend/src/services/auth/auth-fns.ts

@@ -5,14 +5,13 @@ import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
 
 import { AuthModeProviderJwtTokenPayload, AuthModeProviderSignUpTokenPayload, AuthTokenType } from "./auth-type";
 
-export const validateProviderAuthToken = (providerToken: string, username?: string) => {
+export const validateProviderAuthToken = (providerToken: string, email: string) => {
   if (!providerToken) throw new UnauthorizedError();
   const appCfg = getConfig();
   const decodedToken = jwt.verify(providerToken, appCfg.AUTH_SECRET) as AuthModeProviderJwtTokenPayload;
 
   if (decodedToken.authTokenType !== AuthTokenType.PROVIDER_TOKEN) throw new UnauthorizedError();
-
-  if (decodedToken.username !== username) throw new Error("Invalid auth credentials");
+  if (decodedToken.email !== email) throw new Error("Invalid auth credentials");
 
   if (decodedToken.organizationId) {
     return { orgId: decodedToken.organizationId };

backend/src/services/auth/auth-login-service.ts

@@ -39,19 +39,17 @@ export const authLoginServiceFactory = ({ userDAL, tokenService, smtpService }:
     if (!isDeviceSeen) {
       const newDeviceList = devices.concat([{ ip, userAgent }]);
       await userDAL.updateById(user.id, { devices: JSON.stringify(newDeviceList) });
-      if (user.email) {
-        await smtpService.sendMail({
-          template: SmtpTemplates.NewDeviceJoin,
-          subjectLine: "Successful login from new device",
-          recipients: [user.email],
-          substitutions: {
-            email: user.email,
-            timestamp: new Date().toString(),
-            ip,
-            userAgent
-          }
-        });
-      }
+      await smtpService.sendMail({
+        template: SmtpTemplates.NewDeviceJoin,
+        subjectLine: "Successful login from new device",
+        recipients: [user.email],
+        substitutions: {
+          email: user.email,
+          timestamp: new Date().toString(),
+          ip,
+          userAgent
+        }
+      });
     }
   };
 
@@ -133,9 +131,7 @@ export const authLoginServiceFactory = ({ userDAL, tokenService, smtpService }:
     providerAuthToken,
     clientPublicKey
   }: TLoginGenServerPublicKeyDTO) => {
-    const userEnc = await userDAL.findUserEncKeyByUsername({
-      username: email
-    });
+    const userEnc = await userDAL.findUserEncKeyByEmail(email);
     if (!userEnc || (userEnc && !userEnc.isAccepted)) {
       throw new Error("Failed to find  user");
     }
@@ -162,9 +158,7 @@ export const authLoginServiceFactory = ({ userDAL, tokenService, smtpService }:
     ip,
     userAgent
   }: TLoginClientProofDTO) => {
-    const userEnc = await userDAL.findUserEncKeyByUsername({
-      username: email
-    });
+    const userEnc = await userDAL.findUserEncKeyByEmail(email);
     if (!userEnc) throw new Error("Failed to find user");
     const cfg = getConfig();
 
@@ -193,7 +187,7 @@ export const authLoginServiceFactory = ({ userDAL, tokenService, smtpService }:
       clientPublicKey: null
     });
     // send multi factor auth token if they it enabled
-    if (userEnc.isMfaEnabled && userEnc.email) {
+    if (userEnc.isMfaEnabled) {
       const mfaToken = jwt.sign(
         {
           authTokenType: AuthTokenType.MFA_TOKEN,
@@ -233,7 +227,7 @@ export const authLoginServiceFactory = ({ userDAL, tokenService, smtpService }:
    */
   const resendMfaToken = async (userId: string) => {
     const user = await userDAL.findById(userId);
-    if (!user || !user.email) return;
+    if (!user) return;
     await sendUserMfaCode({
       userId: user.id,
       email: user.email
@@ -269,7 +263,7 @@ export const authLoginServiceFactory = ({ userDAL, tokenService, smtpService }:
    * OAuth2 login for google,github, and other oauth2 provider
    * */
   const oauth2Login = async ({ email, firstName, lastName, authMethod, callbackPort }: TOauthLoginDTO) => {
-    let user = await userDAL.findUserByUsername(email);
+    let user = await userDAL.findUserByEmail(email);
     const serverCfg = await getServerCfg();
 
     const appCfg = getConfig();
@@ -288,14 +282,7 @@ export const authLoginServiceFactory = ({ userDAL, tokenService, smtpService }:
           });
       }
 
-      user = await userDAL.create({
-        username: email,
-        email,
-        firstName,
-        lastName,
-        authMethods: [authMethod],
-        isGhost: false
-      });
+      user = await userDAL.create({ email, firstName, lastName, authMethods: [authMethod], isGhost: false });
     }
     const isLinkingRequired = !user?.authMethods?.includes(authMethod);
     const isUserCompleted = user.isAccepted;
@@ -303,7 +290,7 @@ export const authLoginServiceFactory = ({ userDAL, tokenService, smtpService }:
       {
         authTokenType: AuthTokenType.PROVIDER_TOKEN,
         userId: user.id,
-        username: user.username,
+        email: user.email,
         firstName: user.firstName,
         lastName: user.lastName,
         authMethod,

backend/src/services/auth/auth-password-service.ts

@@ -99,7 +99,7 @@ export const authPaswordServiceFactory = ({
    * Email password reset flow via email. Step 1 send email
    */
   const sendPasswordResetEmail = async (email: string) => {
-    const user = await userDAL.findUserByUsername(email);
+    const user = await userDAL.findUserByEmail(email);
     // ignore as user is not found to avoid an outside entity to identify infisical registered accounts
     if (!user || (user && !user.isAccepted)) return;
 
@@ -126,7 +126,7 @@ export const authPaswordServiceFactory = ({
    * */
   const verifyPasswordResetEmail = async (email: string, code: string) => {
     const cfg = getConfig();
-    const user = await userDAL.findUserByUsername(email);
+    const user = await userDAL.findUserByEmail(email);
     // ignore as user is not found to avoid an outside entity to identify infisical registered accounts
     if (!user || (user && !user.isAccepted)) {
       throw new Error("Failed email verification for pass reset");

backend/src/services/auth/auth-signup-service.ts

@@ -44,13 +44,13 @@ export const authSignupServiceFactory = ({
       throw new Error("Provided a disposable email");
     }
 
-    let user = await userDAL.findUserByUsername(email);
+    let user = await userDAL.findUserByEmail(email);
     if (user && user.isAccepted) {
       // TODO(akhilmhdh-pg): copy as old one. this needs to be changed due to security issues
       throw new Error("Failed to send verification code for complete account");
     }
     if (!user) {
-      user = await userDAL.create({ authMethods: [AuthMethod.EMAIL], username: email, email, isGhost: false });
+      user = await userDAL.create({ authMethods: [AuthMethod.EMAIL], email, isGhost: false });
     }
     if (!user) throw new Error("Failed to create user");
 
@@ -70,7 +70,7 @@ export const authSignupServiceFactory = ({
   };
 
   const verifyEmailSignup = async (email: string, code: string) => {
-    const user = await userDAL.findUserByUsername(email);
+    const user = await userDAL.findUserByEmail(email);
     if (!user || (user && user.isAccepted)) {
       // TODO(akhilmhdh): copy as old one. this needs to be changed due to security issues
       throw new Error("Failed to send verification code for complete account");
@@ -115,14 +115,14 @@ export const authSignupServiceFactory = ({
     userAgent,
     authorization
   }: TCompleteAccountSignupDTO) => {
-    const user = await userDAL.findOne({ username: email });
+    const user = await userDAL.findUserByEmail(email);
     if (!user || (user && user.isAccepted)) {
       throw new Error("Failed to complete account for complete user");
     }
 
     let organizationId;
     if (providerAuthToken) {
-      const { orgId } = validateProviderAuthToken(providerAuthToken, user.username);
+      const { orgId } = validateProviderAuthToken(providerAuthToken, user.email);
       organizationId = orgId;
     } else {
       validateSignUpAuthorization(authorization, user.id);
@@ -150,11 +150,7 @@ export const authSignupServiceFactory = ({
     });
 
     if (!organizationId) {
-      await orgService.createOrganization({
-        userId: user.id,
-        userEmail: user.email ?? user.username,
-        orgName: organizationName
-      });
+      await orgService.createOrganization(user.id, user.email, organizationName);
     }
 
     const updatedMembersips = await orgDAL.updateMembership(
@@ -219,7 +215,7 @@ export const authSignupServiceFactory = ({
     encryptedPrivateKeyTag,
     authorization
   }: TCompleteAccountInviteDTO) => {
-    const user = await userDAL.findUserByUsername(email);
+    const user = await userDAL.findUserByEmail(email);
     if (!user || (user && user.isAccepted)) {
       throw new Error("Failed to complete account for complete user");
     }

backend/src/services/auth/auth-type.ts

@@ -5,8 +5,7 @@ export enum AuthMethod {
   GITLAB = "gitlab",
   OKTA_SAML = "okta-saml",
   AZURE_SAML = "azure-saml",
-  JUMPCLOUD_SAML = "jumpcloud-saml",
-  LDAP = "ldap"
+  JUMPCLOUD_SAML = "jumpcloud-saml"
 }
 
 export enum AuthTokenType {
@@ -62,7 +61,7 @@ export type AuthModeRefreshJwtTokenPayload = {
 
 export type AuthModeProviderJwtTokenPayload = {
   authTokenType: AuthTokenType.PROVIDER_TOKEN;
-  username: string;
+  email: string;
   organizationId?: string;
 };
 

backend/src/services/identity-project/identity-project-dal.ts

@@ -3,7 +3,7 @@ import { Knex } from "knex";
 import { TDbClient } from "@app/db";
 import { TableName } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
-import { ormify, sqlNestRelationships } from "@app/lib/knex";
+import { ormify, selectAllTableCols } from "@app/lib/knex";
 
 export type TIdentityProjectDALFactory = ReturnType<typeof identityProjectDALFactory>;
 
@@ -15,81 +15,52 @@ export const identityProjectDALFactory = (db: TDbClient) => {
       const docs = await (tx || db)(TableName.IdentityProjectMembership)
         .where(`${TableName.IdentityProjectMembership}.projectId`, projectId)
         .join(TableName.Identity, `${TableName.IdentityProjectMembership}.identityId`, `${TableName.Identity}.id`)
-        .join(
-          TableName.IdentityProjectMembershipRole,
-          `${TableName.IdentityProjectMembershipRole}.projectMembershipId`,
-          `${TableName.IdentityProjectMembership}.id`
-        )
         .leftJoin(
           TableName.ProjectRoles,
-          `${TableName.IdentityProjectMembershipRole}.customRoleId`,
+          `${TableName.IdentityProjectMembership}.roleId`,
           `${TableName.ProjectRoles}.id`
         )
-        .select(
-          db.ref("id").withSchema(TableName.IdentityProjectMembership),
-          db.ref("createdAt").withSchema(TableName.IdentityProjectMembership),
-          db.ref("updatedAt").withSchema(TableName.IdentityProjectMembership),
-          db.ref("authMethod").as("identityAuthMethod").withSchema(TableName.Identity),
-          db.ref("id").as("identityId").withSchema(TableName.Identity),
-          db.ref("name").as("identityName").withSchema(TableName.Identity),
-          db.ref("id").withSchema(TableName.IdentityProjectMembership),
-          db.ref("role").withSchema(TableName.IdentityProjectMembershipRole),
-          db.ref("id").withSchema(TableName.IdentityProjectMembershipRole).as("membershipRoleId"),
-          db.ref("customRoleId").withSchema(TableName.IdentityProjectMembershipRole),
-          db.ref("name").withSchema(TableName.ProjectRoles).as("customRoleName"),
-          db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug"),
-          db.ref("temporaryMode").withSchema(TableName.IdentityProjectMembershipRole),
-          db.ref("isTemporary").withSchema(TableName.IdentityProjectMembershipRole),
-          db.ref("temporaryRange").withSchema(TableName.IdentityProjectMembershipRole),
-          db.ref("temporaryAccessStartTime").withSchema(TableName.IdentityProjectMembershipRole),
-          db.ref("temporaryAccessEndTime").withSchema(TableName.IdentityProjectMembershipRole)
-        );
-
-      const members = sqlNestRelationships({
-        data: docs,
-        parentMapper: ({ identityId, identityName, identityAuthMethod, id, createdAt, updatedAt }) => ({
-          id,
+        .select(selectAllTableCols(TableName.IdentityProjectMembership))
+        // cr stands for custom role
+        .select(db.ref("id").as("crId").withSchema(TableName.ProjectRoles))
+        .select(db.ref("name").as("crName").withSchema(TableName.ProjectRoles))
+        .select(db.ref("slug").as("crSlug").withSchema(TableName.ProjectRoles))
+        .select(db.ref("description").as("crDescription").withSchema(TableName.ProjectRoles))
+        .select(db.ref("permissions").as("crPermission").withSchema(TableName.ProjectRoles))
+        .select(db.ref("permissions").as("crPermission").withSchema(TableName.ProjectRoles))
+        .select(db.ref("id").as("identityId").withSchema(TableName.Identity))
+        .select(db.ref("name").as("identityName").withSchema(TableName.Identity))
+        .select(db.ref("authMethod").as("identityAuthMethod").withSchema(TableName.Identity));
+      return docs.map(
+        ({
+          crId,
+          crDescription,
+          crSlug,
+          crPermission,
+          crName,
+          identityId,
+          identityName,
+          identityAuthMethod,
+          ...el
+        }) => ({
+          ...el,
           identityId,
-          createdAt,
-          updatedAt,
           identity: {
             id: identityId,
             name: identityName,
             authMethod: identityAuthMethod
-          }
-        }),
-        key: "id",
-        childrenMapper: [
-          {
-            label: "roles" as const,
-            key: "membershipRoleId",
-            mapper: ({
-              role,
-              customRoleId,
-              customRoleName,
-              customRoleSlug,
-              membershipRoleId,
-              temporaryRange,
-              temporaryMode,
-              temporaryAccessEndTime,
-              temporaryAccessStartTime,
-              isTemporary
-            }) => ({
-              id: membershipRoleId,
-              role,
-              customRoleId,
-              customRoleName,
-              customRoleSlug,
-              temporaryRange,
-              temporaryMode,
-              temporaryAccessEndTime,
-              temporaryAccessStartTime,
-              isTemporary
-            })
-          }
-        ]
-      });
-      return members;
+          },
+          customRole: el.roleId
+            ? {
+                id: crId,
+                name: crName,
+                slug: crSlug,
+                permissions: crPermission,
+                description: crDescription
+              }
+            : undefined
+        })
+      );
     } catch (error) {
       throw new DatabaseError({ error, name: "FindByProjectId" });
     }

backend/src/services/identity-project/identity-project-membership-role-dal.ts

@@ -1,10 +0,0 @@
-import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
-
-export type TIdentityProjectMembershipRoleDALFactory = ReturnType<typeof identityProjectMembershipRoleDALFactory>;
-
-export const identityProjectMembershipRoleDALFactory = (db: TDbClient) => {
-  const orm = ormify(db, TableName.IdentityProjectMembershipRole);
-  return orm;
-};

backend/src/services/identity-project/identity-project-service.ts

@@ -1,20 +1,15 @@
 import { ForbiddenError } from "@casl/ability";
-import ms from "ms";
 
-import { ProjectMembershipRole } from "@app/db/schemas";
+import { ProjectMembershipRole, TProjectRoles } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError } from "@app/lib/errors";
-import { groupBy } from "@app/lib/fn";
 
 import { ActorType } from "../auth/auth-type";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TProjectDALFactory } from "../project/project-dal";
-import { ProjectUserMembershipTemporaryMode } from "../project-membership/project-membership-types";
-import { TProjectRoleDALFactory } from "../project-role/project-role-dal";
 import { TIdentityProjectDALFactory } from "./identity-project-dal";
-import { TIdentityProjectMembershipRoleDALFactory } from "./identity-project-membership-role-dal";
 import {
   TCreateProjectIdentityDTO,
   TDeleteProjectIdentityDTO,
@@ -24,12 +19,7 @@ import {
 
 type TIdentityProjectServiceFactoryDep = {
   identityProjectDAL: TIdentityProjectDALFactory;
-  identityProjectMembershipRoleDAL: Pick<
-    TIdentityProjectMembershipRoleDALFactory,
-    "create" | "transaction" | "insertMany" | "delete"
-  >;
   projectDAL: Pick<TProjectDALFactory, "findById">;
-  projectRoleDAL: Pick<TProjectRoleDALFactory, "find">;
   identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission" | "getProjectPermissionByRole">;
 };
@@ -40,9 +30,7 @@ export const identityProjectServiceFactory = ({
   identityProjectDAL,
   permissionService,
   identityOrgMembershipDAL,
-  identityProjectMembershipRoleDAL,
-  projectDAL,
-  projectRoleDAL
+  projectDAL
 }: TIdentityProjectServiceFactoryDep) => {
   const createProjectIdentity = async ({
     identityId,
@@ -82,26 +70,11 @@ export const identityProjectServiceFactory = ({
       });
     const isCustomRole = Boolean(customRole);
 
-    const projectIdentity = await identityProjectDAL.transaction(async (tx) => {
-      const identityProjectMembership = await identityProjectDAL.create(
-        {
-          identityId,
-          projectId: project.id,
-          role: isCustomRole ? ProjectMembershipRole.Custom : role,
-          roleId: customRole?.id
-        },
-        tx
-      );
-
-      await identityProjectMembershipRoleDAL.create(
-        {
-          projectMembershipId: identityProjectMembership.id,
-          role: isCustomRole ? ProjectMembershipRole.Custom : role,
-          customRoleId: customRole?.id
-        },
-        tx
-      );
-      return identityProjectMembership;
+    const projectIdentity = await identityProjectDAL.create({
+      identityId,
+      projectId: project.id,
+      role: isCustomRole ? ProjectMembershipRole.Custom : role,
+      roleId: customRole?.id
     });
     return projectIdentity;
   };
@@ -109,7 +82,7 @@ export const identityProjectServiceFactory = ({
   const updateProjectIdentity = async ({
     projectId,
     identityId,
-    roles,
+    role,
     actor,
     actorId,
     actorOrgId
@@ -133,51 +106,28 @@ export const identityProjectServiceFactory = ({
     if (!hasRequiredPriviledges)
       throw new ForbiddenRequestError({ message: "Failed to delete more privileged identity" });
 
-    // validate custom roles input
-    const customInputRoles = roles.filter(
-      ({ role }) => !Object.values(ProjectMembershipRole).includes(role as ProjectMembershipRole)
-    );
-    const hasCustomRole = Boolean(customInputRoles.length);
-    const customRoles = hasCustomRole
-      ? await projectRoleDAL.find({
-          projectId,
-          $in: { slug: customInputRoles.map(({ role }) => role) }
-        })
-      : [];
-    if (customRoles.length !== customInputRoles.length) throw new BadRequestError({ message: "Custom role not found" });
+    let customRole: TProjectRoles | undefined;
+    if (role) {
+      const { permission: rolePermission, role: customOrgRole } = await permissionService.getProjectPermissionByRole(
+        role,
+        projectIdentity.projectId
+      );
 
-    const customRolesGroupBySlug = groupBy(customRoles, ({ slug }) => slug);
+      const isCustomRole = Boolean(customOrgRole);
+      const hasRequiredNewRolePermission = isAtLeastAsPrivileged(permission, rolePermission);
+      if (!hasRequiredNewRolePermission)
+        throw new BadRequestError({ message: "Failed to create a more privileged identity" });
+      if (isCustomRole) customRole = customOrgRole;
+    }
 
-    const santiziedProjectMembershipRoles = roles.map((inputRole) => {
-      const isCustomRole = Boolean(customRolesGroupBySlug?.[inputRole.role]?.[0]);
-      if (!inputRole.isTemporary) {
-        return {
-          projectMembershipId: projectIdentity.id,
-          role: isCustomRole ? ProjectMembershipRole.Custom : inputRole.role,
-          customRoleId: customRolesGroupBySlug[inputRole.role] ? customRolesGroupBySlug[inputRole.role][0].id : null
-        };
+    const [updatedProjectIdentity] = await identityProjectDAL.update(
+      { projectId, identityId: projectIdentity.identityId },
+      {
+        role: customRole ? ProjectMembershipRole.Custom : role,
+        roleId: customRole ? customRole.id : null
       }
-
-      // check cron or relative here later for now its just relative
-      const relativeTimeInMs = ms(inputRole.temporaryRange);
-      return {
-        projectMembershipId: projectIdentity.id,
-        role: isCustomRole ? ProjectMembershipRole.Custom : inputRole.role,
-        customRoleId: customRolesGroupBySlug[inputRole.role] ? customRolesGroupBySlug[inputRole.role][0].id : null,
-        isTemporary: true,
-        temporaryMode: ProjectUserMembershipTemporaryMode.Relative,
-        temporaryRange: inputRole.temporaryRange,
-        temporaryAccessStartTime: new Date(inputRole.temporaryAccessStartTime),
-        temporaryAccessEndTime: new Date(new Date(inputRole.temporaryAccessStartTime).getTime() + relativeTimeInMs)
-      };
-    });
-
-    const updatedRoles = await identityProjectMembershipRoleDAL.transaction(async (tx) => {
-      await identityProjectMembershipRoleDAL.delete({ projectMembershipId: projectIdentity.id }, tx);
-      return identityProjectMembershipRoleDAL.insertMany(santiziedProjectMembershipRoles, tx);
-    });
-
-    return updatedRoles;
+    );
+    return updatedProjectIdentity;
   };
 
   const deleteProjectIdentity = async ({

backend/src/services/identity-project/identity-project-types.ts

@@ -1,26 +1,12 @@
 import { TProjectPermission } from "@app/lib/types";
 
-import { ProjectUserMembershipTemporaryMode } from "../project-membership/project-membership-types";
-
 export type TCreateProjectIdentityDTO = {
   identityId: string;
   role: string;
 } & TProjectPermission;
 
 export type TUpdateProjectIdentityDTO = {
-  roles: (
-    | {
-        role: string;
-        isTemporary?: false;
-      }
-    | {
-        role: string;
-        isTemporary: true;
-        temporaryMode: ProjectUserMembershipTemporaryMode.Relative;
-        temporaryRange: string;
-        temporaryAccessStartTime: string;
-      }
-  )[];
+  role: string;
   identityId: string;
 } & TProjectPermission;
 

backend/src/services/integration-auth/integration-app-list.ts

@@ -260,44 +260,20 @@ const getAppsGithub = async ({ accessToken }: { accessToken: string }) => {
  * Return list of services for Render integration
  */
 const getAppsRender = async ({ accessToken }: { accessToken: string }) => {
-  const apps: Array<{ name: string; appId: string }> = [];
-  let hasMorePages = true;
-  const perPage = 100;
-  let cursor;
+  const res = (
+    await request.get<{ service: { name: string; id: string } }[]>(`${IntegrationUrls.RENDER_API_URL}/v1/services`, {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        Accept: "application/json",
+        "Accept-Encoding": "application/json"
+      }
+    })
+  ).data;
 
-  interface RenderService {
-    cursor: string;
-    service: { name: string; id: string };
-  }
-
-  while (hasMorePages) {
-    const res: RenderService[] = (
-      await request.get<RenderService[]>(`${IntegrationUrls.RENDER_API_URL}/v1/services`, {
-        params: new URLSearchParams({
-          ...(cursor ? { cursor: String(cursor) } : {}),
-          limit: String(perPage)
-        }),
-        headers: {
-          Authorization: `Bearer ${accessToken}`,
-          Accept: "application/json",
-          "Accept-Encoding": "application/json"
-        }
-      })
-    ).data;
-
-    res.forEach((a) => {
-      apps.push({
-        name: a.service.name,
-        appId: a.service.id
-      });
-    });
-
-    if (res.length < perPage) {
-      hasMorePages = false;
-    } else {
-      cursor = res[res.length - 1].cursor;
-    }
-  }
+  const apps = res.map((a) => ({
+    name: a.service.name,
+    appId: a.service.id
+  }));
 
   return apps;
 };

backend/src/services/integration-auth/integration-sync-secret.ts

@@ -459,7 +459,7 @@ const syncSecretsAWSParameterStore = async ({
 
   const params = {
     Path: integration.path as string,
-    Recursive: false,
+    Recursive: true,
     WithDecryption: true
   };
 

backend/src/services/org/org-dal.ts

@@ -57,7 +57,7 @@ export const orgDALFactory = (db: TDbClient) => {
   const findAllOrgMembers = async (orgId: string) => {
     try {
       const members = await db(TableName.OrgMembership)
-        .where(`${TableName.OrgMembership}.orgId`, orgId)
+        .where({ orgId })
         .join(TableName.Users, `${TableName.OrgMembership}.userId`, `${TableName.Users}.id`)
         .leftJoin<TUserEncryptionKeys>(
           TableName.UserEncryptionKey,
@@ -72,27 +72,25 @@ export const orgDALFactory = (db: TDbClient) => {
           db.ref("roleId").withSchema(TableName.OrgMembership),
           db.ref("status").withSchema(TableName.OrgMembership),
           db.ref("email").withSchema(TableName.Users),
-          db.ref("username").withSchema(TableName.Users),
           db.ref("firstName").withSchema(TableName.Users),
           db.ref("lastName").withSchema(TableName.Users),
           db.ref("id").withSchema(TableName.Users).as("userId"),
           db.ref("publicKey").withSchema(TableName.UserEncryptionKey)
         )
         .where({ isGhost: false }); // MAKE SURE USER IS NOT A GHOST USER
-
-      return members.map(({ email, username, firstName, lastName, userId, publicKey, ...data }) => ({
+      return members.map(({ email, firstName, lastName, userId, publicKey, ...data }) => ({
         ...data,
-        user: { email, username, firstName, lastName, id: userId, publicKey }
+        user: { email, firstName, lastName, id: userId, publicKey }
       }));
     } catch (error) {
       throw new DatabaseError({ error, name: "Find all org members" });
     }
   };
 
-  const findOrgMembersByUsername = async (orgId: string, usernames: string[]) => {
+  const findOrgMembersByEmail = async (orgId: string, emails: string[]) => {
     try {
       const members = await db(TableName.OrgMembership)
-        .where(`${TableName.OrgMembership}.orgId`, orgId)
+        .where({ orgId })
         .join(TableName.Users, `${TableName.OrgMembership}.userId`, `${TableName.Users}.id`)
         .leftJoin<TUserEncryptionKeys>(
           TableName.UserEncryptionKey,
@@ -106,7 +104,6 @@ export const orgDALFactory = (db: TDbClient) => {
           db.ref("role").withSchema(TableName.OrgMembership),
           db.ref("roleId").withSchema(TableName.OrgMembership),
           db.ref("status").withSchema(TableName.OrgMembership),
-          db.ref("username").withSchema(TableName.Users),
           db.ref("email").withSchema(TableName.Users),
           db.ref("firstName").withSchema(TableName.Users),
           db.ref("lastName").withSchema(TableName.Users),
@@ -114,7 +111,7 @@ export const orgDALFactory = (db: TDbClient) => {
           db.ref("publicKey").withSchema(TableName.UserEncryptionKey)
         )
         .where({ isGhost: false })
-        .whereIn("username", usernames);
+        .whereIn("email", emails);
       return members.map(({ email, firstName, lastName, userId, publicKey, ...data }) => ({
         ...data,
         user: { email, firstName, lastName, id: userId, publicKey }
@@ -246,13 +243,10 @@ export const orgDALFactory = (db: TDbClient) => {
         .select(
           selectAllTableCols(TableName.OrgMembership),
           db.ref("email").withSchema(TableName.Users),
-          db.ref("username").withSchema(TableName.Users),
           db.ref("firstName").withSchema(TableName.Users),
           db.ref("lastName").withSchema(TableName.Users),
           db.ref("scimEnabled").withSchema(TableName.Organization)
-        )
-        .where({ isGhost: false });
-
+        );
       if (limit) void query.limit(limit);
       if (offset) void query.offset(offset);
       if (sort) {
@@ -272,7 +266,7 @@ export const orgDALFactory = (db: TDbClient) => {
     findOrgById,
     findAllOrgsByUserId,
     ghostUserExists,
-    findOrgMembersByUsername,
+    findOrgMembersByEmail,
     findOrgGhostUser,
     create,
     updateById,

backend/src/services/org/org-role-service.ts

@@ -58,7 +58,7 @@ export const orgRoleServiceFactory = ({ orgRoleDAL, permissionService }: TOrgRol
       { id: roleId, orgId },
       { ...data, permissions: data.permissions ? JSON.stringify(data.permissions) : undefined }
     );
-    if (!updatedRole) throw new BadRequestError({ message: "Role not found", name: "Update role" });
+    if (!updateRole) throw new BadRequestError({ message: "Role not found", name: "Update role" });
     return updatedRole;
   };
 
@@ -66,7 +66,7 @@ export const orgRoleServiceFactory = ({ orgRoleDAL, permissionService }: TOrgRol
     const { permission } = await permissionService.getUserOrgPermission(userId, orgId, actorOrgId);
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Delete, OrgPermissionSubjects.Role);
     const [deletedRole] = await orgRoleDAL.delete({ id: roleId, orgId });
-    if (!deletedRole) throw new BadRequestError({ message: "Role not found", name: "Update role" });
+    if (!deleteRole) throw new BadRequestError({ message: "Role not found", name: "Update role" });
 
     return deletedRole;
   };

backend/src/services/org/org-service.ts

@@ -103,11 +103,11 @@ export const orgServiceFactory = ({
     return members;
   };
 
-  const findOrgMembersByUsername = async ({ actor, actorId, orgId, emails }: TFindOrgMembersByEmailDTO) => {
+  const findOrgMembersByEmail = async ({ actor, actorId, orgId, emails }: TFindOrgMembersByEmailDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId);
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Member);
 
-    const members = await orgDAL.findOrgMembersByUsername(orgId, emails);
+    const members = await orgDAL.findOrgMembersByEmail(orgId, emails);
 
     return members;
   };
@@ -145,7 +145,6 @@ export const orgServiceFactory = ({
       {
         isGhost: true,
         authMethods: [AuthMethod.EMAIL],
-        username: email,
         email,
         isAccepted: true
       },
@@ -240,15 +239,7 @@ export const orgServiceFactory = ({
   /*
    * Create organization
    * */
-  const createOrganization = async ({
-    userId,
-    userEmail,
-    orgName
-  }: {
-    userId: string;
-    orgName: string;
-    userEmail?: string | null;
-  }) => {
+  const createOrganization = async (userId: string, userEmail: string, orgName: string) => {
     const { privateKey, publicKey } = generateAsymmetricKeyPair();
     const key = generateSymmetricKey();
     const {
@@ -376,7 +367,7 @@ export const orgServiceFactory = ({
       });
     }
     const invitee = await orgDAL.transaction(async (tx) => {
-      const inviteeUser = await userDAL.findUserByUsername(inviteeEmail, tx);
+      const inviteeUser = await userDAL.findUserByEmail(inviteeEmail, tx);
       if (inviteeUser) {
         // if user already exist means its already part of infisical
         // Thus the signup flow is not needed anymore
@@ -412,7 +403,6 @@ export const orgServiceFactory = ({
       // not invited before
       const user = await userDAL.create(
         {
-          username: inviteeEmail,
           email: inviteeEmail,
           isAccepted: false,
           authMethods: [AuthMethod.EMAIL],
@@ -447,7 +437,7 @@ export const orgServiceFactory = ({
       recipients: [inviteeEmail],
       substitutions: {
         inviterFirstName: user.firstName,
-        inviterUsername: user.username,
+        inviterEmail: user.email,
         organizationName: org?.name,
         email: inviteeEmail,
         organizationId: org?.id.toString(),
@@ -467,7 +457,7 @@ export const orgServiceFactory = ({
    * magic link and issue a temporary signup token for user to complete setting up their account
    */
   const verifyUserToOrg = async ({ orgId, email, code }: TVerifyUserToOrgDTO) => {
-    const user = await userDAL.findUserByUsername(email);
+    const user = await userDAL.findUserByEmail(email);
     if (!user) {
       throw new BadRequestError({ message: "Invalid request", name: "Verify user to org" });
     }
@@ -605,7 +595,7 @@ export const orgServiceFactory = ({
     inviteUserToOrganization,
     verifyUserToOrg,
     updateOrg,
-    findOrgMembersByUsername,
+    findOrgMembersByEmail,
     createOrganization,
     deleteOrganizationById,
     deleteOrgMembership,

backend/src/services/project-membership/project-membership-dal.ts

@@ -1,7 +1,7 @@
 import { TDbClient } from "@app/db";
 import { TableName, TUserEncryptionKeys } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
-import { ormify, selectAllTableCols, sqlNestRelationships } from "@app/lib/knex";
+import { ormify, selectAllTableCols } from "@app/lib/knex";
 
 export type TProjectMembershipDALFactory = ReturnType<typeof projectMembershipDALFactory>;
 
@@ -11,86 +11,31 @@ export const projectMembershipDALFactory = (db: TDbClient) => {
   // special query
   const findAllProjectMembers = async (projectId: string) => {
     try {
-      const docs = await db(TableName.ProjectMembership)
-        .where({ [`${TableName.ProjectMembership}.projectId` as "projectId"]: projectId })
+      const members = await db(TableName.ProjectMembership)
+        .where({ projectId })
         .join(TableName.Users, `${TableName.ProjectMembership}.userId`, `${TableName.Users}.id`)
         .join<TUserEncryptionKeys>(
           TableName.UserEncryptionKey,
           `${TableName.UserEncryptionKey}.userId`,
           `${TableName.Users}.id`
         )
-        .join(
-          TableName.ProjectUserMembershipRole,
-          `${TableName.ProjectUserMembershipRole}.projectMembershipId`,
-          `${TableName.ProjectMembership}.id`
-        )
-        .leftJoin(
-          TableName.ProjectRoles,
-          `${TableName.ProjectUserMembershipRole}.customRoleId`,
-          `${TableName.ProjectRoles}.id`
-        )
         .select(
           db.ref("id").withSchema(TableName.ProjectMembership),
+          db.ref("projectId").withSchema(TableName.ProjectMembership),
+          db.ref("role").withSchema(TableName.ProjectMembership),
+          db.ref("roleId").withSchema(TableName.ProjectMembership),
           db.ref("isGhost").withSchema(TableName.Users),
-          db.ref("username").withSchema(TableName.Users),
           db.ref("email").withSchema(TableName.Users),
           db.ref("publicKey").withSchema(TableName.UserEncryptionKey),
           db.ref("firstName").withSchema(TableName.Users),
           db.ref("lastName").withSchema(TableName.Users),
-          db.ref("id").withSchema(TableName.Users).as("userId"),
-          db.ref("role").withSchema(TableName.ProjectUserMembershipRole),
-          db.ref("id").withSchema(TableName.ProjectUserMembershipRole).as("membershipRoleId"),
-          db.ref("customRoleId").withSchema(TableName.ProjectUserMembershipRole),
-          db.ref("name").withSchema(TableName.ProjectRoles).as("customRoleName"),
-          db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug"),
-          db.ref("temporaryMode").withSchema(TableName.ProjectUserMembershipRole),
-          db.ref("isTemporary").withSchema(TableName.ProjectUserMembershipRole),
-          db.ref("temporaryRange").withSchema(TableName.ProjectUserMembershipRole),
-          db.ref("temporaryAccessStartTime").withSchema(TableName.ProjectUserMembershipRole),
-          db.ref("temporaryAccessEndTime").withSchema(TableName.ProjectUserMembershipRole)
+          db.ref("id").withSchema(TableName.Users).as("userId")
         )
         .where({ isGhost: false });
-
-      const members = sqlNestRelationships({
-        data: docs,
-        parentMapper: ({ email, firstName, username, lastName, publicKey, isGhost, id, userId }) => ({
-          id,
-          userId,
-          projectId,
-          user: { email, username, firstName, lastName, id: userId, publicKey, isGhost }
-        }),
-        key: "id",
-        childrenMapper: [
-          {
-            label: "roles" as const,
-            key: "membershipRoleId",
-            mapper: ({
-              role,
-              customRoleId,
-              customRoleName,
-              customRoleSlug,
-              membershipRoleId,
-              temporaryRange,
-              temporaryMode,
-              temporaryAccessEndTime,
-              temporaryAccessStartTime,
-              isTemporary
-            }) => ({
-              id: membershipRoleId,
-              role,
-              customRoleId,
-              customRoleName,
-              customRoleSlug,
-              temporaryRange,
-              temporaryMode,
-              temporaryAccessEndTime,
-              temporaryAccessStartTime,
-              isTemporary
-            })
-          }
-        ]
-      });
-      return members;
+      return members.map(({ email, firstName, lastName, publicKey, isGhost, ...data }) => ({
+        ...data,
+        user: { email, firstName, lastName, id: data.userId, publicKey, isGhost }
+      }));
     } catch (error) {
       throw new DatabaseError({ error, name: "Find all project members" });
     }
@@ -111,7 +56,7 @@ export const projectMembershipDALFactory = (db: TDbClient) => {
     }
   };
 
-  const findMembershipsByUsername = async (projectId: string, usernames: string[]) => {
+  const findMembershipsByEmail = async (projectId: string, emails: string[]) => {
     try {
       const members = await db(TableName.ProjectMembership)
         .where({ projectId })
@@ -124,13 +69,13 @@ export const projectMembershipDALFactory = (db: TDbClient) => {
         .select(
           selectAllTableCols(TableName.ProjectMembership),
           db.ref("id").withSchema(TableName.Users).as("userId"),
-          db.ref("username").withSchema(TableName.Users)
+          db.ref("email").withSchema(TableName.Users)
         )
-        .whereIn("username", usernames)
+        .whereIn("email", emails)
         .where({ isGhost: false });
-      return members.map(({ userId, username, ...data }) => ({
+      return members.map(({ userId, email, ...data }) => ({
         ...data,
-        user: { id: userId, username }
+        user: { id: userId, email }
       }));
     } catch (error) {
       throw new DatabaseError({ error, name: "Find members by email" });
@@ -155,7 +100,7 @@ export const projectMembershipDALFactory = (db: TDbClient) => {
     ...projectMemberOrm,
     findAllProjectMembers,
     findProjectGhostUser,
-    findMembershipsByUsername,
+    findMembershipsByEmail,
     findProjectMembershipsByUserId
   };
 };

backend/src/services/project-membership/project-membership-service.ts

@@ -1,13 +1,14 @@
 /* eslint-disable no-await-in-loop */
 import { ForbiddenError } from "@casl/ability";
-import ms from "ms";
 
 import {
+  OrgMembershipStatus,
   ProjectMembershipRole,
   ProjectVersion,
   SecretKeyEncoding,
   TableName,
-  TProjectMemberships
+  TProjectMemberships,
+  TUsers
 } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
@@ -28,25 +29,23 @@ import { SmtpTemplates, TSmtpService } from "../smtp/smtp-service";
 import { TUserDALFactory } from "../user/user-dal";
 import { TProjectMembershipDALFactory } from "./project-membership-dal";
 import {
-  ProjectUserMembershipTemporaryMode,
   TAddUsersToWorkspaceDTO,
   TAddUsersToWorkspaceNonE2EEDTO,
   TDeleteProjectMembershipOldDTO,
   TDeleteProjectMembershipsDTO,
   TGetProjectMembershipDTO,
+  TInviteUserToProjectDTO,
   TUpdateProjectMembershipDTO
 } from "./project-membership-types";
-import { TProjectUserMembershipRoleDALFactory } from "./project-user-membership-role-dal";
 
 type TProjectMembershipServiceFactoryDep = {
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
   smtpService: TSmtpService;
   projectBotDAL: TProjectBotDALFactory;
   projectMembershipDAL: TProjectMembershipDALFactory;
-  projectUserMembershipRoleDAL: Pick<TProjectUserMembershipRoleDALFactory, "insertMany" | "find" | "delete">;
   userDAL: Pick<TUserDALFactory, "findById" | "findOne" | "findUserByProjectMembershipId" | "find">;
-  projectRoleDAL: Pick<TProjectRoleDALFactory, "find">;
-  orgDAL: Pick<TOrgDALFactory, "findMembership" | "findOrgMembersByUsername">;
+  projectRoleDAL: Pick<TProjectRoleDALFactory, "findOne">;
+  orgDAL: Pick<TOrgDALFactory, "findMembership" | "findOrgMembersByEmail">;
   projectDAL: Pick<TProjectDALFactory, "findById" | "findProjectGhostUser" | "transaction">;
   projectKeyDAL: Pick<TProjectKeyDALFactory, "findLatestProjectKey" | "delete" | "insertMany">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
@@ -57,7 +56,6 @@ export type TProjectMembershipServiceFactory = ReturnType<typeof projectMembersh
 export const projectMembershipServiceFactory = ({
   permissionService,
   projectMembershipDAL,
-  projectUserMembershipRoleDAL,
   smtpService,
   projectRoleDAL,
   projectBotDAL,
@@ -74,6 +72,82 @@ export const projectMembershipServiceFactory = ({
     return projectMembershipDAL.findAllProjectMembers(projectId);
   };
 
+  const inviteUserToProject = async ({ actorId, actor, actorOrgId, projectId, emails }: TInviteUserToProjectDTO) => {
+    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Member);
+
+    const invitees: TUsers[] = [];
+
+    const project = await projectDAL.findById(projectId);
+    const users = await userDAL.find({
+      $in: { email: emails }
+    });
+
+    await projectDAL.transaction(async (tx) => {
+      for (const invitee of users) {
+        if (!invitee.isAccepted)
+          throw new BadRequestError({
+            message: "Failed to validate invitee",
+            name: "Invite user to project"
+          });
+
+        const inviteeMembership = await projectMembershipDAL.findOne(
+          {
+            userId: invitee.id,
+            projectId
+          },
+          tx
+        );
+
+        if (inviteeMembership) {
+          throw new BadRequestError({
+            message: "Existing member of project",
+            name: "Invite user to project"
+          });
+        }
+
+        const inviteeMembershipOrg = await orgDAL.findMembership({
+          userId: invitee.id,
+          orgId: project.orgId,
+          status: OrgMembershipStatus.Accepted
+        });
+
+        if (!inviteeMembershipOrg) {
+          throw new BadRequestError({
+            message: "Failed to validate invitee org membership",
+            name: "Invite user to project"
+          });
+        }
+
+        await projectMembershipDAL.create(
+          {
+            userId: invitee.id,
+            projectId,
+            role: ProjectMembershipRole.Member
+          },
+          tx
+        );
+
+        invitees.push(invitee);
+      }
+
+      const appCfg = getConfig();
+      await smtpService.sendMail({
+        template: SmtpTemplates.WorkspaceInvite,
+        subjectLine: "Infisical workspace invitation",
+        recipients: invitees.map((i) => i.email),
+        substitutions: {
+          workspaceName: project.name,
+          callback_url: `${appCfg.SITE_URL}/login`
+        }
+      });
+    });
+
+    const latestKey = await projectKeyDAL.findLatestProjectKey(actorId, projectId);
+
+    return { invitees, latestKey };
+  };
+
   const addUsersToProject = async ({
     projectId,
     actorId,
@@ -102,16 +176,17 @@ export const projectMembershipServiceFactory = ({
     if (existingMembers.length) throw new BadRequestError({ message: "Some users are already part of project" });
 
     await projectMembershipDAL.transaction(async (tx) => {
-      const projectMemberships = await projectMembershipDAL.insertMany(
-        orgMembers.map(({ userId }) => ({
-          projectId,
-          userId: userId as string,
-          role: ProjectMembershipRole.Member
-        })),
-        tx
-      );
-      await projectUserMembershipRoleDAL.insertMany(
-        projectMemberships.map(({ id }) => ({ projectMembershipId: id, role: ProjectMembershipRole.Member })),
+      await projectMembershipDAL.insertMany(
+        orgMembers.map(({ userId, id: membershipId }) => {
+          const role =
+            members.find((i) => i.orgMembershipId === membershipId)?.projectRole || ProjectMembershipRole.Member;
+
+          return {
+            projectId,
+            userId: userId as string,
+            role
+          };
+        }),
         tx
       );
       const encKeyGroupByOrgMembId = groupBy(members, (i) => i.orgMembershipId);
@@ -131,8 +206,8 @@ export const projectMembershipServiceFactory = ({
       const appCfg = getConfig();
       await smtpService.sendMail({
         template: SmtpTemplates.WorkspaceInvite,
-        subjectLine: "Infisical project invitation",
-        recipients: orgMembers.filter((i) => i.email).map((i) => i.email as string),
+        subjectLine: "Infisical workspace invitation",
+        recipients: orgMembers.map(({ email }) => email).filter(Boolean),
         substitutions: {
           workspaceName: project.name,
           callback_url: `${appCfg.SITE_URL}/login`
@@ -147,7 +222,6 @@ export const projectMembershipServiceFactory = ({
     actorId,
     actor,
     emails,
-    usernames,
     sendEmails = true
   }: TAddUsersToWorkspaceNonE2EEDTO) => {
     const project = await projectDAL.findById(projectId);
@@ -160,14 +234,9 @@ export const projectMembershipServiceFactory = ({
     const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId);
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Member);
 
-    const usernamesAndEmails = [...emails, ...usernames];
+    const orgMembers = await orgDAL.findOrgMembersByEmail(project.orgId, emails);
 
-    const orgMembers = await orgDAL.findOrgMembersByUsername(project.orgId, [
-      ...new Set(usernamesAndEmails.map((element) => element.toLowerCase()))
-    ]);
-
-    if (orgMembers.length !== usernamesAndEmails.length)
-      throw new BadRequestError({ message: "Some users are not part of org" });
+    if (orgMembers.length !== emails.length) throw new BadRequestError({ message: "Some users are not part of org" });
 
     if (!orgMembers.length) return [];
 
@@ -221,7 +290,7 @@ export const projectMembershipServiceFactory = ({
     const members: TProjectMemberships[] = [];
 
     await projectMembershipDAL.transaction(async (tx) => {
-      const projectMemberships = await projectMembershipDAL.insertMany(
+      const result = await projectMembershipDAL.insertMany(
         orgMembers.map(({ user }) => ({
           projectId,
           userId: user.id,
@@ -229,12 +298,8 @@ export const projectMembershipServiceFactory = ({
         })),
         tx
       );
-      await projectUserMembershipRoleDAL.insertMany(
-        projectMemberships.map(({ id }) => ({ projectMembershipId: id, role: ProjectMembershipRole.Member })),
-        tx
-      );
 
-      members.push(...projectMemberships);
+      members.push(...result);
 
       const encKeyGroupByOrgMembId = groupBy(newWsMembers, (i) => i.orgMembershipId);
       await projectKeyDAL.insertMany(
@@ -250,21 +315,16 @@ export const projectMembershipServiceFactory = ({
     });
 
     if (sendEmails) {
-      const recipients = orgMembers.filter((i) => i.user.email).map((i) => i.user.email as string);
-
       const appCfg = getConfig();
-
-      if (recipients.length) {
-        await smtpService.sendMail({
-          template: SmtpTemplates.WorkspaceInvite,
-          subjectLine: "Infisical project invitation",
-          recipients: orgMembers.filter((i) => i.user.email).map((i) => i.user.email as string),
-          substitutions: {
-            workspaceName: project.name,
-            callback_url: `${appCfg.SITE_URL}/login`
-          }
-        });
-      }
+      await smtpService.sendMail({
+        template: SmtpTemplates.WorkspaceInvite,
+        subjectLine: "Infisical workspace invitation",
+        recipients: orgMembers.map(({ user }) => user.email).filter(Boolean),
+        substitutions: {
+          workspaceName: project.name,
+          callback_url: `${appCfg.SITE_URL}/login`
+        }
+      });
     }
     return members;
   };
@@ -275,71 +335,43 @@ export const projectMembershipServiceFactory = ({
     actorOrgId,
     projectId,
     membershipId,
-    roles
+    role
   }: TUpdateProjectMembershipDTO) => {
     const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Member);
 
     const membershipUser = await userDAL.findUserByProjectMembershipId(membershipId);
-    if (membershipUser?.isGhost || membershipUser?.projectId !== projectId) {
+
+    if (membershipUser?.isGhost) {
       throw new BadRequestError({
         message: "Unauthorized member update",
         name: "Update project membership"
       });
     }
 
-    // validate custom roles input
-    const customInputRoles = roles.filter(
-      ({ role }) => !Object.values(ProjectMembershipRole).includes(role as ProjectMembershipRole)
-    );
-    const hasCustomRole = Boolean(customInputRoles.length);
-    if (hasCustomRole) {
-      const plan = await licenseService.getPlan(actorOrgId as string);
+    const isCustomRole = !Object.values(ProjectMembershipRole).includes(role as ProjectMembershipRole);
+    if (isCustomRole) {
+      const customRole = await projectRoleDAL.findOne({ slug: role, projectId });
+      if (!customRole) throw new BadRequestError({ name: "Update project membership", message: "Role not found" });
+      const project = await projectDAL.findById(customRole.projectId);
+      const plan = await licenseService.getPlan(project.orgId);
       if (!plan?.rbac)
         throw new BadRequestError({
           message: "Failed to assign custom role due to RBAC restriction. Upgrade plan to assign custom role to member."
         });
+
+      const [membership] = await projectMembershipDAL.update(
+        { id: membershipId, projectId },
+        {
+          role: ProjectMembershipRole.Custom,
+          roleId: customRole.id
+        }
+      );
+      return membership;
     }
 
-    const customRoles = hasCustomRole
-      ? await projectRoleDAL.find({
-          projectId,
-          $in: { slug: customInputRoles.map(({ role }) => role) }
-        })
-      : [];
-    if (customRoles.length !== customInputRoles.length) throw new BadRequestError({ message: "Custom role not found" });
-    const customRolesGroupBySlug = groupBy(customRoles, ({ slug }) => slug);
-
-    const santiziedProjectMembershipRoles = roles.map((inputRole) => {
-      const isCustomRole = Boolean(customRolesGroupBySlug?.[inputRole.role]?.[0]);
-      if (!inputRole.isTemporary) {
-        return {
-          projectMembershipId: membershipId,
-          role: isCustomRole ? ProjectMembershipRole.Custom : inputRole.role,
-          customRoleId: customRolesGroupBySlug[inputRole.role] ? customRolesGroupBySlug[inputRole.role][0].id : null
-        };
-      }
-
-      // check cron or relative here later for now its just relative
-      const relativeTimeInMs = ms(inputRole.temporaryRange);
-      return {
-        projectMembershipId: membershipId,
-        role: isCustomRole ? ProjectMembershipRole.Custom : inputRole.role,
-        customRoleId: customRolesGroupBySlug[inputRole.role] ? customRolesGroupBySlug[inputRole.role][0].id : null,
-        isTemporary: true,
-        temporaryMode: ProjectUserMembershipTemporaryMode.Relative,
-        temporaryRange: inputRole.temporaryRange,
-        temporaryAccessStartTime: new Date(inputRole.temporaryAccessStartTime),
-        temporaryAccessEndTime: new Date(new Date(inputRole.temporaryAccessStartTime).getTime() + relativeTimeInMs)
-      };
-    });
-
-    const updatedRoles = await projectMembershipDAL.transaction(async (tx) => {
-      await projectUserMembershipRoleDAL.delete({ projectMembershipId: membershipId }, tx);
-      return projectUserMembershipRoleDAL.insertMany(santiziedProjectMembershipRoles, tx);
-    });
-
-    return updatedRoles;
+    const [membership] = await projectMembershipDAL.update({ id: membershipId, projectId }, { role, roleId: null });
+    return membership;
   };
 
   // This is old and should be removed later. Its not used anywhere, but it is exposed in our API. So to avoid breaking changes, we are keeping it for now.
@@ -375,8 +407,7 @@ export const projectMembershipServiceFactory = ({
     actor,
     actorOrgId,
     projectId,
-    emails,
-    usernames
+    emails
   }: TDeleteProjectMembershipsDTO) => {
     const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Member);
@@ -390,13 +421,9 @@ export const projectMembershipServiceFactory = ({
       });
     }
 
-    const usernamesAndEmails = [...emails, ...usernames];
+    const projectMembers = await projectMembershipDAL.findMembershipsByEmail(projectId, emails);
 
-    const projectMembers = await projectMembershipDAL.findMembershipsByUsername(projectId, [
-      ...new Set(usernamesAndEmails.map((element) => element.toLowerCase()))
-    ]);
-
-    if (projectMembers.length !== usernamesAndEmails.length) {
+    if (projectMembers.length !== emails.length) {
       throw new BadRequestError({
         message: "Some users are not part of project",
         name: "Delete project membership"
@@ -438,6 +465,7 @@ export const projectMembershipServiceFactory = ({
 
   return {
     getProjectMemberships,
+    inviteUserToProject,
     updateProjectMembership,
     addUsersToProjectNonE2EE,
     deleteProjectMemberships,

backend/src/services/project-membership/project-membership-types.ts

@@ -1,9 +1,7 @@
+import { ProjectMembershipRole } from "@app/db/schemas";
 import { TProjectPermission } from "@app/lib/types";
 
 export type TGetProjectMembershipDTO = TProjectPermission;
-export enum ProjectUserMembershipTemporaryMode {
-  Relative = "relative"
-}
 
 export type TInviteUserToProjectDTO = {
   emails: string[];
@@ -11,19 +9,7 @@ export type TInviteUserToProjectDTO = {
 
 export type TUpdateProjectMembershipDTO = {
   membershipId: string;
-  roles: (
-    | {
-        role: string;
-        isTemporary?: false;
-      }
-    | {
-        role: string;
-        isTemporary: true;
-        temporaryMode: ProjectUserMembershipTemporaryMode.Relative;
-        temporaryRange: string;
-        temporaryAccessStartTime: string;
-      }
-  )[];
+  role: string;
 } & TProjectPermission;
 
 export type TDeleteProjectMembershipOldDTO = {
@@ -32,7 +18,6 @@ export type TDeleteProjectMembershipOldDTO = {
 
 export type TDeleteProjectMembershipsDTO = {
   emails: string[];
-  usernames: string[];
 } & TProjectPermission;
 
 export type TAddUsersToWorkspaceDTO = {
@@ -41,11 +26,11 @@ export type TAddUsersToWorkspaceDTO = {
     orgMembershipId: string;
     workspaceEncryptedKey: string;
     workspaceEncryptedNonce: string;
+    projectRole: ProjectMembershipRole;
   }[];
 } & TProjectPermission;
 
 export type TAddUsersToWorkspaceNonE2EEDTO = {
   sendEmails?: boolean;
   emails: string[];
-  usernames: string[];
 } & TProjectPermission;

backend/src/services/project-membership/project-user-membership-role-dal.ts

@@ -1,10 +0,0 @@
-import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
-
-export type TProjectUserMembershipRoleDALFactory = ReturnType<typeof projectUserMembershipRoleDALFactory>;
-
-export const projectUserMembershipRoleDALFactory = (db: TDbClient) => {
-  const orm = ormify(db, TableName.ProjectUserMembershipRole);
-  return orm;
-};

backend/src/services/project-role/project-role-service.ts

@@ -76,7 +76,7 @@ export const projectRoleServiceFactory = ({ projectRoleDAL, permissionService }:
     const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Role);
     const [deletedRole] = await projectRoleDAL.delete({ id: roleId, projectId });
-    if (!deletedRole) throw new BadRequestError({ message: "Role not found", name: "Update role" });
+    if (!deleteRole) throw new BadRequestError({ message: "Role not found", name: "Update role" });
 
     return deletedRole;
   };
@@ -92,7 +92,7 @@ export const projectRoleServiceFactory = ({ projectRoleDAL, permissionService }:
         name: "Admin",
         slug: ProjectMembershipRole.Admin,
         description: "Complete administration access over the project",
-        permissions: packRules(projectAdminPermissions),
+        permissions: packRules(projectAdminPermissions.rules),
         createdAt: new Date(),
         updatedAt: new Date()
       },
@@ -102,7 +102,7 @@ export const projectRoleServiceFactory = ({ projectRoleDAL, permissionService }:
         name: "Developer",
         slug: ProjectMembershipRole.Member,
         description: "Non-administrative role in an project",
-        permissions: packRules(projectMemberPermissions),
+        permissions: packRules(projectMemberPermissions.rules),
         createdAt: new Date(),
         updatedAt: new Date()
       },
@@ -112,7 +112,7 @@ export const projectRoleServiceFactory = ({ projectRoleDAL, permissionService }:
         name: "Viewer",
         slug: ProjectMembershipRole.Viewer,
         description: "Non-administrative role in an project",
-        permissions: packRules(projectViewerPermission),
+        permissions: packRules(projectViewerPermission.rules),
         createdAt: new Date(),
         updatedAt: new Date()
       },
@@ -122,7 +122,7 @@ export const projectRoleServiceFactory = ({ projectRoleDAL, permissionService }:
         name: "No Access",
         slug: "no-access",
         description: "No access to any resources in the project",
-        permissions: packRules(projectNoAccessPermissions),
+        permissions: packRules(projectNoAccessPermissions.rules),
         createdAt: new Date(),
         updatedAt: new Date()
       },

backend/src/services/project/project-queue.ts

@@ -38,7 +38,6 @@ import { TProjectBotDALFactory } from "../project-bot/project-bot-dal";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TProjectKeyDALFactory } from "../project-key/project-key-dal";
 import { TProjectMembershipDALFactory } from "../project-membership/project-membership-dal";
-import { TProjectUserMembershipRoleDALFactory } from "../project-membership/project-user-membership-role-dal";
 import { TSecretDALFactory } from "../secret/secret-dal";
 import { TSecretVersionDALFactory } from "../secret/secret-version-dal";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
@@ -59,9 +58,9 @@ type TProjectQueueFactoryDep = {
   projectBotDAL: Pick<TProjectBotDALFactory, "findOne" | "delete" | "create">;
   orgService: Pick<TOrgServiceFactory, "addGhostUser">;
   projectMembershipDAL: Pick<TProjectMembershipDALFactory, "create">;
-  projectUserMembershipRoleDAL: Pick<TProjectUserMembershipRoleDALFactory, "create">;
   integrationAuthDAL: TIntegrationAuthDALFactory;
   userDAL: Pick<TUserDALFactory, "findUserEncKeyByUserId">;
+
   projectEnvDAL: Pick<TProjectEnvDALFactory, "find">;
   projectDAL: Pick<TProjectDALFactory, "findOne" | "transaction" | "updateById" | "setProjectUpgradeStatus" | "find">;
   orgDAL: Pick<TOrgDALFactory, "findMembership">;
@@ -82,8 +81,7 @@ export const projectQueueFactory = ({
   orgDAL,
   projectDAL,
   orgService,
-  projectMembershipDAL,
-  projectUserMembershipRoleDAL
+  projectMembershipDAL
 }: TProjectQueueFactoryDep) => {
   const upgradeProject = async (dto: TQueueJobTypes["upgrade-project-to-ghost"]["payload"]) => {
     await queueService.queue(QueueName.UpgradeProjectToGhost, QueueJobs.UpgradeProjectToGhost, dto, {
@@ -229,7 +227,7 @@ export const projectQueueFactory = ({
         );
 
         // Create a membership for the ghost user
-        const projectMembership = await projectMembershipDAL.create(
+        await projectMembershipDAL.create(
           {
             projectId: project.id,
             userId: ghostUser.user.id,
@@ -237,10 +235,6 @@ export const projectQueueFactory = ({
           },
           tx
         );
-        await projectUserMembershipRoleDAL.create(
-          { projectMembershipId: projectMembership.id, role: ProjectMembershipRole.Admin },
-          tx
-        );
 
         // If a bot already exists, delete it
         if (existingBot) {

backend/src/services/project/project-service.ts

@@ -17,13 +17,11 @@ import { TProjectPermission } from "@app/lib/types";
 import { ActorType } from "../auth/auth-type";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityProjectDALFactory } from "../identity-project/identity-project-dal";
-import { TIdentityProjectMembershipRoleDALFactory } from "../identity-project/identity-project-membership-role-dal";
 import { TOrgServiceFactory } from "../org/org-service";
 import { TProjectBotDALFactory } from "../project-bot/project-bot-dal";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TProjectKeyDALFactory } from "../project-key/project-key-dal";
 import { TProjectMembershipDALFactory } from "../project-membership/project-membership-dal";
-import { TProjectUserMembershipRoleDALFactory } from "../project-membership/project-user-membership-role-dal";
 import { TSecretBlindIndexDALFactory } from "../secret-blind-index/secret-blind-index-dal";
 import { ROOT_FOLDER_NAME, TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TUserDALFactory } from "../user/user-dal";
@@ -52,11 +50,9 @@ type TProjectServiceFactoryDep = {
   projectEnvDAL: Pick<TProjectEnvDALFactory, "insertMany" | "find">;
   identityOrgMembershipDAL: TIdentityOrgDALFactory;
   identityProjectDAL: TIdentityProjectDALFactory;
-  identityProjectMembershipRoleDAL: Pick<TIdentityProjectMembershipRoleDALFactory, "create">;
   projectKeyDAL: Pick<TProjectKeyDALFactory, "create" | "findLatestProjectKey" | "delete" | "find" | "insertMany">;
   projectBotDAL: Pick<TProjectBotDALFactory, "create" | "findById" | "delete" | "findOne">;
   projectMembershipDAL: Pick<TProjectMembershipDALFactory, "create" | "findProjectGhostUser" | "findOne">;
-  projectUserMembershipRoleDAL: Pick<TProjectUserMembershipRoleDALFactory, "create">;
   secretBlindIndexDAL: Pick<TSecretBlindIndexDALFactory, "create">;
   permissionService: TPermissionServiceFactory;
   orgService: Pick<TOrgServiceFactory, "addGhostUser">;
@@ -79,9 +75,7 @@ export const projectServiceFactory = ({
   secretBlindIndexDAL,
   projectMembershipDAL,
   projectEnvDAL,
-  licenseService,
-  projectUserMembershipRoleDAL,
-  identityProjectMembershipRoleDAL
+  licenseService
 }: TProjectServiceFactoryDep) => {
   /*
    * Create workspace. Make user the admin
@@ -120,18 +114,14 @@ export const projectServiceFactory = ({
         tx
       );
       // set ghost user as admin of project
-      const projectMembership = await projectMembershipDAL.create(
+      await projectMembershipDAL.create(
         {
           userId: ghostUser.user.id,
-          projectId: project.id,
-          role: ProjectMembershipRole.Admin
+          role: ProjectMembershipRole.Admin,
+          projectId: project.id
         },
         tx
       );
-      await projectUserMembershipRoleDAL.create(
-        { projectMembershipId: projectMembership.id, role: ProjectMembershipRole.Admin },
-        tx
-      );
 
       // generate the blind index for project
       await secretBlindIndexDAL.create(
@@ -223,7 +213,7 @@ export const projectServiceFactory = ({
         });
 
         // Create a membership for the user
-        const userProjectMembership = await projectMembershipDAL.create(
+        await projectMembershipDAL.create(
           {
             projectId: project.id,
             userId: user.id,
@@ -231,10 +221,6 @@ export const projectServiceFactory = ({
           },
           tx
         );
-        await projectUserMembershipRoleDAL.create(
-          { projectMembershipId: userProjectMembership.id, role: projectAdmin.projectRole },
-          tx
-        );
 
         // Create a project key for the user
         await projectKeyDAL.create(
@@ -280,7 +266,7 @@ export const projectServiceFactory = ({
           });
         const isCustomRole = Boolean(customRole);
 
-        const identityProjectMembership = await identityProjectDAL.create(
+        await identityProjectDAL.create(
           {
             identityId: actorId,
             projectId: project.id,
@@ -289,15 +275,6 @@ export const projectServiceFactory = ({
           },
           tx
         );
-
-        await identityProjectMembershipRoleDAL.create(
-          {
-            projectMembershipId: identityProjectMembership.id,
-            role: isCustomRole ? ProjectMembershipRole.Custom : ProjectMembershipRole.Admin,
-            customRoleId: customRole?.id
-          },
-          tx
-        );
       }
 
       return {
@@ -373,11 +350,11 @@ export const projectServiceFactory = ({
   };
 
   const upgradeProject = async ({ projectId, actor, actorId, userPrivateKey }: TUpgradeProjectDTO) => {
-    const { permission, hasRole } = await permissionService.getProjectPermission(actor, actorId, projectId);
+    const { permission, membership } = await permissionService.getProjectPermission(actor, actorId, projectId);
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Project);
 
-    if (!hasRole(ProjectMembershipRole.Admin)) {
+    if (membership?.role !== ProjectMembershipRole.Admin) {
       throw new ForbiddenRequestError({
         message: "User must be admin"
       });