Merge pull request #620 from Infisical/single-rate-limit-store

use mongo rate limit store

.dockerignore

@@ -0,0 +1,2 @@
+backend/node_modules
+frontend/node_modules

.env.example

@@ -1,5 +1,6 @@
 # Keys
 # Required key for platform encryption/decryption ops
+# THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NOT BE USED FOR PRODUCTION
 ENCRYPTION_KEY=6c1fe4e407b8911c104518103505b218
 
 # JWT
@@ -8,6 +9,7 @@ JWT_SIGNUP_SECRET=3679e04ca949f914c03332aaaeba805a
 JWT_REFRESH_SECRET=5f2f3c8f0159068dc2bbb3a652a716ff
 JWT_AUTH_SECRET=4be6ba5602e0fa0ac6ac05c3cd4d247f
 JWT_SERVICE_SECRET=f32f716d70a42c5703f4656015e76200
+JWT_PROVIDER_AUTH_SECRET=f32f716d70a42c5703f4656015e76201
 
 # JWT lifetime
 # Optional lifetimes for JWT tokens expressed in seconds or a string 
@@ -15,6 +17,7 @@ JWT_SERVICE_SECRET=f32f716d70a42c5703f4656015e76200
 JWT_AUTH_LIFETIME=
 JWT_REFRESH_LIFETIME=
 JWT_SIGNUP_LIFETIME=
+JWT_PROVIDER_AUTH_LIFETIME=
 
 # MongoDB
 # Backend will connect to the MongoDB instance at connection string MONGO_URL which can either be a ref
@@ -30,14 +33,12 @@ MONGO_PASSWORD=example
 # Required
 SITE_URL=http://localhost:8080
 
-# Mail/SMTP
-SMTP_HOST= # required
-SMTP_USERNAME= # required
-SMTP_PASSWORD= # required
-SMTP_PORT=587
-SMTP_SECURE=false
-SMTP_FROM_ADDRESS= # required
-SMTP_FROM_NAME=Infisical
+# Mail/SMTP 
+SMTP_HOST=
+SMTP_PORT=
+SMTP_NAME=
+SMTP_USERNAME=
+SMTP_PASSWORD=
 
 # Integration
 # Optional only if integration is used
@@ -66,4 +67,7 @@ STRIPE_WEBHOOK_SECRET=
 STRIPE_PRODUCT_STARTER=
 STRIPE_PRODUCT_TEAM=
 STRIPE_PRODUCT_PRO=
-NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=
+NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=
+
+CLIENT_ID_GOOGLE=
+CLIENT_SECRET_GOOGLE=

.github/pull_request_template.md

@@ -1,6 +1,6 @@
 # Description 📣
 
-*Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.*
+<!-- Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change. -->
 
 ## Type ✨
 
@@ -11,7 +11,7 @@
 
 # Tests 🛠️
 
-*Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration. You may want to add screenshots when relevant and possible*
+<!-- Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration. You may want to add screenshots when relevant and possible -->
 
 ```sh
 # Here's some code block to paste some code snippets

.github/resources/docker-compose.be-test.yml

@@ -13,6 +13,7 @@ services:
       - MONGO_URL=mongodb://test:example@mongo:27017/?authSource=admin
       - MONGO_USERNAME=test
       - MONGO_PASSWORD=example
+      - ENCRYPTION_KEY=a984ecdf82ec779e55dbcc21303a900f
     networks:
       - infisical-test
 

.github/workflows/check-be-pull-request.yml

@@ -13,6 +13,7 @@ jobs:
   check-be-pr:
     name: Check
     runs-on: ubuntu-latest
+    timeout-minutes: 15
 
     steps:
       - name: ☁️ Checkout source
@@ -26,17 +27,17 @@ jobs:
       - name: 📦 Install dependencies
         run: npm ci --only-production
         working-directory: backend
-      - name: 🧪 Run tests
-        run: npm run test:ci
-        working-directory: backend
-      - name: 📁 Upload test results
-        uses: actions/upload-artifact@v3
-        if: always()
-        with:
-          name: be-test-results
-          path: |
-            ./backend/reports
-            ./backend/coverage
+      # - name: 🧪 Run tests
+      #   run: npm run test:ci
+      #   working-directory: backend
+      # - name: 📁 Upload test results
+      #   uses: actions/upload-artifact@v3
+      #   if: always()
+      #   with:
+      #     name: be-test-results
+      #     path: |
+      #       ./backend/reports
+      #       ./backend/coverage
       - name: 🏗️ Run build
         run: npm run build
         working-directory: backend

.github/workflows/check-fe-pull-request.yml

@@ -2,40 +2,35 @@ name: Check Frontend Pull Request
 
 on:
   pull_request:
-    types: [ opened, synchronize ]
+    types: [opened, synchronize]
     paths:
-      - 'frontend/**'
-      - '!frontend/README.md'
-      - '!frontend/.*'
-      - 'frontend/.eslintrc.js'
-
+      - "frontend/**"
+      - "!frontend/README.md"
+      - "!frontend/.*"
+      - "frontend/.eslintrc.js"
 
 jobs:
-
   check-fe-pr:
     name: Check
     runs-on: ubuntu-latest
+    timeout-minutes: 15
 
     steps:
-      -
-        name: ☁️ Checkout source
+      - name: ☁️ Checkout source
         uses: actions/checkout@v3
-      -
-        name: 🔧 Setup Node 16
+      - name: 🔧 Setup Node 16
         uses: actions/setup-node@v3
         with:
-          node-version: '16'
-          cache: 'npm'
+          node-version: "16"
+          cache: "npm"
           cache-dependency-path: frontend/package-lock.json
-      -
-        name: 📦 Install dependencies
+      - name: 📦 Install dependencies
         run: npm ci --only-production --ignore-scripts
         working-directory: frontend
       # -
       #   name: 🧪 Run tests
       #   run: npm run test:ci
       #   working-directory: frontend
-      -
-        name: 🏗️ Run build
+      - name: 🏗️ Run build
         run: npm run build
         working-directory: frontend

.github/workflows/docker-image.yml

@@ -1,14 +1,25 @@
 name: Build, Publish and Deploy to Gamma
-on: [workflow_dispatch]
+on:
+  push:
+    tags:
+      - "infisical/v*.*.*"
 
 jobs:
   backend-image:
     name: Build backend image
     runs-on: ubuntu-latest
-
     steps:
+      - name: Extract version from tag
+        id: extract_version
+        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
       - name: ☁️ Checkout source
         uses: actions/checkout@v3
+      - name: 📦 Install dependencies to test all dependencies
+        run: npm ci --only-production
+        working-directory: backend
+      - name: 🧪 Run tests
+        run: npm run test:ci
+        working-directory: backend
       - name: Save commit hashes for tag
         id: commit
         uses: pr-mpt/actions-commit-hash@v2
@@ -45,15 +56,19 @@ jobs:
           token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
           push: true
           context: backend
-          tags: infisical/backend:${{ steps.commit.outputs.short }}, 
-                infisical/backend:latest
+          tags: |
+            infisical/backend:${{ steps.commit.outputs.short }}
+            infisical/backend:latest
+            infisical/backend:${{ steps.extract_version.outputs.version }}
           platforms: linux/amd64,linux/arm64
 
   frontend-image:
     name: Build frontend image
     runs-on: ubuntu-latest
-
     steps:
+      - name: Extract version from tag
+        id: extract_version
+        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
       - name: ☁️ Checkout source
         uses: actions/checkout@v3
       - name: Save commit hashes for tag
@@ -94,8 +109,10 @@ jobs:
           push: true
           token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
           context: frontend
-          tags: infisical/frontend:${{ steps.commit.outputs.short }}, 
-                infisical/frontend:latest
+          tags: |
+            infisical/frontend:${{ steps.commit.outputs.short }}
+            infisical/frontend:latest
+            infisical/frontend:${{ steps.extract_version.outputs.version }}
           platforms: linux/amd64,linux/arm64
           build-args: |
             POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
@@ -122,7 +139,7 @@ jobs:
           token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
       - name: Save DigitalOcean kubeconfig with short-lived credentials
         run: doctl kubernetes cluster kubeconfig save --expiry-seconds 600 k8s-1-25-4-do-0-nyc1-1670645170179
-      - name: switch to gamma namespace 
+      - name: switch to gamma namespace
         run: kubectl config set-context --current --namespace=gamma
       - name: test kubectl
         run: kubectl get ingress
@@ -135,4 +152,4 @@ jobs:
             exit 1
           else
             echo "Helm upgrade was successful"
-          fi
+          fi

.github/workflows/release-standalone-docker-img.yml

@@ -0,0 +1,68 @@
+name: Release standalone docker image
+on: [workflow_dispatch]
+
+jobs:
+  infisical-standalone:
+    name: Build infisical standalone image
+    runs-on: ubuntu-latest
+    steps:
+      - name: ☁️ Checkout source
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: 📦 Install dependencies to test all dependencies
+        run: npm ci --only-production
+        working-directory: backend
+      - uses: paulhatch/semantic-version@v5.0.2
+        id: version
+        with:
+          # The prefix to use to identify tags
+          tag_prefix: "infisical-standalone/v"
+          # A string which, if present in a git commit, indicates that a change represents a
+          # major (breaking) change, supports regular expressions wrapped with '/'
+          major_pattern: "(MAJOR)"
+          # Same as above except indicating a minor change, supports regular expressions wrapped with '/'
+          minor_pattern: "(MINOR)"
+          # A string to determine the format of the version output
+          version_format: "${major}.${minor}.${patch}-prerelease${increment}"
+          # Optional path to check for changes. If any changes are detected in the path the
+          # 'changed' output will true. Enter multiple paths separated by spaces.
+          change_path: "backend,frontend"
+          # Prevents pre-v1.0.0 version from automatically incrementing the major version.
+          # If enabled, when the major version is 0, major releases will be treated as minor and minor as patch. Note that the version_type output is unchanged.
+          enable_prerelease_mode: true
+      # - name: 🧪 Run tests
+      #   run: npm run test:ci
+      #   working-directory: backend
+      - name: version output
+        run: |
+          echo "Output Value: ${{ steps.version.outputs.major }}"
+          echo "Output Value: ${{ steps.version.outputs.minor }}"
+          echo "Output Value: ${{ steps.version.outputs.patch }}"
+          echo "Output Value: ${{ steps.version.outputs.version }}"
+          echo "Output Value: ${{ steps.version.outputs.version_type }}"
+          echo "Output Value: ${{ steps.version.outputs.increment }}"
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Set up Depot CLI
+        uses: depot/setup-action@v1
+      - name: 📦 Build backend and export to Docker
+        uses: depot/build-push-action@v1
+        with:
+          project: 64mmf0n610
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          push: true
+          context: .
+          tags: |
+            infisical/infisical:latest
+            infisical/infisical:${{ steps.commit.outputs.short }}
+          platforms: linux/amd64,linux/arm64
+          file: Dockerfile.standalone-infisical

.github/workflows/release_build.yml

@@ -4,7 +4,7 @@ on:
   push:
     # run only against tags
     tags:
-      - "v*"
+      - "infisical-cli/v*.*.*"
 
 permissions:
   contents: write
@@ -41,13 +41,15 @@ jobs:
           git clone https://github.com/plentico/osxcross-target.git ../../osxcross/target
       - uses: goreleaser/goreleaser-action@v4
         with:
-          distribution: goreleaser
+          distribution: goreleaser-pro
           version: latest
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
+          POSTHOG_API_KEY_FOR_CLI: ${{ secrets.POSTHOG_API_KEY_FOR_CLI }}
           FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}
           AUR_KEY: ${{ secrets.AUR_KEY }}
+          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
       - uses: actions/setup-python@v4
       - run: pip install --upgrade cloudsmith-cli
       - name: Publish to CloudSmith

.goreleaser.yaml

@@ -11,10 +11,16 @@ before:
     - ./cli/scripts/completions.sh
     - ./cli/scripts/manpages.sh
 
+monorepo:
+  tag_prefix: infisical-cli/
+  dir: cli
+
 builds:
   - id: darwin-build
     binary: infisical
-    ldflags: -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
+    ldflags:
+      - -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
+      - -X github.com/Infisical/infisical-merge/packages/telemetry.POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
     flags:
       - -trimpath
     env:
@@ -32,7 +38,9 @@ builds:
     env:
       - CGO_ENABLED=0
     binary: infisical
-    ldflags: -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
+    ldflags:
+      - -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
+      - -X github.com/Infisical/infisical-merge/packages/telemetry.POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
     flags:
       - -trimpath
     goos:
@@ -61,10 +69,10 @@ archives:
       - goos: windows
         format: zip
     files:
-      - README*
-      - LICENSE*
-      - manpages/*
-      - completions/*
+      - ../README*
+      - ../LICENSE*
+      - ../manpages/*
+      - ../completions/*
 
 release:
   replace_existing_draft: true
@@ -74,14 +82,7 @@ checksum:
   name_template: "checksums.txt"
 
 snapshot:
-  name_template: "{{ incpatch .Version }}-devel"
-
-changelog:
-  sort: asc
-  filters:
-    exclude:
-      - "^docs:"
-      - "^test:"
+  name_template: "{{ .Version }}-devel"
 
 # publishers:
 #   - name: fury.io
@@ -164,7 +165,7 @@ aurs:
       mkdir -p "${pkgdir}/usr/share/zsh/site-functions/"
       mkdir -p "${pkgdir}/usr/share/fish/vendor_completions.d/"
       install -Dm644 "./completions/infisical.bash" "${pkgdir}/usr/share/bash-completion/completions/infisical"
-      install -Dm644 "./completions/infisical.zsh" "${pkgdir}/usr/share/zsh/site-functions/infisical"
+      install -Dm644 "./completions/infisical.zsh" "${pkgdir}/usr/share/zsh/site-functions/_infisical"
       install -Dm644 "./completions/infisical.fish" "${pkgdir}/usr/share/fish/vendor_completions.d/infisical.fish"
       # man pages
       install -Dm644 "./manpages/infisical.1.gz" "${pkgdir}/usr/share/man/man1/infisical.1.gz"

.husky/pre-commit

@@ -3,3 +3,5 @@
 . "$(dirname -- "$0")/_/husky.sh"
 
 npx lint-staged
+
+infisical scan git-changes --staged -v

.infisicalignore

@@ -0,0 +1 @@
+.github/resources/docker-compose.be-test.yml:generic-api-key:16

Dockerfile.standalone-infisical

@@ -0,0 +1,102 @@
+ARG POSTHOG_HOST=https://app.posthog.com
+ARG POSTHOG_API_KEY=posthog-api-key
+
+FROM node:16-alpine AS frontend-dependencies
+
+WORKDIR /app
+
+COPY frontend/package.json frontend/package-lock.json frontend/next.config.js ./
+
+# Install dependencies
+RUN npm ci --only-production --ignore-scripts
+
+# Rebuild the source code only when needed
+FROM node:16-alpine AS frontend-builder
+WORKDIR /app
+
+# Copy dependencies
+COPY --from=frontend-dependencies /app/node_modules ./node_modules
+# Copy all files 
+COPY /frontend .
+
+ENV NODE_ENV production
+ENV NEXT_PUBLIC_ENV production
+ARG POSTHOG_HOST
+ENV NEXT_PUBLIC_POSTHOG_HOST $POSTHOG_HOST
+ARG POSTHOG_API_KEY
+ENV NEXT_PUBLIC_POSTHOG_API_KEY $POSTHOG_API_KEY
+
+# Build
+RUN npm run build
+
+# Production image
+FROM node:16-alpine AS frontend-runner
+WORKDIR /app
+
+RUN addgroup --system --gid 1001 nodejs
+RUN adduser --system --uid 1001 nextjs
+
+RUN mkdir -p /app/.next/cache/images && chown nextjs:nodejs /app/.next/cache/images
+VOLUME /app/.next/cache/images
+
+ARG POSTHOG_API_KEY
+ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
+  BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY
+
+COPY --chown=nextjs:nodejs --chmod=555 frontend/scripts ./scripts
+COPY --from=frontend-builder /app/public ./public
+RUN chown nextjs:nodejs ./public/data
+COPY --from=frontend-builder --chown=nextjs:nodejs /app/.next/standalone ./
+COPY --from=frontend-builder --chown=nextjs:nodejs /app/.next/static ./.next/static
+
+USER nextjs
+
+ENV NEXT_TELEMETRY_DISABLED 1
+
+##
+## BACKEND
+##
+FROM node:16-alpine AS backend-build
+
+WORKDIR /app
+
+COPY backend/package*.json ./
+RUN npm ci --only-production
+
+COPY /backend .
+RUN npm run build
+
+# Production stage
+FROM node:16-alpine AS backend-runner
+
+WORKDIR /app
+
+COPY backend/package*.json ./
+RUN npm ci --only-production
+
+COPY --from=backend-build /app .
+
+# Production stage
+FROM node:16-alpine AS production
+
+WORKDIR / 
+
+# Install PM2
+RUN npm install -g pm2
+# Copy ecosystem.config.js
+COPY ecosystem.config.js .
+
+RUN apk add --no-cache nginx
+
+COPY nginx/default-stand-alone-docker.conf /etc/nginx/nginx.conf
+
+COPY --from=backend-runner /app /backend
+
+COPY --from=frontend-runner /app/ /app/
+
+EXPOSE 80
+ENV HTTPS_ENABLED false 
+
+CMD ["pm2-runtime", "start", "ecosystem.config.js"]
+
+

SECURITY.md

@@ -1,9 +1,13 @@
 # Security Policy
 
-## Supported Versions
+## Supported versions
 
 We always recommend using the latest version of Infisical to ensure you get all security updates.
 
-## Reporting a Vulnerability
+## Reporting vulnerabilities
 
-Please report security vulnerabilities or concerns to team@infisical.com.
+Please do not file GitHub issues or post on our public forum for security vulnerabilities, as they are public!
+
+Infisical takes security issues very seriously. If you have any concerns about Infisical or believe you have uncovered a vulnerability, please get in touch via the e-mail address security@infisical.com. In the message, try to provide a description of the issue and ideally a way of reproducing it. The security team will get back to you as soon as possible.
+
+Note that this security address should be used only for undisclosed vulnerabilities. Please report any security problems to us before disclosing it publicly.

backend/package.json

@@ -1,43 +1,49 @@
 {
   "dependencies": {
-    "@aws-sdk/client-secrets-manager": "^3.267.0",
-    "@godaddy/terminus": "^4.11.2",
+    "@aws-sdk/client-secrets-manager": "^3.319.0",
+    "@godaddy/terminus": "^4.12.0",
     "@octokit/rest": "^19.0.5",
-    "@sentry/node": "^7.14.0",
-    "@sentry/tracing": "^7.19.0",
+    "@sentry/node": "^7.49.0",
+    "@sentry/tracing": "^7.48.0",
     "@types/crypto-js": "^4.1.1",
     "@types/libsodium-wrappers": "^0.7.10",
+    "argon2": "^0.30.3",
     "await-to-js": "^3.0.0",
-    "aws-sdk": "^2.1311.0",
-    "axios": "^1.1.3",
+    "aws-sdk": "^2.1364.0",
+    "axios": "^1.3.5",
     "axios-retry": "^3.4.0",
     "bcrypt": "^5.1.0",
-    "bigint-conversion": "^2.2.2",
+    "bigint-conversion": "^2.4.0",
     "builder-pattern": "^2.2.0",
     "cookie-parser": "^1.4.6",
     "cors": "^2.8.5",
     "crypto-js": "^4.1.1",
     "dotenv": "^16.0.1",
     "express": "^4.18.1",
+    "express-async-errors": "^3.1.1",
     "express-rate-limit": "^6.7.0",
     "express-validator": "^6.14.2",
     "handlebars": "^4.7.7",
     "helmet": "^5.1.1",
-    "infisical-node": "^1.0.37",
+    "infisical-node": "^1.2.1",
     "js-yaml": "^4.1.0",
     "jsonwebtoken": "^9.0.0",
     "jsrp": "^0.2.4",
     "libsodium-wrappers": "^0.7.10",
     "lodash": "^4.17.21",
-    "mongoose": "^6.7.2",
+    "mongoose": "^6.10.5",
+    "node-cache": "^5.1.2",
     "nodemailer": "^6.8.0",
-    "posthog-node": "^2.2.2",
+    "passport": "^0.6.0",
+    "passport-google-oauth20": "^2.0.0",
+    "posthog-node": "^2.6.0",
     "query-string": "^7.1.3",
+    "rate-limit-mongo": "^2.3.2",
     "request-ip": "^3.3.0",
     "rimraf": "^3.0.2",
     "stripe": "^10.7.0",
     "swagger-autogen": "^2.22.0",
-    "swagger-ui-express": "^4.6.0",
+    "swagger-ui-express": "^4.6.2",
     "tweetnacl": "^1.0.3",
     "tweetnacl-util": "^0.15.1",
     "typescript": "^4.9.3",
@@ -57,7 +63,7 @@
     "lint-and-fix": "eslint . --ext .ts --fix",
     "lint-staged": "lint-staged",
     "pretest": "docker compose -f test-resources/docker-compose.test.yml up -d",
-    "test": "cross-env NODE_ENV=test jest --testTimeout=10000 --detectOpenHandles",
+    "test": "cross-env NODE_ENV=test jest --verbose --testTimeout=10000 --detectOpenHandles; npm run posttest",
     "test:ci": "npm test -- --watchAll=false --ci --reporters=default --reporters=jest-junit --reporters=github-actions --coverage --testLocationInResults --json --outputFile=coverage/report.json",
     "posttest": "docker compose -f test-resources/docker-compose.test.yml down"
   },
@@ -80,11 +86,12 @@
     "@types/cookie-parser": "^1.4.3",
     "@types/cors": "^2.8.12",
     "@types/express": "^4.17.14",
-    "@types/jest": "^29.2.4",
+    "@types/jest": "^29.5.0",
     "@types/jsonwebtoken": "^8.5.9",
     "@types/lodash": "^4.14.191",
     "@types/node": "^18.11.3",
     "@types/nodemailer": "^6.4.6",
+    "@types/passport": "^1.0.12",
     "@types/supertest": "^2.0.12",
     "@types/swagger-jsdoc": "^6.0.1",
     "@types/swagger-ui-express": "^4.1.3",

backend/spec.json

@@ -1532,7 +1532,15 @@
     "/api/v1/invite-org/signup": {
       "post": {
         "description": "",
-        "parameters": [],
+        "parameters": [
+          {
+            "name": "host",
+            "in": "header",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
         "responses": {
           "200": {
             "description": "OK"
@@ -2071,6 +2079,15 @@
                   "targetEnvironment": {
                     "example": "any"
                   },
+                  "targetEnvironmentId": {
+                    "example": "any"
+                  },
+                  "targetService": {
+                    "example": "any"
+                  },
+                  "targetServiceId": {
+                    "example": "any"
+                  },
                   "owner": {
                     "example": "any"
                   },
@@ -2297,6 +2314,13 @@
             "schema": {
               "type": "string"
             }
+          },
+          {
+            "name": "teamId",
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
           }
         ],
         "responses": {
@@ -2309,6 +2333,107 @@
         }
       }
     },
+    "/api/v1/integration-auth/{integrationAuthId}/teams": {
+      "get": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "integrationAuthId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
+    "/api/v1/integration-auth/{integrationAuthId}/vercel/branches": {
+      "get": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "integrationAuthId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "appId",
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
+    "/api/v1/integration-auth/{integrationAuthId}/railway/environments": {
+      "get": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "integrationAuthId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "appId",
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
+    "/api/v1/integration-auth/{integrationAuthId}/railway/services": {
+      "get": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "integrationAuthId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "appId",
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
     "/api/v2/signup/complete-account/signup": {
       "post": {
         "description": "",
@@ -2870,9 +2995,6 @@
                 }
               }
             }
-          },
-          "400": {
-            "description": "Bad Request"
           }
         },
         "security": [
@@ -2882,6 +3004,26 @@
         ]
       }
     },
+    "/api/v2/organizations/{organizationId}/service-accounts": {
+      "get": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "organizationId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
     "/api/v2/workspace/{workspaceId}/environments": {
       "post": {
         "description": "",
@@ -4018,9 +4160,6 @@
         "responses": {
           "200": {
             "description": "OK"
-          },
-          "400": {
-            "description": "Bad Request"
           }
         },
         "requestBody": {
@@ -4073,6 +4212,138 @@
             }
           }
         ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
+    "/api/v2/service-accounts/me": {
+      "get": {
+        "description": "",
+        "parameters": [],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
+    "/api/v2/service-accounts/{serviceAccountId}": {
+      "get": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "serviceAccountId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      },
+      "delete": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "serviceAccountId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
+    "/api/v2/service-accounts/": {
+      "post": {
+        "description": "",
+        "parameters": [],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
+    "/api/v2/service-accounts/{serviceAccountId}/name": {
+      "patch": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "serviceAccountId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        },
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "type": "object",
+                "properties": {
+                  "name": {
+                    "example": "any"
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    },
+    "/api/v2/service-accounts/{serviceAccountId}/permissions/workspace": {
+      "get": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "serviceAccountId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      },
+      "post": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "serviceAccountId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
         "responses": {
           "200": {
             "description": "OK"
@@ -4080,6 +4351,90 @@
           "400": {
             "description": "Bad Request"
           }
+        },
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "type": "object",
+                "properties": {
+                  "environment": {
+                    "example": "any"
+                  },
+                  "workspaceId": {
+                    "example": "any"
+                  },
+                  "read": {
+                    "example": "any"
+                  },
+                  "write": {
+                    "example": "any"
+                  },
+                  "encryptedKey": {
+                    "example": "any"
+                  },
+                  "nonce": {
+                    "example": "any"
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    },
+    "/api/v2/service-accounts/{serviceAccountId}/permissions/workspace/{serviceAccountWorkspacePermissionId}": {
+      "delete": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "serviceAccountId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "serviceAccountWorkspacePermissionId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
+    "/api/v2/service-accounts/{serviceAccountId}/keys": {
+      "get": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "serviceAccountId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "workspaceId",
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
         }
       }
     },
@@ -4149,6 +4504,297 @@
         }
       }
     },
+    "/api/v3/secrets/": {
+      "get": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "workspaceId",
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "environment",
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
+    "/api/v3/secrets/{secretName}": {
+      "post": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "secretName",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        },
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "type": "object",
+                "properties": {
+                  "workspaceId": {
+                    "example": "any"
+                  },
+                  "environment": {
+                    "example": "any"
+                  },
+                  "type": {
+                    "example": "any"
+                  },
+                  "secretKeyCiphertext": {
+                    "example": "any"
+                  },
+                  "secretKeyIV": {
+                    "example": "any"
+                  },
+                  "secretKeyTag": {
+                    "example": "any"
+                  },
+                  "secretValueCiphertext": {
+                    "example": "any"
+                  },
+                  "secretValueIV": {
+                    "example": "any"
+                  },
+                  "secretValueTag": {
+                    "example": "any"
+                  },
+                  "secretCommentCiphertext": {
+                    "example": "any"
+                  },
+                  "secretCommentIV": {
+                    "example": "any"
+                  },
+                  "secretCommentTag": {
+                    "example": "any"
+                  }
+                }
+              }
+            }
+          }
+        }
+      },
+      "get": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "secretName",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "workspaceId",
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "environment",
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "type",
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      },
+      "patch": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "secretName",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        },
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "type": "object",
+                "properties": {
+                  "workspaceId": {
+                    "example": "any"
+                  },
+                  "environment": {
+                    "example": "any"
+                  },
+                  "type": {
+                    "example": "any"
+                  },
+                  "secretValueCiphertext": {
+                    "example": "any"
+                  },
+                  "secretValueIV": {
+                    "example": "any"
+                  },
+                  "secretValueTag": {
+                    "example": "any"
+                  }
+                }
+              }
+            }
+          }
+        }
+      },
+      "delete": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "secretName",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        },
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "type": "object",
+                "properties": {
+                  "workspaceId": {
+                    "example": "any"
+                  },
+                  "environment": {
+                    "example": "any"
+                  },
+                  "type": {
+                    "example": "any"
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    },
+    "/api/v3/workspaces/{workspaceId}/secrets/blind-index-status": {
+      "get": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "workspaceId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
+    "/api/v3/workspaces/{workspaceId}/secrets": {
+      "get": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "workspaceId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
+    "/api/v3/workspaces/{workspaceId}/secrets/names": {
+      "post": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "workspaceId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        },
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "type": "object",
+                "properties": {
+                  "secretsToUpdate": {
+                    "example": "any"
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    },
     "/api/status": {
       "get": {
         "description": "",

backend/src/config/index.ts

@@ -1,51 +1,93 @@
-import infisical from 'infisical-node';
-export const getPort = () => infisical.get('PORT')! || 4000;
-export const getInviteOnlySignup = () => infisical.get('INVITE_ONLY_SIGNUP')! == undefined ? false : infisical.get('INVITE_ONLY_SIGNUP');
-export const getEncryptionKey = () => infisical.get('ENCRYPTION_KEY')!;
-export const getSaltRounds = () => parseInt(infisical.get('SALT_ROUNDS')!) || 10;
-export const getJwtAuthLifetime = () => infisical.get('JWT_AUTH_LIFETIME')! || '10d';
-export const getJwtAuthSecret = () => infisical.get('JWT_AUTH_SECRET')!;
-export const getJwtMfaLifetime = () => infisical.get('JWT_MFA_LIFETIME')! || '5m';
-export const getJwtMfaSecret = () => infisical.get('JWT_MFA_LIFETIME')! || '5m';
-export const getJwtRefreshLifetime = () => infisical.get('JWT_REFRESH_LIFETIME')! || '90d';
-export const getJwtRefreshSecret = () => infisical.get('JWT_REFRESH_SECRET')!;
-export const getJwtServiceSecret = () => infisical.get('JWT_SERVICE_SECRET')!;
-export const getJwtSignupLifetime = () => infisical.get('JWT_SIGNUP_LIFETIME')! || '15m';
-export const getJwtSignupSecret = () => infisical.get('JWT_SIGNUP_SECRET')!;
-export const getMongoURL = () => infisical.get('MONGO_URL')!;
-export const getNodeEnv = () => infisical.get('NODE_ENV')!;
-export const getVerboseErrorOutput = () => infisical.get('VERBOSE_ERROR_OUTPUT')! === 'true' && true;
-export const getLokiHost = () => infisical.get('LOKI_HOST')!;
-export const getClientIdAzure = () => infisical.get('CLIENT_ID_AZURE')!;
-export const getClientIdHeroku = () => infisical.get('CLIENT_ID_HEROKU')!;
-export const getClientIdVercel = () => infisical.get('CLIENT_ID_VERCEL')!;
-export const getClientIdNetlify = () => infisical.get('CLIENT_ID_NETLIFY')!;
-export const getClientIdGitHub = () => infisical.get('CLIENT_ID_GITHUB')!;
-export const getClientIdGitLab = () => infisical.get('CLIENT_ID_GITLAB')!;
-export const getClientSecretAzure = () => infisical.get('CLIENT_SECRET_AZURE')!;
-export const getClientSecretHeroku = () => infisical.get('CLIENT_SECRET_HEROKU')!;
-export const getClientSecretVercel = () => infisical.get('CLIENT_SECRET_VERCEL')!;
-export const getClientSecretNetlify = () => infisical.get('CLIENT_SECRET_NETLIFY')!;
-export const getClientSecretGitHub = () => infisical.get('CLIENT_SECRET_GITHUB')!;
-export const getClientSecretGitLab = () => infisical.get('CLIENT_SECRET_GITLAB')!;
-export const getClientSlugVercel = () => infisical.get('CLIENT_SLUG_VERCEL')!;
-export const getPostHogHost = () => infisical.get('POSTHOG_HOST')! || 'https://app.posthog.com';
-export const getPostHogProjectApiKey = () => infisical.get('POSTHOG_PROJECT_API_KEY')! || 'phc_nSin8j5q2zdhpFDI1ETmFNUIuTG4DwKVyIigrY10XiE';
-export const getSentryDSN = () => infisical.get('SENTRY_DSN')!;
-export const getSiteURL = () => infisical.get('SITE_URL')!;
-export const getSmtpHost = () => infisical.get('SMTP_HOST')!;
-export const getSmtpSecure = () => infisical.get('SMTP_SECURE')! === 'true' || false;
-export const getSmtpPort = () => parseInt(infisical.get('SMTP_PORT')!) || 587;
-export const getSmtpUsername = () => infisical.get('SMTP_USERNAME')!;
-export const getSmtpPassword = () => infisical.get('SMTP_PASSWORD')!;
-export const getSmtpFromAddress = () => infisical.get('SMTP_FROM_ADDRESS')!;
-export const getSmtpFromName = () => infisical.get('SMTP_FROM_NAME')! || 'Infisical';
-export const getStripeProductStarter = () => infisical.get('STRIPE_PRODUCT_STARTER')!;
-export const getStripeProductPro = () => infisical.get('STRIPE_PRODUCT_PRO')!;
-export const getStripeProductTeam = () => infisical.get('STRIPE_PRODUCT_TEAM')!;
-export const getStripePublishableKey = () => infisical.get('STRIPE_PUBLISHABLE_KEY')!;
-export const getStripeSecretKey = () => infisical.get('STRIPE_SECRET_KEY')!;
-export const getStripeWebhookSecret = () => infisical.get('STRIPE_WEBHOOK_SECRET')!;
-export const getTelemetryEnabled = () => infisical.get('TELEMETRY_ENABLED')! !== 'false' && true;
-export const getLoopsApiKey = () => infisical.get('LOOPS_API_KEY')!;
-export const getSmtpConfigured = () => infisical.get('SMTP_HOST') == '' || infisical.get('SMTP_HOST') == undefined ? false : true
+import InfisicalClient from 'infisical-node';
+
+export const client = new InfisicalClient({
+  token: process.env.INFISICAL_TOKEN!
+});
+
+export const getPort = async () => (await client.getSecret('PORT')).secretValue || 4000;
+export const getEncryptionKey = async () => {
+  const secretValue = (await client.getSecret('ENCRYPTION_KEY')).secretValue;
+  return secretValue === '' ? undefined : secretValue;
+}
+export const getRootEncryptionKey = async () => {
+  const secretValue = (await client.getSecret('ROOT_ENCRYPTION_KEY')).secretValue; 
+  return secretValue === '' ? undefined : secretValue;
+}
+export const getInviteOnlySignup = async () => (await client.getSecret('INVITE_ONLY_SIGNUP')).secretValue === 'true'
+export const getSaltRounds = async () => parseInt((await client.getSecret('SALT_ROUNDS')).secretValue) || 10;
+export const getJwtAuthLifetime = async () => (await client.getSecret('JWT_AUTH_LIFETIME')).secretValue || '10d';
+export const getJwtAuthSecret = async () => (await client.getSecret('JWT_AUTH_SECRET')).secretValue;
+export const getJwtMfaLifetime = async () => (await client.getSecret('JWT_MFA_LIFETIME')).secretValue || '5m';
+export const getJwtMfaSecret = async () => (await client.getSecret('JWT_MFA_LIFETIME')).secretValue || '5m';
+export const getJwtRefreshLifetime = async () => (await client.getSecret('JWT_REFRESH_LIFETIME')).secretValue || '90d';
+export const getJwtRefreshSecret = async () => (await client.getSecret('JWT_REFRESH_SECRET')).secretValue;
+export const getJwtServiceSecret = async () => (await client.getSecret('JWT_SERVICE_SECRET')).secretValue;
+export const getJwtSignupLifetime = async () => (await client.getSecret('JWT_SIGNUP_LIFETIME')).secretValue || '15m';
+export const getJwtProviderAuthSecret = async () => (await client.getSecret('JWT_PROVIDER_AUTH_SECRET')).secretValue;
+export const getJwtProviderAuthLifetime = async () => (await client.getSecret('JWT_PROVIDER_AUTH_LIFETIME')).secretValue || '15m';
+export const getJwtSignupSecret = async () => (await client.getSecret('JWT_SIGNUP_SECRET')).secretValue;
+export const getMongoURL = async () => (await client.getSecret('MONGO_URL')).secretValue;
+export const getNodeEnv = async () => (await client.getSecret('NODE_ENV')).secretValue || 'production';
+export const getVerboseErrorOutput = async () => (await client.getSecret('VERBOSE_ERROR_OUTPUT')).secretValue === 'true' && true;
+export const getLokiHost = async () => (await client.getSecret('LOKI_HOST')).secretValue;
+export const getClientIdAzure = async () => (await client.getSecret('CLIENT_ID_AZURE')).secretValue;
+export const getClientIdHeroku = async () => (await client.getSecret('CLIENT_ID_HEROKU')).secretValue;
+export const getClientIdVercel = async () => (await client.getSecret('CLIENT_ID_VERCEL')).secretValue;
+export const getClientIdNetlify = async () => (await client.getSecret('CLIENT_ID_NETLIFY')).secretValue;
+export const getClientIdGitHub = async () => (await client.getSecret('CLIENT_ID_GITHUB')).secretValue;
+export const getClientIdGitLab = async () => (await client.getSecret('CLIENT_ID_GITLAB')).secretValue;
+export const getClientIdGoogle = async () => (await client.getSecret('CLIENT_ID_GOOGLE')).secretValue;
+export const getClientSecretAzure = async () => (await client.getSecret('CLIENT_SECRET_AZURE')).secretValue;
+export const getClientSecretHeroku = async () => (await client.getSecret('CLIENT_SECRET_HEROKU')).secretValue;
+export const getClientSecretVercel = async () => (await client.getSecret('CLIENT_SECRET_VERCEL')).secretValue;
+export const getClientSecretNetlify = async () => (await client.getSecret('CLIENT_SECRET_NETLIFY')).secretValue;
+export const getClientSecretGitHub = async () => (await client.getSecret('CLIENT_SECRET_GITHUB')).secretValue;
+export const getClientSecretGitLab = async () => (await client.getSecret('CLIENT_SECRET_GITLAB')).secretValue;
+export const getClientSecretGoogle = async () => (await client.getSecret('CLIENT_SECRET_GOOGLE')).secretValue;
+export const getClientSlugVercel = async () => (await client.getSecret('CLIENT_SLUG_VERCEL')).secretValue;
+export const getPostHogHost = async () => (await client.getSecret('POSTHOG_HOST')).secretValue || 'https://app.posthog.com';
+export const getPostHogProjectApiKey = async () => (await client.getSecret('POSTHOG_PROJECT_API_KEY')).secretValue || 'phc_nSin8j5q2zdhpFDI1ETmFNUIuTG4DwKVyIigrY10XiE';
+export const getSentryDSN = async () => (await client.getSecret('SENTRY_DSN')).secretValue;
+export const getSiteURL = async () => (await client.getSecret('SITE_URL')).secretValue;
+export const getSmtpHost = async () => (await client.getSecret('SMTP_HOST')).secretValue;
+export const getSmtpSecure = async () => (await client.getSecret('SMTP_SECURE')).secretValue === 'true' || false;
+export const getSmtpPort = async () => parseInt((await client.getSecret('SMTP_PORT')).secretValue) || 587;
+export const getSmtpUsername = async () => (await client.getSecret('SMTP_USERNAME')).secretValue;
+export const getSmtpPassword = async () => (await client.getSecret('SMTP_PASSWORD')).secretValue;
+export const getSmtpFromAddress = async () => (await client.getSecret('SMTP_FROM_ADDRESS')).secretValue;
+export const getSmtpFromName = async () => (await client.getSecret('SMTP_FROM_NAME')).secretValue || 'Infisical';
+
+export const getLicenseKey = async () => {
+  const secretValue = (await client.getSecret('LICENSE_KEY')).secretValue;
+  return secretValue === '' ? undefined : secretValue;
+}
+export const getLicenseServerKey = async () => {
+  const secretValue = (await client.getSecret('LICENSE_SERVER_KEY')).secretValue;
+  return secretValue === '' ? undefined : secretValue;
+}
+export const getLicenseServerUrl = async () => (await client.getSecret('LICENSE_SERVER_URL')).secretValue || 'https://portal.infisical.com';
+
+// TODO: deprecate from here
+export const getStripeProductStarter = async () => (await client.getSecret('STRIPE_PRODUCT_STARTER')).secretValue;
+export const getStripeProductPro = async () => (await client.getSecret('STRIPE_PRODUCT_PRO')).secretValue;
+export const getStripeProductTeam = async () => (await client.getSecret('STRIPE_PRODUCT_TEAM')).secretValue;
+export const getStripePublishableKey = async () => (await client.getSecret('STRIPE_PUBLISHABLE_KEY')).secretValue;
+export const getStripeSecretKey = async () => (await client.getSecret('STRIPE_SECRET_KEY')).secretValue;
+export const getStripeWebhookSecret = async () => (await client.getSecret('STRIPE_WEBHOOK_SECRET')).secretValue;
+
+export const getTelemetryEnabled = async () => (await client.getSecret('TELEMETRY_ENABLED')).secretValue !== 'false' && true;
+export const getLoopsApiKey = async () => (await client.getSecret('LOOPS_API_KEY')).secretValue;
+export const getSmtpConfigured = async () => (await client.getSecret('SMTP_HOST')).secretValue == '' || (await client.getSecret('SMTP_HOST')).secretValue == undefined ? false : true
+export const getHttpsEnabled = async () => {
+  if ((await getNodeEnv()) != "production") {
+    // no https for anything other than prod
+    return false
+  }
+
+  if ((await client.getSecret('HTTPS_ENABLED')).secretValue == undefined || (await client.getSecret('HTTPS_ENABLED')).secretValue == "") {
+    // default when no value present
+    return true
+  }
+
+  return (await client.getSecret('HTTPS_ENABLED')).secretValue === 'true' && true
+}

backend/src/config/request.ts

@@ -1,10 +1,24 @@
 import axios from 'axios';
 import axiosRetry from 'axios-retry';
+import {
+  getLicenseServerKeyAuthToken,
+  setLicenseServerKeyAuthToken,
+  getLicenseKeyAuthToken,
+  setLicenseKeyAuthToken
+} from './storage';
+import {
+  getLicenseKey,
+  getLicenseServerKey, 
+  getLicenseServerUrl
+} from './index';
 
-const axiosInstance = axios.create();
+// should have JWT to interact with the license server
+export const licenseServerKeyRequest = axios.create();
+export const licenseKeyRequest = axios.create();
+export const standardRequest = axios.create();
 
 // add retry functionality to the axios instance
-axiosRetry(axiosInstance, {
+axiosRetry(standardRequest, {
   retries: 3,
   retryDelay: axiosRetry.exponentialDelay, // exponential back-off delay between retries
   retryCondition: (error) => {
@@ -13,4 +27,98 @@ axiosRetry(axiosInstance, {
   },
 });
 
-export default axiosInstance;
+export const refreshLicenseServerKeyToken = async () => {
+  const licenseServerKey = await getLicenseServerKey();
+  const licenseServerUrl = await getLicenseServerUrl();
+
+  const { data: { token } } = await standardRequest.post(
+    `${licenseServerUrl}/api/auth/v1/license-server-login`, {},
+    {
+      headers: {
+        'X-API-KEY': licenseServerKey
+      }
+    }
+  );
+
+  setLicenseServerKeyAuthToken(token);
+
+  return token;
+}
+
+export const refreshLicenseKeyToken = async () => {
+  const licenseKey = await getLicenseKey();
+  const licenseServerUrl = await getLicenseServerUrl();
+
+  const { data: { token } } = await standardRequest.post(
+    `${licenseServerUrl}/api/auth/v1/license-login`, {},
+    {
+      headers: {
+        'X-API-KEY': licenseKey
+      }
+    }
+  );
+
+  setLicenseKeyAuthToken(token);
+
+  return token;
+}
+
+licenseServerKeyRequest.interceptors.request.use((config) => {
+  const token = getLicenseServerKeyAuthToken();
+
+  if (token && config.headers) {
+      // eslint-disable-next-line no-param-reassign
+      config.headers.Authorization = `Bearer ${token}`;
+  }
+  return config;
+}, (err) => {
+  return Promise.reject(err);
+});
+
+licenseServerKeyRequest.interceptors.response.use((response) => {
+  return response
+}, async function (err) {
+  const originalRequest = err.config;
+  
+  if (err.response.status === 401 && !originalRequest._retry) {
+    originalRequest._retry = true;
+    
+    // refresh
+    const token = await refreshLicenseServerKeyToken();            
+    
+    axios.defaults.headers.common['Authorization'] = 'Bearer ' + token;
+    return licenseServerKeyRequest(originalRequest);
+  }
+
+  return Promise.reject(err);
+});
+
+licenseKeyRequest.interceptors.request.use((config) => {
+  const token = getLicenseKeyAuthToken();
+
+  if (token && config.headers) {
+      // eslint-disable-next-line no-param-reassign
+      config.headers.Authorization = `Bearer ${token}`;
+  }
+  return config;
+}, (err) => {
+  return Promise.reject(err);
+});
+
+licenseKeyRequest.interceptors.response.use((response) => {
+  return response
+}, async function (err) {
+  const originalRequest = err.config;
+  
+  if (err.response.status === 401 && !originalRequest._retry) {
+    originalRequest._retry = true;
+    
+    // refresh
+    const token = await refreshLicenseKeyToken();            
+    
+    axios.defaults.headers.common['Authorization'] = 'Bearer ' + token;
+    return licenseKeyRequest(originalRequest);
+  }
+
+  return Promise.reject(err);
+});

backend/src/config/storage.ts

@@ -0,0 +1,30 @@
+const MemoryLicenseServerKeyTokenStorage = () => {
+    let authToken: string;
+  
+    return {
+      setToken: (token: string) => {
+        authToken = token;
+      },
+      getToken: () => authToken
+    };
+};
+
+const MemoryLicenseKeyTokenStorage = () => {
+    let authToken: string;
+  
+    return {
+      setToken: (token: string) => {
+        authToken = token;
+      },
+      getToken: () => authToken
+    };
+};
+
+const licenseServerTokenStorage = MemoryLicenseServerKeyTokenStorage();
+const licenseTokenStorage = MemoryLicenseKeyTokenStorage();
+
+export const getLicenseServerKeyAuthToken = licenseServerTokenStorage.getToken;
+export const setLicenseServerKeyAuthToken = licenseServerTokenStorage.setToken;
+
+export const getLicenseKeyAuthToken = licenseTokenStorage.getToken;
+export const setLicenseKeyAuthToken = licenseTokenStorage.setToken;

backend/src/controllers/v1/authController.ts

@@ -15,10 +15,10 @@ import { BadRequestError } from '../../utils/errors';
 import { EELogService } from '../../ee/services';
 import { getChannelFromUserAgent } from '../../utils/posthog'; // TODO: move this
 import {
-  getNodeEnv,
   getJwtRefreshSecret,
   getJwtAuthLifetime,
-  getJwtAuthSecret
+  getJwtAuthSecret,
+  getHttpsEnabled
 } from '../../config';
 
 declare module 'jsonwebtoken' {
@@ -126,21 +126,21 @@ export const login2 = async (req: Request, res: Response) => {
             httpOnly: true,
             path: '/',
             sameSite: 'strict',
-            secure: getNodeEnv() === 'production' ? true : false
+            secure: await getHttpsEnabled()
           });
 
           const loginAction = await EELogService.createAction({
             name: ACTION_LOGIN,
             userId: user._id
           });
-          
+
           loginAction && await EELogService.createLog({
             userId: user._id,
             actions: [loginAction],
             channel: getChannelFromUserAgent(req.headers['user-agent']),
             ipAddress: req.ip
           });
-          
+
           // return (access) token in response
           return res.status(200).send({
             token: tokens.token,
@@ -182,14 +182,14 @@ export const logout = async (req: Request, res: Response) => {
       httpOnly: true,
       path: '/',
       sameSite: 'strict',
-      secure: getNodeEnv() === 'production' ? true : false
+      secure: (await getHttpsEnabled()) as boolean
     });
 
     const logoutAction = await EELogService.createAction({
       name: ACTION_LOGOUT,
       userId: req.user._id
     });
-    
+
     logoutAction && await EELogService.createLog({
       userId: req.user._id,
       actions: [logoutAction],
@@ -237,7 +237,7 @@ export const getNewToken = async (req: Request, res: Response) => {
     }
 
     const decodedToken = <jwt.UserIDJwtPayload>(
-      jwt.verify(refreshToken, getJwtRefreshSecret())
+      jwt.verify(refreshToken, await getJwtRefreshSecret())
     );
 
     const user = await User.findOne({
@@ -252,8 +252,8 @@ export const getNewToken = async (req: Request, res: Response) => {
       payload: {
         userId: decodedToken.userId
       },
-      expiresIn: getJwtAuthLifetime(),
-      secret: getJwtAuthSecret()
+      expiresIn: await getJwtAuthLifetime(),
+      secret: await getJwtAuthSecret()
     });
 
     return res.status(200).send({
@@ -267,3 +267,7 @@ export const getNewToken = async (req: Request, res: Response) => {
     });
   }
 };
+
+export const handleAuthProviderCallback = (req: Request, res: Response) => {
+  res.redirect(`/login/provider/success?token=${encodeURIComponent(req.providerAuthToken)}`);
+}

backend/src/controllers/v1/botController.ts

@@ -1,4 +1,5 @@
 import { Request, Response } from 'express';
+import { Types } from 'mongoose';
 import * as Sentry from '@sentry/node';
 import { Bot, BotKey } from '../../models';
 import { createBot } from '../../helpers/bot';
@@ -29,7 +30,7 @@ export const getBotByWorkspaceId = async (req: Request, res: Response) => {
             // -> create a new bot and return it
             bot = await createBot({
                 name: 'Infisical Bot',
-                workspaceId
+                workspaceId: new Types.ObjectId(workspaceId)
             });
         }
 	} catch (err) {

backend/src/controllers/v1/integrationAuthController.ts

@@ -5,13 +5,18 @@ import {
 	IntegrationAuth,
 	Bot 
 } from '../../models';
-import { INTEGRATION_SET, getIntegrationOptions as getIntegrationOptionsFunc } from '../../variables';
+import { ALGORITHM_AES_256_GCM, ENCODING_SCHEME_UTF8, INTEGRATION_SET, getIntegrationOptions as getIntegrationOptionsFunc } from '../../variables';
 import { IntegrationService } from '../../services';
 import {
 	getApps, 
 	getTeams,
 	revokeAccess 
 } from '../../integrations';
+import {
+	INTEGRATION_VERCEL_API_URL,
+	INTEGRATION_RAILWAY_API_URL
+} from '../../variables';
+import { standardRequest } from '../../config/request';
 
 /***
  * Return integration authorization with id [integrationAuthId]
@@ -39,7 +44,7 @@ export const getIntegrationAuth = async (req: Request, res: Response) => {
 }
 
 export const getIntegrationOptions = async (req: Request, res: Response) => {
-	const INTEGRATION_OPTIONS = getIntegrationOptionsFunc();
+	const INTEGRATION_OPTIONS = await getIntegrationOptionsFunc();
 
 	return res.status(200).send({
 		integrationOptions: INTEGRATION_OPTIONS,
@@ -124,7 +129,9 @@ export const saveIntegrationAccessToken = async (
             integration
         }, {
             workspace: new Types.ObjectId(workspaceId),
-            integration
+            integration,
+			algorithm: ALGORITHM_AES_256_GCM,
+			keyEncoding: ENCODING_SCHEME_UTF8
 		}, {
             new: true,
             upsert: true
@@ -188,22 +195,203 @@ export const getIntegrationAuthApps = async (req: Request, res: Response) => {
  * @returns 
  */
 export const getIntegrationAuthTeams = async (req: Request, res: Response) => {
-	let teams;
-	try {
-		teams = await getTeams({
-			integrationAuth: req.integrationAuth,
-			accessToken: req.accessToken
+	const teams = await getTeams({
+		integrationAuth: req.integrationAuth,
+		accessToken: req.accessToken
+	});
+	
+	return res.status(200).send({
+		teams
+	});
+}
+
+/**
+ * Return list of available Vercel (preview) branches for Vercel project with
+ * id [appId]
+ * @param req 
+ * @param res 
+ */
+export const getIntegrationAuthVercelBranches = async (req: Request, res: Response) => {
+	const { integrationAuthId } = req.params;
+	const appId = req.query.appId as string;
+	
+	interface VercelBranch {
+		ref: string;
+		lastCommit: string;
+		isProtected: boolean;
+	}
+
+	const params = new URLSearchParams({
+		projectId: appId,
+		...(req.integrationAuth.teamId ? {
+			teamId: req.integrationAuth.teamId
+		} : {})
+	});
+
+	let branches: string[] = [];
+	
+	if (appId && appId !== '') {
+		const { data }: { data: VercelBranch[] } = await standardRequest.get(
+			`${INTEGRATION_VERCEL_API_URL}/v1/integrations/git-branches`,
+			{
+				params,
+				headers: {
+					Authorization: `Bearer ${req.accessToken}`,
+					'Accept-Encoding': 'application/json'
+				}
+			}
+		);
+		
+		branches = data.map((b) => b.ref);
+	}
+
+	return res.status(200).send({
+		branches
+	});
+}
+
+/**
+ * Return list of Railway environments for Railway project with
+ * id [appId]
+ * @param req 
+ * @param res 
+ */
+export const getIntegrationAuthRailwayEnvironments = async (req: Request, res: Response) => {
+	const { integrationAuthId } = req.params;
+	const appId = req.query.appId as string;
+	
+	interface RailwayEnvironment {
+		node: {
+			id: string;
+			name: string;
+			isEphemeral: boolean;
+		}
+	}
+	
+	interface Environment {
+		environmentId: string;
+		name: string;
+	}
+	
+	let environments: Environment[] = [];
+
+	if (appId && appId !== '') {
+		const query = `
+			query GetEnvironments($projectId: String!, $after: String, $before: String, $first: Int, $isEphemeral: Boolean, $last: Int) {
+				environments(projectId: $projectId, after: $after, before: $before, first: $first, isEphemeral: $isEphemeral, last: $last) {
+				edges {
+					node {
+					id
+					name
+					isEphemeral
+					}
+				}
+				}
+			}
+			`;
+		
+		const variables = {
+			projectId: appId
+		}
+		
+		const { data: { data: { environments: { edges } } } } = await standardRequest.post(INTEGRATION_RAILWAY_API_URL, {
+			query,
+			variables,
+		}, {
+			headers: {
+				'Authorization': `Bearer ${req.accessToken}`,
+				'Content-Type': 'application/json',
+			},
 		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-		message: "Failed to get integration authorization teams"
+		
+		environments = edges.map((e: RailwayEnvironment) => {
+			return ({
+				name: e.node.name,
+				environmentId: e.node.id
+			});
 		});
 	}
 	
 	return res.status(200).send({
-		teams
+		environments
+	});
+}
+
+/**
+ * Return list of Railway services for Railway project with id
+ * [appId]
+ * @param req 
+ * @param res 
+ */
+export const getIntegrationAuthRailwayServices = async (req: Request, res: Response) => {
+	const { integrationAuthId } = req.params;
+	const appId = req.query.appId as string;
+	
+	interface RailwayService {
+		node: {
+			id: string;
+			name: string;
+		}
+	}
+	
+	interface Service {
+		name: string;
+		serviceId: string;
+	}
+	
+	let services: Service[] = [];
+	
+	const query = `
+      query project($id: String!) {
+        project(id: $id) {
+          createdAt
+          deletedAt
+          id
+          description
+          expiredAt
+          isPublic
+          isTempProject
+          isUpdatable
+          name
+          prDeploys
+          teamId
+          updatedAt
+          upstreamUrl
+		  services {
+			edges {
+				node {
+					id
+					name
+				}
+			}
+		  }
+        }
+      }
+    `;
+
+	if (appId && appId !== '') {
+		const variables = {
+			id: appId
+		}
+		
+		const { data: { data: { project: { services: { edges } } } } } = await standardRequest.post(INTEGRATION_RAILWAY_API_URL, {
+			query,
+			variables
+		}, {
+			headers: {
+				'Authorization': `Bearer ${req.accessToken}`,
+				'Content-Type': 'application/json',
+			},
+		});
+		
+		services = edges.map((e: RailwayService) => ({
+			name: e.node.name,
+			serviceId: e.node.id
+		}));
+	}
+	
+	return res.status(200).send({
+		services
 	});
 }
 

backend/src/controllers/v1/integrationController.ts

@@ -24,6 +24,9 @@ export const createIntegration = async (req: Request, res: Response) => {
 			isActive,
 			sourceEnvironment,
 			targetEnvironment,
+			targetEnvironmentId,
+      targetService,
+      targetServiceId,
 			owner,
 			path,
 			region
@@ -39,18 +42,22 @@ export const createIntegration = async (req: Request, res: Response) => {
       app,
 			appId,
 			targetEnvironment,
+			targetEnvironmentId,
+      targetService,
+      targetServiceId,
 			owner,
 			path,
 			region,
       integration: req.integrationAuth.integration,
       integrationAuth: new Types.ObjectId(integrationAuthId)
-      }).save();
+    }).save();
 		
 		if (integration) {
 			// trigger event - push secrets
 			EventService.handleEvent({
 				event: eventPushSecrets({
-					workspaceId: integration.workspace.toString()
+					workspaceId: integration.workspace,
+          environment: sourceEnvironment
 				})
 			});
 		}
@@ -111,7 +118,8 @@ export const updateIntegration = async (req: Request, res: Response) => {
       // trigger event - push secrets
       EventService.handleEvent({
         event: eventPushSecrets({
-          workspaceId: integration.workspace.toString(),
+          workspaceId: integration.workspace,
+          environment
         }),
       });
     }

backend/src/controllers/v1/membershipController.ts

@@ -215,7 +215,7 @@ export const inviteUserToWorkspace = async (req: Request, res: Response) => {
 				inviterFirstName: req.user.firstName,
 				inviterEmail: req.user.email,
 				workspaceName: req.membership.workspace.name,
-				callback_url: getSiteURL() + '/login'
+				callback_url: (await getSiteURL()) + '/login'
 			}
 		});
 	} catch (err) {

backend/src/controllers/v1/membershipOrgController.ts

@@ -1,3 +1,4 @@
+import { Types } from 'mongoose';
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
 import { MembershipOrg, Organization, User } from '../../models';
@@ -134,12 +135,13 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 			}
 
 			if (!inviteeMembershipOrg) {
+				
 				await new MembershipOrg({
 					user: invitee,
 					inviteEmail: inviteeEmail,
 					organization: organizationId,
 					role: MEMBER,
-					status: invitee?.publicKey ? ACCEPTED : INVITED
+					status: INVITED
 				}).save();
 			}
 		} else {
@@ -164,6 +166,7 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 		const organization = await Organization.findOne({ _id: organizationId });
 
 		if (organization) {
+
 			const token = await TokenService.createToken({
 				type: TOKEN_EMAIL_ORG_INVITATION,
 				email: inviteeEmail,
@@ -179,13 +182,14 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 					inviterEmail: req.user.email,
 					organizationName: organization.name,
 					email: inviteeEmail,
+					organizationId: organization._id.toString(),
 					token,
-					callback_url: getSiteURL() + '/signupinvite'
+					callback_url: (await getSiteURL()) + '/signupinvite'
 				}
 			});
 
-			if (!getSmtpConfigured()) {
-				completeInviteLink = `${siteUrl + '/signupinvite'}?token=${token}&to=${inviteeEmail}`
+			if (!(await getSmtpConfigured())) {
+				completeInviteLink = `${siteUrl + '/signupinvite'}?token=${token}&to=${inviteeEmail}&organization_id=${organization._id}`
 			}
 		}
 
@@ -214,13 +218,18 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 export const verifyUserToOrganization = async (req: Request, res: Response) => {
 	let user, token;
 	try {
-		const { email, code } = req.body;
+		const {
+			email,
+			organizationId,
+			code
+		} = req.body;
 
 		user = await User.findOne({ email }).select('+publicKey');
 
 		const membershipOrg = await MembershipOrg.findOne({
 			inviteEmail: email,
-			status: INVITED
+			status: INVITED,
+			organization: new Types.ObjectId(organizationId)
 		});
 
 		if (!membershipOrg)
@@ -238,6 +247,10 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => {
 			// membership can be approved and redirected to login/dashboard
 			membershipOrg.status = ACCEPTED;
 			await membershipOrg.save();
+			
+			await updateSubscriptionOrgQuantity({
+				organizationId
+			});
 
 			return res.status(200).send({
 				message: 'Successfully verified email',
@@ -257,8 +270,8 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => {
 			payload: {
 				userId: user._id.toString()
 			},
-			expiresIn: getJwtSignupLifetime(),
-			secret: getJwtSignupSecret()
+			expiresIn: await getJwtSignupLifetime(),
+			secret: await getJwtSignupSecret()
 		});
 	} catch (err) {
 		Sentry.setUser(null);

backend/src/controllers/v1/organizationController.ts

@@ -19,7 +19,8 @@ export const getOrganizations = async (req: Request, res: Response) => {
 	try {
 		organizations = (
 			await MembershipOrg.find({
-				user: req.user._id
+				user: req.user._id,
+				status: ACCEPTED
 			}).populate('organization')
 		).map((m) => m.organization);
 	} catch (err) {
@@ -85,7 +86,7 @@ export const createOrganization = async (req: Request, res: Response) => {
 export const getOrganization = async (req: Request, res: Response) => {
 	let organization;
 	try {
-		organization = req.membershipOrg.organization;
+		organization = req.organization
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);
@@ -317,29 +318,29 @@ export const createOrganizationPortalSession = async (
 ) => {
 	let session;
 	try {
-		const stripe = new Stripe(getStripeSecretKey(), {
+		const stripe = new Stripe(await getStripeSecretKey(), {
 			apiVersion: '2022-08-01'
 		});
 
 		// check if there is a payment method on file
 		const paymentMethods = await stripe.paymentMethods.list({
-			customer: req.membershipOrg.organization.customerId,
+			customer: req.organization.customerId,
 			type: 'card'
 		});
-
+		
 		if (paymentMethods.data.length < 1) {
 			// case: no payment method on file
 			session = await stripe.checkout.sessions.create({
-				customer: req.membershipOrg.organization.customerId,
+				customer: req.organization.customerId,
 				mode: 'setup',
 				payment_method_types: ['card'],
-				success_url: getSiteURL() + '/dashboard',
-				cancel_url: getSiteURL() + '/dashboard'
+				success_url: (await getSiteURL()) + '/dashboard',
+				cancel_url: (await getSiteURL()) + '/dashboard'
 			});
 		} else {
 			session = await stripe.billingPortal.sessions.create({
-				customer: req.membershipOrg.organization.customerId,
-				return_url: getSiteURL() + '/dashboard'
+				customer: req.organization.customerId,
+				return_url: (await getSiteURL()) + '/dashboard'
 			});
 		}
 
@@ -365,12 +366,12 @@ export const getOrganizationSubscriptions = async (
 ) => {
 	let subscriptions;
 	try {
-		const stripe = new Stripe(getStripeSecretKey(), {
+		const stripe = new Stripe(await getStripeSecretKey(), {
 			apiVersion: '2022-08-01'
 		});
 		
 		subscriptions = await stripe.subscriptions.list({
-			customer: req.membershipOrg.organization.customerId
+			customer: req.organization.customerId
 		});
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });

backend/src/controllers/v1/passwordController.ts

@@ -44,7 +44,7 @@ export const emailPasswordReset = async (req: Request, res: Response) => {
 			substitutions: {
 				email,
 				token,
-				callback_url: getSiteURL() + '/password-reset'
+				callback_url: (await getSiteURL()) + '/password-reset'
 			}
 		});
 	} catch (err) {
@@ -91,8 +91,8 @@ export const emailPasswordResetVerify = async (req: Request, res: Response) => {
 			payload: {
 				userId: user._id.toString()
 			},
-			expiresIn: getJwtSignupLifetime(),
-			secret: getJwtSignupSecret()
+			expiresIn: await getJwtSignupLifetime(),
+			secret: await getJwtSignupSecret()
 		});
 	} catch (err) {
 		Sentry.setUser(null);

backend/src/controllers/v1/secretController.ts

@@ -1,5 +1,6 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
 import { Key, Secret } from '../../models';
 import {
 	v1PushSecrets as push,
@@ -9,7 +10,7 @@ import {
 import { pushKeys } from '../../helpers/key';
 import { eventPushSecrets } from '../../events';
 import { EventService } from '../../services';
-import { getPostHogClient } from '../../services';
+import { TelemetryService } from '../../services';
 
 interface PushSecret {
 	ciphertextKey: string;
@@ -38,7 +39,7 @@ export const pushSecrets = async (req: Request, res: Response) => {
 	// upload (encrypted) secrets to workspace with id [workspaceId]
 
 	try {
-		const postHogClient = getPostHogClient();
+		const postHogClient = await TelemetryService.getPostHogClient();
 		let { secrets }: { secrets: PushSecret[] } = req.body;
 		const { keys, environment, channel } = req.body;
 		const { workspaceId } = req.params;
@@ -84,7 +85,8 @@ export const pushSecrets = async (req: Request, res: Response) => {
 		// trigger event - push secrets
 		EventService.handleEvent({
 			event: eventPushSecrets({
-				workspaceId
+				workspaceId: new Types.ObjectId(workspaceId),
+				environment
 			})
 		});
 
@@ -112,7 +114,7 @@ export const pullSecrets = async (req: Request, res: Response) => {
 	let secrets;
 	let key;
 	try {
-		const postHogClient = getPostHogClient();
+		const postHogClient = await TelemetryService.getPostHogClient();
 		const environment: string = req.query.environment as string;
 		const channel: string = req.query.channel as string;
 		const { workspaceId } = req.params;
@@ -181,7 +183,7 @@ export const pullSecretsServiceToken = async (req: Request, res: Response) => {
 	let secrets;
 	let key;
 	try {
-		const postHogClient = getPostHogClient();
+		const postHogClient = await TelemetryService.getPostHogClient();
 		const environment: string = req.query.environment as string;
 		const channel: string = req.query.channel as string;
 		const { workspaceId } = req.params;

backend/src/controllers/v1/secretsFolderController.ts

@@ -0,0 +1,107 @@
+import { Request, Response } from 'express';
+import { Secret } from '../../models';
+import Folder from '../../models/folder';
+import { BadRequestError } from '../../utils/errors';
+import { ROOT_FOLDER_PATH, getFolderPath, getParentPath, normalizePath, validateFolderName } from '../../utils/folder';
+import { ADMIN, MEMBER } from '../../variables';
+import { validateMembership } from '../../helpers/membership';
+
+// TODO
+// verify workspace id/environment
+export const createFolder = async (req: Request, res: Response) => {
+  const { workspaceId, environment, folderName, parentFolderId } = req.body
+  if (!validateFolderName(folderName)) {
+    throw BadRequestError({ message: "Folder name cannot contain spaces. Only underscore and dashes" })
+  }
+
+  if (parentFolderId) {
+    const parentFolder = await Folder.find({ environment: environment, workspace: workspaceId, id: parentFolderId });
+    if (!parentFolder) {
+      throw BadRequestError({ message: "The parent folder doesn't exist" })
+    }
+  }
+
+  let completePath = await getFolderPath(parentFolderId)
+  if (completePath == ROOT_FOLDER_PATH) {
+    completePath = ""
+  }
+
+  const currentFolderPath = completePath + "/" + folderName // construct new path with current folder to be created
+  const normalizedCurrentPath = normalizePath(currentFolderPath)
+  const normalizedParentPath = getParentPath(normalizedCurrentPath)
+
+  const existingFolder = await Folder.findOne({
+    name: folderName,
+    workspace: workspaceId,
+    environment: environment,
+    parent: parentFolderId,
+    path: normalizedCurrentPath
+  });
+
+  if (existingFolder) {
+    return res.json(existingFolder)
+  }
+
+  const newFolder = new Folder({
+    name: folderName,
+    workspace: workspaceId,
+    environment: environment,
+    parent: parentFolderId,
+    path: normalizedCurrentPath,
+    parentPath: normalizedParentPath
+  });
+
+  await newFolder.save();
+
+  return res.json(newFolder)
+}
+
+export const deleteFolder = async (req: Request, res: Response) => {
+  const { folderId } = req.params
+  const queue: any[] = [folderId];
+
+  const folder = await Folder.findById(folderId);
+  if (!folder) {
+    throw BadRequestError({ message: "The folder doesn't exist" })
+  }
+
+  // check that user is a member of the workspace
+  await validateMembership({
+    userId: req.user._id.toString(),
+    workspaceId: folder.workspace as any,
+    acceptedRoles: [ADMIN, MEMBER]
+  });
+
+  while (queue.length > 0) {
+    const currentFolderId = queue.shift();
+
+    const childFolders = await Folder.find({ parent: currentFolderId });
+    for (const childFolder of childFolders) {
+      queue.push(childFolder._id);
+    }
+
+    await Secret.deleteMany({ folder: currentFolderId });
+
+    await Folder.deleteOne({ _id: currentFolderId });
+  }
+
+  res.send()
+}
+
+// TODO: validate workspace
+export const getFolderById = async (req: Request, res: Response) => {
+  const { folderId } = req.params
+
+  const folder = await Folder.findById(folderId);
+  if (!folder) {
+    throw BadRequestError({ message: "The folder doesn't exist" })
+  }
+  // check that user is a member of the workspace
+  await validateMembership({
+    userId: req.user._id.toString(),
+    workspaceId: folder.workspace as any,
+    acceptedRoles: [ADMIN, MEMBER]
+  });
+
+  res.send({ folder })
+}

backend/src/controllers/v1/serviceTokenController.ts

@@ -61,7 +61,7 @@ export const createServiceToken = async (req: Request, res: Response) => {
 				workspaceId
 			},
 			expiresIn: expiresIn,
-			secret: getJwtServiceSecret()
+			secret: await getJwtServiceSecret()
 		});
 	} catch (err) {
 		return res.status(400).send({

backend/src/controllers/v1/signupController.ts

@@ -21,14 +21,6 @@ export const beginEmailSignup = async (req: Request, res: Response) => {
 	try {
 		email = req.body.email;
 
-		if (getInviteOnlySignup()) {
-			// Only one user can create an account without being invited. The rest need to be invited in order to make an account
-			const userCount = await User.countDocuments({})
-			if (userCount != 0) {
-				throw BadRequestError({ message: "New user sign ups are not allowed at this time. You must be invited to sign up." })
-			}
-		}
-
 		const user = await User.findOne({ email }).select('+publicKey');
 		if (user && user?.publicKey) {
 			// case: user has already completed account
@@ -47,7 +39,7 @@ export const beginEmailSignup = async (req: Request, res: Response) => {
 			error: 'Failed to send email verification code'
 		});
 	}
-
+	
 	return res.status(200).send({
 		message: `Sent an email verification code to ${email}`
 	});
@@ -74,8 +66,16 @@ export const verifyEmailSignup = async (req: Request, res: Response) => {
 			});
 		}
 
+		if (await getInviteOnlySignup()) {
+			// Only one user can create an account without being invited. The rest need to be invited in order to make an account
+			const userCount = await User.countDocuments({})
+			if (userCount != 0) {
+				throw BadRequestError({ message: "New user sign ups are not allowed at this time. You must be invited to sign up." })
+			}
+		}
+
 		// verify email
-		if (getSmtpConfigured()) {
+		if (await getSmtpConfigured()) {
 			await checkEmailVerification({
 				email,
 				code
@@ -93,8 +93,8 @@ export const verifyEmailSignup = async (req: Request, res: Response) => {
 			payload: {
 				userId: user._id.toString()
 			},
-			expiresIn: getJwtSignupLifetime(),
-			secret: getJwtSignupSecret()
+			expiresIn: await getJwtSignupLifetime(),
+			secret: await getJwtSignupSecret()
 		});
 	} catch (err) {
 		Sentry.setUser(null);

backend/src/controllers/v1/stripeController.ts

@@ -13,7 +13,7 @@ export const handleWebhook = async (req: Request, res: Response) => {
 	let event;
 	try {
 		// check request for valid stripe signature
-		const stripe = new Stripe(getStripeSecretKey(), {
+		const stripe = new Stripe(await getStripeSecretKey(), {
 			apiVersion: '2022-08-01'
 		});
 
@@ -21,7 +21,7 @@ export const handleWebhook = async (req: Request, res: Response) => {
 		event = stripe.webhooks.constructEvent(
 			req.body,
 			sig,
-			getStripeWebhookSecret()
+			await getStripeWebhookSecret()
 		);
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });

backend/src/controllers/v2/apiKeyDataController.ts

@@ -43,13 +43,14 @@ export const createAPIKeyData = async (req: Request, res: Response) => {
         const { name, expiresIn } = req.body;
         
         const secret = crypto.randomBytes(16).toString('hex');
-        const secretHash = await bcrypt.hash(secret, getSaltRounds());
+        const secretHash = await bcrypt.hash(secret, await getSaltRounds());
         
 		const expiresAt = new Date();
 		expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
         
         apiKeyData = await new APIKeyData({
             name,
+            lastUsed: new Date(),
             expiresAt,
             user: req.user._id,
             secretHash

backend/src/controllers/v2/authController.ts

@@ -17,9 +17,9 @@ import {
 } from '../../variables';
 import { getChannelFromUserAgent } from '../../utils/posthog'; // TODO: move this
 import {
-  getNodeEnv,
   getJwtMfaLifetime,
-  getJwtMfaSecret
+  getJwtMfaSecret,
+  getHttpsEnabled
 } from '../../config';
 
 declare module 'jsonwebtoken' {
@@ -124,8 +124,8 @@ export const login2 = async (req: Request, res: Response) => {
               payload: {
                 userId: user._id.toString()
               },
-              expiresIn: getJwtMfaLifetime(),
-              secret: getJwtMfaSecret()
+              expiresIn: await getJwtMfaLifetime(),
+              secret: await getJwtMfaSecret()
             });
 
             const code = await TokenService.createToken({
@@ -163,7 +163,7 @@ export const login2 = async (req: Request, res: Response) => {
             httpOnly: true,
             path: '/',
             sameSite: 'strict',
-            secure: getNodeEnv() === 'production' ? true : false
+            secure: await getHttpsEnabled()
           });
 
           // case: user does not have MFA enablgged
@@ -288,6 +288,8 @@ export const verifyMfaToken = async (req: Request, res: Response) => {
 
   if (!user) throw new Error('Failed to find user');
 
+  await LoginSRPDetail.deleteOne({ userId: user.id })
+
   await checkUserDevice({
     user,
     ip: req.ip,
@@ -302,7 +304,7 @@ export const verifyMfaToken = async (req: Request, res: Response) => {
     httpOnly: true,
     path: '/',
     sameSite: 'strict',
-    secure: getNodeEnv() === 'production' ? true : false
+    secure: await getHttpsEnabled()
   });
 
   interface VerifyMfaTokenRes {

backend/src/controllers/v2/environmentController.ts

@@ -11,7 +11,7 @@ import {
 import { SecretVersion } from '../../ee/models';
 import { BadRequestError } from '../../utils/errors';
 import _ from 'lodash';
-import { ABILITY_READ, ABILITY_WRITE } from '../../variables/organization';
+import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from '../../variables';
 
 /**
  * Create new workspace environment named [environmentName] under workspace with id
@@ -244,8 +244,8 @@ export const getAllAccessibleEnvironmentsOfWorkspace = async (
     throw BadRequestError()
   }
   relatedWorkspace.environments.forEach(environment => {
-    const isReadBlocked = _.some(deniedPermission, { environmentSlug: environment.slug, ability: ABILITY_READ })
-    const isWriteBlocked = _.some(deniedPermission, { environmentSlug: environment.slug, ability: ABILITY_WRITE })
+    const isReadBlocked = _.some(deniedPermission, { environmentSlug: environment.slug, ability: PERMISSION_READ_SECRETS })
+    const isWriteBlocked = _.some(deniedPermission, { environmentSlug: environment.slug, ability: PERMISSION_WRITE_SECRETS })
     if (isReadBlocked && isWriteBlocked) {
       return
     } else {

backend/src/controllers/v2/index.ts

@@ -7,6 +7,7 @@ import * as serviceTokenDataController from './serviceTokenDataController';
 import * as apiKeyDataController from './apiKeyDataController';
 import * as secretController from './secretController';
 import * as secretsController from './secretsController';
+import * as serviceAccountsController from './serviceAccountsController';
 import * as environmentController from './environmentController';
 import * as tagController from './tagController';
 
@@ -20,6 +21,7 @@ export {
     apiKeyDataController,
     secretController,
     secretsController,
+    serviceAccountsController,
     environmentController,
     tagController
 }

backend/src/controllers/v2/organizationsController.ts

@@ -1,9 +1,11 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
 import { 
     MembershipOrg,
     Membership,
-    Workspace
+    Workspace,
+    ServiceAccount
 } from '../../models';
 import { deleteMembershipOrg } from '../../helpers/membershipOrg';
 import { updateSubscriptionOrgQuantity } from '../../helpers/organization';
@@ -260,37 +262,45 @@ export const getOrganizationWorkspaces = async (req: Request, res: Response) =>
         }
     }   
     */
-    let workspaces;
-    try {
-        const { organizationId } = req.params;
+    const { organizationId } = req.params;
 
-		const workspacesSet = new Set(
-			(
-				await Workspace.find(
-					{
-						organization: organizationId
-					},
-					'_id'
-				)
-			).map((w) => w._id.toString())
-		);
+    const workspacesSet = new Set(
+        (
+            await Workspace.find(
+                {
+                    organization: organizationId
+                },
+                '_id'
+            )
+        ).map((w) => w._id.toString())
+    );
 
-		workspaces = (
-			await Membership.find({
-				user: req.user._id
-			}).populate('workspace')
-		)
-			.filter((m) => workspacesSet.has(m.workspace._id.toString()))
-			.map((m) => m.workspace);
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get organization workspaces'
-		});	
-    }
-    
-    return res.status(200).send({
+    const workspaces = (
+        await Membership.find({
+            user: req.user._id
+        }).populate('workspace')
+    )
+    .filter((m) => workspacesSet.has(m.workspace._id.toString()))
+    .map((m) => m.workspace);
+
+return res.status(200).send({
         workspaces
     });
+}
+
+/**
+ * Return service accounts for organization with id [organizationId]
+ * @param req 
+ * @param res 
+ */
+export const getOrganizationServiceAccounts = async (req: Request, res: Response) => {
+    const { organizationId } = req.params;
+    
+    const serviceAccounts = await ServiceAccount.find({
+        organization: new Types.ObjectId(organizationId)
+    });
+    
+    return res.status(200).send({
+        serviceAccounts
+    });
 }

backend/src/controllers/v2/secretController.ts

@@ -6,8 +6,10 @@ import { CreateSecretRequestBody, ModifySecretRequestBody, SanitizedSecretForCre
 const { ValidationError } = mongoose.Error;
 import { BadRequestError, InternalServerError, UnauthorizedRequestError, ValidationError as RouteValidationError } from '../../utils/errors';
 import { AnyBulkWriteOperation } from 'mongodb';
-import { SECRET_PERSONAL, SECRET_SHARED } from "../../variables";
-import { getPostHogClient } from '../../services';
+import { ALGORITHM_AES_256_GCM, ENCODING_SCHEME_UTF8, SECRET_PERSONAL, SECRET_SHARED } from "../../variables";
+import { TelemetryService } from '../../services';
+import { User } from "../../models";
+import { AccountNotFoundError } from '../../utils/errors';
 
 /**
  * Create secret for workspace with id [workspaceId] and environment [environment]
@@ -15,7 +17,7 @@ import { getPostHogClient } from '../../services';
  * @param res 
  */
 export const createSecret = async (req: Request, res: Response) => {
-  const postHogClient = getPostHogClient();
+  const postHogClient = await TelemetryService.getPostHogClient();
   const secretToCreate: CreateSecretRequestBody = req.body.secret;
   const { workspaceId, environment } = req.params
   const sanitizedSecret: SanitizedSecretForCreate = {
@@ -34,7 +36,9 @@ export const createSecret = async (req: Request, res: Response) => {
     workspace: new Types.ObjectId(workspaceId),
     environment,
     type: secretToCreate.type,
-    user: new Types.ObjectId(req.user._id)
+    user: new Types.ObjectId(req.user._id),
+    algorithm: ALGORITHM_AES_256_GCM,
+    keyEncoding: ENCODING_SCHEME_UTF8
   }
 
 
@@ -68,7 +72,7 @@ export const createSecret = async (req: Request, res: Response) => {
  * @param res 
  */
 export const createSecrets = async (req: Request, res: Response) => {
-  const postHogClient = getPostHogClient();
+  const postHogClient = await TelemetryService.getPostHogClient();
   const secretsToCreate: CreateSecretRequestBody[] = req.body.secrets;
   const { workspaceId, environment } = req.params
   const sanitizedSecretesToCreate: SanitizedSecretForCreate[] = []
@@ -90,7 +94,9 @@ export const createSecrets = async (req: Request, res: Response) => {
       workspace: new Types.ObjectId(workspaceId),
       environment,
       type: rawSecret.type,
-      user: new Types.ObjectId(req.user._id)
+      user: new Types.ObjectId(req.user._id),
+      algorithm: ALGORITHM_AES_256_GCM,
+      keyEncoding: ENCODING_SCHEME_UTF8
     }
 
     sanitizedSecretesToCreate.push(safeUpdateFields)
@@ -130,7 +136,7 @@ export const createSecrets = async (req: Request, res: Response) => {
  * @param res 
  */
 export const deleteSecrets = async (req: Request, res: Response) => {
-  const postHogClient = getPostHogClient();
+  const postHogClient = await TelemetryService.getPostHogClient();
   const { workspaceId, environmentName } = req.params
   const secretIdsToDelete: string[] = req.body.secretIds
 
@@ -184,7 +190,7 @@ export const deleteSecrets = async (req: Request, res: Response) => {
  * @param res
  */
 export const deleteSecret = async (req: Request, res: Response) => {
-  const postHogClient = getPostHogClient();
+  const postHogClient = await TelemetryService.getPostHogClient();
   await Secret.findByIdAndDelete(req._secret._id)
 
   if (postHogClient) {
@@ -213,7 +219,7 @@ export const deleteSecret = async (req: Request, res: Response) => {
  * @returns 
  */
 export const updateSecrets = async (req: Request, res: Response) => {
-  const postHogClient = getPostHogClient();
+  const postHogClient = await TelemetryService.getPostHogClient();
   const { workspaceId, environmentName } = req.params
   const secretsModificationsRequested: ModifySecretRequestBody[] = req.body.secrets;
   const [secretIdsUserCanModifyError, secretIdsUserCanModify] = await to(Secret.find({ workspace: workspaceId, environment: environmentName }, { _id: 1 }).then())
@@ -281,7 +287,7 @@ export const updateSecrets = async (req: Request, res: Response) => {
  * @returns 
  */
 export const updateSecret = async (req: Request, res: Response) => {
-  const postHogClient = getPostHogClient();
+  const postHogClient = await TelemetryService.getPostHogClient();
   const { workspaceId, environmentName } = req.params
   const secretModificationsRequested: ModifySecretRequestBody = req.body.secret;
 
@@ -335,20 +341,23 @@ export const updateSecret = async (req: Request, res: Response) => {
  * @returns 
  */
 export const getSecrets = async (req: Request, res: Response) => {
-  const postHogClient = getPostHogClient();
+  const postHogClient = await TelemetryService.getPostHogClient();
   const { environment } = req.query;
   const { workspaceId } = req.params;
 
   let userId: Types.ObjectId | undefined = undefined // used for getting personal secrets for user
-  let userEmail: Types.ObjectId | undefined = undefined // used for posthog 
+  let userEmail: string | undefined = undefined // used for posthog 
   if (req.user) {
     userId = req.user._id;
     userEmail = req.user.email;
   }
 
   if (req.serviceTokenData) {
-    userId = req.serviceTokenData.user._id
-    userEmail = req.serviceTokenData.user.email;
+    userId = req.serviceTokenData.user;
+    
+    const user = await User.findById(req.serviceTokenData.user, 'email');
+    if (!user) throw AccountNotFoundError();
+    userEmail = user.email;
   }
 
   const [err, secrets] = await to(Secret.find(

backend/src/controllers/v2/secretsController.ts

@@ -1,23 +1,23 @@
-import to from 'await-to-js';
 import { Types } from 'mongoose';
 import { Request, Response } from 'express';
-import { ISecret, Secret } from '../../models';
-import { IAction } from '../../ee/models';
+import { ISecret, Secret, Workspace } from '../../models';
+import { IAction, SecretVersion } from '../../ee/models';
 import {
     SECRET_PERSONAL,
-    SECRET_SHARED,
     ACTION_ADD_SECRETS,
     ACTION_READ_SECRETS,
     ACTION_UPDATE_SECRETS,
-    ACTION_DELETE_SECRETS
+    ACTION_DELETE_SECRETS,
+    ALGORITHM_AES_256_GCM,
+    ENCODING_SCHEME_UTF8
 } from '../../variables';
-import { UnauthorizedRequestError, ValidationError } from '../../utils/errors';
+import { UnauthorizedRequestError, WorkspaceNotFoundError } from '../../utils/errors';
 import { EventService } from '../../services';
 import { eventPushSecrets } from '../../events';
-import { EESecretService, EELogService } from '../../ee/services';
-import { getPostHogClient } from '../../services';
+import { EESecretService, EELogService, EELicenseService } from '../../ee/services';
+import { TelemetryService, SecretService } from '../../services';
 import { getChannelFromUserAgent } from '../../utils/posthog';
-import { ABILITY_READ, ABILITY_WRITE } from '../../variables/organization';
+import { PERMISSION_WRITE_SECRETS } from '../../variables';
 import { userHasNoAbility, userHasWorkspaceAccess, userHasWriteOnlyAbility } from '../../ee/helpers/checkMembershipPermissions';
 import Tag from '../../models/tag';
 import _ from 'lodash';
@@ -25,15 +25,19 @@ import {
     BatchSecretRequest,
     BatchSecret
 } from '../../types/secret';
+import { getFolderPath, getFoldersInDirectory, normalizePath } from '../../utils/folder';
+import { ROOT_FOLDER_PATH } from '../../utils/folder';
 
 /**
  * Peform a batch of any specified CUD secret operations
+ * (used by dashboard)
  * @param req 
  * @param res 
  */
 export const batchSecrets = async (req: Request, res: Response) => {
+
     const channel = getChannelFromUserAgent(req.headers['user-agent']);
-    const postHogClient = getPostHogClient();
+    const postHogClient = await TelemetryService.getPostHogClient();
 
     const {
         workspaceId,
@@ -44,34 +48,71 @@ export const batchSecrets = async (req: Request, res: Response) => {
         environment: string;
         requests: BatchSecretRequest[];
     } = req.body;
+    
+    const workspace = await Workspace.findById(workspaceId);
+    if (!workspace) throw WorkspaceNotFoundError();
+    
+    const orgPlan = await EELicenseService.getOrganizationPlan(workspace.organization.toString());
+    const isPaid = orgPlan.tier >= 1;
 
     const createSecrets: BatchSecret[] = [];
     const updateSecrets: BatchSecret[] = [];
     const deleteSecrets: Types.ObjectId[] = [];
     const actions: IAction[] = [];
 
-    requests.forEach((request) => {
+    // get secret blind index salt
+    const salt = await SecretService.getSecretBlindIndexSalt({
+        workspaceId: new Types.ObjectId(workspaceId)
+    });
+
+    for await (const request of requests) {
+        const folderId = request.secret.folderId
+
+        // TODO: need to auth folder
+        const fullFolderPath = await getFolderPath(folderId)
+
+        let secretBlindIndex = '';
         switch (request.method) {
             case 'POST':
+                secretBlindIndex = await SecretService.generateSecretBlindIndexWithSalt({
+                    secretName: request.secret.secretName,
+                    salt
+                });
+
                 createSecrets.push({
                     ...request.secret,
                     version: 1,
                     user: request.secret.type === SECRET_PERSONAL ? req.user : undefined,
                     environment,
-                    workspace: new Types.ObjectId(workspaceId)
+                    workspace: new Types.ObjectId(workspaceId),
+                    path: fullFolderPath,
+                    folder: folderId,
+                    secretBlindIndex,
+                    algorithm: ALGORITHM_AES_256_GCM,
+                    keyEncoding: ENCODING_SCHEME_UTF8
                 });
                 break;
             case 'PATCH':
+                secretBlindIndex = await SecretService.generateSecretBlindIndexWithSalt({
+                    secretName: request.secret.secretName,
+                    salt,
+                });
+
                 updateSecrets.push({
                     ...request.secret,
-                    _id: new Types.ObjectId(request.secret._id)
+                    _id: new Types.ObjectId(request.secret._id),
+                    secretBlindIndex,
+                    folder: folderId,
+                    path: fullFolderPath,
+                    algorithm: ALGORITHM_AES_256_GCM,
+                    keyEncoding: ENCODING_SCHEME_UTF8
                 });
                 break;
             case 'DELETE':
                 deleteSecrets.push(new Types.ObjectId(request.secret._id));
                 break;
         }
-    });
+    }
 
     // handle create secrets
     let createdSecrets: ISecret[] = [];
@@ -91,7 +132,9 @@ export const batchSecrets = async (req: Request, res: Response) => {
 
         const addAction = await EELogService.createAction({
             name: ACTION_ADD_SECRETS,
-            userId: req.user._id,
+            userId: req.user?._id,
+            serviceAccountId: req.serviceAccount?._id,
+            serviceTokenDataId: req.serviceTokenData?._id,
             workspaceId: new Types.ObjectId(workspaceId),
             secretIds: createdSecrets.map((n) => n._id)
         }) as IAction;
@@ -106,7 +149,9 @@ export const batchSecrets = async (req: Request, res: Response) => {
                     environment,
                     workspaceId,
                     channel,
-                    userAgent: req.headers?.['user-agent']
+                    userAgent: req.headers?.['user-agent'],
+                    isPaid,
+                    email: req.user.email
                 }
             });
         }
@@ -130,7 +175,10 @@ export const batchSecrets = async (req: Request, res: Response) => {
 
         const updateOperations = updateSecrets.map((u) => ({
             updateOne: {
-                filter: { _id: new Types.ObjectId(u._id) },
+                filter: {
+                    _id: new Types.ObjectId(u._id),
+                    workspace: new Types.ObjectId(workspaceId)
+                },
                 update: {
                     $inc: {
                         version: 1
@@ -143,13 +191,14 @@ export const batchSecrets = async (req: Request, res: Response) => {
 
         await Secret.bulkWrite(updateOperations);
 
-        const secretVersions = updateSecrets.map((u) => ({
+        const secretVersions = updateSecrets.map((u) => new SecretVersion({
             secret: new Types.ObjectId(u._id),
             version: listedSecretsObj[u._id.toString()].version,
             workspace: new Types.ObjectId(workspaceId),
             type: listedSecretsObj[u._id.toString()].type,
             environment,
             isDeleted: false,
+            secretBlindIndex: u.secretBlindIndex,
             secretKeyCiphertext: u.secretKeyCiphertext,
             secretKeyIV: u.secretKeyIV,
             secretKeyTag: u.secretKeyTag,
@@ -159,6 +208,8 @@ export const batchSecrets = async (req: Request, res: Response) => {
             secretCommentCiphertext: u.secretCommentCiphertext,
             secretCommentIV: u.secretCommentIV,
             secretCommentTag: u.secretCommentTag,
+            algorithm: ALGORITHM_AES_256_GCM,
+            keyEncoding: ENCODING_SCHEME_UTF8,
             tags: u.tags
         }));
 
@@ -189,7 +240,9 @@ export const batchSecrets = async (req: Request, res: Response) => {
                     environment,
                     workspaceId,
                     channel,
-                    userAgent: req.headers?.['user-agent']
+                    userAgent: req.headers?.['user-agent'],
+                    isPaid,
+                    email: req.user.email
                 }
             });
         }
@@ -224,7 +277,9 @@ export const batchSecrets = async (req: Request, res: Response) => {
                     environment,
                     workspaceId,
                     channel: channel,
-                    userAgent: req.headers?.['user-agent']
+                    userAgent: req.headers?.['user-agent'],
+                    isPaid,
+                    email: req.user.email
                 }
             });
         }
@@ -244,13 +299,13 @@ export const batchSecrets = async (req: Request, res: Response) => {
     // // trigger event - push secrets
     await EventService.handleEvent({
         event: eventPushSecrets({
-            workspaceId
+            workspaceId: new Types.ObjectId(workspaceId)
         })
     });
 
     // (EE) take a secret snapshot
     await EESecretService.takeSecretSnapshot({
-        workspaceId
+        workspaceId: new Types.ObjectId(workspaceId)
     });
 
     const resObj: { [key: string]: ISecret[] | string[] } = {}
@@ -328,16 +383,23 @@ export const createSecrets = async (req: Request, res: Response) => {
         }
     }   
     */
-   const postHogClient = getPostHogClient();
 
     const channel = getChannelFromUserAgent(req.headers['user-agent'])
     const { workspaceId, environment }: { workspaceId: string, environment: string } = req.body;
 
-    const hasAccess = await userHasWorkspaceAccess(req.user, workspaceId, environment, ABILITY_WRITE)
-    if (!hasAccess) {
-        throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
+    if (req.user) {
+        const hasAccess = await userHasWorkspaceAccess(req.user, new Types.ObjectId(workspaceId), environment, PERMISSION_WRITE_SECRETS)
+        if (!hasAccess) {
+            throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
+        }
     }
 
+    const workspace = await Workspace.findById(workspaceId);
+    if (!workspace) throw WorkspaceNotFoundError();
+    
+    const orgPlan = await EELicenseService.getOrganizationPlan(workspace.organization.toString());
+    const isPaid = orgPlan.tier >= 1;
+
     let listOfSecretsToCreate;
     if (Array.isArray(req.body.secrets)) {
         // case: create multiple secrets
@@ -347,8 +409,14 @@ export const createSecrets = async (req: Request, res: Response) => {
         listOfSecretsToCreate = [req.body.secrets];
     }
 
+    // get secret blind index salt
+    const salt = await SecretService.getSecretBlindIndexSalt({
+        workspaceId: new Types.ObjectId(workspaceId)
+    });
+
     type secretsToCreateType = {
         type: string;
+        secretName?: string;
         secretKeyCiphertext: string;
         secretKeyIV: string;
         secretKeyTag: string;
@@ -361,25 +429,10 @@ export const createSecrets = async (req: Request, res: Response) => {
         tags: string[]
     }
 
-    const secretsToInsert: ISecret[] = listOfSecretsToCreate.map(({
-        type,
-        secretKeyCiphertext,
-        secretKeyIV,
-        secretKeyTag,
-        secretValueCiphertext,
-        secretValueIV,
-        secretValueTag,
-        secretCommentCiphertext,
-        secretCommentIV,
-        secretCommentTag,
-        tags
-    }: secretsToCreateType) => {
-        return ({
-            version: 1,
-            workspace: new Types.ObjectId(workspaceId),
+    const secretsToInsert: ISecret[] = await Promise.all(
+        listOfSecretsToCreate.map(async ({
             type,
-            user: type === SECRET_PERSONAL ? req.user : undefined,
-            environment,
+            secretName,
             secretKeyCiphertext,
             secretKeyIV,
             secretKeyTag,
@@ -390,8 +443,37 @@ export const createSecrets = async (req: Request, res: Response) => {
             secretCommentIV,
             secretCommentTag,
             tags
-        });
-    })
+        }: secretsToCreateType) => {
+            let secretBlindIndex;
+            if (secretName) {
+                secretBlindIndex = await SecretService.generateSecretBlindIndexWithSalt({
+                    secretName,
+                    salt
+                });
+            }
+
+            return ({
+                version: 1,
+                workspace: new Types.ObjectId(workspaceId),
+                type,
+                ...(secretBlindIndex ? { secretBlindIndex } : {}),
+                user: (req.user && type === SECRET_PERSONAL) ? req.user : undefined,
+                environment,
+                secretKeyCiphertext,
+                secretKeyIV,
+                secretKeyTag,
+                secretValueCiphertext,
+                secretValueIV,
+                secretValueTag,
+                secretCommentCiphertext,
+                secretCommentIV,
+                secretCommentTag,
+                algorithm: ALGORITHM_AES_256_GCM,
+                keyEncoding: ENCODING_SCHEME_UTF8,
+                tags
+            });
+        })
+    );
 
     const newlyCreatedSecrets: ISecret[] = (await Secret.insertMany(secretsToInsert)).map((insertedSecret) => insertedSecret.toObject());
 
@@ -399,7 +481,7 @@ export const createSecrets = async (req: Request, res: Response) => {
         // trigger event - push secrets
         await EventService.handleEvent({
             event: eventPushSecrets({
-                workspaceId
+                workspaceId: new Types.ObjectId(workspaceId)
             })
         });
     }, 5000);
@@ -413,24 +495,21 @@ export const createSecrets = async (req: Request, res: Response) => {
             type,
             user,
             environment,
+            secretBlindIndex,
             secretKeyCiphertext,
             secretKeyIV,
             secretKeyTag,
             secretValueCiphertext,
             secretValueIV,
-            secretValueTag,
-            secretCommentCiphertext,
-            secretCommentIV,
-            secretCommentTag,
-            tags
-        }) => ({
-            _id: new Types.ObjectId(),
+            secretValueTag
+        }) => new SecretVersion({
             secret: _id,
             version,
             workspace,
             type,
             user,
             environment,
+            secretBlindIndex,
             isDeleted: false,
             secretKeyCiphertext,
             secretKeyIV,
@@ -438,23 +517,25 @@ export const createSecrets = async (req: Request, res: Response) => {
             secretValueCiphertext,
             secretValueIV,
             secretValueTag,
-            secretCommentCiphertext,
-            secretCommentIV,
-            secretCommentTag,
-            tags
+            algorithm: ALGORITHM_AES_256_GCM,
+            keyEncoding: ENCODING_SCHEME_UTF8
         }))
     });
 
     const addAction = await EELogService.createAction({
         name: ACTION_ADD_SECRETS,
-        userId: req.user._id,
+        userId: req.user?._id,
+        serviceAccountId: req.serviceAccount?._id,
+        serviceTokenDataId: req.serviceTokenData?._id,
         workspaceId: new Types.ObjectId(workspaceId),
         secretIds: newlyCreatedSecrets.map((n) => n._id)
     });
 
     // (EE) create (audit) log
     addAction && await EELogService.createLog({
-        userId: req.user._id.toString(),
+        userId: req.user?._id,
+        serviceAccountId: req.serviceAccount?._id,
+        serviceTokenDataId: req.serviceTokenData?._id,
         workspaceId: new Types.ObjectId(workspaceId),
         actions: [addAction],
         channel,
@@ -463,19 +544,26 @@ export const createSecrets = async (req: Request, res: Response) => {
 
     // (EE) take a secret snapshot
     await EESecretService.takeSecretSnapshot({
-        workspaceId
+        workspaceId: new Types.ObjectId(workspaceId)
     });
 
+    const postHogClient = await TelemetryService.getPostHogClient();
     if (postHogClient) {
         postHogClient.capture({
             event: 'secrets added',
-            distinctId: req.user.email,
+            distinctId: await TelemetryService.getDistinctId({
+                authData: req.authData
+            }),
             properties: {
                 numberOfSecrets: listOfSecretsToCreate.length,
                 environment,
                 workspaceId,
                 channel: channel,
-                userAgent: req.headers?.['user-agent']
+                userAgent: req.headers?.['user-agent'],
+                isPaid,
+                email: await TelemetryService.getDistinctId({
+                    authData: req.authData
+                })
             }
         });
     }
@@ -533,156 +621,162 @@ export const getSecrets = async (req: Request, res: Response) => {
     }   
     */
 
-    const postHogClient = getPostHogClient();
+    const { tagSlugs, secretsPath } = req.query;
+    const workspaceId = req.query.workspaceId as string;
+    const environment = req.query.environment as string;
+    const normalizedPath = normalizePath(secretsPath as string)
+    const folders = await getFoldersInDirectory(workspaceId as string, environment as string, normalizedPath)
 
-    const { workspaceId, environment, tagSlugs } = req.query;
+    const workspace = await Workspace.findById(workspaceId);
+    if (!workspace) throw WorkspaceNotFoundError();
+    
+    const orgPlan = await EELicenseService.getOrganizationPlan(workspace.organization.toString());
+    const isPaid = orgPlan.tier >= 1;
+
+    // secrets to return 
+    let secrets: ISecret[] = [];
+
+    // query tags table to get all tags ids for the tag names for the given workspace
+    let tagIds = [];
     const tagNamesList = typeof tagSlugs === 'string' && tagSlugs !== '' ? tagSlugs.split(',') : [];
-    let userId = "" // used for getting personal secrets for user
-    let userEmail = "" // used for posthog 
-    if (req.user) {
-        userId = req.user._id;
-        userEmail = req.user.email;
-    }
-
-    if (req.serviceTokenData) {
-        userId = req.serviceTokenData.user._id
-        userEmail = req.serviceTokenData.user.email;
-    }
-
-    // none service token case as service tokens are already scoped to env and project
-    let hasWriteOnlyAccess
-    if (!req.serviceTokenData) {
-        hasWriteOnlyAccess = await userHasWriteOnlyAbility(userId, workspaceId, environment)
-        const hasNoAccess = await userHasNoAbility(userId, workspaceId, environment)
-        if (hasNoAccess) {
-            throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
-        }
-    }
-    let secrets: any
-    let secretQuery: any
-
     if (tagNamesList != undefined && tagNamesList.length != 0) {
-        const workspaceFromDB = await Tag.find({ workspace: workspaceId })
-
-        const tagIds = _.map(tagNamesList, (tagName) => {
+        const workspaceFromDB = await Tag.find({ workspace: workspaceId });
+        tagIds = _.map(tagNamesList, (tagName) => {
             const tag = _.find(workspaceFromDB, { slug: tagName });
             return tag ? tag.id : null;
         });
+    }
 
-        secretQuery = {
-            workspace: workspaceId,
-            environment,
-            $or: [
-                { user: userId },
-                { user: { $exists: false } }
-            ],
-            tags: { $in: tagIds },
-            type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
+    if (req.user) {
+        // case: client authorization is via JWT
+        const hasWriteOnlyAccess = await userHasWriteOnlyAbility(req.user._id, new Types.ObjectId(workspaceId), environment)
+        const hasNoAccess = await userHasNoAbility(req.user._id, new Types.ObjectId(workspaceId), environment)
+        if (hasNoAccess) {
+            throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
         }
-    } else {
-        secretQuery = {
+
+        const secretQuery: any = {
             workspace: workspaceId,
             environment,
             $or: [
-                { user: userId },
-                { user: { $exists: false } }
-            ],
-            type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
+                { user: req.user._id }, // personal secrets for this user
+                { user: { $exists: false } } // shared secrets from workspace
+            ]
+        }
+
+        if (normalizedPath == ROOT_FOLDER_PATH) {
+            secretQuery.path = { $in: [ROOT_FOLDER_PATH, null, undefined] }
+        } else if (normalizedPath) {
+            secretQuery.path = normalizedPath
+        }
+
+        if (tagIds.length > 0) {
+            secretQuery.tags = { $in: tagIds };
+        }
+
+        if (hasWriteOnlyAccess) {
+            // only return the secret keys and not the values since user does not have right to see values
+            secrets = await Secret.find(secretQuery).select("secretKeyCiphertext secretKeyIV secretKeyTag").populate("tags")
+        } else {
+            secrets = await Secret.find(secretQuery).populate("tags")
         }
     }
 
-    if (hasWriteOnlyAccess) {
-        secrets = await Secret.find(secretQuery).select("secretKeyCiphertext secretKeyIV secretKeyTag")
-    } else {
-        secrets = await Secret.find(secretQuery).populate("tags")
+    // case: client authorization is via service token
+    if (req.serviceTokenData) {
+        const userId = req.serviceTokenData.user;
+
+        const secretQuery: any = {
+            workspace: workspaceId,
+            environment,
+            $or: [
+                { user: userId }, // personal secrets for this user
+                { user: { $exists: false } } // shared secrets from workspace
+            ]
+        }
+
+        // TODO: check if user can query for given path
+        if (normalizedPath == ROOT_FOLDER_PATH) {
+            secretQuery.path = { $in: [ROOT_FOLDER_PATH, null, undefined] }
+        } else if (normalizedPath) {
+            secretQuery.path = normalizedPath
+        }
+
+        if (tagIds.length > 0) {
+            secretQuery.tags = { $in: tagIds };
+        }
+
+        // TODO check if service token has write only permission 
+
+        secrets = await Secret.find(secretQuery).populate("tags");
+    }
+
+    // case: client authorization is via service account
+    if (req.serviceAccount) {
+        const secretQuery: any = {
+            workspace: workspaceId,
+            environment,
+            user: { $exists: false } // shared secrets only from workspace
+        }
+
+        if (normalizedPath == ROOT_FOLDER_PATH) {
+            secretQuery.path = { $in: [ROOT_FOLDER_PATH, null, undefined] }
+        } else if (normalizedPath) {
+            secretQuery.path = normalizedPath
+        }
+
+        if (tagIds.length > 0) {
+            secretQuery.tags = { $in: tagIds };
+        }
+
+        secrets = await Secret.find(secretQuery).populate("tags");
     }
 
     const channel = getChannelFromUserAgent(req.headers['user-agent'])
 
     const readAction = await EELogService.createAction({
         name: ACTION_READ_SECRETS,
-        userId: new Types.ObjectId(userId),
+        userId: req.user?._id,
+        serviceAccountId: req.serviceAccount?._id,
+        serviceTokenDataId: req.serviceTokenData?._id,
         workspaceId: new Types.ObjectId(workspaceId as string),
         secretIds: secrets.map((n: any) => n._id)
     });
 
     readAction && await EELogService.createLog({
-        userId: new Types.ObjectId(userId),
+        userId: req.user?._id,
+        serviceAccountId: req.serviceAccount?._id,
+        serviceTokenDataId: req.serviceTokenData?._id,
         workspaceId: new Types.ObjectId(workspaceId as string),
         actions: [readAction],
         channel,
         ipAddress: req.ip
     });
 
+    const postHogClient = await TelemetryService.getPostHogClient();
     if (postHogClient) {
         postHogClient.capture({
             event: 'secrets pulled',
-            distinctId: userEmail,
+            distinctId: await TelemetryService.getDistinctId({
+                authData: req.authData
+            }),
             properties: {
                 numberOfSecrets: secrets.length,
                 environment,
                 workspaceId,
                 channel,
-                userAgent: req.headers?.['user-agent']
+                userAgent: req.headers?.['user-agent'],
+                isPaid,
+                email: await TelemetryService.getDistinctId({
+                    authData: req.authData
+                })
             }
         });
     }
 
     return res.status(200).send({
-        secrets
-    });
-}
-
-
-export const getOnlySecretKeys = async (req: Request, res: Response) => {
-    const { workspaceId, environment } = req.query;
-
-    let userId = "" // used for getting personal secrets for user
-    let userEmail = "" // used for posthog 
-    if (req.user) {
-        userId = req.user._id;
-        userEmail = req.user.email;
-    }
-
-    if (req.serviceTokenData) {
-        userId = req.serviceTokenData.user._id
-        userEmail = req.serviceTokenData.user.email;
-    }
-
-    // none service token case as service tokens are already scoped
-    if (!req.serviceTokenData) {
-        const hasAccess = await userHasWorkspaceAccess(userId, workspaceId, environment, ABILITY_READ)
-        if (!hasAccess) {
-            throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
-        }
-    }
-
-    const [err, secretKeys] = await to(Secret.find(
-        {
-            workspace: workspaceId,
-            environment,
-            $or: [
-                { user: userId },
-                { user: { $exists: false } }
-            ],
-            type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
-        }
-    )
-        .select("secretKeyIV secretKeyTag secretKeyCiphertext")
-        .then())
-
-    if (err) throw ValidationError({ message: 'Failed to get secrets', stack: err.stack });
-
-    // readAction && await EELogService.createLog({
-    //     userId: new Types.ObjectId(userId),
-    //     workspaceId: new Types.ObjectId(workspaceId as string),
-    //     actions: [readAction],
-    //     channel,
-    //     ipAddress: req.ip
-    // });
-
-    return res.status(200).send({
-        secretKeys
+        secrets,
+        folders
     });
 }
 
@@ -736,10 +830,8 @@ export const updateSecrets = async (req: Request, res: Response) => {
         }
     }
     */
-    const postHogClient = getPostHogClient();
     const channel = req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli';
 
-    // TODO: move type
     interface PatchSecret {
         id: string;
         secretKeyCiphertext: string;
@@ -781,6 +873,8 @@ export const updateSecrets = async (req: Request, res: Response) => {
                     secretValueCiphertext,
                     secretValueIV,
                     secretValueTag,
+                    algorithm: ALGORITHM_AES_256_GCM,
+                    keyEncoding: ENCODING_SCHEME_UTF8,
                     tags,
                     ...((
                         secretCommentCiphertext !== undefined &&
@@ -834,6 +928,8 @@ export const updateSecrets = async (req: Request, res: Response) => {
                 secretCommentCiphertext: secretCommentCiphertext ? secretCommentCiphertext : secret.secretCommentCiphertext,
                 secretCommentIV: secretCommentIV ? secretCommentIV : secret.secretCommentIV,
                 secretCommentTag: secretCommentTag ? secretCommentTag : secret.secretCommentTag,
+                algorithm: ALGORITHM_AES_256_GCM,
+                keyEncoding: ENCODING_SCHEME_UTF8,
                 tags: tags ? tags : secret.tags
             });
         })
@@ -858,21 +954,25 @@ export const updateSecrets = async (req: Request, res: Response) => {
         setTimeout(async () => {
             await EventService.handleEvent({
                 event: eventPushSecrets({
-                    workspaceId: key
+                    workspaceId: new Types.ObjectId(key)
                 })
             });
         }, 10000);
 
         const updateAction = await EELogService.createAction({
             name: ACTION_UPDATE_SECRETS,
-            userId: req.user._id,
+            userId: req.user?._id,
+            serviceAccountId: req.serviceAccount?._id,
+            serviceTokenDataId: req.serviceTokenData?._id,
             workspaceId: new Types.ObjectId(key),
             secretIds: workspaceSecretObj[key].map((secret: ISecret) => secret._id)
         });
 
         // (EE) create (audit) log
         updateAction && await EELogService.createLog({
-            userId: req.user._id.toString(),
+            userId: req.user?._id,
+            serviceAccountId: req.serviceAccount?._id,
+            serviceTokenDataId: req.serviceTokenData?._id,
             workspaceId: new Types.ObjectId(key),
             actions: [updateAction],
             channel,
@@ -881,19 +981,32 @@ export const updateSecrets = async (req: Request, res: Response) => {
 
         // (EE) take a secret snapshot
         await EESecretService.takeSecretSnapshot({
-            workspaceId: key
+            workspaceId: new Types.ObjectId(key)
         })
 
+        const workspace = await Workspace.findById(key);
+        if (!workspace) throw WorkspaceNotFoundError();
+        
+        const orgPlan = await EELicenseService.getOrganizationPlan(workspace.organization.toString());
+        const isPaid = orgPlan.tier >= 1;
+
+        const postHogClient = await TelemetryService.getPostHogClient();
         if (postHogClient) {
             postHogClient.capture({
                 event: 'secrets modified',
-                distinctId: req.user.email,
+                distinctId: await TelemetryService.getDistinctId({
+                    authData: req.authData
+                }),
                 properties: {
                     numberOfSecrets: workspaceSecretObj[key].length,
                     environment: workspaceSecretObj[key][0].environment,
                     workspaceId: key,
                     channel: channel,
-                    userAgent: req.headers?.['user-agent']
+                    userAgent: req.headers?.['user-agent'],
+                    isPaid,
+                    email: await TelemetryService.getDistinctId({
+                        authData: req.authData
+                    })
                 }
             });
         }
@@ -909,7 +1022,7 @@ export const updateSecrets = async (req: Request, res: Response) => {
 }
 
 /**
- * Delete secret(s) with id [workspaceId] and environment [environment]
+ * Delete secret(s)
  * @param req 
  * @param res 
  */
@@ -958,7 +1071,7 @@ export const deleteSecrets = async (req: Request, res: Response) => {
         }
     }   
     */
-    const postHogClient = getPostHogClient();
+
     const channel = getChannelFromUserAgent(req.headers['user-agent'])
     const toDelete = req.secrets.map((s: any) => s._id);
 
@@ -987,19 +1100,23 @@ export const deleteSecrets = async (req: Request, res: Response) => {
         // trigger event - push secrets
         await EventService.handleEvent({
             event: eventPushSecrets({
-                workspaceId: key
+                workspaceId: new Types.ObjectId(key)
             })
         });
         const deleteAction = await EELogService.createAction({
             name: ACTION_DELETE_SECRETS,
-            userId: req.user._id,
+            userId: req.user?._id,
+            serviceAccountId: req.serviceAccount?._id,
+            serviceTokenDataId: req.serviceTokenData?._id,
             workspaceId: new Types.ObjectId(key),
             secretIds: workspaceSecretObj[key].map((secret: ISecret) => secret._id)
         });
 
         // (EE) create (audit) log
         deleteAction && await EELogService.createLog({
-            userId: req.user._id.toString(),
+            userId: req.user?._id,
+            serviceAccountId: req.serviceAccount?._id,
+            serviceTokenDataId: req.serviceTokenData?._id,
             workspaceId: new Types.ObjectId(key),
             actions: [deleteAction],
             channel,
@@ -1008,19 +1125,32 @@ export const deleteSecrets = async (req: Request, res: Response) => {
 
         // (EE) take a secret snapshot
         await EESecretService.takeSecretSnapshot({
-            workspaceId: key
-        })
+            workspaceId: new Types.ObjectId(key)
+        });
 
+        const workspace = await Workspace.findById(key);
+        if (!workspace) throw WorkspaceNotFoundError();
+        
+        const orgPlan = await EELicenseService.getOrganizationPlan(workspace.organization.toString());
+        const isPaid = orgPlan.tier >= 1;
+
+        const postHogClient = await TelemetryService.getPostHogClient();
         if (postHogClient) {
             postHogClient.capture({
                 event: 'secrets deleted',
-                distinctId: req.user.email,
+                distinctId: await TelemetryService.getDistinctId({
+                    authData: req.authData
+                }),
                 properties: {
                     numberOfSecrets: workspaceSecretObj[key].length,
                     environment: workspaceSecretObj[key][0].environment,
                     workspaceId: key,
                     channel: channel,
-                    userAgent: req.headers?.['user-agent']
+                    userAgent: req.headers?.['user-agent'],
+                    isPaid,
+                    email: await TelemetryService.getDistinctId({
+                        authData: req.authData
+                    })
                 }
             });
         }

backend/src/controllers/v2/serviceAccountsController.ts

@@ -0,0 +1,306 @@
+import { Request, Response } from 'express';
+import { Types } from 'mongoose';
+import crypto from 'crypto';
+import bcrypt from 'bcrypt';
+import { 
+    ServiceAccount,
+    ServiceAccountKey,
+    ServiceAccountOrganizationPermission,
+    ServiceAccountWorkspacePermission
+} from '../../models';
+import {
+    CreateServiceAccountDto
+} from '../../interfaces/serviceAccounts/dto';
+import { BadRequestError, ServiceAccountNotFoundError } from '../../utils/errors';
+import { getSaltRounds } from '../../config';
+
+/**
+ * Return service account tied to the request (service account) client
+ * @param req
+ * @param res
+ */
+export const getCurrentServiceAccount = async (req: Request, res: Response) => {
+    const serviceAccount = await ServiceAccount.findById(req.serviceAccount._id);
+    
+    if (!serviceAccount) {
+        throw ServiceAccountNotFoundError({ message: 'Failed to find service account' });
+    }
+    
+    return res.status(200).send({
+        serviceAccount
+    });
+}
+
+/**
+ * Return service account with id [serviceAccountId]
+ * @param req 
+ * @param res 
+ */
+export const getServiceAccountById = async (req: Request, res: Response) => {
+    const { serviceAccountId } = req.params;
+    
+    const serviceAccount = await ServiceAccount.findById(serviceAccountId);
+    
+    if (!serviceAccount) {
+        throw ServiceAccountNotFoundError({ message: 'Failed to find service account' });
+    }
+    
+    return res.status(200).send({
+        serviceAccount
+    });
+}
+
+/**
+ * Create a new service account under organization with id [organizationId]
+ * that has access to workspaces [workspaces]
+ * @param req 
+ * @param res 
+ * @returns
+ */
+export const createServiceAccount = async (req: Request, res: Response) => {
+    const {
+        name,
+        organizationId,
+        publicKey,
+        expiresIn,
+    }: CreateServiceAccountDto = req.body;
+
+    let expiresAt;
+    if (expiresIn) {
+        expiresAt = new Date();
+        expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
+    }
+
+    const secret = crypto.randomBytes(16).toString('base64');
+    const secretHash = await bcrypt.hash(secret, await getSaltRounds());
+    
+    // create service account
+    const serviceAccount = await new ServiceAccount({
+        name,
+        organization: new Types.ObjectId(organizationId),
+        user: req.user,
+        publicKey,
+        lastUsed: new Date(),
+        expiresAt,
+        secretHash
+    }).save();
+    
+    const serviceAccountObj = serviceAccount.toObject();
+    
+    delete serviceAccountObj.secretHash;
+
+    // provision default org-level permission for service account
+    await new ServiceAccountOrganizationPermission({
+        serviceAccount: serviceAccount._id
+    }).save();
+    
+    const secretId = Buffer.from(serviceAccount._id.toString(), 'hex').toString('base64');
+
+    return res.status(200).send({
+        serviceAccountAccessKey: `sa.${secretId}.${secret}`,
+        serviceAccount: serviceAccountObj
+    });
+}
+
+/**
+ * Change name of service account with id [serviceAccountId] to [name]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const changeServiceAccountName = async (req: Request, res: Response) => {
+    const { serviceAccountId } = req.params;
+    const { name } = req.body;
+    
+    const serviceAccount = await ServiceAccount.findOneAndUpdate(
+        {
+            _id: new Types.ObjectId(serviceAccountId)
+        },
+        {
+            name
+        },
+        {
+            new: true
+        }
+    );
+    
+    return res.status(200).send({
+        serviceAccount
+    });
+}
+
+/**
+ * Add a service account key to service account with id [serviceAccountId]
+ * for workspace with id [workspaceId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const addServiceAccountKey = async (req: Request, res: Response) => {
+    const {
+        workspaceId,
+        encryptedKey,
+        nonce
+    } = req.body;
+    
+    const serviceAccountKey = await new ServiceAccountKey({
+        encryptedKey,
+        nonce,
+        sender: req.user._id,
+        serviceAccount: req.serviceAccount._d,
+        workspace: new Types.ObjectId(workspaceId)
+    }).save();
+
+    return serviceAccountKey;
+}
+
+/**
+ * Return workspace-level permission for service account with id [serviceAccountId]
+ * @param req 
+ * @param res 
+ */
+export const getServiceAccountWorkspacePermissions = async (req: Request, res: Response) => {
+    const serviceAccountWorkspacePermissions = await ServiceAccountWorkspacePermission.find({
+        serviceAccount: req.serviceAccount._id
+    }).populate('workspace');
+    
+    return res.status(200).send({
+        serviceAccountWorkspacePermissions
+    });
+}
+
+/**
+ * Add a workspace permission to service account with id [serviceAccountId]
+ * @param req 
+ * @param res 
+ */
+export const addServiceAccountWorkspacePermission = async (req: Request, res: Response) => {
+    const { serviceAccountId } = req.params;
+    const {
+        environment,
+        workspaceId,
+        read = false,
+        write = false,
+        encryptedKey,
+        nonce
+    } = req.body;
+    
+    if (!req.membership.workspace.environments.some((e: { name: string; slug: string }) => e.slug === environment)) {
+        return res.status(400).send({
+            message: 'Failed to validate workspace environment'
+        });
+    }
+    
+    const existingPermission = await ServiceAccountWorkspacePermission.findOne({
+        serviceAccount: new Types.ObjectId(serviceAccountId),
+        workspace: new Types.ObjectId(workspaceId),
+        environment
+    });
+    
+    if (existingPermission) throw BadRequestError({ message: 'Failed to add workspace permission to service account due to already-existing ' });
+
+    const serviceAccountWorkspacePermission = await new ServiceAccountWorkspacePermission({
+        serviceAccount: new Types.ObjectId(serviceAccountId),
+        workspace: new Types.ObjectId(workspaceId),
+        environment,
+        read,
+        write
+    }).save();
+    
+    const existingServiceAccountKey = await ServiceAccountKey.findOne({
+        serviceAccount: new Types.ObjectId(serviceAccountId),
+        workspace: new Types.ObjectId(workspaceId) 
+    });
+    
+    if (!existingServiceAccountKey) {
+        await new ServiceAccountKey({
+            encryptedKey,
+            nonce,
+            sender: req.user._id,
+            serviceAccount: new Types.ObjectId(serviceAccountId),
+            workspace: new Types.ObjectId(workspaceId)
+        }).save();
+    }
+
+    return res.status(200).send({
+        serviceAccountWorkspacePermission
+    });
+}
+
+/**
+ * Delete workspace permission from service account with id [serviceAccountId]
+ * @param req 
+ * @param res 
+ */
+export const deleteServiceAccountWorkspacePermission = async (req: Request, res: Response) => {
+    const { serviceAccountWorkspacePermissionId } = req.params;
+    const serviceAccountWorkspacePermission = await ServiceAccountWorkspacePermission.findByIdAndDelete(serviceAccountWorkspacePermissionId);
+
+    if (serviceAccountWorkspacePermission) {
+        const { serviceAccount, workspace } = serviceAccountWorkspacePermission;
+        const count = await ServiceAccountWorkspacePermission.countDocuments({
+            serviceAccount,
+            workspace
+        });
+        
+        if (count === 0) {
+            await ServiceAccountKey.findOneAndDelete({
+                serviceAccount,
+                workspace
+            });
+        }
+    }
+
+    return res.status(200).send({
+        serviceAccountWorkspacePermission
+    });
+}
+
+/**
+ * Delete service account with id [serviceAccountId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const deleteServiceAccount = async (req: Request, res: Response) => {
+    const { serviceAccountId } = req.params;
+
+    const serviceAccount = await ServiceAccount.findByIdAndDelete(serviceAccountId);
+
+    if (serviceAccount) {
+        await ServiceAccountKey.deleteMany({
+            serviceAccount: serviceAccount._id
+        });
+
+        await ServiceAccountOrganizationPermission.deleteMany({
+            serviceAccount: new Types.ObjectId(serviceAccountId)
+        });
+
+        await ServiceAccountWorkspacePermission.deleteMany({
+            serviceAccount: new Types.ObjectId(serviceAccountId)
+        });
+    }
+
+    return res.status(200).send({
+        serviceAccount
+    });
+}
+
+/**
+ * Return service account keys for service account with id [serviceAccountId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getServiceAccountKeys = async (req: Request, res: Response) => {
+    const workspaceId = req.query.workspaceId as string;
+    
+    const serviceAccountKeys = await ServiceAccountKey.find({
+        serviceAccount: req.serviceAccount._id,
+        ...(workspaceId ? { workspace: new Types.ObjectId(workspaceId) } : {})
+    });
+    
+    return res.status(200).send({
+        serviceAccountKeys
+    });
+}

backend/src/controllers/v2/serviceTokenDataController.ts

@@ -3,11 +3,19 @@ import { Request, Response } from 'express';
 import crypto from 'crypto';
 import bcrypt from 'bcrypt';
 import {
+    User,
+    ServiceAccount,
     ServiceTokenData
 } from '../../models';
 import { userHasWorkspaceAccess } from '../../ee/helpers/checkMembershipPermissions';
-import { ABILITY_READ } from '../../variables/organization';
+import { 
+    PERMISSION_READ_SECRETS,
+    AUTH_MODE_JWT,
+    AUTH_MODE_SERVICE_ACCOUNT,
+    AUTH_MODE_SERVICE_TOKEN
+} from '../../variables';
 import { getSaltRounds } from '../../config';
+import { BadRequestError } from '../../utils/errors';
 
 /**
  * Return service token data associated with service token on request
@@ -42,7 +50,16 @@ export const getServiceTokenData = async (req: Request, res: Response) => {
     }   
     */
 
-    return res.status(200).json(req.serviceTokenData);
+    if (!(req.authData.authPayload instanceof ServiceTokenData)) throw BadRequestError({
+        message: 'Failed accepted client validation for service token data'
+    });
+
+    const serviceTokenData = await ServiceTokenData
+        .findById(req.authData.authPayload._id)
+        .select('+encryptedKey +iv +tag')
+        .populate('user');
+
+    return res.status(200).json(serviceTokenData);
 }
 
 /**
@@ -53,59 +70,60 @@ export const getServiceTokenData = async (req: Request, res: Response) => {
  * @returns 
  */
 export const createServiceTokenData = async (req: Request, res: Response) => {
-    let serviceToken, serviceTokenData;
+    let serviceTokenData;
 
-    try {
-        const {
-            name,
-            workspaceId,
-            environment,
-            encryptedKey,
-            iv,
-            tag,
-            expiresIn,
-            permissions
-        } = req.body;
+    const {
+        name,
+        workspaceId,
+        environment,
+        encryptedKey,
+        iv,
+        tag,
+        expiresIn,
+        permissions
+    } = req.body;
 
-        const hasAccess = await userHasWorkspaceAccess(req.user, workspaceId, environment, ABILITY_READ)
-        if (!hasAccess) {
-            throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
-        }
+    const secret = crypto.randomBytes(16).toString('hex');
+    const secretHash = await bcrypt.hash(secret, await getSaltRounds());
 
-        const secret = crypto.randomBytes(16).toString('hex');
-        const secretHash = await bcrypt.hash(secret, getSaltRounds());
-
-        const expiresAt = new Date();
+    let expiresAt; 
+    if (expiresIn) {
+        expiresAt = new Date()
         expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
-
-        serviceTokenData = await new ServiceTokenData({
-            name,
-            workspace: workspaceId,
-            environment,
-            user: req.user._id,
-            expiresAt,
-            secretHash,
-            encryptedKey,
-            iv,
-            tag,
-            permissions
-        }).save();
-
-        // return service token data without sensitive data
-        serviceTokenData = await ServiceTokenData.findById(serviceTokenData._id);
-
-        if (!serviceTokenData) throw new Error('Failed to find service token data');
-
-        serviceToken = `st.${serviceTokenData._id.toString()}.${secret}`;
-
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-        Sentry.captureException(err);
-        return res.status(400).send({
-            message: 'Failed to create service token data'
-        });
     }
 
+    let user, serviceAccount;
+    
+    if (req.authData.authMode === AUTH_MODE_JWT && req.authData.authPayload instanceof User) {
+        user = req.authData.authPayload._id;
+    }
+
+    if (req.authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && req.authData.authPayload instanceof ServiceAccount) {
+        serviceAccount = req.authData.authPayload._id;
+    }
+        
+    serviceTokenData = await new ServiceTokenData({
+        name,
+        workspace: workspaceId,
+        environment,
+        user,
+        serviceAccount,
+        lastUsed: new Date(),
+        expiresAt,
+        secretHash,
+        encryptedKey,
+        iv,
+        tag,
+        permissions
+    }).save();
+
+    // return service token data without sensitive data
+    serviceTokenData = await ServiceTokenData.findById(serviceTokenData._id);
+
+    if (!serviceTokenData) throw new Error('Failed to find service token data');
+
+    const serviceToken = `st.${serviceTokenData._id.toString()}.${secret}`;
+
     return res.status(200).send({
         serviceToken,
         serviceTokenData
@@ -119,25 +137,11 @@ export const createServiceTokenData = async (req: Request, res: Response) => {
  * @returns 
  */
 export const deleteServiceTokenData = async (req: Request, res: Response) => {
-    let serviceTokenData;
-    try {
-        const { serviceTokenDataId } = req.params;
+    const { serviceTokenDataId } = req.params;
 
-        serviceTokenData = await ServiceTokenData.findByIdAndDelete(serviceTokenDataId);
-
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-        Sentry.captureException(err);
-        return res.status(400).send({
-            message: 'Failed to delete service token data'
-        });
-    }
+    const serviceTokenData = await ServiceTokenData.findByIdAndDelete(serviceTokenDataId);
 
     return res.status(200).send({
         serviceTokenData
     });
-}
-
-function UnauthorizedRequestError(arg0: { message: string; }) {
-    throw new Error('Function not implemented.');
 }

backend/src/controllers/v2/signupController.ts

@@ -7,8 +7,9 @@ import {
 } from '../../helpers/signup';
 import { issueAuthTokens } from '../../helpers/auth';
 import { INVITED, ACCEPTED } from '../../variables';
-import request from '../../config/request';
-import { getNodeEnv, getLoopsApiKey } from '../../config';
+import { standardRequest } from '../../config/request';
+import { getLoopsApiKey, getHttpsEnabled } from '../../config';
+import { updateSubscriptionOrgQuantity } from '../../helpers/organization';
 
 /**
  * Complete setting up user by adding their personal and auth information as part of the
@@ -24,9 +25,9 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 			email,
 			firstName,
 			lastName,
-            protectedKey,
-            protectedKeyIV,
-            protectedKeyTag,
+			protectedKey,
+			protectedKeyIV,
+			protectedKeyTag,
 			publicKey,
 			encryptedPrivateKey,
 			encryptedPrivateKeyIV,
@@ -38,9 +39,9 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 			email: string;
 			firstName: string;
 			lastName: string;
-            protectedKey: string;
-            protectedKeyIV: string;
-            protectedKeyTag: string;
+			protectedKey: string;
+			protectedKeyIV: string;
+			protectedKeyTag: string;
 			publicKey: string;
 			encryptedPrivateKey: string;
 			encryptedPrivateKeyIV: string;
@@ -48,11 +49,11 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 			salt: string;
 			verifier: string;
 			organizationName: string;
-        } = req.body;
+		} = req.body;
 
 		// get user
 		user = await User.findOne({ email });
-		
+
 		if (!user || (user && user?.publicKey)) {
 			// case 1: user doesn't exist.
 			// case 2: user has already completed account
@@ -66,10 +67,10 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 			userId: user._id.toString(),
 			firstName,
 			lastName,
-            encryptionVersion: 2,
-            protectedKey,
-            protectedKeyIV,
-            protectedKeyTag,
+			encryptionVersion: 2,
+			protectedKey,
+			protectedKeyIV,
+			protectedKeyTag,
 			publicKey,
 			encryptedPrivateKey,
 			encryptedPrivateKeyIV,
@@ -87,6 +88,19 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 			user
 		});
 
+		// update organization membership statuses that are
+		// invited to completed with user attached
+		const membershipsToUpdate = await MembershipOrg.find({
+			inviteEmail: email,
+			status: INVITED
+		});
+		
+		membershipsToUpdate.forEach(async (membership) => {
+			await updateSubscriptionOrgQuantity({
+				organizationId: membership.organization.toString()
+			});
+		});
+
 		// update organization membership statuses that are
 		// invited to completed with user attached
 		await MembershipOrg.updateMany(
@@ -108,8 +122,8 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 		token = tokens.token;
 
 		// sending a welcome email to new users
-		if (getLoopsApiKey()) {
-			await request.post("https://app.loops.so/api/v1/events/send", {
+		if (await getLoopsApiKey()) {
+			await standardRequest.post("https://app.loops.so/api/v1/events/send", {
 				"email": email,
 				"eventName": "Sign Up",
 				"firstName": firstName,
@@ -117,7 +131,7 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 			}, {
 				headers: {
 					"Accept": "application/json",
-					"Authorization": "Bearer " + getLoopsApiKey()
+					"Authorization": "Bearer " + (await getLoopsApiKey())
 				},
 			});
 		}
@@ -127,7 +141,7 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 			httpOnly: true,
 			path: '/',
 			sameSite: 'strict',
-			secure: getNodeEnv() === 'production' ? true : false
+			secure: await getHttpsEnabled()
 		});
 	} catch (err) {
 		Sentry.setUser(null);
@@ -158,9 +172,9 @@ export const completeAccountInvite = async (req: Request, res: Response) => {
 			email,
 			firstName,
 			lastName,
-            protectedKey,
-            protectedKeyIV,
-            protectedKeyTag,
+			protectedKey,
+			protectedKeyIV,
+			protectedKeyTag,
 			publicKey,
 			encryptedPrivateKey,
 			encryptedPrivateKeyIV,
@@ -192,10 +206,10 @@ export const completeAccountInvite = async (req: Request, res: Response) => {
 			userId: user._id.toString(),
 			firstName,
 			lastName,
-            encryptionVersion: 2,
-            protectedKey,
-            protectedKeyIV,
-            protectedKeyTag,
+			encryptionVersion: 2,
+			protectedKey,
+			protectedKeyIV,
+			protectedKeyTag,
 			publicKey,
 			encryptedPrivateKey,
 			encryptedPrivateKeyIV,
@@ -206,9 +220,20 @@ export const completeAccountInvite = async (req: Request, res: Response) => {
 
 		if (!user)
 			throw new Error('Failed to complete account for non-existent user');
-
+		
 		// update organization membership statuses that are
 		// invited to completed with user attached
+		const membershipsToUpdate = await MembershipOrg.find({
+			inviteEmail: email,
+			status: INVITED
+		});
+		
+		membershipsToUpdate.forEach(async (membership) => {
+			await updateSubscriptionOrgQuantity({
+				organizationId: membership.organization.toString()
+			});
+		});
+
 		await MembershipOrg.updateMany(
 			{
 				inviteEmail: email,
@@ -232,7 +257,7 @@ export const completeAccountInvite = async (req: Request, res: Response) => {
 			httpOnly: true,
 			path: '/',
 			sameSite: 'strict',
-			secure: getNodeEnv() === 'production' ? true : false
+			secure: await getHttpsEnabled()
 		});
 	} catch (err) {
 		Sentry.setUser(null);
@@ -241,7 +266,7 @@ export const completeAccountInvite = async (req: Request, res: Response) => {
 			message: 'Failed to complete account setup'
 		});
 	}
-	
+
 	return res.status(200).send({
 		message: 'Successfully set up account',
 		user,

backend/src/controllers/v2/workspaceController.ts

@@ -19,7 +19,7 @@ import {
 	reformatPullSecrets
 } from '../../helpers/secret';
 import { pushKeys } from '../../helpers/key';
-import { getPostHogClient, EventService } from '../../services';
+import { TelemetryService, EventService } from '../../services';
 import { eventPushSecrets } from '../../events';
 
 interface V2PushSecret {
@@ -48,7 +48,7 @@ interface V2PushSecret {
 export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
 	// upload (encrypted) secrets to workspace with id [workspaceId]
 	try {
-		const postHogClient = getPostHogClient();
+		const postHogClient = await TelemetryService.getPostHogClient();
 		let { secrets }: { secrets: V2PushSecret[] } = req.body;
 		const { keys, environment, channel } = req.body;
 		const { workspaceId } = req.params;
@@ -95,7 +95,8 @@ export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
 		// trigger event - push secrets
 		EventService.handleEvent({
 			event: eventPushSecrets({
-				workspaceId
+				workspaceId: new Types.ObjectId(workspaceId),
+				environment
 			})
 		});
 
@@ -122,7 +123,7 @@ export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
 export const pullSecrets = async (req: Request, res: Response) => {
 	let secrets;
 	try {
-		const postHogClient = getPostHogClient();
+		const postHogClient = await TelemetryService.getPostHogClient();
 		const environment: string = req.query.environment as string;
 		const channel: string = req.query.channel as string;
 		const { workspaceId } = req.params;
@@ -131,7 +132,7 @@ export const pullSecrets = async (req: Request, res: Response) => {
 		if (req.user) {
 			userId = req.user._id.toString();
 		} else if (req.serviceTokenData) {
-			userId = req.serviceTokenData.user._id
+			userId = req.serviceTokenData.user.toString();
 		}
 		// validate environment
 		const workspaceEnvs = req.membership.workspace.environments;
@@ -506,5 +507,4 @@ export const toggleAutoCapitalization = async (req: Request, res: Response) => {
 		message: 'Successfully changed autoCapitalization setting',
 		workspace
 	});
-};
-
+};

backend/src/controllers/v3/authController.ts

@@ -0,0 +1,260 @@
+/* eslint-disable @typescript-eslint/no-var-requires */
+import { Request, Response } from 'express';
+import jwt from 'jsonwebtoken';
+import * as Sentry from '@sentry/node';
+import * as bigintConversion from 'bigint-conversion';
+const jsrp = require('jsrp');
+import { User, LoginSRPDetail } from '../../models';
+import { issueAuthTokens, createToken, validateProviderAuthToken } from '../../helpers/auth';
+import { checkUserDevice } from '../../helpers/user';
+import { sendMail } from '../../helpers/nodemailer';
+import { TokenService } from '../../services';
+import { EELogService } from '../../ee/services';
+import { BadRequestError, InternalServerError } from '../../utils/errors';
+import {
+    TOKEN_EMAIL_MFA,
+    ACTION_LOGIN
+} from '../../variables';
+import { getChannelFromUserAgent } from '../../utils/posthog'; // TODO: move this
+import {
+    getJwtMfaLifetime,
+    getJwtMfaSecret,
+    getHttpsEnabled,
+} from '../../config';
+import { AuthProvider } from '../../models/user';
+
+declare module 'jsonwebtoken' {
+    export interface ProviderAuthJwtPayload extends jwt.JwtPayload {
+        userId: string;
+        email: string;
+        authProvider: AuthProvider;
+        isUserCompleted: boolean,
+    }
+}
+
+/**
+ * Log in user step 1: Return [salt] and [serverPublicKey] as part of step 1 of SRP protocol
+ * @param req
+ * @param res
+ * @returns
+ */
+export const login1 = async (req: Request, res: Response) => {
+    try {
+        const {
+            email,
+            providerAuthToken,
+            clientPublicKey
+        }: {
+            email: string;
+            clientPublicKey: string,
+            providerAuthToken?: string;
+        } = req.body;
+
+        const user = await User.findOne({
+            email,
+        }).select('+salt +verifier');
+
+        if (!user) throw new Error('Failed to find user');
+
+        if (user.authProvider) {
+            await validateProviderAuthToken({
+                email,
+                user,
+                providerAuthToken,
+            })
+        }
+
+        const server = new jsrp.server();
+        server.init(
+            {
+                salt: user.salt,
+                verifier: user.verifier
+            },
+            async () => {
+                // generate server-side public key
+                const serverPublicKey = server.getPublicKey();
+                await LoginSRPDetail.findOneAndReplace({
+                    email: email
+                }, {
+                    email,
+                    userId: user.id,
+                    clientPublicKey: clientPublicKey,
+                    serverBInt: bigintConversion.bigintToBuf(server.bInt),
+                }, { upsert: true, returnNewDocument: false });
+
+                return res.status(200).send({
+                    serverPublicKey,
+                    salt: user.salt
+                });
+            }
+        );
+    } catch (err) {
+        Sentry.setUser(null);
+        Sentry.captureException(err);
+        return res.status(400).send({
+            message: 'Failed to start authentication process'
+        });
+    }
+};
+
+/**
+ * Log in user step 2: complete step 2 of SRP protocol and return token and their (encrypted)
+ * private key
+ * @param req
+ * @param res
+ * @returns
+ */
+export const login2 = async (req: Request, res: Response) => {
+    try {
+
+        if (!req.headers['user-agent']) throw InternalServerError({ message: 'User-Agent header is required' });
+
+        const { email, clientProof, providerAuthToken } = req.body;
+
+        const user = await User.findOne({
+            email,
+        }).select('+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag');
+
+        if (!user) throw new Error('Failed to find user');
+
+        if (user.authProvider) {
+            await validateProviderAuthToken({
+                email,
+                user,
+                providerAuthToken,
+            })
+        }
+
+        const loginSRPDetail = await LoginSRPDetail.findOneAndDelete({ email: email })
+
+        if (!loginSRPDetail) {
+            return BadRequestError(Error("Failed to find login details for SRP"))
+        }
+
+        const server = new jsrp.server();
+        server.init(
+            {
+                salt: user.salt,
+                verifier: user.verifier,
+                b: loginSRPDetail.serverBInt
+            },
+            async () => {
+                server.setClientPublicKey(loginSRPDetail.clientPublicKey);
+
+                // compare server and client shared keys
+                if (server.checkClientProof(clientProof)) {
+
+                    if (user.isMfaEnabled) {
+                        // case: user has MFA enabled
+
+                        // generate temporary MFA token
+                        const token = createToken({
+                            payload: {
+                                userId: user._id.toString()
+                            },
+                            expiresIn: await getJwtMfaLifetime(),
+                            secret: await getJwtMfaSecret()
+                        });
+
+                        const code = await TokenService.createToken({
+                            type: TOKEN_EMAIL_MFA,
+                            email
+                        });
+
+                        // send MFA code [code] to [email]
+                        await sendMail({
+                            template: 'emailMfa.handlebars',
+                            subjectLine: 'Infisical MFA code',
+                            recipients: [user.email],
+                            substitutions: {
+                                code
+                            }
+                        });
+
+                        return res.status(200).send({
+                            mfaEnabled: true,
+                            token
+                        });
+                    }
+
+                    await checkUserDevice({
+                        user,
+                        ip: req.ip,
+                        userAgent: req.headers['user-agent'] ?? ''
+                    });
+
+                    // issue tokens
+                    const tokens = await issueAuthTokens({ userId: user._id.toString() });
+
+                    // store (refresh) token in httpOnly cookie
+                    res.cookie('jid', tokens.refreshToken, {
+                        httpOnly: true,
+                        path: '/',
+                        sameSite: 'strict',
+                        secure: await getHttpsEnabled()
+                    });
+
+                    // case: user does not have MFA enablgged
+                    // return (access) token in response
+
+                    interface ResponseData {
+                        mfaEnabled: boolean;
+                        encryptionVersion: any;
+                        protectedKey?: string;
+                        protectedKeyIV?: string;
+                        protectedKeyTag?: string;
+                        token: string;
+                        publicKey?: string;
+                        encryptedPrivateKey?: string;
+                        iv?: string;
+                        tag?: string;
+                    }
+
+                    const response: ResponseData = {
+                        mfaEnabled: false,
+                        encryptionVersion: user.encryptionVersion,
+                        token: tokens.token,
+                        publicKey: user.publicKey,
+                        encryptedPrivateKey: user.encryptedPrivateKey,
+                        iv: user.iv,
+                        tag: user.tag
+                    }
+
+                    if (
+                        user?.protectedKey &&
+                        user?.protectedKeyIV &&
+                        user?.protectedKeyTag
+                    ) {
+                        response.protectedKey = user.protectedKey;
+                        response.protectedKeyIV = user.protectedKeyIV
+                        response.protectedKeyTag = user.protectedKeyTag;
+                    }
+
+                    const loginAction = await EELogService.createAction({
+                        name: ACTION_LOGIN,
+                        userId: user._id
+                    });
+
+                    loginAction && await EELogService.createLog({
+                        userId: user._id,
+                        actions: [loginAction],
+                        channel: getChannelFromUserAgent(req.headers['user-agent']),
+                        ipAddress: req.ip
+                    });
+
+                    return res.status(200).send(response);
+                }
+
+                return res.status(400).send({
+                    message: 'Failed to authenticate. Try again?'
+                });
+            }
+        );
+    } catch (err) {
+        Sentry.setUser(null);
+        Sentry.captureException(err);
+        return res.status(400).send({
+            message: 'Failed to authenticate. Try again?'
+        });
+    }
+};

backend/src/controllers/v3/index.ts

@@ -0,0 +1,11 @@
+import * as secretsController from './secretsController';
+import * as workspacesController from './workspacesController';
+import * as authController from './authController';
+import * as signupController from './signupController';
+
+export {
+    authController,
+    secretsController,
+    signupController,
+    workspacesController,
+}

backend/src/controllers/v3/secretsController.ts

@@ -0,0 +1,183 @@
+import { Request, Response } from 'express';
+import { Types } from 'mongoose';
+import { 
+    SecretService, 
+    TelemetryService,
+    EventService
+} from '../../services';
+import { eventPushSecrets } from '../../events';
+import { getAuthDataPayloadIdObj } from '../../utils/auth';
+import { BadRequestError } from '../../utils/errors';
+
+/**
+ * Get secrets for workspace with id [workspaceId] and environment
+ * [environment]
+ * @param req 
+ * @param res 
+ */
+export const getSecrets = async (req: Request, res: Response) => {
+    const workspaceId = req.query.workspaceId as string;
+    const environment = req.query.environment as string;
+
+    const secrets = await SecretService.getSecrets({
+        workspaceId: new Types.ObjectId(workspaceId),
+        environment,
+        authData: req.authData
+    });
+
+    return res.status(200).send({
+        secrets
+    });
+}
+
+/**
+ * Get secret with name [secretName]
+ * @param req 
+ * @param res 
+ */
+export const getSecretByName = async (req: Request, res: Response) => {
+    const { secretName } = req.params;
+    const workspaceId = req.query.workspaceId as string;
+    const environment = req.query.environment as string;
+    const type = req.query.type as 'shared' | 'personal' | undefined;
+
+    const secret = await SecretService.getSecret({
+        secretName,
+        workspaceId: new Types.ObjectId(workspaceId),
+        environment,
+        type,
+        authData: req.authData
+    });
+    
+    return res.status(200).send({
+        secret
+    });
+}
+
+/**
+ * Create secret with name [secretName]
+ * @param req 
+ * @param res 
+ */
+export const createSecret = async (req: Request, res: Response) => {
+    const { secretName } = req.params;
+    const { 
+        workspaceId,
+        environment,
+        type,
+        secretKeyCiphertext,
+        secretKeyIV,
+        secretKeyTag,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag,
+        secretCommentCiphertext,
+        secretCommentIV,
+        secretCommentTag
+    } = req.body;
+    
+    const secret = await SecretService.createSecret({
+        secretName,
+        workspaceId: new Types.ObjectId(workspaceId),
+        environment,
+        type,
+        authData: req.authData,
+        secretKeyCiphertext,
+        secretKeyIV,
+        secretKeyTag,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag,
+        ...((secretCommentCiphertext && secretCommentIV && secretCommentTag) ? {
+            secretCommentCiphertext,
+            secretCommentIV,
+            secretCommentTag
+        } : {})
+    });
+
+    await EventService.handleEvent({
+        event: eventPushSecrets({
+            workspaceId: new Types.ObjectId(workspaceId),
+            environment
+        })
+    });
+
+    const secretWithoutBlindIndex = secret.toObject();
+    delete secretWithoutBlindIndex.secretBlindIndex;
+    
+    return res.status(200).send({
+        secret: secretWithoutBlindIndex
+    });
+}
+
+/**
+ * Update secret with name [secretName]
+ * @param req
+ * @param res 
+ */
+export const updateSecretByName = async (req: Request, res: Response) => {
+    const { secretName } = req.params;
+    const {
+        workspaceId,
+        environment,
+        type,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag
+    } = req.body;
+
+    const secret = await SecretService.updateSecret({
+        secretName,
+        workspaceId,
+        environment,
+        type,
+        authData: req.authData,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag
+    });
+    
+    await EventService.handleEvent({
+        event: eventPushSecrets({
+            workspaceId: new Types.ObjectId(workspaceId),
+            environment
+        })
+    });
+
+    return res.status(200).send({
+        secret
+    });
+}
+
+/**
+ * Delete secret with name [secretName]
+ * @param req 
+ * @param res 
+ */
+export const deleteSecretByName = async (req: Request, res: Response) => {
+    const { secretName } = req.params;
+    const {
+        workspaceId,
+        environment,
+        type
+    } = req.body;
+    
+    const { secret, secrets } = await SecretService.deleteSecret({
+        secretName,
+        workspaceId,
+        environment,
+        type,
+        authData: req.authData
+    });
+
+    await EventService.handleEvent({
+        event: eventPushSecrets({
+            workspaceId: new Types.ObjectId(workspaceId),
+            environment
+        })
+    });
+
+    return res.status(200).send({
+        secret
+    });
+}

backend/src/controllers/v3/signupController.ts

@@ -0,0 +1,192 @@
+import jwt from 'jsonwebtoken';
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { User, MembershipOrg } from '../../models';
+import { completeAccount } from '../../helpers/user';
+import {
+	initializeDefaultOrg
+} from '../../helpers/signup';
+import { issueAuthTokens, validateProviderAuthToken } from '../../helpers/auth';
+import { INVITED, ACCEPTED } from '../../variables';
+import { standardRequest } from '../../config/request';
+import { getLoopsApiKey, getHttpsEnabled, getJwtSignupSecret } from '../../config';
+import { BadRequestError } from '../../utils/errors';
+import { TelemetryService } from '../../services';
+
+/**
+ * Complete setting up user by adding their personal and auth information as part of the
+ * signup flow
+ * @param req
+ * @param res
+ * @returns
+ */
+export const completeAccountSignup = async (req: Request, res: Response) => {
+	let user, token, refreshToken;
+	try {
+		const {
+			email,
+			firstName,
+			lastName,
+			protectedKey,
+			protectedKeyIV,
+			protectedKeyTag,
+			publicKey,
+			encryptedPrivateKey,
+			encryptedPrivateKeyIV,
+			encryptedPrivateKeyTag,
+			salt,
+			verifier,
+			organizationName,
+			providerAuthToken,
+			attributionSource,
+		}: {
+			email: string;
+			firstName: string;
+			lastName: string;
+			protectedKey: string;
+			protectedKeyIV: string;
+			protectedKeyTag: string;
+			publicKey: string;
+			encryptedPrivateKey: string;
+			encryptedPrivateKeyIV: string;
+			encryptedPrivateKeyTag: string;
+			salt: string;
+			verifier: string;
+			organizationName: string;
+			providerAuthToken?: string;
+			attributionSource?: string;
+		} = req.body;
+
+		user = await User.findOne({ email });
+
+		if (!user || (user && user?.publicKey)) {
+			// case 1: user doesn't exist.
+			// case 2: user has already completed account
+			return res.status(403).send({
+				error: 'Failed to complete account for complete user'
+			});
+		}
+
+		if (providerAuthToken) {
+			await validateProviderAuthToken({
+				email,
+				providerAuthToken,
+				user,
+			});
+		} else {
+			const [AUTH_TOKEN_TYPE, AUTH_TOKEN_VALUE] = <[string, string]>req.headers['authorization']?.split(' ', 2) ?? [null, null]
+			if (AUTH_TOKEN_TYPE === null) {
+				throw BadRequestError({ message: `Missing Authorization Header in the request header.` });
+			}
+			if (AUTH_TOKEN_TYPE.toLowerCase() !== 'bearer') {
+				throw BadRequestError({ message: `The provided authentication type '${AUTH_TOKEN_TYPE}' is not supported.` })
+			}
+			if (AUTH_TOKEN_VALUE === null) {
+				throw BadRequestError({
+					message: 'Missing Authorization Body in the request header',
+				})
+			}
+
+			const decodedToken = <jwt.UserIDJwtPayload>(
+				jwt.verify(AUTH_TOKEN_VALUE, await getJwtSignupSecret())
+			);
+
+			if (decodedToken.userId !== user.id) {
+				throw BadRequestError();
+			}
+		}
+
+		// complete setting up user's account
+		user = await completeAccount({
+			userId: user._id.toString(),
+			firstName,
+			lastName,
+			encryptionVersion: 2,
+			protectedKey,
+			protectedKeyIV,
+			protectedKeyTag,
+			publicKey,
+			encryptedPrivateKey,
+			encryptedPrivateKeyIV,
+			encryptedPrivateKeyTag,
+			salt,
+			verifier
+		});
+
+		if (!user)
+			throw new Error('Failed to complete account for non-existent user'); // ensure user is non-null
+
+		// initialize default organization and workspace
+		await initializeDefaultOrg({
+			organizationName,
+			user
+		});
+
+		// update organization membership statuses that are
+		// invited to completed with user attached
+		await MembershipOrg.updateMany(
+			{
+				inviteEmail: email,
+				status: INVITED
+			},
+			{
+				user,
+				status: ACCEPTED
+			}
+		);
+
+		// issue tokens
+		const tokens = await issueAuthTokens({
+			userId: user._id.toString()
+		});
+
+		token = tokens.token;
+
+		// sending a welcome email to new users
+		if (await getLoopsApiKey()) {
+			await standardRequest.post("https://app.loops.so/api/v1/events/send", {
+				"email": email,
+				"eventName": "Sign Up",
+				"firstName": firstName,
+				"lastName": lastName
+			}, {
+				headers: {
+					"Accept": "application/json",
+					"Authorization": "Bearer " + (await getLoopsApiKey())
+				},
+			});
+		}
+
+		// store (refresh) token in httpOnly cookie
+		res.cookie('jid', tokens.refreshToken, {
+			httpOnly: true,
+			path: '/',
+			sameSite: 'strict',
+			secure: await getHttpsEnabled()
+		});
+
+		const postHogClient = await TelemetryService.getPostHogClient();
+		if (postHogClient) {
+			postHogClient.capture({
+				event: 'User Signed Up',
+				distinctId: email,
+				properties: {
+					email,
+					attributionSource
+				}
+			});
+		}
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to complete account setup'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Successfully set up account',
+		user,
+		token
+	});
+};

backend/src/controllers/v3/workspacesController.ts

@@ -0,0 +1,90 @@
+import { Request, Response } from 'express';
+import { Types } from 'mongoose';
+import { Secret } from '../../models';
+import { SecretService } from'../../services';
+
+/**
+ * Return whether or not all secrets in workspace with id [workspaceId]
+ * are blind-indexed
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getWorkspaceBlindIndexStatus = async (req: Request, res: Response) => {
+    const { workspaceId } = req.params;
+
+    const secretsWithoutBlindIndex = await Secret.countDocuments({
+        workspace: new Types.ObjectId(workspaceId),
+        secretBlindIndex: {
+            $exists: false
+        }
+    });
+
+    return res.status(200).send(secretsWithoutBlindIndex === 0);
+}
+
+/**
+ * Get all secrets for workspace with id [workspaceId]
+ */
+export const getWorkspaceSecrets = async (req: Request, res: Response) => {
+    const { workspaceId } = req.params;
+
+    const secrets = await Secret.find({
+        workspace: new Types.ObjectId (workspaceId)
+    });
+    
+    return res.status(200).send({
+        secrets
+    });
+}
+
+/**
+ * Update blind indices for secrets in workspace with id [workspaceId]
+ * @param req 
+ * @param res 
+ */
+export const nameWorkspaceSecrets = async (req: Request, res: Response) => {
+    interface SecretToUpdate {
+        secretName: string;
+        _id: string;
+    }
+
+    const { workspaceId } = req.params;
+    const { 
+        secretsToUpdate 
+    }: {
+        secretsToUpdate: SecretToUpdate[];
+    } = req.body;
+
+    // get secret blind index salt
+    const salt = await SecretService.getSecretBlindIndexSalt({
+        workspaceId: new Types.ObjectId(workspaceId)
+    });
+
+    // update secret blind indices
+    const operations = await Promise.all(
+        secretsToUpdate.map(async (secretToUpdate: SecretToUpdate) => {
+            const secretBlindIndex = await SecretService.generateSecretBlindIndexWithSalt({
+                secretName: secretToUpdate.secretName,
+                salt
+            });
+    
+            return ({
+                updateOne: {
+                    filter: {
+                        _id: new Types.ObjectId(secretToUpdate._id)
+                    },
+                    update: {
+                        secretBlindIndex
+                    }
+                }
+            });
+        })
+    );
+
+    await Secret.bulkWrite(operations);
+
+    return res.status(200).send({
+        message: 'Successfully named workspace secrets'
+    });
+}

backend/src/ee/controllers/v1/cloudProductsController.ts

@@ -0,0 +1,34 @@
+import * as Sentry from '@sentry/node';
+import { Request, Response } from 'express';
+import { EELicenseService } from '../../services';
+import { getLicenseServerUrl } from '../../../config';
+import { licenseServerKeyRequest } from '../../../config/request';
+
+/**
+ * Return available cloud product information.
+ * Note: Nicely formatted to easily construct a table from
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getCloudProducts = async (req: Request, res: Response) => {
+    try {
+        const billingCycle = req.query['billing-cycle'] as string;
+
+        if (EELicenseService.instanceType === 'cloud') {
+            const { data } = await licenseServerKeyRequest.get(
+                `${await getLicenseServerUrl()}/api/license-server/v1/cloud-products?billing-cycle=${billingCycle}`
+            ); 
+
+            return res.status(200).send(data);
+        }
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+        Sentry.captureException(err);
+    }
+    
+    return res.status(200).send({
+        head: [],
+        rows: []
+    });
+}

backend/src/ee/controllers/v1/index.ts

@@ -1,15 +1,19 @@
 import * as stripeController from './stripeController';
 import * as secretController from './secretController';
 import * as secretSnapshotController from './secretSnapshotController';
+import * as organizationsController from './organizationsController';
 import * as workspaceController from './workspaceController';
 import * as actionController from './actionController';
 import * as membershipController from './membershipController';
+import * as cloudProductsController from './cloudProductsController';
 
 export {
     stripeController,
     secretController,
     secretSnapshotController,
+    organizationsController,
     workspaceController,
     actionController,
-    membershipController
+    membershipController,
+    cloudProductsController
 }

backend/src/ee/controllers/v1/membershipController.ts

@@ -2,7 +2,8 @@ import { Request, Response } from "express";
 import { Membership, Workspace } from "../../../models";
 import { IMembershipPermission } from "../../../models/membership";
 import { BadRequestError, UnauthorizedRequestError } from "../../../utils/errors";
-import { ABILITY_READ, ABILITY_WRITE, ADMIN, MEMBER } from "../../../variables/organization";
+import { ADMIN, MEMBER } from "../../../variables/organization";
+import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from '../../../variables';
 import { Builder } from "builder-pattern"
 import _ from "lodash";
 
@@ -10,7 +11,7 @@ export const denyMembershipPermissions = async (req: Request, res: Response) =>
   const { membershipId } = req.params;
   const { permissions } = req.body;
   const sanitizedMembershipPermissions: IMembershipPermission[] = permissions.map((permission: IMembershipPermission) => {
-    if (!permission.ability || !permission.environmentSlug || ![ABILITY_READ, ABILITY_WRITE].includes(permission.ability)) {
+    if (!permission.ability || !permission.environmentSlug || ![PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS].includes(permission.ability)) {
       throw BadRequestError({ message: "One or more required fields are missing from the request or have incorrect type" })
     }
 

backend/src/ee/controllers/v1/organizationsController.ts

@@ -0,0 +1,83 @@
+import { Request, Response } from 'express';
+import { getLicenseServerUrl } from '../../../config';
+import { licenseServerKeyRequest } from '../../../config/request';
+import { EELicenseService } from '../../services';
+
+/**
+ * Return the organization's current plan and allowed feature set
+ */
+export const getOrganizationPlan = async (req: Request, res: Response) => {
+    const { organizationId } = req.params;
+
+    const plan = await EELicenseService.getOrganizationPlan(organizationId);
+
+    return res.status(200).send({
+        plan,
+    });
+}
+
+/**
+ * Update the organization plan to product with id [productId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const updateOrganizationPlan = async (req: Request, res: Response) => {
+    const {
+        productId
+    } = req.body;
+
+    const { data  } = await licenseServerKeyRequest.patch(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/cloud-plan`,
+        {
+            productId
+        }
+    ); 
+    
+    return res.status(200).send(data);
+}
+
+/**
+ * Return the organization's payment methods on file
+ */
+export const getOrganizationPmtMethods = async (req: Request, res: Response) => {
+    const { data: { pmtMethods } } = await licenseServerKeyRequest.get(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/payment-methods`
+    );
+
+    return res.status(200).send({
+        pmtMethods
+    }); 
+}
+
+/**
+ * Return a Stripe session URL to add payment method for organization
+ */
+export const addOrganizationPmtMethod = async (req: Request, res: Response) => {
+    const {
+        success_url,
+        cancel_url
+    } = req.body;
+    
+    const { data: { url } } = await licenseServerKeyRequest.post(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/payment-methods`,
+        {
+            success_url,
+            cancel_url
+        }
+    );
+    
+    return res.status(200).send({
+        url
+    }); 
+}
+
+export const deleteOrganizationPmtMethod = async (req: Request, res: Response) => {
+    const { pmtMethodId } = req.params;
+
+    const { data } = await licenseServerKeyRequest.delete(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/payment-methods/${pmtMethodId}`,
+    );
+        
+    return res.status(200).send(data);
+}

backend/src/ee/controllers/v1/secretController.ts

@@ -146,7 +146,7 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
 		const oldSecretVersion = await SecretVersion.findOne({
 			secret: secretId,
 			version
-		});
+		}).select('+secretBlindIndex')
 		
 		if (!oldSecretVersion) throw new Error('Failed to find secret version');
 		
@@ -155,12 +155,15 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
 			type,
 			user,
 			environment,
+			secretBlindIndex,
 			secretKeyCiphertext,
 			secretKeyIV,
 			secretKeyTag,
 			secretValueCiphertext,
 			secretValueIV,
 			secretValueTag,
+			algorithm,
+			keyEncoding
 		} = oldSecretVersion;
 		
 		// update secret
@@ -174,12 +177,15 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
 				type,
 				user,
 				environment,
+				...(secretBlindIndex ? { secretBlindIndex } : {}),
 				secretKeyCiphertext,
 				secretKeyIV,
 				secretKeyTag,
 				secretValueCiphertext,
 				secretValueIV,
 				secretValueTag,
+				algorithm,
+				keyEncoding
 			},
 			{
 				new: true
@@ -197,17 +203,20 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
 			user,
 			environment,
 			isDeleted: false,
+			...(secretBlindIndex ? { secretBlindIndex } : {}),
 			secretKeyCiphertext,
 			secretKeyIV,
 			secretKeyTag,
 			secretValueCiphertext,
 			secretValueIV,
-			secretValueTag
+			secretValueTag,
+			algorithm,
+			keyEncoding
 		}).save();
 		
 		// take secret snapshot
 		await EESecretService.takeSecretSnapshot({
-			workspaceId: secret.workspace.toString()
+			workspaceId: secret.workspace
 		});
 		
 	} catch (err) {

backend/src/ee/controllers/v1/secretSnapshotController.ts

@@ -15,16 +15,10 @@ export const getSecretSnapshot = async (req: Request, res: Response) => {
 
         secretSnapshot = await SecretSnapshot
             .findById(secretSnapshotId)
-            .populate({
-                path: 'secretVersions',
-                populate: {
-                    path: 'tags',
-                    model: 'Tag',
-                }
-            });
+            .populate('secretVersions');
         
         if (!secretSnapshot) throw new Error('Failed to find secret snapshot');
-        
+
     } catch (err) {
         Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);

backend/src/ee/controllers/v1/stripeController.ts

@@ -12,7 +12,7 @@ import { getStripeSecretKey, getStripeWebhookSecret } from '../../../config';
 export const handleWebhook = async (req: Request, res: Response) => {
 	let event;
 	try {
-		const stripe = new Stripe(getStripeSecretKey(), {
+		const stripe = new Stripe(await getStripeSecretKey(), {
 			apiVersion: '2022-08-01'
 		});
 
@@ -21,7 +21,7 @@ export const handleWebhook = async (req: Request, res: Response) => {
 		event = stripe.webhooks.constructEvent(
 			req.body,
 			sig,
-			getStripeWebhookSecret()
+			await getStripeWebhookSecret()
 		);
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });

backend/src/ee/controllers/v1/workspaceController.ts

@@ -173,6 +173,7 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
         }
     }   
     */
+	
 	let secrets;
     try {	
         const { workspaceId } = req.params;
@@ -182,7 +183,10 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
 		const secretSnapshot = await SecretSnapshot.findOne({
 			workspace: workspaceId,
 			version
-		}).populate<{ secretVersions: ISecretVersion[]}>('secretVersions');
+		}).populate<{ secretVersions: ISecretVersion[]}>({
+			path: 'secretVersions',
+			select: '+secretBlindIndex'
+		});
         
         if (!secretSnapshot) throw new Error('Failed to find secret snapshot');
 
@@ -222,6 +226,7 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
 					type,
 					user,
 					environment,
+					secretBlindIndex,
 					secretKeyCiphertext,
 					secretKeyIV,
 					secretKeyTag,
@@ -240,6 +245,7 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
 					type,
 					user,
 					environment,
+					secretBlindIndex: secretBlindIndex ?? undefined,
 					secretKeyCiphertext,
 					secretKeyIV,
 					secretKeyTag,
@@ -257,7 +263,7 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
 		);
 		
 		// add secret versions
-		await SecretVersion.insertMany(
+		const secretV = await SecretVersion.insertMany(
 			secrets.map(({
 				_id,
 				version,
@@ -265,6 +271,7 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
 				type,
 				user,
 				environment,
+				secretBlindIndex,
 				secretKeyCiphertext,
 				secretKeyIV,
 				secretKeyTag,
@@ -282,6 +289,7 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
 				user,
 				environment,
 				isDeleted: false,
+				secretBlindIndex: secretBlindIndex ?? undefined,
 				secretKeyCiphertext,
 				secretKeyIV,
 				secretKeyTag,
@@ -304,7 +312,7 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
 		
         // take secret snapshot
 		await EESecretService.takeSecretSnapshot({
-			workspaceId
+			workspaceId: new Types.ObjectId(workspaceId)
 		});
     } catch (err) {
         Sentry.setUser({ email: req.user.email });
@@ -418,7 +426,7 @@ export const getWorkspaceLogs = async (req: Request, res: Response) => {
 		.skip(offset)
 		.limit(limit)
 		.populate('actions')
-		.populate('user');
+		.populate('user serviceAccount serviceTokenData');
 
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });

backend/src/ee/helpers/action.ts

@@ -1,4 +1,3 @@
-import * as Sentry from '@sentry/node';
 import { Types } from 'mongoose';
 import { Action } from '../models';
 import { 
@@ -24,39 +23,37 @@ import {
 const createActionUpdateSecret = async ({
     name,
     userId,
+    serviceAccountId,
+    serviceTokenDataId,
     workspaceId,
     secretIds
 }: {
     name: string;
-    userId: Types.ObjectId;
+    userId?: Types.ObjectId;
+    serviceAccountId?: Types.ObjectId;
+    serviceTokenDataId?: Types.ObjectId;
     workspaceId: Types.ObjectId;
     secretIds: Types.ObjectId[];
 }) => {
-    let action;
-    try {
-        const latestSecretVersions = (await getLatestNSecretSecretVersionIds({
-                secretIds,
-                n: 2
-            }))
-            .map((s) => ({
-                oldSecretVersion: s.versions[0]._id,
-                newSecretVersion: s.versions[1]._id
-            }));
-        
-        action = await new Action({
-            name,
-            user: userId,
-            workspace: workspaceId,
-            payload: {
-                secretVersions: latestSecretVersions
-            }
-        }).save();
-
-    } catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-        throw new Error('Failed to create update secret action');
-    }
+    const latestSecretVersions = (await getLatestNSecretSecretVersionIds({
+            secretIds,
+            n: 2
+        }))
+        .map((s) => ({
+            oldSecretVersion: s.versions[0]._id,
+            newSecretVersion: s.versions[1]._id
+        }));
+    
+    const action = await new Action({
+        name,
+        user: userId,
+        serviceAccount: serviceAccountId,
+        serviceTokenData: serviceTokenDataId,
+        workspace: workspaceId,
+        payload: {
+            secretVersions: latestSecretVersions
+        }
+    }).save();
     
     return action;
 }
@@ -72,68 +69,66 @@ const createActionUpdateSecret = async ({
 const createActionSecret = async ({
     name,
     userId,
+    serviceAccountId,
+    serviceTokenDataId,
     workspaceId,
     secretIds
 }: {
     name: string;
-    userId: Types.ObjectId;
+    userId?: Types.ObjectId;
+    serviceAccountId?: Types.ObjectId;
+    serviceTokenDataId?: Types.ObjectId;
     workspaceId: Types.ObjectId;
     secretIds: Types.ObjectId[];
 }) => {
-    let action;
-    try {
-        // case: action is adding, deleting, or reading secrets
-        // -> add new secret versions
-        const latestSecretVersions = (await getLatestSecretVersionIds({
-            secretIds
-        }))
-        .map((s) => ({
-            newSecretVersion: s.versionId
-        }));
-        
-       action = await new Action({
-            name,
-            user: userId,
-            workspace: workspaceId,
-            payload: {
-                secretVersions: latestSecretVersions
-            }
-        }).save(); 
-
-    } catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-        throw new Error('Failed to create action create/read/delete secret action');
-    }
+    // case: action is adding, deleting, or reading secrets
+    // -> add new secret versions
+    const latestSecretVersions = (await getLatestSecretVersionIds({
+        secretIds
+    }))
+    .map((s) => ({
+        newSecretVersion: s.versionId
+    }));
+    
+   const action = await new Action({
+        name,
+        user: userId,
+        serviceAccount: serviceAccountId,
+        serviceTokenData: serviceTokenDataId,
+        workspace: workspaceId,
+        payload: {
+            secretVersions: latestSecretVersions
+        }
+    }).save(); 
     
     return action;
 }
 
 /**
- * Create an (audit) action for user with id [userId]
+ * Create an (audit) action for client with id [userId],
+ * [serviceAccountId], or [serviceTokenDataId]
  * @param {Object} obj 
  * @param {String} obj.name - name of action
  * @param {String} obj.userId - id of user associated with action
  * @returns 
  */
-const createActionUser = ({
+const createActionClient = ({
     name,
-    userId
+    userId,
+    serviceAccountId,
+    serviceTokenDataId
 }: {
     name: string;
-    userId: Types.ObjectId;
+    userId?: Types.ObjectId;
+    serviceAccountId?: Types.ObjectId;
+    serviceTokenDataId?: Types.ObjectId;
 }) => {
-    let action;
-    try {
-        action = new Action({
-            name,
-            user: userId
-        }).save();
-    } catch (err) {
-        Sentry.setUser(null);
-        Sentry.captureException(err);
-        throw new Error('Failed to create user action');
-    }
+    const action = new Action({
+        name,
+        user: userId,
+        serviceAccount: serviceAccountId,
+        serviceTokenData: serviceTokenDataId
+    }).save();
 
     return action; 
 }
@@ -149,49 +144,47 @@ const createActionUser = ({
 const createActionHelper = async ({
     name,
     userId,
+    serviceAccountId,
+    serviceTokenDataId,
     workspaceId,
     secretIds,
 }: {
     name: string;
-    userId: Types.ObjectId;
+    userId?: Types.ObjectId;
+    serviceAccountId?: Types.ObjectId;
+    serviceTokenDataId?: Types.ObjectId;
     workspaceId?: Types.ObjectId;
     secretIds?: Types.ObjectId[];
 }) => {
     let action;
-    try {
-        switch (name) {
-            case ACTION_LOGIN:
-            case ACTION_LOGOUT:
-                action = await createActionUser({
-                    name,
-                    userId
-                });
-                break;
-            case ACTION_ADD_SECRETS:
-            case ACTION_READ_SECRETS:
-            case ACTION_DELETE_SECRETS:
-                if (!workspaceId || !secretIds) throw new Error('Missing required params workspace id or secret ids to create action secret');
-                action = await createActionSecret({
-                    name,
-                    userId,
-                    workspaceId,
-                    secretIds
-                });
-                break;
-            case ACTION_UPDATE_SECRETS:
-                if (!workspaceId || !secretIds) throw new Error('Missing required params workspace id or secret ids to create action secret');
-                action = await createActionUpdateSecret({
-                    name,
-                    userId,
-                    workspaceId,
-                    secretIds
-                });
-                break;
-        }
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-        throw new Error('Failed to create action');
+    switch (name) {
+        case ACTION_LOGIN:
+        case ACTION_LOGOUT:
+            action = await createActionClient({
+                name,
+                userId
+            });
+            break;
+        case ACTION_ADD_SECRETS:
+        case ACTION_READ_SECRETS:
+        case ACTION_DELETE_SECRETS:
+            if (!workspaceId || !secretIds) throw new Error('Missing required params workspace id or secret ids to create action secret');
+            action = await createActionSecret({
+                name,
+                userId,
+                workspaceId,
+                secretIds
+            });
+            break;
+        case ACTION_UPDATE_SECRETS:
+            if (!workspaceId || !secretIds) throw new Error('Missing required params workspace id or secret ids to create action secret');
+            action = await createActionUpdateSecret({
+                name,
+                userId,
+                workspaceId,
+                secretIds
+            });
+            break;
     }
     
     return action;
@@ -199,4 +192,4 @@ const createActionHelper = async ({
 
 export { 
     createActionHelper
-};
+};

backend/src/ee/helpers/checkMembershipPermissions.ts

@@ -1,8 +1,9 @@
+import { Types } from 'mongoose';
 import _ from "lodash";
 import { Membership } from "../../models";
-import { ABILITY_READ, ABILITY_WRITE } from "../../variables/organization";
+import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from '../../variables';
 
-export const userHasWorkspaceAccess = async (userId: any, workspaceId: any, environment: any, action: any) => {
+export const userHasWorkspaceAccess = async (userId: Types.ObjectId, workspaceId: Types.ObjectId, environment: string, action: any) => {
   const membershipForWorkspace = await Membership.findOne({ workspace: workspaceId, user: userId })
   if (!membershipForWorkspace) {
     return false
@@ -18,15 +19,15 @@ export const userHasWorkspaceAccess = async (userId: any, workspaceId: any, envi
   return true
 }
 
-export const userHasWriteOnlyAbility = async (userId: any, workspaceId: any, environment: any) => {
+export const userHasWriteOnlyAbility = async (userId: Types.ObjectId, workspaceId: Types.ObjectId, environment: string) => {
   const membershipForWorkspace = await Membership.findOne({ workspace: workspaceId, user: userId })
   if (!membershipForWorkspace) {
     return false
   }
 
   const deniedMembershipPermissions = membershipForWorkspace.deniedPermissions;
-  const isWriteDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: ABILITY_WRITE });
-  const isReadDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: ABILITY_READ });
+  const isWriteDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: PERMISSION_WRITE_SECRETS });
+  const isReadDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: PERMISSION_READ_SECRETS });
 
   // case: you have write only if read is blocked and write is not
   if (isReadDisallowed && !isWriteDisallowed) {
@@ -36,15 +37,15 @@ export const userHasWriteOnlyAbility = async (userId: any, workspaceId: any, env
   return false
 }
 
-export const userHasNoAbility = async (userId: any, workspaceId: any, environment: any) => {
+export const userHasNoAbility = async (userId: Types.ObjectId, workspaceId: Types.ObjectId, environment: string) => {
   const membershipForWorkspace = await Membership.findOne({ workspace: workspaceId, user: userId })
   if (!membershipForWorkspace) {
     return true
   }
 
   const deniedMembershipPermissions = membershipForWorkspace.deniedPermissions;
-  const isWriteDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: ABILITY_WRITE });
-  const isReadBlocked = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: ABILITY_READ });
+  const isWriteDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: PERMISSION_WRITE_SECRETS });
+  const isReadBlocked = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: PERMISSION_READ_SECRETS });
 
   if (isReadBlocked && isWriteDisallowed) {
     return true

backend/src/ee/helpers/log.ts

@@ -1,9 +1,9 @@
-import * as Sentry from '@sentry/node';
 import { Types } from 'mongoose';
 import { 
     Log,
     IAction
 } from '../models';
+
 /**
  * Create an (audit) log
  * @param {Object} obj
@@ -16,36 +16,35 @@ import {
  */
 const createLogHelper = async ({
     userId,
+    serviceAccountId,
+    serviceTokenDataId,
     workspaceId,
     actions,
     channel,
     ipAddress
 }: {
-    userId: Types.ObjectId;
+    userId?: Types.ObjectId;
+    serviceAccountId?: Types.ObjectId;
+    serviceTokenDataId?: Types.ObjectId;
     workspaceId?: Types.ObjectId;
     actions: IAction[];
     channel: string;
     ipAddress: string;
 }) => {
-    let log;
-    try {
-        log = await new Log({
-            user: userId,
-            workspace: workspaceId ?? undefined,
-            actionNames: actions.map((a) => a.name),
-            actions,
-            channel,
-            ipAddress
-        }).save();
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to create log');
-    }
+    const log = await new Log({
+        user: userId,
+        serviceAccount: serviceAccountId,
+        serviceTokenData: serviceTokenDataId,
+        workspace: workspaceId ?? undefined,
+        actionNames: actions.map((a) => a.name),
+        actions,
+        channel,
+        ipAddress
+    }).save();
 
     return log;
 }
 
 export {
     createLogHelper
-}
+}

backend/src/ee/helpers/secret.ts

@@ -1,14 +1,6 @@
-import { Types } from 'mongoose';
-import * as Sentry from '@sentry/node';
-import {
-	Secret,
-	ISecret
-} from '../../models';
-import {
-	SecretSnapshot,
-	SecretVersion,
-	ISecretVersion
-} from '../models';
+import { Types } from "mongoose";
+import { Secret, ISecret } from "../../models";
+import { SecretSnapshot, SecretVersion, ISecretVersion } from "../models";
 
 /**
  * Save a secret snapshot that is a copy of the current state of secrets in workspace with id
@@ -19,56 +11,53 @@ import {
  * @returns {SecretSnapshot} secretSnapshot - new secret snapshot
  */
 const takeSecretSnapshotHelper = async ({
-	workspaceId
+  workspaceId,
 }: {
-	workspaceId: string;
+  workspaceId: Types.ObjectId;
 }) => {
+  const secretIds = (
+    await Secret.find(
+      {
+        workspace: workspaceId,
+      },
+      "_id"
+    )
+  ).map((s) => s._id);
 
-	let secretSnapshot;
-	try {
-		const secretIds = (await Secret.find({
-			workspace: workspaceId
-		}, '_id')).map((s) => s._id);
+  const latestSecretVersions = (
+    await SecretVersion.aggregate([
+      {
+        $match: {
+          secret: {
+            $in: secretIds,
+          },
+        },
+      },
+      {
+        $group: {
+          _id: "$secret",
+          version: { $max: "$version" },
+          versionId: { $max: "$_id" }, // secret version id
+        },
+      },
+      {
+        $sort: { version: -1 },
+      },
+    ]).exec()
+  ).map((s) => s.versionId);
 
-		const latestSecretVersions = (await SecretVersion.aggregate([
-			{
-				$match: {
-					secret: {
-						$in: secretIds
-					}
-				}
-			},
-			{
-				$group: {
-					_id: '$secret',
-					version: { $max: '$version' },
-					versionId: { $max: '$_id' } // secret version id
-				}
-			},
-			{
-				$sort: { version: -1 }
-			}
-		])
-			.exec())
-			.map((s) => s.versionId);
+  const latestSecretSnapshot = await SecretSnapshot.findOne({
+    workspace: workspaceId,
+  }).sort({ version: -1 });
 
-		const latestSecretSnapshot = await SecretSnapshot.findOne({
-			workspace: workspaceId
-		}).sort({ version: -1 });
+  const secretSnapshot = await new SecretSnapshot({
+    workspace: workspaceId,
+    version: latestSecretSnapshot ? latestSecretSnapshot.version + 1 : 1,
+    secretVersions: latestSecretVersions,
+  }).save();
 
-		secretSnapshot = await new SecretSnapshot({
-			workspace: workspaceId,
-			version: latestSecretSnapshot ? latestSecretSnapshot.version + 1 : 1,
-			secretVersions: latestSecretVersions
-		}).save();
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to take a secret snapshot');
-	}
-
-	return secretSnapshot;
-}
+  return secretSnapshot;
+};
 
 /**
  * Add secret versions [secretVersions] to the SecretVersion collection.
@@ -77,93 +66,35 @@ const takeSecretSnapshotHelper = async ({
  * @returns {SecretVersion[]} newSecretVersions - new secret versions
  */
 const addSecretVersionsHelper = async ({
-	secretVersions
+  secretVersions,
 }: {
-	secretVersions: ISecretVersion[]
+  secretVersions: ISecretVersion[];
 }) => {
-	let newSecretVersions;
-	try {
-		newSecretVersions = await SecretVersion.insertMany(secretVersions);
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error(`Failed to add secret versions [err=${err}]`);
-	}
+  const newSecretVersions = await SecretVersion.insertMany(secretVersions);
 
-	return newSecretVersions;
-}
+  return newSecretVersions;
+};
 
 const markDeletedSecretVersionsHelper = async ({
-	secretIds
+  secretIds,
 }: {
-	secretIds: Types.ObjectId[];
+  secretIds: Types.ObjectId[];
 }) => {
-	try {
-		await SecretVersion.updateMany({
-			secret: { $in: secretIds }
-		}, {
-			isDeleted: true
-		}, {
-			new: true
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to mark secret versions as deleted');
-	}
-}
-
-/**
- * Initialize secret versioning by setting previously unversioned
- * secrets to version 1 and begin populating secret versions.
- */
-const initSecretVersioningHelper = async () => {
-	try {
-
-		await Secret.updateMany(
-			{ version: { $exists: false } },
-			{ $set: { version: 1 } }
-		);
-
-		const unversionedSecrets: ISecret[] = await Secret.aggregate([
-			{
-				$lookup: {
-					from: 'secretversions',
-					localField: '_id',
-					foreignField: 'secret',
-					as: 'versions',
-				},
-			},
-			{
-				$match: {
-					versions: { $size: 0 },
-				},
-			},
-		]);
-
-		if (unversionedSecrets.length > 0) {
-			await addSecretVersionsHelper({
-				secretVersions: unversionedSecrets.map((s, idx) => ({
-					...s,
-					secret: s._id,
-					version: s.version ? s.version : 1,
-					isDeleted: false,
-					workspace: s.workspace,
-					environment: s.environment
-				}))
-			});
-		}
-
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to ensure that secrets are versioned');
-	}
-}
+  await SecretVersion.updateMany(
+    {
+      secret: { $in: secretIds },
+    },
+    {
+      isDeleted: true,
+    },
+    {
+      new: true,
+    }
+  );
+};
 
 export {
-	takeSecretSnapshotHelper,
-	addSecretVersionsHelper,
-	markDeletedSecretVersionsHelper,
-	initSecretVersioningHelper
-}
+  takeSecretSnapshotHelper,
+  addSecretVersionsHelper,
+  markDeletedSecretVersionsHelper
+};

backend/src/ee/helpers/secretVersion.ts

@@ -1,4 +1,3 @@
-import * as Sentry from '@sentry/node';
 import { Types } from 'mongoose';
 import { SecretVersion } from '../models';
 
@@ -13,41 +12,32 @@ const getLatestSecretVersionIds = async ({
 }: {
     secretIds: Types.ObjectId[];
 }) => {
-    
     interface LatestSecretVersionId {
         _id: Types.ObjectId;
         version: number;
         versionId: Types.ObjectId;
     }
     
-    let latestSecretVersionIds: LatestSecretVersionId[];
-    try {
-        latestSecretVersionIds = (await SecretVersion.aggregate([
-            {
-                $match: { 
-                    secret: { 
-                        $in: secretIds 
-                    } 
-                }
-            },
-            {
-                $group: {
-                    _id: '$secret',
-                    version: { $max: '$version' },
-                    versionId: { $max: '$_id' } // id of latest secret version
-                }
-            },
-            {
-                $sort: { version: -1 }
+    const latestSecretVersionIds = (await SecretVersion.aggregate([
+        {
+            $match: { 
+                secret: { 
+                    $in: secretIds 
+                } 
             }
-            ])
-            .exec());
-            
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-        throw new Error('Failed to get latest secret versions');
-    }
+        },
+        {
+            $group: {
+                _id: '$secret',
+                version: { $max: '$version' },
+                versionId: { $max: '$_id' } // id of latest secret version
+            }
+        },
+        {
+            $sort: { version: -1 }
+        }
+        ])
+        .exec());
     
     return latestSecretVersionIds;
 }
@@ -66,40 +56,32 @@ const getLatestNSecretSecretVersionIds = async ({
     secretIds: Types.ObjectId[];
     n: number;
 }) => {
-    
     // TODO: optimize query
-    let latestNSecretVersions;
-    try {
-        latestNSecretVersions = (await SecretVersion.aggregate([
-            {
-                $match: {
-                secret: {
-                    $in: secretIds,
-                },
-                },
+    const latestNSecretVersions = (await SecretVersion.aggregate([
+        {
+            $match: {
+            secret: {
+                $in: secretIds,
             },
-            {
-                $sort: { version: -1 },
             },
-            {
-                $group: {
-                _id: "$secret",
-                versions: { $push: "$$ROOT" },
-                },
+        },
+        {
+            $sort: { version: -1 },
+        },
+        {
+            $group: {
+            _id: "$secret",
+            versions: { $push: "$$ROOT" },
             },
-            {
-                $project: {
-                _id: 0,
-                secret: "$_id",
-                versions: { $slice: ["$versions", n] },
-                },
-            }
-        ]));
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-        throw new Error('Failed to get latest n secret versions');
-    }
+        },
+        {
+            $project: {
+            _id: 0,
+            secret: "$_id",
+            versions: { $slice: ["$versions", n] },
+            },
+        }
+    ]));
     
     return latestNSecretVersions;
 }

backend/src/ee/middleware/requireSecretSnapshotAuth.ts

@@ -15,32 +15,28 @@ import {
 const requireSecretSnapshotAuth = ({
     acceptedRoles,
 }: {
-    acceptedRoles: string[];
+    acceptedRoles: Array<'admin' | 'member'>;
 }) => {
     return async (req: Request, res: Response, next: NextFunction) => {
-        try {
-            const { secretSnapshotId } = req.params;
-            
-            const secretSnapshot = await SecretSnapshot.findById(secretSnapshotId);
-            
-            if (!secretSnapshot) {
-                return next(SecretSnapshotNotFoundError({
-                    message: 'Failed to find secret snapshot'
-                }));
-            }
-            
-            await validateMembership({
-                userId: req.user._id.toString(),
-                workspaceId: secretSnapshot.workspace.toString(),
-                acceptedRoles
-            });
-            
-            req.secretSnapshot = secretSnapshot as any;
-
-            next();
-        } catch (err) {
-            return next(UnauthorizedRequestError({ message: 'Unable to authenticate secret snapshot' }));
+        const { secretSnapshotId } = req.params;
+        
+        const secretSnapshot = await SecretSnapshot.findById(secretSnapshotId);
+        
+        if (!secretSnapshot) {
+            return next(SecretSnapshotNotFoundError({
+                message: 'Failed to find secret snapshot'
+            }));
         }
+        
+        await validateMembership({
+            userId: req.user._id,
+            workspaceId: secretSnapshot.workspace,
+            acceptedRoles
+        });
+        
+        req.secretSnapshot = secretSnapshot as any;
+
+        next();
     }
 }
 

backend/src/ee/models/action.ts

@@ -11,6 +11,8 @@ import {
 export interface IAction {
     name: string;
     user?: Types.ObjectId,
+    serviceAccount?: Types.ObjectId,
+    serviceTokenData?: Types.ObjectId,
     workspace?: Types.ObjectId,
     payload?: {
         secretVersions?: Types.ObjectId[]
@@ -33,8 +35,15 @@ const actionSchema = new Schema<IAction>(
         },
         user: {
             type: Schema.Types.ObjectId,
-            ref: 'User',
-            required: true
+            ref: 'User'
+        },
+        serviceAccount: {
+            type: Schema.Types.ObjectId,
+            ref: 'ServiceAccount'
+        },
+        serviceTokenData: {
+            type: Schema.Types.ObjectId,
+            ref: 'ServiceTokenData'
         },
         workspace: {
             type: Schema.Types.ObjectId,

backend/src/ee/models/log.ts

@@ -11,6 +11,8 @@ import {
 export interface ILog {
     _id: Types.ObjectId;
     user?: Types.ObjectId;
+    serviceAccount?: Types.ObjectId;
+    serviceTokenData?: Types.ObjectId;
     workspace?: Types.ObjectId;
     actionNames: string[];
     actions: Types.ObjectId[];
@@ -24,6 +26,14 @@ const logSchema = new Schema<ILog>(
             type: Schema.Types.ObjectId,
             ref: 'User'
         },
+        serviceAccount: {
+            type: Schema.Types.ObjectId,
+            ref: 'ServiceAccount'
+        },
+        serviceTokenData: {
+            type: Schema.Types.ObjectId,
+            ref: 'ServiceTokenData'
+        },
         workspace: {
             type: Schema.Types.ObjectId,
             ref: 'Workspace'

backend/src/ee/models/secretVersion.ts

@@ -2,9 +2,13 @@ import { Schema, model, Types } from 'mongoose';
 import {
 	SECRET_SHARED,
 	SECRET_PERSONAL,
+	ALGORITHM_AES_256_GCM,
+	ENCODING_SCHEME_UTF8,
+	ENCODING_SCHEME_BASE64
 } from '../../variables';
 
 export interface ISecretVersion {
+	_id: Types.ObjectId;
 	secret: Types.ObjectId;
 	version: number;
 	workspace: Types.ObjectId; // new
@@ -12,13 +16,15 @@ export interface ISecretVersion {
 	user?: Types.ObjectId; // new
 	environment: string; // new
 	isDeleted: boolean;
+	secretBlindIndex?: string;
 	secretKeyCiphertext: string;
 	secretKeyIV: string;
 	secretKeyTag: string;
 	secretValueCiphertext: string;
 	secretValueIV: string;
 	secretValueTag: string;
-	tags?: string[];
+	algorithm: 'aes-256-gcm';
+	keyEncoding: 'utf8' | 'base64';
 }
 
 const secretVersionSchema = new Schema<ISecretVersion>(
@@ -57,6 +63,10 @@ const secretVersionSchema = new Schema<ISecretVersion>(
 			default: false,
 			required: true
 		},
+		secretBlindIndex: {
+			type: String,
+			select: false
+		},
 		secretKeyCiphertext: {
 			type: String,
 			required: true
@@ -81,10 +91,18 @@ const secretVersionSchema = new Schema<ISecretVersion>(
 			type: String, // symmetric
 			required: true
 		},
-		tags: {
-			ref: 'Tag',
-			type: [Schema.Types.ObjectId],
-			default: []
+		algorithm: { // the encryption algorithm used
+			type: String,
+			enum: [ALGORITHM_AES_256_GCM],
+			required: true
+		},
+		keyEncoding: {
+			type: String,
+			enum: [
+				ENCODING_SCHEME_UTF8,
+				ENCODING_SCHEME_BASE64
+			],
+			required: true
 		},
 	},
 	{

backend/src/ee/routes/v1/cloudProducts.ts

@@ -0,0 +1,20 @@
+import express from 'express';
+const router = express.Router();
+import {
+    requireAuth,
+    validateRequest
+} from '../../../middleware';
+import { query } from 'express-validator';
+import { cloudProductsController } from '../../controllers/v1';
+
+router.get(
+    '/',
+    requireAuth({
+		acceptedAuthModes: ['jwt', 'apiKey']
+	}),
+    query('billing-cycle').exists().isIn(['monthly', 'yearly']),
+    validateRequest,
+    cloudProductsController.getCloudProducts 
+);
+
+export default router;

backend/src/ee/routes/v1/index.ts

@@ -1,11 +1,15 @@
 import secret from './secret';
 import secretSnapshot from './secretSnapshot';
+import organizations from './organizations';
 import workspace from './workspace';
 import action from './action';
+import cloudProducts from './cloudProducts';
 
 export {
     secret,
     secretSnapshot,
+    organizations,
     workspace,
-    action
+    action,
+    cloudProducts
 }

backend/src/ee/routes/v1/organizations.ts

@@ -0,0 +1,87 @@
+import express from 'express';
+const router = express.Router();
+import {
+    requireAuth,
+    requireOrganizationAuth,
+    validateRequest
+} from '../../../middleware';
+import { param, body } from 'express-validator';
+import { organizationsController } from '../../controllers/v1';
+import {
+    OWNER, ADMIN, MEMBER, ACCEPTED
+} from '../../../variables';
+
+router.get(
+    '/:organizationId/plan',
+    requireAuth({
+		acceptedAuthModes: ['jwt', 'apiKey']
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED]
+    }),
+    param('organizationId').exists().trim(),
+    validateRequest,
+    organizationsController.getOrganizationPlan
+);
+
+router.patch(
+    '/:organizationId/plan',
+    requireAuth({
+		acceptedAuthModes: ['jwt', 'apiKey']
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED]
+    }),
+    param('organizationId').exists().trim(),
+    body('productId').exists().isString(),
+    validateRequest,
+    organizationsController.updateOrganizationPlan
+);
+
+router.get(
+    '/:organizationId/billing-details/payment-methods',
+    requireAuth({
+		acceptedAuthModes: ['jwt', 'apiKey']
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED]
+    }),
+    param('organizationId').exists().trim(),
+    validateRequest,
+    organizationsController.getOrganizationPmtMethods
+);
+
+router.post(
+    '/:organizationId/billing-details/payment-methods',
+    requireAuth({
+		acceptedAuthModes: ['jwt', 'apiKey']
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED]
+    }),
+    param('organizationId').exists().trim(),
+    body('success_url').exists().isString(),
+    body('cancel_url').exists().isString(),
+    validateRequest,
+    organizationsController.addOrganizationPmtMethod
+);
+
+router.delete(
+    '/:organizationId/billing-details/payment-methods/:pmtMethodId',
+    requireAuth({
+		acceptedAuthModes: ['jwt', 'apiKey']
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED]
+    }),
+    param('organizationId').exists().trim(),
+    validateRequest,
+    organizationsController.deleteOrganizationPmtMethod
+);
+
+export default router;

backend/src/ee/routes/v1/secret.ts

@@ -7,7 +7,12 @@ import {
 } from '../../../middleware';
 import { query, param, body } from 'express-validator';
 import { secretController } from '../../controllers/v1';
-import { ADMIN, MEMBER } from '../../../variables';
+import {
+	ADMIN, 
+	MEMBER,
+	PERMISSION_READ_SECRETS,
+	PERMISSION_WRITE_SECRETS
+} from '../../../variables';
 
 router.get(
 	'/:secretId/secret-versions',
@@ -15,7 +20,8 @@ router.get(
 		acceptedAuthModes: ['jwt', 'apiKey']
 	}),
 	requireSecretAuth({
-		acceptedRoles: [ADMIN, MEMBER]
+		acceptedRoles: [ADMIN, MEMBER],
+		requiredPermissions: [PERMISSION_READ_SECRETS]
 	}),
 	param('secretId').exists().trim(),
 	query('offset').exists().isInt(),
@@ -30,7 +36,8 @@ router.post(
 		acceptedAuthModes: ['jwt', 'apiKey']
 	}),
 	requireSecretAuth({
-		acceptedRoles: [ADMIN, MEMBER]
+		acceptedRoles: [ADMIN, MEMBER],
+		requiredPermissions: [PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS]
 	}),
 	param('secretId').exists().trim(),
 	body('version').exists().isInt(),

backend/src/ee/routes/v1/secretSnapshot.ts

@@ -7,7 +7,7 @@ import {
     requireAuth,
     validateRequest
 } from '../../../middleware';
-import { param, body } from 'express-validator';
+import { param } from 'express-validator';
 import { ADMIN, MEMBER } from '../../../variables';
 import { secretSnapshotController } from '../../controllers/v1';
 

backend/src/ee/routes/v1/workspace.ts

@@ -15,7 +15,8 @@ router.get(
 		acceptedAuthModes: ['jwt', 'apiKey']
 	}),
 	requireWorkspaceAuth({
-		acceptedRoles: [ADMIN, MEMBER]
+		acceptedRoles: [ADMIN, MEMBER],
+		locationWorkspaceId: 'params'
 	}),
 	param('workspaceId').exists().trim(),
 	query('offset').exists().isInt(),
@@ -30,7 +31,8 @@ router.get(
 		acceptedAuthModes: ['jwt']
 	}),
 	requireWorkspaceAuth({
-		acceptedRoles: [ADMIN, MEMBER]
+		acceptedRoles: [ADMIN, MEMBER],
+		locationWorkspaceId: 'params'
 	}),
 	param('workspaceId').exists().trim(),
 	validateRequest,
@@ -43,7 +45,8 @@ router.post(
 		acceptedAuthModes: ['jwt', 'apiKey']
 	}),
 	requireWorkspaceAuth({
-		acceptedRoles: [ADMIN, MEMBER]
+		acceptedRoles: [ADMIN, MEMBER],
+		locationWorkspaceId: 'params'
 	}),
 	param('workspaceId').exists().trim(),
 	body('version').exists().isInt(),
@@ -57,7 +60,8 @@ router.get(
 		acceptedAuthModes: ['jwt', 'apiKey']
 	}),
 	requireWorkspaceAuth({
-		acceptedRoles: [ADMIN, MEMBER]
+		acceptedRoles: [ADMIN, MEMBER],
+		locationWorkspaceId: 'params'
 	}),
 	param('workspaceId').exists().trim(),
 	query('offset').exists().isInt(),

backend/src/ee/services/EELicenseService.ts

@@ -1,12 +1,133 @@
+import NodeCache from 'node-cache';
+import * as Sentry from '@sentry/node';
+import { 
+    getLicenseKey,
+    getLicenseServerKey,
+    getLicenseServerUrl
+} from '../../config';
+import { 
+    licenseKeyRequest,
+    licenseServerKeyRequest,
+    refreshLicenseServerKeyToken,
+    refreshLicenseKeyToken
+} from '../../config/request';
+import { Organization } from '../../models';
+import { OrganizationNotFoundError } from '../../utils/errors';
+
+interface FeatureSet {
+    _id: string | null;
+    slug: 'starter' | 'team' | 'pro' | 'enterprise' | null;
+    tier: number;
+    workspaceLimit: number | null;
+    workspacesUsed: number;
+    memberLimit: number | null;
+    membersUsed: number;
+    secretVersioning: boolean;
+    pitRecovery: boolean;
+    rbac: boolean;
+    customRateLimits: boolean;
+    customAlerts: boolean;
+    auditLogs: boolean;
+}
+
 /**
- * Class to handle Enterprise Edition license actions
+ * Class to handle license/plan configurations:
+ * - Infisical Cloud: Fetch and cache customer plans in [localFeatureSet]
+ * - Self-hosted regular: Use default global feature set
+ * - Self-hosted enterprise: Fetch and update global feature set
  */
 class EELicenseService {
     
-    private readonly _isLicenseValid: boolean;
+    private readonly _isLicenseValid: boolean; // TODO: deprecate
+
+    public instanceType: 'self-hosted' | 'enterprise-self-hosted' | 'cloud' = 'self-hosted';
+
+    public globalFeatureSet: FeatureSet = {
+        _id: null,
+        slug: null,
+        tier: -1,
+        workspaceLimit: null,
+        workspacesUsed: 0,
+        memberLimit: null,
+        membersUsed: 0,
+        secretVersioning: true,
+        pitRecovery: true,
+        rbac: true,
+        customRateLimits: true,
+        customAlerts: true,
+        auditLogs: false
+    }
+
+    public localFeatureSet: NodeCache;
     
-    constructor(licenseKey: string) {
+    constructor() {
         this._isLicenseValid = true;
+        this.localFeatureSet = new NodeCache({
+            stdTTL: 300
+        });
+    }
+    
+    public async getOrganizationPlan(organizationId: string): Promise<FeatureSet> {
+        try {
+            if (this.instanceType === 'cloud') {
+                const cachedPlan = this.localFeatureSet.get<FeatureSet>(organizationId);
+                if (cachedPlan) {
+                    return cachedPlan;
+                }
+
+                const organization = await Organization.findById(organizationId);
+                if (!organization) throw OrganizationNotFoundError();
+
+                const { data: { currentPlan } } = await licenseServerKeyRequest.get(
+                    `${await getLicenseServerUrl()}/api/license-server/v1/customers/${organization.customerId}/cloud-plan`
+                );
+
+                // cache fetched plan for organization
+                this.localFeatureSet.set(organizationId, currentPlan);
+
+                return currentPlan;
+            }
+        } catch (err) {
+            return this.globalFeatureSet;
+        }
+
+        return this.globalFeatureSet;
+    }
+
+    public async initGlobalFeatureSet() {
+        const licenseServerKey = await getLicenseServerKey();
+        const licenseKey = await getLicenseKey();
+
+        try {
+            if (licenseServerKey) {
+                // license server key is present -> validate it
+                const token = await refreshLicenseServerKeyToken()
+                    
+                if (token) {
+                    this.instanceType = 'cloud';
+                }
+                
+                return;
+            }
+            
+            if (licenseKey) {
+                // license key is present -> validate it
+                const token = await refreshLicenseKeyToken();
+                    
+                if (token) {
+                    const { data: { currentPlan } } = await licenseKeyRequest.get(
+                        `${await getLicenseServerUrl()}/api/license/v1/plan`
+                    );
+                    
+                    this.globalFeatureSet = currentPlan;
+                    this.instanceType = 'enterprise-self-hosted';
+                }
+            }
+        } catch (err) {
+            // case: self-hosted free
+            Sentry.setUser(null);
+            Sentry.captureException(err);
+        }
     }
 
     public get isLicenseValid(): boolean {
@@ -14,4 +135,4 @@ class EELicenseService {
     }
 }
 
-export default new EELicenseService('N/A');
+export default new EELicenseService();

backend/src/ee/services/EELogService.ts

@@ -26,12 +26,16 @@ class EELogService {
      */
     static async createLog({
         userId,
+        serviceAccountId,
+        serviceTokenDataId,
         workspaceId,
         actions,
         channel,
         ipAddress
     }: {
-        userId: Types.ObjectId;
+        userId?: Types.ObjectId;
+        serviceAccountId?: Types.ObjectId;
+        serviceTokenDataId?: Types.ObjectId;
         workspaceId?: Types.ObjectId;
         actions: IAction[];
         channel: string;
@@ -40,6 +44,8 @@ class EELogService {
         if (!EELicenseService.isLicenseValid) return null;
         return await createLogHelper({
             userId,
+            serviceAccountId,
+            serviceTokenDataId,
             workspaceId,
             actions,
             channel,
@@ -59,17 +65,23 @@ class EELogService {
     static async createAction({
         name,
         userId,
+        serviceAccountId,
+        serviceTokenDataId,
         workspaceId,
         secretIds
     }: {
         name: string;
-        userId: Types.ObjectId;
+        userId?: Types.ObjectId;
+        serviceAccountId?: Types.ObjectId;
+        serviceTokenDataId?: Types.ObjectId;
         workspaceId?: Types.ObjectId;
         secretIds?: Types.ObjectId[];
     }) {
         return await createActionHelper({
             name,
             userId,
+            serviceAccountId,
+            serviceTokenDataId,
             workspaceId,
             secretIds
         });

backend/src/ee/services/EESecretService.ts

@@ -3,8 +3,7 @@ import { ISecretVersion } from '../models';
 import { 
     takeSecretSnapshotHelper,
     addSecretVersionsHelper,
-    markDeletedSecretVersionsHelper,
-    initSecretVersioningHelper
+    markDeletedSecretVersionsHelper
 } from '../helpers/secret';
 import EELicenseService from './EELicenseService';
 
@@ -25,7 +24,7 @@ class EESecretService {
     static async takeSecretSnapshot({
         workspaceId
     }: {
-        workspaceId: string;
+        workspaceId: Types.ObjectId;
     }) {
         if (!EELicenseService.isLicenseValid) return;
         return await takeSecretSnapshotHelper({ workspaceId });
@@ -64,15 +63,6 @@ class EESecretService {
             secretIds
         });
     }
-    
-    /**
-     * Initialize secret versioning by setting previously unversioned
-     * secrets to version 1 and begin populating secret versions.
-     */
-    static async initSecretVersioning() {
-        if (!EELicenseService.isLicenseValid) return; 
-        await initSecretVersioningHelper();
-    }
 }
 
 export default EESecretService;

backend/src/events/secret.ts

@@ -1,3 +1,4 @@
+import { Types } from 'mongoose';
 import { 
     EVENT_PUSH_SECRETS, 
     EVENT_PULL_SECRETS 
@@ -22,13 +23,16 @@ interface PushSecret {
  * @returns 
  */
 const eventPushSecrets = ({
-    workspaceId
+    workspaceId,
+    environment
 }: {
-    workspaceId: string;
+    workspaceId: Types.ObjectId;
+    environment?: string;
 }) => {
     return ({
         name: EVENT_PUSH_SECRETS,
         workspaceId,
+        environment,
         payload: {
 
         }

backend/src/helpers/auth.ts

@@ -1,15 +1,17 @@
-import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
 import jwt from 'jsonwebtoken';
 import bcrypt from 'bcrypt';
 import {
 	IUser,
 	User,
 	ServiceTokenData,
+	ServiceAccount,
 	APIKeyData
 } from '../models';
 import {
 	AccountNotFoundError,
 	ServiceTokenDataNotFoundError,
+	ServiceAccountNotFoundError,
 	APIKeyDataNotFoundError,
 	UnauthorizedRequestError,
 	BadRequestError
@@ -17,9 +19,16 @@ import {
 import {
 	getJwtAuthLifetime,
 	getJwtAuthSecret,
+	getJwtProviderAuthSecret,
 	getJwtRefreshLifetime,
 	getJwtRefreshSecret
 } from '../config';
+import {
+	AUTH_MODE_JWT,
+	AUTH_MODE_SERVICE_ACCOUNT,
+	AUTH_MODE_SERVICE_TOKEN,
+	AUTH_MODE_API_KEY
+} from '../variables';
 
 /**
  * 
@@ -33,11 +42,10 @@ const validateAuthMode = ({
 	headers: { [key: string]: string | string[] | undefined },
 	acceptedAuthModes: string[]
 }) => {
-	// TODO: refactor middleware
 	const apiKey = headers['x-api-key'];
 	const authHeader = headers['authorization'];
-
-	let authTokenType, authTokenValue;
+	
+	let authMode, authTokenValue;
 	if (apiKey === undefined && authHeader === undefined) {
 		// case: no auth or X-API-KEY header present
 		throw BadRequestError({ message: 'Missing Authorization or X-API-KEY in request header.' });
@@ -45,7 +53,7 @@ const validateAuthMode = ({
 
 	if (typeof apiKey === 'string') {
 		// case: treat request authentication type as via X-API-KEY (i.e. API Key)
-		authTokenType = 'apiKey';
+		authMode = AUTH_MODE_API_KEY;
 		authTokenValue = apiKey;
 	}
 
@@ -61,20 +69,24 @@ const validateAuthMode = ({
 
 		switch (tokenValue.split('.', 1)[0]) {
 			case 'st':
-				authTokenType = 'serviceToken';
+				authMode = AUTH_MODE_SERVICE_TOKEN;
+				break;
+			case 'sa':
+				authMode = AUTH_MODE_SERVICE_ACCOUNT;
 				break;
 			default:
-				authTokenType = 'jwt';
+				authMode = AUTH_MODE_JWT;
 		}
+
 		authTokenValue = tokenValue;
 	}
 
-	if (!authTokenType || !authTokenValue) throw BadRequestError({ message: 'Missing valid Authorization or X-API-KEY in request header.' });
+	if (!authMode || !authTokenValue) throw BadRequestError({ message: 'Missing valid Authorization or X-API-KEY in request header.' });
 
-	if (!acceptedAuthModes.includes(authTokenType)) throw BadRequestError({ message: 'The provided authentication type is not supported.' });
+	if (!acceptedAuthModes.includes(authMode)) throw BadRequestError({ message: 'The provided authentication type is not supported.' });
 
 	return ({
-		authTokenType,
+		authMode,
 		authTokenValue
 	});
 }
@@ -90,25 +102,17 @@ const getAuthUserPayload = async ({
 }: {
 	authTokenValue: string;
 }) => {
-	let user;
-	try {
-		const decodedToken = <jwt.UserIDJwtPayload>(
-			jwt.verify(authTokenValue, getJwtAuthSecret())
-		);
+	const decodedToken = <jwt.UserIDJwtPayload>(
+		jwt.verify(authTokenValue, await getJwtAuthSecret())
+	);
 
-		user = await User.findOne({
-			_id: decodedToken.userId
-		}).select('+publicKey');
+	const user = await User.findOne({
+		_id: decodedToken.userId
+	}).select('+publicKey');
 
-		if (!user) throw AccountNotFoundError({ message: 'Failed to find User' });
+	if (!user) throw AccountNotFoundError({ message: 'Failed to find User' });
 
-		if (!user?.publicKey) throw UnauthorizedRequestError({ message: 'Failed to authenticate User with partially set up account' });
-
-	} catch (err) {
-		throw UnauthorizedRequestError({
-			message: 'Failed to authenticate JWT token'
-		});
-	}
+	if (!user?.publicKey) throw UnauthorizedRequestError({ message: 'Failed to authenticate User with partially set up account' });
 
 	return user;
 }
@@ -124,45 +128,70 @@ const getAuthSTDPayload = async ({
 }: {
 	authTokenValue: string;
 }) => {
-	let serviceTokenData;
-	try {
-		const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split('.', 3);
+	const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split('.', 3);
 
-		// TODO: optimize double query
-		serviceTokenData = await ServiceTokenData
-			.findById(TOKEN_IDENTIFIER, '+secretHash +expiresAt');
+	let serviceTokenData = await ServiceTokenData
+		.findById(TOKEN_IDENTIFIER, '+secretHash +expiresAt');
 
-		if (!serviceTokenData) {
-			throw ServiceTokenDataNotFoundError({ message: 'Failed to find service token data' });
-		} else if (serviceTokenData?.expiresAt && new Date(serviceTokenData.expiresAt) < new Date()) {
-			// case: service token expired
-			await ServiceTokenData.findByIdAndDelete(serviceTokenData._id);
-			throw UnauthorizedRequestError({
-				message: 'Failed to authenticate expired service token'
-			});
-		}
-
-		const isMatch = await bcrypt.compare(TOKEN_SECRET, serviceTokenData.secretHash);
-		if (!isMatch) throw UnauthorizedRequestError({
-			message: 'Failed to authenticate service token'
-		});
-
-		serviceTokenData = await ServiceTokenData
-			.findById(TOKEN_IDENTIFIER)
-			.select('+encryptedKey +iv +tag')
-			.populate<{user: IUser}>('user');
-		
-		if (!serviceTokenData) throw ServiceTokenDataNotFoundError({ message: 'Failed to find service token data' });
-
-	} catch (err) {
+	if (!serviceTokenData) {
+		throw ServiceTokenDataNotFoundError({ message: 'Failed to find service token data' });
+	} else if (serviceTokenData?.expiresAt && new Date(serviceTokenData.expiresAt) < new Date()) {
+		// case: service token expired
+		await ServiceTokenData.findByIdAndDelete(serviceTokenData._id);
 		throw UnauthorizedRequestError({
-			message: 'Failed to authenticate service token'
+			message: 'Failed to authenticate expired service token'
 		});
 	}
 
+	const isMatch = await bcrypt.compare(TOKEN_SECRET, serviceTokenData.secretHash);
+	if (!isMatch) throw UnauthorizedRequestError({
+		message: 'Failed to authenticate service token'
+	});
+
+	serviceTokenData = await ServiceTokenData
+		.findOneAndUpdate({
+			_id: new Types.ObjectId(TOKEN_IDENTIFIER)
+		}, {
+			lastUsed: new Date()
+		}, {
+			new: true
+		})
+		.select('+encryptedKey +iv +tag');
+
+	if (!serviceTokenData) throw ServiceTokenDataNotFoundError({ message: 'Failed to find service token data' });
+
 	return serviceTokenData;
 }
 
+/**
+ * Return service account access key payload
+ * @param {Object} obj
+ * @param {String} obj.authTokenValue - service account access token value
+ * @returns {ServiceAccount} serviceAccount
+ */
+const getAuthSAAKPayload = async ({
+	authTokenValue
+}: {
+	authTokenValue: string;
+}) => {
+	const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split('.', 3);
+
+	const serviceAccount = await ServiceAccount.findById(
+		Buffer.from(TOKEN_IDENTIFIER, 'base64').toString('hex')
+	).select('+secretHash');
+
+	if (!serviceAccount) {
+		throw ServiceAccountNotFoundError({ message: 'Failed to find service account' });
+	}
+
+	const result = await bcrypt.compare(TOKEN_SECRET, serviceAccount.secretHash);
+	if (!result) throw UnauthorizedRequestError({
+		message: 'Failed to authenticate service account access key'
+	});
+
+	return serviceAccount;
+}
+
 /**
  * Return API key data payload corresponding to API key [authTokenValue]
  * @param {Object} obj
@@ -174,33 +203,44 @@ const getAuthAPIKeyPayload = async ({
 }: {
 	authTokenValue: string;
 }) => {
-	let user;
-	try {
-		const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split('.', 3);
+	const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split('.', 3);
 
-		const apiKeyData = await APIKeyData
-			.findById(TOKEN_IDENTIFIER, '+secretHash +expiresAt')
-			.populate('user', '+publicKey');
+	let apiKeyData = await APIKeyData
+		.findById(TOKEN_IDENTIFIER, '+secretHash +expiresAt')
+		.populate<{ user: IUser }>('user', '+publicKey');
 
-		if (!apiKeyData) {
-			throw APIKeyDataNotFoundError({ message: 'Failed to find API key data' });
-		} else if (apiKeyData?.expiresAt && new Date(apiKeyData.expiresAt) < new Date()) {
-			// case: API key expired
-			await APIKeyData.findByIdAndDelete(apiKeyData._id);
-			throw UnauthorizedRequestError({
-				message: 'Failed to authenticate expired API key'
-			});
-		}
-
-		const isMatch = await bcrypt.compare(TOKEN_SECRET, apiKeyData.secretHash);
-		if (!isMatch) throw UnauthorizedRequestError({
-			message: 'Failed to authenticate API key'
-		});
-
-		user = apiKeyData.user;
-	} catch (err) {
+	if (!apiKeyData) {
+		throw APIKeyDataNotFoundError({ message: 'Failed to find API key data' });
+	} else if (apiKeyData?.expiresAt && new Date(apiKeyData.expiresAt) < new Date()) {
+		// case: API key expired
+		await APIKeyData.findByIdAndDelete(apiKeyData._id);
 		throw UnauthorizedRequestError({
-			message: 'Failed to authenticate API key'
+			message: 'Failed to authenticate expired API key'
+		});
+	}
+
+	const isMatch = await bcrypt.compare(TOKEN_SECRET, apiKeyData.secretHash);
+	if (!isMatch) throw UnauthorizedRequestError({
+		message: 'Failed to authenticate API key'
+	});
+
+	apiKeyData = await APIKeyData.findOneAndUpdate({
+		_id: new Types.ObjectId(TOKEN_IDENTIFIER)
+	}, {
+		lastUsed: new Date()
+	}, {
+		new: true
+	});
+
+	if (!apiKeyData) {
+		throw APIKeyDataNotFoundError({ message: 'Failed to find API key data' });
+	}
+
+	const user = await User.findById(apiKeyData.user).select('+publicKey');
+
+	if (!user) {
+		throw AccountNotFoundError({
+			message: 'Failed to find user'
 		});
 	}
 
@@ -216,30 +256,23 @@ const getAuthAPIKeyPayload = async ({
  * @return {String} obj.refreshToken - issued refresh token
  */
 const issueAuthTokens = async ({ userId }: { userId: string }) => {
-	let token: string;
-	let refreshToken: string;
-	try {
-		// issue tokens
-		token = createToken({
-			payload: {
-				userId
-			},
-			expiresIn: getJwtAuthLifetime(),
-			secret: getJwtAuthSecret()
-		});
 
-		refreshToken = createToken({
-			payload: {
-				userId
-			},
-			expiresIn: getJwtRefreshLifetime(),
-			secret: getJwtRefreshSecret()
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to issue tokens');
-	}
+	// issue tokens
+	const token = createToken({
+		payload: {
+			userId
+		},
+		expiresIn: await getJwtAuthLifetime(),
+		secret: await getJwtAuthSecret()
+	});
+
+	const refreshToken = createToken({
+		payload: {
+			userId
+		},
+		expiresIn: await getJwtRefreshLifetime(),
+		secret: await getJwtRefreshSecret()
+	});
 
 	return {
 		token,
@@ -253,19 +286,14 @@ const issueAuthTokens = async ({ userId }: { userId: string }) => {
  * @param {String} obj.userId - id of user whose tokens are cleared.
  */
 const clearTokens = async ({ userId }: { userId: string }): Promise<void> => {
-	try {
-		// increment refreshVersion on user by 1
-		User.findOneAndUpdate({
-			_id: userId
-		}, {
-			$inc: {
-				refreshVersion: 1
-			}
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-	}
+	// increment refreshVersion on user by 1
+	User.findOneAndUpdate({
+		_id: userId
+	}, {
+		$inc: {
+			refreshVersion: 1
+		}
+	});
 };
 
 /**
@@ -285,21 +313,42 @@ const createToken = ({
 	expiresIn: string | number;
 	secret: string;
 }) => {
-	try {
-		return jwt.sign(payload, secret, {
-			expiresIn
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to create a token');
-	}
+	return jwt.sign(payload, secret, {
+		expiresIn
+	});
 };
 
+const validateProviderAuthToken = async ({
+	email,
+	user,
+	providerAuthToken,
+}: {
+	email: string;
+	user: IUser,
+	providerAuthToken?: string;
+}) => {
+	if (!providerAuthToken) {
+		throw new Error('Invalid authentication request.');
+	}
+
+	const decodedToken = <jwt.ProviderAuthJwtPayload>(
+		jwt.verify(providerAuthToken, await getJwtProviderAuthSecret())
+	);
+	
+	if (
+		decodedToken.authProvider !== user.authProvider ||
+		decodedToken.email !== email
+	) {
+		throw new Error('Invalid authentication credentials.')
+	}
+}
+
 export {
 	validateAuthMode,
+	validateProviderAuthToken,
 	getAuthUserPayload,
 	getAuthSTDPayload,
+	getAuthSAAKPayload,
 	getAuthAPIKeyPayload,
 	createToken,
 	issueAuthTokens,

backend/src/helpers/bot.ts

@@ -1,58 +1,90 @@
-import * as Sentry from '@sentry/node';
+import { Types } from "mongoose";
 import {
-    Bot,
-    BotKey,
-    Secret,
-    ISecret,
-    IUser
-} from '../models';
-import { 
-    generateKeyPair, 
-    encryptSymmetric,
-    decryptSymmetric,
-    decryptAsymmetric
+  Bot,
+  BotKey,
+  Secret,
+  ISecret,
+  IUser
+} from "../models";
+import {
+  generateKeyPair,
+  encryptSymmetric128BitHexKeyUTF8,
+  decryptSymmetric128BitHexKeyUTF8,
+  decryptAsymmetric
 } from '../utils/crypto';
-import { SECRET_SHARED } from '../variables';
-import { getEncryptionKey } from '../config';
+import {
+  SECRET_SHARED,
+  ALGORITHM_AES_256_GCM,
+  ENCODING_SCHEME_UTF8,
+  ENCODING_SCHEME_BASE64
+} from "../variables";
+import { 
+  getEncryptionKey, 
+  getRootEncryptionKey,
+  client
+} from "../config";
+import { InternalServerError } from "../utils/errors";
 
 /**
  * Create an inactive bot with name [name] for workspace with id [workspaceId]
- * @param {Object} obj 
+ * @param {Object} obj
  * @param {String} obj.name - name of bot
  * @param {String} obj.workspaceId - id of workspace that bot belongs to
  */
 const createBot = async ({
-    name,
-    workspaceId,
+  name,
+  workspaceId,
 }: {
-    name: string;
-    workspaceId: string;
+  name: string;
+  workspaceId: Types.ObjectId;
 }) => {
-    let bot;
-    try {
-        const { publicKey, privateKey } = generateKeyPair();
-        const { ciphertext, iv, tag } = encryptSymmetric({
-            plaintext: privateKey,
-            key: getEncryptionKey()
-        });
+  const encryptionKey = await getEncryptionKey();
+  const rootEncryptionKey = await getRootEncryptionKey();
+  
+  const { publicKey, privateKey } = generateKeyPair();
+  
+  if (rootEncryptionKey) {
+    const { 
+      ciphertext, 
+      iv, 
+      tag 
+    } = client.encryptSymmetric(privateKey, rootEncryptionKey);
 
-        bot = await new Bot({
-            name,
-            workspace: workspaceId,
-            isActive: false,
-            publicKey,
-            encryptedPrivateKey: ciphertext,
-            iv,
-            tag
-        }).save();
-    } catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to create bot');
-    }
-    
-    return bot;
-}
+    return await new Bot({
+      name,
+      workspace: workspaceId,
+      isActive: false,
+      publicKey,
+      encryptedPrivateKey: ciphertext,
+      iv,
+      tag,
+      algorithm: ALGORITHM_AES_256_GCM,
+      keyEncoding: ENCODING_SCHEME_BASE64
+    }).save();
+  
+  } else if (encryptionKey) {
+    const { ciphertext, iv, tag } = encryptSymmetric128BitHexKeyUTF8({
+      plaintext: privateKey,
+      key: await getEncryptionKey(),
+    });
+
+    return await new Bot({
+      name,
+      workspace: workspaceId,
+      isActive: false,
+      publicKey,
+      encryptedPrivateKey: ciphertext,
+      iv,
+      tag,
+      algorithm: ALGORITHM_AES_256_GCM,
+      keyEncoding: ENCODING_SCHEME_UTF8
+    }).save();
+  }
+
+  throw InternalServerError({
+    message: 'Failed to create new bot due to missing encryption key'
+  });
+};
 
 /**
  * Return decrypted secrets for workspace with id [workspaceId]
@@ -62,125 +94,125 @@ const createBot = async ({
  * @param {String} obj.environment - environment
  */
 const getSecretsHelper = async ({
-    workspaceId,
-    environment
+  workspaceId,
+  environment,
 }: {
-    workspaceId: string;
-    environment: string;
+  workspaceId: Types.ObjectId;
+  environment: string;
 }) => {
-    const content = {} as any;
-    try {
-        const key = await getKey({ workspaceId });
-        const secrets = await Secret.find({
-            workspace: workspaceId,
-            environment,
-            type: SECRET_SHARED
-        });
-        
-        secrets.forEach((secret: ISecret) => {
-            const secretKey = decryptSymmetric({
-                ciphertext: secret.secretKeyCiphertext,
-                iv: secret.secretKeyIV,
-                tag: secret.secretKeyTag,
-                key
-            });
+  const content = {} as any;
+  const key = await getKey({ workspaceId: workspaceId.toString() });
+  const secrets = await Secret.find({
+    workspace: workspaceId,
+    environment,
+    type: SECRET_SHARED,
+  });
 
-            const secretValue = decryptSymmetric({
-                ciphertext: secret.secretValueCiphertext,
-                iv: secret.secretValueIV,
-                tag: secret.secretValueTag,
-                key
-            });
+  secrets.forEach((secret: ISecret) => {
+    const secretKey = decryptSymmetric128BitHexKeyUTF8({
+      ciphertext: secret.secretKeyCiphertext,
+      iv: secret.secretKeyIV,
+      tag: secret.secretKeyTag,
+      key,
+    });
 
-            content[secretKey] = secretValue;
-        });
-    } catch (err) {
-        Sentry.setUser(null);
-        Sentry.captureException(err);
-        throw new Error('Failed to get secrets');
-    }
+    const secretValue = decryptSymmetric128BitHexKeyUTF8({
+      ciphertext: secret.secretValueCiphertext,
+      iv: secret.secretValueIV,
+      tag: secret.secretValueTag,
+      key,
+    });
 
-    return content;
-}
+    content[secretKey] = secretValue;
+  });
+
+  return content;
+};
 
 /**
- * Return bot's copy of the workspace key for workspace 
+ * Return bot's copy of the workspace key for workspace
  * with id [workspaceId]
  * @param {Object} obj
  * @param {String} obj.workspaceId - id of workspace
  * @returns {String} key - decrypted workspace key
  */
 const getKey = async ({ workspaceId }: { workspaceId: string }) => {
-    let key;
-    try {
-        const botKey = await BotKey.findOne({
-            workspace: workspaceId
-        }).populate<{ sender: IUser }>('sender', 'publicKey');
-        
-        if (!botKey) throw new Error('Failed to find bot key');
-        
-        const bot = await Bot.findOne({
-            workspace: workspaceId
-        }).select('+encryptedPrivateKey +iv +tag');
-        
-        if (!bot) throw new Error('Failed to find bot');
-        if (!bot.isActive) throw new Error('Bot is not active');
-        
-        const privateKeyBot = decryptSymmetric({
-            ciphertext: bot.encryptedPrivateKey,
-            iv: bot.iv,
-            tag: bot.tag,
-            key: getEncryptionKey()
-        });
-        
-        key = decryptAsymmetric({
-            ciphertext: botKey.encryptedKey,
-            nonce: botKey.nonce,
-            publicKey: botKey.sender.publicKey as string,
-            privateKey: privateKeyBot
-        });
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to get workspace key');
-    }
+  const encryptionKey = await getEncryptionKey();
+  const rootEncryptionKey = await getRootEncryptionKey();
+
+  const botKey = await BotKey.findOne({
+    workspace: workspaceId,
+  })
+  .populate<{ sender: IUser }>("sender", "publicKey");
+
+  if (!botKey) throw new Error("Failed to find bot key");
+
+  const bot = await Bot.findOne({
+    workspace: workspaceId,
+  }).select("+encryptedPrivateKey +iv +tag +algorithm +keyEncoding");
+
+  if (!bot) throw new Error("Failed to find bot");
+  if (!bot.isActive) throw new Error("Bot is not active");
+
+  if (rootEncryptionKey && bot.keyEncoding === ENCODING_SCHEME_BASE64) {
+    // case: encoding scheme is base64
+    const privateKeyBot = client.decryptSymmetric(bot.encryptedPrivateKey, rootEncryptionKey, bot.iv, bot.tag);
+
+    return decryptAsymmetric({
+      ciphertext: botKey.encryptedKey,
+      nonce: botKey.nonce,
+      publicKey: botKey.sender.publicKey as string,
+      privateKey: privateKeyBot,
+    });
+  } else if (encryptionKey && bot.keyEncoding === ENCODING_SCHEME_UTF8) {
     
-    return key;
-}
+    // case: encoding scheme is utf8
+    const privateKeyBot = decryptSymmetric128BitHexKeyUTF8({
+      ciphertext: bot.encryptedPrivateKey,
+      iv: bot.iv,
+      tag: bot.tag,
+      key: encryptionKey
+    });
+    
+    return decryptAsymmetric({
+      ciphertext: botKey.encryptedKey,
+      nonce: botKey.nonce,
+      publicKey: botKey.sender.publicKey as string,
+      privateKey: privateKeyBot,
+    });
+  }
+
+  throw InternalServerError({
+    message: "Failed to obtain bot's copy of workspace key needed for bot operations"
+  });
+};
 
 /**
  * Return symmetrically encrypted [plaintext] using the
- * key for workspace with id [workspaceId] 
+ * key for workspace with id [workspaceId]
  * @param {Object} obj1
  * @param {String} obj1.workspaceId - id of workspace
  * @param {String} obj1.plaintext - plaintext to encrypt
  */
 const encryptSymmetricHelper = async ({
-    workspaceId,
-    plaintext
+  workspaceId,
+  plaintext,
 }: {
-    workspaceId: string;
-    plaintext: string;
+  workspaceId: Types.ObjectId;
+  plaintext: string;
 }) => {
-    
-    try {
-        const key = await getKey({ workspaceId });
-        const { ciphertext, iv, tag } = encryptSymmetric({
-            plaintext,
-            key
-        });
-        
-        return ({
-            ciphertext,
-            iv,
-            tag
-        });
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to perform symmetric encryption with bot');
-    }
-}
+  const key = await getKey({ workspaceId: workspaceId.toString() });
+  const { ciphertext, iv, tag } = encryptSymmetric128BitHexKeyUTF8({
+    plaintext,
+    key,
+  });
+
+  return {
+    ciphertext,
+    iv,
+    tag,
+  };
+};
 /**
  * Return symmetrically decrypted [ciphertext] using the
  * key for workspace with id [workspaceId]
@@ -191,39 +223,30 @@ const encryptSymmetricHelper = async ({
  * @param {String} obj.tag - tag
  */
 const decryptSymmetricHelper = async ({
-    workspaceId,
+  workspaceId,
+  ciphertext,
+  iv,
+  tag,
+}: {
+  workspaceId: Types.ObjectId;
+  ciphertext: string;
+  iv: string;
+  tag: string;
+}) => {
+  const key = await getKey({ workspaceId: workspaceId.toString() });
+  const plaintext = decryptSymmetric128BitHexKeyUTF8({
     ciphertext,
     iv,
-    tag
-}: {
-    workspaceId: string;
-    ciphertext: string;
-    iv: string;
-    tag: string;
-}) => {
-    let plaintext;
-    try {
-        const key = await getKey({ workspaceId });
-        const plaintext = decryptSymmetric({
-            ciphertext,
-            iv,
-            tag,
-            key
-        });
-        
-        return plaintext;
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to perform symmetric decryption with bot');
-    }
-    
-    return plaintext;
-}
+    tag,
+    key,
+  });
+
+  return plaintext;
+};
 
 export {
-    createBot,
-    getSecretsHelper,
-    encryptSymmetricHelper,
-    decryptSymmetricHelper
-}
+  createBot,
+  getSecretsHelper,
+  encryptSymmetricHelper,
+  decryptSymmetricHelper
+};

backend/src/helpers/database.ts

@@ -1,5 +1,4 @@
 import mongoose from 'mongoose';
-import { EESecretService } from '../ee/services';
 import { getLogger } from '../utils/logger';
 
 /**
@@ -19,11 +18,10 @@ const initDatabaseHelper = async ({
         // allow empty strings to pass the required validator
         mongoose.Schema.Types.String.checkRequired(v => typeof v === 'string');
 
-        getLogger("database").info("Database connection established");
-        
-        await EESecretService.initSecretVersioning();
+        (await getLogger("database")).info("Database connection established");
+
     } catch (err) {
-        getLogger("database").error(`Unable to establish Database connection due to the error.\n${err}`);
+        (await getLogger("database")).error(`Unable to establish Database connection due to the error.\n${err}`);
     }
 
     return mongoose.connection;

backend/src/helpers/event.ts

@@ -1,12 +1,13 @@
-import { Bot, IBot } from '../models';
-import * as Sentry from '@sentry/node';
-import { EVENT_PUSH_SECRETS } from '../variables';
-import { IntegrationService } from '../services';
+import { Types } from "mongoose";
+import { Bot, IBot } from "../models";
+import { EVENT_PUSH_SECRETS } from "../variables";
+import { IntegrationService } from "../services";
 
 interface Event {
-    name: string;
-    workspaceId: string;
-    payload: any;
+  name: string;
+  workspaceId: Types.ObjectId;
+  environment?: string;
+  payload: any;
 }
 
 /**
@@ -17,35 +18,25 @@ interface Event {
  * @param {String} obj.event.workspaceId - id of workspace that event is part of
  * @param {Object} obj.event.payload - payload of event (depends on event)
  */
-const handleEventHelper = async ({
-    event
-}: {
-    event: Event;
-}) => {
-    const { workspaceId } = event;
-    
-    // TODO: moduralize bot check into separate function
-    const bot = await Bot.findOne({
-        workspace: workspaceId,
-        isActive: true
-    });
-    
-    if (!bot) return;
-    
-    try {
-        switch (event.name) {
-            case EVENT_PUSH_SECRETS:
-                IntegrationService.syncIntegrations({
-                    workspaceId
-                });
-                break;
-        }
-    } catch (err) {
-        Sentry.setUser(null);
-        Sentry.captureException(err);
-    }
-}
+const handleEventHelper = async ({ event }: { event: Event }) => {
+  const { workspaceId, environment } = event;
 
-export {
-    handleEventHelper
-}
+  // TODO: moduralize bot check into separate function
+  const bot = await Bot.findOne({
+    workspace: workspaceId,
+    isActive: true,
+  });
+
+  if (!bot) return;
+
+  switch (event.name) {
+    case EVENT_PUSH_SECRETS:
+      IntegrationService.syncIntegrations({
+        workspaceId,
+        environment,
+      });
+      break;
+  }
+};
+
+export { handleEventHelper };

backend/src/helpers/integration.ts

@@ -1,16 +1,21 @@
 import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
 import {
     Bot,
     Integration,
-    IntegrationAuth,
+    IntegrationAuth
 } from '../models';
 import { exchangeCode, exchangeRefresh, syncSecrets } from '../integrations';
 import { BotService } from '../services';
 import {
     INTEGRATION_VERCEL,
-    INTEGRATION_NETLIFY
+    INTEGRATION_NETLIFY,
+    ALGORITHM_AES_256_GCM,
+    ENCODING_SCHEME_UTF8
 } from '../variables';
-import { UnauthorizedRequestError } from '../utils/errors';
+import { 
+    UnauthorizedRequestError,
+} from '../utils/errors';
 import RequestError from '../utils/requestError';
 
 interface Update {
@@ -114,14 +119,19 @@ const handleOAuthExchangeHelper = async ({
  * @param {Object} obj.workspaceId - id of workspace
  */
 const syncIntegrationsHelper = async ({
-    workspaceId
+    workspaceId,
+    environment
 }: {
-    workspaceId: string;
+    workspaceId: Types.ObjectId;
+    environment?: string;
 }) => {
     let integrations;
     try {
         integrations = await Integration.find({
             workspace: workspaceId,
+            ...(environment ? {
+                environment
+            } : {}),
             isActive: true,
             app: { $ne: null }
         });
@@ -131,7 +141,7 @@ const syncIntegrationsHelper = async ({
         for await (const integration of integrations) {
             // get workspace, environment (shared) secrets
             const secrets = await BotService.getSecrets({ // issue here?
-                workspaceId: integration.workspace.toString(),
+                workspaceId: integration.workspace,
                 environment: integration.environment
             });
 
@@ -140,7 +150,7 @@ const syncIntegrationsHelper = async ({
             
             // get integration auth access token
             const access = await getIntegrationAuthAccessHelper({
-                integrationAuthId: integration.integrationAuth.toString()
+                integrationAuthId: integration.integrationAuth
             });
 
             // sync secrets to integration
@@ -148,7 +158,7 @@ const syncIntegrationsHelper = async ({
                 integration,
                 integrationAuth,
                 secrets,
-                accessId: access.accessId,
+                accessId: access.accessId === undefined ? null : access.accessId,
                 accessToken: access.accessToken
             });
         }
@@ -167,7 +177,7 @@ const syncIntegrationsHelper = async ({
  * @param {String} obj.integrationAuthId - id of integration auth
  * @param {String} refreshToken - decrypted refresh token
  */
- const getIntegrationAuthRefreshHelper = async ({ integrationAuthId }: { integrationAuthId: string }) => {
+ const getIntegrationAuthRefreshHelper = async ({ integrationAuthId }: { integrationAuthId: Types.ObjectId }) => {
     let refreshToken;
 	
     try {
@@ -178,7 +188,7 @@ const syncIntegrationsHelper = async ({
         if (!integrationAuth) throw UnauthorizedRequestError({message: 'Failed to locate Integration Authentication credentials'});
 
         refreshToken = await BotService.decryptSymmetric({
-            workspaceId: integrationAuth.workspace.toString(),
+            workspaceId: integrationAuth.workspace,
             ciphertext: integrationAuth.refreshCiphertext as string,
             iv: integrationAuth.refreshIV as string,
             tag: integrationAuth.refreshTag as string
@@ -204,7 +214,7 @@ const syncIntegrationsHelper = async ({
  * @param {String} obj.integrationAuthId - id of integration auth
  * @returns {String} accessToken - decrypted access token
  */
-const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrationAuthId: string }) => {
+const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrationAuthId: Types.ObjectId }) => {
     let accessId;
     let accessToken;
     try {
@@ -215,7 +225,7 @@ const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrati
         if (!integrationAuth) throw UnauthorizedRequestError({message: 'Failed to locate Integration Authentication credentials'});
 
         accessToken = await BotService.decryptSymmetric({
-            workspaceId: integrationAuth.workspace.toString(),
+            workspaceId: integrationAuth.workspace,
             ciphertext: integrationAuth.accessCiphertext as string,
             iv: integrationAuth.accessIV as string,
             tag: integrationAuth.accessTag as string
@@ -237,7 +247,7 @@ const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrati
         
         if (integrationAuth?.accessIdCiphertext && integrationAuth?.accessIdIV && integrationAuth?.accessIdTag) {
             accessId = await BotService.decryptSymmetric({
-                workspaceId: integrationAuth.workspace.toString(),
+                workspaceId: integrationAuth.workspace,
                 ciphertext: integrationAuth.accessIdCiphertext as string,
                 iv: integrationAuth.accessIdIV as string,
                 tag: integrationAuth.accessIdTag as string
@@ -283,7 +293,7 @@ const setIntegrationAuthRefreshHelper = async ({
         if (!integrationAuth) throw new Error('Failed to find integration auth');
         
         const obj = await BotService.encryptSymmetric({
-            workspaceId: integrationAuth.workspace.toString(),
+            workspaceId: integrationAuth.workspace,
             plaintext: refreshToken
         });
         
@@ -292,7 +302,9 @@ const setIntegrationAuthRefreshHelper = async ({
         }, {
             refreshCiphertext: obj.ciphertext,
             refreshIV: obj.iv,
-            refreshTag: obj.tag
+            refreshTag: obj.tag,
+            algorithm: ALGORITHM_AES_256_GCM,
+            keyEncoding: ENCODING_SCHEME_UTF8
         }, {
             new: true
         });
@@ -332,14 +344,14 @@ const setIntegrationAuthAccessHelper = async ({
         if (!integrationAuth) throw new Error('Failed to find integration auth');
         
         const encryptedAccessTokenObj = await BotService.encryptSymmetric({
-            workspaceId: integrationAuth.workspace.toString(),
+            workspaceId: integrationAuth.workspace,
             plaintext: accessToken
         });
         
         let encryptedAccessIdObj;
         if (accessId) {
             encryptedAccessIdObj = await BotService.encryptSymmetric({
-                workspaceId: integrationAuth.workspace.toString(),
+                workspaceId: integrationAuth.workspace,
                 plaintext: accessId
             }); 
         }
@@ -353,7 +365,9 @@ const setIntegrationAuthAccessHelper = async ({
             accessCiphertext: encryptedAccessTokenObj.ciphertext,
             accessIV: encryptedAccessTokenObj.iv,
             accessTag: encryptedAccessTokenObj.tag,
-            accessExpiresAt
+            accessExpiresAt,
+            algorithm: ALGORITHM_AES_256_GCM,
+            keyEncoding: ENCODING_SCHEME_UTF8
         }, {
             new: true
         });
@@ -373,4 +387,4 @@ export {
     getIntegrationAuthAccessHelper,
     setIntegrationAuthRefreshHelper,
     setIntegrationAuthAccessHelper
-}
+}

backend/src/helpers/key.ts

@@ -1,4 +1,3 @@
-import * as Sentry from '@sentry/node';
 import { Key, IKey } from '../models';
 
 interface Key {
@@ -27,36 +26,30 @@ const pushKeys = async ({
 	workspaceId: string;
 	keys: Key[];
 }): Promise<void> => {
-	try {
-		// filter out already-inserted keys
-		const keysSet = new Set(
-			(
-				await Key.find(
-					{
-						workspace: workspaceId
-					},
-					'receiver'
-				)
-			).map((k: IKey) => k.receiver.toString())
-		);
+  // filter out already-inserted keys
+  const keysSet = new Set(
+    (
+      await Key.find(
+        {
+          workspace: workspaceId
+        },
+        'receiver'
+      )
+    ).map((k: IKey) => k.receiver.toString())
+  );
 
-		keys = keys.filter((key) => !keysSet.has(key.userId));
+  keys = keys.filter((key) => !keysSet.has(key.userId));
 
-		// add new shared keys only
-		await Key.insertMany(
-			keys.map((k) => ({
-				encryptedKey: k.encryptedKey,
-				nonce: k.nonce,
-				sender: userId,
-				receiver: k.userId,
-				workspace: workspaceId
-			}))
-		);
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to push access keys');
-	}
+  // add new shared keys only
+  await Key.insertMany(
+    keys.map((k) => ({
+      encryptedKey: k.encryptedKey,
+      nonce: k.nonce,
+      sender: userId,
+      receiver: k.userId,
+      workspace: workspaceId
+    }))
+  );
 };
 
 export { pushKeys };

backend/src/helpers/membership.ts

@@ -1,5 +1,13 @@
 import * as Sentry from '@sentry/node';
-import { Membership, Key } from '../models';
+import { Types } from 'mongoose';
+import { 
+	Membership, 
+	Key
+} from '../models';
+import {
+	MembershipNotFoundError,
+	BadRequestError
+} from '../utils/errors';
 
 /**
  * Validate that user with id [userId] is a member of workspace with id [workspaceId]
@@ -14,28 +22,24 @@ const validateMembership = async ({
 	workspaceId,
 	acceptedRoles,
 }: {
-	userId: string;
-	workspaceId: string;
-	acceptedRoles: string[];
+	userId: Types.ObjectId;
+	workspaceId: Types.ObjectId;
+	acceptedRoles?: Array<'admin' | 'member'>;
 }) => {
 	
-	let membership;
-	//TODO: Refactor code to take advantage of using RequestError. It's possible to create new types of errors for more detailed errors
-	try {
-		membership = await Membership.findOne({
-			user: userId,
-			workspace: workspaceId
-		}).populate("workspace");
-		
-		if (!membership) throw new Error('Failed to find membership');
-		
+	const membership = await Membership.findOne({
+		user: userId,
+		workspace: workspaceId
+	}).populate("workspace");
+	
+	if (!membership) {
+		throw MembershipNotFoundError({ message: 'Failed to find workspace membership' });
+	}
+	
+	if (acceptedRoles) {
 		if (!acceptedRoles.includes(membership.role)) {
-			throw new Error('Failed to validate membership role');
+			throw BadRequestError({ message: 'Failed authorization for membership role' });
 		}
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to validate membership');
 	}
 	
 	return membership;

backend/src/helpers/membershipOrg.ts

@@ -1,40 +1,56 @@
-import * as Sentry from '@sentry/node';
 import { Types } from 'mongoose';
-import { MembershipOrg, Workspace, Membership, Key } from '../models';
+import { 
+	MembershipOrg, 
+	Workspace, 
+	Membership, 
+	Key
+} from '../models';
+import {
+	MembershipOrgNotFoundError,
+	UnauthorizedRequestError
+} from '../utils/errors';
 
 /**
  * Validate that user with id [userId] is a member of organization with id [organizationId]
  * and has at least one of the roles in [acceptedRoles]
- *
+ * @param {Object} obj
+ * @param {Types.ObjectId} obj.userId
+ * @param {Types.ObjectId} obj.organizationId
+ * @param {String[]} obj.acceptedRoles
  */
-const validateMembership = async ({
+const validateMembershipOrg = async ({
 	userId,
 	organizationId,
-	acceptedRoles
+	acceptedRoles,
+	acceptedStatuses
 }: {
-	userId: string;
-	organizationId: string;
-	acceptedRoles: string[];
+	userId: Types.ObjectId;
+	organizationId: Types.ObjectId;
+	acceptedRoles?: Array<'owner' | 'admin' | 'member'>;
+	acceptedStatuses?: Array<'invited' | 'accepted'>;
 }) => {
-	let membership;
-	try {
-		membership = await MembershipOrg.findOne({
-			user: new Types.ObjectId(userId),
-			organization: new Types.ObjectId(organizationId)
-		});
-		
-		if (!membership) throw new Error('Failed to find organization membership');
-		
-		if (!acceptedRoles.includes(membership.role)) {
-			throw new Error('Failed to validate organization membership role');
-		}
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to validate organization membership');
+	const membershipOrg = await MembershipOrg.findOne({
+		user: userId,
+		organization: organizationId
+	});
+	
+	if (!membershipOrg) {
+		throw MembershipOrgNotFoundError({ message: 'Failed to find organization membership' });
 	}
 	
-	return membership;
+	if (acceptedRoles) {
+		if (!acceptedRoles.includes(membershipOrg.role)) {
+			throw UnauthorizedRequestError({ message: 'Failed to validate organization membership role' });
+		}
+	}
+	
+	if (acceptedStatuses) {
+		if (!acceptedStatuses.includes(membershipOrg.status)) {
+			throw UnauthorizedRequestError({ message: 'Failed to validate organization membership status' });
+		}
+	}
+	
+	return membershipOrg;
 }
 
 /**
@@ -44,15 +60,7 @@ const validateMembership = async ({
  * @return {Object} membershipOrg - membership
  */
 const findMembershipOrg = (queryObj: any) => {
-	let membershipOrg;
-	try {
-		membershipOrg = MembershipOrg.findOne(queryObj);
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to find organization membership');
-	}
-
+	const membershipOrg = MembershipOrg.findOne(queryObj);
 	return membershipOrg;
 };
 
@@ -75,33 +83,27 @@ const addMembershipsOrg = async ({
 	roles: string[];
 	statuses: string[];
 }) => {
-	try {
-		const operations = userIds.map((userId, idx) => {
-			return {
-				updateOne: {
-					filter: {
-						user: userId,
-						organization: organizationId,
-						role: roles[idx],
-						status: statuses[idx]
-					},
-					update: {
-						user: userId,
-						organization: organizationId,
-						role: roles[idx],
-						status: statuses[idx]
-					},
-					upsert: true
-				}
-			};
-		});
+  const operations = userIds.map((userId, idx) => {
+    return {
+      updateOne: {
+        filter: {
+          user: userId,
+          organization: organizationId,
+          role: roles[idx],
+          status: statuses[idx]
+        },
+        update: {
+          user: userId,
+          organization: organizationId,
+          role: roles[idx],
+          status: statuses[idx]
+        },
+        upsert: true
+      }
+    };
+  });
 
-		await MembershipOrg.bulkWrite(operations as any);
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to add users to organization');
-	}
+  await MembershipOrg.bulkWrite(operations as any);
 };
 
 /**
@@ -114,49 +116,42 @@ const deleteMembershipOrg = async ({
 }: {
 	membershipOrgId: string;
 }) => {
-	let deletedMembershipOrg;
-	try {
-		deletedMembershipOrg = await MembershipOrg.findOneAndDelete({
-			_id: membershipOrgId
-		});
+  const deletedMembershipOrg = await MembershipOrg.findOneAndDelete({
+    _id: membershipOrgId
+  });
 
-		if (!deletedMembershipOrg) throw new Error('Failed to delete organization membership');
+  if (!deletedMembershipOrg) throw new Error('Failed to delete organization membership');
 
-		// delete keys associated with organization membership
-		if (deletedMembershipOrg?.user) {
-			// case: organization membership had a registered user
+  // delete keys associated with organization membership
+  if (deletedMembershipOrg?.user) {
+    // case: organization membership had a registered user
 
-			const workspaces = (
-				await Workspace.find({
-					organization: deletedMembershipOrg.organization
-				})
-			).map((w) => w._id.toString());
+    const workspaces = (
+      await Workspace.find({
+        organization: deletedMembershipOrg.organization
+      })
+    ).map((w) => w._id.toString());
 
-			await Membership.deleteMany({
-				user: deletedMembershipOrg.user,
-				workspace: {
-					$in: workspaces
-				}
-			});
+    await Membership.deleteMany({
+      user: deletedMembershipOrg.user,
+      workspace: {
+        $in: workspaces
+      }
+    });
 
-			await Key.deleteMany({
-				receiver: deletedMembershipOrg.user,
-				workspace: {
-					$in: workspaces
-				}
-			});
-		}
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to delete organization membership');
-	}
+    await Key.deleteMany({
+      receiver: deletedMembershipOrg.user,
+      workspace: {
+        $in: workspaces
+      }
+    });
+  }
 
 	return deletedMembershipOrg;
 };
 
 export {
-	validateMembership,
+	validateMembershipOrg,
 	findMembershipOrg,
 	addMembershipsOrg, 
 	deleteMembershipOrg 

backend/src/helpers/nodemailer.ts

@@ -25,7 +25,7 @@ const sendMail = async ({
   recipients: string[];
   substitutions: any;
 }) => {
-  if (getSmtpConfigured()) {
+  if (await getSmtpConfigured()) {
     try {
       const html = fs.readFileSync(
         path.resolve(__dirname, '../templates/' + template),
@@ -35,7 +35,7 @@ const sendMail = async ({
       const htmlToSend = temp(substitutions);
 
       await smtpTransporter.sendMail({
-        from: `"${getSmtpFromName()}" <${getSmtpFromAddress()}>`,
+        from: `"${await getSmtpFromName()}" <${await getSmtpFromAddress()}>`,
         to: recipients.join(', '),
         subject: subjectLine,
         html: htmlToSend

backend/src/helpers/organization.ts

@@ -1,14 +1,25 @@
-import * as Sentry from '@sentry/node';
-import Stripe from 'stripe';
-import { Types } from 'mongoose';
-import { ACCEPTED } from '../variables';
-import { Organization, MembershipOrg } from '../models';
-import { 
-	getStripeSecretKey,
-	getStripeProductPro,
-	getStripeProductTeam,
-	getStripeProductStarter
+import Stripe from "stripe";
+import { Types } from "mongoose";
+import { Organization, MembershipOrg } from "../models";
+import {
+  ACCEPTED
+} from "../variables";
+import {
+  getStripeSecretKey,
+  getStripeProductPro,
+  getStripeProductTeam,
+  getStripeProductStarter,
+} from "../config";
+import {
+  EELicenseService
+} from '../ee/services';
+import {
+  getLicenseServerUrl
 } from '../config';
+import {
+  licenseServerKeyRequest,
+  licenseKeyRequest
+} from '../config/request';
 
 /**
  * Create an organization with name [name]
@@ -18,43 +29,37 @@ import {
  * @param {Object} organization - new organization
  */
 const createOrganization = async ({
-	name,
-	email
+  name,
+  email,
 }: {
-	name: string;
-	email: string;
+  name: string;
+  email: string;
 }) => {
-	let organization;
-	try {
-		// register stripe account
-		const stripe = new Stripe(getStripeSecretKey(), {
-			apiVersion: '2022-08-01'
-		});
+  let organization;
+  // register stripe account
+  const stripe = new Stripe(await getStripeSecretKey(), {
+    apiVersion: "2022-08-01",
+  });
 
-		if (getStripeSecretKey()) {
-			const customer = await stripe.customers.create({
-				email,
-				description: name
-			});
+  if (await getStripeSecretKey()) {
+    const customer = await stripe.customers.create({
+      email,
+      description: name,
+    });
 
-			organization = await new Organization({
-				name,
-				customerId: customer.id
-			}).save();
-		} else {
-			organization = await new Organization({
-				name
-			}).save();
-		}
+    organization = await new Organization({
+      name,
+      customerId: customer.id,
+    }).save();
+  } else {
+    organization = await new Organization({
+      name,
+    }).save();
+  }
 
-		await initSubscriptionOrg({ organizationId: organization._id });
-	} catch (err) {
-		Sentry.setUser({ email });
-		Sentry.captureException(err);
-		throw new Error(`Failed to create organization [err=${err}]`);
-	}
+  await initSubscriptionOrg({ organizationId: organization._id });
 
-	return organization;
+  return organization;
 };
 
 /**
@@ -66,57 +71,52 @@ const createOrganization = async ({
  * @return {Subscription} obj.subscription - new subscription
  */
 const initSubscriptionOrg = async ({
-	organizationId
+  organizationId,
 }: {
-	organizationId: Types.ObjectId;
+  organizationId: Types.ObjectId;
 }) => {
-	let stripeSubscription;
-	let subscription;
-	try {
-		// find organization
-		const organization = await Organization.findOne({
-			_id: organizationId
-		});
+  let stripeSubscription;
+  let subscription;
 
-		if (organization) {
-			if (organization.customerId) {
-				// initialize starter subscription with quantity of 0
-				const stripe = new Stripe(getStripeSecretKey(), {
-					apiVersion: '2022-08-01'
-				});
+  // find organization
+  const organization = await Organization.findOne({
+    _id: organizationId,
+  });
 
-				const productToPriceMap = {
-					starter: getStripeProductStarter(),
-					team: getStripeProductTeam(),
-					pro: getStripeProductPro()
-				};
+  if (organization) {
+    if (organization.customerId) {
+      // initialize starter subscription with quantity of 0
+      const stripe = new Stripe(await getStripeSecretKey(), {
+        apiVersion: "2022-08-01",
+      });
 
-				stripeSubscription = await stripe.subscriptions.create({
-					customer: organization.customerId,
-					items: [
-						{
-							price: productToPriceMap['starter'],
-							quantity: 1
-						}
-					],
-					payment_behavior: 'default_incomplete',
-					proration_behavior: 'none',
-					expand: ['latest_invoice.payment_intent']
-				});
-			}
-		} else {
-			throw new Error('Failed to initialize free organization subscription');
-		}
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to initialize free organization subscription');
-	}
+      const productToPriceMap = {
+        starter: await getStripeProductStarter(),
+        team: await getStripeProductTeam(),
+        pro: await getStripeProductPro(),
+      };
 
-	return {
-		stripeSubscription,
-		subscription
-	};
+      stripeSubscription = await stripe.subscriptions.create({
+        customer: organization.customerId,
+        items: [
+          {
+            price: productToPriceMap["starter"],
+            quantity: 1,
+          },
+        ],
+        payment_behavior: "default_incomplete",
+        proration_behavior: "none",
+        expand: ["latest_invoice.payment_intent"],
+      });
+    }
+  } else {
+    throw new Error("Failed to initialize free organization subscription");
+  }
+
+  return {
+    stripeSubscription,
+    subscription,
+  };
 };
 
 /**
@@ -126,53 +126,55 @@ const initSubscriptionOrg = async ({
  * @param {Number} obj.organizationId - id of subscription's organization
  */
 const updateSubscriptionOrgQuantity = async ({
-	organizationId
+  organizationId,
 }: {
-	organizationId: string;
+  organizationId: string;
 }) => {
-	let stripeSubscription;
-	try {
-		// find organization
-		const organization = await Organization.findOne({
-			_id: organizationId
-		});
+  let stripeSubscription;
+  // find organization
+  const organization = await Organization.findOne({
+    _id: organizationId,
+  });
 
-		if (organization && organization.customerId) {
-			const quantity = await MembershipOrg.countDocuments({
-				organization: organizationId,
-				status: ACCEPTED
-			});
+  if (organization && organization.customerId) {
+    if (EELicenseService.instanceType === 'cloud') {
+      // instance of Infisical is a cloud instance
+      const quantity = await MembershipOrg.countDocuments({
+        organization: new Types.ObjectId(organizationId),
+        status: ACCEPTED,
+      });
+      
+      await licenseServerKeyRequest.patch(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${organization.customerId}/cloud-plan`,
+        {
+          quantity
+        }
+      );
 
-			const stripe = new Stripe(getStripeSecretKey(), {
-				apiVersion: '2022-08-01'
-			});
+      EELicenseService.localFeatureSet.del(organizationId);
+    }
+    
+    if (EELicenseService.instanceType === 'enterprise-self-hosted') {
+      // instance of Infisical is an enterprise self-hosted instance
+      
+      const usedSeats = await MembershipOrg.countDocuments({
+        status: ACCEPTED
+      });
 
-			const subscription = (
-				await stripe.subscriptions.list({
-					customer: organization.customerId
-				})
-			).data[0];
+      await licenseKeyRequest.patch(
+        `${await getLicenseServerUrl()}/api/license/v1/license`,
+        {
+          usedSeats
+        }
+      );
+    }
+  }
 
-			stripeSubscription = await stripe.subscriptions.update(subscription.id, {
-				items: [
-					{
-						id: subscription.items.data[0].id,
-						price: subscription.items.data[0].price.id,
-						quantity
-					}
-				]
-			});
-		}
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-	}
-
-	return stripeSubscription;
+  return stripeSubscription;
 };
 
 export {
-	createOrganization,
-	initSubscriptionOrg,
-	updateSubscriptionOrgQuantity
-};
+  createOrganization,
+  initSubscriptionOrg,
+  updateSubscriptionOrgQuantity
+};

backend/src/helpers/rateLimiter.ts

@@ -1,9 +1,16 @@
 import rateLimit from 'express-rate-limit';
+const MongoStore = require('rate-limit-mongo');
 
-// 120 requests per minute
+// 200 per minute
 const apiLimiter = rateLimit({
-  windowMs: 60 * 1000,
-  max: 240,
+  store: new MongoStore({
+    uri: process.env.MONGO_URL,
+    expireTimeMs: 1000 * 60,
+    collectionName: "expressRateRecords-apiLimiter",
+    errorHandler: console.error.bind(null, 'rate-limit-mongo')
+  }),
+  windowMs: 1000 * 60,
+  max: 200,
   standardHeaders: true,
   legacyHeaders: false,
   skip: (request) => {
@@ -14,10 +21,16 @@ const apiLimiter = rateLimit({
   }
 });
 
-// 10 requests per minute
-const authLimiter = rateLimit({
-  windowMs: 60 * 1000,
-  max: 10,
+// 50 requests per 1 hours
+const authLimit = rateLimit({
+  store: new MongoStore({
+    uri: process.env.MONGO_URL,
+    expireTimeMs: 1000 * 60 * 60,
+    errorHandler: console.error.bind(null, 'rate-limit-mongo'),
+    collectionName: "expressRateRecords-authLimit",
+  }),
+  windowMs: 1000 * 60 * 60,
+  max: 50,
   standardHeaders: true,
   legacyHeaders: false,
   keyGenerator: (req, res) => {
@@ -25,10 +38,16 @@ const authLimiter = rateLimit({
   }
 });
 
-// 10 requests per hour
+// 50 requests per 1 hour
 const passwordLimiter = rateLimit({
-  windowMs: 60 * 60 * 1000,
-  max: 10,
+  store: new MongoStore({
+    uri: process.env.MONGO_URL,
+    expireTimeMs: 1000 * 60 * 60,
+    errorHandler: console.error.bind(null, 'rate-limit-mongo'),
+    collectionName: "expressRateRecords-passwordLimiter",
+  }),
+  windowMs: 1000 * 60 * 60,
+  max: 50,
   standardHeaders: true,
   legacyHeaders: false,
   keyGenerator: (req, res) => {
@@ -36,8 +55,16 @@ const passwordLimiter = rateLimit({
   }
 });
 
-export { 
-  apiLimiter, 
-  authLimiter,
-  passwordLimiter 
+const authLimiter = (req: any, res: any, next: any) => {
+  if (process.env.NODE_ENV === 'production') {
+    authLimit(req, res, next);
+  } else {
+    next();
+  }
+};
+
+export {
+  apiLimiter,
+  authLimiter,
+  passwordLimiter
 };

backend/src/helpers/secrets.ts

@@ -0,0 +1,769 @@
+import { Types } from 'mongoose';
+import {
+    CreateSecretParams,
+    GetSecretsParams,
+    GetSecretParams,
+    UpdateSecretParams,
+    DeleteSecretParams
+} from '../interfaces/services/SecretService';
+import {
+    Secret,
+    ISecret,
+    SecretBlindIndexData,
+} from '../models';
+import { SecretVersion } from '../ee/models';
+import { 
+    BadRequestError, 
+    SecretNotFoundError,
+    SecretBlindIndexDataNotFoundError,
+    InternalServerError
+} from '../utils/errors';
+import {
+    SECRET_PERSONAL,
+    SECRET_SHARED,
+    ACTION_ADD_SECRETS,
+    ACTION_READ_SECRETS,
+    ACTION_UPDATE_SECRETS,
+    ACTION_DELETE_SECRETS,
+    ALGORITHM_AES_256_GCM,
+    ENCODING_SCHEME_UTF8,
+    ENCODING_SCHEME_BASE64
+} from '../variables';
+import crypto from 'crypto';
+import * as argon2 from 'argon2';
+import {
+    encryptSymmetric128BitHexKeyUTF8,
+    decryptSymmetric128BitHexKeyUTF8
+} from '../utils/crypto';
+import { getEncryptionKey, client, getRootEncryptionKey } from '../config';
+import { TelemetryService } from '../services';
+import {
+    EESecretService,
+    EELogService
+} from '../ee/services';
+import {
+    getAuthDataPayloadIdObj,
+    getAuthDataPayloadUserObj
+} from '../utils/auth';
+
+/**
+ * Create secret blind index data containing encrypted blind index [salt]
+ * for workspace with id [workspaceId]
+ * @param {Object} obj
+ * @param {Types.ObjectId} obj.workspaceId
+ */
+const createSecretBlindIndexDataHelper = async ({
+    workspaceId
+}: {
+    workspaceId: Types.ObjectId;
+}) => {
+
+    // initialize random blind index salt for workspace
+    const salt = crypto.randomBytes(16).toString('base64');
+
+    const encryptionKey = await getEncryptionKey();
+    const rootEncryptionKey = await getRootEncryptionKey();
+
+    if (rootEncryptionKey) {
+        const { 
+            ciphertext: encryptedSaltCiphertext,
+            iv: saltIV,
+            tag: saltTag
+        } = client.encryptSymmetric(salt, rootEncryptionKey);
+        
+        return await new SecretBlindIndexData({
+            workspace: workspaceId,
+            encryptedSaltCiphertext,
+            saltIV,
+            saltTag,
+            algorithm: ALGORITHM_AES_256_GCM,
+            keyEncoding: ENCODING_SCHEME_BASE64
+        }).save();
+    } else {
+        const { 
+            ciphertext: encryptedSaltCiphertext,
+            iv: saltIV,
+            tag: saltTag
+        } = encryptSymmetric128BitHexKeyUTF8({
+            plaintext: salt,
+            key: encryptionKey
+        });
+        
+        return await new SecretBlindIndexData({
+            workspace: workspaceId,
+            encryptedSaltCiphertext,
+            saltIV,
+            saltTag,
+            algorithm: ALGORITHM_AES_256_GCM,
+            keyEncoding: ENCODING_SCHEME_UTF8
+        }).save();
+    }
+}
+
+/**
+ * Get secret blind index salt for workspace with id [workspaceId]
+ * @param {Object} obj
+ * @param {Types.ObjectId} obj.workspaceId - id of workspace to get salt for
+ * @returns 
+ */
+const getSecretBlindIndexSaltHelper = async ({
+    workspaceId
+}: {
+    workspaceId: Types.ObjectId;
+}) => {
+    
+    const encryptionKey = await getEncryptionKey();
+    const rootEncryptionKey = await getRootEncryptionKey();
+
+    const secretBlindIndexData = await SecretBlindIndexData.findOne({
+        workspace: workspaceId
+    }).select('+algorithm +keyEncoding');
+    
+    if (!secretBlindIndexData) throw SecretBlindIndexDataNotFoundError();
+
+    if (rootEncryptionKey && secretBlindIndexData.keyEncoding === ENCODING_SCHEME_BASE64) {
+        return client.decryptSymmetric(
+            secretBlindIndexData.encryptedSaltCiphertext, 
+            rootEncryptionKey, 
+            secretBlindIndexData.saltIV, 
+            secretBlindIndexData.saltTag
+        );
+    } else if (encryptionKey && secretBlindIndexData.keyEncoding === ENCODING_SCHEME_UTF8) {
+        // decrypt workspace salt
+        return decryptSymmetric128BitHexKeyUTF8({
+            ciphertext: secretBlindIndexData.encryptedSaltCiphertext,
+            iv: secretBlindIndexData.saltIV,
+            tag: secretBlindIndexData.saltTag,
+            key: encryptionKey
+        });
+    }
+
+    throw InternalServerError({
+        message: 'Failed to obtain workspace salt needed for secret blind indexing'
+    });
+}
+
+/**
+ * Generate blind index for secret with name [secretName]
+ * and salt [salt]
+ * @param {Object} obj
+ * @param {String} obj.secretName - name of secret to generate blind index for
+ * @param {String} obj.salt - base64-salt
+ */
+ const generateSecretBlindIndexWithSaltHelper = async ({
+    secretName,
+    salt
+}: {
+    secretName: string;
+    salt: string;
+}) => {
+
+    // generate secret blind index
+    const secretBlindIndex = (await argon2.hash(secretName, {
+        type: argon2.argon2id,
+        salt: Buffer.from(salt, 'base64'),
+        saltLength: 16, // default 16 bytes
+        memoryCost: 65536, // default pool of 64 MiB per thread.
+        hashLength: 32,
+        parallelism: 1,
+        raw: true
+    })).toString('base64');
+
+    return secretBlindIndex;
+}
+
+/**
+ * Generate blind index for secret with name [secretName] 
+ * for workspace with id [workspaceId]
+ * @param {Object} obj
+ * @param {Stringj} obj.secretName - name of secret to generate blind index for
+ * @param {Types.ObjectId} obj.workspaceId - id of workspace that secret belongs to
+ */
+const generateSecretBlindIndexHelper = async ({
+    secretName,
+    workspaceId
+}: {
+    secretName: string;
+    workspaceId: Types.ObjectId;
+}) => {
+
+    // check if workspace blind index data exists
+    const secretBlindIndexData = await SecretBlindIndexData.findOne({
+        workspace: workspaceId
+    });
+    
+    if (!secretBlindIndexData) throw SecretBlindIndexDataNotFoundError();
+    
+    // decrypt workspace salt
+    const salt = decryptSymmetric128BitHexKeyUTF8({
+        ciphertext: secretBlindIndexData.encryptedSaltCiphertext,
+        iv: secretBlindIndexData.saltIV,
+        tag: secretBlindIndexData.saltTag,
+        key: await getEncryptionKey()
+    });
+
+    const secretBlindIndex = await generateSecretBlindIndexWithSaltHelper({
+        secretName,
+        salt
+    });
+
+    return secretBlindIndex;
+}
+
+/**
+ * Create secret with name [secretName]
+ * @param {Object} obj
+ * @param {String} obj.secretName - name of secret to create
+ * @param {Types.ObjectId} obj.workspaceId - id of workspace to create secret for
+ * @param {String} obj.environment - environment in workspace to create secret for
+ * @param {'shared' | 'personal'} obj.type - type of secret
+ * @param {AuthData} obj.authData - authentication data on request
+ * @returns 
+ */
+const createSecretHelper = async ({
+    secretName,
+    workspaceId,
+    environment,
+    type,
+    authData,
+    secretKeyCiphertext,
+    secretKeyIV,
+    secretKeyTag,
+    secretValueCiphertext,
+    secretValueIV,
+    secretValueTag,
+    secretCommentCiphertext,
+    secretCommentIV,
+    secretCommentTag
+}: CreateSecretParams) => {
+    const secretBlindIndex = await generateSecretBlindIndexHelper({
+        secretName,
+        workspaceId: new Types.ObjectId(workspaceId)
+    });
+
+    const exists = await Secret.exists({
+        secretBlindIndex,
+        workspace: new Types.ObjectId(workspaceId),
+        type,
+        ...(type === SECRET_PERSONAL ? getAuthDataPayloadUserObj(authData) : {})
+    });
+    
+    if (exists) throw BadRequestError({
+        message: 'Failed to create secret that already exists'
+    });
+    
+    if (type === SECRET_PERSONAL) {
+        // case: secret type is personal -> check if a corresponding shared secret 
+        // with the same blind index [secretBlindIndex] exists
+
+        const exists = await Secret.exists({
+            secretBlindIndex,
+            workspace: new Types.ObjectId(workspaceId),
+            type: SECRET_SHARED
+        });
+        
+        if (!exists) throw BadRequestError({
+            message: 'Failed to create personal secret override for no corresponding shared secret'
+        });
+    }
+    
+    // create secret
+    const secret = await new Secret({
+        version: 1,
+        workspace: new Types.ObjectId(workspaceId),
+        environment,
+        type,
+        ...(type === SECRET_PERSONAL ? getAuthDataPayloadUserObj(authData) : {}),
+        secretBlindIndex,
+        secretKeyCiphertext,
+        secretKeyIV,
+        secretKeyTag,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag,
+        secretCommentCiphertext,
+        secretCommentIV,
+        secretCommentTag,
+        algorithm: ALGORITHM_AES_256_GCM,
+        keyEncoding: ENCODING_SCHEME_UTF8
+    }).save();
+    
+    const secretVersion = new SecretVersion({
+        secret: secret._id,
+        version: secret.version,
+        workspace: secret.workspace,
+        type,
+        ...(type === SECRET_PERSONAL ? getAuthDataPayloadUserObj(authData) : {}),
+        environment: secret.environment,
+        isDeleted: false,
+        secretBlindIndex,
+        secretKeyCiphertext,
+        secretKeyIV,
+        secretKeyTag,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag,
+        algorithm: ALGORITHM_AES_256_GCM,
+        keyEncoding: ENCODING_SCHEME_UTF8
+    });
+
+    // // (EE) add version for new secret
+    await EESecretService.addSecretVersions({
+        secretVersions: [secretVersion]
+    });
+
+    // (EE) create (audit) log
+    const action = await EELogService.createAction({
+        name: ACTION_ADD_SECRETS,
+        ...getAuthDataPayloadIdObj(authData),
+        workspaceId,
+        secretIds: [secret._id]
+    });
+    
+    action && await EELogService.createLog({
+        ...getAuthDataPayloadIdObj(authData),
+        workspaceId,
+        actions: [action],
+        channel: authData.authChannel,
+        ipAddress: authData.authIP
+    });
+    
+    // (EE) take a secret snapshot
+    await EESecretService.takeSecretSnapshot({
+        workspaceId
+    });
+
+    const postHogClient = await TelemetryService.getPostHogClient();
+
+    if (postHogClient) {
+        postHogClient.capture({
+            event: 'secrets added',
+            distinctId: await TelemetryService.getDistinctId({
+                authData
+            }),
+            properties: {
+                numberOfSecrets: 1,
+                environment,
+                workspaceId,
+                channel: authData.authChannel,
+                userAgent: authData.authUserAgent
+            }
+        });
+    }
+    
+    return secret;
+}
+
+/**
+ * Get secrets for workspace with id [workspaceId] and environment [environment]
+ * @param {Object} obj
+ * @param {Types.ObjectId} obj.workspaceId - id of workspace
+ * @param {String} obj.environment - environment in workspace
+ * @param {AuthData} obj.authData - authentication data on request
+ * @returns 
+ */
+const getSecretsHelper = async ({
+    workspaceId,
+    environment,
+    authData
+}: GetSecretsParams) => {
+    let secrets: ISecret[] = [];
+
+    // get personal secrets first
+    secrets = await Secret.find({
+        workspace: new Types.ObjectId(workspaceId),
+        environment,
+        type: SECRET_PERSONAL,
+        ...getAuthDataPayloadUserObj(authData)
+    });
+
+    // concat with shared secrets
+    secrets = secrets.concat(await Secret.find({
+        workspace: new Types.ObjectId(workspaceId),
+        environment,
+        type: SECRET_SHARED,
+        secretBlindIndex: {
+            $nin: secrets.map((secret) => secret.secretBlindIndex)
+        }
+    }));
+
+    // (EE) create (audit) log
+    const action = await EELogService.createAction({
+        name: ACTION_READ_SECRETS,
+        ...getAuthDataPayloadIdObj(authData),
+        workspaceId,
+        secretIds: secrets.map((secret) => secret._id)
+    });
+    
+    action && await EELogService.createLog({
+        ...getAuthDataPayloadIdObj(authData),
+        workspaceId,
+        actions: [action],
+        channel: authData.authChannel,
+        ipAddress: authData.authIP
+    });
+
+    const postHogClient = await TelemetryService.getPostHogClient();
+
+    if (postHogClient) {
+        postHogClient.capture({
+            event: 'secrets pulled',
+            distinctId: await TelemetryService.getDistinctId({
+                authData
+            }),
+            properties: {
+                numberOfSecrets: secrets.length,
+                environment,
+                workspaceId,
+                channel: authData.authChannel,
+                userAgent: authData.authUserAgent
+            }
+        });
+    }
+
+    return secrets;
+}
+
+/**
+ * Get secret with name [secretName]
+ * @param {Object} obj
+ * @param {String} obj.secretName - name of secret to get
+ * @param {Types.ObjectId} obj.workspaceId - id of workspace that secret belongs to
+ * @param {String} obj.environment - environment in workspace that secret belongs to
+ * @param {'shared' | 'personal'} obj.type - type of secret
+ * @param {AuthData} obj.authData - authentication data on request
+ * @returns 
+ */
+const getSecretHelper = async ({
+    secretName,
+    workspaceId,
+    environment,
+    type,
+    authData
+}: GetSecretParams) => {
+    const secretBlindIndex = await generateSecretBlindIndexHelper({
+        secretName,
+        workspaceId: new Types.ObjectId(workspaceId)
+    });
+    let secret: ISecret | null = null;
+    
+    // try getting personal secret first (if exists)
+    secret = await Secret.findOne({
+        secretBlindIndex,
+        workspace: new Types.ObjectId(workspaceId),
+        environment,
+        type: type ?? SECRET_PERSONAL,
+        ...(type === SECRET_PERSONAL ? getAuthDataPayloadUserObj(authData) : {})
+    });
+
+    if (!secret) {
+        // case: failed to find personal secret matching criteria
+        // -> find shared secret matching criteria
+        secret = await Secret.findOne({
+            secretBlindIndex,
+            workspace: new Types.ObjectId(workspaceId),
+            environment,
+            type: SECRET_SHARED
+        });
+    }
+    
+    if (!secret) throw SecretNotFoundError();
+    
+    // (EE) create (audit) log
+    const action = await EELogService.createAction({
+        name: ACTION_READ_SECRETS,
+        ...getAuthDataPayloadIdObj(authData),
+        workspaceId,
+        secretIds: [secret._id]
+    });
+    
+    action && await EELogService.createLog({
+        ...getAuthDataPayloadIdObj(authData),
+        workspaceId,
+        actions: [action],
+        channel: authData.authChannel,
+        ipAddress: authData.authIP
+    });
+
+    const postHogClient = await TelemetryService.getPostHogClient();
+
+    if (postHogClient) {
+        postHogClient.capture({
+            event: 'secrets pull',
+            distinctId: await TelemetryService.getDistinctId({
+                authData
+            }),
+            properties: {
+                numberOfSecrets: 1,
+                environment,
+                workspaceId,
+                channel: authData.authChannel,
+                userAgent: authData.authUserAgent
+            }
+        });
+    }
+
+    return secret;
+}
+
+/**
+ * Update secret with name [secretName]
+ * @param {Object} obj
+ * @param {String} obj.secretName - name of secret to update
+ * @param {Types.ObjectId} obj.workspaceId - id of workspace that secret belongs to
+ * @param {String} obj.environment - environment in workspace that secret belongs to
+ * @param {'shared' | 'personal'} obj.type - type of secret
+ * @param {String} obj.secretValueCiphertext - ciphertext of secret value
+ * @param {String} obj.secretValueIV - IV of secret value
+ * @param {String} obj.secretValueTag - tag of secret value
+ * @param {AuthData} obj.authData - authentication data on request
+ * @returns 
+ */
+const updateSecretHelper = async ({
+    secretName,
+    workspaceId,
+    environment,
+    type,
+    authData,
+    secretValueCiphertext,
+    secretValueIV,
+    secretValueTag
+}: UpdateSecretParams) => {
+    const secretBlindIndex = await generateSecretBlindIndexHelper({
+        secretName,
+        workspaceId: new Types.ObjectId(workspaceId)
+    });
+
+    let secret: ISecret | null = null;
+    
+    if (type === SECRET_SHARED) {
+        // case: update shared secret
+        secret = await Secret.findOneAndUpdate(
+            {
+                secretBlindIndex,
+                workspace: new Types.ObjectId(workspaceId),
+                environment,
+                type
+            },
+            {
+                secretValueCiphertext,
+                secretValueIV,
+                secretValueTag,
+                $inc: { version: 1 }
+            },
+            {
+                new: true
+            }
+        );
+    } else {
+        // case: update personal secret
+        
+        secret = await Secret.findOneAndUpdate(
+            {
+                secretBlindIndex,
+                workspace: new Types.ObjectId(workspaceId),
+                environment,
+                type,
+                ...getAuthDataPayloadUserObj(authData)
+            },
+            {
+                secretValueCiphertext,
+                secretValueIV,
+                secretValueTag,
+                $inc: { version: 1 }
+            },
+            {
+                new: true
+            }
+        );
+    }
+
+    if (!secret) throw SecretNotFoundError();
+
+    const secretVersion = new SecretVersion({
+        secret: secret._id,
+        version: secret.version,
+        workspace: secret.workspace,
+        type,
+        ...(type === SECRET_PERSONAL ? getAuthDataPayloadUserObj(authData) : {}),
+        environment: secret.environment,
+        isDeleted: false,
+        secretBlindIndex,
+        secretKeyCiphertext: secret.secretKeyCiphertext,
+        secretKeyIV: secret.secretKeyIV,
+        secretKeyTag: secret.secretKeyTag,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag,
+        algorithm: ALGORITHM_AES_256_GCM,
+        keyEncoding: ENCODING_SCHEME_UTF8
+    });
+
+    // (EE) add version for new secret
+    await EESecretService.addSecretVersions({
+        secretVersions: [secretVersion]
+    });
+
+    // (EE) create (audit) log
+    const action = await EELogService.createAction({
+        name: ACTION_UPDATE_SECRETS,
+        ...getAuthDataPayloadIdObj(authData),
+        workspaceId,
+        secretIds: [secret._id]
+    });
+    
+    action && await EELogService.createLog({
+        ...getAuthDataPayloadIdObj(authData),
+        workspaceId,
+        actions: [action],
+        channel: authData.authChannel,
+        ipAddress: authData.authIP
+    });
+    
+    // (EE) take a secret snapshot
+    await EESecretService.takeSecretSnapshot({
+        workspaceId
+    });
+
+    const postHogClient = await TelemetryService.getPostHogClient();
+
+    if (postHogClient) {
+        postHogClient.capture({
+            event: 'secrets modified',
+            distinctId: await TelemetryService.getDistinctId({
+                authData
+            }),
+            properties: {
+                numberOfSecrets: 1,
+                environment,
+                workspaceId,
+                channel: authData.authChannel,
+                userAgent: authData.authUserAgent
+            }
+        });
+    }
+
+    return secret;
+}
+
+/**
+ * Delete secret with name [secretName]
+ * @param {Object} obj
+ * @param {String} obj.secretName - name of secret to delete
+ * @param {Types.ObjectId} obj.workspaceId - id of workspace that secret belongs to
+ * @param {String} obj.environment - environment in workspace that secret belongs to
+ * @param {'shared' | 'personal'} obj.type - type of secret
+ * @param {AuthData} obj.authData - authentication data on request
+ * @returns 
+ */
+const deleteSecretHelper = async ({
+    secretName,
+    workspaceId,
+    environment,
+    type,
+    authData
+}: DeleteSecretParams) => {
+    const secretBlindIndex = await generateSecretBlindIndexHelper({
+        secretName,
+        workspaceId: new Types.ObjectId(workspaceId)
+    });
+
+    let secrets: ISecret[] = [];
+    let secret: ISecret | null = null;
+    
+    if (type === SECRET_SHARED) {
+        secrets = await Secret.find({
+            secretBlindIndex,
+            workspaceId: new Types.ObjectId(workspaceId),
+            environment
+        });
+        
+        secret = await Secret.findOneAndDelete({
+            secretBlindIndex,
+            workspaceId: new Types.ObjectId(workspaceId),
+            environment,
+            type
+        });
+        
+        await Secret.deleteMany({
+            secretBlindIndex,
+            workspaceId: new Types.ObjectId(workspaceId),
+            environment
+        });
+    } else {
+        secret = await Secret.findOneAndDelete({
+            secretBlindIndex,
+            workspaceId: new Types.ObjectId(workspaceId),
+            environment,
+            type,
+            ...getAuthDataPayloadUserObj(authData)
+        });
+        
+        if (secret) {
+            secrets = [secret];
+        }
+    }
+    
+    if (!secret) throw SecretNotFoundError();
+    
+    await EESecretService.markDeletedSecretVersions({
+        secretIds: secrets.map((secret) => secret._id)
+    });
+
+    // (EE) create (audit) log
+    const action = await EELogService.createAction({
+        name: ACTION_DELETE_SECRETS,
+        ...getAuthDataPayloadIdObj(authData),
+        workspaceId,
+        secretIds: secrets.map((secret) => secret._id)
+    });
+
+    // (EE) take a secret snapshot
+    action && await EELogService.createLog({
+        ...getAuthDataPayloadIdObj(authData),
+        workspaceId,
+        actions: [action],
+        channel: authData.authChannel,
+        ipAddress: authData.authIP
+    });
+
+    // (EE) take a secret snapshot
+    await EESecretService.takeSecretSnapshot({
+        workspaceId
+    });
+
+    const postHogClient = await TelemetryService.getPostHogClient();
+
+    if (postHogClient) {
+        postHogClient.capture({
+            event: 'secrets deleted',
+            distinctId: await TelemetryService.getDistinctId({
+                authData
+            }),
+            properties: {
+                numberOfSecrets: secrets.length,
+                environment,
+                workspaceId,
+                channel: authData.authChannel,
+                userAgent: authData.authUserAgent
+            }
+        });
+    }
+    
+    return ({
+        secrets,
+        secret
+    });
+}
+
+export {
+    createSecretBlindIndexDataHelper,
+    getSecretBlindIndexSaltHelper,
+    generateSecretBlindIndexWithSaltHelper,
+    generateSecretBlindIndexHelper,
+    createSecretHelper,
+    getSecretsHelper,
+    getSecretHelper,
+    updateSecretHelper,
+    deleteSecretHelper
+}

backend/src/helpers/token.ts

@@ -1,16 +1,15 @@
-import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
-import { TokenData } from '../models';
-import crypto from 'crypto';
-import bcrypt from 'bcrypt';
+import { Types } from "mongoose";
+import { TokenData } from "../models";
+import crypto from "crypto";
+import bcrypt from "bcrypt";
 import {
-    TOKEN_EMAIL_CONFIRMATION,
-    TOKEN_EMAIL_MFA,
-    TOKEN_EMAIL_ORG_INVITATION,
-    TOKEN_EMAIL_PASSWORD_RESET
-} from '../variables';
-import { UnauthorizedRequestError } from '../utils/errors';
-import { getSaltRounds } from '../config';
+  TOKEN_EMAIL_CONFIRMATION,
+  TOKEN_EMAIL_MFA,
+  TOKEN_EMAIL_ORG_INVITATION,
+  TOKEN_EMAIL_PASSWORD_RESET,
+} from "../variables";
+import { UnauthorizedRequestError } from "../utils/errors";
+import { getSaltRounds } from "../config";
 
 /**
  * Create and store a token in the database for purpose [type]
@@ -22,194 +21,197 @@ import { getSaltRounds } from '../config';
  * @returns {String} token - the created token
  */
 const createTokenHelper = async ({
-    type,
-    email,
-    phoneNumber,
-    organizationId
+  type,
+  email,
+  phoneNumber,
+  organizationId,
 }: {
-    type: 'emailConfirmation' | 'emailMfa' | 'organizationInvitation' | 'passwordReset';
+  type:
+    | "emailConfirmation"
+    | "emailMfa"
+    | "organizationInvitation"
+    | "passwordReset";
+  email?: string;
+  phoneNumber?: string;
+  organizationId?: Types.ObjectId;
+}) => {
+  let token, expiresAt, triesLeft;
+  // generate random token based on specified token use-case
+  // type [type]
+  switch (type) {
+    case TOKEN_EMAIL_CONFIRMATION:
+      // generate random 6-digit code
+      token = String(crypto.randomInt(Math.pow(10, 5), Math.pow(10, 6) - 1));
+      expiresAt = new Date(new Date().getTime() + 86400000);
+      break;
+    case TOKEN_EMAIL_MFA:
+      // generate random 6-digit code
+      token = String(crypto.randomInt(Math.pow(10, 5), Math.pow(10, 6) - 1));
+      triesLeft = 5;
+      expiresAt = new Date(new Date().getTime() + 300000);
+      break;
+    case TOKEN_EMAIL_ORG_INVITATION:
+      // generate random hex
+      token = crypto.randomBytes(16).toString("hex");
+      expiresAt = new Date(new Date().getTime() + 259200000);
+      break;
+    case TOKEN_EMAIL_PASSWORD_RESET:
+      // generate random hex
+      token = crypto.randomBytes(16).toString("hex");
+      expiresAt = new Date(new Date().getTime() + 86400000);
+      break;
+    default:
+      token = crypto.randomBytes(16).toString("hex");
+      expiresAt = new Date();
+      break;
+  }
+
+  interface TokenDataQuery {
+    type: string;
     email?: string;
     phoneNumber?: string;
-    organizationId?: Types.ObjectId
-}) => {
-    let token, expiresAt, triesLeft;
-    try {
-        // generate random token based on specified token use-case
-        // type [type]
-        switch (type) {
-            case TOKEN_EMAIL_CONFIRMATION:
-                // generate random 6-digit code
-                token = String(crypto.randomInt(Math.pow(10, 5), Math.pow(10, 6) - 1));
-                expiresAt = new Date((new Date()).getTime() + 86400000);
-                break;
-            case TOKEN_EMAIL_MFA:
-                // generate random 6-digit code
-                token = String(crypto.randomInt(Math.pow(10, 5), Math.pow(10, 6) - 1));
-                triesLeft = 5;
-                expiresAt = new Date((new Date()).getTime() + 300000);
-                break;
-            case TOKEN_EMAIL_ORG_INVITATION:
-                // generate random hex
-                token = crypto.randomBytes(16).toString('hex');
-                expiresAt = new Date((new Date()).getTime() + 259200000);
-                break;
-            case TOKEN_EMAIL_PASSWORD_RESET:
-                // generate random hex
-                token = crypto.randomBytes(16).toString('hex');
-                expiresAt = new Date((new Date()).getTime() + 86400000); 
-                break;
-            default:
-                token = crypto.randomBytes(16).toString('hex');
-                expiresAt = new Date();
-                break;
-        }
-        
-       interface TokenDataQuery {
-            type: string;
-            email?: string;
-            phoneNumber?: string;
-            organization?: Types.ObjectId;
-        }
-        
-        interface TokenDataUpdate {
-            type: string;
-            email?: string;
-            phoneNumber?: string;
-            organization?: Types.ObjectId;
-            tokenHash: string;
-            triesLeft?: number;
-            expiresAt: Date;
-        }
+    organization?: Types.ObjectId;
+  }
 
-        const query: TokenDataQuery = { type };
-        const update: TokenDataUpdate = {
-            type,
-            tokenHash: await bcrypt.hash(token, getSaltRounds()),
-            expiresAt
-        }
+  interface TokenDataUpdate {
+    type: string;
+    email?: string;
+    phoneNumber?: string;
+    organization?: Types.ObjectId;
+    tokenHash: string;
+    triesLeft?: number;
+    expiresAt: Date;
+  }
 
-        if (email) {
-            query.email = email; 
-            update.email = email; 
-        }
-        if (phoneNumber) { 
-            query.phoneNumber = phoneNumber; 
-            update.phoneNumber = phoneNumber; 
-        }
-        if (organizationId) { 
-            query.organization = organizationId 
-            update.organization = organizationId 
-        } 
-        
-        if (triesLeft) {
-            update.triesLeft = triesLeft;
-        }
-       
-        await TokenData.findOneAndUpdate(
-            query,
-            update,
-            {
-                new: true,
-                upsert: true
-            }
-        );
-    } catch (err) {
-        Sentry.setUser(null);
-        Sentry.captureException(err);
-        throw new Error(
-            "Failed to create token"
-        ); 
-    }
-    
-    return token;
-}
+  const query: TokenDataQuery = { type };
+  const update: TokenDataUpdate = {
+    type,
+    tokenHash: await bcrypt.hash(token, await getSaltRounds()),
+    expiresAt,
+  };
+
+  if (email) {
+    query.email = email;
+    update.email = email;
+  }
+  if (phoneNumber) {
+    query.phoneNumber = phoneNumber;
+    update.phoneNumber = phoneNumber;
+  }
+  if (organizationId) {
+    query.organization = organizationId;
+    update.organization = organizationId;
+  }
+
+  if (triesLeft) {
+    update.triesLeft = triesLeft;
+  }
+
+  await TokenData.findOneAndUpdate(query, update, {
+    new: true,
+    upsert: true,
+  });
+
+  return token;
+};
 
 /**
- * 
+ *
  * @param {Object} obj
  * @param {String} obj.email - email associated with the token
  * @param {String} obj.token - value of the token
  */
 const validateTokenHelper = async ({
-    type,
-    email,
-    phoneNumber,
-    organizationId,
-    token
+  type,
+  email,
+  phoneNumber,
+  organizationId,
+  token,
 }: {
-    type: 'emailConfirmation' | 'emailMfa' | 'organizationInvitation' | 'passwordReset';
+  type:
+    | "emailConfirmation"
+    | "emailMfa"
+    | "organizationInvitation"
+    | "passwordReset";
+  email?: string;
+  phoneNumber?: string;
+  organizationId?: Types.ObjectId;
+  token: string;
+}) => {
+  interface Query {
+    type: string;
     email?: string;
     phoneNumber?: string;
-    organizationId?: Types.ObjectId;
-    token: string;
-}) => {
-    interface Query {
-        type: string;
-        email?: string;
-        phoneNumber?: string;
-        organization?: Types.ObjectId;
-    }
+    organization?: Types.ObjectId;
+  }
 
-    const query: Query = { type };
+  const query: Query = { type };
 
-    if (email) { query.email = email; }
-    if (phoneNumber) { query.phoneNumber = phoneNumber; }
-    if (organizationId) { query.organization = organizationId; }
+  if (email) {
+    query.email = email;
+  }
+  if (phoneNumber) {
+    query.phoneNumber = phoneNumber;
+  }
+  if (organizationId) {
+    query.organization = organizationId;
+  }
 
-    const tokenData = await TokenData.findOne(query).select('+tokenHash');
-    
-    if (!tokenData) throw new Error('Failed to find token to validate');
-    
-    if (tokenData.expiresAt < new Date()) {
-        // case: token expired
-        await TokenData.findByIdAndDelete(tokenData._id);
-        throw UnauthorizedRequestError({
-            message: 'MFA session expired. Please log in again',
-            context: {
-                code: 'mfa_expired'
-            }
-        });
-    }
+  const tokenData = await TokenData.findOne(query).select("+tokenHash");
 
-    const isValid = await bcrypt.compare(token, tokenData.tokenHash);
-    if (!isValid) {
-        // case: token is not valid
-        if (tokenData?.triesLeft !== undefined) {
-            // case: token has a try-limit
-            if (tokenData.triesLeft === 1) {
-                // case: token is out of tries
-                await TokenData.findByIdAndDelete(tokenData._id);
-            } else {
-                // case: token has more than 1 try left
-                await TokenData.findByIdAndUpdate(tokenData._id, {
-                    triesLeft: tokenData.triesLeft - 1
-                }, {
-                    new: true
-                });
-            }
+  if (!tokenData) throw new Error("Failed to find token to validate");
 
-            throw UnauthorizedRequestError({
-                message: 'MFA code is invalid',
-                context: {
-                    code: 'mfa_invalid',
-                    triesLeft: tokenData.triesLeft - 1
-                }
-            });
-        }
-
-        throw UnauthorizedRequestError({
-            message: 'MFA code is invalid',
-            context: {
-                code: 'mfa_invalid'
-            }
-        });
-    }
-
-    // case: token is valid
+  if (tokenData.expiresAt < new Date()) {
+    // case: token expired
     await TokenData.findByIdAndDelete(tokenData._id);
-}
+    throw UnauthorizedRequestError({
+      message: "MFA session expired. Please log in again",
+      context: {
+        code: "mfa_expired",
+      },
+    });
+  }
 
-export {
-    createTokenHelper,
-    validateTokenHelper
-}
+  const isValid = await bcrypt.compare(token, tokenData.tokenHash);
+  if (!isValid) {
+    // case: token is not valid
+    if (tokenData?.triesLeft !== undefined) {
+      // case: token has a try-limit
+      if (tokenData.triesLeft === 1) {
+        // case: token is out of tries
+        await TokenData.findByIdAndDelete(tokenData._id);
+      } else {
+        // case: token has more than 1 try left
+        await TokenData.findByIdAndUpdate(
+          tokenData._id,
+          {
+            triesLeft: tokenData.triesLeft - 1,
+          },
+          {
+            new: true,
+          }
+        );
+      }
+
+      throw UnauthorizedRequestError({
+        message: "MFA code is invalid",
+        context: {
+          code: "mfa_invalid",
+          triesLeft: tokenData.triesLeft - 1,
+        },
+      });
+    }
+
+    throw UnauthorizedRequestError({
+      message: "MFA code is invalid",
+      context: {
+        code: "mfa_invalid",
+      },
+    });
+  }
+
+  // case: token is valid
+  await TokenData.findByIdAndDelete(tokenData._id);
+};
+
+export { createTokenHelper, validateTokenHelper };

backend/src/helpers/user.ts

@@ -1,5 +1,7 @@
-import * as Sentry from '@sentry/node';
-import { IUser, User } from '../models';
+import {
+	IUser, 
+	User,
+} from '../models';
 import { sendMail } from './nodemailer';
 
 /**
@@ -8,17 +10,10 @@ import { sendMail } from './nodemailer';
  * @param {String} obj.email - email of user to initialize
  * @returns {Object} user - the initialized user
  */
-const setupAccount = async ({ email }: { email: string }) => {
-	let user;
-	try {
-		user = await new User({
-			email
-		}).save();
-	} catch (err) {
-		Sentry.setUser({ email });
-		Sentry.captureException(err);
-		throw new Error('Failed to set up account');
-	}
+export const setupAccount = async ({ email }: { email: string }) => {
+  const user = await new User({
+    email
+  }).save();
 
 	return user;
 };
@@ -41,7 +36,7 @@ const setupAccount = async ({ email }: { email: string }) => {
  * @param {String} obj.verifier - verifier for auth SRP
  * @returns {Object} user - the completed user
  */
-const completeAccount = async ({
+export const completeAccount = async ({
 	userId,
 	firstName,
 	lastName,
@@ -70,34 +65,27 @@ const completeAccount = async ({
 	salt: string;
 	verifier: string;
 }) => {
-	let user;
-	try {
-		const options = {
-			new: true
-		};
-		user = await User.findByIdAndUpdate(
-			userId,
-			{
-				firstName,
-				lastName,
-				encryptionVersion,
-				protectedKey,
-				protectedKeyIV,
-				protectedKeyTag,
-				publicKey,
-				encryptedPrivateKey,
-				iv: encryptedPrivateKeyIV,
-				tag: encryptedPrivateKeyTag,
-				salt,
-				verifier
-			},
-			options
-		);
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to complete account set up');
-	}
+  const options = {
+    new: true
+  };
+  const user = await User.findByIdAndUpdate(
+    userId,
+    {
+      firstName,
+      lastName,
+      encryptionVersion,
+      protectedKey,
+      protectedKeyIV,
+      protectedKeyTag,
+      publicKey,
+      encryptedPrivateKey,
+      iv: encryptedPrivateKeyIV,
+      tag: encryptedPrivateKeyTag,
+      salt,
+      verifier
+    },
+    options
+  );
 
 	return user;
 };
@@ -109,7 +97,7 @@ const completeAccount = async ({
  * @param {String} obj.ip - login ip address
  * @param {String} obj.userAgent - login user-agent
  */
-const checkUserDevice = async ({
+export const checkUserDevice = async ({
 	user,
 	ip,
 	userAgent
@@ -144,6 +132,4 @@ const checkUserDevice = async ({
 			}
 		}); 
 	}
-}
-
-export { setupAccount, completeAccount, checkUserDevice };
+}

backend/src/helpers/workspace.ts

@@ -7,6 +7,7 @@ import {
 	Secret
 } from '../models';
 import { createBot } from '../helpers/bot';
+import { SecretService } from '../services';
 
 /**
  * Create a workspace with name [name] in organization with id [organizationId]
@@ -27,13 +28,21 @@ const createWorkspace = async ({
 		// create workspace
 		workspace = await new Workspace({
 			name,
-			organization: organizationId
+			organization: organizationId,
+			autoCapitalization: true
 		}).save();
 		
-		const bot = await createBot({
+		// initialize bot for workspace
+		await createBot({
 			name: 'Infisical Bot',
-			workspaceId: workspace._id.toString()
+			workspaceId: workspace._id
 		});
+		
+		// initialize blind index salt for workspace
+		await SecretService.createSecretBlindIndexData({
+			workspaceId: workspace._id
+		});
+
 	} catch (err) {
 		Sentry.setUser(null);
 		Sentry.captureException(err);
@@ -71,4 +80,7 @@ const deleteWorkspace = async ({ id }: { id: string }) => {
 	}
 };
 
-export { createWorkspace, deleteWorkspace };
+export {
+	createWorkspace, 
+	deleteWorkspace 
+};

backend/src/index.ts

@@ -1,20 +1,13 @@
-import mongoose from 'mongoose';
-import dotenv from 'dotenv';
+import dotenv from "dotenv";
 dotenv.config();
-import infisical from 'infisical-node';
 import express from 'express';
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+require('express-async-errors');
 import helmet from 'helmet';
 import cors from 'cors';
-import * as Sentry from '@sentry/node';
 import { DatabaseService } from './services';
+import { EELicenseService } from './ee/services';
 import { setUpHealthEndpoint } from './services/health';
-import { initSmtp } from './services/smtp';
-import { logTelemetryMessage } from './services';
-import { setTransporter } from './helpers/nodemailer';
-import { createTestUserForDevelopment } from './utils/addDevelopmentUser';
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const { patchRouterParam } = require('./utils/patchAsyncRoutes');
-
 import cookieParser from 'cookie-parser';
 import swaggerUi = require('swagger-ui-express');
 // eslint-disable-next-line @typescript-eslint/no-var-requires
@@ -23,161 +16,165 @@ const swaggerFile = require('../spec.json');
 const requestIp = require('request-ip');
 import { apiLimiter } from './helpers/rateLimiter';
 import {
-    workspace as eeWorkspaceRouter,
-    secret as eeSecretRouter,
-    secretSnapshot as eeSecretSnapshotRouter,
-    action as eeActionRouter
+  workspace as eeWorkspaceRouter,
+  secret as eeSecretRouter,
+  secretSnapshot as eeSecretSnapshotRouter,
+  action as eeActionRouter,
+  organizations as eeOrganizationsRouter,
+  cloudProducts as eeCloudProductsRouter
 } from './ee/routes/v1';
 import {
-    signup as v1SignupRouter,
-    auth as v1AuthRouter,
-    bot as v1BotRouter,
-    organization as v1OrganizationRouter,
-    workspace as v1WorkspaceRouter,
-    membershipOrg as v1MembershipOrgRouter,
-    membership as v1MembershipRouter,
-    key as v1KeyRouter,
-    inviteOrg as v1InviteOrgRouter,
-    user as v1UserRouter,
-    userAction as v1UserActionRouter,
-    secret as v1SecretRouter,
-    serviceToken as v1ServiceTokenRouter,
-    password as v1PasswordRouter,
-    stripe as v1StripeRouter,
-    integration as v1IntegrationRouter,
-    integrationAuth as v1IntegrationAuthRouter
+  signup as v1SignupRouter,
+  auth as v1AuthRouter,
+  bot as v1BotRouter,
+  organization as v1OrganizationRouter,
+  workspace as v1WorkspaceRouter,
+  membershipOrg as v1MembershipOrgRouter,
+  membership as v1MembershipRouter,
+  key as v1KeyRouter,
+  inviteOrg as v1InviteOrgRouter,
+  user as v1UserRouter,
+  userAction as v1UserActionRouter,
+  secret as v1SecretRouter,
+  serviceToken as v1ServiceTokenRouter,
+  password as v1PasswordRouter,
+  stripe as v1StripeRouter,
+  integration as v1IntegrationRouter,
+  integrationAuth as v1IntegrationAuthRouter,
+  secretsFolder as v1SecretsFolder
 } from './routes/v1';
 import {
-    signup as v2SignupRouter,
-    auth as v2AuthRouter,
-    users as v2UsersRouter,
-    organizations as v2OrganizationsRouter,
-    workspace as v2WorkspaceRouter,
-    secret as v2SecretRouter, // begin to phase out
-    secrets as v2SecretsRouter,
-    serviceTokenData as v2ServiceTokenDataRouter,
-    apiKeyData as v2APIKeyDataRouter,
-    environment as v2EnvironmentRouter,
-    tags as v2TagsRouter,
+  signup as v2SignupRouter,
+  auth as v2AuthRouter,
+  users as v2UsersRouter,
+  organizations as v2OrganizationsRouter,
+  workspace as v2WorkspaceRouter,
+  secret as v2SecretRouter, // begin to phase out
+  secrets as v2SecretsRouter,
+  serviceTokenData as v2ServiceTokenDataRouter,
+  serviceAccounts as v2ServiceAccountsRouter,
+  apiKeyData as v2APIKeyDataRouter,
+  environment as v2EnvironmentRouter,
+  tags as v2TagsRouter,
 } from './routes/v2';
+import {
+  auth as v3AuthRouter,
+  secrets as v3SecretsRouter,
+  signup as v3SignupRouter,
+  workspaces as v3WorkspacesRouter
+} from './routes/v3';
 import { healthCheck } from './routes/status';
 import { getLogger } from './utils/logger';
 import { RouteNotFoundError } from './utils/errors';
 import { requestErrorHandler } from './middleware/requestErrorHandler';
 import {
-    getMongoURL,
-    getNodeEnv,
-    getPort,
-    getSentryDSN,
-    getSiteURL
+  getNodeEnv,
+  getPort,
+  getSiteURL
 } from './config';
+import { setup } from './utils/setup';
 
 const main = async () => {
-    if (process.env.INFISICAL_TOKEN != "" || process.env.INFISICAL_TOKEN != undefined) {
-        await infisical.connect({
-            token: process.env.INFISICAL_TOKEN!
-        });
-    }
+  await setup();
 
-    logTelemetryMessage();
-    setTransporter(initSmtp());
+  await EELicenseService.initGlobalFeatureSet();
 
-    await DatabaseService.initDatabase(getMongoURL());
-    if (getNodeEnv() !== 'test') {
-        Sentry.init({
-            dsn: getSentryDSN(),
-            tracesSampleRate: 1.0,
-            debug: getNodeEnv() === 'production' ? false : true,
-            environment: getNodeEnv()
-        });
-    }
+  const app = express();
+  app.enable('trust proxy');
+  app.use(express.json());
+  app.use(cookieParser());
+  app.use(
+    cors({
+      credentials: true,
+      origin: await getSiteURL()
+    })
+  );
 
-    patchRouterParam();
-    const app = express();
-    app.enable('trust proxy');
-    app.use(express.json());
-    app.use(cookieParser());
-    app.use(
-        cors({
-            credentials: true,
-            origin: getSiteURL()
-        })
+  app.use(requestIp.mw());
+
+  if ((await getNodeEnv()) === 'production') {
+    // enable app-wide rate-limiting + helmet security
+    // in production
+    app.disable('x-powered-by');
+    app.use(apiLimiter);
+    app.use(helmet());
+  }
+
+  // (EE) routes
+  app.use('/api/v1/secret', eeSecretRouter);
+  app.use('/api/v1/secret-snapshot', eeSecretSnapshotRouter);
+  app.use('/api/v1/workspace', eeWorkspaceRouter);
+  app.use('/api/v1/action', eeActionRouter);
+  app.use('/api/v1/organizations', eeOrganizationsRouter);
+  app.use('/api/v1/cloud-products', eeCloudProductsRouter);
+
+  // v1 routes (default)
+  app.use('/api/v1/signup', v1SignupRouter);
+  app.use('/api/v1/auth', v1AuthRouter);
+  app.use('/api/v1/bot', v1BotRouter);
+  app.use('/api/v1/user', v1UserRouter);
+  app.use('/api/v1/user-action', v1UserActionRouter);
+  app.use('/api/v1/organization', v1OrganizationRouter);
+  app.use('/api/v1/workspace', v1WorkspaceRouter);
+  app.use('/api/v1/membership-org', v1MembershipOrgRouter);
+  app.use('/api/v1/membership', v1MembershipRouter);
+  app.use('/api/v1/key', v1KeyRouter);
+  app.use('/api/v1/invite-org', v1InviteOrgRouter);
+  app.use('/api/v1/secret', v1SecretRouter); // deprecate
+  app.use('/api/v1/service-token', v1ServiceTokenRouter); // deprecate
+  app.use('/api/v1/password', v1PasswordRouter);
+  app.use('/api/v1/stripe', v1StripeRouter);
+  app.use('/api/v1/integration', v1IntegrationRouter);
+  app.use('/api/v1/integration-auth', v1IntegrationAuthRouter);
+  app.use('/api/v1/folder', v1SecretsFolder)
+
+  // v2 routes (improvements)
+  app.use('/api/v2/signup', v2SignupRouter);
+  app.use('/api/v2/auth', v2AuthRouter);
+  app.use('/api/v2/users', v2UsersRouter);
+  app.use('/api/v2/organizations', v2OrganizationsRouter);
+  app.use('/api/v2/workspace', v2EnvironmentRouter);
+  app.use('/api/v2/workspace', v2TagsRouter);
+  app.use('/api/v2/workspace', v2WorkspaceRouter);
+  app.use('/api/v2/secret', v2SecretRouter); // deprecate
+  app.use('/api/v2/secrets', v2SecretsRouter); // note: in the process of moving to v3/secrets
+  app.use('/api/v2/service-token', v2ServiceTokenDataRouter);
+  app.use('/api/v2/service-accounts', v2ServiceAccountsRouter); // new
+  app.use('/api/v2/api-key', v2APIKeyDataRouter);
+
+  // v3 routes (experimental)
+  app.use("/api/v3/auth", v3AuthRouter);
+  app.use('/api/v3/secrets', v3SecretsRouter);
+  app.use('/api/v3/workspaces', v3WorkspacesRouter);
+  app.use("/api/v3/signup", v3SignupRouter);
+
+  // api docs 
+  app.use('/api-docs', swaggerUi.serve, swaggerUi.setup(swaggerFile))
+
+  // server status
+  app.use('/api', healthCheck)
+
+  //* Handle unrouted requests and respond with proper error message as well as status code
+  app.use((req, res, next) => {
+    if (res.headersSent) return next();
+    next(RouteNotFoundError({ message: `The requested source '(${req.method})${req.url}' was not found` }))
+  })
+
+  app.use(requestErrorHandler);
+
+  const server = app.listen(await getPort(), async () => {
+    (await getLogger("backend-main")).info(
+      `Server started listening at port ${await getPort()}`
     );
+  });
 
-    app.use(requestIp.mw());
+  setUpHealthEndpoint(server);
 
-    if (getNodeEnv() === 'production') {
-        // enable app-wide rate-limiting + helmet security
-        // in production
-        app.disable('x-powered-by');
-        app.use(apiLimiter);
-        app.use(helmet());
-    }
+  server.on("close", async () => {
+    await DatabaseService.closeDatabase();
+  });
 
-    // (EE) routes
-    app.use('/api/v1/secret', eeSecretRouter);
-    app.use('/api/v1/secret-snapshot', eeSecretSnapshotRouter);
-    app.use('/api/v1/workspace', eeWorkspaceRouter);
-    app.use('/api/v1/action', eeActionRouter);
+  return server;
+};
 
-    // v1 routes
-    app.use('/api/v1/signup', v1SignupRouter);
-    app.use('/api/v1/auth', v1AuthRouter);
-    app.use('/api/v1/bot', v1BotRouter);
-    app.use('/api/v1/user', v1UserRouter);
-    app.use('/api/v1/user-action', v1UserActionRouter);
-    app.use('/api/v1/organization', v1OrganizationRouter);
-    app.use('/api/v1/workspace', v1WorkspaceRouter);
-    app.use('/api/v1/membership-org', v1MembershipOrgRouter);
-    app.use('/api/v1/membership', v1MembershipRouter);
-    app.use('/api/v1/key', v1KeyRouter);
-    app.use('/api/v1/invite-org', v1InviteOrgRouter);
-    app.use('/api/v1/secret', v1SecretRouter);
-    app.use('/api/v1/service-token', v1ServiceTokenRouter); // deprecated
-    app.use('/api/v1/password', v1PasswordRouter);
-    app.use('/api/v1/stripe', v1StripeRouter);
-    app.use('/api/v1/integration', v1IntegrationRouter);
-    app.use('/api/v1/integration-auth', v1IntegrationAuthRouter);
-
-    // v2 routes
-    app.use('/api/v2/signup', v2SignupRouter);
-    app.use('/api/v2/auth', v2AuthRouter);
-    app.use('/api/v2/users', v2UsersRouter);
-    app.use('/api/v2/organizations', v2OrganizationsRouter);
-    app.use('/api/v2/workspace', v2EnvironmentRouter);
-    app.use('/api/v2/workspace', v2TagsRouter);
-    app.use('/api/v2/workspace', v2WorkspaceRouter);
-    app.use('/api/v2/secret', v2SecretRouter); // deprecated
-    app.use('/api/v2/secrets', v2SecretsRouter);
-    app.use('/api/v2/service-token', v2ServiceTokenDataRouter); // TODO: turn into plural route
-    app.use('/api/v2/api-key', v2APIKeyDataRouter);
-
-    // api docs 
-    app.use('/api-docs', swaggerUi.serve, swaggerUi.setup(swaggerFile))
-
-    // Server status
-    app.use('/api', healthCheck)
-
-    //* Handle unrouted requests and respond with proper error message as well as status code
-    app.use((req, res, next) => {
-        if (res.headersSent) return next();
-        next(RouteNotFoundError({ message: `The requested source '(${req.method})${req.url}' was not found` }))
-    })
-
-    app.use(requestErrorHandler)
-
-    const server = app.listen(getPort(), () => {
-        getLogger("backend-main").info(`Server started listening at port ${getPort()}`)
-    });
-
-    createTestUserForDevelopment();
-    setUpHealthEndpoint(server);
-
-    server.on('close', async () => {
-        await DatabaseService.closeDatabase();
-    })
-
-    return server;
-}
-
-export default main();
+export default main();

backend/src/integrations/apps.ts

@@ -1,7 +1,6 @@
-import * as Sentry from "@sentry/node";
 import { Octokit } from "@octokit/rest";
 import { IIntegrationAuth } from "../models";
-import request from '../config/request';
+import { standardRequest } from "../config/request";
 import {
   INTEGRATION_AZURE_KEY_VAULT,
   INTEGRATION_AWS_PARAMETER_STORE,
@@ -12,17 +11,21 @@ import {
   INTEGRATION_GITHUB,
   INTEGRATION_GITLAB,
   INTEGRATION_RENDER,
+  INTEGRATION_RAILWAY,
   INTEGRATION_FLYIO,
   INTEGRATION_CIRCLECI,
   INTEGRATION_TRAVISCI,
+  INTEGRATION_SUPABASE,
   INTEGRATION_HEROKU_API_URL,
   INTEGRATION_GITLAB_API_URL,
   INTEGRATION_VERCEL_API_URL,
   INTEGRATION_NETLIFY_API_URL,
   INTEGRATION_RENDER_API_URL,
+  INTEGRATION_RAILWAY_API_URL,
   INTEGRATION_FLYIO_API_URL,
   INTEGRATION_CIRCLECI_API_URL,
   INTEGRATION_TRAVISCI_API_URL,
+  INTEGRATION_SUPABASE_API_URL,
 } from "../variables";
 
 interface App {
@@ -43,77 +46,80 @@ interface App {
 const getApps = async ({
   integrationAuth,
   accessToken,
-  teamId
+  teamId,
 }: {
   integrationAuth: IIntegrationAuth;
   accessToken: string;
   teamId?: string;
 }) => {
-
   let apps: App[] = [];
-  try {
-    switch (integrationAuth.integration) {
-      case INTEGRATION_AZURE_KEY_VAULT:
-        apps = [];
-        break;
-      case INTEGRATION_AWS_PARAMETER_STORE:
-        apps = [];
-        break;
-      case INTEGRATION_AWS_SECRET_MANAGER:
-        apps = [];
-        break;
-      case INTEGRATION_HEROKU:
-        apps = await getAppsHeroku({
-          accessToken,
-        });
-        break;
-      case INTEGRATION_VERCEL:
-        apps = await getAppsVercel({
-          integrationAuth,
-          accessToken,
-        });
-        break;
-      case INTEGRATION_NETLIFY:
-        apps = await getAppsNetlify({
-          accessToken,
-        });
-        break;
-      case INTEGRATION_GITHUB:
-        apps = await getAppsGithub({
-          accessToken,
-        });
-        break;
-      case INTEGRATION_GITLAB:
-        apps = await getAppsGitlab({
-          accessToken,
-          teamId
-        });
-        break;
-      case INTEGRATION_RENDER:
-        apps = await getAppsRender({
-          accessToken,
-        });
-        break;
-      case INTEGRATION_FLYIO:
-        apps = await getAppsFlyio({
-          accessToken,
-        });
-        break;
-      case INTEGRATION_CIRCLECI:
-        apps = await getAppsCircleCI({
-          accessToken,
-        });
-        break;
-      case INTEGRATION_TRAVISCI:
-        apps = await getAppsTravisCI({
-          accessToken,
-        })
-        break;
-    }
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error("Failed to get integration apps");
+  switch (integrationAuth.integration) {
+    case INTEGRATION_AZURE_KEY_VAULT:
+      apps = [];
+      break;
+    case INTEGRATION_AWS_PARAMETER_STORE:
+      apps = [];
+      break;
+    case INTEGRATION_AWS_SECRET_MANAGER:
+      apps = [];
+      break;
+    case INTEGRATION_HEROKU:
+      apps = await getAppsHeroku({
+        accessToken,
+      });
+      break;
+    case INTEGRATION_VERCEL:
+      apps = await getAppsVercel({
+        integrationAuth,
+        accessToken,
+      });
+      break;
+    case INTEGRATION_NETLIFY:
+      apps = await getAppsNetlify({
+        accessToken,
+      });
+      break;
+    case INTEGRATION_GITHUB:
+      apps = await getAppsGithub({
+        accessToken,
+      });
+      break;
+    case INTEGRATION_GITLAB:
+      apps = await getAppsGitlab({
+        accessToken,
+        teamId,
+      });
+      break;
+    case INTEGRATION_RENDER:
+      apps = await getAppsRender({
+        accessToken,
+      });
+      break;
+    case INTEGRATION_RAILWAY:
+      apps = await getAppsRailway({
+        accessToken,
+      });
+      break;
+    case INTEGRATION_FLYIO:
+      apps = await getAppsFlyio({
+        accessToken,
+      });
+      break;
+    case INTEGRATION_CIRCLECI:
+      apps = await getAppsCircleCI({
+        accessToken,
+      });
+      break;
+    case INTEGRATION_TRAVISCI:
+      apps = await getAppsTravisCI({
+        accessToken,
+      });
+      break;
+    case INTEGRATION_SUPABASE:
+      apps = await getAppsSupabase({
+        accessToken,
+      });
+      break;
   }
 
   return apps;
@@ -127,25 +133,18 @@ const getApps = async ({
  * @returns {String} apps.name - name of Heroku app
  */
 const getAppsHeroku = async ({ accessToken }: { accessToken: string }) => {
-  let apps;
-  try {
-    const res = (
-      await request.get(`${INTEGRATION_HEROKU_API_URL}/apps`, {
-        headers: {
-          Accept: "application/vnd.heroku+json; version=3",
-          Authorization: `Bearer ${accessToken}`,
-        },
-      })
-    ).data;
+  const res = (
+    await standardRequest.get(`${INTEGRATION_HEROKU_API_URL}/apps`, {
+      headers: {
+        Accept: "application/vnd.heroku+json; version=3",
+        Authorization: `Bearer ${accessToken}`,
+      },
+    })
+  ).data;
 
-    apps = res.map((a: any) => ({
-      name: a.name,
-    }));
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error("Failed to get Heroku integration apps");
-  }
+  const apps = res.map((a: any) => ({
+    name: a.name,
+  }));
 
   return apps;
 };
@@ -164,32 +163,26 @@ const getAppsVercel = async ({
   integrationAuth: IIntegrationAuth;
   accessToken: string;
 }) => {
-  let apps;
-  try {
-    const res = (
-      await request.get(`${INTEGRATION_VERCEL_API_URL}/v9/projects`, {
-        headers: {
-          Authorization: `Bearer ${accessToken}`,
-          'Accept-Encoding': 'application/json'
-        },
-        ...(integrationAuth?.teamId
-          ? {
-              params: {
-                teamId: integrationAuth.teamId,
-              },
-            }
-          : {}),
-      })
-    ).data;
+  const res = (
+    await standardRequest.get(`${INTEGRATION_VERCEL_API_URL}/v9/projects`, {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Accept-Encoding": "application/json",
+      },
+      ...(integrationAuth?.teamId
+        ? {
+            params: {
+              teamId: integrationAuth.teamId,
+            },
+          }
+        : {}),
+    })
+  ).data;
 
-    apps = res.projects.map((a: any) => ({
-      name: a.name,
-    }));
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error("Failed to get Vercel integration apps");
-  }
+  const apps = res.projects.map((a: any) => ({
+    name: a.name,
+    appId: a.id,
+  }));
 
   return apps;
 };
@@ -203,43 +196,41 @@ const getAppsVercel = async ({
  */
 const getAppsNetlify = async ({ accessToken }: { accessToken: string }) => {
   const apps: any = [];
-  try {
-    let page = 1;
-    const perPage = 10;
-    let hasMorePages = true;
-    
-    // paginate through all sites
-    while (hasMorePages) {
-      const params = new URLSearchParams({
-        page: String(page),
-        per_page: String(perPage)
-      });
+  let page = 1;
+  const perPage = 10;
+  let hasMorePages = true;
 
-      const { data } = await request.get(`${INTEGRATION_NETLIFY_API_URL}/api/v1/sites`, {
+  // paginate through all sites
+  while (hasMorePages) {
+    const params = new URLSearchParams({
+      page: String(page),
+      per_page: String(perPage),
+      filter: 'all'
+    });
+
+    const { data } = await standardRequest.get(
+      `${INTEGRATION_NETLIFY_API_URL}/api/v1/sites`,
+      {
         params,
         headers: {
           Authorization: `Bearer ${accessToken}`,
-          'Accept-Encoding': 'application/json'
-        }
-      });
-      
-      data.map((a: any) => {
-        apps.push({
-          name: a.name,
-          appId: a.site_id
-        });
-      });
-      
-      if (data.length < perPage) {
-        hasMorePages = false;
+          "Accept-Encoding": "application/json",
+        },
       }
+    );
 
-      page++;
+    data.map((a: any) => {
+      apps.push({
+        name: a.name,
+        appId: a.site_id,
+      });
+    });
+
+    if (data.length < perPage) {
+      hasMorePages = false;
     }
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error("Failed to get Netlify integration apps");
+
+    page++;
   }
 
   return apps;
@@ -253,32 +244,58 @@ const getAppsNetlify = async ({ accessToken }: { accessToken: string }) => {
  * @returns {String} apps.name - name of Github site
  */
 const getAppsGithub = async ({ accessToken }: { accessToken: string }) => {
-  let apps;
-  try {
-    const octokit = new Octokit({
-      auth: accessToken,
-    });
+  interface GitHubApp {
+    id: string;
+    name: string;
+    permissions: {
+      admin: boolean;
+    };
+    owner: {
+      login: string;
+    };
+  }
 
-    const repos = (
-      await octokit.request(
+  const octokit = new Octokit({
+    auth: accessToken,
+  });
+
+  const getAllRepos = async () => {
+    let repos: GitHubApp[] = [];
+    let page = 1;
+    const per_page = 100;
+    let hasMore = true;
+
+    while (hasMore) {
+      const response = await octokit.request(
         "GET /user/repos{?visibility,affiliation,type,sort,direction,per_page,page,since,before}",
         {
-          per_page: 100,
+          per_page,
+          page,
         }
-      )
-    ).data;
+      );
 
-    apps = repos
-      .filter((a: any) => a.permissions.admin === true)
-      .map((a: any) => ({
+      if (response.data.length > 0) {
+        repos = repos.concat(response.data);
+        page++;
+      } else {
+        hasMore = false;
+      }
+    }
+
+    return repos;
+  };
+
+  const repos = await getAllRepos();
+
+  const apps = repos
+    .filter((a: GitHubApp) => a.permissions.admin === true)
+    .map((a: GitHubApp) => {
+      return {
+        appId: a.id,
         name: a.name,
         owner: a.owner.login,
-      }));
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error("Failed to get Github repos");
-  }
+      };
+    });
 
   return apps;
 };
@@ -292,29 +309,74 @@ const getAppsGithub = async ({ accessToken }: { accessToken: string }) => {
  * @returns {String} apps.appId - id of Render service
  */
 const getAppsRender = async ({ accessToken }: { accessToken: string }) => {
-  let apps: any;
-  try {
-    const res = (
-      await request.get(`${INTEGRATION_RENDER_API_URL}/v1/services`, {
-        headers: {
-          Authorization: `Bearer ${accessToken}`,
-          Accept: 'application/json',
-          'Accept-Encoding': 'application/json',
-        },
-      })
-    ).data;
-    
-    apps = res
-      .map((a: any) => ({
-        name: a.service.name,
-        appId: a.service.id
-      })); 
-    
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error("Failed to get Render services");
-  }
+  const res = (
+    await standardRequest.get(`${INTEGRATION_RENDER_API_URL}/v1/services`, {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        Accept: "application/json",
+        "Accept-Encoding": "application/json",
+      },
+    })
+  ).data;
+
+  const apps = res.map((a: any) => ({
+    name: a.service.name,
+    appId: a.service.id,
+  }));
+
+  return apps;
+};
+
+/**
+ * Return list of projects for Railway integration
+ * @param {Object} obj
+ * @param {String} obj.accessToken - access token for Railway API
+ * @returns {Object[]} apps - names and ids of Railway services
+ * @returns {String} apps.name - name of Railway project
+ * @returns {String} apps.appId - id of Railway project
+ *
+ */
+const getAppsRailway = async ({ accessToken }: { accessToken: string }) => {
+  const query = `
+    query GetProjects($userId: String, $teamId: String) {
+      projects(userId: $userId, teamId: $teamId) {
+        edges {
+          node {
+            id
+            name
+          }
+        }
+      }
+    }
+  `;
+
+  const variables = {};
+
+  const {
+    data: {
+      data: {
+        projects: { edges },
+      },
+    },
+  } = await standardRequest.post(
+    INTEGRATION_RAILWAY_API_URL,
+    {
+      query,
+      variables,
+    },
+    {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Content-Type": "application/json",
+        "Accept-Encoding": "application/json",
+      },
+    }
+  );
+
+  const apps = edges.map((e: any) => ({
+    name: e.node.name,
+    appId: e.node.id,
+  }));
 
   return apps;
 };
@@ -327,41 +389,40 @@ const getAppsRender = async ({ accessToken }: { accessToken: string }) => {
  * @returns {String} apps.name - name of Fly.io apps
  */
 const getAppsFlyio = async ({ accessToken }: { accessToken: string }) => {
-  let apps;
-  try {
-    const query = `
-      query($role: String) {
-        apps(type: "container", first: 400, role: $role) {
-          nodes {
-            id
-            name
-            hostname
-          }
+  const query = `
+    query($role: String) {
+      apps(type: "container", first: 400, role: $role) {
+        nodes {
+          id
+          name
+          hostname
         }
       }
-    `;
+    }
+  `;
 
-    const res = (await request.post(INTEGRATION_FLYIO_API_URL, {
-      query,
-      variables: {
-        role: null,
+  const res = (
+    await standardRequest.post(
+      INTEGRATION_FLYIO_API_URL,
+      {
+        query,
+        variables: {
+          role: null,
+        },
       },
-    }, {
-      headers: {
-        Authorization: "Bearer " + accessToken,
-        'Accept': 'application/json',
-        'Accept-Encoding': 'application/json',
-      },
-    })).data.data.apps.nodes;
+      {
+        headers: {
+          Authorization: "Bearer " + accessToken,
+          Accept: "application/json",
+          "Accept-Encoding": "application/json",
+        },
+      }
+    )
+  ).data.data.apps.nodes;
 
-    apps = res.map((a: any) => ({
-      name: a.name,
-    }));
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error("Failed to get Fly.io apps");
-  }
+  const apps = res.map((a: any) => ({
+    name: a.name,
+  }));
 
   return apps;
 };
@@ -374,63 +435,43 @@ const getAppsFlyio = async ({ accessToken }: { accessToken: string }) => {
  * @returns {String} apps.name - name of CircleCI apps
  */
 const getAppsCircleCI = async ({ accessToken }: { accessToken: string }) => {
-  let apps: any;
-  try {    
-    const res = (
-      await request.get(
-        `${INTEGRATION_CIRCLECI_API_URL}/v1.1/projects`,
-        {
-          headers: {
-            "Circle-Token": accessToken,
-            "Accept-Encoding": "application/json",
-          },
-        }
-      )
-    ).data
+  const res = (
+    await standardRequest.get(`${INTEGRATION_CIRCLECI_API_URL}/v1.1/projects`, {
+      headers: {
+        "Circle-Token": accessToken,
+        "Accept-Encoding": "application/json",
+      },
+    })
+  ).data;
+
+  const apps = res?.map((a: any) => {
+    return {
+      name: a?.reponame,
+    };
+  });
 
-    apps = res?.map((a: any) => {
-      return {
-        name: a?.reponame
-      }
-    });
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error("Failed to get CircleCI projects");
-  }
-  
   return apps;
 };
 
 const getAppsTravisCI = async ({ accessToken }: { accessToken: string }) => {
-  let apps: any;
-  try {
-    const res = (
-      await request.get(
-        `${INTEGRATION_TRAVISCI_API_URL}/repos`,
-        {
-          headers: {
-            "Authorization": `token ${accessToken}`,
-            "Accept-Encoding": "application/json",
-          },
-        }
-      )
-    ).data;
+  const res = (
+    await standardRequest.get(`${INTEGRATION_TRAVISCI_API_URL}/repos`, {
+      headers: {
+        Authorization: `token ${accessToken}`,
+        "Accept-Encoding": "application/json",
+      },
+    })
+  ).data;
+
+  const apps = res?.map((a: any) => {
+    return {
+      name: a?.slug?.split("/")[1],
+      appId: a?.id,
+    };
+  });
 
-    apps = res?.map((a: any) => {
-      return {
-        name: a?.slug?.split("/")[1],
-        appId: a?.id,
-      }
-    });
-  }catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error("Failed to get TravisCI projects");
-  }
-  
   return apps;
-}
+};
 
 /**
  * Return list of repositories for GitLab integration
@@ -439,110 +480,125 @@ const getAppsTravisCI = async ({ accessToken }: { accessToken: string }) => {
  * @returns {Object[]} apps - names of GitLab sites
  * @returns {String} apps.name - name of GitLab site
  */
-const getAppsGitlab = async ({ 
+const getAppsGitlab = async ({
   accessToken,
-  teamId
+  teamId,
 }: {
   accessToken: string;
   teamId?: string;
 }) => {
   const apps: App[] = [];
-  
+
   let page = 1;
   const perPage = 10;
   let hasMorePages = true;
-  try {
 
-    if (teamId) {
-      // case: fetch projects for group with id [teamId] in GitLab
-      
-      while (hasMorePages) {
-        const params = new URLSearchParams({
-          page: String(page),
-          per_page: String(perPage)
-        });
+  if (teamId) {
+    // case: fetch projects for group with id [teamId] in GitLab
 
-        const { data } = (
-          await request.get(
-            `${INTEGRATION_GITLAB_API_URL}/v4/groups/${teamId}/projects`,
-            {
-              params,
-              headers: {
-                "Authorization": `Bearer ${accessToken}`,
-                "Accept-Encoding": "application/json",
-              },
-            }
-          )
-        );
+    while (hasMorePages) {
+      const params = new URLSearchParams({
+        page: String(page),
+        per_page: String(perPage),
+      });
 
-        data.map((a: any) => {
-          apps.push({
-            name: a.name,
-            appId: a.id
-          });
-        });
-        
-        if (data.length < perPage) {
-          hasMorePages = false;
+      const { data } = await standardRequest.get(
+        `${INTEGRATION_GITLAB_API_URL}/v4/groups/${teamId}/projects`,
+        {
+          params,
+          headers: {
+            Authorization: `Bearer ${accessToken}`,
+            "Accept-Encoding": "application/json",
+          },
         }
-        
-        page++;
-      }
-    } else {
-      // case: fetch projects for individual in GitLab
-      
-      const { id } = (
-        await request.get(
-          `${INTEGRATION_GITLAB_API_URL}/v4/user`,
-          {
-            headers: {
-              "Authorization": `Bearer ${accessToken}`,
-              "Accept-Encoding": "application/json",
-            },
-          }
-        )
-      ).data;
-      
-      while (hasMorePages) {
-        const params = new URLSearchParams({
-          page: String(page),
-          per_page: String(perPage)
+      );
+
+      data.map((a: any) => {
+        apps.push({
+          name: a.name,
+          appId: a.id,
         });
+      });
 
-        const { data } = (
-          await request.get(
-            `${INTEGRATION_GITLAB_API_URL}/v4/users/${id}/projects`,
-            {
-              params,
-              headers: {
-                "Authorization": `Bearer ${accessToken}`,
-                "Accept-Encoding": "application/json",
-              },
-            }
-          )
-        );
-
-        data.map((a: any) => {
-          apps.push({
-            name: a.name,
-            appId: a.id
-          });
-        });
-
-        if (data.length < perPage) {
-          hasMorePages = false;
-        }
-        
-        page++;
+      if (data.length < perPage) {
+        hasMorePages = false;
       }
+
+      page++;
+    }
+  } else {
+    // case: fetch projects for individual in GitLab
+
+    const { id } = (
+      await standardRequest.get(`${INTEGRATION_GITLAB_API_URL}/v4/user`, {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          "Accept-Encoding": "application/json",
+        },
+      })
+    ).data;
+
+    while (hasMorePages) {
+      const params = new URLSearchParams({
+        page: String(page),
+        per_page: String(perPage),
+      });
+
+      const { data } = await standardRequest.get(
+        `${INTEGRATION_GITLAB_API_URL}/v4/users/${id}/projects`,
+        {
+          params,
+          headers: {
+            Authorization: `Bearer ${accessToken}`,
+            "Accept-Encoding": "application/json",
+          },
+        }
+      );
+
+      data.map((a: any) => {
+        apps.push({
+          name: a.name,
+          appId: a.id,
+        });
+      });
+
+      if (data.length < perPage) {
+        hasMorePages = false;
+      }
+
+      page++;
     }
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error("Failed to get GitLab projects");
   }
-  
+
   return apps;
-}
+};
+
+/**
+ * Return list of projects for Supabase integration
+ * @param {Object} obj
+ * @param {String} obj.accessToken - access token for Supabase API
+ * @returns {Object[]} apps - names of Supabase apps
+ * @returns {String} apps.name - name of Supabase app
+ */
+const getAppsSupabase = async ({ accessToken }: { accessToken: string }) => {
+  const { data } = await standardRequest.get(
+    `${INTEGRATION_SUPABASE_API_URL}/v1/projects`,
+    {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Accept-Encoding": "application/json",
+      },
+    }
+  );
+
+  const apps = data.map((a: any) => {
+    return {
+      name: a.name,
+      appId: a.id,
+    };
+  });
+
+  return apps;
+};
 
 export { getApps };

backend/src/integrations/exchange.ts

@@ -1,5 +1,4 @@
-import * as Sentry from '@sentry/node';
-import request from '../config/request';
+import { standardRequest } from "../config/request";
 import {
   INTEGRATION_AZURE_KEY_VAULT,
   INTEGRATION_HEROKU,
@@ -12,8 +11,8 @@ import {
   INTEGRATION_VERCEL_TOKEN_URL,
   INTEGRATION_NETLIFY_TOKEN_URL,
   INTEGRATION_GITHUB_TOKEN_URL,
-  INTEGRATION_GITLAB_TOKEN_URL
-} from '../variables';
+  INTEGRATION_GITLAB_TOKEN_URL,
+} from "../variables";
 import {
   getSiteURL,
   getClientIdAzure,
@@ -26,8 +25,8 @@ import {
   getClientIdGitHub,
   getClientSecretGitHub,
   getClientIdGitLab,
-  getClientSecretGitLab
-} from '../config';
+  getClientSecretGitLab,
+} from "../config";
 
 interface ExchangeCodeAzureResponse {
   token_type: string;
@@ -93,49 +92,43 @@ interface ExchangeCodeGitlabResponse {
  */
 const exchangeCode = async ({
   integration,
-  code
+  code,
 }: {
   integration: string;
   code: string;
 }) => {
   let obj = {} as any;
 
-  try {
-    switch (integration) {
-      case INTEGRATION_AZURE_KEY_VAULT:
-        obj = await exchangeCodeAzure({
-          code
-        });
-        break;
-      case INTEGRATION_HEROKU:
-        obj = await exchangeCodeHeroku({
-          code
-        });
-        break;
-      case INTEGRATION_VERCEL:
-        obj = await exchangeCodeVercel({
-          code
-        });
-        break;
-      case INTEGRATION_NETLIFY:
-        obj = await exchangeCodeNetlify({
-          code
-        });
-        break;
-      case INTEGRATION_GITHUB:
-        obj = await exchangeCodeGithub({
-          code
-        });
-        break;
-      case INTEGRATION_GITLAB:
-        obj = await exchangeCodeGitlab({
-          code
-        });
-    }
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error('Failed OAuth2 code-token exchange');
+  switch (integration) {
+    case INTEGRATION_AZURE_KEY_VAULT:
+      obj = await exchangeCodeAzure({
+        code,
+      });
+      break;
+    case INTEGRATION_HEROKU:
+      obj = await exchangeCodeHeroku({
+        code,
+      });
+      break;
+    case INTEGRATION_VERCEL:
+      obj = await exchangeCodeVercel({
+        code,
+      });
+      break;
+    case INTEGRATION_NETLIFY:
+      obj = await exchangeCodeNetlify({
+        code,
+      });
+      break;
+    case INTEGRATION_GITHUB:
+      obj = await exchangeCodeGithub({
+        code,
+      });
+      break;
+    case INTEGRATION_GITLAB:
+      obj = await exchangeCodeGitlab({
+        code,
+      });
   }
 
   return obj;
@@ -143,43 +136,33 @@ const exchangeCode = async ({
 
 /**
  * Return [accessToken] for Azure OAuth2 code-token exchange
- * @param param0 
+ * @param param0
  */
-const exchangeCodeAzure = async ({
-  code
-}: {
-  code: string;
-}) => {
+const exchangeCodeAzure = async ({ code }: { code: string }) => {
   const accessExpiresAt = new Date();
-  let res: ExchangeCodeAzureResponse;
-  try {
-    res = (await request.post(
+
+  const res: ExchangeCodeAzureResponse = (
+    await standardRequest.post(
       INTEGRATION_AZURE_TOKEN_URL,
       new URLSearchParams({
-        grant_type: 'authorization_code',
+        grant_type: "authorization_code",
         code: code,
-        scope: 'https://vault.azure.net/.default openid offline_access',
-        client_id: getClientIdAzure(),
-        client_secret: getClientSecretAzure(),
-        redirect_uri: `${getSiteURL()}/integrations/azure-key-vault/oauth2/callback`
+        scope: "https://vault.azure.net/.default openid offline_access",
+        client_id: await getClientIdAzure(),
+        client_secret: await getClientSecretAzure(),
+        redirect_uri: `${await getSiteURL()}/integrations/azure-key-vault/oauth2/callback`,
       } as any)
-    )).data;
+    )
+  ).data;
 
-    accessExpiresAt.setSeconds(
-      accessExpiresAt.getSeconds() + res.expires_in
-    );
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error('Failed OAuth2 code-token exchange with Azure');
-  }
+  accessExpiresAt.setSeconds(accessExpiresAt.getSeconds() + res.expires_in);
 
-  return ({
+  return {
     accessToken: res.access_token,
     refreshToken: res.refresh_token,
-    accessExpiresAt
-  });
-}
+    accessExpiresAt,
+  };
+};
 
 /**
  * Return [accessToken], [accessExpiresAt], and [refreshToken] for Heroku
@@ -191,38 +174,28 @@ const exchangeCodeAzure = async ({
  * @returns {String} obj2.refreshToken - refresh token for Heroku API
  * @returns {Date} obj2.accessExpiresAt - date of expiration for access token
  */
-const exchangeCodeHeroku = async ({
-  code
-}: {
-  code: string;
-}) => {
-  let res: ExchangeCodeHerokuResponse;
+const exchangeCodeHeroku = async ({ code }: { code: string }) => {
   const accessExpiresAt = new Date();
-  try {
-    res = (await request.post(
+
+  const res: ExchangeCodeHerokuResponse = (
+    await standardRequest.post(
       INTEGRATION_HEROKU_TOKEN_URL,
       new URLSearchParams({
-        grant_type: 'authorization_code',
+        grant_type: "authorization_code",
         code: code,
-        client_secret: getClientSecretHeroku()
+        client_secret: await getClientSecretHeroku(),
       } as any)
-    )).data;
+    )
+  ).data;
 
-    accessExpiresAt.setSeconds(
-      accessExpiresAt.getSeconds() + res.expires_in
-    );
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error('Failed OAuth2 code-token exchange with Heroku');
-  }
+  accessExpiresAt.setSeconds(accessExpiresAt.getSeconds() + res.expires_in);
 
-  return ({
+  return {
     accessToken: res.access_token,
     refreshToken: res.refresh_token,
-    accessExpiresAt
-  });
-}
+    accessExpiresAt,
+  };
+};
 
 /**
  * Return [accessToken], [accessExpiresAt], and [refreshToken] for Vercel
@@ -235,30 +208,23 @@ const exchangeCodeHeroku = async ({
  * @returns {Date} obj2.accessExpiresAt - date of expiration for access token
  */
 const exchangeCodeVercel = async ({ code }: { code: string }) => {
-  let res: ExchangeCodeVercelResponse;
-  try {
-    res = (
-      await request.post(
-        INTEGRATION_VERCEL_TOKEN_URL,
-        new URLSearchParams({
-          code: code,
-          client_id: getClientIdVercel(),
-          client_secret: getClientSecretVercel(),
-          redirect_uri: `${getSiteURL()}/integrations/vercel/oauth2/callback`
-        } as any)
-      )
-    ).data;
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error(`Failed OAuth2 code-token exchange with Vercel [err=${err}]`);
-  }
+  const res: ExchangeCodeVercelResponse = (
+    await standardRequest.post(
+      INTEGRATION_VERCEL_TOKEN_URL,
+      new URLSearchParams({
+        code: code,
+        client_id: await getClientIdVercel(),
+        client_secret: await getClientSecretVercel(),
+        redirect_uri: `${await getSiteURL()}/integrations/vercel/oauth2/callback`,
+      } as any)
+    )
+  ).data;
 
   return {
     accessToken: res.access_token,
     refreshToken: null,
     accessExpiresAt: null,
-    teamId: res.team_id
+    teamId: res.team_id,
   };
 };
 
@@ -273,47 +239,39 @@ const exchangeCodeVercel = async ({ code }: { code: string }) => {
  * @returns {Date} obj2.accessExpiresAt - date of expiration for access token
  */
 const exchangeCodeNetlify = async ({ code }: { code: string }) => {
-  let res: ExchangeCodeNetlifyResponse;
-  let accountId;
-  try {
-    res = (
-      await request.post(
-        INTEGRATION_NETLIFY_TOKEN_URL,
-        new URLSearchParams({
-          grant_type: 'authorization_code',
-          code: code,
-          client_id: getClientIdNetlify(),
-          client_secret: getClientSecretNetlify(),
-          redirect_uri: `${getSiteURL()}/integrations/netlify/oauth2/callback`
-        } as any)
-      )
-    ).data;
+  const res: ExchangeCodeNetlifyResponse = (
+    await standardRequest.post(
+      INTEGRATION_NETLIFY_TOKEN_URL,
+      new URLSearchParams({
+        grant_type: "authorization_code",
+        code: code,
+        client_id: await getClientIdNetlify(),
+        client_secret: await getClientSecretNetlify(),
+        redirect_uri: `${await getSiteURL()}/integrations/netlify/oauth2/callback`,
+      } as any)
+    )
+  ).data;
 
-    const res2 = await request.get('https://api.netlify.com/api/v1/sites', {
+  const res2 = await standardRequest.get("https://api.netlify.com/api/v1/sites", {
+    headers: {
+      Authorization: `Bearer ${res.access_token}`,
+    },
+  });
+
+  const res3 = (
+    await standardRequest.get("https://api.netlify.com/api/v1/accounts", {
       headers: {
-        Authorization: `Bearer ${res.access_token}`
-      }
-    });
+        Authorization: `Bearer ${res.access_token}`,
+      },
+    })
+  ).data;
 
-    const res3 = (
-      await request.get('https://api.netlify.com/api/v1/accounts', {
-        headers: {
-          Authorization: `Bearer ${res.access_token}`
-        }
-      })
-    ).data;
-
-    accountId = res3[0].id;
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error('Failed OAuth2 code-token exchange with Netlify');
-  }
+  const accountId = res3[0].id;
 
   return {
     accessToken: res.access_token,
     refreshToken: res.refresh_token,
-    accountId
+    accountId,
   };
 };
 
@@ -328,33 +286,25 @@ const exchangeCodeNetlify = async ({ code }: { code: string }) => {
  * @returns {Date} obj2.accessExpiresAt - date of expiration for access token
  */
 const exchangeCodeGithub = async ({ code }: { code: string }) => {
-  let res: ExchangeCodeGithubResponse;
-  try {
-    res = (
-      await request.get(INTEGRATION_GITHUB_TOKEN_URL, {
-        params: {
-          client_id: getClientIdGitHub(),
-          client_secret: getClientSecretGitHub(),
-          code: code,
-          redirect_uri: `${getSiteURL()}/integrations/github/oauth2/callback`
-        },
-        headers: {
-          'Accept': 'application/json',
-          'Accept-Encoding': 'application/json'
-        }
-      })
-    ).data;
-
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error('Failed OAuth2 code-token exchange with Github');
-  }
+  const res: ExchangeCodeGithubResponse = (
+    await standardRequest.get(INTEGRATION_GITHUB_TOKEN_URL, {
+      params: {
+        client_id: await getClientIdGitHub(),
+        client_secret: await getClientSecretGitHub(),
+        code: code,
+        redirect_uri: `${await getSiteURL()}/integrations/github/oauth2/callback`,
+      },
+      headers: {
+        Accept: "application/json",
+        "Accept-Encoding": "application/json",
+      },
+    })
+  ).data;
 
   return {
     accessToken: res.access_token,
     refreshToken: null,
-    accessExpiresAt: null
+    accessExpiresAt: null,
   };
 };
 
@@ -369,42 +319,32 @@ const exchangeCodeGithub = async ({ code }: { code: string }) => {
  * @returns {Date} obj2.accessExpiresAt - date of expiration for access token
  */
 const exchangeCodeGitlab = async ({ code }: { code: string }) => {
-  let res: ExchangeCodeGitlabResponse; 
   const accessExpiresAt = new Date();
-  
-  try {
-    res = (
-      await request.post(
-        INTEGRATION_GITLAB_TOKEN_URL,
-        new URLSearchParams({
-          grant_type: 'authorization_code',
-          code: code,
-          client_id: getClientIdGitLab(),
-          client_secret: getClientSecretGitLab(),
-          redirect_uri: `${getSiteURL()}/integrations/gitlab/oauth2/callback`
-        } as any),
-        {
-          headers: {
-            "Accept-Encoding": "application/json",
-          }
-        }
-      )
-    ).data;
-    
-    accessExpiresAt.setSeconds(
-      accessExpiresAt.getSeconds() + res.expires_in
-    );
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error('Failed OAuth2 code-token exchange with Gitlab');
-  }
+  const res: ExchangeCodeGitlabResponse = (
+    await standardRequest.post(
+      INTEGRATION_GITLAB_TOKEN_URL,
+      new URLSearchParams({
+        grant_type: "authorization_code",
+        code: code,
+        client_id: await getClientIdGitLab(),
+        client_secret: await getClientSecretGitLab(),
+        redirect_uri: `${await getSiteURL()}/integrations/gitlab/oauth2/callback`,
+      } as any),
+      {
+        headers: {
+          "Accept-Encoding": "application/json",
+        },
+      }
+    )
+  ).data;
+
+  accessExpiresAt.setSeconds(accessExpiresAt.getSeconds() + res.expires_in);
 
   return {
     accessToken: res.access_token,
     refreshToken: res.refresh_token,
-    accessExpiresAt
+    accessExpiresAt,
   };
-}
+};
 
 export { exchangeCode };

backend/src/integrations/refresh.ts

@@ -1,29 +1,24 @@
-import * as Sentry from '@sentry/node';
-import request from '../config/request';
+import { standardRequest } from "../config/request";
+import { IIntegrationAuth } from "../models";
 import {
-  IIntegrationAuth
-} from '../models';
-import {
-  INTEGRATION_AZURE_KEY_VAULT, 
+  INTEGRATION_AZURE_KEY_VAULT,
   INTEGRATION_HEROKU,
   INTEGRATION_GITLAB,
-} from '../variables';
+} from "../variables";
 import {
   INTEGRATION_AZURE_TOKEN_URL,
   INTEGRATION_HEROKU_TOKEN_URL,
-  INTEGRATION_GITLAB_TOKEN_URL
-} from '../variables';
-import {
-  IntegrationService
-} from '../services';
+  INTEGRATION_GITLAB_TOKEN_URL,
+} from "../variables";
+import { IntegrationService } from "../services";
 import {
   getSiteURL,
   getClientIdAzure,
   getClientSecretAzure,
   getClientSecretHeroku,
   getClientIdGitLab,
-  getClientSecretGitLab
-} from '../config';
+  getClientSecretGitLab,
+} from "../config";
 
 interface RefreshTokenAzureResponse {
   token_type: string;
@@ -60,60 +55,57 @@ interface RefreshTokenGitLabResponse {
  */
 const exchangeRefresh = async ({
   integrationAuth,
-  refreshToken
+  refreshToken,
 }: {
   integrationAuth: IIntegrationAuth;
   refreshToken: string;
 }) => {
-  
   interface TokenDetails {
     accessToken: string;
     refreshToken: string;
     accessExpiresAt: Date;
   }
-  
+
   let tokenDetails: TokenDetails;
-  try {
-    switch (integrationAuth.integration) {
-      case INTEGRATION_AZURE_KEY_VAULT:
-        tokenDetails = await exchangeRefreshAzure({
-          refreshToken
-        });
-        break;
-      case INTEGRATION_HEROKU:
-        tokenDetails = await exchangeRefreshHeroku({
-          refreshToken
-        });
-        break;
-      case INTEGRATION_GITLAB:
-        tokenDetails = await exchangeRefreshGitLab({
-          refreshToken
-        });
-        break;
-      default:
-        throw new Error('Failed to exchange token for incompatible integration');
-    }
-
-    if (tokenDetails?.accessToken && tokenDetails?.refreshToken && tokenDetails?.accessExpiresAt) {
-      await IntegrationService.setIntegrationAuthAccess({
-        integrationAuthId: integrationAuth._id.toString(),
-        accessId: null,
-        accessToken: tokenDetails.accessToken,
-        accessExpiresAt: tokenDetails.accessExpiresAt
+  switch (integrationAuth.integration) {
+    case INTEGRATION_AZURE_KEY_VAULT:
+      tokenDetails = await exchangeRefreshAzure({
+        refreshToken,
       });
-
-      await IntegrationService.setIntegrationAuthRefresh({
-        integrationAuthId: integrationAuth._id.toString(),
-        refreshToken: tokenDetails.refreshToken
+      break;
+    case INTEGRATION_HEROKU:
+      tokenDetails = await exchangeRefreshHeroku({
+        refreshToken,
       });
-    }
-
-    return tokenDetails.accessToken;
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error('Failed to get new OAuth2 access token');
+      break;
+    case INTEGRATION_GITLAB:
+      tokenDetails = await exchangeRefreshGitLab({
+        refreshToken,
+      });
+      break;
+    default:
+      throw new Error("Failed to exchange token for incompatible integration");
   }
+
+  if (
+    tokenDetails?.accessToken &&
+    tokenDetails?.refreshToken &&
+    tokenDetails?.accessExpiresAt
+  ) {
+    await IntegrationService.setIntegrationAuthAccess({
+      integrationAuthId: integrationAuth._id.toString(),
+      accessId: null,
+      accessToken: tokenDetails.accessToken,
+      accessExpiresAt: tokenDetails.accessExpiresAt,
+    });
+
+    await IntegrationService.setIntegrationAuthRefresh({
+      integrationAuthId: integrationAuth._id.toString(),
+      refreshToken: tokenDetails.refreshToken,
+    });
+  }
+
+  return tokenDetails.accessToken;
 };
 
 /**
@@ -124,38 +116,30 @@ const exchangeRefresh = async ({
  * @returns
  */
 const exchangeRefreshAzure = async ({
-  refreshToken
+  refreshToken,
 }: {
   refreshToken: string;
 }) => {
-  try {
-    const accessExpiresAt = new Date();
-    const { data }: { data: RefreshTokenAzureResponse } = await request.post(
-      INTEGRATION_AZURE_TOKEN_URL,
-       new URLSearchParams({
-        client_id: getClientIdAzure(),
-        scope: 'openid offline_access',
-        refresh_token: refreshToken,
-        grant_type: 'refresh_token',
-        client_secret: getClientSecretAzure()
-      } as any)
-    );
-    
-    accessExpiresAt.setSeconds(
-      accessExpiresAt.getSeconds() + data.expires_in
-    );
+  const accessExpiresAt = new Date();
+  const { data }: { data: RefreshTokenAzureResponse } = await standardRequest.post(
+    INTEGRATION_AZURE_TOKEN_URL,
+    new URLSearchParams({
+      client_id: await getClientIdAzure(),
+      scope: "openid offline_access",
+      refresh_token: refreshToken,
+      grant_type: "refresh_token",
+      client_secret: await getClientSecretAzure(),
+    } as any)
+  );
 
-    return ({
-      accessToken: data.access_token,
-      refreshToken: data.refresh_token,
-      accessExpiresAt
-    });
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error('Failed to get refresh OAuth2 access token for Azure'); 
-  }
-}
+  accessExpiresAt.setSeconds(accessExpiresAt.getSeconds() + data.expires_in);
+
+  return {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token,
+    accessExpiresAt,
+  };
+};
 
 /**
  * Return new access token by exchanging refresh token [refreshToken] for the
@@ -165,39 +149,31 @@ const exchangeRefreshAzure = async ({
  * @returns
  */
 const exchangeRefreshHeroku = async ({
-  refreshToken
+  refreshToken,
 }: {
   refreshToken: string;
 }) => {
-  try {
-    const accessExpiresAt = new Date();
-    const { 
-      data 
-    }: { 
-      data: RefreshTokenHerokuResponse 
-    } = await request.post(
-        INTEGRATION_HEROKU_TOKEN_URL,
-        new URLSearchParams({
-            grant_type: 'refresh_token',
-            refresh_token: refreshToken,
-            client_secret: getClientSecretHeroku()
-        } as any)
-    );
+  const accessExpiresAt = new Date();
+  const {
+    data,
+  }: {
+    data: RefreshTokenHerokuResponse;
+  } = await standardRequest.post(
+    INTEGRATION_HEROKU_TOKEN_URL,
+    new URLSearchParams({
+      grant_type: "refresh_token",
+      refresh_token: refreshToken,
+      client_secret: await getClientSecretHeroku(),
+    } as any)
+  );
 
-    accessExpiresAt.setSeconds(
-      accessExpiresAt.getSeconds() + data.expires_in
-    );
+  accessExpiresAt.setSeconds(accessExpiresAt.getSeconds() + data.expires_in);
 
-    return ({
-      accessToken: data.access_token,
-      refreshToken: data.refresh_token,
-      accessExpiresAt
-    });
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error('Failed to refresh OAuth2 access token for Heroku');
-  }
+  return {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token,
+    accessExpiresAt,
+  };
 };
 
 /**
@@ -208,45 +184,38 @@ const exchangeRefreshHeroku = async ({
  * @returns
  */
 const exchangeRefreshGitLab = async ({
-  refreshToken
+  refreshToken,
 }: {
   refreshToken: string;
 }) => {
-  try {
-    const accessExpiresAt = new Date();
-    const { 
-      data
-    }: { 
-      data: RefreshTokenGitLabResponse 
-    } = await request.post(
-      INTEGRATION_GITLAB_TOKEN_URL,
-      new URLSearchParams({
-        grant_type: 'refresh_token',
-        refresh_token: refreshToken,
-        client_id: getClientIdGitLab,
-        client_secret: getClientSecretGitLab(),
-        redirect_uri: `${getSiteURL()}/integrations/gitlab/oauth2/callback`
-      } as any),
-      {
-        headers: {
-          "Accept-Encoding": "application/json",
-        }
-      });
+  const accessExpiresAt = new Date();
+  const {
+    data,
+  }: {
+    data: RefreshTokenGitLabResponse;
+  } = await standardRequest.post(
+    INTEGRATION_GITLAB_TOKEN_URL,
+    new URLSearchParams({
+      grant_type: "refresh_token",
+      refresh_token: refreshToken,
+      client_id: await getClientIdGitLab(),
+      client_secret: await getClientSecretGitLab(),
+      redirect_uri: `${await getSiteURL()}/integrations/gitlab/oauth2/callback`,
+    } as any),
+    {
+      headers: {
+        "Accept-Encoding": "application/json",
+      },
+    }
+  );
 
-    accessExpiresAt.setSeconds(
-      accessExpiresAt.getSeconds() + data.expires_in
-    );
+  accessExpiresAt.setSeconds(accessExpiresAt.getSeconds() + data.expires_in);
 
-    return ({
-      accessToken: data.access_token,
-      refreshToken: data.refresh_token,
-      accessExpiresAt
-    });
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error('Failed to refresh OAuth2 access token for GitLab');
-  }
+  return {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token,
+    accessExpiresAt,
+  };
 };
 
 export { exchangeRefresh };