modify method to check for cli updates

login.tsx: Faster redirect from login to dashboard.

.env.example

@@ -64,7 +64,7 @@ POSTHOG_PROJECT_API_KEY=
 STRIPE_SECRET_KEY=
 STRIPE_PUBLISHABLE_KEY=
 STRIPE_WEBHOOK_SECRET=
-STRIPE_PRODUCT_CARD_AUTH=
-STRIPE_PRODUCT_PRO=
 STRIPE_PRODUCT_STARTER=
+STRIPE_PRODUCT_TEAM=
+STRIPE_PRODUCT_PRO=
 NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=

.eslintignore

@@ -1,3 +1,4 @@
 node_modules
 built
 healthcheck.js
+tailwind.config.js

.github/values.yaml

@@ -0,0 +1,93 @@
+#####
+# INFISICAL K8 DEFAULT VALUES FILE
+# PLEASE REPLACE VALUES/EDIT AS REQUIRED 
+#####
+
+nameOverride: ""
+
+frontend:
+  name: frontend
+  podAnnotations: {}
+  deploymentAnnotations:
+    secrets.infisical.com/auto-reload: "true"
+  replicaCount: 2
+  image:
+    repository: infisical/frontend
+    pullPolicy: Always 
+    tag: "latest"
+  kubeSecretRef: managed-secret-frontend
+  service:
+    # type of the frontend service
+    type: ClusterIP
+    # define the nodePort if service type is NodePort
+    # nodePort: 
+    annotations: {}
+
+backend:
+  name: backend
+  podAnnotations: {}
+  deploymentAnnotations:
+    secrets.infisical.com/auto-reload: "true"
+  replicaCount: 2
+  image:
+    repository: infisical/backend
+    pullPolicy: Always
+    tag: "latest"
+  kubeSecretRef: managed-backend-secret
+  service:
+    annotations: {}
+
+mongodb:
+  name: mongodb
+  podAnnotations: {}
+  image:
+    repository: mongo
+    pullPolicy: IfNotPresent
+    tag: "latest"
+  service:
+    annotations: {}
+
+# By default the backend will be connected to a Mongo instance in the cluster.
+# However, it is recommended to add a managed document DB connection string because the DB instance in the cluster does not have persistence yet ( data will be deleted on next deploy).
+# Learn about connection string type here https://www.mongodb.com/docs/manual/reference/connection-string/
+mongodbConnection: {}
+  # externalMongoDBConnectionString: <>
+
+ingress:
+  enabled: true
+  annotations:
+    kubernetes.io/ingress.class: "nginx"
+  hostName: gamma.infisical.com # replace with your domain 
+  frontend: 
+    path: /
+    pathType: Prefix
+  backend:
+    path: /api
+    pathType: Prefix
+  tls: []
+
+
+## Complete Ingress example 
+# ingress:
+#   enabled: true
+#   annotations:
+#     kubernetes.io/ingress.class: "nginx"
+#     cert-manager.io/issuer: letsencrypt-nginx
+#   hostName: k8.infisical.com
+#   frontend: 
+#     path: /
+#     pathType: Prefix
+#   backend:
+#     path: /api
+#     pathType: Prefix
+#   tls:
+#     - secretName: letsencrypt-nginx
+#       hosts:
+#         - k8.infisical.com
+
+###
+### YOU MUST FILL IN ALL SECRETS BELOW
+### 
+backendEnvironmentVariables: {}
+
+frontendEnvironmentVariables: {}

.github/workflows/check-be-pull-request.yml

@@ -24,7 +24,7 @@ jobs:
           cache: "npm"
           cache-dependency-path: backend/package-lock.json
       - name: 📦 Install dependencies
-        run: npm ci --only-production --ignore-scripts
+        run: npm ci --only-production
         working-directory: backend
       - name: 🧪 Run tests
         run: npm run test:ci

.github/workflows/docker-image.yml

@@ -1,5 +1,4 @@
-name: Push to Docker Hub
-
+name: Build, Publish and Deploy to Gamma
 on: [workflow_dispatch]
 
 jobs:
@@ -10,8 +9,9 @@ jobs:
     steps:
       - name: ☁️ Checkout source
         uses: actions/checkout@v3
-      - name: 🔧 Set up QEMU
-        uses: docker/setup-qemu-action@v2
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
       - name: 🔧 Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
       - name: 🐋 Login to Docker Hub
@@ -19,9 +19,13 @@ jobs:
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Set up Depot CLI
+        uses: depot/setup-action@v1
       - name: 📦 Build backend and export to Docker
-        uses: docker/build-push-action@v3
+        uses: depot/build-push-action@v1
         with:
+          project: 64mmf0n610
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
           load: true
           context: backend
           tags: infisical/backend:test
@@ -35,11 +39,14 @@ jobs:
         run: |
           docker compose -f .github/resources/docker-compose.be-test.yml down
       - name: 🏗️ Build backend and push
-        uses: docker/build-push-action@v3
+        uses: depot/build-push-action@v1
         with:
+          project: 64mmf0n610
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
           push: true
           context: backend
-          tags: infisical/backend:latest
+          tags: infisical/backend:${{ steps.commit.outputs.short }}, 
+                infisical/backend:latest
           platforms: linux/amd64,linux/arm64
 
   frontend-image:
@@ -49,8 +56,9 @@ jobs:
     steps:
       - name: ☁️ Checkout source
         uses: actions/checkout@v3
-      - name: 🔧 Set up QEMU
-        uses: docker/setup-qemu-action@v2
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
       - name: 🔧 Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
       - name: 🐋 Login to Docker Hub
@@ -58,10 +66,14 @@ jobs:
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Set up Depot CLI
+        uses: depot/setup-action@v1
       - name: 📦 Build frontend and export to Docker
-        uses: docker/build-push-action@v3
+        uses: depot/build-push-action@v1
         with:
           load: true
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          project: 64mmf0n610
           context: frontend
           tags: infisical/frontend:test
           build-args: |
@@ -76,11 +88,51 @@ jobs:
         run: |
           docker stop infisical-frontend-test
       - name: 🏗️ Build frontend and push
-        uses: docker/build-push-action@v3
+        uses: depot/build-push-action@v1
         with:
+          project: 64mmf0n610
           push: true
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
           context: frontend
-          tags: infisical/frontend:latest
+          tags: infisical/frontend:${{ steps.commit.outputs.short }}, 
+                infisical/frontend:latest
           platforms: linux/amd64,linux/arm64
           build-args: |
             POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
+  gamma-deployment:
+    name: Deploy to gamma
+    runs-on: ubuntu-latest
+    needs: [frontend-image, backend-image]
+    steps:
+      - name: ☁️ Checkout source
+        uses: actions/checkout@v3
+      - name: Install Helm
+        uses: azure/setup-helm@v3
+        with:
+          version: v3.10.0
+      - name: Install infisical helm chart
+        run: |
+          helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/'
+          helm repo update
+      - name: Install kubectl
+        uses: azure/setup-kubectl@v3
+      - name: Install doctl
+        uses: digitalocean/action-doctl@v2
+        with:
+          token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
+      - name: Save DigitalOcean kubeconfig with short-lived credentials
+        run: doctl kubernetes cluster kubeconfig save --expiry-seconds 600 k8s-1-25-4-do-0-nyc1-1670645170179
+      - name: switch to gamma namespace 
+        run: kubectl config set-context --current --namespace=gamma
+      - name: test kubectl
+        run: kubectl get ingress
+      - name: Download helm values to file and upgrade gamma deploy
+        run: |
+          wget https://raw.githubusercontent.com/Infisical/infisical/main/.github/values.yaml
+          helm upgrade infisical infisical-helm-charts/infisical  --values values.yaml --recreate-pods
+          if [[ $(helm status infisical) == *"FAILED"* ]]; then
+            echo "Helm upgrade failed"
+            exit 1
+          else
+            echo "Helm upgrade was successful"
+          fi

.github/workflows/release_build.yml

@@ -1,4 +1,4 @@
-name: Go releaser
+name: Build and release CLI
 
 on:
   push:
@@ -19,6 +19,7 @@ jobs:
         with:
           fetch-depth: 0
       - run: git fetch --force --tags
+      - run: echo "Ref name ${{github.ref_name}}"
       - uses: actions/setup-go@v3
         with:
           go-version: '>=1.19.3'
@@ -33,14 +34,15 @@ jobs:
         run: |
           mkdir ../../osxcross
           git clone https://github.com/plentico/osxcross-target.git ../../osxcross/target
-      - uses: goreleaser/goreleaser-action@v2
+      - uses: goreleaser/goreleaser-action@v4
         with:
           distribution: goreleaser
           version: latest
-          args: release --rm-dist
+          args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
           FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}
+          AUR_KEY: ${{ secrets.AUR_KEY }}
       - uses: actions/setup-python@v4
       - run: pip install --upgrade cloudsmith-cli
       - name: Publish to CloudSmith 

.gitignore

@@ -12,6 +12,8 @@ node_modules
 .DS_Store
 
 /dist
+/completions/
+/manpages/
 
 # frontend
 

.goreleaser.yaml

@@ -6,9 +6,17 @@
 #     - cd cli && go mod tidy
 #     # you may remove this if you don't need go generate
 #     - cd cli && go generate ./...
+before:
+  hooks:
+    - ./cli/scripts/completions.sh
+    - ./cli/scripts/manpages.sh
+
 builds:
   - id: darwin-build
     binary: infisical
+    ldflags: -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
+    flags:
+      - -trimpath
     env:
       - CGO_ENABLED=1
       - CC=/home/runner/work/osxcross/target/bin/o64-clang
@@ -19,10 +27,14 @@ builds:
       - goos: darwin
         goarch: "386"
     dir: ./cli
+
   - id: all-other-builds
     env:
       - CGO_ENABLED=0
     binary: infisical
+    ldflags: -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
+    flags:
+      - -trimpath
     goos:
       - freebsd
       - linux
@@ -30,13 +42,13 @@ builds:
       - openbsd
       - windows
     goarch:
-      - 386
+      - "386"
       - amd64
       - arm
       - arm64
     goarm:
-      - 6
-      - 7
+      - "6"
+      - "7"
     ignore:
       - goos: windows
         goarch: "386"
@@ -44,14 +56,26 @@ builds:
         goarch: "386"
     dir: ./cli
 
+archives:
+  - format_overrides:
+      - goos: windows
+        format: zip
+    files:
+      - README*
+      - LICENSE*
+      - manpages/*
+      - completions/*
+
 release:
   replace_existing_draft: true
   mode: 'replace'
 
 checksum:
   name_template: 'checksums.txt'
+
 snapshot:
-  name_template: "{{ incpatch .Version }}"
+  name_template: "{{ incpatch .Version }}-devel"
+
 changelog:
   sort: asc
   filters:
@@ -65,6 +89,7 @@ changelog:
 #       - infisical
 #     dir: "{{ dir .ArtifactPath }}"
 #     cmd: curl -F package=@{{ .ArtifactName }} https://{{ .Env.FURY_TOKEN }}@push.fury.io/infisical/
+
 brews:
   - name: infisical
     tap:
@@ -76,6 +101,13 @@ brews:
     folder: Formula
     homepage: "https://infisical.com"
     description: "The official Infisical CLI"
+    install: |-
+      bin.install "infisical"
+      bash_completion.install "completions/infisical.bash" => "infisical"
+      zsh_completion.install "completions/infisical.zsh" => "_infisical"
+      fish_completion.install "completions/infisical.fish"
+      man1.install "manpages/infisical.1.gz"
+
 nfpms:
 - id: infisical
   package_name: infisical
@@ -85,13 +117,23 @@ nfpms:
   homepage: https://infisical.com/
   maintainer: Infisical, Inc
   description: The offical Infisical CLI
-  license: Apache 2.0
+  license: MIT
   formats:
   - rpm
   - deb
   - apk
   - archlinux
   bindir: /usr/bin
+  contents:
+    - src: ./completions/infisical.bash
+      dst: /etc/bash_completion.d/infisical
+    - src: ./completions/infisical.fish
+      dst: /usr/share/fish/vendor_completions.d/infisical.fish
+    - src: ./completions/infisical.zsh
+      dst: /usr/share/zsh/site-functions/_infisical
+    - src: ./manpages/infisical.1.gz
+      dst: /usr/share/man/man1/infisical.1.gz
+
 scoop:
   bucket:
     owner: Infisical
@@ -101,7 +143,32 @@ scoop:
     email: ai@infisical.com
   homepage: "https://infisical.com"
   description: "The official Infisical CLI"
-  license: Apache-2.0
+  license: MIT
+
+aurs:
+  -
+    name: infisical-bin
+    homepage: "https://infisical.com"
+    description: "The official Infisical CLI"
+    maintainers:
+      - Infisical, Inc <support@infisical.com>
+    license: MIT
+    private_key: '{{ .Env.AUR_KEY }}'
+    git_url: 'ssh://aur@aur.archlinux.org/infisical-bin.git'
+    package: |-
+      # bin
+      install -Dm755 "./infisical" "${pkgdir}/usr/bin/infisical"
+      # license
+      install -Dm644 "./LICENSE" "${pkgdir}/usr/share/licenses/infisical/LICENSE"
+      # completions
+      mkdir -p "${pkgdir}/usr/share/bash-completion/completions/"
+      mkdir -p "${pkgdir}/usr/share/zsh/site-functions/"
+      mkdir -p "${pkgdir}/usr/share/fish/vendor_completions.d/"
+      install -Dm644 "./completions/infisical.bash" "${pkgdir}/usr/share/bash-completion/completions/infisical"
+      install -Dm644 "./completions/infisical.zsh" "${pkgdir}/usr/share/zsh/site-functions/infisical"
+      install -Dm644 "./completions/infisical.fish" "${pkgdir}/usr/share/fish/vendor_completions.d/infisical.fish"
+      # man pages
+      install -Dm644 "./manpages/infisical.1.gz" "${pkgdir}/usr/share/man/man1/infisical.1.gz"
 # dockers:
 #   - dockerfile: goreleaser.dockerfile
 #     goos: linux

Makefile

@@ -7,6 +7,9 @@ push:
 up-dev:
 	docker-compose -f docker-compose.dev.yml up --build
 
+i-dev:
+	infisical run -- docker-compose -f docker-compose.dev.yml up --build
+
 up-prod:
 	docker-compose -f docker-compose.yml up --build
 

backend/Dockerfile

@@ -4,7 +4,10 @@ WORKDIR /app
 
 COPY package.json package-lock.json ./
 
-RUN npm ci --only-production --ignore-scripts
+# RUN npm ci --only-production --ignore-scripts
+# "prepare": "cd .. && npm install"
+
+RUN npm ci --only-production
 
 COPY . .
 

backend/environment.d.ts

@@ -3,8 +3,10 @@ export {};
 declare global {
   namespace NodeJS {
     interface ProcessEnv {
+      PORT: string;
       EMAIL_TOKEN_LIFETIME: string;
       ENCRYPTION_KEY: string;
+      SALT_ROUNDS: string;
       JWT_AUTH_LIFETIME: string;
       JWT_AUTH_SECRET: string;
       JWT_REFRESH_LIFETIME: string;
@@ -19,23 +21,31 @@ declare global {
       CLIENT_ID_HEROKU: string;
       CLIENT_ID_VERCEL: string;
       CLIENT_ID_NETLIFY: string;
+      CLIENT_ID_GITHUB: string;
       CLIENT_SECRET_HEROKU: string;
       CLIENT_SECRET_VERCEL: string;
       CLIENT_SECRET_NETLIFY: string;
+      CLIENT_SECRET_GITHUB: string;
+      CLIENT_SLUG_VERCEL: string;
 			POSTHOG_HOST: string;
 			POSTHOG_PROJECT_API_KEY: string;
       SENTRY_DSN: string;
       SITE_URL: string;
       SMTP_HOST: string;
-      SMTP_NAME: string;
-      SMTP_PASSWORD: string;
+      SMTP_SECURE: string;
+      SMTP_PORT: string;
       SMTP_USERNAME: string;
-      STRIPE_PRODUCT_CARD_AUTH: string;
-      STRIPE_PRODUCT_PRO: string;
+      SMTP_PASSWORD: string;
+      SMTP_FROM_ADDRESS: string;
+      SMTP_FROM_NAME: string;
       STRIPE_PRODUCT_STARTER: string;
+      STRIPE_PRODUCT_TEAM: string;
+      STRIPE_PRODUCT_PRO: string;
       STRIPE_PUBLISHABLE_KEY: string;
       STRIPE_SECRET_KEY: string;
       STRIPE_WEBHOOK_SECRET: string;
+      TELEMETRY_ENABLED: string;
+      LICENSE_KEY: string;
     }
   }
 }

backend/package.json

@@ -1,12 +1,10 @@
 {
   "dependencies": {
     "@godaddy/terminus": "^4.11.2",
-    "@octokit/rest": "^19.0.5",
-    "@sentry/node": "^7.14.0",
-    "@sentry/tracing": "^7.19.0",
+    "@sentry/node": "^7.21.1",
+    "@sentry/tracing": "^7.21.1",
     "@types/crypto-js": "^4.1.1",
-    "@types/libsodium-wrappers": "^0.7.10",
-    "axios": "^1.1.3",
+    "axios": "^1.2.0",
     "bigint-conversion": "^2.2.2",
     "cookie-parser": "^1.4.6",
     "cors": "^2.8.5",
@@ -17,28 +15,25 @@
     "express-validator": "^6.14.2",
     "handlebars": "^4.7.7",
     "helmet": "^5.1.1",
-    "jsonwebtoken": "^9.0.0",
+    "jsonwebtoken": "^8.5.1",
     "jsrp": "^0.2.4",
-    "libsodium-wrappers": "^0.7.10",
-    "mongoose": "^6.7.2",
+    "mongoose": "^6.7.3",
     "nodemailer": "^6.8.0",
-    "posthog-node": "^2.2.2",
+    "posthog-node": "^2.1.0",
     "query-string": "^7.1.3",
     "rimraf": "^3.0.2",
     "stripe": "^10.7.0",
     "tweetnacl": "^1.0.3",
     "tweetnacl-util": "^0.15.1",
-    "typescript": "^4.9.3",
-    "winston": "^3.8.2",
-    "winston-loki": "^6.0.6"
+    "typescript": "^4.9.3"
   },
   "name": "infisical-api",
   "version": "1.0.0",
   "main": "src/index.js",
   "scripts": {
-    "prepare": "cd .. && npm install",
     "start": "npm run build && node build/index.js",
     "dev": "nodemon",
+    "swagger-autogen": "node ./swagger/index.ts",
     "build": "rimraf ./build && tsc && cp -R ./src/templates ./build",
     "lint": "eslint . --ext .ts",
     "lint-and-fix": "eslint . --ext .ts --fix",
@@ -62,11 +57,14 @@
   "devDependencies": {
     "@jest/globals": "^29.3.1",
     "@posthog/plugin-scaffold": "^1.3.4",
+    "@types/bcrypt": "^5.0.0",
+    "@types/bcryptjs": "^2.4.2",
     "@types/cookie-parser": "^1.4.3",
     "@types/cors": "^2.8.12",
     "@types/express": "^4.17.14",
     "@types/jest": "^29.2.4",
     "@types/jsonwebtoken": "^8.5.9",
+    "@types/lodash": "^4.14.191",
     "@types/node": "^18.11.3",
     "@types/nodemailer": "^6.4.6",
     "@types/supertest": "^2.0.12",
@@ -104,5 +102,47 @@
     "suiteNameTemplate": "{filepath}",
     "classNameTemplate": "{classname}",
     "titleTemplate": "{title}"
+  },
+  "dependencies": {
+    "@godaddy/terminus": "^4.11.2",
+    "@octokit/rest": "^19.0.5",
+    "@sentry/node": "^7.14.0",
+    "@sentry/tracing": "^7.19.0",
+    "@types/crypto-js": "^4.1.1",
+    "@types/libsodium-wrappers": "^0.7.10",
+    "await-to-js": "^3.0.0",
+    "axios": "^1.1.3",
+    "bcrypt": "^5.1.0",
+    "bigint-conversion": "^2.2.2",
+    "builder-pattern": "^2.2.0",
+    "cookie-parser": "^1.4.6",
+    "cors": "^2.8.5",
+    "crypto-js": "^4.1.1",
+    "dotenv": "^16.0.1",
+    "express": "^4.18.1",
+    "express-rate-limit": "^6.7.0",
+    "express-validator": "^6.14.2",
+    "handlebars": "^4.7.7",
+    "helmet": "^5.1.1",
+    "js-yaml": "^4.1.0",
+    "jsonwebtoken": "^9.0.0",
+    "jsrp": "^0.2.4",
+    "libsodium-wrappers": "^0.7.10",
+    "lodash": "^4.17.21",
+    "mongoose": "^6.7.2",
+    "nodemailer": "^6.8.0",
+    "posthog-node": "^2.2.2",
+    "query-string": "^7.1.3",
+    "request-ip": "^3.3.0",
+    "rimraf": "^3.0.2",
+    "stripe": "^10.7.0",
+    "swagger-autogen": "^2.22.0",
+    "swagger-ui-express": "^4.6.0",
+    "tweetnacl": "^1.0.3",
+    "tweetnacl-util": "^0.15.1",
+    "typescript": "^4.9.3",
+    "utility-types": "^3.10.0",
+    "winston": "^3.8.2",
+    "winston-loki": "^6.0.6"
   }
 }

backend/src/app.ts

@@ -1,40 +1,65 @@
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const { patchRouterParam } = require('./utils/patchAsyncRoutes');
 
-import { patchRouterParam } from './utils/patchAsyncRoutes';
-import express from 'express';
+import express, { Request, Response } from 'express';
 import helmet from 'helmet';
 import cors from 'cors';
 import cookieParser from 'cookie-parser';
 import dotenv from 'dotenv';
+import swaggerUi = require('swagger-ui-express');
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const swaggerFile = require('../spec.json');
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const requestIp = require('request-ip');
 
 dotenv.config();
 import { PORT, NODE_ENV, SITE_URL } from './config';
 import { apiLimiter } from './helpers/rateLimiter';
 
 import {
-  signup as signupRouter,
-  auth as authRouter,
-  bot as botRouter,
-  organization as organizationRouter,
-  workspace as workspaceRouter,
-  membershipOrg as membershipOrgRouter,
-  membership as membershipRouter,
-  key as keyRouter,
-  inviteOrg as inviteOrgRouter,
-  user as userRouter,
-  userAction as userActionRouter,
-  secret as secretRouter,
-  serviceToken as serviceTokenRouter,
-  password as passwordRouter,
-  stripe as stripeRouter,
-  integration as integrationRouter,
-  integrationAuth as integrationAuthRouter
-} from './routes';
+  workspace as eeWorkspaceRouter,
+  secret as eeSecretRouter,
+  secretSnapshot as eeSecretSnapshotRouter,
+  action as eeActionRouter
+} from './ee/routes/v1';
+import {
+  signup as v1SignupRouter,
+  auth as v1AuthRouter,
+  bot as v1BotRouter,
+  organization as v1OrganizationRouter,
+  workspace as v1WorkspaceRouter,
+  membershipOrg as v1MembershipOrgRouter,
+  membership as v1MembershipRouter,
+  key as v1KeyRouter,
+  inviteOrg as v1InviteOrgRouter,
+  user as v1UserRouter,
+  userAction as v1UserActionRouter,
+  secret as v1SecretRouter,
+  serviceToken as v1ServiceTokenRouter,
+  password as v1PasswordRouter,
+  stripe as v1StripeRouter,
+  integration as v1IntegrationRouter,
+  integrationAuth as v1IntegrationAuthRouter
+} from './routes/v1';
+import {
+  users as v2UsersRouter,
+  organizations as v2OrganizationsRouter,
+  workspace as v2WorkspaceRouter,
+  secret as v2SecretRouter, // begin to phase out
+  secrets as v2SecretsRouter,
+  serviceTokenData as v2ServiceTokenDataRouter,
+  apiKeyData as v2APIKeyDataRouter,
+  environment as v2EnvironmentRouter,
+} from './routes/v2';
+
+import { healthCheck } from './routes/status';
+
 import { getLogger } from './utils/logger';
 import { RouteNotFoundError } from './utils/errors';
 import { requestErrorHandler } from './middleware/requestErrorHandler';
 
-//* Patch Async route params to handle Promise Rejections
-patchRouterParam()
+// patch async route params to handle Promise Rejections
+patchRouterParam();
 
 export const app = express();
 
@@ -48,6 +73,8 @@ app.use(
   })
 );
 
+app.use(requestIp.mw())
+
 if (NODE_ENV === 'production') {
   // enable app-wide rate-limiting + helmet security
   // in production
@@ -56,36 +83,56 @@ if (NODE_ENV === 'production') {
   app.use(helmet());
 }
 
-// routers
-app.use('/api/v1/signup', signupRouter);
-app.use('/api/v1/auth', authRouter);
-app.use('/api/v1/bot', botRouter);
-app.use('/api/v1/user', userRouter);
-app.use('/api/v1/user-action', userActionRouter);
-app.use('/api/v1/organization', organizationRouter);
-app.use('/api/v1/workspace', workspaceRouter);
-app.use('/api/v1/membership-org', membershipOrgRouter);
-app.use('/api/v1/membership', membershipRouter);
-app.use('/api/v1/key', keyRouter);
-app.use('/api/v1/invite-org', inviteOrgRouter);
-app.use('/api/v1/secret', secretRouter);
-app.use('/api/v1/service-token', serviceTokenRouter);
-app.use('/api/v1/password', passwordRouter);
-app.use('/api/v1/stripe', stripeRouter);
-app.use('/api/v1/integration', integrationRouter);
-app.use('/api/v1/integration-auth', integrationAuthRouter);
+// (EE) routes
+app.use('/api/v1/secret', eeSecretRouter);
+app.use('/api/v1/secret-snapshot', eeSecretSnapshotRouter);
+app.use('/api/v1/workspace', eeWorkspaceRouter);
+app.use('/api/v1/action', eeActionRouter);
 
+// v1 routes
+app.use('/api/v1/signup', v1SignupRouter);
+app.use('/api/v1/auth', v1AuthRouter);
+app.use('/api/v1/bot', v1BotRouter);
+app.use('/api/v1/user', v1UserRouter);
+app.use('/api/v1/user-action', v1UserActionRouter);
+app.use('/api/v1/organization', v1OrganizationRouter);
+app.use('/api/v1/workspace', v1WorkspaceRouter);
+app.use('/api/v1/membership-org', v1MembershipOrgRouter);
+app.use('/api/v1/membership', v1MembershipRouter);
+app.use('/api/v1/key', v1KeyRouter);
+app.use('/api/v1/invite-org', v1InviteOrgRouter);
+app.use('/api/v1/secret', v1SecretRouter);
+app.use('/api/v1/service-token', v1ServiceTokenRouter); // deprecated
+app.use('/api/v1/password', v1PasswordRouter);
+app.use('/api/v1/stripe', v1StripeRouter);
+app.use('/api/v1/integration', v1IntegrationRouter);
+app.use('/api/v1/integration-auth', v1IntegrationAuthRouter);
+
+// v2 routes
+app.use('/api/v2/users', v2UsersRouter);
+app.use('/api/v2/organizations', v2OrganizationsRouter);
+app.use('/api/v2/workspace', v2EnvironmentRouter);
+app.use('/api/v2/workspace', v2WorkspaceRouter);
+app.use('/api/v2/secret', v2SecretRouter); // deprecated
+app.use('/api/v2/secrets', v2SecretsRouter);
+app.use('/api/v2/service-token', v2ServiceTokenDataRouter); // TODO: turn into plural route
+app.use('/api/v2/api-key', v2APIKeyDataRouter);
+
+// api docs 
+app.use('/api-docs', swaggerUi.serve, swaggerUi.setup(swaggerFile))
+
+// Server status
+app.use('/api', healthCheck)
 
 //* Handle unrouted requests and respond with proper error message as well as status code
-app.use((req, res, next)=>{
-  if(res.headersSent) return next();
-  next(RouteNotFoundError({message: `The requested source '(${req.method})${req.url}' was not found`}))
+app.use((req, res, next) => {
+  if (res.headersSent) return next();
+  next(RouteNotFoundError({ message: `The requested source '(${req.method})${req.url}' was not found` }))
 })
 
 //* Error Handling Middleware (must be after all routing logic)
 app.use(requestErrorHandler)
 
-
 export const server = app.listen(PORT, () => {
   getLogger("backend-main").info(`Server started listening at port ${PORT}`)
 });

backend/src/config/index.ts

@@ -1,6 +1,7 @@
 const PORT = process.env.PORT || 4000;
 const EMAIL_TOKEN_LIFETIME = process.env.EMAIL_TOKEN_LIFETIME! || '86400';
 const ENCRYPTION_KEY = process.env.ENCRYPTION_KEY!;
+const SALT_ROUNDS = parseInt(process.env.SALT_ROUNDS!) || 10;
 const JWT_AUTH_LIFETIME = process.env.JWT_AUTH_LIFETIME! || '10d';
 const JWT_AUTH_SECRET = process.env.JWT_AUTH_SECRET!;
 const JWT_REFRESH_LIFETIME = process.env.JWT_REFRESH_LIFETIME! || '90d';
@@ -12,11 +13,11 @@ const MONGO_URL = process.env.MONGO_URL!;
 const NODE_ENV = process.env.NODE_ENV! || 'production';
 const VERBOSE_ERROR_OUTPUT = process.env.VERBOSE_ERROR_OUTPUT! === 'true' && true;
 const LOKI_HOST = process.env.LOKI_HOST || undefined;
-const CLIENT_SECRET_HEROKU = process.env.CLIENT_SECRET_HEROKU!;
 const CLIENT_ID_HEROKU = process.env.CLIENT_ID_HEROKU!;
 const CLIENT_ID_VERCEL = process.env.CLIENT_ID_VERCEL!;
 const CLIENT_ID_NETLIFY = process.env.CLIENT_ID_NETLIFY!;
 const CLIENT_ID_GITHUB = process.env.CLIENT_ID_GITHUB!;
+const CLIENT_SECRET_HEROKU = process.env.CLIENT_SECRET_HEROKU!;
 const CLIENT_SECRET_VERCEL = process.env.CLIENT_SECRET_VERCEL!;
 const CLIENT_SECRET_NETLIFY = process.env.CLIENT_SECRET_NETLIFY!;
 const CLIENT_SECRET_GITHUB = process.env.CLIENT_SECRET_GITHUB!;
@@ -34,18 +35,20 @@ const SMTP_USERNAME = process.env.SMTP_USERNAME!;
 const SMTP_PASSWORD = process.env.SMTP_PASSWORD!;
 const SMTP_FROM_ADDRESS = process.env.SMTP_FROM_ADDRESS!;
 const SMTP_FROM_NAME = process.env.SMTP_FROM_NAME! || 'Infisical';
-const STRIPE_PRODUCT_CARD_AUTH = process.env.STRIPE_PRODUCT_CARD_AUTH!;
-const STRIPE_PRODUCT_PRO = process.env.STRIPE_PRODUCT_PRO!;
 const STRIPE_PRODUCT_STARTER = process.env.STRIPE_PRODUCT_STARTER!;
+const STRIPE_PRODUCT_PRO = process.env.STRIPE_PRODUCT_PRO!;
+const STRIPE_PRODUCT_TEAM = process.env.STRIPE_PRODUCT_TEAM!;
 const STRIPE_PUBLISHABLE_KEY = process.env.STRIPE_PUBLISHABLE_KEY!;
 const STRIPE_SECRET_KEY = process.env.STRIPE_SECRET_KEY!;
 const STRIPE_WEBHOOK_SECRET = process.env.STRIPE_WEBHOOK_SECRET!;
 const TELEMETRY_ENABLED = process.env.TELEMETRY_ENABLED! !== 'false' && true;
+const LICENSE_KEY = process.env.LICENSE_KEY!;
 
 export {
   PORT,
   EMAIL_TOKEN_LIFETIME,
   ENCRYPTION_KEY,
+  SALT_ROUNDS,
   JWT_AUTH_LIFETIME,
   JWT_AUTH_SECRET,
   JWT_REFRESH_LIFETIME,
@@ -77,11 +80,12 @@ export {
   SMTP_PASSWORD,
   SMTP_FROM_ADDRESS,
   SMTP_FROM_NAME,
-  STRIPE_PRODUCT_CARD_AUTH,
-  STRIPE_PRODUCT_PRO,
   STRIPE_PRODUCT_STARTER,
+  STRIPE_PRODUCT_TEAM,
+  STRIPE_PRODUCT_PRO,
   STRIPE_PUBLISHABLE_KEY,
   STRIPE_SECRET_KEY,
   STRIPE_WEBHOOK_SECRET,
-  TELEMETRY_ENABLED
+  TELEMETRY_ENABLED,
+  LICENSE_KEY
 };

backend/src/controllers/integrationAuthController.ts

@@ -1,104 +0,0 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import axios from 'axios';
-import { readFileSync } from 'fs';
-import { IntegrationAuth, Integration } from '../models';
-import { INTEGRATION_SET, INTEGRATION_OPTIONS, ENV_DEV } from '../variables';
-import { IntegrationService } from '../services';
-import { getApps, revokeAccess } from '../integrations';
-
-export const getIntegrationOptions = async (
-	req: Request,
-	res: Response
-) => {
-	return res.status(200).send({
-		integrationOptions: INTEGRATION_OPTIONS
-	});
-}
-
-/**
- * Perform OAuth2 code-token exchange as part of integration [integration] for workspace with id [workspaceId]
- * @param req
- * @param res
- * @returns
- */
-export const oAuthExchange = async (
-	req: Request,
-	res: Response
-) => {
-	try {
-		const { workspaceId, code, integration } = req.body;
-
-		if (!INTEGRATION_SET.has(integration))
-			throw new Error('Failed to validate integration');
-	
-		await IntegrationService.handleOAuthExchange({
-			workspaceId,
-			integration,
-			code
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get OAuth2 code-token exchange'
-		});
-	}
-
-	return res.status(200).send({
-		message: 'Successfully enabled integration authorization'
-	});
-};
-
-/**
- * Return list of applications allowed for integration with integration authorization id [integrationAuthId]
- * @param req
- * @param res
- * @returns
- */
-export const getIntegrationAuthApps = async (req: Request, res: Response) => {
-	let apps;
-	try {
-		apps = await getApps({
-			integrationAuth: req.integrationAuth,
-			accessToken: req.accessToken
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-        Sentry.captureException(err);	
-		return res.status(400).send({
-			message: 'Failed to get integration authorization applications'
-		});
-	}
-
-	return res.status(200).send({
-		apps
-	});
-};
-
-/**
- * Delete integration authorization with id [integrationAuthId]
- * @param req
- * @param res
- * @returns
- */
-export const deleteIntegrationAuth = async (req: Request, res: Response) => {
-	try {
-		const { integrationAuthId } = req.params;
-
-		await revokeAccess({
-			integrationAuth: req.integrationAuth,
-			accessToken: req.accessToken
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-        Sentry.captureException(err);	
-		return res.status(400).send({
-			message: 'Failed to delete integration authorization'
-		});
-	}
-	
-	return res.status(200).send({
-		message: 'Successfully deleted integration authorization'
-	});
-}

backend/src/controllers/v1/authController.ts

@@ -4,14 +4,16 @@ import jwt from 'jsonwebtoken';
 import * as Sentry from '@sentry/node';
 import * as bigintConversion from 'bigint-conversion';
 const jsrp = require('jsrp');
-import { User } from '../models';
-import { createToken, issueTokens, clearTokens } from '../helpers/auth';
+import { User } from '../../models';
+import { createToken, issueTokens, clearTokens } from '../../helpers/auth';
 import {
   NODE_ENV,
   JWT_AUTH_LIFETIME,
   JWT_AUTH_SECRET,
   JWT_REFRESH_SECRET
-} from '../config';
+} from '../../config';
+import LoginSRPDetail from '../../models/LoginSRPDetail';
+import { BadRequestError } from '../../utils/errors';
 
 declare module 'jsonwebtoken' {
   export interface UserIDJwtPayload extends jwt.JwtPayload {
@@ -19,8 +21,6 @@ declare module 'jsonwebtoken' {
   }
 }
 
-const clientPublicKeys: any = {};
-
 /**
  * Log in user step 1: Return [salt] and [serverPublicKey] as part of step 1 of SRP protocol
  * @param req
@@ -46,13 +46,15 @@ export const login1 = async (req: Request, res: Response) => {
         salt: user.salt,
         verifier: user.verifier
       },
-      () => {
+      async () => {
         // generate server-side public key
         const serverPublicKey = server.getPublicKey();
-        clientPublicKeys[email] = {
-          clientPublicKey,
-          serverBInt: bigintConversion.bigintToBuf(server.bInt)
-        };
+
+        await LoginSRPDetail.findOneAndReplace({ email: email }, {
+          email: email,
+          clientPublicKey: clientPublicKey,
+          serverBInt: bigintConversion.bigintToBuf(server.bInt),
+        }, { upsert: true, returnNewDocument: false })
 
         return res.status(200).send({
           serverPublicKey,
@@ -85,15 +87,21 @@ export const login2 = async (req: Request, res: Response) => {
 
     if (!user) throw new Error('Failed to find user');
 
+    const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: email })
+
+    if (!loginSRPDetailFromDB) {
+      return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
+    }
+
     const server = new jsrp.server();
     server.init(
       {
         salt: user.salt,
         verifier: user.verifier,
-        b: clientPublicKeys[email].serverBInt
+        b: loginSRPDetailFromDB.serverBInt
       },
       async () => {
-        server.setClientPublicKey(clientPublicKeys[email].clientPublicKey);
+        server.setClientPublicKey(loginSRPDetailFromDB.clientPublicKey);
 
         // compare server and client shared keys
         if (server.checkClientProof(clientProof)) {
@@ -170,10 +178,11 @@ export const logout = async (req: Request, res: Response) => {
  * @param res
  * @returns
  */
-export const checkAuth = async (req: Request, res: Response) =>
-  res.status(200).send({
+export const checkAuth = async (req: Request, res: Response) => {
+  return res.status(200).send({
     message: 'Authenticated'
   });
+}
 
 /**
  * Return new token by redeeming refresh token

backend/src/controllers/v1/botController.ts

@@ -1,7 +1,7 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import { Bot, BotKey } from '../models';
-import { createBot } from '../helpers/bot';
+import { Bot, BotKey } from '../../models';
+import { createBot } from '../../helpers/bot';
 
 interface BotKey {
     encryptedKey: string;

backend/src/controllers/v1/integrationAuthController.ts

@@ -0,0 +1,173 @@
+import { Request, Response } from 'express';
+import { Types } from 'mongoose';
+import * as Sentry from '@sentry/node';
+import {
+	Integration, 
+	IntegrationAuth,
+	Bot 
+} from '../../models';
+import { INTEGRATION_SET, INTEGRATION_OPTIONS } from '../../variables';
+import { IntegrationService } from '../../services';
+import { getApps, revokeAccess } from '../../integrations';
+
+export const getIntegrationOptions = async (
+	req: Request,
+	res: Response
+) => {
+	return res.status(200).send({
+		integrationOptions: INTEGRATION_OPTIONS
+	});
+}
+
+/**
+ * Perform OAuth2 code-token exchange as part of integration [integration] for workspace with id [workspaceId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const oAuthExchange = async (
+	req: Request,
+	res: Response
+) => {
+	try {
+		const { workspaceId, code, integration } = req.body;
+
+		if (!INTEGRATION_SET.has(integration))
+			throw new Error('Failed to validate integration');
+		
+		const environments = req.membership.workspace?.environments || [];
+		if(environments.length === 0){
+			throw new Error("Failed to get environments")
+		}
+	
+		await IntegrationService.handleOAuthExchange({
+			workspaceId,
+			integration,
+			code,
+			environment: environments[0].slug,
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get OAuth2 code-token exchange'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Successfully enabled integration authorization'
+	});
+};
+
+/**
+ * Save integration access token as part of integration [integration] for workspace with id [workspaceId]
+ * @param req 
+ * @param res 
+ */
+export const saveIntegrationAccessToken = async (
+	req: Request,
+	res: Response
+) => {
+	// TODO: refactor
+	let integrationAuth;
+	try {
+		const {
+			workspaceId,
+			accessToken,
+			integration
+		}: {
+			workspaceId: string;
+			accessToken: string;
+			integration: string;
+		} = req.body;
+
+		integrationAuth = await IntegrationAuth.findOneAndUpdate({
+            workspace: new Types.ObjectId(workspaceId),
+            integration
+        }, {
+            workspace: new Types.ObjectId(workspaceId),
+            integration
+		}, {
+            new: true,
+            upsert: true
+        });
+
+		const bot = await Bot.findOne({
+            workspace: new Types.ObjectId(workspaceId),
+            isActive: true
+        });
+        
+        if (!bot) throw new Error('Bot must be enabled to save integration access token');
+		
+		// encrypt and save integration access token
+		integrationAuth = await IntegrationService.setIntegrationAuthAccess({
+			integrationAuthId: integrationAuth._id.toString(),
+			accessToken,
+			accessExpiresAt: undefined
+		});
+		
+		if (!integrationAuth) throw new Error('Failed to save integration access token');
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to save access token for integration'
+		});
+	}
+	
+	return res.status(200).send({
+		integrationAuth
+	});
+}
+
+/**
+ * Return list of applications allowed for integration with integration authorization id [integrationAuthId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getIntegrationAuthApps = async (req: Request, res: Response) => {
+	let apps;
+	try {
+		apps = await getApps({
+			integrationAuth: req.integrationAuth,
+			accessToken: req.accessToken
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+        Sentry.captureException(err);	
+		return res.status(400).send({
+			message: 'Failed to get integration authorization applications'
+		});
+	}
+
+	return res.status(200).send({
+		apps
+	});
+};
+
+/**
+ * Delete integration authorization with id [integrationAuthId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const deleteIntegrationAuth = async (req: Request, res: Response) => {
+	let integrationAuth;
+	try {
+		integrationAuth = await revokeAccess({
+			integrationAuth: req.integrationAuth,
+			accessToken: req.accessToken
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+        Sentry.captureException(err);	
+		return res.status(400).send({
+			message: 'Failed to delete integration authorization'
+		});
+	}
+	
+	return res.status(200).send({
+		integrationAuth
+	});
+}

backend/src/controllers/v1/integrationController.ts

@@ -1,25 +1,43 @@
 import { Request, Response } from 'express';
-import { readFileSync } from 'fs';
 import * as Sentry from '@sentry/node';
-import { Integration, Bot, BotKey } from '../models';
-import { EventService } from '../services';
-import { eventPushSecrets } from '../events';
+import { 
+	Integration, 
+	Workspace,
+	Bot, 
+	BotKey 
+} from '../../models';
+import { EventService } from '../../services';
+import { eventPushSecrets } from '../../events';
 
-interface Key {
-	encryptedKey: string;
-	nonce: string;
-}
+/**
+ * Create/initialize an (empty) integration for integration authorization
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const createIntegration = async (req: Request, res: Response) => {
+	let integration;
+	try {
+		// initialize new integration after saving integration access token
+        integration = await new Integration({
+            workspace: req.integrationAuth.workspace._id,
+            isActive: false,
+            app: null,
+            environment: req.integrationAuth.workspace?.environments[0].slug,
+            integration: req.integrationAuth.integration,
+            integrationAuth: req.integrationAuth._id
+        }).save();
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to create integration'
+		});
+	}
 
-interface PushSecret {
-	ciphertextKey: string;
-	ivKey: string;
-	tagKey: string;
-	hashKey: string;
-	ciphertextValue: string;
-	ivValue: string;
-	tagValue: string;
-	hashValue: string;
-	type: 'shared' | 'personal';
+	return res.status(200).send({
+		integration
+	});
 }
 
 /**
@@ -36,12 +54,12 @@ export const updateIntegration = async (req: Request, res: Response) => {
 	
 	try {
 		const { 
-			app, 
 			environment, 
 			isActive, 
-			target, // vercel-specific integration param
-			context, // netlify-specific integration param
-			siteId // netlify-specific integration param
+			app, 
+			appId,
+			targetEnvironment,
+			owner, // github-specific integration param
 		} = req.body;
 		
 		integration = await Integration.findOneAndUpdate(
@@ -52,9 +70,9 @@ export const updateIntegration = async (req: Request, res: Response) => {
 				environment,
 				isActive,
 				app,
-				target,
-				context,
-				siteId
+				appId,
+				targetEnvironment,
+				owner
 			},
 			{
 				new: true
@@ -90,36 +108,15 @@ export const updateIntegration = async (req: Request, res: Response) => {
  * @returns
  */
 export const deleteIntegration = async (req: Request, res: Response) => {
-	let deletedIntegration;
+	let integration;
 	try {
 		const { integrationId } = req.params;
 
-		deletedIntegration = await Integration.findOneAndDelete({
+		integration = await Integration.findOneAndDelete({
 			_id: integrationId
 		});
 		
-		if (!deletedIntegration) throw new Error('Failed to find integration');
-		
-		const integrations = await Integration.find({
-			workspace: deletedIntegration.workspace
-		});
-			
-		if (integrations.length === 0) {
-			// case: no integrations left, deactivate bot
-			const bot = await Bot.findOneAndUpdate({
-				workspace: deletedIntegration.workspace
-			}, {
-				isActive: false
-			}, {
-				new: true
-			});
-			
-			if (bot) {
-				await BotKey.deleteOne({
-					bot: bot._id
-				});
-			}
-		}
+		if (!integration) throw new Error('Failed to find integration');
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);
@@ -127,8 +124,8 @@ export const deleteIntegration = async (req: Request, res: Response) => {
 			message: 'Failed to delete integration'
 		});
 	}
-
+	
 	return res.status(200).send({
-		deletedIntegration
+		integration
 	});
 };

backend/src/controllers/v1/keyController.ts

@@ -1,8 +1,7 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import { Key } from '../models';
-import { findMembership } from '../helpers/membership';
-import { GRANTED } from '../variables';
+import { Key } from '../../models';
+import { findMembership } from '../../helpers/membership';
 
 /**
  * Add (encrypted) copy of workspace key for workspace with id [workspaceId] for user with
@@ -26,9 +25,6 @@ export const uploadKey = async (req: Request, res: Response) => {
 			throw new Error('Failed receiver membership validation for workspace');
 		}
 
-		receiverMembership.status = GRANTED;
-		await receiverMembership.save();
-
 		await new Key({
 			encryptedKey: key.encryptedKey,
 			nonce: key.nonce,

backend/src/controllers/v1/membershipController.ts

@@ -1,13 +1,13 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import { Membership, MembershipOrg, User, Key } from '../models';
+import { Membership, MembershipOrg, User, Key, IMembership, Workspace } from '../../models';
 import {
 	findMembership,
 	deleteMembership as deleteMember
-} from '../helpers/membership';
-import { sendMail } from '../helpers/nodemailer';
-import { SITE_URL } from '../config';
-import { ADMIN, MEMBER, GRANTED, ACCEPTED } from '../variables';
+} from '../../helpers/membership';
+import { sendMail } from '../../helpers/nodemailer';
+import { SITE_URL } from '../../config';
+import { ADMIN, MEMBER, ACCEPTED } from '../../variables';
 
 /**
  * Check that user is a member of workspace with id [workspaceId]
@@ -175,8 +175,7 @@ export const inviteUserToWorkspace = async (req: Request, res: Response) => {
 		// already a member of the workspace
 		const inviteeMembership = await Membership.findOne({
 			user: invitee._id,
-			workspace: workspaceId,
-			status: GRANTED
+			workspace: workspaceId
 		});
 
 		if (inviteeMembership)
@@ -205,8 +204,7 @@ export const inviteUserToWorkspace = async (req: Request, res: Response) => {
 		const m = await new Membership({
 			user: invitee._id,
 			workspace: workspaceId,
-			role: MEMBER,
-			status: GRANTED
+			role: MEMBER
 		}).save();
 
 		await sendMail({
@@ -232,4 +230,4 @@ export const inviteUserToWorkspace = async (req: Request, res: Response) => {
 		invitee,
 		latestKey
 	});
-};
+};

backend/src/controllers/v1/membershipOrgController.ts

@@ -1,14 +1,14 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
 import crypto from 'crypto';
-import { SITE_URL, JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET } from '../config';
-import { MembershipOrg, Organization, User, Token } from '../models';
-import { deleteMembershipOrg as deleteMemberFromOrg } from '../helpers/membershipOrg';
-import { checkEmailVerification } from '../helpers/signup';
-import { createToken } from '../helpers/auth';
-import { updateSubscriptionOrgQuantity } from '../helpers/organization';
-import { sendMail } from '../helpers/nodemailer';
-import { OWNER, ADMIN, MEMBER, ACCEPTED, INVITED } from '../variables';
+import { SITE_URL, JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET } from '../../config';
+import { MembershipOrg, Organization, User, Token } from '../../models';
+import { deleteMembershipOrg as deleteMemberFromOrg } from '../../helpers/membershipOrg';
+import { checkEmailVerification } from '../../helpers/signup';
+import { createToken } from '../../helpers/auth';
+import { updateSubscriptionOrgQuantity } from '../../helpers/organization';
+import { sendMail } from '../../helpers/nodemailer';
+import { OWNER, ADMIN, MEMBER, ACCEPTED, INVITED } from '../../variables';
 
 /**
  * Delete organization membership with id [membershipOrgId] from organization
@@ -80,14 +80,14 @@ export const changeMembershipOrgRole = async (req: Request, res: Response) => {
 	// TODO
 
 	let membershipToChangeRole;
-	try {
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to change organization membership role'
-		});
-	}
+	// try {
+	// } catch (err) {
+	// 	Sentry.setUser({ email: req.user.email });
+	// 	Sentry.captureException(err);
+	// 	return res.status(400).send({
+	// 		message: 'Failed to change organization membership role'
+	// 	});
+	// }
 
 	return res.status(200).send({
 		membershipOrg: membershipToChangeRole
@@ -115,13 +115,14 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 		if (!membershipOrg) {
 			throw new Error('Failed to validate organization membership');
 		}
-
+		
 		invitee = await User.findOne({
 			email: inviteeEmail
-		});
+		}).select('+publicKey');
 
 		if (invitee) {
 			// case: invitee is an existing user
+			
 			inviteeMembershipOrg = await MembershipOrg.findOne({
 				user: invitee._id,
 				organization: organizationId
@@ -218,12 +219,6 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => {
 		const { email, code } = req.body;
 
 		user = await User.findOne({ email }).select('+publicKey');
-		if (user && user?.publicKey) {
-			// case: user has already completed account
-			return res.status(403).send({
-				error: 'Failed email magic link verification for complete account'
-			});
-		}
 
 		const membershipOrg = await MembershipOrg.findOne({
 			inviteEmail: email,
@@ -238,6 +233,18 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => {
 			code
 		});
 
+		if (user && user?.publicKey) {
+			// case: user has already completed account
+			// membership can be approved and redirected to login/dashboard
+			membershipOrg.status = ACCEPTED;
+			await membershipOrg.save();
+
+			return res.status(200).send({
+				message: 'Successfully verified email',
+				user,
+			});
+        }
+
 		if (!user) {
 			// initialize user account
 			user = await new User({

backend/src/controllers/v1/organizationController.ts

@@ -2,11 +2,8 @@ import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
 import {
 	SITE_URL,
-	STRIPE_SECRET_KEY,
-	STRIPE_PRODUCT_STARTER,
-	STRIPE_PRODUCT_PRO,
-	STRIPE_PRODUCT_CARD_AUTH
-} from '../config';
+	STRIPE_SECRET_KEY
+} from '../../config';
 import Stripe from 'stripe';
 
 const stripe = new Stripe(STRIPE_SECRET_KEY, {
@@ -18,23 +15,11 @@ import {
 	Organization,
 	Workspace,
 	IncidentContactOrg
-} from '../models';
-import { createOrganization as create } from '../helpers/organization';
-import { addMembershipsOrg } from '../helpers/membershipOrg';
-import { OWNER, ACCEPTED } from '../variables';
+} from '../../models';
+import { createOrganization as create } from '../../helpers/organization';
+import { addMembershipsOrg } from '../../helpers/membershipOrg';
+import { OWNER, ACCEPTED } from '../../variables';
 
-const productToPriceMap = {
-	starter: STRIPE_PRODUCT_STARTER,
-	pro: STRIPE_PRODUCT_PRO,
-	cardAuth: STRIPE_PRODUCT_CARD_AUTH
-};
-
-/**
- * Return organizations that user is part of
- * @param req
- * @param res
- * @returns
- */
 export const getOrganizations = async (req: Request, res: Response) => {
 	let organizations;
 	try {
@@ -346,7 +331,6 @@ export const createOrganizationPortalSession = async (
 
 		if (paymentMethods.data.length < 1) {
 			// case: no payment method on file
-			productToPriceMap['cardAuth'];
 			session = await stripe.checkout.sessions.create({
 				customer: req.membershipOrg.organization.customerId,
 				mode: 'setup',

backend/src/controllers/v1/passwordController.ts

@@ -1,15 +1,16 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
 import crypto from 'crypto';
+// eslint-disable-next-line @typescript-eslint/no-var-requires
 const jsrp = require('jsrp');
 import * as bigintConversion from 'bigint-conversion';
-import { User, Token, BackupPrivateKey } from '../models';
-import { checkEmailVerification } from '../helpers/signup';
-import { createToken } from '../helpers/auth';
-import { sendMail } from '../helpers/nodemailer';
-import { JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET, SITE_URL } from '../config';
-
-const clientPublicKeys: any = {};
+import { User, Token, BackupPrivateKey } from '../../models';
+import { checkEmailVerification } from '../../helpers/signup';
+import { createToken } from '../../helpers/auth';
+import { sendMail } from '../../helpers/nodemailer';
+import { JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET, SITE_URL } from '../../config';
+import LoginSRPDetail from '../../models/LoginSRPDetail';
+import { BadRequestError } from '../../utils/errors';
 
 /**
  * Password reset step 1: Send email verification link to email [email] 
@@ -31,7 +32,7 @@ export const emailPasswordReset = async (req: Request, res: Response) => {
 				error: 'Failed to send email verification for password reset'
 			});
 		}
-		
+
 		const token = crypto.randomBytes(16).toString('hex');
 
 		await Token.findOneAndUpdate(
@@ -43,7 +44,7 @@ export const emailPasswordReset = async (req: Request, res: Response) => {
 			},
 			{ upsert: true, new: true }
 		);
-		
+
 		await sendMail({
 			template: 'passwordReset.handlebars',
 			subjectLine: 'Infisical password reset',
@@ -54,15 +55,15 @@ export const emailPasswordReset = async (req: Request, res: Response) => {
 				callback_url: SITE_URL + '/password-reset'
 			}
 		});
-		
+
 	} catch (err) {
 		Sentry.setUser(null);
 		Sentry.captureException(err);
 		return res.status(400).send({
 			message: 'Failed to send email for account recovery'
-		});	
+		});
 	}
-	
+
 	return res.status(200).send({
 		message: `Sent an email for account recovery to ${email}`
 	});
@@ -78,7 +79,7 @@ export const emailPasswordResetVerify = async (req: Request, res: Response) => {
 	let user, token;
 	try {
 		const { email, code } = req.body;
-		
+
 		user = await User.findOne({ email }).select('+publicKey');
 		if (!user || !user?.publicKey) {
 			// case: user doesn't exist with email [email] or 
@@ -92,7 +93,7 @@ export const emailPasswordResetVerify = async (req: Request, res: Response) => {
 			email,
 			code
 		});
-		
+
 		// generate temporary password-reset token
 		token = createToken({
 			payload: {
@@ -106,7 +107,7 @@ export const emailPasswordResetVerify = async (req: Request, res: Response) => {
 		Sentry.captureException(err);
 		return res.status(400).send({
 			message: 'Failed email verification for password reset'
-		});	
+		});
 	}
 
 	return res.status(200).send({
@@ -129,7 +130,7 @@ export const srp1 = async (req: Request, res: Response) => {
 		const user = await User.findOne({
 			email: req.user.email
 		}).select('+salt +verifier');
-		
+
 		if (!user) throw new Error('Failed to find user');
 
 		const server = new jsrp.server();
@@ -138,13 +139,15 @@ export const srp1 = async (req: Request, res: Response) => {
 				salt: user.salt,
 				verifier: user.verifier
 			},
-			() => {
+			async () => {
 				// generate server-side public key
 				const serverPublicKey = server.getPublicKey();
-				clientPublicKeys[req.user.email] = {
-					clientPublicKey,
-					serverBInt: bigintConversion.bigintToBuf(server.bInt)
-				};
+
+				await LoginSRPDetail.findOneAndReplace({ email: req.user.email }, {
+					email: req.user.email,
+					clientPublicKey: clientPublicKey,
+					serverBInt: bigintConversion.bigintToBuf(server.bInt),
+				}, { upsert: true, returnNewDocument: false })
 
 				return res.status(200).send({
 					serverPublicKey,
@@ -179,17 +182,21 @@ export const changePassword = async (req: Request, res: Response) => {
 
 		if (!user) throw new Error('Failed to find user');
 
+		const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: req.user.email })
+
+		if (!loginSRPDetailFromDB) {
+			return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
+		}
+
 		const server = new jsrp.server();
 		server.init(
 			{
 				salt: user.salt,
 				verifier: user.verifier,
-				b: clientPublicKeys[req.user.email].serverBInt
+				b: loginSRPDetailFromDB.serverBInt
 			},
 			async () => {
-				server.setClientPublicKey(
-					clientPublicKeys[req.user.email].clientPublicKey
-				);
+				server.setClientPublicKey(loginSRPDetailFromDB.clientPublicKey);
 
 				// compare server and client shared keys
 				if (server.checkClientProof(clientProof)) {
@@ -248,16 +255,22 @@ export const createBackupPrivateKey = async (req: Request, res: Response) => {
 
 		if (!user) throw new Error('Failed to find user');
 
+		const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: req.user.email })
+
+		if (!loginSRPDetailFromDB) {
+			return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
+		}
+
 		const server = new jsrp.server();
 		server.init(
 			{
 				salt: user.salt,
 				verifier: user.verifier,
-				b: clientPublicKeys[req.user.email].serverBInt
+				b: loginSRPDetailFromDB.serverBInt
 			},
 			async () => {
 				server.setClientPublicKey(
-					clientPublicKeys[req.user.email].clientPublicKey
+					loginSRPDetailFromDB.clientPublicKey
 				);
 
 				// compare server and client shared keys
@@ -310,16 +323,16 @@ export const getBackupPrivateKey = async (req: Request, res: Response) => {
 		backupPrivateKey = await BackupPrivateKey.findOne({
 			user: req.user._id
 		}).select('+encryptedPrivateKey +iv +tag');
-		
+
 		if (!backupPrivateKey) throw new Error('Failed to find backup private key');
 	} catch (err) {
-		Sentry.setUser({ email: req.user.email});
+		Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);
 		return res.status(400).send({
 			message: 'Failed to get backup private key'
 		});
 	}
-	
+
 	return res.status(200).send({
 		backupPrivateKey
 	});
@@ -347,15 +360,15 @@ export const resetPassword = async (req: Request, res: Response) => {
 			{
 				new: true
 			}
-		);	
+		);
 	} catch (err) {
-		Sentry.setUser({ email: req.user.email});
+		Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);
 		return res.status(400).send({
 			message: 'Failed to get backup private key'
-		});	
+		});
 	}
-	
+
 	return res.status(200).send({
 		message: 'Successfully reset password'
 	});

backend/src/controllers/v1/secretController.ts

@@ -1,16 +1,15 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import { Key } from '../models';
+import { Key, Secret } from '../../models';
 import {
-	pushSecrets as push,
+	v1PushSecrets as push,
 	pullSecrets as pull,
 	reformatPullSecrets
-} from '../helpers/secret';
-import { pushKeys } from '../helpers/key';
-import { eventPushSecrets } from '../events';
-import { EventService } from '../services';
-import { ENV_SET } from '../variables';
-import { postHogClient } from '../services';
+} from '../../helpers/secret';
+import { pushKeys } from '../../helpers/key';
+import { eventPushSecrets } from '../../events';
+import { EventService } from '../../services';
+import { postHogClient } from '../../services';
 
 interface PushSecret {
 	ciphertextKey: string;
@@ -21,6 +20,10 @@ interface PushSecret {
 	ivValue: string;
 	tagValue: string;
 	hashValue: string;
+	ciphertextComment: string;
+	ivComment: string;
+	tagComment: string;
+	hashComment: string;
 	type: 'shared' | 'personal';
 }
 
@@ -40,7 +43,8 @@ export const pushSecrets = async (req: Request, res: Response) => {
 		const { workspaceId } = req.params;
 
 		// validate environment
-		if (!ENV_SET.has(environment)) {
+		const workspaceEnvs = req.membership.workspace.environments;
+		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
 			throw new Error('Failed to validate environment');
 		}
 
@@ -112,14 +116,17 @@ export const pullSecrets = async (req: Request, res: Response) => {
 		const { workspaceId } = req.params;
 
 		// validate environment
-		if (!ENV_SET.has(environment)) {
+		const workspaceEnvs = req.membership.workspace.environments;
+		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
 			throw new Error('Failed to validate environment');
 		}
 
 		secrets = await pull({
 			userId: req.user._id.toString(),
 			workspaceId,
-			environment
+			environment,
+			channel: channel ? channel : 'cli',
+			ipAddress: req.ip
 		});
 
 		key = await Key.findOne({
@@ -169,9 +176,6 @@ export const pullSecrets = async (req: Request, res: Response) => {
  * @returns
  */
 export const pullSecretsServiceToken = async (req: Request, res: Response) => {
-	// get (encrypted) secrets from workspace with id [workspaceId]
-	// service token route
-
 	let secrets;
 	let key;
 	try {
@@ -180,14 +184,17 @@ export const pullSecretsServiceToken = async (req: Request, res: Response) => {
 		const { workspaceId } = req.params;
 
 		// validate environment
-		if (!ENV_SET.has(environment)) {
+		const workspaceEnvs = req.membership.workspace.environments;
+		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
 			throw new Error('Failed to validate environment');
 		}
 
 		secrets = await pull({
 			userId: req.serviceToken.user._id.toString(),
 			workspaceId,
-			environment
+			environment,
+			channel: 'cli',
+			ipAddress: req.ip
 		});
 
 		key = {
@@ -225,4 +232,4 @@ export const pullSecretsServiceToken = async (req: Request, res: Response) => {
 		secrets: reformatPullSecrets({ secrets }),
 		key
 	});
-};
+};

backend/src/controllers/v1/serviceTokenController.ts

@@ -1,8 +1,7 @@
 import { Request, Response } from 'express';
-import { ServiceToken } from '../models';
-import { createToken } from '../helpers/auth';
-import { ENV_SET } from '../variables';
-import { JWT_SERVICE_SECRET } from '../config';
+import { ServiceToken } from '../../models';
+import { createToken } from '../../helpers/auth';
+import { JWT_SERVICE_SECRET } from '../../config';
 
 /**
  * Return service token on request
@@ -11,7 +10,6 @@ import { JWT_SERVICE_SECRET } from '../config';
  * @returns
  */
 export const getServiceToken = async (req: Request, res: Response) => {
-	// get service token
 	return res.status(200).send({
 		serviceToken: req.serviceToken
 	});
@@ -37,7 +35,8 @@ export const createServiceToken = async (req: Request, res: Response) => {
 		} = req.body;
 
 		// validate environment
-		if (!ENV_SET.has(environment)) {
+		const workspaceEnvs = req.membership.workspace.environments;
+		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
 			throw new Error('Failed to validate environment');
 		}
 
@@ -73,4 +72,4 @@ export const createServiceToken = async (req: Request, res: Response) => {
 	return res.status(200).send({
 		token
 	});
-};
+};

backend/src/controllers/v1/signupController.ts

@@ -1,15 +1,15 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import { NODE_ENV, JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET } from '../config';
-import { User, MembershipOrg } from '../models';
-import { completeAccount } from '../helpers/user';
+import { NODE_ENV, JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET } from '../../config';
+import { User, MembershipOrg } from '../../models';
+import { completeAccount } from '../../helpers/user';
 import {
 	sendEmailVerification,
 	checkEmailVerification,
 	initializeDefaultOrg
-} from '../helpers/signup';
-import { issueTokens, createToken } from '../helpers/auth';
-import { INVITED, ACCEPTED } from '../variables';
+} from '../../helpers/signup';
+import { issueTokens, createToken } from '../../helpers/auth';
+import { INVITED, ACCEPTED } from '../../variables';
 import axios from 'axios';
 
 /**

backend/src/controllers/v1/userActionController.ts

@@ -1,6 +1,6 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import { UserAction } from '../models';
+import { UserAction } from '../../models';
 
 /**
  * Add user action [action]

backend/src/controllers/v1/workspaceController.ts

@@ -7,14 +7,15 @@ import {
 	Integration,
 	IntegrationAuth,
 	IUser,
-	ServiceToken
-} from '../models';
+	ServiceToken,
+	ServiceTokenData
+} from '../../models';
 import {
 	createWorkspace as create,
 	deleteWorkspace as deleteWork
-} from '../helpers/workspace';
-import { addMemberships } from '../helpers/membership';
-import { ADMIN, COMPLETED, GRANTED } from '../variables';
+} from '../../helpers/workspace';
+import { addMemberships } from '../../helpers/membership';
+import { ADMIN } from '../../variables';
 
 /**
  * Return public keys of members of workspace with id [workspaceId]
@@ -32,13 +33,12 @@ export const getWorkspacePublicKeys = async (req: Request, res: Response) => {
 				workspace: workspaceId
 			}).populate<{ user: IUser }>('user', 'publicKey')
 		)
-			.filter((m) => m.status === COMPLETED || m.status === GRANTED)
-			.map((member) => {
-				return {
-					publicKey: member.user.publicKey,
-					userId: member.user._id
-				};
-			});
+		.map((member) => {
+			return {
+				publicKey: member.user.publicKey,
+				userId: member.user._id
+			};
+		});
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);
@@ -168,8 +168,7 @@ export const createWorkspace = async (req: Request, res: Response) => {
 		await addMemberships({
 			userIds: [req.user._id],
 			workspaceId: workspace._id.toString(),
-			roles: [ADMIN],
-			statuses: [GRANTED]
+			roles: [ADMIN]
 		});
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });
@@ -318,7 +317,7 @@ export const getWorkspaceServiceTokens = async (
 	let serviceTokens;
 	try {
 		const { workspaceId } = req.params;
-
+		// ?? FIX.
 		serviceTokens = await ServiceToken.find({
 			user: req.user._id,
 			workspace: workspaceId

backend/src/controllers/v2/apiKeyDataController.ts

@@ -0,0 +1,105 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import crypto from 'crypto';
+import bcrypt from 'bcrypt';
+import {
+    APIKeyData
+} from '../../models';
+import {
+    SALT_ROUNDS
+} from '../../config';
+
+/**
+ * Return API key data for user with id [req.user_id]
+ * @param req
+ * @param res 
+ * @returns 
+ */
+export const getAPIKeyData = async (req: Request, res: Response) => {
+    let apiKeyData;
+    try {
+        apiKeyData = await APIKeyData.find({
+            user: req.user._id
+        });
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+        Sentry.captureException(err);
+        return res.status(400).send({
+            message: 'Failed to get API key data'
+        });
+    }
+    
+    return res.status(200).send({
+        apiKeyData
+    });
+}
+
+/**
+ * Create new API key data for user with id [req.user._id]
+ * @param req 
+ * @param res 
+ */
+export const createAPIKeyData = async (req: Request, res: Response) => {
+    let apiKey, apiKeyData;
+    try {
+        const { name, expiresIn } = req.body;
+        
+        const secret = crypto.randomBytes(16).toString('hex');
+        const secretHash = await bcrypt.hash(secret, SALT_ROUNDS);
+        
+		const expiresAt = new Date();
+		expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
+        
+        apiKeyData = await new APIKeyData({
+            name,
+            expiresAt,
+            user: req.user._id,
+            secretHash
+        }).save();
+        
+        // return api key data without sensitive data
+        apiKeyData = await APIKeyData.findById(apiKeyData._id);
+        
+        if (!apiKeyData) throw new Error('Failed to find API key data');
+        
+        apiKey = `ak.${apiKeyData._id.toString()}.${secret}`;
+            
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+        Sentry.captureException(err);
+        return res.status(400).send({
+            message: 'Failed to API key data'
+        });
+    }
+    
+    return res.status(200).send({
+        apiKey,
+        apiKeyData
+    });
+}
+
+/**
+ * Delete API key data with id [apiKeyDataId].
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const deleteAPIKeyData = async (req: Request, res: Response) => {
+    let apiKeyData;
+    try {
+        const { apiKeyDataId } = req.params;
+
+        apiKeyData = await APIKeyData.findByIdAndDelete(apiKeyDataId);
+        
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+        Sentry.captureException(err);
+        return res.status(400).send({
+            message: 'Failed to delete API key data'
+        });
+    }
+    
+    return res.status(200).send({
+        apiKeyData
+    });
+}

backend/src/controllers/v2/environmentController.ts

@@ -0,0 +1,261 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import {
+  Secret,
+  ServiceToken,
+  Workspace,
+  Integration,
+  ServiceTokenData,
+  Membership,
+} from '../../models';
+import { SecretVersion } from '../../ee/models';
+import { BadRequestError } from '../../utils/errors';
+import _ from 'lodash';
+import { ABILITY_READ, ABILITY_WRITE } from '../../variables/organization';
+
+/**
+ * Create new workspace environment named [environmentName] under workspace with id
+ * @param req
+ * @param res
+ * @returns
+ */
+export const createWorkspaceEnvironment = async (
+  req: Request,
+  res: Response
+) => {
+  const { workspaceId } = req.params;
+  const { environmentName, environmentSlug } = req.body;
+  try {
+    const workspace = await Workspace.findById(workspaceId).exec();
+    if (
+      !workspace ||
+      workspace?.environments.find(
+        ({ name, slug }) => slug === environmentSlug || environmentName === name
+      )
+    ) {
+      throw new Error('Failed to create workspace environment');
+    }
+
+    workspace?.environments.push({
+      name: environmentName,
+      slug: environmentSlug.toLowerCase(),
+    });
+    await workspace.save();
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: 'Failed to create new workspace environment',
+    });
+  }
+
+  return res.status(200).send({
+    message: 'Successfully created new environment',
+    workspace: workspaceId,
+    environment: {
+      name: environmentName,
+      slug: environmentSlug,
+    },
+  });
+};
+
+/**
+ * Rename workspace environment with new name and slug of a workspace with [workspaceId]
+ * Old slug [oldEnvironmentSlug] must be provided
+ * @param req
+ * @param res
+ * @returns
+ */
+export const renameWorkspaceEnvironment = async (
+  req: Request,
+  res: Response
+) => {
+  const { workspaceId } = req.params;
+  const { environmentName, environmentSlug, oldEnvironmentSlug } = req.body;
+  try {
+    // user should pass both new slug and env name
+    if (!environmentSlug || !environmentName) {
+      throw new Error('Invalid environment given.');
+    }
+
+    // atomic update the env to avoid conflict
+    const workspace = await Workspace.findById(workspaceId).exec();
+    if (!workspace) {
+      throw new Error('Failed to create workspace environment');
+    }
+
+    const isEnvExist = workspace.environments.some(
+      ({ name, slug }) =>
+        slug !== oldEnvironmentSlug &&
+        (name === environmentName || slug === environmentSlug)
+    );
+    if (isEnvExist) {
+      throw new Error('Invalid environment given');
+    }
+
+    const envIndex = workspace?.environments.findIndex(
+      ({ slug }) => slug === oldEnvironmentSlug
+    );
+    if (envIndex === -1) {
+      throw new Error('Invalid environment given');
+    }
+
+    workspace.environments[envIndex].name = environmentName;
+    workspace.environments[envIndex].slug = environmentSlug.toLowerCase();
+
+    await workspace.save();
+    await Secret.updateMany(
+      { workspace: workspaceId, environment: oldEnvironmentSlug },
+      { environment: environmentSlug }
+    );
+    await SecretVersion.updateMany(
+      { workspace: workspaceId, environment: oldEnvironmentSlug },
+      { environment: environmentSlug }
+    );
+    await ServiceToken.updateMany(
+      { workspace: workspaceId, environment: oldEnvironmentSlug },
+      { environment: environmentSlug }
+    );
+    await ServiceTokenData.updateMany(
+      { workspace: workspaceId, environment: oldEnvironmentSlug },
+      { environment: environmentSlug }
+    );
+    await Integration.updateMany(
+      { workspace: workspaceId, environment: oldEnvironmentSlug },
+      { environment: environmentSlug }
+    );
+    await Membership.updateMany(
+      {
+        workspace: workspaceId,
+        "deniedPermissions.environmentSlug": oldEnvironmentSlug
+      },
+      { $set: { "deniedPermissions.$[element].environmentSlug": environmentSlug } },
+      { arrayFilters: [{ "element.environmentSlug": oldEnvironmentSlug }] }
+    )
+
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: 'Failed to update workspace environment',
+    });
+  }
+
+  return res.status(200).send({
+    message: 'Successfully update environment',
+    workspace: workspaceId,
+    environment: {
+      name: environmentName,
+      slug: environmentSlug,
+    },
+  });
+};
+
+/**
+ * Delete workspace environment by [environmentSlug] of workspace [workspaceId] and do the clean up
+ * @param req
+ * @param res
+ * @returns
+ */
+export const deleteWorkspaceEnvironment = async (
+  req: Request,
+  res: Response
+) => {
+  const { workspaceId } = req.params;
+  const { environmentSlug } = req.body;
+  try {
+    // atomic update the env to avoid conflict
+    const workspace = await Workspace.findById(workspaceId).exec();
+    if (!workspace) {
+      throw new Error('Failed to create workspace environment');
+    }
+
+    const envIndex = workspace?.environments.findIndex(
+      ({ slug }) => slug === environmentSlug
+    );
+    if (envIndex === -1) {
+      throw new Error('Invalid environment given');
+    }
+
+    workspace.environments.splice(envIndex, 1);
+    await workspace.save();
+
+    // clean up
+    await Secret.deleteMany({
+      workspace: workspaceId,
+      environment: environmentSlug,
+    });
+    await SecretVersion.deleteMany({
+      workspace: workspaceId,
+      environment: environmentSlug,
+    });
+    await ServiceToken.deleteMany({
+      workspace: workspaceId,
+      environment: environmentSlug,
+    });
+    await ServiceTokenData.deleteMany({
+      workspace: workspaceId,
+      environment: environmentSlug,
+    });
+    await Integration.deleteMany({
+      workspace: workspaceId,
+      environment: environmentSlug,
+    });
+    await Membership.updateMany(
+      { workspace: workspaceId },
+      { $pull: { deniedPermissions: { environmentSlug: environmentSlug } } }
+    )
+
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: 'Failed to delete workspace environment',
+    });
+  }
+
+  return res.status(200).send({
+    message: 'Successfully deleted environment',
+    workspace: workspaceId,
+    environment: environmentSlug,
+  });
+};
+
+
+export const getAllAccessibleEnvironmentsOfWorkspace = async (
+  req: Request,
+  res: Response
+) => {
+  const { workspaceId } = req.params;
+  const workspacesUserIsMemberOf = await Membership.findOne({
+    workspace: workspaceId,
+    user: req.user
+  })
+
+  if (!workspacesUserIsMemberOf) {
+    throw BadRequestError()
+  }
+
+  const accessibleEnvironments: any = []
+  const deniedPermission = workspacesUserIsMemberOf.deniedPermissions
+
+  const relatedWorkspace = await Workspace.findById(workspaceId)
+  if (!relatedWorkspace) {
+    throw BadRequestError()
+  }
+  relatedWorkspace.environments.forEach(environment => {
+    const isReadBlocked = _.some(deniedPermission, { environmentSlug: environment.slug, ability: ABILITY_READ })
+    const isWriteBlocked = _.some(deniedPermission, { environmentSlug: environment.slug, ability: ABILITY_WRITE })
+    if (isReadBlocked) {
+      return
+    } else {
+      accessibleEnvironments.push({
+        name: environment.name,
+        slug: environment.slug,
+        isWriteDenied: isWriteBlocked
+      })
+    }
+  })
+
+  res.json({ accessibleEnvironments })
+};

backend/src/controllers/v2/index.ts

@@ -0,0 +1,19 @@
+import * as usersController from './usersController';
+import * as organizationsController from './organizationsController';
+import * as workspaceController from './workspaceController';
+import * as serviceTokenDataController from './serviceTokenDataController';
+import * as apiKeyDataController from './apiKeyDataController';
+import * as secretController from './secretController';
+import * as secretsController from './secretsController';
+import * as environmentController from './environmentController';
+
+export {
+    usersController,
+    organizationsController,
+    workspaceController,
+    serviceTokenDataController,
+    apiKeyDataController,
+    secretController,
+    secretsController,
+    environmentController
+}

backend/src/controllers/v2/organizationsController.ts

@@ -0,0 +1,296 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { 
+    MembershipOrg,
+    Membership,
+    Workspace
+} from '../../models';
+import { deleteMembershipOrg } from '../../helpers/membershipOrg';
+import { updateSubscriptionOrgQuantity } from '../../helpers/organization';
+
+/**
+ * Return memberships for organization with id [organizationId]
+ * @param req 
+ * @param res 
+ */
+export const getOrganizationMemberships = async (req: Request, res: Response) => {
+    /* 
+    #swagger.summary = 'Return organization memberships'
+    #swagger.description = 'Return organization memberships'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+	#swagger.parameters['organizationId'] = {
+		"description": "ID of organization",
+		"required": true,
+		"type": "string"
+	} 
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+                    "type": "object",
+					"properties": {
+						"memberships": {
+							"type": "array",
+							"items": {
+								$ref: "#/components/schemas/MembershipOrg" 
+							},
+							"description": "Memberships of organization"
+						}
+					}
+                }
+            }           
+        }
+    }   
+    */
+    let memberships;
+    try {
+        const { organizationId } = req.params;
+
+		memberships = await MembershipOrg.find({
+			organization: organizationId
+		}).populate('user', '+publicKey');
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get organization memberships'
+		});
+    }
+    
+    return res.status(200).send({
+        memberships
+    });
+}
+
+/**
+ * Update role of membership with id [membershipId] to role [role]
+ * @param req 
+ * @param res 
+ */
+export const updateOrganizationMembership = async (req: Request, res: Response) => {
+    /* 
+    #swagger.summary = 'Update organization membership'
+    #swagger.description = 'Update organization membership'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+	#swagger.parameters['organizationId'] = {
+		"description": "ID of organization",
+		"required": true,
+		"type": "string"
+	} 
+
+	#swagger.parameters['membershipId'] = {
+		"description": "ID of organization membership to update",
+		"required": true,
+		"type": "string"
+	} 
+
+	#swagger.requestBody = {
+      "required": true,
+      "content": {
+        "application/json": {
+          "schema": {
+            "type": "object",
+            "properties": {
+                "role": {
+                    "type": "string",
+                    "description": "Role of organization membership - either owner, admin, or member",
+                }
+            }
+          }
+        }
+      }
+    }
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+					"type": "object",
+					"properties": {
+						"membership": {
+							$ref: "#/components/schemas/MembershipOrg",
+							"description": "Updated organization membership"
+						}
+					}
+                }
+            }           
+        }
+    }   
+    */
+    let membership;
+    try {
+        const { membershipId } = req.params;
+        const { role } = req.body;
+        
+        membership = await MembershipOrg.findByIdAndUpdate(
+            membershipId,
+            {
+                role
+            }, {
+                new: true
+            }
+        );
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to update organization membership'
+		});
+    }
+    
+    return res.status(200).send({
+        membership
+    });
+}
+
+/**
+ * Delete organization membership with id [membershipId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const deleteOrganizationMembership = async (req: Request, res: Response) => {
+    /* 
+    #swagger.summary = 'Delete organization membership'
+    #swagger.description = 'Delete organization membership'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+	#swagger.parameters['organizationId'] = {
+		"description": "ID of organization",
+		"required": true,
+		"type": "string"
+	} 
+
+	#swagger.parameters['membershipId'] = {
+		"description": "ID of organization membership to delete",
+		"required": true,
+		"type": "string"
+	} 
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+					"type": "object",
+					"properties": {
+						"membership": {
+							$ref: "#/components/schemas/MembershipOrg",
+							"description": "Deleted organization membership"
+						}
+					}
+                }
+            }           
+        }
+    }   
+    */
+    let membership;
+    try {
+        const { membershipId } = req.params;
+        
+        // delete organization membership
+        membership = await deleteMembershipOrg({
+            membershipOrgId: membershipId
+        });
+
+        await updateSubscriptionOrgQuantity({
+			organizationId: membership.organization.toString()
+		});
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to delete organization membership'
+		});	
+    }
+
+    return res.status(200).send({
+        membership
+    });
+}
+
+/**
+ * Return workspaces for organization with id [organizationId] that user has
+ * access to
+ * @param req 
+ * @param res 
+ */
+export const getOrganizationWorkspaces = async (req: Request, res: Response) => {
+    /* 
+    #swagger.summary = 'Return projects in organization that user is part of'
+    #swagger.description = 'Return projects in organization that user is part of'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+	#swagger.parameters['organizationId'] = {
+		"description": "ID of organization",
+		"required": true,
+		"type": "string"
+	} 
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+                    "type": "object",
+					"properties": {
+						"workspaces": {
+							"type": "array",
+							"items": {
+								$ref: "#/components/schemas/Project" 
+							},
+							"description": "Projects of organization"
+						}
+					}
+                }
+            }           
+        }
+    }   
+    */
+    let workspaces;
+    try {
+        const { organizationId } = req.params;
+
+		const workspacesSet = new Set(
+			(
+				await Workspace.find(
+					{
+						organization: organizationId
+					},
+					'_id'
+				)
+			).map((w) => w._id.toString())
+		);
+
+		workspaces = (
+			await Membership.find({
+				user: req.user._id
+			}).populate('workspace')
+		)
+			.filter((m) => workspacesSet.has(m.workspace._id.toString()))
+			.map((m) => m.workspace);
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get organization workspaces'
+		});	
+    }
+    
+    return res.status(200).send({
+        workspaces
+    });
+}

backend/src/controllers/v2/secretController.ts

@@ -0,0 +1,401 @@
+import to from "await-to-js";
+import { Request, Response } from "express";
+import mongoose, { Types } from "mongoose";
+import Secret, { ISecret } from "../../models/secret";
+import { CreateSecretRequestBody, ModifySecretRequestBody, SanitizedSecretForCreate, SanitizedSecretModify } from "../../types/secret";
+const { ValidationError } = mongoose.Error;
+import { BadRequestError, InternalServerError, UnauthorizedRequestError, ValidationError as RouteValidationError } from '../../utils/errors';
+import { AnyBulkWriteOperation } from 'mongodb';
+import { SECRET_PERSONAL, SECRET_SHARED } from "../../variables";
+import { postHogClient } from '../../services';
+
+/**
+ * Create secret for workspace with id [workspaceId] and environment [environment]
+ * @param req 
+ * @param res 
+ */
+export const createSecret = async (req: Request, res: Response) => {
+  const secretToCreate: CreateSecretRequestBody = req.body.secret;
+  const { workspaceId, environment } = req.params
+  const sanitizedSecret: SanitizedSecretForCreate = {
+    secretKeyCiphertext: secretToCreate.secretKeyCiphertext,
+    secretKeyIV: secretToCreate.secretKeyIV,
+    secretKeyTag: secretToCreate.secretKeyTag,
+    secretKeyHash: secretToCreate.secretKeyHash,
+    secretValueCiphertext: secretToCreate.secretValueCiphertext,
+    secretValueIV: secretToCreate.secretValueIV,
+    secretValueTag: secretToCreate.secretValueTag,
+    secretValueHash: secretToCreate.secretValueHash,
+    secretCommentCiphertext: secretToCreate.secretCommentCiphertext,
+    secretCommentIV: secretToCreate.secretCommentIV,
+    secretCommentTag: secretToCreate.secretCommentTag,
+    secretCommentHash: secretToCreate.secretCommentHash,
+    workspace: new Types.ObjectId(workspaceId),
+    environment,
+    type: secretToCreate.type,
+    user: new Types.ObjectId(req.user._id)
+  }
+
+
+  const [error, secret] = await to(Secret.create(sanitizedSecret).then())
+  if (error instanceof ValidationError) {
+    throw RouteValidationError({ message: error.message, stack: error.stack })
+  }
+
+  if (postHogClient) {
+    postHogClient.capture({
+      event: 'secrets added',
+      distinctId: req.user.email,
+      properties: {
+        numberOfSecrets: 1,
+        workspaceId,
+        environment,
+        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
+        userAgent: req.headers?.['user-agent']
+      }
+    });
+  }
+
+  res.status(200).send({
+    secret
+  })
+}
+
+/**
+ * Create many secrets for workspace wiht id [workspaceId] and environment [environment]
+ * @param req 
+ * @param res 
+ */
+export const createSecrets = async (req: Request, res: Response) => {
+  const secretsToCreate: CreateSecretRequestBody[] = req.body.secrets;
+  const { workspaceId, environment } = req.params
+  const sanitizedSecretesToCreate: SanitizedSecretForCreate[] = []
+
+  secretsToCreate.forEach(rawSecret => {
+    const safeUpdateFields: SanitizedSecretForCreate = {
+      secretKeyCiphertext: rawSecret.secretKeyCiphertext,
+      secretKeyIV: rawSecret.secretKeyIV,
+      secretKeyTag: rawSecret.secretKeyTag,
+      secretKeyHash: rawSecret.secretKeyHash,
+      secretValueCiphertext: rawSecret.secretValueCiphertext,
+      secretValueIV: rawSecret.secretValueIV,
+      secretValueTag: rawSecret.secretValueTag,
+      secretValueHash: rawSecret.secretValueHash,
+      secretCommentCiphertext: rawSecret.secretCommentCiphertext,
+      secretCommentIV: rawSecret.secretCommentIV,
+      secretCommentTag: rawSecret.secretCommentTag,
+      secretCommentHash: rawSecret.secretCommentHash,
+      workspace: new Types.ObjectId(workspaceId),
+      environment,
+      type: rawSecret.type,
+      user: new Types.ObjectId(req.user._id)
+    }
+
+    sanitizedSecretesToCreate.push(safeUpdateFields)
+  })
+
+  const [bulkCreateError, secrets] = await to(Secret.insertMany(sanitizedSecretesToCreate).then())
+  if (bulkCreateError) {
+    if (bulkCreateError instanceof ValidationError) {
+      throw RouteValidationError({ message: bulkCreateError.message, stack: bulkCreateError.stack })
+    }
+
+    throw InternalServerError({ message: "Unable to process your batch create request. Please try again", stack: bulkCreateError.stack })
+  }
+
+  if (postHogClient) {
+    postHogClient.capture({
+      event: 'secrets added',
+      distinctId: req.user.email,
+      properties: {
+        numberOfSecrets: (secretsToCreate ?? []).length,
+        workspaceId,
+        environment,
+        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
+        userAgent: req.headers?.['user-agent']
+      }
+    });
+  }
+
+  res.status(200).send({
+    secrets
+  })
+}
+
+/**
+ * Delete secrets in workspace with id [workspaceId] and environment [environment]
+ * @param req 
+ * @param res 
+ */
+export const deleteSecrets = async (req: Request, res: Response) => {
+  const { workspaceId, environmentName } = req.params
+  const secretIdsToDelete: string[] = req.body.secretIds
+
+  const [secretIdsUserCanDeleteError, secretIdsUserCanDelete] = await to(Secret.find({ workspace: workspaceId, environment: environmentName }, { _id: 1 }).then())
+  if (secretIdsUserCanDeleteError) {
+    throw InternalServerError({ message: `Unable to fetch secrets you own: [error=${secretIdsUserCanDeleteError.message}]` })
+  }
+
+  const secretsUserCanDeleteSet: Set<string> = new Set(secretIdsUserCanDelete.map(objectId => objectId._id.toString()));
+  const deleteOperationsToPerform: AnyBulkWriteOperation<ISecret>[] = []
+
+  let numSecretsDeleted = 0;
+  secretIdsToDelete.forEach(secretIdToDelete => {
+    if (secretsUserCanDeleteSet.has(secretIdToDelete)) {
+      const deleteOperation = { deleteOne: { filter: { _id: new Types.ObjectId(secretIdToDelete) } } }
+      deleteOperationsToPerform.push(deleteOperation)
+      numSecretsDeleted++;
+    } else {
+      throw RouteValidationError({ message: "You cannot delete secrets that you do not have access to" })
+    }
+  })
+
+  const [bulkDeleteError, bulkDelete] = await to(Secret.bulkWrite(deleteOperationsToPerform).then())
+  if (bulkDeleteError) {
+    if (bulkDeleteError instanceof ValidationError) {
+      throw RouteValidationError({ message: "Unable to apply modifications, please try again", stack: bulkDeleteError.stack })
+    }
+    throw InternalServerError()
+  }
+
+  if (postHogClient) {
+    postHogClient.capture({
+      event: 'secrets deleted',
+      distinctId: req.user.email,
+      properties: {
+        numberOfSecrets: numSecretsDeleted,
+        environment: environmentName,
+        workspaceId,
+        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
+        userAgent: req.headers?.['user-agent']
+      }
+    });
+  }
+
+  res.status(200).send()
+}
+
+/**
+ * Delete secret with id [secretId]
+ * @param req 
+ * @param res
+ */
+export const deleteSecret = async (req: Request, res: Response) => {
+  await Secret.findByIdAndDelete(req._secret._id)
+
+  if (postHogClient) {
+    postHogClient.capture({
+      event: 'secrets deleted',
+      distinctId: req.user.email,
+      properties: {
+        numberOfSecrets: 1,
+        workspaceId: req._secret.workspace.toString(),
+        environment: req._secret.environment,
+        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
+        userAgent: req.headers?.['user-agent']
+      }
+    });
+  }
+
+  res.status(200).send({
+    secret: req._secret
+  })
+}
+
+/**
+ * Update secrets for workspace with id [workspaceId] and environment [environment]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const updateSecrets = async (req: Request, res: Response) => {
+  const { workspaceId, environmentName } = req.params
+  const secretsModificationsRequested: ModifySecretRequestBody[] = req.body.secrets;
+  const [secretIdsUserCanModifyError, secretIdsUserCanModify] = await to(Secret.find({ workspace: workspaceId, environment: environmentName }, { _id: 1 }).then())
+  if (secretIdsUserCanModifyError) {
+    throw InternalServerError({ message: "Unable to fetch secrets you own" })
+  }
+
+  const secretsUserCanModifySet: Set<string> = new Set(secretIdsUserCanModify.map(objectId => objectId._id.toString()));
+  const updateOperationsToPerform: any = []
+
+  secretsModificationsRequested.forEach(userModifiedSecret => {
+    if (secretsUserCanModifySet.has(userModifiedSecret._id.toString())) {
+      const sanitizedSecret: SanitizedSecretModify = {
+        secretKeyCiphertext: userModifiedSecret.secretKeyCiphertext,
+        secretKeyIV: userModifiedSecret.secretKeyIV,
+        secretKeyTag: userModifiedSecret.secretKeyTag,
+        secretKeyHash: userModifiedSecret.secretKeyHash,
+        secretValueCiphertext: userModifiedSecret.secretValueCiphertext,
+        secretValueIV: userModifiedSecret.secretValueIV,
+        secretValueTag: userModifiedSecret.secretValueTag,
+        secretValueHash: userModifiedSecret.secretValueHash,
+        secretCommentCiphertext: userModifiedSecret.secretCommentCiphertext,
+        secretCommentIV: userModifiedSecret.secretCommentIV,
+        secretCommentTag: userModifiedSecret.secretCommentTag,
+        secretCommentHash: userModifiedSecret.secretCommentHash,
+      }
+
+      const updateOperation = { updateOne: { filter: { _id: userModifiedSecret._id, workspace: workspaceId }, update: { $inc: { version: 1 }, $set: sanitizedSecret } } }
+      updateOperationsToPerform.push(updateOperation)
+    } else {
+      throw UnauthorizedRequestError({ message: "You do not have permission to modify one or more of the requested secrets" })
+    }
+  })
+
+  const [bulkModificationInfoError, bulkModificationInfo] = await to(Secret.bulkWrite(updateOperationsToPerform).then())
+  if (bulkModificationInfoError) {
+    if (bulkModificationInfoError instanceof ValidationError) {
+      throw RouteValidationError({ message: "Unable to apply modifications, please try again", stack: bulkModificationInfoError.stack })
+    }
+
+    throw InternalServerError()
+  }
+
+  if (postHogClient) {
+    postHogClient.capture({
+      event: 'secrets modified',
+      distinctId: req.user.email,
+      properties: {
+        numberOfSecrets: (secretsModificationsRequested ?? []).length,
+        environment: environmentName,
+        workspaceId,
+        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
+        userAgent: req.headers?.['user-agent']
+      }
+    });
+  }
+
+  return res.status(200).send()
+}
+
+/**
+ * Update a secret within workspace with id [workspaceId] and environment [environment]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const updateSecret = async (req: Request, res: Response) => {
+  const { workspaceId, environmentName } = req.params
+  const secretModificationsRequested: ModifySecretRequestBody = req.body.secret;
+
+  const [secretIdUserCanModifyError, secretIdUserCanModify] = await to(Secret.findOne({ workspace: workspaceId, environment: environmentName }, { _id: 1 }).then())
+  if (secretIdUserCanModifyError && !secretIdUserCanModify) {
+    throw BadRequestError()
+  }
+
+  const sanitizedSecret: SanitizedSecretModify = {
+    secretKeyCiphertext: secretModificationsRequested.secretKeyCiphertext,
+    secretKeyIV: secretModificationsRequested.secretKeyIV,
+    secretKeyTag: secretModificationsRequested.secretKeyTag,
+    secretKeyHash: secretModificationsRequested.secretKeyHash,
+    secretValueCiphertext: secretModificationsRequested.secretValueCiphertext,
+    secretValueIV: secretModificationsRequested.secretValueIV,
+    secretValueTag: secretModificationsRequested.secretValueTag,
+    secretValueHash: secretModificationsRequested.secretValueHash,
+    secretCommentCiphertext: secretModificationsRequested.secretCommentCiphertext,
+    secretCommentIV: secretModificationsRequested.secretCommentIV,
+    secretCommentTag: secretModificationsRequested.secretCommentTag,
+    secretCommentHash: secretModificationsRequested.secretCommentHash,
+  }
+
+  const [error, singleModificationUpdate] = await to(Secret.updateOne({ _id: secretModificationsRequested._id, workspace: workspaceId }, { $inc: { version: 1 }, $set: sanitizedSecret }).then())
+  if (error instanceof ValidationError) {
+    throw RouteValidationError({ message: "Unable to apply modifications, please try again", stack: error.stack })
+  }
+
+  if (postHogClient) {
+    postHogClient.capture({
+      event: 'secrets modified',
+      distinctId: req.user.email,
+      properties: {
+        numberOfSecrets: 1,
+        environment: environmentName,
+        workspaceId,
+        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
+        userAgent: req.headers?.['user-agent']
+      }
+    });
+  }
+
+  return res.status(200).send(singleModificationUpdate)
+}
+
+/**
+ * Return secrets for workspace with id [workspaceId], environment [environment] and user
+ * with id [req.user._id]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getSecrets = async (req: Request, res: Response) => {
+  const { environment } = req.query;
+  const { workspaceId } = req.params;
+
+  let userId: Types.ObjectId | undefined = undefined // used for getting personal secrets for user
+  let userEmail: Types.ObjectId | undefined = undefined // used for posthog 
+  if (req.user) {
+    userId = req.user._id;
+    userEmail = req.user.email;
+  }
+
+  if (req.serviceTokenData) {
+    userId = req.serviceTokenData.user._id
+    userEmail = req.serviceTokenData.user.email;
+  }
+
+  const [err, secrets] = await to(Secret.find(
+    {
+      workspace: workspaceId,
+      environment,
+      $or: [{ user: userId }, { user: { $exists: false } }],
+      type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
+    }
+  ).then())
+
+  if (err) {
+    throw RouteValidationError({ message: "Failed to get secrets, please try again", stack: err.stack })
+  }
+
+  if (postHogClient) {
+    postHogClient.capture({
+      event: 'secrets pulled',
+      distinctId: userEmail,
+      properties: {
+        numberOfSecrets: (secrets ?? []).length,
+        environment,
+        workspaceId,
+        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
+        userAgent: req.headers?.['user-agent']
+      }
+    });
+  }
+
+  return res.json(secrets)
+}
+
+/**
+ * Return secret with id [secretId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getSecret = async (req: Request, res: Response) => {
+  // if (postHogClient) {
+  //   postHogClient.capture({
+  //     event: 'secrets pulled',
+  //     distinctId: req.user.email,
+  //     properties: {
+  //       numberOfSecrets: 1,
+  //       workspaceId: req._secret.workspace.toString(),
+  //       environment: req._secret.environment,
+  //       channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
+  //       userAgent: req.headers?.['user-agent']
+  //     }
+  //   });
+  // }
+
+  return res.status(200).send({
+    secret: req._secret
+  });
+}

backend/src/controllers/v2/secretsController.ts

@@ -0,0 +1,673 @@
+import to from 'await-to-js';
+import { Types } from 'mongoose';
+import { Request, Response } from 'express';
+import { ISecret, Membership, Secret, Workspace } from '../../models';
+import {
+    SECRET_PERSONAL,
+    SECRET_SHARED,
+    ACTION_ADD_SECRETS,
+    ACTION_READ_SECRETS,
+    ACTION_UPDATE_SECRETS,
+    ACTION_DELETE_SECRETS
+} from '../../variables';
+import { UnauthorizedRequestError, ValidationError } from '../../utils/errors';
+import { EventService } from '../../services';
+import { eventPushSecrets } from '../../events';
+import { EESecretService, EELogService } from '../../ee/services';
+import { postHogClient } from '../../services';
+import { getChannelFromUserAgent } from '../../utils/posthog';
+import { ABILITY_READ, ABILITY_WRITE } from '../../variables/organization';
+import { userHasWorkspaceAccess } from '../../ee/helpers/checkMembershipPermissions';
+
+/**
+ * Create secret(s) for workspace with id [workspaceId] and environment [environment]
+ * @param req 
+ * @param res 
+ */
+export const createSecrets = async (req: Request, res: Response) => {
+    /* 
+    #swagger.summary = 'Create new secret(s)'
+    #swagger.description = 'Create one or many secrets for a given project and environment.'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+    #swagger.requestBody = {
+      "required": true,
+      "content": {
+        "application/json": {
+          "schema": {
+            "type": "object",
+            "properties": {
+                "workspaceId": {
+                    "type": "string",
+                    "description": "ID of project",
+                },
+                "environment": {
+                    "type": "string",
+                    "description": "Environment within project"
+                },
+                "secrets": {
+                    $ref: "#/components/schemas/CreateSecret",
+                    "description": "Secret(s) to create - object or array of objects"
+                }
+            }
+          }
+        }
+      }
+    }
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+                    "type": "object",
+                    "properties": {
+                        "secrets": {
+                            "type": "array",
+                            "items": {
+                                $ref: "#/components/schemas/Secret" 
+                            },
+                            "description": "Newly-created secrets for the given project and environment"
+                        }
+                    }
+                }
+            }           
+        }
+    }   
+    */
+
+    const channel = getChannelFromUserAgent(req.headers['user-agent'])
+    const { workspaceId, environment } = req.body;
+
+    const hasAccess = await userHasWorkspaceAccess(req.user, workspaceId, environment, ABILITY_WRITE)
+    if (!hasAccess) {
+        throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
+    }
+
+    let toAdd;
+    if (Array.isArray(req.body.secrets)) {
+        // case: create multiple secrets
+        toAdd = req.body.secrets;
+    } else if (typeof req.body.secrets === 'object') {
+        // case: create 1 secret
+        toAdd = [req.body.secrets];
+    }
+
+    const newSecrets = await Secret.insertMany(
+        toAdd.map(({
+            type,
+            secretKeyCiphertext,
+            secretKeyIV,
+            secretKeyTag,
+            secretValueCiphertext,
+            secretValueIV,
+            secretValueTag,
+        }: {
+            type: string;
+            secretKeyCiphertext: string;
+            secretKeyIV: string;
+            secretKeyTag: string;
+            secretValueCiphertext: string;
+            secretValueIV: string;
+            secretValueTag: string;
+        }) => {
+            return ({
+                version: 1,
+                workspace: new Types.ObjectId(workspaceId),
+                type,
+                user: type === SECRET_PERSONAL ? req.user : undefined,
+                environment,
+                secretKeyCiphertext,
+                secretKeyIV,
+                secretKeyTag,
+                secretValueCiphertext,
+                secretValueIV,
+                secretValueTag
+            });
+        })
+    );
+
+    setTimeout(async () => {
+        // trigger event - push secrets
+        await EventService.handleEvent({
+            event: eventPushSecrets({
+                workspaceId
+            })
+        });
+    }, 5000);
+
+    // (EE) add secret versions for new secrets
+    await EESecretService.addSecretVersions({
+        secretVersions: newSecrets.map(({
+            _id,
+            version,
+            workspace,
+            type,
+            user,
+            environment,
+            secretKeyCiphertext,
+            secretKeyIV,
+            secretKeyTag,
+            secretKeyHash,
+            secretValueCiphertext,
+            secretValueIV,
+            secretValueTag,
+            secretValueHash
+        }) => ({
+            _id: new Types.ObjectId(),
+            secret: _id,
+            version,
+            workspace,
+            type,
+            user,
+            environment,
+            isDeleted: false,
+            secretKeyCiphertext,
+            secretKeyIV,
+            secretKeyTag,
+            secretKeyHash,
+            secretValueCiphertext,
+            secretValueIV,
+            secretValueTag,
+            secretValueHash
+        }))
+    });
+
+    const addAction = await EELogService.createActionSecret({
+        name: ACTION_ADD_SECRETS,
+        userId: req.user._id.toString(),
+        workspaceId,
+        secretIds: newSecrets.map((n) => n._id)
+    });
+
+    // (EE) create (audit) log
+    addAction && await EELogService.createLog({
+        userId: req.user._id.toString(),
+        workspaceId,
+        actions: [addAction],
+        channel,
+        ipAddress: req.ip
+    });
+
+    // (EE) take a secret snapshot
+    await EESecretService.takeSecretSnapshot({
+        workspaceId
+    });
+
+    if (postHogClient) {
+        postHogClient.capture({
+            event: 'secrets added',
+            distinctId: req.user.email,
+            properties: {
+                numberOfSecrets: toAdd.length,
+                environment,
+                workspaceId,
+                channel: channel,
+                userAgent: req.headers?.['user-agent']
+            }
+        });
+    }
+
+    return res.status(200).send({
+        secrets: newSecrets
+    });
+}
+
+/**
+ * Return secret(s) for workspace with id [workspaceId], environment [environment] and user
+ * with id [req.user._id]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getSecrets = async (req: Request, res: Response) => {
+    /* 
+    #swagger.summary = 'Read secrets'
+    #swagger.description = 'Read secrets from a project and environment'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+    #swagger.parameters['workspaceId'] = {
+        "description": "ID of project",
+        "required": true,
+        "type": "string"
+    }
+
+    #swagger.parameters['environment'] = {
+        "description": "Environment within project",
+        "required": true,
+        "type": "string"
+    }
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+                    "type": "object",
+                    "properties": {
+                        "secrets": {
+                            "type": "array",
+                            "items": {
+                                $ref: "#/components/schemas/Secret" 
+                            },
+                            "description": "Secrets for the given project and environment"
+                        }
+                    }
+                }
+            }           
+        }
+    }   
+    */
+    const { workspaceId, environment } = req.query;
+
+    let userId = "" // used for getting personal secrets for user
+    let userEmail = "" // used for posthog 
+    if (req.user) {
+        userId = req.user._id;
+        userEmail = req.user.email;
+    }
+
+    if (req.serviceTokenData) {
+        userId = req.serviceTokenData.user._id
+        userEmail = req.serviceTokenData.user.email;
+    }
+
+    // none service token case as service tokens are already scoped
+    if (!req.serviceTokenData) {
+        const hasAccess = await userHasWorkspaceAccess(userId, workspaceId, environment, ABILITY_READ)
+        if (!hasAccess) {
+            throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
+        }
+    }
+
+    const [err, secrets] = await to(Secret.find(
+        {
+            workspace: workspaceId,
+            environment,
+            $or: [
+                { user: userId },
+                { user: { $exists: false } }
+            ],
+            type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
+        }
+    ).then())
+
+    if (err) throw ValidationError({ message: 'Failed to get secrets', stack: err.stack });
+
+    const channel = getChannelFromUserAgent(req.headers['user-agent'])
+
+    const readAction = await EELogService.createActionSecret({
+        name: ACTION_READ_SECRETS,
+        userId: userId,
+        workspaceId: workspaceId as string,
+        secretIds: secrets.map((n: any) => n._id)
+    });
+
+    readAction && await EELogService.createLog({
+        userId: userId,
+        workspaceId: workspaceId as string,
+        actions: [readAction],
+        channel,
+        ipAddress: req.ip
+    });
+
+    if (postHogClient) {
+        postHogClient.capture({
+            event: 'secrets pulled',
+            distinctId: userEmail,
+            properties: {
+                numberOfSecrets: secrets.length,
+                environment,
+                workspaceId,
+                channel,
+                userAgent: req.headers?.['user-agent']
+            }
+        });
+    }
+
+    return res.status(200).send({
+        secrets
+    });
+}
+
+/**
+ * Update secret(s)
+ * @param req 
+ * @param res 
+ */
+export const updateSecrets = async (req: Request, res: Response) => {
+    /* 
+    #swagger.summary = 'Update secret(s)'
+    #swagger.description = 'Update secret(s)'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+    #swagger.requestBody = {
+      "required": true,
+      "content": {
+        "application/json": {
+          "schema": {
+            "type": "object",
+            "properties": {
+                "secrets": {
+                    $ref: "#/components/schemas/UpdateSecret",
+                    "description": "Secret(s) to update - object or array of objects"
+                }
+            }
+          }
+        }
+      }
+    }
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+                    "type": "object",
+                    "properties": {
+                        "secrets": {
+                            "type": "array",
+                            "items": {
+                                $ref: "#/components/schemas/Secret" 
+                            },
+                            "description": "Updated secrets"
+                        }
+                    }
+                }
+            }           
+        }
+    }
+    */
+    const channel = req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli';
+
+    // TODO: move type
+    interface PatchSecret {
+        id: string;
+        secretKeyCiphertext: string;
+        secretKeyIV: string;
+        secretKeyTag: string;
+        secretValueCiphertext: string;
+        secretValueIV: string;
+        secretValueTag: string;
+        secretCommentCiphertext: string;
+        secretCommentIV: string;
+        secretCommentTag: string;
+    }
+
+    const updateOperationsToPerform = req.body.secrets.map((secret: PatchSecret) => {
+        const {
+            secretKeyCiphertext,
+            secretKeyIV,
+            secretKeyTag,
+            secretValueCiphertext,
+            secretValueIV,
+            secretValueTag,
+            secretCommentCiphertext,
+            secretCommentIV,
+            secretCommentTag
+        } = secret;
+
+        return ({
+            updateOne: {
+                filter: { _id: new Types.ObjectId(secret.id) },
+                update: {
+                    $inc: {
+                        version: 1
+                    },
+                    secretKeyCiphertext,
+                    secretKeyIV,
+                    secretKeyTag,
+                    secretValueCiphertext,
+                    secretValueIV,
+                    secretValueTag,
+                    ...((
+                        secretCommentCiphertext &&
+                        secretCommentIV &&
+                        secretCommentTag
+                    ) ? {
+                        secretCommentCiphertext,
+                        secretCommentIV,
+                        secretCommentTag
+                    } : {}),
+                }
+            }
+        });
+    });
+
+    await Secret.bulkWrite(updateOperationsToPerform);
+
+    const secretModificationsBySecretId: { [key: string]: PatchSecret } = {};
+    req.body.secrets.forEach((secret: PatchSecret) => {
+        secretModificationsBySecretId[secret.id] = secret;
+    });
+
+    const ListOfSecretsBeforeModifications = req.secrets
+    const secretVersions = {
+        secretVersions: ListOfSecretsBeforeModifications.map((secret: ISecret) => {
+            const {
+                secretKeyCiphertext,
+                secretKeyIV,
+                secretKeyTag,
+                secretValueCiphertext,
+                secretValueIV,
+                secretValueTag,
+                secretCommentCiphertext,
+                secretCommentIV,
+                secretCommentTag,
+            } = secretModificationsBySecretId[secret._id.toString()]
+
+            return ({
+                secret: secret._id,
+                version: secret.version + 1,
+                workspace: secret.workspace,
+                type: secret.type,
+                environment: secret.environment,
+                secretKeyCiphertext: secretKeyCiphertext ? secretKeyCiphertext : secret.secretKeyCiphertext,
+                secretKeyIV: secretKeyIV ? secretKeyIV : secret.secretKeyIV,
+                secretKeyTag: secretKeyTag ? secretKeyTag : secret.secretKeyTag,
+                secretValueCiphertext: secretValueCiphertext ? secretValueCiphertext : secret.secretValueCiphertext,
+                secretValueIV: secretValueIV ? secretValueIV : secret.secretValueIV,
+                secretValueTag: secretValueTag ? secretValueTag : secret.secretValueTag,
+                secretCommentCiphertext: secretCommentCiphertext ? secretCommentCiphertext : secret.secretCommentCiphertext,
+                secretCommentIV: secretCommentIV ? secretCommentIV : secret.secretCommentIV,
+                secretCommentTag: secretCommentTag ? secretCommentTag : secret.secretCommentTag,
+            });
+        })
+    }
+
+    await EESecretService.addSecretVersions(secretVersions);
+
+
+    // group secrets into workspaces so updated secrets can
+    // be logged and snapshotted separately for each workspace
+    const workspaceSecretObj: any = {};
+    req.secrets.forEach((s: any) => {
+        if (s.workspace.toString() in workspaceSecretObj) {
+            workspaceSecretObj[s.workspace.toString()].push(s);
+        } else {
+            workspaceSecretObj[s.workspace.toString()] = [s]
+        }
+    });
+
+    Object.keys(workspaceSecretObj).forEach(async (key) => {
+        // trigger event - push secrets
+        setTimeout(async () => {
+            await EventService.handleEvent({
+                event: eventPushSecrets({
+                    workspaceId: key
+                })
+            });
+        }, 10000);
+
+        const updateAction = await EELogService.createActionSecret({
+            name: ACTION_UPDATE_SECRETS,
+            userId: req.user._id.toString(),
+            workspaceId: key,
+            secretIds: workspaceSecretObj[key].map((secret: ISecret) => secret._id)
+        });
+
+        // (EE) create (audit) log
+        updateAction && await EELogService.createLog({
+            userId: req.user._id.toString(),
+            workspaceId: key,
+            actions: [updateAction],
+            channel,
+            ipAddress: req.ip
+        });
+
+        // (EE) take a secret snapshot
+        await EESecretService.takeSecretSnapshot({
+            workspaceId: key
+        })
+
+        if (postHogClient) {
+            postHogClient.capture({
+                event: 'secrets modified',
+                distinctId: req.user.email,
+                properties: {
+                    numberOfSecrets: workspaceSecretObj[key].length,
+                    environment: workspaceSecretObj[key][0].environment,
+                    workspaceId: key,
+                    channel: channel,
+                    userAgent: req.headers?.['user-agent']
+                }
+            });
+        }
+    });
+
+    return res.status(200).send({
+        secrets: await Secret.find({
+            _id: {
+                $in: req.secrets.map((secret: ISecret) => secret._id)
+            }
+        })
+    });
+}
+
+/**
+ * Delete secret(s) with id [workspaceId] and environment [environment]
+ * @param req 
+ * @param res 
+ */
+export const deleteSecrets = async (req: Request, res: Response) => {
+    /* 
+    #swagger.summary = 'Delete secret(s)'
+    #swagger.description = 'Delete one or many secrets by their ID(s)'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+    #swagger.requestBody = {
+      "required": true,
+      "content": {
+        "application/json": {
+          "schema": {
+            "type": "object",
+            "properties": {
+                "secretIds": {
+                    "type": "string",
+                    "description": "ID(s) of secrets - string or array of strings"
+                },
+            }
+          }
+        }
+      }
+    }
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+                    "type": "object",
+                    "properties": {
+                        "secrets": {
+                            "type": "array",
+                            "items": {
+                                $ref: "#/components/schemas/Secret" 
+                            },
+                            "description": "Deleted secrets"
+                        }
+                    }
+                }
+            }           
+        }
+    }   
+    */
+    const channel = getChannelFromUserAgent(req.headers['user-agent'])
+    const toDelete = req.secrets.map((s: any) => s._id);
+
+    await Secret.deleteMany({
+        _id: {
+            $in: toDelete
+        }
+    });
+
+    await EESecretService.markDeletedSecretVersions({
+        secretIds: toDelete
+    });
+
+    // group secrets into workspaces so deleted secrets can
+    // be logged and snapshotted separately for each workspace
+    const workspaceSecretObj: any = {};
+    req.secrets.forEach((s: any) => {
+        if (s.workspace.toString() in workspaceSecretObj) {
+            workspaceSecretObj[s.workspace.toString()].push(s);
+        } else {
+            workspaceSecretObj[s.workspace.toString()] = [s]
+        }
+    });
+
+    Object.keys(workspaceSecretObj).forEach(async (key) => {
+        // trigger event - push secrets
+        await EventService.handleEvent({
+            event: eventPushSecrets({
+                workspaceId: key
+            })
+        });
+        const deleteAction = await EELogService.createActionSecret({
+            name: ACTION_DELETE_SECRETS,
+            userId: req.user._id.toString(),
+            workspaceId: key,
+            secretIds: workspaceSecretObj[key].map((secret: ISecret) => secret._id)
+        });
+
+        // (EE) create (audit) log
+        deleteAction && await EELogService.createLog({
+            userId: req.user._id.toString(),
+            workspaceId: key,
+            actions: [deleteAction],
+            channel,
+            ipAddress: req.ip
+        });
+
+        // (EE) take a secret snapshot
+        await EESecretService.takeSecretSnapshot({
+            workspaceId: key
+        })
+
+        if (postHogClient) {
+            postHogClient.capture({
+                event: 'secrets deleted',
+                distinctId: req.user.email,
+                properties: {
+                    numberOfSecrets: workspaceSecretObj[key].length,
+                    environment: workspaceSecretObj[key][0].environment,
+                    workspaceId: key,
+                    channel: channel,
+                    userAgent: req.headers?.['user-agent']
+                }
+            });
+        }
+    });
+
+    return res.status(200).send({
+        secrets: req.secrets
+    });
+}

backend/src/controllers/v2/serviceTokenDataController.ts

@@ -0,0 +1,114 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import crypto from 'crypto';
+import bcrypt from 'bcrypt';
+import {
+    ServiceTokenData
+} from '../../models';
+import {
+    SALT_ROUNDS
+} from '../../config';
+import { userHasWorkspaceAccess } from '../../ee/helpers/checkMembershipPermissions';
+import { ABILITY_READ } from '../../variables/organization';
+
+/**
+ * Return service token data associated with service token on request
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getServiceTokenData = async (req: Request, res: Response) => res.status(200).json(req.serviceTokenData);
+
+/**
+ * Create new service token data for workspace with id [workspaceId] and
+ * environment [environment].
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const createServiceTokenData = async (req: Request, res: Response) => {
+    let serviceToken, serviceTokenData;
+    try {
+        const {
+            name,
+            workspaceId,
+            environment,
+            encryptedKey,
+            iv,
+            tag,
+            expiresIn
+        } = req.body;
+
+        const hasAccess = await userHasWorkspaceAccess(req.user, workspaceId, environment, ABILITY_READ)
+        if (!hasAccess) {
+            throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
+        }
+
+        const secret = crypto.randomBytes(16).toString('hex');
+        const secretHash = await bcrypt.hash(secret, SALT_ROUNDS);
+
+        const expiresAt = new Date();
+        expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
+
+        serviceTokenData = await new ServiceTokenData({
+            name,
+            workspace: workspaceId,
+            environment,
+            user: req.user._id,
+            expiresAt,
+            secretHash,
+            encryptedKey,
+            iv,
+            tag
+        }).save();
+
+        // return service token data without sensitive data
+        serviceTokenData = await ServiceTokenData.findById(serviceTokenData._id);
+
+        if (!serviceTokenData) throw new Error('Failed to find service token data');
+
+        serviceToken = `st.${serviceTokenData._id.toString()}.${secret}`;
+
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+        Sentry.captureException(err);
+        return res.status(400).send({
+            message: 'Failed to create service token data'
+        });
+    }
+
+    return res.status(200).send({
+        serviceToken,
+        serviceTokenData
+    });
+}
+
+/**
+ * Delete service token data with id [serviceTokenDataId].
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const deleteServiceTokenData = async (req: Request, res: Response) => {
+    let serviceTokenData;
+    try {
+        const { serviceTokenDataId } = req.params;
+
+        serviceTokenData = await ServiceTokenData.findByIdAndDelete(serviceTokenDataId);
+
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+        Sentry.captureException(err);
+        return res.status(400).send({
+            message: 'Failed to delete service token data'
+        });
+    }
+
+    return res.status(200).send({
+        serviceTokenData
+    });
+}
+
+function UnauthorizedRequestError(arg0: { message: string; }) {
+    throw new Error('Function not implemented.');
+}

backend/src/controllers/v2/usersController.ts

@@ -0,0 +1,109 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import {
+    User,
+    MembershipOrg
+} from '../../models';
+
+/**
+ * Return the current user.
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getMe = async (req: Request, res: Response) => {
+    /* 
+    #swagger.summary = "Retrieve the current user on the request"
+    #swagger.description = "Retrieve the current user on the request"
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+                    "type": "object",
+                    "properties": {
+                        "user": {
+                            "type": "object",
+                            $ref: "#/components/schemas/CurrentUser",
+                            "description": "Current user on request"
+                        }
+                    }
+                }
+            }           
+        }
+    }   
+    */
+    let user;
+    try {
+        user = await User
+            .findById(req.user._id)
+            .select('+publicKey +encryptedPrivateKey +iv +tag');
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get current user'
+		});
+    }
+    
+    return res.status(200).send({
+        user
+    });
+}
+
+/**
+ * Return organizations that the current user is part of.
+ * @param req 
+ * @param res 
+ */
+export const getMyOrganizations = async (req: Request, res: Response) => {
+    /* 
+    #swagger.summary = 'Return organizations that current user is part of'
+    #swagger.description = 'Return organizations that current user is part of'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+                    "type": "object",
+					"properties": {
+						"organizations": {
+							"type": "array",
+							"items": {
+								$ref: "#/components/schemas/Organization" 
+							},
+							"description": "Organizations that user is part of"
+						}
+					}
+                }
+            }           
+        }
+    }   
+    */
+	let organizations;
+	try {
+		organizations = (
+			await MembershipOrg.find({
+				user: req.user._id
+			}).populate('organization')
+		).map((m) => m.organization);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: "Failed to get current user's organizations"
+		});
+	}
+
+	return res.status(200).send({
+		organizations
+	});
+}

backend/src/controllers/v2/workspaceController.ts

@@ -0,0 +1,470 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
+import {
+	Workspace,
+	Secret,
+	Membership,
+	MembershipOrg,
+	Integration,
+	IntegrationAuth,
+	Key,
+	IUser,
+	ServiceToken,
+	ServiceTokenData
+} from '../../models';
+import {
+	v2PushSecrets as push,
+	pullSecrets as pull,
+	reformatPullSecrets
+} from '../../helpers/secret';
+import { pushKeys } from '../../helpers/key';
+import { postHogClient, EventService } from '../../services';
+import { eventPushSecrets } from '../../events';
+
+interface V2PushSecret {
+	type: string; // personal or shared
+	secretKeyCiphertext: string;
+	secretKeyIV: string;
+	secretKeyTag: string;
+	secretKeyHash: string;
+	secretValueCiphertext: string;
+	secretValueIV: string;
+	secretValueTag: string;
+	secretValueHash: string;
+	secretCommentCiphertext?: string;
+	secretCommentIV?: string;
+	secretCommentTag?: string;
+	secretCommentHash?: string;
+}
+
+/**
+ * Upload (encrypted) secrets to workspace with id [workspaceId]
+ * for environment [environment]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
+	// upload (encrypted) secrets to workspace with id [workspaceId]
+	try {
+		let { secrets }: { secrets: V2PushSecret[] } = req.body;
+		const { keys, environment, channel } = req.body;
+		const { workspaceId } = req.params;
+
+		// validate environment
+		const workspaceEnvs = req.membership.workspace.environments;
+		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
+			throw new Error('Failed to validate environment');
+		}
+
+		// sanitize secrets
+		secrets = secrets.filter(
+			(s: V2PushSecret) => s.secretKeyCiphertext !== '' && s.secretValueCiphertext !== ''
+		);
+
+		await push({
+			userId: req.user._id,
+			workspaceId,
+			environment,
+			secrets,
+			channel: channel ? channel : 'cli',
+			ipAddress: req.ip
+		});
+
+		await pushKeys({
+			userId: req.user._id,
+			workspaceId,
+			keys
+		});
+
+		if (postHogClient) {
+			postHogClient.capture({
+				event: 'secrets pushed',
+				distinctId: req.user.email,
+				properties: {
+					numberOfSecrets: secrets.length,
+					environment,
+					workspaceId,
+					channel: channel ? channel : 'cli'
+				}
+			});
+		}
+
+		// trigger event - push secrets
+		EventService.handleEvent({
+			event: eventPushSecrets({
+				workspaceId
+			})
+		});
+
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to upload workspace secrets'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Successfully uploaded workspace secrets'
+	});
+};
+
+/**
+ * Return (encrypted) secrets for workspace with id [workspaceId]
+ * for environment [environment]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const pullSecrets = async (req: Request, res: Response) => {
+	let secrets;
+	try {
+		const environment: string = req.query.environment as string;
+		const channel: string = req.query.channel as string;
+		const { workspaceId } = req.params;
+
+		let userId;
+		if (req.user) {
+			userId = req.user._id.toString();
+		} else if (req.serviceTokenData) {
+			userId = req.serviceTokenData.user._id
+		}
+		// validate environment
+		const workspaceEnvs = req.membership.workspace.environments;
+		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
+			throw new Error('Failed to validate environment');
+		}
+
+		secrets = await pull({
+			userId,
+			workspaceId,
+			environment,
+			channel: channel ? channel : 'cli',
+			ipAddress: req.ip
+		});
+
+		if (channel !== 'cli') {
+			secrets = reformatPullSecrets({ secrets });
+		}
+
+		if (postHogClient) {
+			// capture secrets pushed event in production
+			postHogClient.capture({
+				distinctId: req.user.email,
+				event: 'secrets pulled',
+				properties: {
+					numberOfSecrets: secrets.length,
+					environment,
+					workspaceId,
+					channel: channel ? channel : 'cli'
+				}
+			});
+		}
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to pull workspace secrets'
+		});
+	}
+
+	return res.status(200).send({
+		secrets
+	});
+};
+
+export const getWorkspaceKey = async (req: Request, res: Response) => {
+	/* 
+    #swagger.summary = 'Return encrypted project key'
+    #swagger.description = 'Return encrypted project key'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+	#swagger.parameters['workspaceId'] = {
+		"description": "ID of project",
+		"required": true,
+		"type": "string"
+	} 
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+                    "type": "array",
+                    "items": {
+                        $ref: "#/components/schemas/ProjectKey" 
+                    },
+                    "description": "Encrypted project key for the given project"
+                }
+            }           
+        }
+    }   
+    */
+	let key;
+	try {
+		const { workspaceId } = req.params;
+
+		key = await Key.findOne({
+			workspace: workspaceId,
+			receiver: req.user._id
+		}).populate('sender', '+publicKey');
+
+		if (!key) throw new Error('Failed to find workspace key');
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace key'
+		});
+	}
+
+	return res.status(200).json(key);
+}
+export const getWorkspaceServiceTokenData = async (
+	req: Request,
+	res: Response
+) => {
+	let serviceTokenData;
+	try {
+		const { workspaceId } = req.params;
+
+		serviceTokenData = await ServiceTokenData
+			.find({
+				workspace: workspaceId
+			})
+			.select('+encryptedKey +iv +tag');
+
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace service token data'
+		});
+	}
+
+	return res.status(200).send({
+		serviceTokenData
+	});
+}
+
+/**
+ * Return memberships for workspace with id [workspaceId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getWorkspaceMemberships = async (req: Request, res: Response) => {
+	/* 
+    #swagger.summary = 'Return project memberships'
+    #swagger.description = 'Return project memberships'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+	#swagger.parameters['workspaceId'] = {
+		"description": "ID of project",
+		"required": true,
+		"type": "string"
+	} 
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+                    "type": "object",
+					"properties": {
+						"memberships": {
+							"type": "array",
+							"items": {
+								$ref: "#/components/schemas/Membership" 
+							},
+							"description": "Memberships of project"
+						}
+					}
+                }
+            }           
+        }
+    }   
+    */
+	let memberships;
+	try {
+		const { workspaceId } = req.params;
+
+		memberships = await Membership.find({
+			workspace: workspaceId
+		}).populate('user', '+publicKey');
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace memberships'
+		});
+	}
+
+	return res.status(200).send({
+		memberships
+	});
+}
+
+/**
+ * Update role of membership with id [membershipId] to role [role]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const updateWorkspaceMembership = async (req: Request, res: Response) => {
+	/* 
+    #swagger.summary = 'Update project membership'
+    #swagger.description = 'Update project membership'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+	#swagger.parameters['workspaceId'] = {
+		"description": "ID of project",
+		"required": true,
+		"type": "string"
+	} 
+
+	#swagger.parameters['membershipId'] = {
+		"description": "ID of project membership to update",
+		"required": true,
+		"type": "string"
+	} 
+
+	#swagger.requestBody = {
+      "required": true,
+      "content": {
+        "application/json": {
+          "schema": {
+            "type": "object",
+            "properties": {
+                "role": {
+                    "type": "string",
+                    "description": "Role of membership - either admin or member",
+                }
+            }
+          }
+        }
+      }
+    }
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+					"type": "object",
+					"properties": {
+						"membership": {
+							$ref: "#/components/schemas/Membership",
+							"description": "Updated membership"
+						}
+					}
+                }
+            }           
+        }
+    }   
+    */
+	let membership;
+	try {
+		const {
+			membershipId
+		} = req.params;
+		const { role } = req.body;
+		
+		membership = await Membership.findByIdAndUpdate(
+			membershipId,
+			{
+				role
+			}, {
+				new: true
+			}
+		);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to update workspace membership'
+		});
+	}
+	
+	return res.status(200).send({
+		membership
+	}); 
+}
+
+/**
+ * Delete workspace membership with id [membershipId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const deleteWorkspaceMembership = async (req: Request, res: Response) => {
+	/* 
+    #swagger.summary = 'Delete project membership'
+    #swagger.description = 'Delete project membership'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+	#swagger.parameters['workspaceId'] = {
+		"description": "ID of project",
+		"required": true,
+		"type": "string"
+	} 
+
+	#swagger.parameters['membershipId'] = {
+		"description": "ID of project membership to delete",
+		"required": true,
+		"type": "string"
+	} 
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+					"type": "object",
+					"properties": {
+						"membership": {
+							$ref: "#/components/schemas/Membership",
+							"description": "Deleted membership"
+						}
+					}
+                }
+            }           
+        }
+    }   
+    */
+	let membership;
+	try {
+		const { 
+			membershipId
+		} = req.params;
+		
+		membership = await Membership.findByIdAndDelete(membershipId);
+		
+		if (!membership) throw new Error('Failed to delete workspace membership');
+		
+		await Key.deleteMany({
+			receiver: membership.user,
+			workspace: membership.workspace
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to delete workspace membership'
+		});	
+	}
+	
+	return res.status(200).send({
+		membership
+	});
+}

backend/src/ee/controllers/index.ts

@@ -1,5 +0,0 @@
-import * as stripeController from './stripeController';
-
-export {
-    stripeController
-}

backend/src/ee/controllers/v1/actionController.ts

@@ -0,0 +1,31 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { Action, SecretVersion } from '../../models';
+import { ActionNotFoundError } from '../../../utils/errors';
+
+export const getAction = async (req: Request, res: Response) => {
+    let action;
+    try {
+        const { actionId } = req.params;
+        
+        action = await Action
+            .findById(actionId)
+            .populate([
+                'payload.secretVersions.oldSecretVersion',
+                'payload.secretVersions.newSecretVersion'
+            ]);
+        
+        if (!action) throw ActionNotFoundError({
+            message: 'Failed to find action'
+        });
+
+    } catch (err) {
+        throw ActionNotFoundError({
+            message: 'Failed to find action'
+        });
+    }
+    
+    return res.status(200).send({
+        action
+    });
+}

backend/src/ee/controllers/v1/index.ts

@@ -0,0 +1,15 @@
+import * as stripeController from './stripeController';
+import * as secretController from './secretController';
+import * as secretSnapshotController from './secretSnapshotController';
+import * as workspaceController from './workspaceController';
+import * as actionController from './actionController';
+import * as membershipController from './membershipController';
+
+export {
+    stripeController,
+    secretController,
+    secretSnapshotController,
+    workspaceController,
+    actionController,
+    membershipController
+}

backend/src/ee/controllers/v1/membershipController.ts

@@ -0,0 +1,63 @@
+import { Request, Response } from "express";
+import { Membership, Workspace } from "../../../models";
+import { IMembershipPermission } from "../../../models/membership";
+import { BadRequestError, UnauthorizedRequestError } from "../../../utils/errors";
+import { ABILITY_READ, ABILITY_WRITE, ADMIN, MEMBER } from "../../../variables/organization";
+import { Builder } from "builder-pattern"
+import _ from "lodash";
+
+export const denyMembershipPermissions = async (req: Request, res: Response) => {
+  const { membershipId } = req.params;
+  const { permissions } = req.body;
+  const sanitizedMembershipPermissions: IMembershipPermission[] = permissions.map((permission: IMembershipPermission) => {
+    if (!permission.ability || !permission.environmentSlug || ![ABILITY_READ, ABILITY_WRITE].includes(permission.ability)) {
+      throw BadRequestError({ message: "One or more required fields are missing from the request or have incorrect type" })
+    }
+
+    return Builder<IMembershipPermission>()
+      .environmentSlug(permission.environmentSlug)
+      .ability(permission.ability)
+      .build();
+  })
+
+  const sanitizedMembershipPermissionsUnique = _.uniqWith(sanitizedMembershipPermissions, _.isEqual)
+
+  const membershipToModify = await Membership.findById(membershipId)
+  if (!membershipToModify) {
+    throw BadRequestError({ message: "Unable to locate resource" })
+  }
+
+  // check if the user making the request is a admin of this project 
+  if (![ADMIN, MEMBER].includes(membershipToModify.role)) {
+    throw UnauthorizedRequestError()
+  }
+
+  // check if the requested slugs are indeed a part of this related workspace 
+  const relatedWorkspace = await Workspace.findById(membershipToModify.workspace)
+  if (!relatedWorkspace) {
+    throw BadRequestError({ message: "Something went wrong when locating the related workspace" })
+  }
+
+  const uniqueEnvironmentSlugs = new Set(_.uniq(_.map(relatedWorkspace.environments, 'slug')));
+
+  sanitizedMembershipPermissionsUnique.forEach(permission => {
+    if (!uniqueEnvironmentSlugs.has(permission.environmentSlug)) {
+      throw BadRequestError({ message: "Unknown environment slug reference" })
+    }
+  })
+
+  // update the permissions 
+  const updatedMembershipWithPermissions = await Membership.findByIdAndUpdate(
+    { _id: membershipToModify._id },
+    { $set: { deniedPermissions: sanitizedMembershipPermissionsUnique } },
+    { new: true }
+  )
+
+  if (!updatedMembershipWithPermissions) {
+    throw BadRequestError({ message: "The resource has been removed before it can be modified" })
+  }
+
+  res.send({
+    permissionsDenied: updatedMembershipWithPermissions.deniedPermissions
+  })
+}

backend/src/ee/controllers/v1/secretController.ts

@@ -0,0 +1,230 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { Secret } from '../../../models';
+import { SecretVersion } from '../../models';
+import { EESecretService } from '../../services';
+
+/**
+ * Return secret versions for secret with id [secretId]
+ * @param req 
+ * @param res 
+ */
+ export const getSecretVersions = async (req: Request, res: Response) => {
+	/* 
+    #swagger.summary = 'Return secret versions'
+    #swagger.description = 'Return secret versions'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+	#swagger.parameters['secretId'] = {
+		"description": "ID of secret",
+		"required": true,
+		"type": "string"
+	} 
+
+	#swagger.parameters['offset'] = {
+		"description": "Number of versions to skip",
+		"required": false,
+		"type": "string"
+	}
+
+	#swagger.parameters['limit'] = {
+		"description": "Maximum number of versions to return",
+		"required": false,
+		"type": "string"
+	}
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                schema: { 
+                    "type": "object",
+					"properties": {
+						"secretVersions": {
+							"type": "array",
+							"items": {
+								$ref: "#/components/schemas/SecretVersion" 
+							},
+							"description": "Secret versions"
+						}
+					}
+                }
+            }           
+        }
+    }   
+    */
+	let secretVersions;
+	try {
+		const { secretId } = req.params;
+
+		const offset: number = parseInt(req.query.offset as string);
+		const limit: number = parseInt(req.query.limit as string);
+		
+		secretVersions = await SecretVersion.find({
+			secret: secretId
+		})
+		.sort({ createdAt: -1 })
+		.skip(offset)
+		.limit(limit);
+
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get secret versions'
+		});
+	}
+	
+	return res.status(200).send({
+		secretVersions
+	});
+}
+
+/**
+ * Roll back secret with id [secretId] to version [version]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const rollbackSecretVersion = async (req: Request, res: Response) => {
+	/* 
+    #swagger.summary = 'Roll back secret to a version.'
+    #swagger.description = 'Roll back secret to a version.'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+	#swagger.parameters['secretId'] = {
+		"description": "ID of secret",
+		"required": true,
+		"type": "string"
+	} 
+
+	#swagger.requestBody = {
+      "required": true,
+      "content": {
+        "application/json": {
+          "schema": {
+            "type": "object",
+            "properties": {
+                "version": {
+                    "type": "integer",
+                    "description": "Version of secret to roll back to"
+                }
+            }
+          }
+        }
+      }
+    }
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                schema: { 
+                    "type": "object",
+					"properties": {
+						"secret": {
+							"type": "object",
+							$ref: "#/components/schemas/Secret",
+							"description": "Secret rolled back to"
+						}
+					}
+                }
+            }           
+        }
+    }   
+    */
+	let secret;
+	try {
+		const { secretId } = req.params;
+		const { version } = req.body;
+		
+		// validate secret version
+		const oldSecretVersion = await SecretVersion.findOne({
+			secret: secretId,
+			version
+		});
+		
+		if (!oldSecretVersion) throw new Error('Failed to find secret version');
+		
+		const {
+			workspace,
+			type,
+			user,
+			environment,
+			secretKeyCiphertext,
+			secretKeyIV,
+			secretKeyTag,
+			secretKeyHash,
+			secretValueCiphertext,
+			secretValueIV,
+			secretValueTag,
+			secretValueHash
+		} = oldSecretVersion;
+		
+		// update secret
+		secret = await Secret.findByIdAndUpdate(
+			secretId,
+			{
+				$inc: {
+					version: 1
+				},
+				workspace,
+				type,
+				user,
+				environment,
+				secretKeyCiphertext,
+				secretKeyIV,
+				secretKeyTag,
+				secretKeyHash,
+				secretValueCiphertext,
+				secretValueIV,
+				secretValueTag,
+				secretValueHash
+			},
+			{
+				new: true
+			}
+		);
+		
+		if (!secret) throw new Error('Failed to find and update secret');
+
+		// add new secret version
+		await new SecretVersion({
+			secret: secretId,
+			version: secret.version,
+			workspace,
+			type,
+			user,
+			environment,
+			isDeleted: false,
+			secretKeyCiphertext,
+			secretKeyIV,
+			secretKeyTag,
+			secretKeyHash,
+			secretValueCiphertext,
+			secretValueIV,
+			secretValueTag,
+			secretValueHash	
+		}).save();
+		
+		// take secret snapshot
+		await EESecretService.takeSecretSnapshot({
+			workspaceId: secret.workspace.toString()
+		});
+		
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to roll back secret version'
+		});
+	}
+	
+	return res.status(200).send({
+		secret
+	});
+}

backend/src/ee/controllers/v1/secretSnapshotController.ts

@@ -0,0 +1,33 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { SecretSnapshot } from '../../models';
+
+/**
+ * Return secret snapshot with id [secretSnapshotId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getSecretSnapshot = async (req: Request, res: Response) => {
+    let secretSnapshot;
+    try {
+        const { secretSnapshotId } = req.params;
+
+        secretSnapshot = await SecretSnapshot
+            .findById(secretSnapshotId)
+            .populate('secretVersions');
+        
+        if (!secretSnapshot) throw new Error('Failed to find secret snapshot');
+        
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get secret snapshot'
+		});
+    }
+    
+    return res.status(200).send({
+        secretSnapshot
+    });
+}

backend/src/ee/controllers/v1/stripeController.ts

@@ -1,7 +1,7 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
 import Stripe from 'stripe';
-import { STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET } from '../config';
+import { STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET } from '../../../config';
 const stripe = new Stripe(STRIPE_SECRET_KEY, {
 	apiVersion: '2022-08-01'
 });

backend/src/ee/controllers/v1/workspaceController.ts

@@ -0,0 +1,434 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
+import {
+	Secret
+} from '../../../models';
+import { 
+	SecretSnapshot,
+	Log,
+	SecretVersion,
+	ISecretVersion
+} from '../../models';
+import { EESecretService } from '../../services';
+import { getLatestSecretVersionIds } from '../../helpers/secretVersion';
+
+/**
+ * Return secret snapshots for workspace with id [workspaceId]
+ * @param req 
+ * @param res 
+ */
+ export const getWorkspaceSecretSnapshots = async (req: Request, res: Response) => {
+	/* 
+    #swagger.summary = 'Return project secret snapshot ids'
+    #swagger.description = 'Return project secret snapshots ids'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+	#swagger.parameters['workspaceId'] = {
+		"description": "ID of project",
+		"required": true,
+		"type": "string"
+	} 
+
+	#swagger.parameters['offset'] = {
+		"description": "Number of secret snapshots to skip",
+		"required": false,
+		"type": "string"
+	}
+
+	#swagger.parameters['limit'] = {
+		"description": "Maximum number of secret snapshots to return",
+		"required": false,
+		"type": "string"
+	}
+
+	#swagger.responses[200] = {
+        content: {
+            "application/json": {
+                schema: { 
+					"type": "object",
+					"properties": {
+						"secretSnapshots": {
+							"type": "array",
+							"items": {
+								$ref: "#/components/schemas/SecretSnapshot" 
+							},
+							"description": "Project secret snapshots"
+						}
+					}
+                }
+            }           
+        }
+    }
+    */
+	let secretSnapshots;
+	try {
+		const { workspaceId } = req.params;
+
+		const offset: number = parseInt(req.query.offset as string);
+		const limit: number = parseInt(req.query.limit as string);
+		
+		secretSnapshots = await SecretSnapshot.find({
+			workspace: workspaceId
+		})
+		.sort({ createdAt: -1 })
+		.skip(offset)
+		.limit(limit);
+
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get secret snapshots'
+		});
+	}
+	
+	return res.status(200).send({
+		secretSnapshots
+	});
+}
+
+/**
+ * Return count of secret snapshots for workspace with id [workspaceId]
+ * @param req 
+ * @param res 
+ */
+export const getWorkspaceSecretSnapshotsCount = async (req: Request, res: Response) => {
+	let count;
+	try {
+		const { workspaceId } = req.params;
+		count = await SecretSnapshot.countDocuments({
+			workspace: workspaceId
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to count number of secret snapshots'
+		});
+	}
+	
+	return res.status(200).send({
+		count
+	});
+}
+
+/**
+ * Rollback secret snapshot with id [secretSnapshotId] to version [version]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Response) => {
+	/* 
+    #swagger.summary = 'Roll back project secrets to those captured in a secret snapshot version.'
+    #swagger.description = 'Roll back project secrets to those captured in a secret snapshot version.'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+	#swagger.parameters['workspaceId'] = {
+		"description": "ID of project",
+		"required": true,
+		"type": "string"
+	} 
+
+	#swagger.requestBody = {
+      "required": true,
+      "content": {
+        "application/json": {
+          "schema": {
+            "type": "object",
+            "properties": {
+                "version": {
+                    "type": "integer",
+                    "description": "Version of secret snapshot to roll back to",
+                }
+            }
+          }
+        }
+      }
+    }
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                schema: { 
+                    "type": "object",
+					"properties": {
+						"secrets": {
+							"type": "array",
+							"items": {
+								$ref: "#/components/schemas/Secret" 
+							},
+							"description": "Secrets rolled back to"
+						}
+					}
+                }
+            }           
+        }
+    }   
+    */
+	let secrets;
+    try {	
+        const { workspaceId } = req.params;
+        const { version } = req.body;
+        
+		// validate secret snapshot
+		const secretSnapshot = await SecretSnapshot.findOne({
+			workspace: workspaceId,
+			version
+		}).populate<{ secretVersions: ISecretVersion[]}>('secretVersions');
+        
+        if (!secretSnapshot) throw new Error('Failed to find secret snapshot');
+
+		// TODO: fix any
+		const oldSecretVersionsObj: any = secretSnapshot.secretVersions
+			.reduce((accumulator, s) => ({ 
+				...accumulator, 
+				[`${s.secret.toString()}`]: s 
+			}), {});	
+		
+		const latestSecretVersionIds = await getLatestSecretVersionIds({
+			secretIds: secretSnapshot.secretVersions.map((sv) => sv.secret)
+		});
+		
+		// TODO: fix any
+		const latestSecretVersions: any = (await SecretVersion.find({
+			_id: {
+				$in: latestSecretVersionIds.map((s) => s.versionId)
+			}
+		}, 'secret version'))
+		.reduce((accumulator, s) => ({ 
+			...accumulator, 
+			[`${s.secret.toString()}`]: s 
+		}), {});
+		
+		// delete existing secrets
+		await Secret.deleteMany({
+			workspace: workspaceId
+		});
+
+		// add secrets
+        secrets = await Secret.insertMany(
+			secretSnapshot.secretVersions.map((sv) => {
+				const secretId = sv.secret;
+				const {
+					workspace,
+					type,
+					user,
+					environment,
+					secretKeyCiphertext,
+					secretKeyIV,
+					secretKeyTag,
+					secretKeyHash,
+					secretValueCiphertext,
+					secretValueIV,
+					secretValueTag,
+					secretValueHash,
+					createdAt
+				} = oldSecretVersionsObj[secretId.toString()];
+				
+				return ({
+					_id: secretId,
+					version: latestSecretVersions[secretId.toString()].version + 1,
+					workspace,
+					type,
+					user,
+					environment,
+					secretKeyCiphertext,
+					secretKeyIV,
+					secretKeyTag,
+					secretKeyHash,
+					secretValueCiphertext,
+					secretValueIV,
+					secretValueTag,
+					secretValueHash,
+					secretCommentCiphertext: '',
+					secretCommentIV: '',
+					secretCommentTag: '',
+					createdAt
+				});
+			})
+		);
+		
+		// add secret versions
+		await SecretVersion.insertMany(
+			secrets.map(({
+				_id,
+				version,
+				workspace,
+				type,
+				user,
+				environment,
+				secretKeyCiphertext,
+				secretKeyIV,
+				secretKeyTag,
+				secretKeyHash,
+				secretValueCiphertext,
+				secretValueIV,
+				secretValueTag,
+				secretValueHash
+			}) => ({
+				_id: new Types.ObjectId(),
+				secret: _id,
+				version,
+				workspace,
+				type,
+				user,
+				environment,
+				isDeleted: false,
+				secretKeyCiphertext,
+				secretKeyIV,
+				secretKeyTag,
+				secretKeyHash,
+				secretValueCiphertext,
+				secretValueIV,
+				secretValueTag,
+				secretValueHash
+			}))
+		);
+		
+		// update secret versions of restored secrets as not deleted
+		await SecretVersion.updateMany({
+			secret: {
+				$in: secretSnapshot.secretVersions.map((sv) => sv.secret)
+			}
+		}, {
+			isDeleted: false
+		});
+		
+        // take secret snapshot
+		await EESecretService.takeSecretSnapshot({
+			workspaceId
+		});
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to roll back secret snapshot'
+		}); 
+    }
+    
+	return res.status(200).send({
+		secrets
+	});
+}
+
+/**
+ * Return (audit) logs for workspace with id [workspaceId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getWorkspaceLogs = async (req: Request, res: Response) => {
+	/* 
+    #swagger.summary = 'Return project (audit) logs'
+    #swagger.description = 'Return project (audit) logs'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+	#swagger.parameters['workspaceId'] = {
+		"description": "ID of project",
+		"required": true,
+		"type": "string"
+	} 
+
+	#swagger.parameters['userId'] = {
+		"description": "ID of project member",
+		"required": false,
+		"type": "string"
+	} 
+
+	#swagger.parameters['offset'] = {
+		"description": "Number of logs to skip",
+		"required": false,
+		"type": "string"
+	}
+
+	#swagger.parameters['limit'] = {
+		"description": "Maximum number of logs to return",
+		"required": false,
+		"type": "string"
+	}
+
+	#swagger.parameters['sortBy'] = {
+		"description": "Order to sort the logs by",
+		"schema": {
+			"type": "string",
+			"@enum": ["oldest", "recent"]
+		},
+		"required": false
+	}
+
+	#swagger.parameters['actionNames'] = {
+		"description": "Names of log actions (comma-separated)",
+		"required": false,
+		"type": "string"
+	}
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                schema: { 
+					"type": "object",
+					"properties": {
+						"logs": {
+							"type": "array",
+							"items": {
+								$ref: "#/components/schemas/Log" 
+							},
+							"description": "Project logs"
+						}
+					}
+                }
+            }           
+        }
+    }   
+    */
+	let logs
+	try {
+		const { workspaceId } = req.params;
+
+		const offset: number = parseInt(req.query.offset as string);
+		const limit: number = parseInt(req.query.limit as string);
+		const sortBy: string = req.query.sortBy as string;
+		const userId: string = req.query.userId as string;
+		const actionNames: string = req.query.actionNames as string;
+		
+		logs = await Log.find({
+			workspace: workspaceId,
+			...( userId ? { user: userId } : {}),
+			...( 
+				actionNames 
+				? { 
+					actionNames: {
+						$in: actionNames.split(',')
+					}
+				} : {}
+			)
+		})
+		.sort({ createdAt: sortBy === 'recent' ? -1 : 1 })
+		.skip(offset)
+		.limit(limit)
+		.populate('actions')
+		.populate('user');
+
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace logs'
+		});
+	}
+	
+	return res.status(200).send({
+		logs
+	});
+}

backend/src/ee/helpers/action.ts

@@ -0,0 +1,73 @@
+import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
+import { SecretVersion, Action } from '../models';
+import { 
+    getLatestSecretVersionIds,
+    getLatestNSecretSecretVersionIds
+} from '../helpers/secretVersion';
+import { ACTION_UPDATE_SECRETS } from '../../variables';
+
+/**
+ * Create an (audit) action for secrets including
+ * add, delete, update, and read actions.
+ * @param {Object} obj
+ * @param {String} obj.name - name of action
+ * @param {ObjectId[]} obj.secretIds - ids of relevant secrets
+ * @returns {Action} action - new action
+ */
+const createActionSecretHelper = async ({
+    name,
+    userId,
+    workspaceId,
+    secretIds
+}: {
+    name: string;
+    userId: string;
+    workspaceId: string;
+    secretIds: Types.ObjectId[];
+}) => {
+
+    let action;
+    let latestSecretVersions;
+    try {
+        if (name === ACTION_UPDATE_SECRETS) {
+            // case: action is updating secrets
+            // -> add old and new secret versions
+            latestSecretVersions = (await getLatestNSecretSecretVersionIds({
+                secretIds,
+                n: 2
+            }))
+            .map((s) => ({
+                oldSecretVersion: s.versions[0]._id,
+                newSecretVersion: s.versions[1]._id
+            }));
+        } else {
+            // case: action is adding, deleting, or reading secrets
+            // -> add new secret versions
+            latestSecretVersions = (await getLatestSecretVersionIds({
+                secretIds
+            }))
+            .map((s) => ({
+                newSecretVersion: s.versionId
+            }));
+        }
+
+        action = await new Action({
+            name,
+            user: userId,
+            workspace: workspaceId,
+            payload: {
+                secretVersions: latestSecretVersions
+            }
+        }).save();
+
+    } catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+        throw new Error('Failed to create action');
+    }
+    
+    return action;
+}
+
+export { createActionSecretHelper };

backend/src/ee/helpers/checkMembershipPermissions.ts

@@ -0,0 +1,18 @@
+import _ from "lodash";
+import { Membership } from "../../models";
+
+export const userHasWorkspaceAccess = async (userId: any, workspaceId: any, environment: any, action: any) => {
+  const membershipForWorkspace = await Membership.findOne({ workspace: workspaceId, user: userId })
+  if (!membershipForWorkspace) {
+    return false
+  }
+
+  const deniedMembershipPermissions = membershipForWorkspace.deniedPermissions;
+  const isDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: action });
+
+  if (isDisallowed) {
+    return false
+  }
+
+  return true
+}

backend/src/ee/helpers/license.ts

@@ -1,21 +0,0 @@
-
-/**
- * @param {Object} obj
- * @param {Object} obj.licenseKey - Infisical license key
- */
-const checkLicenseKey = ({
-    licenseKey
-}: {
-    licenseKey: string
-}) => {
-    try {
-        // TODO
-
-    } catch (err) {
-
-    }
-}
-
-export {
-    checkLicenseKey
-}

backend/src/ee/helpers/log.ts

@@ -0,0 +1,41 @@
+import * as Sentry from '@sentry/node';
+import { 
+    Log,
+    IAction
+} from '../models';
+
+const createLogHelper = async ({
+    userId,
+    workspaceId,
+    actions,
+    channel,
+    ipAddress
+}: {
+    userId: string;
+    workspaceId: string;
+    actions: IAction[];
+    channel: string;
+    ipAddress: string;
+}) => {
+    let log;
+    try {
+        log = await new Log({
+            user: userId,
+            workspace: workspaceId,
+            actionNames: actions.map((a) => a.name),
+            actions,
+            channel,
+            ipAddress
+        }).save();
+    } catch (err) {
+        Sentry.setUser(null);
+		Sentry.captureException(err);
+		throw new Error('Failed to create log');
+    }
+
+    return log;
+}
+
+export {
+    createLogHelper
+}

backend/src/ee/helpers/secret.ts

@@ -0,0 +1,169 @@
+import { Types } from 'mongoose';
+import * as Sentry from '@sentry/node';
+import {
+	Secret,
+	ISecret
+} from '../../models';
+import {
+	SecretSnapshot,
+	SecretVersion,
+	ISecretVersion
+} from '../models';
+
+/**
+ * Save a secret snapshot that is a copy of the current state of secrets in workspace with id
+ * [workspaceId] under a new snapshot with incremented version under the
+ * secretsnapshots collection.
+ * @param {Object} obj
+ * @param {String} obj.workspaceId
+ * @returns {SecretSnapshot} secretSnapshot - new secret snapshot
+ */
+const takeSecretSnapshotHelper = async ({
+	workspaceId
+}: {
+	workspaceId: string;
+}) => {
+
+	let secretSnapshot;
+	try {
+		const secretIds = (await Secret.find({
+			workspace: workspaceId
+		}, '_id')).map((s) => s._id);
+
+		const latestSecretVersions = (await SecretVersion.aggregate([
+			{
+				$match: {
+					secret: {
+						$in: secretIds
+					}
+				}
+			},
+			{
+				$group: {
+					_id: '$secret',
+					version: { $max: '$version' },
+					versionId: { $max: '$_id' } // secret version id
+				}
+			},
+			{
+				$sort: { version: -1 }
+			}
+		])
+			.exec())
+			.map((s) => s.versionId);
+
+		const latestSecretSnapshot = await SecretSnapshot.findOne({
+			workspace: workspaceId
+		}).sort({ version: -1 });
+
+		secretSnapshot = await new SecretSnapshot({
+			workspace: workspaceId,
+			version: latestSecretSnapshot ? latestSecretSnapshot.version + 1 : 1,
+			secretVersions: latestSecretVersions
+		}).save();
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		throw new Error('Failed to take a secret snapshot');
+	}
+
+	return secretSnapshot;
+}
+
+/**
+ * Add secret versions [secretVersions] to the SecretVersion collection.
+ * @param {Object} obj
+ * @param {Object[]} obj.secretVersions
+ * @returns {SecretVersion[]} newSecretVersions - new secret versions
+ */
+const addSecretVersionsHelper = async ({
+	secretVersions
+}: {
+	secretVersions: ISecretVersion[]
+}) => {
+	let newSecretVersions;
+	try {
+		newSecretVersions = await SecretVersion.insertMany(secretVersions);
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		throw new Error(`Failed to add secret versions [err=${err}]`);
+	}
+
+	return newSecretVersions;
+}
+
+const markDeletedSecretVersionsHelper = async ({
+	secretIds
+}: {
+	secretIds: Types.ObjectId[];
+}) => {
+	try {
+		await SecretVersion.updateMany({
+			secret: { $in: secretIds }
+		}, {
+			isDeleted: true
+		}, {
+			new: true
+		});
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		throw new Error('Failed to mark secret versions as deleted');
+	}
+}
+
+/**
+ * Initialize secret versioning by setting previously unversioned
+ * secrets to version 1 and begin populating secret versions.
+ */
+const initSecretVersioningHelper = async () => {
+	try {
+
+		await Secret.updateMany(
+			{ version: { $exists: false } },
+			{ $set: { version: 1 } }
+		);
+
+		const unversionedSecrets: ISecret[] = await Secret.aggregate([
+			{
+				$lookup: {
+					from: 'secretversions',
+					localField: '_id',
+					foreignField: 'secret',
+					as: 'versions',
+				},
+			},
+			{
+				$match: {
+					versions: { $size: 0 },
+				},
+			},
+		]);
+
+		if (unversionedSecrets.length > 0) {
+			await addSecretVersionsHelper({
+				secretVersions: unversionedSecrets.map((s, idx) => ({
+					...s,
+					secret: s._id,
+					version: s.version ? s.version : 1,
+					isDeleted: false,
+					workspace: s.workspace,
+					environment: s.environment
+				}))
+			});
+		}
+
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		throw new Error('Failed to ensure that secrets are versioned');
+	}
+}
+
+export {
+	takeSecretSnapshotHelper,
+	addSecretVersionsHelper,
+	markDeletedSecretVersionsHelper,
+	initSecretVersioningHelper
+}

backend/src/ee/helpers/secretVersion.ts

@@ -0,0 +1,110 @@
+import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
+import { SecretVersion } from '../models';
+
+/**
+ * Return latest secret versions for secrets with ids [secretIds]
+ * @param {Object} obj
+ * @param {Object} obj.secretIds = ids of secrets to get latest versions for
+ * @returns 
+ */
+const getLatestSecretVersionIds = async ({
+    secretIds
+}: {
+    secretIds: Types.ObjectId[];
+}) => {
+    
+    interface LatestSecretVersionId {
+        _id: Types.ObjectId;
+        version: number;
+        versionId: Types.ObjectId;
+    }
+    
+    let latestSecretVersionIds: LatestSecretVersionId[];
+    try {
+        latestSecretVersionIds = (await SecretVersion.aggregate([
+            {
+                $match: { 
+                    secret: { 
+                        $in: secretIds 
+                    } 
+                }
+            },
+            {
+                $group: {
+                    _id: '$secret',
+                    version: { $max: '$version' },
+                    versionId: { $max: '$_id' } // id of latest secret version
+                }
+            },
+            {
+                $sort: { version: -1 }
+            }
+            ])
+            .exec());
+            
+    } catch (err) {
+        Sentry.setUser(null);
+		Sentry.captureException(err);
+        throw new Error('Failed to get latest secret versions');
+    }
+    
+    return latestSecretVersionIds;
+}
+
+/**
+ * Return latest [n] secret versions for secrets with ids [secretIds]
+ * @param {Object} obj
+ * @param {Object} obj.secretIds = ids of secrets to get latest versions for
+ * @param {Number} obj.n - number of latest secret versions to return for each secret
+ * @returns 
+ */
+const getLatestNSecretSecretVersionIds = async ({
+    secretIds,
+    n
+}: {
+    secretIds: Types.ObjectId[];
+    n: number;
+}) => {
+    
+    // TODO: optimize query
+    let latestNSecretVersions;
+    try {
+        latestNSecretVersions = (await SecretVersion.aggregate([
+            {
+                $match: {
+                secret: {
+                    $in: secretIds,
+                },
+                },
+            },
+            {
+                $sort: { version: -1 },
+            },
+            {
+                $group: {
+                _id: "$secret",
+                versions: { $push: "$$ROOT" },
+                },
+            },
+            {
+                $project: {
+                _id: 0,
+                secret: "$_id",
+                versions: { $slice: ["$versions", n] },
+                },
+            }
+        ]));
+    } catch (err) {
+        Sentry.setUser(null);
+		Sentry.captureException(err);
+        throw new Error('Failed to get latest n secret versions');
+    }
+    
+    return latestNSecretVersions;
+}
+
+export {
+    getLatestSecretVersionIds,
+    getLatestNSecretSecretVersionIds
+}

backend/src/ee/middleware/index.ts

@@ -0,0 +1,7 @@
+import requireLicenseAuth from './requireLicenseAuth';
+import requireSecretSnapshotAuth from './requireSecretSnapshotAuth';
+
+export {
+    requireLicenseAuth,
+    requireSecretSnapshotAuth
+}

backend/src/ee/middleware/requireSecretSnapshotAuth.ts

@@ -0,0 +1,47 @@
+import { Request, Response, NextFunction } from 'express';
+import { UnauthorizedRequestError, SecretSnapshotNotFoundError } from '../../utils/errors';
+import { SecretSnapshot } from '../models';
+import {
+    validateMembership
+} from '../../helpers/membership';
+
+/**
+ * Validate if user on request has proper membership for secret snapshot
+ * @param {Object} obj
+ * @param {String[]} obj.acceptedRoles - accepted workspace roles
+ * @param {String[]} obj.acceptedStatuses - accepted workspace statuses
+ * @param {String[]} obj.location - location of [workspaceId] on request (e.g. params, body) for parsing
+ */
+const requireSecretSnapshotAuth = ({
+    acceptedRoles,
+}: {
+    acceptedRoles: string[];
+}) => {
+    return async (req: Request, res: Response, next: NextFunction) => {
+        try {
+            const { secretSnapshotId } = req.params;
+            
+            const secretSnapshot = await SecretSnapshot.findById(secretSnapshotId);
+            
+            if (!secretSnapshot) {
+                return next(SecretSnapshotNotFoundError({
+                    message: 'Failed to find secret snapshot'
+                }));
+            }
+            
+            await validateMembership({
+                userId: req.user._id.toString(),
+                workspaceId: secretSnapshot.workspace.toString(),
+                acceptedRoles
+            });
+            
+            req.secretSnapshot = secretSnapshot as any;
+
+            next();
+        } catch (err) {
+            return next(UnauthorizedRequestError({ message: 'Unable to authenticate secret snapshot' }));
+        }
+    }
+}
+
+export default requireSecretSnapshotAuth;

backend/src/ee/models/action.ts

@@ -0,0 +1,46 @@
+import { Schema, model, Types } from 'mongoose';
+
+export interface IAction {
+    name: string;
+    user?: Types.ObjectId,
+    workspace?: Types.ObjectId,
+    payload: {
+        secretVersions?: Types.ObjectId[]
+    }
+}
+
+const actionSchema = new Schema<IAction>(
+    {
+        name: {
+            type: String,
+            required: true
+        },
+        user: {
+            type: Schema.Types.ObjectId,
+            ref: 'User',
+            required: true
+        },
+        workspace: {
+            type: Schema.Types.ObjectId,
+            ref: 'Workspace'
+        },
+        payload: {
+            secretVersions: [{
+                oldSecretVersion: {
+                    type: Schema.Types.ObjectId,
+                    ref: 'SecretVersion'
+                },
+                newSecretVersion: {
+                    type: Schema.Types.ObjectId,
+                    ref: 'SecretVersion'
+                }
+            }]
+        }
+    }, {
+        timestamps: true
+    }
+);
+
+const Action = model<IAction>('Action', actionSchema);
+
+export default Action;

backend/src/ee/models/index.ts

@@ -0,0 +1,15 @@
+import SecretSnapshot, { ISecretSnapshot } from './secretSnapshot';
+import SecretVersion, { ISecretVersion } from './secretVersion';
+import Log, { ILog } from './log';
+import Action, { IAction } from './action';
+
+export {
+    SecretSnapshot,
+    ISecretSnapshot,
+    SecretVersion,
+    ISecretVersion,
+    Log,
+    ILog,
+    Action,
+    IAction
+}

backend/src/ee/models/log.ts

@@ -0,0 +1,59 @@
+import { Schema, model, Types } from 'mongoose';
+import {
+    ACTION_ADD_SECRETS,
+    ACTION_UPDATE_SECRETS,
+    ACTION_READ_SECRETS,
+    ACTION_DELETE_SECRETS
+} from '../../variables';
+
+export interface ILog {
+    _id: Types.ObjectId;
+    user?: Types.ObjectId;
+    workspace?: Types.ObjectId;
+    actionNames: string[];
+    actions: Types.ObjectId[];
+    channel: string;
+    ipAddress?: string;
+}
+
+const logSchema = new Schema<ILog>(
+    {
+        user: {
+            type: Schema.Types.ObjectId,
+            ref: 'User'
+        },
+        workspace: {
+            type: Schema.Types.ObjectId,
+            ref: 'Workspace'
+        },
+        actionNames: {
+            type: [String],
+            enum: [
+                ACTION_ADD_SECRETS,
+                ACTION_UPDATE_SECRETS,
+                ACTION_READ_SECRETS,
+                ACTION_DELETE_SECRETS
+            ],
+            required: true
+        },
+        actions: [{
+            type: Schema.Types.ObjectId,
+            ref: 'Action',
+            required: true
+        }],
+        channel: {
+            type: String,
+            enum: ['web', 'cli', 'auto', 'k8-operator', 'other'],
+            required: true
+        },
+        ipAddress: {
+            type: String
+        }
+    }, {
+    timestamps: true
+}
+);
+
+const Log = model<ILog>('Log', logSchema);
+
+export default Log;

backend/src/ee/models/secretSnapshot.ts

@@ -0,0 +1,33 @@
+import { Schema, model, Types } from 'mongoose';
+
+export interface ISecretSnapshot {
+    workspace: Types.ObjectId;
+    version: number;
+    secretVersions: Types.ObjectId[];
+}
+
+const secretSnapshotSchema = new Schema<ISecretSnapshot>(
+    {
+        workspace: {
+            type: Schema.Types.ObjectId,
+            ref: 'Workspace',
+            required: true
+        },
+        version: {
+            type: Number,
+            required: true
+        },
+        secretVersions: [{
+            type: Schema.Types.ObjectId,
+            ref: 'SecretVersion',
+            required: true
+        }]
+    },
+    {
+        timestamps: true
+    }
+);
+
+const SecretSnapshot = model<ISecretSnapshot>('SecretSnapshot', secretSnapshotSchema);
+
+export default SecretSnapshot;

backend/src/ee/models/secretVersion.ts

@@ -0,0 +1,100 @@
+import { Schema, model, Types } from 'mongoose';
+import {
+	SECRET_SHARED,
+	SECRET_PERSONAL,
+} from '../../variables';
+
+export interface ISecretVersion {
+	_id: Types.ObjectId;
+	secret: Types.ObjectId;
+	version: number;
+	workspace: Types.ObjectId; // new
+	type: string; // new
+	user: Types.ObjectId; // new
+	environment: string; // new
+	isDeleted: boolean;
+	secretKeyCiphertext: string;
+	secretKeyIV: string;
+	secretKeyTag: string;
+	secretKeyHash: string;
+	secretValueCiphertext: string;
+	secretValueIV: string;
+	secretValueTag: string;
+	secretValueHash: string;
+}
+
+const secretVersionSchema = new Schema<ISecretVersion>(
+	{
+		secret: { // could be deleted
+			type: Schema.Types.ObjectId,
+			ref: 'Secret',
+			required: true
+		},
+		version: {
+			type: Number,
+			default: 1,
+			required: true
+		},
+		workspace: {
+			type: Schema.Types.ObjectId,
+			ref: 'Workspace',
+			required: true
+		},
+		type: {
+			type: String,
+			enum: [SECRET_SHARED, SECRET_PERSONAL],
+			required: true
+		},
+		user: {
+			// user associated with the personal secret
+			type: Schema.Types.ObjectId,
+			ref: 'User'
+		},
+		environment: {
+			type: String,
+			required: true
+		},
+		isDeleted: { // consider removing field
+			type: Boolean,
+			default: false,
+			required: true
+		},
+		secretKeyCiphertext: {
+			type: String,
+			required: true
+		},
+		secretKeyIV: {
+			type: String, // symmetric
+			required: true
+		},
+		secretKeyTag: {
+			type: String, // symmetric
+			required: true
+		},
+		secretKeyHash: {
+			type: String
+		},
+		secretValueCiphertext: {
+			type: String,
+			required: true
+		},
+		secretValueIV: {
+			type: String, // symmetric
+			required: true
+		},
+		secretValueTag: {
+			type: String, // symmetric
+			required: true
+		},
+		secretValueHash: {
+			type: String
+		}
+	},
+	{
+		timestamps: true
+	}
+);
+
+const SecretVersion = model<ISecretVersion>('SecretVersion', secretVersionSchema);
+
+export default SecretVersion;

backend/src/ee/routes/v1/action.ts

@@ -0,0 +1,17 @@
+import express from 'express';
+const router = express.Router();
+import {
+    validateRequest
+} from '../../../middleware';
+import { param } from 'express-validator';
+import { actionController } from '../../controllers/v1';
+
+// TODO: put into action controller
+router.get(
+    '/:actionId',
+    param('actionId').exists().trim(),
+    validateRequest,
+    actionController.getAction
+);
+
+export default router;

backend/src/ee/routes/v1/index.ts

@@ -0,0 +1,11 @@
+import secret from './secret';
+import secretSnapshot from './secretSnapshot';
+import workspace from './workspace';
+import action from './action';
+
+export {
+    secret,
+    secretSnapshot,
+    workspace,
+    action
+}

backend/src/ee/routes/v1/secret.ts

@@ -0,0 +1,40 @@
+import express from 'express';
+const router = express.Router();
+import {
+    requireAuth,
+	requireSecretAuth,
+    validateRequest
+} from '../../../middleware';
+import { query, param, body } from 'express-validator';
+import { secretController } from '../../controllers/v1';
+import { ADMIN, MEMBER } from '../../../variables';
+
+router.get(
+	'/:secretId/secret-versions',
+	requireAuth({
+		acceptedAuthModes: ['jwt', 'apiKey']
+	}),
+	requireSecretAuth({
+		acceptedRoles: [ADMIN, MEMBER]
+	}),
+	param('secretId').exists().trim(),
+	query('offset').exists().isInt(),
+	query('limit').exists().isInt(),
+	validateRequest,
+	secretController.getSecretVersions
+);
+
+router.post(
+	'/:secretId/secret-versions/rollback',
+	requireAuth({
+		acceptedAuthModes: ['jwt', 'apiKey']
+	}),
+	requireSecretAuth({
+		acceptedRoles: [ADMIN, MEMBER]
+	}),
+	param('secretId').exists().trim(),
+	body('version').exists().isInt(),
+	secretController.rollbackSecretVersion
+);
+
+export default router;

backend/src/ee/routes/v1/secretSnapshot.ts

@@ -0,0 +1,27 @@
+import express from 'express';
+const router = express.Router();
+import {
+    requireSecretSnapshotAuth
+} from '../../middleware';
+import {
+    requireAuth,
+    validateRequest
+} from '../../../middleware';
+import { param, body } from 'express-validator';
+import { ADMIN, MEMBER } from '../../../variables';
+import { secretSnapshotController } from '../../controllers/v1';
+
+router.get(
+    '/:secretSnapshotId',
+    requireAuth({
+		acceptedAuthModes: ['jwt']
+	}),
+    requireSecretSnapshotAuth({
+        acceptedRoles: [ADMIN, MEMBER]
+    }),
+    param('secretSnapshotId').exists().trim(),
+    validateRequest,
+    secretSnapshotController.getSecretSnapshot
+);
+
+export default router;

backend/src/ee/routes/v1/stripe.ts

@@ -1,6 +1,6 @@
 import express from 'express';
 const router = express.Router();
-import { stripeController } from '../controllers';
+import { stripeController } from '../../controllers/v1';
 
 router.post('/webhook', stripeController.handleWebhook);
 

backend/src/ee/routes/v1/workspace.ts

@@ -0,0 +1,72 @@
+import express from 'express';
+const router = express.Router();
+import {
+	requireAuth,
+	requireWorkspaceAuth,
+	validateRequest
+} from '../../../middleware';
+import { param, query, body } from 'express-validator';
+import { ADMIN, MEMBER } from '../../../variables';
+import { workspaceController } from '../../controllers/v1';
+
+router.get(
+	'/:workspaceId/secret-snapshots',
+	requireAuth({
+		acceptedAuthModes: ['jwt', 'apiKey']
+	}),
+	requireWorkspaceAuth({
+		acceptedRoles: [ADMIN, MEMBER]
+	}),
+	param('workspaceId').exists().trim(),
+	query('offset').exists().isInt(),
+	query('limit').exists().isInt(),
+	validateRequest,
+	workspaceController.getWorkspaceSecretSnapshots
+);
+
+router.get(
+	'/:workspaceId/secret-snapshots/count',
+	requireAuth({
+		acceptedAuthModes: ['jwt']
+	}),
+	requireWorkspaceAuth({
+		acceptedRoles: [ADMIN, MEMBER]
+	}),
+	param('workspaceId').exists().trim(),
+	validateRequest,
+	workspaceController.getWorkspaceSecretSnapshotsCount
+);
+
+router.post(
+	'/:workspaceId/secret-snapshots/rollback',
+	requireAuth({
+		acceptedAuthModes: ['jwt', 'apiKey']
+	}),
+	requireWorkspaceAuth({
+		acceptedRoles: [ADMIN, MEMBER]
+	}),
+	param('workspaceId').exists().trim(),
+	body('version').exists().isInt(),
+	validateRequest,
+	workspaceController.rollbackWorkspaceSecretSnapshot
+);
+
+router.get(
+	'/:workspaceId/logs',
+	requireAuth({
+		acceptedAuthModes: ['jwt', 'apiKey']
+	}),
+	requireWorkspaceAuth({
+		acceptedRoles: [ADMIN, MEMBER]
+	}),
+	param('workspaceId').exists().trim(),
+	query('offset').exists().isInt(),
+	query('limit').exists().isInt(),
+	query('sortBy'),
+	query('userId'),
+	query('actionNames'),
+	validateRequest,
+	workspaceController.getWorkspaceLogs
+);
+
+export default router;

backend/src/ee/services/EELicenseService.ts

@@ -0,0 +1,19 @@
+import { LICENSE_KEY } from '../../config';
+
+/**
+ * Class to handle Enterprise Edition license actions
+ */
+class EELicenseService {
+    
+    private readonly _isLicenseValid: boolean;
+    
+    constructor(licenseKey: string) {
+        this._isLicenseValid = true;
+    }
+
+    public get isLicenseValid(): boolean {
+        return this._isLicenseValid;
+    }
+}
+
+export default new EELicenseService(LICENSE_KEY);

backend/src/ee/services/EELogService.ts

@@ -0,0 +1,81 @@
+import { Types } from 'mongoose';
+import { 
+    Log,
+    Action,
+    IAction
+} from '../models';
+import {
+    createLogHelper
+} from '../helpers/log';
+import {
+    createActionSecretHelper
+} from '../helpers/action';
+import EELicenseService from './EELicenseService';
+
+/**
+ * Class to handle Enterprise Edition log actions
+ */
+class EELogService {
+    /**
+     * Create an (audit) log
+     * @param {Object} obj
+     * @param {String} obj.userId - id of user associated with the log
+     * @param {String} obj.workspaceId - id of workspace associated with the log
+     * @param {Action} obj.actions - actions to include in log
+     * @param {String} obj.channel - channel (web/cli/auto) associated with the log
+     * @param {String} obj.ipAddress - ip address associated with the log
+     * @returns {Log} log - new audit log
+     */
+    static async createLog({
+        userId,
+        workspaceId,
+        actions,
+        channel,
+        ipAddress
+    }: {
+        userId: string;
+        workspaceId: string;
+        actions: IAction[];
+        channel: string;
+        ipAddress: string;
+    }) {
+        if (!EELicenseService.isLicenseValid) return null;
+        return await createLogHelper({
+            userId,
+            workspaceId,
+            actions,
+            channel,
+            ipAddress
+        })
+    }
+    
+    /**
+     * Create an (audit) action for secrets including
+     * add, delete, update, and read actions.
+     * @param {Object} obj
+     * @param {String} obj.name - name of action
+     * @param {ObjectId[]} obj.secretIds - secret ids
+     * @returns {Action} action - new action
+     */
+    static async createActionSecret({
+        name,
+        userId,
+        workspaceId,
+        secretIds
+    }: {
+        name: string;
+        userId: string;
+        workspaceId: string;
+        secretIds: Types.ObjectId[];
+    }) {
+        if (!EELicenseService.isLicenseValid) return null; 
+        return await createActionSecretHelper({
+            name,
+            userId,
+            workspaceId,
+            secretIds
+        });
+    }
+}
+
+export default EELogService;

backend/src/ee/services/EESecretService.ts

@@ -0,0 +1,78 @@
+import { Types } from 'mongoose';
+import { ISecretVersion } from '../models';
+import { 
+    takeSecretSnapshotHelper,
+    addSecretVersionsHelper,
+    markDeletedSecretVersionsHelper,
+    initSecretVersioningHelper
+} from '../helpers/secret';
+import EELicenseService from './EELicenseService';
+
+/**
+ * Class to handle Enterprise Edition secret actions
+ */
+class EESecretService {
+    
+    /**
+     * Save a secret snapshot that is a copy of the current state of secrets in workspace with id
+     * [workspaceId] under a new snapshot with incremented version under the
+     * SecretSnapshot collection.
+     * Requires a valid license key [licenseKey]
+     * @param {Object} obj
+     * @param {String} obj.workspaceId
+     * @returns {SecretSnapshot} secretSnapshot - new secret snpashot
+     */
+    static async takeSecretSnapshot({
+        workspaceId
+    }: {
+        workspaceId: string;
+    }) {
+        if (!EELicenseService.isLicenseValid) return;
+        return await takeSecretSnapshotHelper({ workspaceId });
+    }
+    
+    /**
+     * Add secret versions [secretVersions] to the SecretVersion collection.
+     * @param {Object} obj
+     * @param {Object[]} obj.secretVersions
+     * @returns {SecretVersion[]} newSecretVersions - new secret versions
+     */
+    static async addSecretVersions({
+        secretVersions
+    }: {
+        secretVersions: ISecretVersion[];
+    }) {
+        if (!EELicenseService.isLicenseValid) return;
+        return await addSecretVersionsHelper({
+            secretVersions
+        });
+    }
+
+    /**
+     * Mark secret versions associated with secrets with ids [secretIds]
+     * as deleted.
+     * @param {Object} obj
+     * @param {ObjectId[]} obj.secretIds - secret ids
+     */
+    static async markDeletedSecretVersions({
+        secretIds
+    }: {
+        secretIds: Types.ObjectId[];
+    }) {
+        if (!EELicenseService.isLicenseValid) return;
+        await markDeletedSecretVersionsHelper({
+            secretIds
+        });
+    }
+    
+    /**
+     * Initialize secret versioning by setting previously unversioned
+     * secrets to version 1 and begin populating secret versions.
+     */
+    static async initSecretVersioning() {
+        if (!EELicenseService.isLicenseValid) return; 
+        await initSecretVersioningHelper();
+    }
+}
+
+export default EESecretService;

backend/src/ee/services/index.ts

@@ -0,0 +1,9 @@
+import EELicenseService from "./EELicenseService";
+import EESecretService from "./EESecretService";
+import EELogService from "./EELogService";
+
+export {
+    EELicenseService,
+    EESecretService,
+    EELogService
+}

backend/src/events/secret.ts

@@ -1,4 +1,7 @@
-import { EVENT_PUSH_SECRETS } from '../variables';
+import { 
+    EVENT_PUSH_SECRETS, 
+    EVENT_PULL_SECRETS 
+} from '../variables';
 
 interface PushSecret {
 	ciphertextKey: string;
@@ -19,7 +22,7 @@ interface PushSecret {
  * @returns 
  */
 const eventPushSecrets = ({
-    workspaceId,
+    workspaceId
 }: {
     workspaceId: string;
 }) => {
@@ -32,6 +35,26 @@ const eventPushSecrets = ({
     });
 }
 
+/**
+ * Return event for pulling secrets
+ * @param {Object} obj
+ * @param {String} obj.workspaceId - id of workspace to pull secrets from
+ * @returns 
+ */
+const eventPullSecrets = ({
+    workspaceId,
+}: {
+    workspaceId: string;
+}) => {
+    return ({
+        name: EVENT_PULL_SECRETS,
+        workspaceId,
+        payload: {
+
+        }
+    });
+}
+
 export {
     eventPushSecrets
 }

backend/src/helpers/auth.ts

@@ -1,7 +1,10 @@
 import jwt from 'jsonwebtoken';
 import * as Sentry from '@sentry/node';
+import bcrypt from 'bcrypt';
 import {
-	User
+	User,
+	ServiceTokenData,
+	APIKeyData
 } from '../models';
 import {
 	JWT_AUTH_LIFETIME,
@@ -9,6 +12,196 @@ import {
 	JWT_REFRESH_LIFETIME,
 	JWT_REFRESH_SECRET
 } from '../config';
+import {
+	AccountNotFoundError,
+	ServiceTokenDataNotFoundError,
+	APIKeyDataNotFoundError,
+	UnauthorizedRequestError,
+	BadRequestError
+} from '../utils/errors';
+
+/**
+ * 
+ * @param {Object} obj
+ * @param {Object} obj.headers - HTTP request headers object
+ */
+const validateAuthMode = ({
+	headers,
+	acceptedAuthModes
+}: {
+	headers: { [key: string]: string | string[] | undefined },
+	acceptedAuthModes: string[]
+}) => {
+	// TODO: refactor middleware
+	const apiKey = headers['x-api-key'];
+	const authHeader = headers['authorization'];
+
+	let authTokenType, authTokenValue;
+	if (apiKey === undefined && authHeader === undefined) {
+		// case: no auth or X-API-KEY header present
+		throw BadRequestError({ message: 'Missing Authorization or X-API-KEY in request header.' });
+	}
+
+	if (typeof apiKey === 'string') {
+		// case: treat request authentication type as via X-API-KEY (i.e. API Key)
+		authTokenType = 'apiKey';
+		authTokenValue = apiKey;
+	}
+
+	if (typeof authHeader === 'string') {
+		// case: treat request authentication type as via Authorization header (i.e. either JWT or service token)
+		const [tokenType, tokenValue] = <[string, string]>authHeader.split(' ', 2) ?? [null, null]
+		if (tokenType === null)
+			throw BadRequestError({ message: `Missing Authorization Header in the request header.` });
+		if (tokenType.toLowerCase() !== 'bearer')
+			throw BadRequestError({ message: `The provided authentication type '${tokenType}' is not supported.` });
+		if (tokenValue === null)
+			throw BadRequestError({ message: 'Missing Authorization Body in the request header.' });
+
+		switch (tokenValue.split('.', 1)[0]) {
+			case 'st':
+				authTokenType = 'serviceToken';
+				break;
+			default:
+				authTokenType = 'jwt';
+		}
+		authTokenValue = tokenValue;
+	}
+
+	if (!authTokenType || !authTokenValue) throw BadRequestError({ message: 'Missing valid Authorization or X-API-KEY in request header.' });
+
+	if (!acceptedAuthModes.includes(authTokenType)) throw BadRequestError({ message: 'The provided authentication type is not supported.' });
+
+	return ({
+		authTokenType,
+		authTokenValue
+	});
+}
+
+/**
+ * Return user payload corresponding to JWT token [authTokenValue]
+ * @param {Object} obj
+ * @param {String} obj.authTokenValue - JWT token value
+ * @returns {User} user - user corresponding to JWT token
+ */
+const getAuthUserPayload = async ({
+	authTokenValue
+}: {
+	authTokenValue: string;
+}) => {
+	let user;
+	try {
+		const decodedToken = <jwt.UserIDJwtPayload>(
+			jwt.verify(authTokenValue, JWT_AUTH_SECRET)
+		);
+
+		user = await User.findOne({
+			_id: decodedToken.userId
+		}).select('+publicKey');
+
+		if (!user) throw AccountNotFoundError({ message: 'Failed to find User' });
+
+		if (!user?.publicKey) throw UnauthorizedRequestError({ message: 'Failed to authenticate User with partially set up account' });
+
+	} catch (err) {
+		throw UnauthorizedRequestError({
+			message: 'Failed to authenticate JWT token'
+		});
+	}
+
+	return user;
+}
+
+/**
+ * Return service token data payload corresponding to service token [authTokenValue]
+ * @param {Object} obj
+ * @param {String} obj.authTokenValue - service token value
+ * @returns {ServiceTokenData} serviceTokenData - service token data
+ */
+const getAuthSTDPayload = async ({
+	authTokenValue
+}: {
+	authTokenValue: string;
+}) => {
+	let serviceTokenData;
+	try {
+		const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split('.', 3);
+
+		// TODO: optimize double query
+		serviceTokenData = await ServiceTokenData
+			.findById(TOKEN_IDENTIFIER, '+secretHash +expiresAt');
+
+		if (!serviceTokenData) {
+			throw ServiceTokenDataNotFoundError({ message: 'Failed to find service token data' });
+		} else if (serviceTokenData?.expiresAt && new Date(serviceTokenData.expiresAt) < new Date()) {
+			// case: service token expired
+			await ServiceTokenData.findByIdAndDelete(serviceTokenData._id);
+			throw UnauthorizedRequestError({
+				message: 'Failed to authenticate expired service token'
+			});
+		}
+
+		const isMatch = await bcrypt.compare(TOKEN_SECRET, serviceTokenData.secretHash);
+		if (!isMatch) throw UnauthorizedRequestError({
+			message: 'Failed to authenticate service token'
+		});
+
+		serviceTokenData = await ServiceTokenData
+			.findById(TOKEN_IDENTIFIER)
+			.select('+encryptedKey +iv +tag').populate('user');
+
+	} catch (err) {
+		throw UnauthorizedRequestError({
+			message: 'Failed to authenticate service token'
+		});
+	}
+
+	return serviceTokenData;
+}
+
+/**
+ * Return API key data payload corresponding to API key [authTokenValue]
+ * @param {Object} obj
+ * @param {String} obj.authTokenValue - API key value
+ * @returns {APIKeyData} apiKeyData - API key data
+ */
+const getAuthAPIKeyPayload = async ({
+	authTokenValue
+}: {
+	authTokenValue: string;
+}) => {
+	let user;
+	try {
+		const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split('.', 3);
+
+		const apiKeyData = await APIKeyData
+			.findById(TOKEN_IDENTIFIER, '+secretHash +expiresAt')
+			.populate('user', '+publicKey');
+
+		if (!apiKeyData) {
+			throw APIKeyDataNotFoundError({ message: 'Failed to find API key data' });
+		} else if (apiKeyData?.expiresAt && new Date(apiKeyData.expiresAt) < new Date()) {
+			// case: API key expired
+			await APIKeyData.findByIdAndDelete(apiKeyData._id);
+			throw UnauthorizedRequestError({
+				message: 'Failed to authenticate expired API key'
+			});
+		}
+
+		const isMatch = await bcrypt.compare(TOKEN_SECRET, apiKeyData.secretHash);
+		if (!isMatch) throw UnauthorizedRequestError({
+			message: 'Failed to authenticate API key'
+		});
+
+		user = apiKeyData.user;
+	} catch (err) {
+		throw UnauthorizedRequestError({
+			message: 'Failed to authenticate API key'
+		});
+	}
+
+	return user;
+}
 
 /**
  * Return newly issued (JWT) auth and refresh tokens to user with id [userId]
@@ -99,4 +292,12 @@ const createToken = ({
 	}
 };
 
-export { createToken, issueTokens, clearTokens };
+export {
+	validateAuthMode,
+	getAuthUserPayload,
+	getAuthSTDPayload,
+	getAuthAPIKeyPayload,
+	createToken,
+	issueTokens,
+	clearTokens
+};

backend/src/helpers/bot.ts

@@ -12,7 +12,6 @@ import {
     decryptSymmetric,
     decryptAsymmetric
 } from '../utils/crypto';
-import { decryptSecrets } from '../helpers/secret';
 import { ENCRYPTION_KEY } from '../config';
 import { SECRET_SHARED } from '../variables';
 
@@ -73,7 +72,7 @@ const getSecretsHelper = async ({
     try {
         const key = await getKey({ workspaceId });
         const secrets = await Secret.find({
-            workspaceId,
+            workspace: workspaceId,
             environment,
             type: SECRET_SHARED
         });
@@ -85,7 +84,7 @@ const getSecretsHelper = async ({
                 tag: secret.secretKeyTag,
                 key
             });
-            
+
             const secretValue = decryptSymmetric({
                 ciphertext: secret.secretValueCiphertext,
                 iv: secret.secretValueIV,

backend/src/helpers/database.ts

@@ -0,0 +1,34 @@
+import mongoose from 'mongoose';
+import { EESecretService } from '../ee/services';
+import { getLogger } from '../utils/logger';
+
+/**
+ * Initialize database connection
+ * @param {Object} obj
+ * @param {String} obj.mongoURL - mongo connection string
+ * @returns 
+ */
+const initDatabaseHelper = async ({
+    mongoURL
+}: {
+    mongoURL: string;
+}) => {
+    try {
+        await mongoose.connect(mongoURL);
+    
+        // allow empty strings to pass the required validator
+        mongoose.Schema.Types.String.checkRequired(v => typeof v === 'string');
+
+        getLogger("database").info("Database connection established");
+        
+        await EESecretService.initSecretVersioning();
+    } catch (err) {
+        getLogger("database").error(`Unable to establish Database connection due to the error.\n${err}`);
+    }
+
+    return mongoose.connection;
+}
+
+export {
+    initDatabaseHelper
+}

backend/src/helpers/integration.ts

@@ -7,8 +7,6 @@ import {
 import { exchangeCode, exchangeRefresh, syncSecrets } from '../integrations';
 import { BotService } from '../services';
 import {
-    ENV_DEV,
-    EVENT_PUSH_SECRETS,
     INTEGRATION_VERCEL,
     INTEGRATION_NETLIFY
 } from '../variables';
@@ -36,11 +34,13 @@ interface Update {
 const handleOAuthExchangeHelper = async ({
     workspaceId,
     integration,
-    code
+    code,
+    environment
 }: {
     workspaceId: string;
     integration: string;
     code: string;
+    environment: string;
 }) => {
     let action;
     let integrationAuth;
@@ -102,9 +102,9 @@ const handleOAuthExchangeHelper = async ({
         // initialize new integration after exchange
         await new Integration({
             workspace: workspaceId,
-            environment: ENV_DEV,
             isActive: false,
             app: null,
+            environment,
             integration,
             integrationAuth: integrationAuth._id
         }).save();
@@ -127,7 +127,6 @@ const syncIntegrationsHelper = async ({
 }) => {
     let integrations;
     try {
-
         integrations = await Integration.find({
             workspace: workspaceId,
             isActive: true,
@@ -142,7 +141,7 @@ const syncIntegrationsHelper = async ({
                 workspaceId: integration.workspace.toString(),
                 environment: integration.environment
             });
-            
+
             const integrationAuth = await IntegrationAuth.findById(integration.integrationAuth);
             if (!integrationAuth) throw new Error('Failed to find integration auth');
             
@@ -316,7 +315,7 @@ const setIntegrationAuthAccessHelper = async ({
 }: {
     integrationAuthId: string;
     accessToken: string;
-    accessExpiresAt: Date;
+    accessExpiresAt: Date | undefined;
 }) => {
     let integrationAuth;
     try {

backend/src/helpers/membership.ts

@@ -3,21 +3,20 @@ import { Membership, Key } from '../models';
 
 /**
  * Validate that user with id [userId] is a member of workspace with id [workspaceId]
- * and has at least one of the roles in [acceptedRoles] and statuses in [acceptedStatuses]
+ * and has at least one of the roles in [acceptedRoles]
  * @param {Object} obj
  * @param {String} obj.userId - id of user to validate
  * @param {String} obj.workspaceId - id of workspace
+ * @returns {Membership} membership - membership of user with id [userId] for workspace with id [workspaceId]
  */
 const validateMembership = async ({
 	userId,
 	workspaceId,
 	acceptedRoles,
-	acceptedStatuses
 }: {
 	userId: string;
 	workspaceId: string;
 	acceptedRoles: string[];
-	acceptedStatuses: string[];
 }) => {
 	
 	let membership;
@@ -26,18 +25,13 @@ const validateMembership = async ({
 		membership = await Membership.findOne({
 			user: userId,
 			workspace: workspaceId
-		});
+		}).populate("workspace");
 		
 		if (!membership) throw new Error('Failed to find membership');
 		
 		if (!acceptedRoles.includes(membership.role)) {
 			throw new Error('Failed to validate membership role');
 		}
-
-		if (!acceptedStatuses.includes(membership.status)) {
-			throw new Error('Failed to validate membership status');
-		}
-		
 	} catch (err) {
 		Sentry.setUser(null);
 		Sentry.captureException(err);
@@ -72,18 +66,15 @@ const findMembership = async (queryObj: any) => {
  * @param {String[]} obj.userIds - id of users.
  * @param {String} obj.workspaceId - id of workspace.
  * @param {String[]} obj.roles - roles of users.
- * @param {String[]} obj.statuses - statuses of users.
  */
 const addMemberships = async ({
 	userIds,
 	workspaceId,
-	roles,
-	statuses
+	roles
 }: {
 	userIds: string[];
 	workspaceId: string;
 	roles: string[];
-	statuses: string[];
 }): Promise<void> => {
 	try {
 		const operations = userIds.map((userId, idx) => {
@@ -92,14 +83,12 @@ const addMemberships = async ({
 					filter: {
 						user: userId,
 						workspace: workspaceId,
-						role: roles[idx],
-						status: statuses[idx]
+						role: roles[idx]
 					},
 					update: {
 						user: userId,
 						workspace: workspaceId,
-						role: roles[idx],
-						status: statuses[idx]
+						role: roles[idx]
 					},
 					upsert: true
 				}

backend/src/helpers/membershipOrg.ts

@@ -1,6 +1,42 @@
 import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
 import { MembershipOrg, Workspace, Membership, Key } from '../models';
 
+/**
+ * Validate that user with id [userId] is a member of organization with id [organizationId]
+ * and has at least one of the roles in [acceptedRoles]
+ *
+ */
+const validateMembership = async ({
+	userId,
+	organizationId,
+	acceptedRoles
+}: {
+	userId: string;
+	organizationId: string;
+	acceptedRoles: string[];
+}) => {
+	let membership;
+	try {
+		membership = await MembershipOrg.findOne({
+			user: new Types.ObjectId(userId),
+			organization: new Types.ObjectId(organizationId)
+		});
+		
+		if (!membership) throw new Error('Failed to find organization membership');
+		
+		if (!acceptedRoles.includes(membership.role)) {
+			throw new Error('Failed to validate organization membership role');
+		}
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		throw new Error('Failed to validate organization membership');
+	}
+	
+	return membership;
+}
+
 /**
  * Return organization membership matching criteria specified in
  * query [queryObj]
@@ -84,6 +120,8 @@ const deleteMembershipOrg = async ({
 			_id: membershipOrgId
 		});
 
+		if (!deletedMembershipOrg) throw new Error('Failed to delete organization membership');
+
 		// delete keys associated with organization membership
 		if (deletedMembershipOrg?.user) {
 			// case: organization membership had a registered user
@@ -117,4 +155,9 @@ const deleteMembershipOrg = async ({
 	return deletedMembershipOrg;
 };
 
-export { findMembershipOrg, addMembershipsOrg, deleteMembershipOrg };
+export {
+	validateMembership,
+	findMembershipOrg,
+	addMembershipsOrg, 
+	deleteMembershipOrg 
+}; 

backend/src/helpers/organization.ts

@@ -3,6 +3,7 @@ import Stripe from 'stripe';
 import {
 	STRIPE_SECRET_KEY,
 	STRIPE_PRODUCT_STARTER,
+	STRIPE_PRODUCT_TEAM,
 	STRIPE_PRODUCT_PRO
 } from '../config';
 const stripe = new Stripe(STRIPE_SECRET_KEY, {
@@ -14,6 +15,7 @@ import { Organization, MembershipOrg } from '../models';
 
 const productToPriceMap = {
 	starter: STRIPE_PRODUCT_STARTER,
+	team: STRIPE_PRODUCT_TEAM,
 	pro: STRIPE_PRODUCT_PRO
 };
 
@@ -55,7 +57,7 @@ const createOrganization = async ({
 	} catch (err) {
 		Sentry.setUser({ email });
 		Sentry.captureException(err);
-		throw new Error('Failed to create organization');
+		throw new Error(`Failed to create organization [err=${err}]`);
 	}
 
 	return organization;

backend/src/helpers/rateLimiter.ts

@@ -1,36 +1,43 @@
 import rateLimit from 'express-rate-limit';
 
-// 300 requests per 15 minutes
+// 120 requests per minute
 const apiLimiter = rateLimit({
-  windowMs: 15 * 60 * 1000,
-  max: 400,
+  windowMs: 60 * 1000,
+  max: 240,
   standardHeaders: true,
   legacyHeaders: false,
-  skip: (request) => request.path === '/healthcheck'
+  skip: (request) => {
+    return request.path === '/healthcheck' || request.path === '/api/status'
+  },
+  keyGenerator: (req, res) => {
+    return req.clientIp
+  }
 });
 
-// 5 requests per hour
-const signupLimiter = rateLimit({
-  windowMs: 60 * 60 * 1000,
+// 10 requests per minute
+const authLimiter = rateLimit({
+  windowMs: 60 * 1000,
   max: 10,
   standardHeaders: true,
-  legacyHeaders: false
+  legacyHeaders: false,
+  keyGenerator: (req, res) => {
+    return req.clientIp
+  }
 });
 
 // 10 requests per hour
-const loginLimiter = rateLimit({
-  windowMs: 60 * 60 * 1000,
-  max: 20,
-  standardHeaders: true,
-  legacyHeaders: false
-});
-
-// 5 requests per hour
 const passwordLimiter = rateLimit({
   windowMs: 60 * 60 * 1000,
   max: 10,
   standardHeaders: true,
-  legacyHeaders: false
+  legacyHeaders: false,
+  keyGenerator: (req, res) => {
+    return req.clientIp
+  }
 });
 
-export { apiLimiter, signupLimiter, loginLimiter, passwordLimiter };
+export { 
+  apiLimiter, 
+  authLimiter,
+  passwordLimiter 
+};

backend/src/helpers/secret.ts

@@ -1,12 +1,81 @@
 import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
 import {
 	Secret,
-	ISecret
+	ISecret,
+	Membership
 } from '../models';
-import { decryptSymmetric } from '../utils/crypto';
-import { SECRET_SHARED, SECRET_PERSONAL } from '../variables';
+import {
+	EESecretService,
+	EELogService
+} from '../ee/services';
+import {
+	IAction
+} from '../ee/models';
+import {
+	SECRET_SHARED,
+	SECRET_PERSONAL,
+	ACTION_ADD_SECRETS,
+	ACTION_UPDATE_SECRETS,
+	ACTION_DELETE_SECRETS,
+	ACTION_READ_SECRETS
+} from '../variables';
+import _ from 'lodash';
+import { ABILITY_WRITE } from '../variables/organization';
+import { BadRequestError, UnauthorizedRequestError } from '../utils/errors';
 
-interface PushSecret {
+/**
+ * Validate that user with id [userId] can modify secrets with ids [secretIds]
+ * @param {Object} obj
+ * @param {Object} obj.userId - id of user to validate
+ * @param {Object} obj.secretIds - secret ids
+ * @returns {Secret[]} secrets
+ */
+const validateSecrets = async ({
+	userId,
+	secretIds
+}: {
+	userId: string;
+	secretIds: string[];
+}) => {
+	let secrets;
+	try {
+		secrets = await Secret.find({
+			_id: {
+				$in: secretIds.map((secretId: string) => new Types.ObjectId(secretId))
+			}
+		});
+
+		if (secrets.length != secretIds.length) {
+			throw BadRequestError({ message: 'Unable to validate some secrets' })
+		}
+
+		const userMemberships = await Membership.find({ user: userId })
+		const userMembershipById = _.keyBy(userMemberships, 'workspace');
+		const workspaceIdsSet = new Set(userMemberships.map((m) => m.workspace.toString()));
+
+		// for each secret check if the secret belongs to a workspace the user is a member of
+		secrets.forEach((secret: ISecret) => {
+			if (workspaceIdsSet.has(secret.workspace.toString())) {
+				const deniedMembershipPermissions = userMembershipById[secret.workspace.toString()].deniedPermissions;
+				const isDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: secret.environment, ability: ABILITY_WRITE });
+
+				if (isDisallowed) {
+					throw UnauthorizedRequestError({ message: 'You do not have the required permissions to perform this action' });
+				}
+			} else {
+				throw BadRequestError({ message: 'You cannot edit secrets of a workspace you are not a member of' });
+			}
+		});
+
+	} catch (err) {
+		throw BadRequestError({ message: 'Unable to validate secrets' })
+	}
+
+	return secrets;
+}
+
+interface V1PushSecret {
 	ciphertextKey: string;
 	ivKey: string;
 	tagKey: string;
@@ -15,14 +84,32 @@ interface PushSecret {
 	ivValue: string;
 	tagValue: string;
 	hashValue: string;
+	ciphertextComment: string;
+	ivComment: string;
+	tagComment: string;
+	hashComment: string;
 	type: 'shared' | 'personal';
 }
 
-interface Update {
-	[index: string]: string;
+interface V2PushSecret {
+	type: string; // personal or shared
+	secretKeyCiphertext: string;
+	secretKeyIV: string;
+	secretKeyTag: string;
+	secretKeyHash: string;
+	secretValueCiphertext: string;
+	secretValueIV: string;
+	secretValueTag: string;
+	secretValueHash: string;
+	secretCommentCiphertext?: string;
+	secretCommentIV?: string;
+	secretCommentTag?: string;
+	secretCommentHash?: string;
 }
 
-type DecryptSecretType = 'text' | 'object' | 'expanded';
+interface Update {
+	[index: string]: any;
+}
 
 /**
  * Push secrets for user with id [userId] to workspace
@@ -35,92 +122,155 @@ type DecryptSecretType = 'text' | 'object' | 'expanded';
  * @param {String} obj.environment - environment for secrets
  * @param {Object[]} obj.secrets - secrets to push
  */
-const pushSecrets = async ({
+const v1PushSecrets = async ({
 	userId,
 	workspaceId,
 	environment,
-	secrets
+	secrets,
 }: {
 	userId: string;
 	workspaceId: string;
 	environment: string;
-	secrets: PushSecret[];
+	secrets: V1PushSecret[];
 }): Promise<void> => {
+	// TODO: clean up function and fix up types
 	try {
 		// construct useful data structures
-		const oldSecrets = await pullSecrets({
+		const oldSecrets = await getSecrets({
 			userId,
 			workspaceId,
 			environment
 		});
-		const oldSecretsObj: any = oldSecrets.reduce((accumulator, s: any) => {
-			return { ...accumulator, [s.secretKeyHash]: s };
-		}, {});
-		const newSecretsObj = secrets.reduce((accumulator, s) => {
-			return { ...accumulator, [s.hashKey]: s };
-		}, {});
+
+		const oldSecretsObj: any = oldSecrets.reduce((accumulator, s: any) =>
+			({ ...accumulator, [`${s.type}-${s.secretKeyHash}`]: s })
+			, {});
+		const newSecretsObj: any = secrets.reduce((accumulator, s) =>
+			({ ...accumulator, [`${s.type}-${s.hashKey}`]: s })
+			, {});
 
 		// handle deleting secrets
-		const toDelete = oldSecrets.filter(
-			(s: ISecret) => !(s.secretKeyHash in newSecretsObj)
-		);
+		const toDelete = oldSecrets
+			.filter(
+				(s: ISecret) => !(`${s.type}-${s.secretKeyHash}` in newSecretsObj)
+			)
+			.map((s) => s._id);
 		if (toDelete.length > 0) {
 			await Secret.deleteMany({
-				_id: { $in: toDelete.map((s) => s._id) }
+				_id: { $in: toDelete }
+			});
+
+			await EESecretService.markDeletedSecretVersions({
+				secretIds: toDelete
 			});
 		}
 
-		// handle modifying secrets where type or value changed
-		const operations = secrets
+		const toUpdate = oldSecrets
 			.filter((s) => {
-				if (s.hashKey in oldSecretsObj) {
-					if (s.hashValue !== oldSecretsObj[s.hashKey].secretValueHash) {
-						// case: filter secrets where value changed
+				if (`${s.type}-${s.secretKeyHash}` in newSecretsObj) {
+					if (s.secretValueHash !== newSecretsObj[`${s.type}-${s.secretKeyHash}`].hashValue
+						|| s.secretCommentHash !== newSecretsObj[`${s.type}-${s.secretKeyHash}`].hashComment) {
+						// case: filter secrets where value or comment changed
 						return true;
 					}
 
-					if (s.type !== oldSecretsObj[s.hashKey].type) {
-						// case: filter secrets where type changed
+					if (!s.version) {
+						// case: filter (legacy) secrets that were not versioned
 						return true;
 					}
 				}
 
 				return false;
-			})
+			});
+
+		const operations = toUpdate
 			.map((s) => {
+				const {
+					ciphertextValue,
+					ivValue,
+					tagValue,
+					hashValue,
+					ciphertextComment,
+					ivComment,
+					tagComment,
+					hashComment
+				} = newSecretsObj[`${s.type}-${s.secretKeyHash}`];
+
 				const update: Update = {
-					type: s.type,
-					secretValueCiphertext: s.ciphertextValue,
-					secretValueIV: s.ivValue,
-					secretValueTag: s.tagValue,
-					secretValueHash: s.hashValue
-				};
+					secretValueCiphertext: ciphertextValue,
+					secretValueIV: ivValue,
+					secretValueTag: tagValue,
+					secretValueHash: hashValue,
+					secretCommentCiphertext: ciphertextComment,
+					secretCommentIV: ivComment,
+					secretCommentTag: tagComment,
+					secretCommentHash: hashComment,
+				}
+
+				if (!s.version) {
+					// case: (legacy) secret was not versioned
+					update.version = 1;
+				} else {
+					update['$inc'] = {
+						version: 1
+					}
+				}
 
 				if (s.type === SECRET_PERSONAL) {
-					// attach user assocaited with the personal secret
+					// attach user associated with the personal secret
 					update['user'] = userId;
 				}
 
 				return {
 					updateOne: {
 						filter: {
-							workspace: workspaceId,
-							_id: oldSecretsObj[s.hashKey]._id
+							_id: oldSecretsObj[`${s.type}-${s.secretKeyHash}`]._id
 						},
 						update
 					}
 				};
 			});
-		const a = await Secret.bulkWrite(operations as any);
+		await Secret.bulkWrite(operations as any);
+
+		// (EE) add secret versions for updated secrets
+		await EESecretService.addSecretVersions({
+			secretVersions: toUpdate.map(({
+				_id,
+				version,
+				type,
+				secretKeyHash,
+			}) => {
+				const newSecret = newSecretsObj[`${type}-${secretKeyHash}`];
+				return ({
+					_id: new Types.ObjectId(),
+					secret: _id,
+					version: version ? version + 1 : 1,
+					workspace: new Types.ObjectId(workspaceId),
+					type: newSecret.type,
+					user: new Types.ObjectId(userId),
+					environment,
+					isDeleted: false,
+					secretKeyCiphertext: newSecret.ciphertextKey,
+					secretKeyIV: newSecret.ivKey,
+					secretKeyTag: newSecret.tagKey,
+					secretKeyHash: newSecret.hashKey,
+					secretValueCiphertext: newSecret.ciphertextValue,
+					secretValueIV: newSecret.ivValue,
+					secretValueTag: newSecret.tagValue,
+					secretValueHash: newSecret.hashValue
+				})
+			})
+		});
 
 		// handle adding new secrets
-		const toAdd = secrets.filter((s) => !(s.hashKey in oldSecretsObj));
+		const toAdd = secrets.filter((s) => !(`${s.type}-${s.hashKey}` in oldSecretsObj));
 
 		if (toAdd.length > 0) {
 			// add secrets
-			await Secret.insertMany(
+			const newSecrets = await Secret.insertMany(
 				toAdd.map((s, idx) => {
-					let obj: any = {
+					const obj: any = {
+						version: 1,
 						workspace: workspaceId,
 						type: toAdd[idx].type,
 						environment,
@@ -131,7 +281,11 @@ const pushSecrets = async ({
 						secretValueCiphertext: s.ciphertextValue,
 						secretValueIV: s.ivValue,
 						secretValueTag: s.tagValue,
-						secretValueHash: s.hashValue
+						secretValueHash: s.hashValue,
+						secretCommentCiphertext: s.ciphertextComment,
+						secretCommentIV: s.ivComment,
+						secretCommentTag: s.tagComment,
+						secretCommentHash: s.hashComment
 					};
 
 					if (toAdd[idx].type === 'personal') {
@@ -141,6 +295,270 @@ const pushSecrets = async ({
 					return obj;
 				})
 			);
+
+			// (EE) add secret versions for new secrets
+			EESecretService.addSecretVersions({
+				secretVersions: newSecrets.map(({
+					_id,
+					version,
+					workspace,
+					type,
+					user,
+					environment,
+					secretKeyCiphertext,
+					secretKeyIV,
+					secretKeyTag,
+					secretKeyHash,
+					secretValueCiphertext,
+					secretValueIV,
+					secretValueTag,
+					secretValueHash
+				}) => ({
+					_id: new Types.ObjectId(),
+					secret: _id,
+					version,
+					workspace,
+					type,
+					user,
+					environment,
+					isDeleted: false,
+					secretKeyCiphertext,
+					secretKeyIV,
+					secretKeyTag,
+					secretKeyHash,
+					secretValueCiphertext,
+					secretValueIV,
+					secretValueTag,
+					secretValueHash
+				}))
+			});
+		}
+
+		// (EE) take a secret snapshot
+		await EESecretService.takeSecretSnapshot({
+			workspaceId
+		});
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		throw new Error('Failed to push shared and personal secrets');
+	}
+};
+
+/**
+ * Push secrets for user with id [userId] to workspace
+ * with id [workspaceId] with environment [environment]. Follow steps:
+ * 1. Handle shared secrets (insert, delete)
+ * 2. handle personal secrets (insert, delete)
+ * @param {Object} obj
+ * @param {String} obj.userId - id of user to push secrets for
+ * @param {String} obj.workspaceId - id of workspace to push to
+ * @param {String} obj.environment - environment for secrets
+ * @param {Object[]} obj.secrets - secrets to push
+ * @param {String} obj.channel - channel (web/cli/auto)
+ * @param {String} obj.ipAddress - ip address of request to push secrets
+ */
+const v2PushSecrets = async ({
+	userId,
+	workspaceId,
+	environment,
+	secrets,
+	channel,
+	ipAddress
+}: {
+	userId: string;
+	workspaceId: string;
+	environment: string;
+	secrets: V2PushSecret[];
+	channel: string;
+	ipAddress: string;
+}): Promise<void> => {
+	// TODO: clean up function and fix up types
+	try {
+		const actions: IAction[] = [];
+
+		// construct useful data structures
+		const oldSecrets = await getSecrets({
+			userId,
+			workspaceId,
+			environment
+		});
+
+		const oldSecretsObj: any = oldSecrets.reduce((accumulator, s: any) =>
+			({ ...accumulator, [`${s.type}-${s.secretKeyHash}`]: s })
+			, {});
+		const newSecretsObj: any = secrets.reduce((accumulator, s) =>
+			({ ...accumulator, [`${s.type}-${s.secretKeyHash}`]: s })
+			, {});
+
+		// handle deleting secrets
+		const toDelete = oldSecrets
+			.filter(
+				(s: ISecret) => !(`${s.type}-${s.secretKeyHash}` in newSecretsObj)
+			)
+			.map((s) => s._id);
+		if (toDelete.length > 0) {
+			await Secret.deleteMany({
+				_id: { $in: toDelete }
+			});
+
+			await EESecretService.markDeletedSecretVersions({
+				secretIds: toDelete
+			});
+
+			const deleteAction = await EELogService.createActionSecret({
+				name: ACTION_DELETE_SECRETS,
+				userId,
+				workspaceId,
+				secretIds: toDelete
+			});
+
+			deleteAction && actions.push(deleteAction);
+		}
+
+		const toUpdate = oldSecrets
+			.filter((s) => {
+				if (`${s.type}-${s.secretKeyHash}` in newSecretsObj) {
+					if (s.secretValueHash !== newSecretsObj[`${s.type}-${s.secretKeyHash}`].secretValueHash
+						|| s.secretCommentHash !== newSecretsObj[`${s.type}-${s.secretKeyHash}`].secretCommentHash) {
+						// case: filter secrets where value or comment changed
+						return true;
+					}
+
+					if (!s.version) {
+						// case: filter (legacy) secrets that were not versioned
+						return true;
+					}
+				}
+
+				return false;
+			});
+
+		if (toUpdate.length > 0) {
+			const operations = toUpdate
+				.map((s) => {
+					const {
+						secretValueCiphertext,
+						secretValueIV,
+						secretValueTag,
+						secretValueHash,
+						secretCommentCiphertext,
+						secretCommentIV,
+						secretCommentTag,
+						secretCommentHash,
+					} = newSecretsObj[`${s.type}-${s.secretKeyHash}`];
+
+					const update: Update = {
+						secretValueCiphertext,
+						secretValueIV,
+						secretValueTag,
+						secretValueHash,
+						secretCommentCiphertext,
+						secretCommentIV,
+						secretCommentTag,
+						secretCommentHash,
+					}
+
+					if (!s.version) {
+						// case: (legacy) secret was not versioned
+						update.version = 1;
+					} else {
+						update['$inc'] = {
+							version: 1
+						}
+					}
+
+					if (s.type === SECRET_PERSONAL) {
+						// attach user associated with the personal secret
+						update['user'] = userId;
+					}
+
+					return {
+						updateOne: {
+							filter: {
+								_id: oldSecretsObj[`${s.type}-${s.secretKeyHash}`]._id
+							},
+							update
+						}
+					};
+				});
+			await Secret.bulkWrite(operations as any);
+
+			// (EE) add secret versions for updated secrets
+			await EESecretService.addSecretVersions({
+				secretVersions: toUpdate.map((s) => {
+					return ({
+						...newSecretsObj[`${s.type}-${s.secretKeyHash}`],
+						secret: s._id,
+						version: s.version ? s.version + 1 : 1,
+						workspace: new Types.ObjectId(workspaceId),
+						user: s.user,
+						environment: s.environment,
+						isDeleted: false
+					})
+				})
+			});
+
+			const updateAction = await EELogService.createActionSecret({
+				name: ACTION_UPDATE_SECRETS,
+				userId,
+				workspaceId,
+				secretIds: toUpdate.map((u) => u._id)
+			});
+
+			updateAction && actions.push(updateAction);
+		}
+
+		// handle adding new secrets
+		const toAdd = secrets.filter((s) => !(`${s.type}-${s.secretKeyHash}` in oldSecretsObj));
+
+		if (toAdd.length > 0) {
+			// add secrets
+			const newSecrets = await Secret.insertMany(
+				toAdd.map((s, idx) => ({
+					...s,
+					version: 1,
+					workspace: workspaceId,
+					type: toAdd[idx].type,
+					environment,
+					...(toAdd[idx].type === 'personal' ? { user: userId } : {})
+				}))
+			);
+
+			// (EE) add secret versions for new secrets
+			EESecretService.addSecretVersions({
+				secretVersions: newSecrets.map((secretDocument) => {
+					return {
+						...secretDocument.toObject(),
+						secret: secretDocument._id,
+						isDeleted: false
+					}
+				})
+			});
+
+			const addAction = await EELogService.createActionSecret({
+				name: ACTION_ADD_SECRETS,
+				userId,
+				workspaceId,
+				secretIds: newSecrets.map((n) => n._id)
+			});
+			addAction && actions.push(addAction);
+		}
+
+		// (EE) take a secret snapshot
+		await EESecretService.takeSecretSnapshot({
+			workspaceId
+		})
+
+		// (EE) create (audit) log
+		if (actions.length > 0) {
+			await EELogService.createLog({
+				userId,
+				workspaceId,
+				actions,
+				channel,
+				ipAddress
+			});
 		}
 	} catch (err) {
 		Sentry.setUser(null);
@@ -150,15 +568,14 @@ const pushSecrets = async ({
 };
 
 /**
- * Pull secrets for user with id [userId] for workspace
+ * Get secrets for user with id [userId] for workspace
  * with id [workspaceId] with environment [environment]
  * @param {Object} obj
  * @param {String} obj.userId -id of user to pull secrets for
  * @param {String} obj.workspaceId - id of workspace to pull from
  * @param {String} obj.environment - environment for secrets
- *
  */
-const pullSecrets = async ({
+const getSecrets = async ({
 	userId,
 	workspaceId,
 	environment
@@ -168,6 +585,7 @@ const pullSecrets = async ({
 	environment: string;
 }): Promise<ISecret[]> => {
 	let secrets: any; // TODO: FIX any
+
 	try {
 		// get shared workspace secrets
 		const sharedSecrets = await Secret.find({
@@ -195,9 +613,64 @@ const pullSecrets = async ({
 	return secrets;
 };
 
+/**
+ * Pull secrets for user with id [userId] for workspace
+ * with id [workspaceId] with environment [environment]
+ * @param {Object} obj
+ * @param {String} obj.userId -id of user to pull secrets for
+ * @param {String} obj.workspaceId - id of workspace to pull from
+ * @param {String} obj.environment - environment for secrets
+ * @param {String} obj.channel - channel (web/cli/auto)
+ * @param {String} obj.ipAddress - ip address of request to push secrets
+ */
+const pullSecrets = async ({
+	userId,
+	workspaceId,
+	environment,
+	channel,
+	ipAddress
+}: {
+	userId: string;
+	workspaceId: string;
+	environment: string;
+	channel: string;
+	ipAddress: string;
+}): Promise<ISecret[]> => {
+	let secrets: any;
+
+	try {
+		secrets = await getSecrets({
+			userId,
+			workspaceId,
+			environment
+		})
+
+		const readAction = await EELogService.createActionSecret({
+			name: ACTION_READ_SECRETS,
+			userId,
+			workspaceId,
+			secretIds: secrets.map((n: any) => n._id)
+		});
+
+		readAction && await EELogService.createLog({
+			userId,
+			workspaceId,
+			actions: [readAction],
+			channel,
+			ipAddress
+		});
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		throw new Error('Failed to pull shared and personal secrets');
+	}
+
+	return secrets;
+};
+
 /**
  * Reformat output of pullSecrets() to be compatible with how existing
- * clients handle secrets
+ * web client handle secrets
  * @param {Object} obj
  * @param {Object} obj.secrets
  */
@@ -222,6 +695,13 @@ const reformatPullSecrets = ({ secrets }: { secrets: ISecret[] }) => {
 				iv: s.secretValueIV,
 				tag: s.secretValueTag,
 				hash: s.secretValueHash
+			},
+			secretComment: {
+				workspace: s.workspace,
+				ciphertext: s.secretCommentCiphertext,
+				iv: s.secretCommentIV,
+				tag: s.secretCommentTag,
+				hash: s.secretCommentHash
 			}
 		}));
 	} catch (err) {
@@ -233,71 +713,10 @@ const reformatPullSecrets = ({ secrets }: { secrets: ISecret[] }) => {
 	return reformatedSecrets;
 };
 
-/**
- * Return decrypted secrets in format [format]
- * @param {Object} obj
- * @param {Object[]} obj.secrets - array of (encrypted) secret key-value pair objects
- * @param {String} obj.key - symmetric key to decrypt secret key-value pairs
- * @param {String} obj.format - desired return format that is either "text," "object," or "expanded"
- * @return {String|Object} (decrypted) secrets also called the content
- */
-const decryptSecrets = ({
-	secrets,
-	key,
-	format
-}: {
-	secrets: PushSecret[];
-	key: string;
-	format: DecryptSecretType;
-}) => {
-	// init content
-	let content: any = format === 'text' ? '' : {};
-
-	// decrypt secrets
-	secrets.forEach((s, idx) => {
-		const secretKey = decryptSymmetric({
-			ciphertext: s.ciphertextKey,
-			iv: s.ivKey,
-			tag: s.tagKey,
-			key
-		});
-
-		const secretValue = decryptSymmetric({
-			ciphertext: s.ciphertextValue,
-			iv: s.ivValue,
-			tag: s.tagValue,
-			key
-		});
-
-		switch (format) {
-			case 'text':
-				content += secretKey;
-				content += '=';
-				content += secretValue;
-
-				if (idx < secrets.length) {
-					content += '\n';
-				}
-				break;
-			case 'object':
-				content[secretKey] = secretValue;
-				break;
-			case 'expanded':
-				content[secretKey] = {
-					...s,
-					plaintextKey: secretKey,
-					plaintextValue: secretValue
-				};
-				break;
-		}
-	});
-
-	return content;
-};
-
 export {
-	pushSecrets,
+	validateSecrets,
+	v1PushSecrets,
+	v2PushSecrets,
 	pullSecrets,
-	reformatPullSecrets,
-	decryptSecrets
+	reformatPullSecrets
 };

backend/src/helpers/signup.ts

@@ -5,7 +5,7 @@ import { createOrganization } from './organization';
 import { addMembershipsOrg } from './membershipOrg';
 import { createWorkspace } from './workspace';
 import { addMemberships } from './membership';
-import { OWNER, ADMIN, ACCEPTED, GRANTED } from '../variables';
+import { OWNER, ADMIN, ACCEPTED } from '../variables';
 import { sendMail } from '../helpers/nodemailer';
 
 /**
@@ -66,7 +66,7 @@ const checkEmailVerification = async ({
 			email,
 			token: code
 		});
-	
+
 		if (!token) throw new Error('Failed to find email verification token');
 	} catch (err) {
 		Sentry.setUser(null);
@@ -113,11 +113,10 @@ const initializeDefaultOrg = async ({
 		await addMemberships({
 			userIds: [user._id.toString()],
 			workspaceId: workspace._id.toString(),
-			roles: [ADMIN],
-			statuses: [GRANTED]
+			roles: [ADMIN]
 		});
 	} catch (err) {
-		throw new Error('Failed to initialize default organization and workspace');
+		throw new Error(`Failed to initialize default organization and workspace [err=${err}]`);
 	}
 };
 

backend/src/index.ts

@@ -4,12 +4,13 @@ dotenv.config();
 import * as Sentry from '@sentry/node';
 import { SENTRY_DSN, NODE_ENV, MONGO_URL } from './config';
 import { server } from './app';
-import { initDatabase } from './services/database';
+import { DatabaseService } from './services';
 import { setUpHealthEndpoint } from './services/health';
 import { initSmtp } from './services/smtp';
 import { setTransporter } from './helpers/nodemailer';
+import { createTestUserForDevelopment } from './utils/addDevelopmentUser';
 
-initDatabase(MONGO_URL);
+DatabaseService.initDatabase(MONGO_URL);
 
 setUpHealthEndpoint(server);
 
@@ -23,3 +24,5 @@ if (NODE_ENV !== 'test') {
     environment: NODE_ENV
   });
 }
+
+createTestUserForDevelopment()

backend/src/integrations/apps.ts

@@ -7,16 +7,15 @@ import {
   INTEGRATION_VERCEL,
   INTEGRATION_NETLIFY,
   INTEGRATION_GITHUB,
+  INTEGRATION_RENDER,
+  INTEGRATION_FLYIO,
   INTEGRATION_HEROKU_API_URL,
   INTEGRATION_VERCEL_API_URL,
   INTEGRATION_NETLIFY_API_URL,
-  INTEGRATION_GITHUB_API_URL
+  INTEGRATION_RENDER_API_URL,
+  INTEGRATION_FLYIO_API_URL
 } from '../variables';
 
-interface GitHubApp {
-  name: string;
-}
-
 /**
  * Return list of names of apps for integration named [integration]
  * @param {Object} obj
@@ -34,10 +33,11 @@ const getApps = async ({
 }) => {
   interface App {
     name: string;
-    siteId?: string;
+    appId?: string;
+    owner?: string;
   }
 
-  let apps: App[]; // TODO: add type and define payloads for apps
+  let apps: App[];
   try {
     switch (integrationAuth.integration) {
       case INTEGRATION_HEROKU:
@@ -47,18 +47,27 @@ const getApps = async ({
         break;
       case INTEGRATION_VERCEL:
         apps = await getAppsVercel({
+          integrationAuth,
           accessToken
         });
         break;
       case INTEGRATION_NETLIFY:
         apps = await getAppsNetlify({
-          integrationAuth,
           accessToken
         });
         break;
       case INTEGRATION_GITHUB:
         apps = await getAppsGithub({
-          integrationAuth,
+          accessToken
+        });
+        break;
+      case INTEGRATION_RENDER:
+        apps = await getAppsRender({
+          accessToken
+        });
+        break;
+      case INTEGRATION_FLYIO:
+        apps = await getAppsFlyio({
           accessToken
         });
         break;
@@ -73,7 +82,7 @@ const getApps = async ({
 };
 
 /**
- * Return list of names of apps for Heroku integration
+ * Return list of apps for Heroku integration
  * @param {Object} obj
  * @param {String} obj.accessToken - access token for Heroku API
  * @returns {Object[]} apps - names of Heroku apps
@@ -110,17 +119,28 @@ const getAppsHeroku = async ({ accessToken }: { accessToken: string }) => {
  * @returns {Object[]} apps - names of Vercel apps
  * @returns {String} apps.name - name of Vercel app
  */
-const getAppsVercel = async ({ accessToken }: { accessToken: string }) => {
+const getAppsVercel = async ({ 
+  integrationAuth,
+  accessToken 
+}: { 
+  integrationAuth: IIntegrationAuth;
+  accessToken: string;
+}) => {
   let apps;
   try {
     const res = (
       await axios.get(`${INTEGRATION_VERCEL_API_URL}/v9/projects`, {
         headers: {
           Authorization: `Bearer ${accessToken}`
+        },
+       ...( integrationAuth?.teamId ? { 
+        params: {
+          teamId: integrationAuth.teamId
         }
+      } : {}) 
       })
     ).data;
-
+    
     apps = res.projects.map((a: any) => ({
       name: a.name
     }));
@@ -134,17 +154,15 @@ const getAppsVercel = async ({ accessToken }: { accessToken: string }) => {
 };
 
 /**
- * Return list of names of sites for Netlify integration
+ * Return list of sites for Netlify integration
  * @param {Object} obj
  * @param {String} obj.accessToken - access token for Netlify API
  * @returns {Object[]} apps - names of Netlify sites
  * @returns {String} apps.name - name of Netlify site
  */
 const getAppsNetlify = async ({
-  integrationAuth,
   accessToken
 }: {
-  integrationAuth: IIntegrationAuth;
   accessToken: string;
 }) => {
   let apps;
@@ -159,7 +177,7 @@ const getAppsNetlify = async ({
 
     apps = res.map((a: any) => ({
       name: a.name,
-      siteId: a.site_id
+      appId: a.site_id
     }));
   } catch (err) {
     Sentry.setUser(null);
@@ -171,17 +189,15 @@ const getAppsNetlify = async ({
 };
 
 /**
- * Return list of names of repositories for Github integration
+ * Return list of repositories for Github integration
  * @param {Object} obj
  * @param {String} obj.accessToken - access token for Netlify API
  * @returns {Object[]} apps - names of Netlify sites
  * @returns {String} apps.name - name of Netlify site
  */
 const getAppsGithub = async ({
-  integrationAuth,
   accessToken
 }: {
-  integrationAuth: IIntegrationAuth;
   accessToken: string;
 }) => {
   let apps;
@@ -192,13 +208,16 @@ const getAppsGithub = async ({
 
     const repos = (await octokit.request(
       'GET /user/repos{?visibility,affiliation,type,sort,direction,per_page,page,since,before}',
-      {}
+      {
+        per_page: 100
+      }
     )).data;
 
     apps = repos
       .filter((a:any) => a.permissions.admin === true)
       .map((a: any) => ({
-          name: a.name
+          name: a.name,
+          owner: a.owner.login
         })
       );
   } catch (err) {
@@ -210,4 +229,94 @@ const getAppsGithub = async ({
   return apps;
 };
 
+/**
+ * Return list of services for Render integration
+ * @param {Object} obj
+ * @param {String} obj.accessToken - access token for Render API
+ * @returns {Object[]} apps - names and ids of Render services
+ * @returns {String} apps.name - name of Render service
+ * @returns {String} apps.appId - id of Render service
+ */
+const getAppsRender = async ({
+  accessToken
+}: {
+  accessToken: string;
+}) => {
+  let apps: any;
+  try {
+    const res = (
+      await axios.get(`${INTEGRATION_RENDER_API_URL}/v1/services`, {
+        headers: {
+          Authorization: `Bearer ${accessToken}`
+        }
+      })
+    ).data;
+    
+    apps = res
+      .map((a: any) => ({
+        name: a.service.name,
+        appId: a.service.id
+      })); 
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed to get Render services');
+  }
+  
+  return apps;
+}
+
+/**
+ * Return list of apps for Fly.io integration
+ * @param {Object} obj
+ * @param {String} obj.accessToken - access token for Fly.io API
+ * @returns {Object[]} apps - names and ids of Fly.io apps
+ * @returns {String} apps.name - name of Fly.io apps
+ */
+const getAppsFlyio = async ({
+  accessToken
+}: {
+  accessToken: string;
+}) => {
+  let apps;
+  try {
+    const query = `
+      query($role: String) {
+        apps(type: "container", first: 400, role: $role) {
+          nodes {
+            id
+            name
+            hostname
+          }
+        }
+      }
+    `;
+    
+    const res = (await axios({
+      url: INTEGRATION_FLYIO_API_URL,
+      method: 'post',
+      headers: {
+        'Authorization': 'Bearer ' + accessToken
+      },
+      data: {
+        query,
+        variables: {
+          role: null
+        }
+      }
+    })).data.data.apps.nodes;
+    
+    apps = res
+      .map((a: any) => ({
+        name: a.name
+      })); 
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed to get Fly.io apps');
+  }
+  
+  return apps;
+}
+
 export { getApps };

backend/src/integrations/exchange.ts

@@ -8,8 +8,7 @@ import {
   INTEGRATION_HEROKU_TOKEN_URL,
   INTEGRATION_VERCEL_TOKEN_URL,
   INTEGRATION_NETLIFY_TOKEN_URL,
-  INTEGRATION_GITHUB_TOKEN_URL,
-  INTEGRATION_GITHUB_API_URL
+  INTEGRATION_GITHUB_TOKEN_URL
 } from '../variables';
 import {
   SITE_URL,
@@ -21,7 +20,6 @@ import {
   CLIENT_SECRET_NETLIFY,
   CLIENT_SECRET_GITHUB
 } from '../config';
-import { user } from '../routes';
 
 interface ExchangeCodeHerokuResponse {
   token_type: string;

backend/src/integrations/revoke.ts

@@ -1,6 +1,11 @@
-import axios from 'axios';
 import * as Sentry from '@sentry/node';
-import { IIntegrationAuth, IntegrationAuth, Integration } from '../models';
+import { 
+  IIntegrationAuth, 
+  IntegrationAuth, 
+  Integration,
+  Bot,
+  BotKey
+} from '../models';
 import {
   INTEGRATION_HEROKU,
   INTEGRATION_VERCEL,
@@ -15,6 +20,7 @@ const revokeAccess = async ({
   integrationAuth: IIntegrationAuth;
   accessToken: string;
 }) => {
+  let deletedIntegrationAuth;
   try {
     // add any integration-specific revocation logic
     switch (integrationAuth.integration) {
@@ -28,7 +34,7 @@ const revokeAccess = async ({
         break;
     }
 
-    const deletedIntegrationAuth = await IntegrationAuth.findOneAndDelete({
+    deletedIntegrationAuth = await IntegrationAuth.findOneAndDelete({
       _id: integrationAuth._id
     });
 
@@ -42,6 +48,8 @@ const revokeAccess = async ({
     Sentry.captureException(err);
     throw new Error('Failed to delete integration authorization');
   }
+  
+  return deletedIntegrationAuth;
 };
 
 export { revokeAccess };

backend/src/integrations/sync.ts

@@ -10,23 +10,21 @@ import {
   INTEGRATION_VERCEL,
   INTEGRATION_NETLIFY,
   INTEGRATION_GITHUB,
+  INTEGRATION_RENDER,
+  INTEGRATION_FLYIO,
   INTEGRATION_HEROKU_API_URL,
   INTEGRATION_VERCEL_API_URL,
   INTEGRATION_NETLIFY_API_URL,
-  INTEGRATION_GITHUB_API_URL
+  INTEGRATION_RENDER_API_URL,
+  INTEGRATION_FLYIO_API_URL
 } from '../variables';
 import { access, appendFile } from 'fs';
 
-// TODO: need a helper function in the future to handle integration
-// envar priorities (i.e. prioritize secrets within integration or those on Infisical)
-
 /**
  * Sync/push [secrets] to [app] in integration named [integration]
  * @param {Object} obj
  * @param {IIntegration} obj.integration - integration details
  * @param {IIntegrationAuth} obj.integrationAuth - integration auth details
- * @param {Object} obj.app - app in integration
- * @param {Object} obj.target - (optional) target (environment) in integration
  * @param {Object} obj.secrets - secrets to push to integration (object where keys are secret keys and values are secret values)
  * @param {String} obj.accessToken - access token for integration
  */
@@ -53,6 +51,7 @@ const syncSecrets = async ({
       case INTEGRATION_VERCEL:
         await syncSecretsVercel({
           integration,
+          integrationAuth,
           secrets,
           accessToken
         });
@@ -72,6 +71,20 @@ const syncSecrets = async ({
           accessToken
         });
         break;
+      case INTEGRATION_RENDER:
+        await syncSecretsRender({
+          integration,
+          secrets,
+          accessToken
+        });
+        break;
+      case INTEGRATION_FLYIO:
+        await syncSecretsFlyio({
+          integration,
+          secrets,
+          accessToken
+        });
+        break;
     }
   } catch (err) {
     Sentry.setUser(null);
@@ -81,10 +94,11 @@ const syncSecrets = async ({
 };
 
 /**
- * Sync/push [secrets] to Heroku [app]
+ * Sync/push [secrets] to Heroku app named [integration.app]
  * @param {Object} obj
  * @param {IIntegration} obj.integration - integration details
  * @param {Object} obj.secrets - secrets to push to integration (object where keys are secret keys and values are secret values)
+ * @param {String} obj.accessToken - access token for Heroku integration
  */
 const syncSecretsHeroku = async ({
   integration,
@@ -132,21 +146,22 @@ const syncSecretsHeroku = async ({
 };
 
 /**
- * Sync/push [secrets] to Heroku [app]
+ * Sync/push [secrets] to Vercel project named [integration.app]
  * @param {Object} obj
  * @param {IIntegration} obj.integration - integration details
  * @param {Object} obj.secrets - secrets to push to integration (object where keys are secret keys and values are secret values)
  */
 const syncSecretsVercel = async ({
     integration,
+    integrationAuth,
     secrets,
     accessToken
 }: {
     integration: IIntegration,
+    integrationAuth: IIntegrationAuth,
     secrets: any;
     accessToken: string;
 }) => {
-    
     interface VercelSecret {
         id?: string;
         type: string;
@@ -156,138 +171,145 @@ const syncSecretsVercel = async ({
     }
     
     try {
-        // Get all (decrypted) secrets back from Vercel in
-        // decrypted format
-        const params = new URLSearchParams({
-            decrypt: "true"
-        });
-        
-        const res = (await Promise.all((await axios.get(
-            `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env`, 
-            {
+      // Get all (decrypted) secrets back from Vercel in
+      // decrypted format
+      const params: { [key: string]: string } = {
+        decrypt: 'true',
+        ...( integrationAuth?.teamId ? { 
+          teamId: integrationAuth.teamId
+        } : {})   
+      }
+      
+      const res = (await Promise.all((await axios.get(
+          `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env`, 
+          {
+              params,
+              headers: {
+                  Authorization: `Bearer ${accessToken}`
+              }
+          }
+      ))
+      .data
+      .envs
+      .filter((secret: VercelSecret) => secret.target.includes(integration.targetEnvironment))
+      .map(async (secret: VercelSecret) => (await axios.get(
+              `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env/${secret.id}`,
+              {
                 params,
                 headers: {
                     Authorization: `Bearer ${accessToken}`
                 }
-            }
-        ))
-        .data
-        .envs
-        .filter((secret: VercelSecret) => secret.target.includes(integration.target))
-        .map(async (secret: VercelSecret) => (await axios.get(
-                `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env/${secret.id}`,
-                {
+              }
+          )).data)
+      )).reduce((obj: any, secret: any) => ({
+          ...obj,
+          [secret.key]: secret
+      }), {});
+      
+      const updateSecrets: VercelSecret[] = [];
+      const deleteSecrets: VercelSecret[] = [];
+      const newSecrets: VercelSecret[] = [];
+
+      // Identify secrets to create
+      Object.keys(secrets).map((key) => {
+          if (!(key in res)) {
+              // case: secret has been created
+              newSecrets.push({
+                  key: key,
+                  value: secrets[key],
+                  type: 'encrypted',
+                  target: [integration.targetEnvironment]
+              });
+          }
+      });
+      
+      // Identify secrets to update and delete
+      Object.keys(res).map((key) => {
+          if (key in secrets) {
+              if (res[key].value !== secrets[key]) {
+                  // case: secret value has changed
+                  updateSecrets.push({
+                      id: res[key].id,
+                      key: key,
+                      value: secrets[key],
+                      type: 'encrypted',
+                      target: [integration.targetEnvironment]
+                  });
+              }
+          } else {
+              // case: secret has been deleted
+              deleteSecrets.push({
+                  id: res[key].id,
+                  key: key,
+                  value: res[key].value,
+                  type: 'encrypted',
+                  target: [integration.targetEnvironment],
+              });
+          }
+      });
+
+      // Sync/push new secrets
+      if (newSecrets.length > 0) {
+          await axios.post(
+              `${INTEGRATION_VERCEL_API_URL}/v10/projects/${integration.app}/env`,
+              newSecrets,
+              {
+                params,
+                headers: {
+                    Authorization: `Bearer ${accessToken}`
+                }
+              }
+          );
+      }
+
+      // Sync/push updated secrets
+      if (updateSecrets.length > 0) {
+          updateSecrets.forEach(async (secret: VercelSecret) => {
+              const { 
+                  id, 
+                  ...updatedSecret 
+              } = secret;
+              await axios.patch(
+                  `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env/${secret.id}`,
+                  updatedSecret,
+                  {
+                    params,
+                    headers: {
+                        Authorization: `Bearer ${accessToken}` 
+                    }
+                  }
+              );
+          });
+      }
+
+      // Delete secrets
+      if (deleteSecrets.length > 0) {
+          deleteSecrets.forEach(async (secret: VercelSecret) => {
+              await axios.delete(
+                  `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env/${secret.id}`,
+                  {
+                    params,
                     headers: {
                         Authorization: `Bearer ${accessToken}`
                     }
-                    
-                }
-            )).data)
-        )).reduce((obj: any, secret: any) => ({
-            ...obj,
-            [secret.key]: secret
-        }), {});
-        
-        const updateSecrets: VercelSecret[] = [];
-        const deleteSecrets: VercelSecret[] = [];
-        const newSecrets: VercelSecret[] = [];
-
-        // Identify secrets to create
-        Object.keys(secrets).map((key) => {
-            if (!(key in res)) {
-                // case: secret has been created
-                newSecrets.push({
-                    key: key,
-                    value: secrets[key],
-                    type: 'encrypted',
-                    target: [integration.target]
-                });
-            }
-        });
-        
-        // Identify secrets to update and delete
-        Object.keys(res).map((key) => {
-            if (key in secrets) {
-                if (res[key].value !== secrets[key]) {
-                    // case: secret value has changed
-                    updateSecrets.push({
-                        id: res[key].id,
-                        key: key,
-                        value: secrets[key],
-                        type: 'encrypted',
-                        target: [integration.target]
-                    });
-                }
-            } else {
-                // case: secret has been deleted
-                deleteSecrets.push({
-                    id: res[key].id,
-                    key: key,
-                    value: res[key].value,
-                    type: 'encrypted',
-                    target: [integration.target],
-                });
-            }
-        });
-
-        // Sync/push new secrets
-        if (newSecrets.length > 0) {
-            await axios.post(
-                `${INTEGRATION_VERCEL_API_URL}/v10/projects/${integration.app}/env`,
-                newSecrets,
-                {
-                    headers: {
-                        Authorization: `Bearer ${accessToken}`
-                    }
-                }
-            );
-        }
-
-        // Sync/push updated secrets
-        if (updateSecrets.length > 0) {
-            updateSecrets.forEach(async (secret: VercelSecret) => {
-                const { 
-                    id, 
-                    ...updatedSecret 
-                } = secret;
-                await axios.patch(
-                    `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env/${secret.id}`,
-                    updatedSecret,
-                    {
-                        headers: {
-                            Authorization: `Bearer ${accessToken}` 
-                        }
-                    }
-                );
-            });
-        }
-
-        // Delete secrets
-        if (deleteSecrets.length > 0) {
-            deleteSecrets.forEach(async (secret: VercelSecret) => {
-                await axios.delete(
-                    `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env/${secret.id}`,
-                    {
-                        headers: {
-                            Authorization: `Bearer ${accessToken}`
-                        }
-                    }
-                );
-            });
-        }
+                  }
+              );
+          });
+      }
     } catch (err) {
-        Sentry.setUser(null);
-        Sentry.captureException(err);
-        throw new Error('Failed to sync secrets to Vercel');
+      Sentry.setUser(null);
+      Sentry.captureException(err);
+      throw new Error('Failed to sync secrets to Vercel');
     }
 }
 
 /**
- * Sync/push [secrets] to Netlify site [app]
+ * Sync/push [secrets] to Netlify site with id [integration.appId]
  * @param {Object} obj
  * @param {IIntegration} obj.integration - integration details
  * @param {IIntegrationAuth} obj.integrationAuth - integration auth details
  * @param {Object} obj.secrets - secrets to push to integration (object where keys are secret keys and values are secret values)
+ * @param {Object} obj.accessToken - access token for Netlify integration
  */
 const syncSecretsNetlify = async ({
     integration,
@@ -302,197 +324,198 @@ const syncSecretsNetlify = async ({
 }) => {
     try {
 
-        interface NetlifyValue {
-            id?: string;
-            context: string; // 'dev' | 'branch-deploy' | 'deploy-preview' | 'production',
-            value: string;
-        }
-        
-        interface NetlifySecret {
-            key: string;
-            values: NetlifyValue[];
-        }
-        
-        interface NetlifySecretsRes {
-            [index: string]: NetlifySecret;
-        }
-        
-        const getParams = new URLSearchParams({
-            context_name: 'all', // integration.context or all
-            site_id: integration.siteId
-        });
-        
-        const res = (await axios.get(
-            `${INTEGRATION_NETLIFY_API_URL}/api/v1/accounts/${integrationAuth.accountId}/env`,
-            {
-                params: getParams,
-                headers: {
-                    Authorization: `Bearer ${accessToken}`
-                }
-            }
-        ))
-        .data
-        .reduce((obj: any, secret: any) => ({
-            ...obj,
-            [secret.key]: secret
-        }), {});
-        
-        const newSecrets: NetlifySecret[] = []; // createEnvVars
-        const deleteSecrets: string[] = []; // deleteEnvVar
-        const deleteSecretValues: NetlifySecret[] = []; // deleteEnvVarValue
-        const updateSecrets: NetlifySecret[] = []; // setEnvVarValue
+      interface NetlifyValue {
+          id?: string;
+          context: string; // 'dev' | 'branch-deploy' | 'deploy-preview' | 'production',
+          value: string;
+      }
+      
+      interface NetlifySecret {
+          key: string;
+          values: NetlifyValue[];
+      }
+      
+      interface NetlifySecretsRes {
+          [index: string]: NetlifySecret;
+      }
+      
+      const getParams = new URLSearchParams({
+          context_name: 'all', // integration.context or all
+          site_id: integration.appId
+      });
+      
+      const res = (await axios.get(
+          `${INTEGRATION_NETLIFY_API_URL}/api/v1/accounts/${integrationAuth.accountId}/env`,
+          {
+              params: getParams,
+              headers: {
+                  Authorization: `Bearer ${accessToken}`
+              }
+          }
+      ))
+      .data
+      .reduce((obj: any, secret: any) => ({
+          ...obj,
+          [secret.key]: secret
+      }), {});
+      
+      const newSecrets: NetlifySecret[] = []; // createEnvVars
+      const deleteSecrets: string[] = []; // deleteEnvVar
+      const deleteSecretValues: NetlifySecret[] = []; // deleteEnvVarValue
+      const updateSecrets: NetlifySecret[] = []; // setEnvVarValue
+      
+      // identify secrets to create and update
+      Object.keys(secrets).map((key) => {
+          if (!(key in res)) {
+              // case: Infisical secret does not exist in Netlify -> create secret
+              newSecrets.push({
+                  key,
+                  values: [{
+                      value: secrets[key],
+                      context: integration.targetEnvironment
+                  }]
+              });
+          } else {
+              // case: Infisical secret exists in Netlify
+              const contexts = res[key].values
+                  .reduce((obj: any, value: NetlifyValue) => ({
+                      ...obj,
+                      [value.context]: value
+                  }), {});
+              
+              if (integration.targetEnvironment in contexts) {
+                  // case: Netlify secret value exists in integration context
+                  if (secrets[key] !== contexts[integration.targetEnvironment].value) {
+                      // case: Infisical and Netlify secret values are different
+                      // -> update Netlify secret context and value
+                      updateSecrets.push({
+                          key,
+                          values: [{
+                              context: integration.targetEnvironment,
+                              value: secrets[key]
+                          }]
+                      });
+                  }
+              } else {
+                  // case: Netlify secret value does not exist in integration context
+                  // -> add the new Netlify secret context and value
+                  updateSecrets.push({
+                      key,
+                      values: [{
+                          context: integration.targetEnvironment,
+                          value: secrets[key]
+                      }]
+                  });
+              }
+          }
+      })
+      
+      // identify secrets to delete
+      // TODO: revise (patch case where 1 context was deleted but others still there
+      Object.keys(res).map((key) => {
+          // loop through each key's context
+          if (!(key in secrets)) {
+              // case: Netlify secret does not exist in Infisical
+              
+              const numberOfValues = res[key].values.length;
+              
+              res[key].values.forEach((value: NetlifyValue) => {
+                  if (value.context === integration.targetEnvironment) {
+                      if (numberOfValues <= 1) {
+                          // case: Netlify secret value has less than 1 context -> delete secret
+                          deleteSecrets.push(key); 
+                      } else {
+                          // case: Netlify secret value has more than 1 context -> delete secret value context
+                          deleteSecretValues.push({
+                              key,
+                              values: [{
+                                  id: value.id,
+                                  context: integration.targetEnvironment,
+                                  value: value.value
+                              }]
+                          });
+                      }
+                  }
+              });
+          }
+      });
 
-        // identify secrets to create and update
-        Object.keys(secrets).map((key) => {
-            if (!(key in res)) {
-                // case: Infisical secret does not exist in Netlify -> create secret
-                newSecrets.push({
-                    key,
-                    values: [{
-                        value: secrets[key],
-                        context: integration.context
-                    }]
-                });
-            } else {
-                // case: Infisical secret exists in Netlify
-                const contexts = res[key].values
-                    .reduce((obj: any, value: NetlifyValue) => ({
-                        ...obj,
-                        [value.context]: value
-                    }), {});
-                
-                if (integration.context in contexts) {
-                    // case: Netlify secret value exists in integration context
-                    if (secrets[key] !== contexts[integration.context].value) {
-                        // case: Infisical and Netlify secret values are different
-                        // -> update Netlify secret context and value
-                        updateSecrets.push({
-                            key,
-                            values: [{
-                                context: integration.context,
-                                value: secrets[key]
-                            }]
-                        });
-                    }
-                } else {
-                    // case: Netlify secret value does not exist in integration context
-                    // -> add the new Netlify secret context and value
-                    updateSecrets.push({
-                        key,
-                        values: [{
-                            context: integration.context,
-                            value: secrets[key]
-                        }]
-                    });
-                }
-            }
-        })
-        
-        // identify secrets to delete
-        // TODO: revise (patch case where 1 context was deleted but others still there
-        Object.keys(res).map((key) => {
-            // loop through each key's context
-            if (!(key in secrets)) {
-                // case: Netlify secret does not exist in Infisical
-                
-                const numberOfValues = res[key].values.length;
-                
-                res[key].values.forEach((value: NetlifyValue) => {
-                    if (value.context === integration.context) {
-                        if (numberOfValues <= 1) {
-                            // case: Netlify secret value has less than 1 context -> delete secret
-                            deleteSecrets.push(key); 
-                        } else {
-                            // case: Netlify secret value has more than 1 context -> delete secret value context
-                            deleteSecretValues.push({
-                                key,
-                                values: [{
-                                    id: value.id,
-                                    context: integration.context,
-                                    value: value.value
-                                }]
-                            });
-                        }
-                    }
-                });
-            }
-        });
+      const syncParams = new URLSearchParams({
+          site_id: integration.appId
+      });
 
-        const syncParams = new URLSearchParams({
-            site_id: integration.siteId
-        });
+      if (newSecrets.length > 0) {
+          await axios.post(
+              `${INTEGRATION_NETLIFY_API_URL}/api/v1/accounts/${integrationAuth.accountId}/env`,
+              newSecrets,
+              {
+                  params: syncParams,
+                  headers: {
+                      Authorization: `Bearer ${accessToken}`
+                  }
+              }
+          );
+      }
 
-        if (newSecrets.length > 0) {
-            await axios.post(
-                `${INTEGRATION_NETLIFY_API_URL}/api/v1/accounts/${integrationAuth.accountId}/env`,
-                newSecrets,
-                {
-                    params: syncParams,
-                    headers: {
-                        Authorization: `Bearer ${accessToken}`
-                    }
-                }
-            );
-        }
+      if (updateSecrets.length > 0) {
+          updateSecrets.forEach(async (secret: NetlifySecret) => {
+              await axios.patch(
+                  `${INTEGRATION_NETLIFY_API_URL}/api/v1/accounts/${integrationAuth.accountId}/env/${secret.key}`,
+                  {
+                      context: secret.values[0].context,
+                      value: secret.values[0].value
+                  },
+                  {
+                      params: syncParams,
+                      headers: {
+                          Authorization: `Bearer ${accessToken}` 
+                      }
+                  }
+              );
+          });
+      }
 
-        if (updateSecrets.length > 0) {
-            updateSecrets.forEach(async (secret: NetlifySecret) => {
-                await axios.patch(
-                    `${INTEGRATION_NETLIFY_API_URL}/api/v1/accounts/${integrationAuth.accountId}/env/${secret.key}`,
-                    {
-                        context: secret.values[0].context,
-                        value: secret.values[0].value
-                    },
-                    {
-                        params: syncParams,
-                        headers: {
-                            Authorization: `Bearer ${accessToken}` 
-                        }
-                    }
-                );
-            });
-        }
+      if (deleteSecrets.length > 0) {
+          deleteSecrets.forEach(async (key: string) => {
+              await axios.delete(
+                  `${INTEGRATION_NETLIFY_API_URL}/api/v1/accounts/${integrationAuth.accountId}/env/${key}`,
+                  {
+                      params: syncParams,
+                      headers: {
+                          Authorization: `Bearer ${accessToken}`
+                      }
+                  }
+              );
+          });
+      }
 
-        if (deleteSecrets.length > 0) {
-            deleteSecrets.forEach(async (key: string) => {
-                await axios.delete(
-                    `${INTEGRATION_NETLIFY_API_URL}/api/v1/accounts/${integrationAuth.accountId}/env/${key}`,
-                    {
-                        params: syncParams,
-                        headers: {
-                            Authorization: `Bearer ${accessToken}`
-                        }
-                    }
-                );
-            });
-        }
-
-        if (deleteSecretValues.length > 0) {
-            deleteSecretValues.forEach(async (secret: NetlifySecret) => {
-                await axios.delete(
-                    `${INTEGRATION_NETLIFY_API_URL}/api/v1/accounts/${integrationAuth.accountId}/env/${secret.key}/value/${secret.values[0].id}`,
-                    {
-                        params: syncParams,
-                        headers: {
-                            Authorization: `Bearer ${accessToken}`
-                        }
-                    }
-                );
-            });
-        }
+      if (deleteSecretValues.length > 0) {
+          deleteSecretValues.forEach(async (secret: NetlifySecret) => {
+              await axios.delete(
+                  `${INTEGRATION_NETLIFY_API_URL}/api/v1/accounts/${integrationAuth.accountId}/env/${secret.key}/value/${secret.values[0].id}`,
+                  {
+                      params: syncParams,
+                      headers: {
+                          Authorization: `Bearer ${accessToken}`
+                      }
+                  }
+              );
+          });
+      }
     } catch (err) {
-        Sentry.setUser(null);
-        Sentry.captureException(err);
-        throw new Error('Failed to sync secrets to Heroku');
+      Sentry.setUser(null);
+      Sentry.captureException(err);
+      throw new Error('Failed to sync secrets to Heroku');
     }
 }
 
 /**
- * Sync/push [secrets] to GitHub [repo]
+ * Sync/push [secrets] to GitHub repo with name [integration.app]
  * @param {Object} obj
  * @param {IIntegration} obj.integration - integration details
  * @param {IIntegrationAuth} obj.integrationAuth - integration auth details
  * @param {Object} obj.secrets - secrets to push to integration (object where keys are secret keys and values are secret values)
+ * @param {String} obj.accessToken - access token for GitHub integration 
  */
 const syncSecretsGitHub = async ({
   integration,
@@ -526,21 +549,20 @@ const syncSecretsGitHub = async ({
       auth: accessToken
     });
 
-    const user = (await octokit.request('GET /user', {})).data;
-    
+    // const user = (await octokit.request('GET /user', {})).data;
     const repoPublicKey: GitHubRepoKey = (await octokit.request(
       'GET /repos/{owner}/{repo}/actions/secrets/public-key',
       {
-        owner: user.login,
+        owner: integration.owner,
         repo: integration.app
       }
     )).data;
 
-    // // Get local copy of decrypted secrets. We cannot decrypt them as we dont have access to GH private key
+    // Get local copy of decrypted secrets. We cannot decrypt them as we dont have access to GH private key
     const encryptedSecrets: GitHubSecretRes = (await octokit.request(
       'GET /repos/{owner}/{repo}/actions/secrets',
       {
-        owner: user.login,
+        owner: integration.owner,
         repo: integration.app
       }
     ))
@@ -556,7 +578,7 @@ const syncSecretsGitHub = async ({
         await octokit.request(
           'DELETE /repos/{owner}/{repo}/actions/secrets/{secret_name}',
           {
-            owner: user.login,
+            owner: integration.owner,
             repo: integration.app,
             secret_name: key
           }
@@ -586,7 +608,7 @@ const syncSecretsGitHub = async ({
           await octokit.request(
             'PUT /repos/{owner}/{repo}/actions/secrets/{secret_name}',
             {
-              owner: user.login,
+              owner: integration.owner,
               repo: integration.app,
               secret_name: key,
               encrypted_value: encryptedSecret,
@@ -602,4 +624,175 @@ const syncSecretsGitHub = async ({
   }
 };
 
+/**
+ * Sync/push [secrets] to Render service with id [integration.appId]
+ * @param {Object} obj
+ * @param {IIntegration} obj.integration - integration details
+ * @param {Object} obj.secrets - secrets to push to integration (object where keys are secret keys and values are secret values)
+ * @param {String} obj.accessToken - access token for Render integration
+ */
+const syncSecretsRender = async ({
+  integration,
+  secrets,
+  accessToken
+}: {
+  integration: IIntegration;
+  secrets: any;
+  accessToken: string;
+}) => {
+  try {
+    await axios.put(
+      `${INTEGRATION_RENDER_API_URL}/v1/services/${integration.appId}/env-vars`,
+      Object.keys(secrets).map((key) => ({
+        key,
+        value: secrets[key]
+      })),
+      {
+        headers: {
+          Authorization: `Bearer ${accessToken}`
+        }
+      }
+    );
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed to sync secrets to Render');
+  }
+}
+
+/**
+ * Sync/push [secrets] to Fly.io app
+ * @param {Object} obj
+ * @param {IIntegration} obj.integration - integration details
+ * @param {Object} obj.secrets - secrets to push to integration (object where keys are secret keys and values are secret values)
+ * @param {String} obj.accessToken - access token for Render integration
+ */
+const syncSecretsFlyio = async ({
+  integration,
+  secrets,
+  accessToken
+}: {
+  integration: IIntegration;
+  secrets: any;
+  accessToken: string;
+}) => {
+  try {
+    // set secrets
+    const SetSecrets = `
+      mutation($input: SetSecretsInput!) {
+        setSecrets(input: $input) {
+          release {
+            id
+            version
+            reason
+            description
+            user {
+              id
+              email
+              name
+            }
+            evaluationId
+            createdAt
+          }
+        }
+      }
+    `;
+
+    await axios({
+      url: INTEGRATION_FLYIO_API_URL,
+      method: 'post',
+      headers: {
+        'Authorization': 'Bearer ' + accessToken
+      },
+      data: {
+        query: SetSecrets,
+        variables: {
+          input: {
+            appId: integration.app,
+            secrets: Object.entries(secrets).map(([key, value]) => ({ key, value }))
+          }
+        }
+      }
+    });
+    
+    // get secrets
+    interface FlyioSecret {
+      name: string;
+      digest: string;
+      createdAt: string;
+    }
+    
+    const GetSecrets = `query ($appName: String!) {
+        app(name: $appName) {
+            secrets {
+                name
+                digest
+                createdAt
+            }
+        }
+    }`;
+
+    const getSecretsRes = (await axios({
+        method: 'post',
+        url: INTEGRATION_FLYIO_API_URL,
+        headers: {
+            'Authorization': 'Bearer ' + accessToken,
+            'Content-Type': 'application/json'
+        },
+        data: {
+          query: GetSecrets,
+          variables: {
+            appName: integration.app
+          }
+        }
+    })).data.data.app.secrets;
+    
+    const deleteSecretsKeys = getSecretsRes
+      .filter((secret: FlyioSecret) => !(secret.name in secrets))
+      .map((secret: FlyioSecret) => secret.name);
+    
+    // unset (delete) secrets
+    const DeleteSecrets = `mutation($input: UnsetSecretsInput!) {
+        unsetSecrets(input: $input) {
+            release {
+                id
+                version
+                reason
+                description
+                user {
+                    id
+                    email
+                    name
+                }
+                evaluationId
+                createdAt
+            }
+        }
+    }`;
+
+    await axios({
+        method: 'post',
+        url: INTEGRATION_FLYIO_API_URL,
+        headers: {
+          'Authorization': 'Bearer ' + accessToken,
+          'Content-Type': 'application/json'
+        },
+        data: {
+          query: DeleteSecrets,
+          variables: {
+            input: {
+              appId: integration.app,
+              keys: deleteSecretsKeys
+            }
+          }
+        }
+    });
+
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed to sync secrets to Fly.io');
+  }
+}
+
 export { syncSecrets };

backend/src/middleware/index.ts

@@ -2,10 +2,15 @@ import requireAuth from './requireAuth';
 import requireBotAuth from './requireBotAuth';
 import requireSignupAuth from './requireSignupAuth';
 import requireWorkspaceAuth from './requireWorkspaceAuth';
+import requireMembershipAuth from './requireMembershipAuth';
+import requireMembershipOrgAuth from './requireMembershipOrgAuth';
 import requireOrganizationAuth from './requireOrganizationAuth';
 import requireIntegrationAuth from './requireIntegrationAuth';
 import requireIntegrationAuthorizationAuth from './requireIntegrationAuthorizationAuth';
 import requireServiceTokenAuth from './requireServiceTokenAuth';
+import requireServiceTokenDataAuth from './requireServiceTokenDataAuth';
+import requireSecretAuth from './requireSecretAuth';
+import requireSecretsAuth from './requireSecretsAuth';
 import validateRequest from './validateRequest';
 
 export {
@@ -13,9 +18,14 @@ export {
 	requireBotAuth,
 	requireSignupAuth,
 	requireWorkspaceAuth,
+	requireMembershipAuth,
+	requireMembershipOrgAuth,
 	requireOrganizationAuth,
 	requireIntegrationAuth,
 	requireIntegrationAuthorizationAuth,
 	requireServiceTokenAuth,
+	requireServiceTokenDataAuth,
+	requireSecretAuth,
+	requireSecretsAuth,
 	validateRequest
 };

backend/src/middleware/requestErrorHandler.ts

@@ -4,26 +4,33 @@ import * as Sentry from '@sentry/node';
 import { InternalServerError } from "../utils/errors";
 import { getLogger } from "../utils/logger";
 import RequestError, { LogLevel } from "../utils/requestError";
+import { NODE_ENV } from "../config";
 
 
-export const requestErrorHandler: ErrorRequestHandler = (error: RequestError|Error, req, res, next) => {
-    if(res.headersSent) return next();
+export const requestErrorHandler: ErrorRequestHandler = (error: RequestError | Error, req, res, next) => {
+    if (res.headersSent) return next();
+    if (NODE_ENV !== "production") {
+        /* eslint-disable no-console */
+        console.log(error)
+        /* eslint-enable no-console */
+    }
+
     //TODO: Find better way to type check for error. In current setting you need to cast type to get the functions and variables from RequestError
-    if(!(error instanceof RequestError)){
-        error = InternalServerError({context: {exception: error.message}, stack: error.stack})
+    if (!(error instanceof RequestError)) {
+        error = InternalServerError({ context: { exception: error.message }, stack: error.stack })
         getLogger('backend-main').log((<RequestError>error).levelName.toLowerCase(), (<RequestError>error).message)
     }
-    
+
     //* Set Sentry user identification if req.user is populated
-    if(req.user !== undefined && req.user !== null){
+    if (req.user !== undefined && req.user !== null) {
         Sentry.setUser({ email: req.user.email })
     }
     //* Only sent error to Sentry if LogLevel is one of the following level 'ERROR', 'EMERGENCY' or 'CRITICAL'
     //* with this we will eliminate false-positive errors like 'BadRequestError', 'UnauthorizedRequestError' and so on
-    if([LogLevel.ERROR, LogLevel.EMERGENCY, LogLevel.CRITICAL].includes((<RequestError>error).level)){
+    if ([LogLevel.ERROR, LogLevel.EMERGENCY, LogLevel.CRITICAL].includes((<RequestError>error).level)) {
         Sentry.captureException(error)
     }
-    
+
     res.status((<RequestError>error).statusCode).json((<RequestError>error).format(req))
     next()
 }

backend/src/middleware/requireAuth.ts

@@ -1,8 +1,12 @@
 import jwt from 'jsonwebtoken';
 import { Request, Response, NextFunction } from 'express';
-import { User } from '../models';
-import { JWT_AUTH_SECRET } from '../config';
-import { AccountNotFoundError, BadRequestError, UnauthorizedRequestError } from '../utils/errors';
+import { User, ServiceTokenData } from '../models';
+import {
+	validateAuthMode,
+	getAuthUserPayload,
+	getAuthSTDPayload,
+	getAuthAPIKeyPayload
+} from '../helpers/auth';
 
 declare module 'jsonwebtoken' {
 	export interface UserIDJwtPayload extends jwt.JwtPayload {
@@ -11,34 +15,49 @@ declare module 'jsonwebtoken' {
 }
 
 /**
- * Validate if JWT (auth) token on request is valid (e.g. not expired),
- * if there is an associated user, and if that user is fully setup.
- * @param req - express request object
- * @param res - express response object
- * @param next - express next function
+ * Validate if token on request is valid (e.g. not expired) for various auth modes:
+ * - If token is a JWT token, then check if there is an associated user
+ * and if user is fully setup.
+ * - If token is a service token (st), then check if there is associated
+ * service token data.
+ * @param {Object} obj
+ * @param {String[]} obj.acceptedAuthModes - accepted modes of authentication (jwt/st)
  * @returns
  */
-const requireAuth = async (req: Request, res: Response, next: NextFunction) => {
-	// JWT authentication middleware
-	const [ AUTH_TOKEN_TYPE, AUTH_TOKEN_VALUE ] = <[string, string]>req.headers['authorization']?.split(' ', 2) ?? [null, null]
-	if(AUTH_TOKEN_TYPE === null) return next(BadRequestError({message: `Missing Authorization Header in the request header.`}))
-	if(AUTH_TOKEN_TYPE.toLowerCase() !== 'bearer') return next(BadRequestError({message: `The provided authentication type '${AUTH_TOKEN_TYPE}' is not supported.`}))
-	if(AUTH_TOKEN_VALUE === null) return next(BadRequestError({message: 'Missing Authorization Body in the request header'}))
+const requireAuth = ({
+	acceptedAuthModes = ['jwt']
+}: {
+	acceptedAuthModes: string[];
+}) => {
+	return async (req: Request, res: Response, next: NextFunction) => {
+		// validate auth token against accepted auth modes [acceptedAuthModes]
+		// and return token type [authTokenType] and value [authTokenValue]
+		const { authTokenType, authTokenValue } = validateAuthMode({
+			headers: req.headers,
+			acceptedAuthModes
+		});
 
-	const decodedToken = <jwt.UserIDJwtPayload>(
-		jwt.verify(AUTH_TOKEN_VALUE, JWT_AUTH_SECRET)
-	);
+		// attach auth payloads
+		switch (authTokenType) {
+			case 'serviceToken':
+				req.serviceTokenData = await getAuthSTDPayload({
+					authTokenValue
+				});
+				break;
+			case 'apiKey':
+				req.user = await getAuthAPIKeyPayload({
+					authTokenValue
+				});
+				break;
+			default:
+				req.user = await getAuthUserPayload({
+					authTokenValue
+				});
+				break;
+		}
 
-	const user = await User.findOne({
-		_id: decodedToken.userId
-	}).select('+publicKey');
-
-	if (!user) return next(AccountNotFoundError({message: 'Failed to locate User account'}))
-	if (!user?.publicKey)
-		return next(UnauthorizedRequestError({message: 'Unable to authenticate due to partially set up account'}))
-
-	req.user = user;
-	return next();
-};
+		return next();
+	}
+}
 
 export default requireAuth;

backend/src/middleware/requireBotAuth.ts

@@ -7,15 +7,13 @@ type req = 'params' | 'body' | 'query';
 
 const requireBotAuth = ({
     acceptedRoles,
-    acceptedStatuses,
     location = 'params'
 }: {
     acceptedRoles: string[];
-    acceptedStatuses: string[];
     location?: req;
 }) => {
     return async (req: Request, res: Response, next: NextFunction) => {
-        const bot = await Bot.findOne({ _id: req[location].botId });
+        const bot = await Bot.findById(req[location].botId);
         
         if (!bot) {
             return next(AccountNotFoundError({message: 'Failed to locate Bot account'}))
@@ -24,8 +22,7 @@ const requireBotAuth = ({
         await validateMembership({
             userId: req.user._id.toString(),
             workspaceId: bot.workspace.toString(),
-            acceptedRoles,
-            acceptedStatuses
+            acceptedRoles
         });
         
         req.bot = bot;

backend/src/middleware/requireIntegrationAuth.ts

@@ -9,14 +9,11 @@ import { IntegrationNotFoundError, UnauthorizedRequestError } from '../utils/err
  * with the integration on request params.
  * @param {Object} obj
  * @param {String[]} obj.acceptedRoles - accepted workspace roles
- * @param {String[]} obj.acceptedStatuses - accepted workspace statuses
  */
 const requireIntegrationAuth = ({
-	acceptedRoles,
-	acceptedStatuses
+	acceptedRoles
 }: {
 	acceptedRoles: string[];
-	acceptedStatuses: string[];
 }) => {
 	return async (req: Request, res: Response, next: NextFunction) => {
 		// integration authorization middleware
@@ -35,8 +32,7 @@ const requireIntegrationAuth = ({
 		await validateMembership({
 			userId: req.user._id.toString(),
 			workspaceId: integration.workspace.toString(),
-			acceptedRoles,
-			acceptedStatuses
+			acceptedRoles
 		});
 
 		const integrationAuth = await IntegrationAuth.findOne({

backend/src/middleware/requireIntegrationAuthorizationAuth.ts

@@ -1,33 +1,35 @@
 import * as Sentry from '@sentry/node';
 import { Request, Response, NextFunction } from 'express';
-import { IntegrationAuth } from '../models';
+import { IntegrationAuth, IWorkspace } from '../models';
 import { IntegrationService } from '../services';
 import { validateMembership } from '../helpers/membership';
 import { UnauthorizedRequestError } from '../utils/errors';
 
+type req = 'params' | 'body' | 'query';
+
 /**
  * Validate if user on request is a member of workspace with proper roles associated
  * with the integration authorization on request params.
  * @param {Object} obj
  * @param {String[]} obj.acceptedRoles - accepted workspace roles
- * @param {String[]} obj.acceptedStatuses - accepted workspace statuses
  * @param {Boolean} obj.attachAccessToken - whether or not to decrypt and attach integration authorization access token onto request
  */
 const requireIntegrationAuthorizationAuth = ({
 	acceptedRoles,
-	acceptedStatuses,
-	attachAccessToken = true
+	attachAccessToken = true,
+	location = 'params'
 }: {
 	acceptedRoles: string[];
-	acceptedStatuses: string[];
 	attachAccessToken?: boolean;
+	location?: req;
 }) => {
 	return async (req: Request, res: Response, next: NextFunction) => {
-		const { integrationAuthId } = req.params;
-
+		const { integrationAuthId } = req[location];
 		const integrationAuth = await IntegrationAuth.findOne({
 			_id: integrationAuthId
-		}).select(
+		})
+		.populate<{ workspace: IWorkspace }>('workspace')
+		.select(
 			'+refreshCiphertext +refreshIV +refreshTag +accessCiphertext +accessIV +accessTag +accessExpiresAt'
 		);
 
@@ -37,9 +39,8 @@ const requireIntegrationAuthorizationAuth = ({
 		
 		await validateMembership({
 			userId: req.user._id.toString(),
-			workspaceId: integrationAuth.workspace.toString(),
-			acceptedRoles,
-			acceptedStatuses
+			workspaceId: integrationAuth.workspace._id.toString(),
+			acceptedRoles
 		});
 
 		req.integrationAuth = integrationAuth;

backend/src/middleware/requireMembershipAuth.ts

@@ -0,0 +1,59 @@
+import { Request, Response, NextFunction } from 'express';
+import { UnauthorizedRequestError } from '../utils/errors';
+import {
+    Membership,
+} from '../models';
+import { validateMembership } from '../helpers/membership';
+
+type req = 'params' | 'body' | 'query';
+
+/**
+ * Validate membership with id [membershipId] and that user with id
+ * [req.user._id] can modify that membership.
+ * @param {Object} obj
+ * @param {String[]} obj.acceptedRoles - accepted workspace roles
+ * @param {String[]} obj.location - location of [workspaceId] on request (e.g. params, body) for parsing
+ */
+const requireMembershipAuth = ({
+    acceptedRoles,
+    location = 'params'
+}: {
+    acceptedRoles: string[];
+    location?: req;
+}) => {
+    return async (
+        req: Request, 
+        res: Response, 
+        next: NextFunction
+    ) => {
+        try {
+            const { membershipId } = req[location];
+            
+            const membership = await Membership.findById(membershipId);
+            
+            if (!membership) throw new Error('Failed to find target membership');
+            
+            const userMembership = await Membership.findOne({
+                workspace: membership.workspace
+            });
+            
+            if (!userMembership) throw new Error('Failed to validate own membership')
+            
+            const targetMembership = await validateMembership({
+                userId: req.user._id.toString(),
+                workspaceId: membership.workspace.toString(),
+                acceptedRoles
+            });
+            
+            req.targetMembership = targetMembership;
+            
+            return next();
+        } catch (err) {
+            return next(UnauthorizedRequestError({ 
+                message: 'Unable to validate workspace membership' 
+            }));
+        }
+    }
+}
+
+export default requireMembershipAuth;

backend/src/middleware/requireMembershipOrgAuth.ts

@@ -0,0 +1,49 @@
+import { Request, Response, NextFunction } from 'express';
+import { UnauthorizedRequestError } from '../utils/errors';
+import {
+    MembershipOrg
+} from '../models';
+import { validateMembership } from '../helpers/membershipOrg';
+
+
+type req = 'params' | 'body' | 'query';
+
+/**
+ * Validate (organization) membership id [membershipId] and that user with id 
+ * [req.user._id] can modify that membership.
+ * @param {Object} obj
+ * @param {String[]} obj.acceptedRoles - accepted organization roles
+ * @param {String[]} obj.location - location of [membershipId] on request (e.g. params, body) for parsing
+ */
+const requireMembershipOrgAuth = ({
+    acceptedRoles,
+    location = 'params'
+}: {
+    acceptedRoles: string[];
+    location?: req;
+}) => {
+    return async (req: Request, res: Response, next: NextFunction) => {
+        try {
+            const { membershipId } = req[location];
+            const membershipOrg = await MembershipOrg.findById(membershipId);
+            
+            if (!membershipOrg) throw new Error('Failed to find target organization membership');
+            
+            const targetMembership = await validateMembership({
+                userId: req.user._id.toString(),
+                organizationId: membershipOrg.organization.toString(),
+                acceptedRoles
+            });
+            
+            req.targetMembership = targetMembership;
+            
+            return next();
+        } catch (err) {
+            return next(UnauthorizedRequestError({
+                message: 'Unable to validate organization membership'
+            }));
+        }
+    }
+}
+
+export default requireMembershipOrgAuth;