allow to set default env in project file

feat(ui): save changes when user leaving dashboard

.env.example

@@ -64,7 +64,7 @@ POSTHOG_PROJECT_API_KEY=
 STRIPE_SECRET_KEY=
 STRIPE_PUBLISHABLE_KEY=
 STRIPE_WEBHOOK_SECRET=
-STRIPE_PRODUCT_CARD_AUTH=
-STRIPE_PRODUCT_PRO=
 STRIPE_PRODUCT_STARTER=
+STRIPE_PRODUCT_TEAM=
+STRIPE_PRODUCT_PRO=
 NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=

.eslintignore

@@ -1,3 +1,4 @@
 node_modules
 built
 healthcheck.js
+tailwind.config.js

.github/values.yaml

@@ -1,36 +1,93 @@
+#####
+# INFISICAL K8 DEFAULT VALUES FILE
+# PLEASE REPLACE VALUES/EDIT AS REQUIRED 
+#####
+
+nameOverride: ""
+
 frontend:
-  replicaCount: 1
+  name: frontend
+  podAnnotations: {}
+  deploymentAnnotations:
+    secrets.infisical.com/auto-reload: "true"
+  replicaCount: 2
   image:
-    repository: 
-    pullPolicy: Always
+    repository: infisical/frontend
+    pullPolicy: Always 
     tag: "latest"
   kubeSecretRef: managed-secret-frontend
+  service:
+    # type of the frontend service
+    type: ClusterIP
+    # define the nodePort if service type is NodePort
+    # nodePort: 
+    annotations: {}
 
 backend:
-  replicaCount: 1
+  name: backend
+  podAnnotations: {}
+  deploymentAnnotations:
+    secrets.infisical.com/auto-reload: "true"
+  replicaCount: 2
   image:
-    repository: 
+    repository: infisical/backend
     pullPolicy: Always
     tag: "latest"
   kubeSecretRef: managed-backend-secret
+  service:
+    annotations: {}
+
+mongodb:
+  name: mongodb
+  podAnnotations: {}
+  image:
+    repository: mongo
+    pullPolicy: IfNotPresent
+    tag: "latest"
+  service:
+    annotations: {}
+
+# By default the backend will be connected to a Mongo instance in the cluster.
+# However, it is recommended to add a managed document DB connection string because the DB instance in the cluster does not have persistence yet ( data will be deleted on next deploy).
+# Learn about connection string type here https://www.mongodb.com/docs/manual/reference/connection-string/
+mongodbConnection: {}
+  # externalMongoDBConnectionString: <>
 
 ingress:
   enabled: true
   annotations:
     kubernetes.io/ingress.class: "nginx"
-    cert-manager.io/cluster-issuer: "letsencrypt-prod"
-  hostName: gamma.infisical.com
+  hostName: gamma.infisical.com # replace with your domain 
   frontend: 
     path: /
     pathType: Prefix
   backend:
     path: /api
     pathType: Prefix
-  tls:
-    - secretName: echo-tls
-      hosts:
-        - gamma.infisical.com
+  tls: []
 
-backendEnvironmentVariables:
 
-frontendEnvironmentVariables:
+## Complete Ingress example 
+# ingress:
+#   enabled: true
+#   annotations:
+#     kubernetes.io/ingress.class: "nginx"
+#     cert-manager.io/issuer: letsencrypt-nginx
+#   hostName: k8.infisical.com
+#   frontend: 
+#     path: /
+#     pathType: Prefix
+#   backend:
+#     path: /api
+#     pathType: Prefix
+#   tls:
+#     - secretName: letsencrypt-nginx
+#       hosts:
+#         - k8.infisical.com
+
+###
+### YOU MUST FILL IN ALL SECRETS BELOW
+### 
+backendEnvironmentVariables: {}
+
+frontendEnvironmentVariables: {}

.github/workflows/docker-image.yml

@@ -129,4 +129,10 @@ jobs:
       - name: Download helm values to file and upgrade gamma deploy
         run: |
           wget https://raw.githubusercontent.com/Infisical/infisical/main/.github/values.yaml
-          helm upgrade infisical infisical-helm-charts/infisical  --values values.yaml --recreate-pods
+          helm upgrade infisical infisical-helm-charts/infisical  --values values.yaml --recreate-pods
+          if [[ $(helm status infisical) == *"FAILED"* ]]; then
+            echo "Helm upgrade failed"
+            exit 1
+          else
+            echo "Helm upgrade was successful"
+          fi

.github/workflows/release_build.yml

@@ -4,7 +4,7 @@ on:
   push:
     # run only against tags
     tags:
-      - 'v*'
+      - "v*"
 
 permissions:
   contents: write
@@ -18,10 +18,16 @@ jobs:
       - uses: actions/checkout@v3
         with:
           fetch-depth: 0
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
       - run: git fetch --force --tags
+      - run: echo "Ref name ${{github.ref_name}}"
       - uses: actions/setup-go@v3
         with:
-          go-version: '>=1.19.3'
+          go-version: ">=1.19.3"
           cache: true
           cache-dependency-path: cli/go.sum
       - name: libssl1.1 => libssl1.0-dev for OSXCross
@@ -33,19 +39,18 @@ jobs:
         run: |
           mkdir ../../osxcross
           git clone https://github.com/plentico/osxcross-target.git ../../osxcross/target
-      - uses: goreleaser/goreleaser-action@v2
+      - uses: goreleaser/goreleaser-action@v4
         with:
           distribution: goreleaser
           version: latest
-          args: release --rm-dist
+          args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
           FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}
           AUR_KEY: ${{ secrets.AUR_KEY }}
       - uses: actions/setup-python@v4
       - run: pip install --upgrade cloudsmith-cli
-      - name: Publish to CloudSmith 
+      - name: Publish to CloudSmith
         run: sh cli/upload_to_cloudsmith.sh
         env:
           CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
-      

.goreleaser.yaml

@@ -14,6 +14,9 @@ before:
 builds:
   - id: darwin-build
     binary: infisical
+    ldflags: -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
+    flags:
+      - -trimpath
     env:
       - CGO_ENABLED=1
       - CC=/home/runner/work/osxcross/target/bin/o64-clang
@@ -24,10 +27,14 @@ builds:
       - goos: darwin
         goarch: "386"
     dir: ./cli
+
   - id: all-other-builds
     env:
       - CGO_ENABLED=0
     binary: infisical
+    ldflags: -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
+    flags:
+      - -trimpath
     goos:
       - freebsd
       - linux
@@ -61,18 +68,20 @@ archives:
 
 release:
   replace_existing_draft: true
-  mode: 'replace'
+  mode: "replace"
 
 checksum:
-  name_template: 'checksums.txt'
+  name_template: "checksums.txt"
+
 snapshot:
-  name_template: "{{ incpatch .Version }}"
+  name_template: "{{ incpatch .Version }}-devel"
+
 changelog:
   sort: asc
   filters:
     exclude:
-      - '^docs:'
-      - '^test:'
+      - "^docs:"
+      - "^test:"
 
 # publishers:
 #   - name: fury.io
@@ -80,6 +89,7 @@ changelog:
 #       - infisical
 #     dir: "{{ dir .ArtifactPath }}"
 #     cmd: curl -F package=@{{ .ArtifactName }} https://{{ .Env.FURY_TOKEN }}@push.fury.io/infisical/
+
 brews:
   - name: infisical
     tap:
@@ -91,31 +101,39 @@ brews:
     folder: Formula
     homepage: "https://infisical.com"
     description: "The official Infisical CLI"
+    install: |-
+      bin.install "infisical"
+      bash_completion.install "completions/infisical.bash" => "infisical"
+      zsh_completion.install "completions/infisical.zsh" => "_infisical"
+      fish_completion.install "completions/infisical.fish"
+      man1.install "manpages/infisical.1.gz"
+
 nfpms:
-- id: infisical
-  package_name: infisical
-  builds:
-    - all-other-builds
-  vendor: Infisical, Inc
-  homepage: https://infisical.com/
-  maintainer: Infisical, Inc
-  description: The offical Infisical CLI
-  license: MIT
-  formats:
-  - rpm
-  - deb
-  - apk
-  - archlinux
-  bindir: /usr/bin
-  contents:
-    - src: ./completions/infisical.bash
-      dst: /etc/bash_completion.d/infisical
-    - src: ./completions/infisical.fish
-      dst: /usr/share/fish/vendor_completions.d/infisical.fish
-    - src: ./completions/infisical.zsh
-      dst: /usr/share/zsh/site-functions/_infisical
-    - src: ./manpages/infisical.1.gz
-      dst: /usr/share/man/man1/infisical.1.gz
+  - id: infisical
+    package_name: infisical
+    builds:
+      - all-other-builds
+    vendor: Infisical, Inc
+    homepage: https://infisical.com/
+    maintainer: Infisical, Inc
+    description: The offical Infisical CLI
+    license: MIT
+    formats:
+      - rpm
+      - deb
+      - apk
+      - archlinux
+    bindir: /usr/bin
+    contents:
+      - src: ./completions/infisical.bash
+        dst: /etc/bash_completion.d/infisical
+      - src: ./completions/infisical.fish
+        dst: /usr/share/fish/vendor_completions.d/infisical.fish
+      - src: ./completions/infisical.zsh
+        dst: /usr/share/zsh/site-functions/_infisical
+      - src: ./manpages/infisical.1.gz
+        dst: /usr/share/man/man1/infisical.1.gz
+
 scoop:
   bucket:
     owner: Infisical
@@ -126,16 +144,16 @@ scoop:
   homepage: "https://infisical.com"
   description: "The official Infisical CLI"
   license: MIT
+
 aurs:
-  -
-    name: infisical-bin
+  - name: infisical-bin
     homepage: "https://infisical.com"
     description: "The official Infisical CLI"
     maintainers:
       - Infisical, Inc <support@infisical.com>
     license: MIT
-    private_key: '{{ .Env.AUR_KEY }}'
-    git_url: 'ssh://aur@aur.archlinux.org/infisical-bin.git'
+    private_key: "{{ .Env.AUR_KEY }}"
+    git_url: "ssh://aur@aur.archlinux.org/infisical-bin.git"
     package: |-
       # bin
       install -Dm755 "./infisical" "${pkgdir}/usr/bin/infisical"
@@ -150,19 +168,13 @@ aurs:
       install -Dm644 "./completions/infisical.fish" "${pkgdir}/usr/share/fish/vendor_completions.d/infisical.fish"
       # man pages
       install -Dm644 "./manpages/infisical.1.gz" "${pkgdir}/usr/share/man/man1/infisical.1.gz"
+
 # dockers:
-#   - dockerfile: goreleaser.dockerfile
+#   - dockerfile: cli/docker/Dockerfile
 #     goos: linux
 #     goarch: amd64
 #     ids:
 #       - infisical
 #     image_templates:
-#       - "infisical/cli:{{ .Version }}"             
-#       - "infisical/cli:{{ .Major }}.{{ .Minor }}"  
-#       - "infisical/cli:{{ .Major }}"               
+#       - "infisical/cli:{{ .Version }}"
 #       - "infisical/cli:latest"
-#     build_flag_templates:
-#       - "--label=org.label-schema.schema-version=1.0"
-#       - "--label=org.label-schema.version={{.Version}}"
-#       - "--label=org.label-schema.name={{.ProjectName}}"
-#       - "--platform=linux/amd64"

Makefile

@@ -8,7 +8,7 @@ up-dev:
 	docker-compose -f docker-compose.dev.yml up --build
 
 i-dev:
-	infisical export && infisical export > .env && docker-compose -f docker-compose.dev.yml up --build
+	infisical run -- docker-compose -f docker-compose.dev.yml up --build
 
 up-prod:
 	docker-compose -f docker-compose.yml up --build

backend/environment.d.ts

@@ -3,8 +3,10 @@ export {};
 declare global {
   namespace NodeJS {
     interface ProcessEnv {
+      PORT: string;
       EMAIL_TOKEN_LIFETIME: string;
       ENCRYPTION_KEY: string;
+      SALT_ROUNDS: string;
       JWT_AUTH_LIFETIME: string;
       JWT_AUTH_SECRET: string;
       JWT_REFRESH_LIFETIME: string;
@@ -19,23 +21,31 @@ declare global {
       CLIENT_ID_HEROKU: string;
       CLIENT_ID_VERCEL: string;
       CLIENT_ID_NETLIFY: string;
+      CLIENT_ID_GITHUB: string;
       CLIENT_SECRET_HEROKU: string;
       CLIENT_SECRET_VERCEL: string;
       CLIENT_SECRET_NETLIFY: string;
+      CLIENT_SECRET_GITHUB: string;
+      CLIENT_SLUG_VERCEL: string;
 			POSTHOG_HOST: string;
 			POSTHOG_PROJECT_API_KEY: string;
       SENTRY_DSN: string;
       SITE_URL: string;
       SMTP_HOST: string;
-      SMTP_NAME: string;
-      SMTP_PASSWORD: string;
+      SMTP_SECURE: string;
+      SMTP_PORT: string;
       SMTP_USERNAME: string;
-      STRIPE_PRODUCT_CARD_AUTH: string;
-      STRIPE_PRODUCT_PRO: string;
+      SMTP_PASSWORD: string;
+      SMTP_FROM_ADDRESS: string;
+      SMTP_FROM_NAME: string;
       STRIPE_PRODUCT_STARTER: string;
+      STRIPE_PRODUCT_TEAM: string;
+      STRIPE_PRODUCT_PRO: string;
       STRIPE_PUBLISHABLE_KEY: string;
       STRIPE_SECRET_KEY: string;
       STRIPE_WEBHOOK_SECRET: string;
+      TELEMETRY_ENABLED: string;
+      LICENSE_KEY: string;
     }
   }
 }

backend/package.json

@@ -1,11 +1,55 @@
 {
+  "dependencies": {
+    "@aws-sdk/client-secrets-manager": "^3.267.0",
+    "@godaddy/terminus": "^4.11.2",
+    "@octokit/rest": "^19.0.5",
+    "@sentry/node": "^7.14.0",
+    "@sentry/tracing": "^7.19.0",
+    "@types/crypto-js": "^4.1.1",
+    "@types/libsodium-wrappers": "^0.7.10",
+    "await-to-js": "^3.0.0",
+    "aws-sdk": "^2.1311.0",
+    "axios": "^1.1.3",
+    "bcrypt": "^5.1.0",
+    "bigint-conversion": "^2.2.2",
+    "builder-pattern": "^2.2.0",
+    "cookie-parser": "^1.4.6",
+    "cors": "^2.8.5",
+    "crypto-js": "^4.1.1",
+    "dotenv": "^16.0.1",
+    "express": "^4.18.1",
+    "express-rate-limit": "^6.7.0",
+    "express-validator": "^6.14.2",
+    "handlebars": "^4.7.7",
+    "helmet": "^5.1.1",
+    "js-yaml": "^4.1.0",
+    "jsonwebtoken": "^9.0.0",
+    "jsrp": "^0.2.4",
+    "libsodium-wrappers": "^0.7.10",
+    "lodash": "^4.17.21",
+    "mongoose": "^6.7.2",
+    "nodemailer": "^6.8.0",
+    "posthog-node": "^2.2.2",
+    "query-string": "^7.1.3",
+    "request-ip": "^3.3.0",
+    "rimraf": "^3.0.2",
+    "stripe": "^10.7.0",
+    "swagger-autogen": "^2.22.0",
+    "swagger-ui-express": "^4.6.0",
+    "tweetnacl": "^1.0.3",
+    "tweetnacl-util": "^0.15.1",
+    "typescript": "^4.9.3",
+    "utility-types": "^3.10.0",
+    "winston": "^3.8.2",
+    "winston-loki": "^6.0.6"
+  },
   "name": "infisical-api",
   "version": "1.0.0",
   "main": "src/index.js",
   "scripts": {
     "start": "npm run build && node build/index.js",
     "dev": "nodemon",
-    "swagger-autogen": "node ./swagger.ts",
+    "swagger-autogen": "node ./swagger/index.ts",
     "build": "rimraf ./build && tsc && cp -R ./src/templates ./build",
     "lint": "eslint . --ext .ts",
     "lint-and-fix": "eslint . --ext .ts --fix",
@@ -36,6 +80,7 @@
     "@types/express": "^4.17.14",
     "@types/jest": "^29.2.4",
     "@types/jsonwebtoken": "^8.5.9",
+    "@types/lodash": "^4.14.191",
     "@types/node": "^18.11.3",
     "@types/nodemailer": "^6.4.6",
     "@types/supertest": "^2.0.12",
@@ -73,43 +118,5 @@
     "suiteNameTemplate": "{filepath}",
     "classNameTemplate": "{classname}",
     "titleTemplate": "{title}"
-  },
-  "dependencies": {
-    "@godaddy/terminus": "^4.11.2",
-    "@octokit/rest": "^19.0.5",
-    "@sentry/node": "^7.14.0",
-    "@sentry/tracing": "^7.19.0",
-    "@types/crypto-js": "^4.1.1",
-    "@types/libsodium-wrappers": "^0.7.10",
-    "await-to-js": "^3.0.0",
-    "axios": "^1.1.3",
-    "bcrypt": "^5.1.0",
-    "bigint-conversion": "^2.2.2",
-    "cookie-parser": "^1.4.6",
-    "cors": "^2.8.5",
-    "crypto-js": "^4.1.1",
-    "dotenv": "^16.0.1",
-    "express": "^4.18.1",
-    "express-rate-limit": "^6.7.0",
-    "express-validator": "^6.14.2",
-    "handlebars": "^4.7.7",
-    "helmet": "^5.1.1",
-    "jsonwebtoken": "^9.0.0",
-    "jsrp": "^0.2.4",
-    "libsodium-wrappers": "^0.7.10",
-    "mongoose": "^6.7.2",
-    "nodemailer": "^6.8.0",
-    "posthog-node": "^2.2.2",
-    "query-string": "^7.1.3",
-    "rimraf": "^3.0.2",
-    "stripe": "^10.7.0",
-    "swagger-autogen": "^2.22.0",
-    "swagger-ui-express": "^4.6.0",
-    "tweetnacl": "^1.0.3",
-    "tweetnacl-util": "^0.15.1",
-    "typescript": "^4.9.3",
-    "utility-types": "^3.10.0",
-    "winston": "^3.8.2",
-    "winston-loki": "^6.0.6"
   }
 }

backend/src/app.ts

@@ -8,8 +8,9 @@ import cookieParser from 'cookie-parser';
 import dotenv from 'dotenv';
 import swaggerUi = require('swagger-ui-express');
 // eslint-disable-next-line @typescript-eslint/no-var-requires
-const swaggerFile = require('../api-documentation.json')
-
+const swaggerFile = require('../spec.json');
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const requestIp = require('request-ip');
 
 dotenv.config();
 import { PORT, NODE_ENV, SITE_URL } from './config';
@@ -41,12 +42,15 @@ import {
   integrationAuth as v1IntegrationAuthRouter
 } from './routes/v1';
 import {
-  secret as v2SecretRouter,
-  secrets as v2SecretsRouter,
+  users as v2UsersRouter,
+  organizations as v2OrganizationsRouter,
   workspace as v2WorkspaceRouter,
+  secret as v2SecretRouter, // begin to phase out
+  secrets as v2SecretsRouter,
   serviceTokenData as v2ServiceTokenDataRouter,
   apiKeyData as v2APIKeyDataRouter,
   environment as v2EnvironmentRouter,
+  tags as v2TagsRouter,
 } from './routes/v2';
 
 import { healthCheck } from './routes/status';
@@ -70,6 +74,8 @@ app.use(
   })
 );
 
+app.use(requestIp.mw())
+
 if (NODE_ENV === 'production') {
   // enable app-wide rate-limiting + helmet security
   // in production
@@ -97,19 +103,22 @@ app.use('/api/v1/membership', v1MembershipRouter);
 app.use('/api/v1/key', v1KeyRouter);
 app.use('/api/v1/invite-org', v1InviteOrgRouter);
 app.use('/api/v1/secret', v1SecretRouter);
-app.use('/api/v1/service-token', v1ServiceTokenRouter); // stop supporting
+app.use('/api/v1/service-token', v1ServiceTokenRouter); // deprecated
 app.use('/api/v1/password', v1PasswordRouter);
 app.use('/api/v1/stripe', v1StripeRouter);
 app.use('/api/v1/integration', v1IntegrationRouter);
 app.use('/api/v1/integration-auth', v1IntegrationAuthRouter);
 
 // v2 routes
+app.use('/api/v2/users', v2UsersRouter);
+app.use('/api/v2/organizations', v2OrganizationsRouter);
 app.use('/api/v2/workspace', v2EnvironmentRouter);
-app.use('/api/v2/workspace', v2WorkspaceRouter); // TODO: turn into plural route
-app.use('/api/v2/secret', v2SecretRouter); // stop supporting, TODO: revise
+app.use('/api/v2/workspace', v2TagsRouter);
+app.use('/api/v2/workspace', v2WorkspaceRouter);
+app.use('/api/v2/secret', v2SecretRouter); // deprecated
 app.use('/api/v2/secrets', v2SecretsRouter);
 app.use('/api/v2/service-token', v2ServiceTokenDataRouter); // TODO: turn into plural route
-app.use('/api/v2/api-key-data', v2APIKeyDataRouter);
+app.use('/api/v2/api-key', v2APIKeyDataRouter);
 
 // api docs 
 app.use('/api-docs', swaggerUi.serve, swaggerUi.setup(swaggerFile))
@@ -126,7 +135,6 @@ app.use((req, res, next) => {
 //* Error Handling Middleware (must be after all routing logic)
 app.use(requestErrorHandler)
 
-
 export const server = app.listen(PORT, () => {
   getLogger("backend-main").info(`Server started listening at port ${PORT}`)
 });

backend/src/config/index.ts

@@ -1,5 +1,6 @@
 const PORT = process.env.PORT || 4000;
-const EMAIL_TOKEN_LIFETIME = process.env.EMAIL_TOKEN_LIFETIME! || '86400';
+const EMAIL_TOKEN_LIFETIME = parseInt(process.env.EMAIL_TOKEN_LIFETIME! || '86400');
+const INVITE_ONLY_SIGNUP = process.env.INVITE_ONLY_SIGNUP == undefined ? false : process.env.INVITE_ONLY_SIGNUP
 const ENCRYPTION_KEY = process.env.ENCRYPTION_KEY!;
 const SALT_ROUNDS = parseInt(process.env.SALT_ROUNDS!) || 10;
 const JWT_AUTH_LIFETIME = process.env.JWT_AUTH_LIFETIME! || '10d';
@@ -13,15 +14,18 @@ const MONGO_URL = process.env.MONGO_URL!;
 const NODE_ENV = process.env.NODE_ENV! || 'production';
 const VERBOSE_ERROR_OUTPUT = process.env.VERBOSE_ERROR_OUTPUT! === 'true' && true;
 const LOKI_HOST = process.env.LOKI_HOST || undefined;
-const CLIENT_SECRET_HEROKU = process.env.CLIENT_SECRET_HEROKU!;
+const CLIENT_ID_AZURE = process.env.CLIENT_ID_AZURE!;
+const TENANT_ID_AZURE = process.env.TENANT_ID_AZURE!;
 const CLIENT_ID_HEROKU = process.env.CLIENT_ID_HEROKU!;
 const CLIENT_ID_VERCEL = process.env.CLIENT_ID_VERCEL!;
 const CLIENT_ID_NETLIFY = process.env.CLIENT_ID_NETLIFY!;
 const CLIENT_ID_GITHUB = process.env.CLIENT_ID_GITHUB!;
+const CLIENT_SECRET_AZURE = process.env.CLIENT_SECRET_AZURE!;
+const CLIENT_SECRET_HEROKU = process.env.CLIENT_SECRET_HEROKU!;
 const CLIENT_SECRET_VERCEL = process.env.CLIENT_SECRET_VERCEL!;
 const CLIENT_SECRET_NETLIFY = process.env.CLIENT_SECRET_NETLIFY!;
 const CLIENT_SECRET_GITHUB = process.env.CLIENT_SECRET_GITHUB!;
-const CLIENT_SLUG_VERCEL= process.env.CLIENT_SLUG_VERCEL!;
+const CLIENT_SLUG_VERCEL = process.env.CLIENT_SLUG_VERCEL!;
 const POSTHOG_HOST = process.env.POSTHOG_HOST! || 'https://app.posthog.com';
 const POSTHOG_PROJECT_API_KEY =
   process.env.POSTHOG_PROJECT_API_KEY! ||
@@ -35,9 +39,9 @@ const SMTP_USERNAME = process.env.SMTP_USERNAME!;
 const SMTP_PASSWORD = process.env.SMTP_PASSWORD!;
 const SMTP_FROM_ADDRESS = process.env.SMTP_FROM_ADDRESS!;
 const SMTP_FROM_NAME = process.env.SMTP_FROM_NAME! || 'Infisical';
-const STRIPE_PRODUCT_CARD_AUTH = process.env.STRIPE_PRODUCT_CARD_AUTH!;
-const STRIPE_PRODUCT_PRO = process.env.STRIPE_PRODUCT_PRO!;
 const STRIPE_PRODUCT_STARTER = process.env.STRIPE_PRODUCT_STARTER!;
+const STRIPE_PRODUCT_PRO = process.env.STRIPE_PRODUCT_PRO!;
+const STRIPE_PRODUCT_TEAM = process.env.STRIPE_PRODUCT_TEAM!;
 const STRIPE_PUBLISHABLE_KEY = process.env.STRIPE_PUBLISHABLE_KEY!;
 const STRIPE_SECRET_KEY = process.env.STRIPE_SECRET_KEY!;
 const STRIPE_WEBHOOK_SECRET = process.env.STRIPE_WEBHOOK_SECRET!;
@@ -47,6 +51,7 @@ const LICENSE_KEY = process.env.LICENSE_KEY!;
 export {
   PORT,
   EMAIL_TOKEN_LIFETIME,
+  INVITE_ONLY_SIGNUP,
   ENCRYPTION_KEY,
   SALT_ROUNDS,
   JWT_AUTH_LIFETIME,
@@ -60,10 +65,13 @@ export {
   NODE_ENV,
   VERBOSE_ERROR_OUTPUT,
   LOKI_HOST,
+  CLIENT_ID_AZURE,
+  TENANT_ID_AZURE,
   CLIENT_ID_HEROKU,
   CLIENT_ID_VERCEL,
   CLIENT_ID_NETLIFY,
   CLIENT_ID_GITHUB,
+  CLIENT_SECRET_AZURE,
   CLIENT_SECRET_HEROKU,
   CLIENT_SECRET_VERCEL,
   CLIENT_SECRET_NETLIFY,
@@ -80,9 +88,9 @@ export {
   SMTP_PASSWORD,
   SMTP_FROM_ADDRESS,
   SMTP_FROM_NAME,
-  STRIPE_PRODUCT_CARD_AUTH,
-  STRIPE_PRODUCT_PRO,
   STRIPE_PRODUCT_STARTER,
+  STRIPE_PRODUCT_TEAM,
+  STRIPE_PRODUCT_PRO,
   STRIPE_PUBLISHABLE_KEY,
   STRIPE_SECRET_KEY,
   STRIPE_WEBHOOK_SECRET,

backend/src/controllers/v1/authController.ts

@@ -4,14 +4,21 @@ import jwt from 'jsonwebtoken';
 import * as Sentry from '@sentry/node';
 import * as bigintConversion from 'bigint-conversion';
 const jsrp = require('jsrp');
-import { User } from '../../models';
+import { User, LoginSRPDetail } from '../../models';
 import { createToken, issueTokens, clearTokens } from '../../helpers/auth';
+import {
+  ACTION_LOGIN,
+  ACTION_LOGOUT
+} from '../../variables';
 import {
   NODE_ENV,
   JWT_AUTH_LIFETIME,
   JWT_AUTH_SECRET,
   JWT_REFRESH_SECRET
 } from '../../config';
+import { BadRequestError } from '../../utils/errors';
+import { EELogService } from '../../ee/services';
+import { getChannelFromUserAgent } from '../../utils/posthog'; // TODO: move this
 
 declare module 'jsonwebtoken' {
   export interface UserIDJwtPayload extends jwt.JwtPayload {
@@ -19,8 +26,6 @@ declare module 'jsonwebtoken' {
   }
 }
 
-const clientPublicKeys: any = {};
-
 /**
  * Log in user step 1: Return [salt] and [serverPublicKey] as part of step 1 of SRP protocol
  * @param req
@@ -46,13 +51,15 @@ export const login1 = async (req: Request, res: Response) => {
         salt: user.salt,
         verifier: user.verifier
       },
-      () => {
+      async () => {
         // generate server-side public key
         const serverPublicKey = server.getPublicKey();
-        clientPublicKeys[email] = {
-          clientPublicKey,
-          serverBInt: bigintConversion.bigintToBuf(server.bInt)
-        };
+
+        await LoginSRPDetail.findOneAndReplace({ email: email }, {
+          email: email,
+          clientPublicKey: clientPublicKey,
+          serverBInt: bigintConversion.bigintToBuf(server.bInt),
+        }, { upsert: true, returnNewDocument: false })
 
         return res.status(200).send({
           serverPublicKey,
@@ -85,15 +92,21 @@ export const login2 = async (req: Request, res: Response) => {
 
     if (!user) throw new Error('Failed to find user');
 
+    const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: email })
+
+    if (!loginSRPDetailFromDB) {
+      return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
+    }
+
     const server = new jsrp.server();
     server.init(
       {
         salt: user.salt,
         verifier: user.verifier,
-        b: clientPublicKeys[email].serverBInt
+        b: loginSRPDetailFromDB.serverBInt
       },
       async () => {
-        server.setClientPublicKey(clientPublicKeys[email].clientPublicKey);
+        server.setClientPublicKey(loginSRPDetailFromDB.clientPublicKey);
 
         // compare server and client shared keys
         if (server.checkClientProof(clientProof)) {
@@ -108,6 +121,18 @@ export const login2 = async (req: Request, res: Response) => {
             secure: NODE_ENV === 'production' ? true : false
           });
 
+          const loginAction = await EELogService.createAction({
+            name: ACTION_LOGIN,
+            userId: user._id
+          });
+          
+          loginAction && await EELogService.createLog({
+            userId: user._id,
+            actions: [loginAction],
+            channel: getChannelFromUserAgent(req.headers['user-agent']),
+            ipAddress: req.ip
+          });
+          
           // return (access) token in response
           return res.status(200).send({
             token: tokens.token,
@@ -151,6 +176,19 @@ export const logout = async (req: Request, res: Response) => {
       sameSite: 'strict',
       secure: NODE_ENV === 'production' ? true : false
     });
+
+    const logoutAction = await EELogService.createAction({
+      name: ACTION_LOGOUT,
+      userId: req.user._id
+    });
+    
+    logoutAction && await EELogService.createLog({
+      userId: req.user._id,
+      actions: [logoutAction],
+      channel: getChannelFromUserAgent(req.headers['user-agent']),
+      ipAddress: req.ip
+    });
+
   } catch (err) {
     Sentry.setUser({ email: req.user.email });
     Sentry.captureException(err);
@@ -170,10 +208,11 @@ export const logout = async (req: Request, res: Response) => {
  * @param res
  * @returns
  */
-export const checkAuth = async (req: Request, res: Response) =>
-  res.status(200).send({
+export const checkAuth = async (req: Request, res: Response) => {
+  return res.status(200).send({
     message: 'Authenticated'
   });
+}
 
 /**
  * Return new token by redeeming refresh token

backend/src/controllers/v1/integrationAuthController.ts

@@ -1,21 +1,46 @@
 import { Request, Response } from 'express';
+import { Types } from 'mongoose';
 import * as Sentry from '@sentry/node';
-import axios from 'axios';
-import { readFileSync } from 'fs';
-import { IntegrationAuth, Integration } from '../../models';
+import {
+	Integration, 
+	IntegrationAuth,
+	Bot 
+} from '../../models';
 import { INTEGRATION_SET, INTEGRATION_OPTIONS } from '../../variables';
 import { IntegrationService } from '../../services';
 import { getApps, revokeAccess } from '../../integrations';
 
-export const getIntegrationOptions = async (
-	req: Request,
-	res: Response
-) => {
+/***
+ * Return integration authorization with id [integrationAuthId]
+ */
+export const getIntegrationAuth = async (req: Request, res: Response) => {
+	let integrationAuth;
+	try {
+		const { integrationAuthId } = req.params;
+		integrationAuth = await IntegrationAuth.findById(integrationAuthId);
+		
+		if (!integrationAuth) return res.status(400).send({
+			message: 'Failed to find integration authorization'
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get integration authorization'
+		});	
+	}
+	
 	return res.status(200).send({
-		integrationOptions: INTEGRATION_OPTIONS
+		integrationAuth
 	});
 }
 
+export const getIntegrationOptions = async (req: Request, res: Response) => {
+  return res.status(200).send({
+    integrationOptions: INTEGRATION_OPTIONS,
+  });
+};
+
 /**
  * Perform OAuth2 code-token exchange as part of integration [integration] for workspace with id [workspaceId]
  * @param req
@@ -28,7 +53,6 @@ export const oAuthExchange = async (
 ) => {
 	try {
 		const { workspaceId, code, integration } = req.body;
-
 		if (!INTEGRATION_SET.has(integration))
 			throw new Error('Failed to validate integration');
 		
@@ -37,25 +61,92 @@ export const oAuthExchange = async (
 			throw new Error("Failed to get environments")
 		}
 	
-		await IntegrationService.handleOAuthExchange({
+		const integrationAuth = await IntegrationService.handleOAuthExchange({
 			workspaceId,
 			integration,
 			code,
 			environment: environments[0].slug,
 		});
+		
+		return res.status(200).send({
+			integrationAuth
+		});
 	} catch (err) {
-		Sentry.setUser(null);
+		Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);
 		return res.status(400).send({
 			message: 'Failed to get OAuth2 code-token exchange'
 		});
 	}
-
-	return res.status(200).send({
-		message: 'Successfully enabled integration authorization'
-	});
 };
 
+/**
+ * Save integration access token and (optionally) access id as part of integration
+ * [integration] for workspace with id [workspaceId]
+ * @param req 
+ * @param res 
+ */
+export const saveIntegrationAccessToken = async (
+  req: Request,
+  res: Response
+) => {
+	// TODO: refactor
+	// TODO: check if access token is valid for each integration
+
+	let integrationAuth;
+	try {
+		const {
+			workspaceId,
+			accessId,
+			accessToken,
+			integration
+		}: {
+			workspaceId: string;
+			accessId: string | null;
+			accessToken: string;
+			integration: string;
+		} = req.body;
+
+		const bot = await Bot.findOne({
+            workspace: new Types.ObjectId(workspaceId),
+            isActive: true
+        });
+        
+        if (!bot) throw new Error('Bot must be enabled to save integration access token');
+
+		integrationAuth = await IntegrationAuth.findOneAndUpdate({
+            workspace: new Types.ObjectId(workspaceId),
+            integration
+        }, {
+            workspace: new Types.ObjectId(workspaceId),
+            integration
+		}, {
+            new: true,
+            upsert: true
+        });
+		
+		// encrypt and save integration access details
+		integrationAuth = await IntegrationService.setIntegrationAuthAccess({
+			integrationAuthId: integrationAuth._id.toString(),
+			accessId,
+			accessToken,
+			accessExpiresAt: undefined
+		});
+		
+		if (!integrationAuth) throw new Error('Failed to save integration access token');
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to save access token for integration'
+		});
+	}
+	
+	return res.status(200).send({
+		integrationAuth
+	});
+}
+
 /**
  * Return list of applications allowed for integration with integration authorization id [integrationAuthId]
  * @param req
@@ -63,23 +154,23 @@ export const oAuthExchange = async (
  * @returns
  */
 export const getIntegrationAuthApps = async (req: Request, res: Response) => {
-	let apps;
-	try {
-		apps = await getApps({
-			integrationAuth: req.integrationAuth,
-			accessToken: req.accessToken
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-        Sentry.captureException(err);	
-		return res.status(400).send({
-			message: 'Failed to get integration authorization applications'
-		});
-	}
+  let apps;
+  try {
+    apps = await getApps({
+      integrationAuth: req.integrationAuth,
+      accessToken: req.accessToken,
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get integration authorization applications",
+    });
+  }
 
-	return res.status(200).send({
-		apps
-	});
+  return res.status(200).send({
+    apps,
+  });
 };
 
 /**
@@ -89,22 +180,21 @@ export const getIntegrationAuthApps = async (req: Request, res: Response) => {
  * @returns
  */
 export const deleteIntegrationAuth = async (req: Request, res: Response) => {
-	try {
-		const { integrationAuthId } = req.params;
+  let integrationAuth;
+  try {
+    integrationAuth = await revokeAccess({
+      integrationAuth: req.integrationAuth,
+      accessToken: req.accessToken,
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to delete integration authorization",
+    });
+  }
 
-		await revokeAccess({
-			integrationAuth: req.integrationAuth,
-			accessToken: req.accessToken
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-        Sentry.captureException(err);	
-		return res.status(400).send({
-			message: 'Failed to delete integration authorization'
-		});
-	}
-	
-	return res.status(200).send({
-		message: 'Successfully deleted integration authorization'
-	});
-}
+  return res.status(200).send({
+    integrationAuth,
+  });
+};

backend/src/controllers/v1/integrationController.ts

@@ -1,65 +1,52 @@
 import { Request, Response } from 'express';
-import { readFileSync } from 'fs';
+import { Types } from 'mongoose';
 import * as Sentry from '@sentry/node';
-import { Integration, Bot, BotKey } from '../../models';
+import { 
+	Integration, 
+	Workspace,
+	Bot, 
+	BotKey 
+} from '../../models';
 import { EventService } from '../../services';
 import { eventPushSecrets } from '../../events';
 
-interface Key {
-	encryptedKey: string;
-	nonce: string;
-}
-
-interface PushSecret {
-	ciphertextKey: string;
-	ivKey: string;
-	tagKey: string;
-	hashKey: string;
-	ciphertextValue: string;
-	ivValue: string;
-	tagValue: string;
-	hashValue: string;
-	type: 'shared' | 'personal';
-}
-
 /**
- * Change environment or name of integration with id [integrationId]
+ * Create/initialize an (empty) integration for integration authorization
  * @param req
  * @param res
  * @returns
  */
-export const updateIntegration = async (req: Request, res: Response) => {
+export const createIntegration = async (req: Request, res: Response) => {
 	let integration;
-	
-	// TODO: add integration-specific validation to ensure that each
-	// integration has the correct fields populated in [Integration]
-	
 	try {
-		const { 
-			app, 
-			environment, 
-			isActive, 
-			target, // vercel-specific integration param
-			context, // netlify-specific integration param
-			siteId // netlify-specific integration param
+		const {
+			integrationAuthId,
+			app,
+			appId,
+			isActive,
+			sourceEnvironment,
+			targetEnvironment,
+			owner,
+			path,
+			region
 		} = req.body;
 		
-		integration = await Integration.findOneAndUpdate(
-			{
-				_id: req.integration._id
-			},
-			{
-				environment,
-				isActive,
-				app,
-				target,
-				context,
-				siteId
-			},
-			{
-				new: true
-			}
-		);
+		// TODO: validate [sourceEnvironment] and [targetEnvironment]
+
+		// initialize new integration after saving integration access token
+        integration = await new Integration({
+            workspace: req.integrationAuth.workspace._id,
+            environment: sourceEnvironment,
+            isActive,
+            app,
+			appId,
+			targetEnvironment,
+			owner,
+			path,
+			region,
+            integration: req.integrationAuth.integration,
+            integrationAuth: new Types.ObjectId(integrationAuthId)
+        }).save();
 		
 		if (integration) {
 			// trigger event - push secrets
@@ -69,17 +56,78 @@ export const updateIntegration = async (req: Request, res: Response) => {
 				})
 			});
 		}
+
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);
 		return res.status(400).send({
-			message: 'Failed to update integration'
+			message: 'Failed to create integration'
 		});
 	}
 
-	return res.status(200).send({
-		integration
-	});
+  return res.status(200).send({
+    integration,
+  });
+};
+
+/**
+ * Change environment or name of integration with id [integrationId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const updateIntegration = async (req: Request, res: Response) => {
+  let integration;
+
+  // TODO: add integration-specific validation to ensure that each
+  // integration has the correct fields populated in [Integration]
+
+  try {
+    const {
+      environment,
+      isActive,
+      app,
+      appId,
+      targetEnvironment,
+      owner, // github-specific integration param
+    } = req.body;
+
+    integration = await Integration.findOneAndUpdate(
+      {
+        _id: req.integration._id,
+      },
+      {
+        environment,
+        isActive,
+        app,
+        appId,
+        targetEnvironment,
+        owner,
+      },
+      {
+        new: true,
+      }
+    );
+
+    if (integration) {
+      // trigger event - push secrets
+      EventService.handleEvent({
+        event: eventPushSecrets({
+          workspaceId: integration.workspace.toString(),
+        }),
+      });
+    }
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to update integration",
+    });
+  }
+
+  return res.status(200).send({
+    integration,
+  });
 };
 
 /**
@@ -90,45 +138,24 @@ export const updateIntegration = async (req: Request, res: Response) => {
  * @returns
  */
 export const deleteIntegration = async (req: Request, res: Response) => {
-	let deletedIntegration;
-	try {
-		const { integrationId } = req.params;
+  let integration;
+  try {
+    const { integrationId } = req.params;
 
-		deletedIntegration = await Integration.findOneAndDelete({
-			_id: integrationId
-		});
-		
-		if (!deletedIntegration) throw new Error('Failed to find integration');
-		
-		const integrations = await Integration.find({
-			workspace: deletedIntegration.workspace
-		});
-			
-		if (integrations.length === 0) {
-			// case: no integrations left, deactivate bot
-			const bot = await Bot.findOneAndUpdate({
-				workspace: deletedIntegration.workspace
-			}, {
-				isActive: false
-			}, {
-				new: true
-			});
-			
-			if (bot) {
-				await BotKey.deleteOne({
-					bot: bot._id
-				});
-			}
-		}
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to delete integration'
-		});
-	}
+    integration = await Integration.findOneAndDelete({
+      _id: integrationId,
+    });
 
-	return res.status(200).send({
-		deletedIntegration
-	});
+    if (!integration) throw new Error("Failed to find integration");
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to delete integration",
+    });
+  }
+
+  return res.status(200).send({
+    integration,
+  });
 };

backend/src/controllers/v1/membershipController.ts

@@ -1,6 +1,6 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import { Membership, MembershipOrg, User, Key } from '../../models';
+import { Membership, MembershipOrg, User, Key, IMembership, Workspace } from '../../models';
 import {
 	findMembership,
 	deleteMembership as deleteMember
@@ -230,4 +230,4 @@ export const inviteUserToWorkspace = async (req: Request, res: Response) => {
 		invitee,
 		latestKey
 	});
-};
+};

backend/src/controllers/v1/membershipOrgController.ts

@@ -1,7 +1,7 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
 import crypto from 'crypto';
-import { SITE_URL, JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET } from '../../config';
+import { SITE_URL, JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET, EMAIL_TOKEN_LIFETIME } from '../../config';
 import { MembershipOrg, Organization, User, Token } from '../../models';
 import { deleteMembershipOrg as deleteMemberFromOrg } from '../../helpers/membershipOrg';
 import { checkEmailVerification } from '../../helpers/signup';
@@ -77,8 +77,6 @@ export const changeMembershipOrgRole = async (req: Request, res: Response) => {
 	// change role for (target) organization membership with id
 	// [membershipOrgId]
 
-	// TODO
-
 	let membershipToChangeRole;
 	// try {
 	// } catch (err) {
@@ -115,14 +113,14 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 		if (!membershipOrg) {
 			throw new Error('Failed to validate organization membership');
 		}
-		
+
 		invitee = await User.findOne({
 			email: inviteeEmail
 		}).select('+publicKey');
 
 		if (invitee) {
 			// case: invitee is an existing user
-			
+
 			inviteeMembershipOrg = await MembershipOrg.findOne({
 				user: invitee._id,
 				organization: organizationId
@@ -172,7 +170,8 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 				{
 					email: inviteeEmail,
 					token,
-					createdAt: new Date()
+					createdAt: new Date(),
+					ttl: Math.floor(+new Date() / 1000) + EMAIL_TOKEN_LIFETIME // time in seconds, i.e unix
 				},
 				{ upsert: true, new: true }
 			);
@@ -243,7 +242,7 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => {
 				message: 'Successfully verified email',
 				user,
 			});
-        }
+		}
 
 		if (!user) {
 			// initialize user account

backend/src/controllers/v1/organizationController.ts

@@ -2,10 +2,7 @@ import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
 import {
 	SITE_URL,
-	STRIPE_SECRET_KEY,
-	STRIPE_PRODUCT_STARTER,
-	STRIPE_PRODUCT_PRO,
-	STRIPE_PRODUCT_CARD_AUTH
+	STRIPE_SECRET_KEY
 } from '../../config';
 import Stripe from 'stripe';
 
@@ -17,24 +14,14 @@ import {
 	MembershipOrg,
 	Organization,
 	Workspace,
-	IncidentContactOrg
+	IncidentContactOrg,
+	IMembershipOrg
 } from '../../models';
 import { createOrganization as create } from '../../helpers/organization';
 import { addMembershipsOrg } from '../../helpers/membershipOrg';
 import { OWNER, ACCEPTED } from '../../variables';
+import _ from 'lodash';
 
-const productToPriceMap = {
-	starter: STRIPE_PRODUCT_STARTER,
-	pro: STRIPE_PRODUCT_PRO,
-	cardAuth: STRIPE_PRODUCT_CARD_AUTH
-};
-
-/**
- * Return organizations that user is part of
- * @param req
- * @param res
- * @returns
- */
 export const getOrganizations = async (req: Request, res: Response) => {
 	let organizations;
 	try {
@@ -346,7 +333,6 @@ export const createOrganizationPortalSession = async (
 
 		if (paymentMethods.data.length < 1) {
 			// case: no payment method on file
-			productToPriceMap['cardAuth'];
 			session = await stripe.checkout.sessions.create({
 				customer: req.membershipOrg.organization.customerId,
 				mode: 'setup',
@@ -398,3 +384,44 @@ export const getOrganizationSubscriptions = async (
 		subscriptions
 	});
 };
+
+
+/**
+ * Given a org id, return the projects each member of the org belongs to
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getOrganizationMembersAndTheirWorkspaces = async (
+	req: Request,
+	res: Response
+) => {
+	const { organizationId } = req.params;
+
+	const workspacesSet = (
+			await Workspace.find(
+				{
+					organization: organizationId
+				},
+				'_id'
+			)
+		).map((w) => w._id.toString());
+
+	const memberships = (
+		await Membership.find({
+			workspace: { $in: workspacesSet }
+		}).populate('workspace')
+	);
+	const userToWorkspaceIds: any = {};
+
+	memberships.forEach(membership => {
+		const user = membership.user.toString();
+		if (userToWorkspaceIds[user]) {
+			userToWorkspaceIds[user].push(membership.workspace);
+		} else {
+			userToWorkspaceIds[user] = [membership.workspace];
+		}
+	});
+
+	return res.json(userToWorkspaceIds);
+};

backend/src/controllers/v1/passwordController.ts

@@ -4,13 +4,12 @@ import crypto from 'crypto';
 // eslint-disable-next-line @typescript-eslint/no-var-requires
 const jsrp = require('jsrp');
 import * as bigintConversion from 'bigint-conversion';
-import { User, Token, BackupPrivateKey } from '../../models';
+import { User, Token, BackupPrivateKey, LoginSRPDetail } from '../../models';
 import { checkEmailVerification } from '../../helpers/signup';
 import { createToken } from '../../helpers/auth';
 import { sendMail } from '../../helpers/nodemailer';
-import { JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET, SITE_URL } from '../../config';
-
-const clientPublicKeys: any = {};
+import { EMAIL_TOKEN_LIFETIME, JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET, SITE_URL } from '../../config';
+import { BadRequestError } from '../../utils/errors';
 
 /**
  * Password reset step 1: Send email verification link to email [email] 
@@ -32,7 +31,7 @@ export const emailPasswordReset = async (req: Request, res: Response) => {
 				error: 'Failed to send email verification for password reset'
 			});
 		}
-		
+
 		const token = crypto.randomBytes(16).toString('hex');
 
 		await Token.findOneAndUpdate(
@@ -40,11 +39,12 @@ export const emailPasswordReset = async (req: Request, res: Response) => {
 			{
 				email,
 				token,
-				createdAt: new Date()
+				createdAt: new Date(),
+				ttl: Math.floor(+new Date() / 1000) + EMAIL_TOKEN_LIFETIME // time in seconds, i.e unix
 			},
 			{ upsert: true, new: true }
 		);
-		
+
 		await sendMail({
 			template: 'passwordReset.handlebars',
 			subjectLine: 'Infisical password reset',
@@ -55,15 +55,15 @@ export const emailPasswordReset = async (req: Request, res: Response) => {
 				callback_url: SITE_URL + '/password-reset'
 			}
 		});
-		
+
 	} catch (err) {
 		Sentry.setUser(null);
 		Sentry.captureException(err);
 		return res.status(400).send({
 			message: 'Failed to send email for account recovery'
-		});	
+		});
 	}
-	
+
 	return res.status(200).send({
 		message: `Sent an email for account recovery to ${email}`
 	});
@@ -79,7 +79,7 @@ export const emailPasswordResetVerify = async (req: Request, res: Response) => {
 	let user, token;
 	try {
 		const { email, code } = req.body;
-		
+
 		user = await User.findOne({ email }).select('+publicKey');
 		if (!user || !user?.publicKey) {
 			// case: user doesn't exist with email [email] or 
@@ -93,7 +93,7 @@ export const emailPasswordResetVerify = async (req: Request, res: Response) => {
 			email,
 			code
 		});
-		
+
 		// generate temporary password-reset token
 		token = createToken({
 			payload: {
@@ -107,7 +107,7 @@ export const emailPasswordResetVerify = async (req: Request, res: Response) => {
 		Sentry.captureException(err);
 		return res.status(400).send({
 			message: 'Failed email verification for password reset'
-		});	
+		});
 	}
 
 	return res.status(200).send({
@@ -130,7 +130,7 @@ export const srp1 = async (req: Request, res: Response) => {
 		const user = await User.findOne({
 			email: req.user.email
 		}).select('+salt +verifier');
-		
+
 		if (!user) throw new Error('Failed to find user');
 
 		const server = new jsrp.server();
@@ -139,13 +139,15 @@ export const srp1 = async (req: Request, res: Response) => {
 				salt: user.salt,
 				verifier: user.verifier
 			},
-			() => {
+			async () => {
 				// generate server-side public key
 				const serverPublicKey = server.getPublicKey();
-				clientPublicKeys[req.user.email] = {
-					clientPublicKey,
-					serverBInt: bigintConversion.bigintToBuf(server.bInt)
-				};
+
+				await LoginSRPDetail.findOneAndReplace({ email: req.user.email }, {
+					email: req.user.email,
+					clientPublicKey: clientPublicKey,
+					serverBInt: bigintConversion.bigintToBuf(server.bInt),
+				}, { upsert: true, returnNewDocument: false })
 
 				return res.status(200).send({
 					serverPublicKey,
@@ -180,17 +182,21 @@ export const changePassword = async (req: Request, res: Response) => {
 
 		if (!user) throw new Error('Failed to find user');
 
+		const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: req.user.email })
+
+		if (!loginSRPDetailFromDB) {
+			return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
+		}
+
 		const server = new jsrp.server();
 		server.init(
 			{
 				salt: user.salt,
 				verifier: user.verifier,
-				b: clientPublicKeys[req.user.email].serverBInt
+				b: loginSRPDetailFromDB.serverBInt
 			},
 			async () => {
-				server.setClientPublicKey(
-					clientPublicKeys[req.user.email].clientPublicKey
-				);
+				server.setClientPublicKey(loginSRPDetailFromDB.clientPublicKey);
 
 				// compare server and client shared keys
 				if (server.checkClientProof(clientProof)) {
@@ -249,16 +255,22 @@ export const createBackupPrivateKey = async (req: Request, res: Response) => {
 
 		if (!user) throw new Error('Failed to find user');
 
+		const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: req.user.email })
+
+		if (!loginSRPDetailFromDB) {
+			return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
+		}
+
 		const server = new jsrp.server();
 		server.init(
 			{
 				salt: user.salt,
 				verifier: user.verifier,
-				b: clientPublicKeys[req.user.email].serverBInt
+				b: loginSRPDetailFromDB.serverBInt
 			},
 			async () => {
 				server.setClientPublicKey(
-					clientPublicKeys[req.user.email].clientPublicKey
+					loginSRPDetailFromDB.clientPublicKey
 				);
 
 				// compare server and client shared keys
@@ -311,16 +323,16 @@ export const getBackupPrivateKey = async (req: Request, res: Response) => {
 		backupPrivateKey = await BackupPrivateKey.findOne({
 			user: req.user._id
 		}).select('+encryptedPrivateKey +iv +tag');
-		
+
 		if (!backupPrivateKey) throw new Error('Failed to find backup private key');
 	} catch (err) {
-		Sentry.setUser({ email: req.user.email});
+		Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);
 		return res.status(400).send({
 			message: 'Failed to get backup private key'
 		});
 	}
-	
+
 	return res.status(200).send({
 		backupPrivateKey
 	});
@@ -348,15 +360,15 @@ export const resetPassword = async (req: Request, res: Response) => {
 			{
 				new: true
 			}
-		);	
+		);
 	} catch (err) {
-		Sentry.setUser({ email: req.user.email});
+		Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);
 		return res.status(400).send({
 			message: 'Failed to get backup private key'
-		});	
+		});
 	}
-	
+
 	return res.status(200).send({
 		message: 'Successfully reset password'
 	});

backend/src/controllers/v1/signupController.ts

@@ -1,6 +1,6 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import { NODE_ENV, JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET } from '../../config';
+import { NODE_ENV, JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET, INVITE_ONLY_SIGNUP } from '../../config';
 import { User, MembershipOrg } from '../../models';
 import { completeAccount } from '../../helpers/user';
 import {
@@ -11,6 +11,7 @@ import {
 import { issueTokens, createToken } from '../../helpers/auth';
 import { INVITED, ACCEPTED } from '../../variables';
 import axios from 'axios';
+import { BadRequestError } from '../../utils/errors';
 
 /**
  * Signup step 1: Initialize account for user under email [email] and send a verification code
@@ -24,6 +25,14 @@ export const beginEmailSignup = async (req: Request, res: Response) => {
 	try {
 		email = req.body.email;
 
+		if (INVITE_ONLY_SIGNUP) {
+			// Only one user can create an account without being invited. The rest need to be invited in order to make an account
+			const userCount = await User.countDocuments({})
+			if (userCount != 0) {
+				throw BadRequestError({ message: "New user sign ups are not allowed at this time. You must be invited to sign up." })
+			}
+		}
+
 		const user = await User.findOne({ email }).select('+publicKey');
 		if (user && user?.publicKey) {
 			// case: user has already completed account
@@ -129,7 +138,7 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 
 		// get user
 		user = await User.findOne({ email });
-		
+
 		if (!user || (user && user?.publicKey)) {
 			// case 1: user doesn't exist.
 			// case 2: user has already completed account

backend/src/controllers/v1/workspaceController.ts

@@ -1,21 +1,21 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
+import { Request, Response } from "express";
+import * as Sentry from "@sentry/node";
 import {
-	Workspace,
-	Membership,
-	MembershipOrg,
-	Integration,
-	IntegrationAuth,
-	IUser,
-	ServiceToken,
-	ServiceTokenData
-} from '../../models';
+  Workspace,
+  Membership,
+  MembershipOrg,
+  Integration,
+  IntegrationAuth,
+  IUser,
+  ServiceToken,
+  ServiceTokenData,
+} from "../../models";
 import {
-	createWorkspace as create,
-	deleteWorkspace as deleteWork
-} from '../../helpers/workspace';
-import { addMemberships } from '../../helpers/membership';
-import { ADMIN } from '../../variables';
+  createWorkspace as create,
+  deleteWorkspace as deleteWork,
+} from "../../helpers/workspace";
+import { addMemberships } from "../../helpers/membership";
+import { ADMIN } from "../../variables";
 
 /**
  * Return public keys of members of workspace with id [workspaceId]
@@ -24,32 +24,31 @@ import { ADMIN } from '../../variables';
  * @returns
  */
 export const getWorkspacePublicKeys = async (req: Request, res: Response) => {
-	let publicKeys;
-	try {
-		const { workspaceId } = req.params;
+  let publicKeys;
+  try {
+    const { workspaceId } = req.params;
 
-		publicKeys = (
-			await Membership.find({
-				workspace: workspaceId
-			}).populate<{ user: IUser }>('user', 'publicKey')
-		)
-		.map((member) => {
-			return {
-				publicKey: member.user.publicKey,
-				userId: member.user._id
-			};
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get workspace member public keys'
-		});
-	}
+    publicKeys = (
+      await Membership.find({
+        workspace: workspaceId,
+      }).populate<{ user: IUser }>("user", "publicKey")
+    ).map((member) => {
+      return {
+        publicKey: member.user.publicKey,
+        userId: member.user._id,
+      };
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get workspace member public keys",
+    });
+  }
 
-	return res.status(200).send({
-		publicKeys
-	});
+  return res.status(200).send({
+    publicKeys,
+  });
 };
 
 /**
@@ -59,24 +58,24 @@ export const getWorkspacePublicKeys = async (req: Request, res: Response) => {
  * @returns
  */
 export const getWorkspaceMemberships = async (req: Request, res: Response) => {
-	let users;
-	try {
-		const { workspaceId } = req.params;
+  let users;
+  try {
+    const { workspaceId } = req.params;
 
-		users = await Membership.find({
-			workspace: workspaceId
-		}).populate('user', '+publicKey');
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get workspace members'
-		});
-	}
+    users = await Membership.find({
+      workspace: workspaceId,
+    }).populate("user", "+publicKey");
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get workspace members",
+    });
+  }
 
-	return res.status(200).send({
-		users
-	});
+  return res.status(200).send({
+    users,
+  });
 };
 
 /**
@@ -86,24 +85,24 @@ export const getWorkspaceMemberships = async (req: Request, res: Response) => {
  * @returns
  */
 export const getWorkspaces = async (req: Request, res: Response) => {
-	let workspaces;
-	try {
-		workspaces = (
-			await Membership.find({
-				user: req.user._id
-			}).populate('workspace')
-		).map((m) => m.workspace);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get workspaces'
-		});
-	}
+  let workspaces;
+  try {
+    workspaces = (
+      await Membership.find({
+        user: req.user._id,
+      }).populate("workspace")
+    ).map((m) => m.workspace);
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get workspaces",
+    });
+  }
 
-	return res.status(200).send({
-		workspaces
-	});
+  return res.status(200).send({
+    workspaces,
+  });
 };
 
 /**
@@ -113,24 +112,24 @@ export const getWorkspaces = async (req: Request, res: Response) => {
  * @returns
  */
 export const getWorkspace = async (req: Request, res: Response) => {
-	let workspace;
-	try {
-		const { workspaceId } = req.params;
+  let workspace;
+  try {
+    const { workspaceId } = req.params;
 
-		workspace = await Workspace.findOne({
-			_id: workspaceId
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get workspace'
-		});
-	}
+    workspace = await Workspace.findOne({
+      _id: workspaceId,
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get workspace",
+    });
+  }
 
-	return res.status(200).send({
-		workspace
-	});
+  return res.status(200).send({
+    workspace,
+  });
 };
 
 /**
@@ -141,46 +140,46 @@ export const getWorkspace = async (req: Request, res: Response) => {
  * @returns
  */
 export const createWorkspace = async (req: Request, res: Response) => {
-	let workspace;
-	try {
-		const { workspaceName, organizationId } = req.body;
+  let workspace;
+  try {
+    const { workspaceName, organizationId } = req.body;
 
-		// validate organization membership
-		const membershipOrg = await MembershipOrg.findOne({
-			user: req.user._id,
-			organization: organizationId
-		});
+    // validate organization membership
+    const membershipOrg = await MembershipOrg.findOne({
+      user: req.user._id,
+      organization: organizationId,
+    });
 
-		if (!membershipOrg) {
-			throw new Error('Failed to validate organization membership');
-		}
+    if (!membershipOrg) {
+      throw new Error("Failed to validate organization membership");
+    }
 
-		if (workspaceName.length < 1) {
-			throw new Error('Workspace names must be at least 1-character long');
-		}
+    if (workspaceName.length < 1) {
+      throw new Error("Workspace names must be at least 1-character long");
+    }
 
-		// create workspace and add user as member
-		workspace = await create({
-			name: workspaceName,
-			organizationId
-		});
+    // create workspace and add user as member
+    workspace = await create({
+      name: workspaceName,
+      organizationId,
+    });
 
-		await addMemberships({
-			userIds: [req.user._id],
-			workspaceId: workspace._id.toString(),
-			roles: [ADMIN]
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to create workspace'
-		});
-	}
+    await addMemberships({
+      userIds: [req.user._id],
+      workspaceId: workspace._id.toString(),
+      roles: [ADMIN],
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to create workspace",
+    });
+  }
 
-	return res.status(200).send({
-		workspace
-	});
+  return res.status(200).send({
+    workspace,
+  });
 };
 
 /**
@@ -190,24 +189,24 @@ export const createWorkspace = async (req: Request, res: Response) => {
  * @returns
  */
 export const deleteWorkspace = async (req: Request, res: Response) => {
-	try {
-		const { workspaceId } = req.params;
+  try {
+    const { workspaceId } = req.params;
 
-		// delete workspace
-		await deleteWork({
-			id: workspaceId
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to delete workspace'
-		});
-	}
+    // delete workspace
+    await deleteWork({
+      id: workspaceId,
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to delete workspace",
+    });
+  }
 
-	return res.status(200).send({
-		message: 'Successfully deleted workspace'
-	});
+  return res.status(200).send({
+    message: "Successfully deleted workspace",
+  });
 };
 
 /**
@@ -217,34 +216,34 @@ export const deleteWorkspace = async (req: Request, res: Response) => {
  * @returns
  */
 export const changeWorkspaceName = async (req: Request, res: Response) => {
-	let workspace;
-	try {
-		const { workspaceId } = req.params;
-		const { name } = req.body;
+  let workspace;
+  try {
+    const { workspaceId } = req.params;
+    const { name } = req.body;
 
-		workspace = await Workspace.findOneAndUpdate(
-			{
-				_id: workspaceId
-			},
-			{
-				name
-			},
-			{
-				new: true
-			}
-		);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to change workspace name'
-		});
-	}
+    workspace = await Workspace.findOneAndUpdate(
+      {
+        _id: workspaceId,
+      },
+      {
+        name,
+      },
+      {
+        new: true,
+      }
+    );
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to change workspace name",
+    });
+  }
 
-	return res.status(200).send({
-		message: 'Successfully changed workspace name',
-		workspace
-	});
+  return res.status(200).send({
+    message: "Successfully changed workspace name",
+    workspace,
+  });
 };
 
 /**
@@ -254,24 +253,24 @@ export const changeWorkspaceName = async (req: Request, res: Response) => {
  * @returns
  */
 export const getWorkspaceIntegrations = async (req: Request, res: Response) => {
-	let integrations;
-	try {
-		const { workspaceId } = req.params;
+  let integrations;
+  try {
+    const { workspaceId } = req.params;
 
-		integrations = await Integration.find({
-			workspace: workspaceId
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get workspace integrations'
-		});
-	}
+    integrations = await Integration.find({
+      workspace: workspaceId,
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get workspace integrations",
+    });
+  }
 
-	return res.status(200).send({
-		integrations
-	});
+  return res.status(200).send({
+    integrations,
+  });
 };
 
 /**
@@ -281,56 +280,56 @@ export const getWorkspaceIntegrations = async (req: Request, res: Response) => {
  * @returns
  */
 export const getWorkspaceIntegrationAuthorizations = async (
-	req: Request,
-	res: Response
+  req: Request,
+  res: Response
 ) => {
-	let authorizations;
-	try {
-		const { workspaceId } = req.params;
+  let authorizations;
+  try {
+    const { workspaceId } = req.params;
 
-		authorizations = await IntegrationAuth.find({
-			workspace: workspaceId
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get workspace integration authorizations'
-		});
-	}
+    authorizations = await IntegrationAuth.find({
+      workspace: workspaceId,
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get workspace integration authorizations",
+    });
+  }
 
-	return res.status(200).send({
-		authorizations
-	});
+  return res.status(200).send({
+    authorizations,
+  });
 };
 
 /**
  * Return service service tokens for workspace [workspaceId] belonging to user
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
  */
 export const getWorkspaceServiceTokens = async (
-	req: Request,
-	res: Response
+  req: Request,
+  res: Response
 ) => {
-	let serviceTokens;
-	try {
-		const { workspaceId } = req.params;
+  let serviceTokens;
+  try {
+    const { workspaceId } = req.params;
+    // ?? FIX.
+    serviceTokens = await ServiceToken.find({
+      user: req.user._id,
+      workspace: workspaceId,
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get workspace service tokens",
+    });
+  }
 
-		serviceTokens = await ServiceToken.find({
-			user: req.user._id,
-			workspace: workspaceId
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get workspace service tokens'
-		});
-	}
-	
-	return res.status(200).send({
-		serviceTokens
-	});
-}
+  return res.status(200).send({
+    serviceTokens,
+  });
+};

backend/src/controllers/v2/environmentController.ts

@@ -6,8 +6,12 @@ import {
   Workspace,
   Integration,
   ServiceTokenData,
+  Membership,
 } from '../../models';
 import { SecretVersion } from '../../ee/models';
+import { BadRequestError } from '../../utils/errors';
+import _ from 'lodash';
+import { ABILITY_READ, ABILITY_WRITE } from '../../variables/organization';
 
 /**
  * Create new workspace environment named [environmentName] under workspace with id
@@ -33,7 +37,7 @@ export const createWorkspaceEnvironment = async (
     }
 
     workspace?.environments.push({
-      name: environmentName.toLowerCase(),
+      name: environmentName,
       slug: environmentSlug.toLowerCase(),
     });
     await workspace.save();
@@ -96,7 +100,7 @@ export const renameWorkspaceEnvironment = async (
       throw new Error('Invalid environment given');
     }
 
-    workspace.environments[envIndex].name = environmentName.toLowerCase();
+    workspace.environments[envIndex].name = environmentName;
     workspace.environments[envIndex].slug = environmentSlug.toLowerCase();
 
     await workspace.save();
@@ -120,6 +124,15 @@ export const renameWorkspaceEnvironment = async (
       { workspace: workspaceId, environment: oldEnvironmentSlug },
       { environment: environmentSlug }
     );
+    await Membership.updateMany(
+      {
+        workspace: workspaceId,
+        "deniedPermissions.environmentSlug": oldEnvironmentSlug
+      },
+      { $set: { "deniedPermissions.$[element].environmentSlug": environmentSlug } },
+      { arrayFilters: [{ "element.environmentSlug": oldEnvironmentSlug }] }
+    )
+
   } catch (err) {
     Sentry.setUser({ email: req.user.email });
     Sentry.captureException(err);
@@ -188,6 +201,11 @@ export const deleteWorkspaceEnvironment = async (
       workspace: workspaceId,
       environment: environmentSlug,
     });
+    await Membership.updateMany(
+      { workspace: workspaceId },
+      { $pull: { deniedPermissions: { environmentSlug: environmentSlug } } }
+    )
+
   } catch (err) {
     Sentry.setUser({ email: req.user.email });
     Sentry.captureException(err);
@@ -202,3 +220,43 @@ export const deleteWorkspaceEnvironment = async (
     environment: environmentSlug,
   });
 };
+
+
+export const getAllAccessibleEnvironmentsOfWorkspace = async (
+  req: Request,
+  res: Response
+) => {
+  const { workspaceId } = req.params;
+  const workspacesUserIsMemberOf = await Membership.findOne({
+    workspace: workspaceId,
+    user: req.user
+  })
+
+  if (!workspacesUserIsMemberOf) {
+    throw BadRequestError()
+  }
+
+  const accessibleEnvironments: any = []
+  const deniedPermission = workspacesUserIsMemberOf.deniedPermissions
+
+  const relatedWorkspace = await Workspace.findById(workspaceId)
+  if (!relatedWorkspace) {
+    throw BadRequestError()
+  }
+  relatedWorkspace.environments.forEach(environment => {
+    const isReadBlocked = _.some(deniedPermission, { environmentSlug: environment.slug, ability: ABILITY_READ })
+    const isWriteBlocked = _.some(deniedPermission, { environmentSlug: environment.slug, ability: ABILITY_WRITE })
+    if (isReadBlocked && isWriteBlocked) {
+      return
+    } else {
+      accessibleEnvironments.push({
+        name: environment.name,
+        slug: environment.slug,
+        isWriteDenied: isWriteBlocked,
+        isReadDenied: isReadBlocked
+      })
+    }
+  })
+
+  res.json({ accessibleEnvironments })
+};

backend/src/controllers/v2/index.ts

@@ -1,15 +1,21 @@
+import * as usersController from './usersController';
+import * as organizationsController from './organizationsController';
 import * as workspaceController from './workspaceController';
 import * as serviceTokenDataController from './serviceTokenDataController';
 import * as apiKeyDataController from './apiKeyDataController';
 import * as secretController from './secretController';
 import * as secretsController from './secretsController';
 import * as environmentController from './environmentController';
+import * as tagController from './tagController';
 
 export {
+    usersController,
+    organizationsController,
     workspaceController,
     serviceTokenDataController,
     apiKeyDataController,
     secretController,
     secretsController,
-    environmentController
+    environmentController,
+    tagController
 }

backend/src/controllers/v2/organizationsController.ts

@@ -0,0 +1,296 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { 
+    MembershipOrg,
+    Membership,
+    Workspace
+} from '../../models';
+import { deleteMembershipOrg } from '../../helpers/membershipOrg';
+import { updateSubscriptionOrgQuantity } from '../../helpers/organization';
+
+/**
+ * Return memberships for organization with id [organizationId]
+ * @param req 
+ * @param res 
+ */
+export const getOrganizationMemberships = async (req: Request, res: Response) => {
+    /* 
+    #swagger.summary = 'Return organization memberships'
+    #swagger.description = 'Return organization memberships'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+	#swagger.parameters['organizationId'] = {
+		"description": "ID of organization",
+		"required": true,
+		"type": "string"
+	} 
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+                    "type": "object",
+					"properties": {
+						"memberships": {
+							"type": "array",
+							"items": {
+								$ref: "#/components/schemas/MembershipOrg" 
+							},
+							"description": "Memberships of organization"
+						}
+					}
+                }
+            }           
+        }
+    }   
+    */
+    let memberships;
+    try {
+        const { organizationId } = req.params;
+
+		memberships = await MembershipOrg.find({
+			organization: organizationId
+		}).populate('user', '+publicKey');
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get organization memberships'
+		});
+    }
+    
+    return res.status(200).send({
+        memberships
+    });
+}
+
+/**
+ * Update role of membership with id [membershipId] to role [role]
+ * @param req 
+ * @param res 
+ */
+export const updateOrganizationMembership = async (req: Request, res: Response) => {
+    /* 
+    #swagger.summary = 'Update organization membership'
+    #swagger.description = 'Update organization membership'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+	#swagger.parameters['organizationId'] = {
+		"description": "ID of organization",
+		"required": true,
+		"type": "string"
+	} 
+
+	#swagger.parameters['membershipId'] = {
+		"description": "ID of organization membership to update",
+		"required": true,
+		"type": "string"
+	} 
+
+	#swagger.requestBody = {
+      "required": true,
+      "content": {
+        "application/json": {
+          "schema": {
+            "type": "object",
+            "properties": {
+                "role": {
+                    "type": "string",
+                    "description": "Role of organization membership - either owner, admin, or member",
+                }
+            }
+          }
+        }
+      }
+    }
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+					"type": "object",
+					"properties": {
+						"membership": {
+							$ref: "#/components/schemas/MembershipOrg",
+							"description": "Updated organization membership"
+						}
+					}
+                }
+            }           
+        }
+    }   
+    */
+    let membership;
+    try {
+        const { membershipId } = req.params;
+        const { role } = req.body;
+        
+        membership = await MembershipOrg.findByIdAndUpdate(
+            membershipId,
+            {
+                role
+            }, {
+                new: true
+            }
+        );
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to update organization membership'
+		});
+    }
+    
+    return res.status(200).send({
+        membership
+    });
+}
+
+/**
+ * Delete organization membership with id [membershipId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const deleteOrganizationMembership = async (req: Request, res: Response) => {
+    /* 
+    #swagger.summary = 'Delete organization membership'
+    #swagger.description = 'Delete organization membership'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+	#swagger.parameters['organizationId'] = {
+		"description": "ID of organization",
+		"required": true,
+		"type": "string"
+	} 
+
+	#swagger.parameters['membershipId'] = {
+		"description": "ID of organization membership to delete",
+		"required": true,
+		"type": "string"
+	} 
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+					"type": "object",
+					"properties": {
+						"membership": {
+							$ref: "#/components/schemas/MembershipOrg",
+							"description": "Deleted organization membership"
+						}
+					}
+                }
+            }           
+        }
+    }   
+    */
+    let membership;
+    try {
+        const { membershipId } = req.params;
+        
+        // delete organization membership
+        membership = await deleteMembershipOrg({
+            membershipOrgId: membershipId
+        });
+
+        await updateSubscriptionOrgQuantity({
+			organizationId: membership.organization.toString()
+		});
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to delete organization membership'
+		});	
+    }
+
+    return res.status(200).send({
+        membership
+    });
+}
+
+/**
+ * Return workspaces for organization with id [organizationId] that user has
+ * access to
+ * @param req 
+ * @param res 
+ */
+export const getOrganizationWorkspaces = async (req: Request, res: Response) => {
+    /* 
+    #swagger.summary = 'Return projects in organization that user is part of'
+    #swagger.description = 'Return projects in organization that user is part of'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+	#swagger.parameters['organizationId'] = {
+		"description": "ID of organization",
+		"required": true,
+		"type": "string"
+	} 
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+                    "type": "object",
+					"properties": {
+						"workspaces": {
+							"type": "array",
+							"items": {
+								$ref: "#/components/schemas/Project" 
+							},
+							"description": "Projects of organization"
+						}
+					}
+                }
+            }           
+        }
+    }   
+    */
+    let workspaces;
+    try {
+        const { organizationId } = req.params;
+
+		const workspacesSet = new Set(
+			(
+				await Workspace.find(
+					{
+						organization: organizationId
+					},
+					'_id'
+				)
+			).map((w) => w._id.toString())
+		);
+
+		workspaces = (
+			await Membership.find({
+				user: req.user._id
+			}).populate('workspace')
+		)
+			.filter((m) => workspacesSet.has(m.workspace._id.toString()))
+			.map((m) => m.workspace);
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get organization workspaces'
+		});	
+    }
+    
+    return res.status(200).send({
+        workspaces
+    });
+}

backend/src/controllers/v2/secretsController.ts

@@ -1,7 +1,7 @@
 import to from 'await-to-js';
 import { Types } from 'mongoose';
 import { Request, Response } from 'express';
-import { ISecret, Secret } from '../../models';
+import { ISecret, Membership, Secret, Workspace } from '../../models';
 import {
     SECRET_PERSONAL,
     SECRET_SHARED,
@@ -10,12 +10,16 @@ import {
     ACTION_UPDATE_SECRETS,
     ACTION_DELETE_SECRETS
 } from '../../variables';
-import { ValidationError } from '../../utils/errors';
+import { UnauthorizedRequestError, ValidationError } from '../../utils/errors';
 import { EventService } from '../../services';
 import { eventPushSecrets } from '../../events';
 import { EESecretService, EELogService } from '../../ee/services';
 import { postHogClient } from '../../services';
-import { BadRequestError } from '../../utils/errors';
+import { getChannelFromUserAgent } from '../../utils/posthog';
+import { ABILITY_READ, ABILITY_WRITE } from '../../variables/organization';
+import { userHasNoAbility, userHasWorkspaceAccess, userHasWriteOnlyAbility } from '../../ee/helpers/checkMembershipPermissions';
+import Tag from '../../models/tag';
+import _ from 'lodash';
 
 /**
  * Create secret(s) for workspace with id [workspaceId] and environment [environment]
@@ -23,20 +27,92 @@ import { BadRequestError } from '../../utils/errors';
  * @param res 
  */
 export const createSecrets = async (req: Request, res: Response) => {
-    const channel = req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli';
-    const { workspaceId, environment } = req.body;
+    /* 
+    #swagger.summary = 'Create new secret(s)'
+    #swagger.description = 'Create one or many secrets for a given project and environment.'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
 
-    let toAdd;
-    if (Array.isArray(req.body.secrets)) {
-        // case: create multiple secrets
-        toAdd = req.body.secrets;
-    } else if (typeof req.body.secrets === 'object') {
-        // case: create 1 secret
-        toAdd = [req.body.secrets];
+    #swagger.requestBody = {
+      "required": true,
+      "content": {
+        "application/json": {
+          "schema": {
+            "type": "object",
+            "properties": {
+                "workspaceId": {
+                    "type": "string",
+                    "description": "ID of project",
+                },
+                "environment": {
+                    "type": "string",
+                    "description": "Environment within project"
+                },
+                "secrets": {
+                    $ref: "#/components/schemas/CreateSecret",
+                    "description": "Secret(s) to create - object or array of objects"
+                }
+            }
+          }
+        }
+      }
     }
 
-    const newSecrets = await Secret.insertMany(
-        toAdd.map(({
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+                    "type": "object",
+                    "properties": {
+                        "secrets": {
+                            "type": "array",
+                            "items": {
+                                $ref: "#/components/schemas/Secret" 
+                            },
+                            "description": "Newly-created secrets for the given project and environment"
+                        }
+                    }
+                }
+            }           
+        }
+    }   
+    */
+
+    const channel = getChannelFromUserAgent(req.headers['user-agent'])
+    const { workspaceId, environment }: { workspaceId: string, environment: string } = req.body;
+
+    const hasAccess = await userHasWorkspaceAccess(req.user, workspaceId, environment, ABILITY_WRITE)
+    if (!hasAccess) {
+        throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
+    }
+
+    let listOfSecretsToCreate;
+    if (Array.isArray(req.body.secrets)) {
+        // case: create multiple secrets
+        listOfSecretsToCreate = req.body.secrets;
+    } else if (typeof req.body.secrets === 'object') {
+        // case: create 1 secret
+        listOfSecretsToCreate = [req.body.secrets];
+    }
+
+    type secretsToCreateType = {
+        type: string;
+        secretKeyCiphertext: string;
+        secretKeyIV: string;
+        secretKeyTag: string;
+        secretValueCiphertext: string;
+        secretValueIV: string;
+        secretValueTag: string;
+        secretCommentCiphertext: string;
+        secretCommentIV: string;
+        secretCommentTag: string;
+        tags: string[]
+    }
+
+    const newlyCreatedSecrets = await Secret.insertMany(
+        listOfSecretsToCreate.map(({
             type,
             secretKeyCiphertext,
             secretKeyIV,
@@ -44,27 +120,29 @@ export const createSecrets = async (req: Request, res: Response) => {
             secretValueCiphertext,
             secretValueIV,
             secretValueTag,
-        }: {
-            type: string;
-            secretKeyCiphertext: string;
-            secretKeyIV: string;
-            secretKeyTag: string;
-            secretValueCiphertext: string;
-            secretValueIV: string;
-            secretValueTag: string;
-        }) => ({
-            version: 1,
-            workspace: new Types.ObjectId(workspaceId),
-            type,
-            user: type === SECRET_PERSONAL ? req.user : undefined,
-            environment,
-            secretKeyCiphertext,
-            secretKeyIV,
-            secretKeyTag,
-            secretValueCiphertext,
-            secretValueIV,
-            secretValueTag
-        }))
+            secretCommentCiphertext,
+            secretCommentIV,
+            secretCommentTag,
+            tags
+        }: secretsToCreateType) => {
+            return ({
+                version: 1,
+                workspace: new Types.ObjectId(workspaceId),
+                type,
+                user: type === SECRET_PERSONAL ? req.user : undefined,
+                environment,
+                secretKeyCiphertext,
+                secretKeyIV,
+                secretKeyTag,
+                secretValueCiphertext,
+                secretValueIV,
+                secretValueTag,
+                secretCommentCiphertext,
+                secretCommentIV,
+                secretCommentTag,
+                tags
+            });
+        })
     );
 
     setTimeout(async () => {
@@ -78,7 +156,7 @@ export const createSecrets = async (req: Request, res: Response) => {
 
     // (EE) add secret versions for new secrets
     await EESecretService.addSecretVersions({
-        secretVersions: newSecrets.map(({
+        secretVersions: newlyCreatedSecrets.map(({
             _id,
             version,
             workspace,
@@ -92,7 +170,11 @@ export const createSecrets = async (req: Request, res: Response) => {
             secretValueCiphertext,
             secretValueIV,
             secretValueTag,
-            secretValueHash
+            secretValueHash,
+            secretCommentCiphertext,
+            secretCommentIV,
+            secretCommentTag,
+            tags
         }) => ({
             _id: new Types.ObjectId(),
             secret: _id,
@@ -109,21 +191,25 @@ export const createSecrets = async (req: Request, res: Response) => {
             secretValueCiphertext,
             secretValueIV,
             secretValueTag,
-            secretValueHash
+            secretValueHash,
+            secretCommentCiphertext,
+            secretCommentIV,
+            secretCommentTag,
+            tags
         }))
     });
 
-    const addAction = await EELogService.createActionSecret({
+    const addAction = await EELogService.createAction({
         name: ACTION_ADD_SECRETS,
-        userId: req.user._id.toString(),
-        workspaceId,
-        secretIds: newSecrets.map((n) => n._id)
+        userId: req.user._id,
+        workspaceId: new Types.ObjectId(workspaceId),
+        secretIds: newlyCreatedSecrets.map((n) => n._id)
     });
 
     // (EE) create (audit) log
     addAction && await EELogService.createLog({
         userId: req.user._id.toString(),
-        workspaceId,
+        workspaceId: new Types.ObjectId(workspaceId),
         actions: [addAction],
         channel,
         ipAddress: req.ip
@@ -139,17 +225,17 @@ export const createSecrets = async (req: Request, res: Response) => {
             event: 'secrets added',
             distinctId: req.user.email,
             properties: {
-                numberOfSecrets: toAdd.length,
+                numberOfSecrets: listOfSecretsToCreate.length,
                 environment,
                 workspaceId,
-                channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
+                channel: channel,
                 userAgent: req.headers?.['user-agent']
             }
         });
     }
 
     return res.status(200).send({
-        secrets: newSecrets
+        secrets: newlyCreatedSecrets
     });
 }
 
@@ -161,10 +247,51 @@ export const createSecrets = async (req: Request, res: Response) => {
  * @returns 
  */
 export const getSecrets = async (req: Request, res: Response) => {
-    const { workspaceId, environment } = req.query;
+    /* 
+    #swagger.summary = 'Read secrets'
+    #swagger.description = 'Read secrets from a project and environment'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
 
-    let userId: Types.ObjectId | undefined = undefined // used for getting personal secrets for user
-    let userEmail: Types.ObjectId | undefined = undefined // used for posthog 
+    #swagger.parameters['workspaceId'] = {
+        "description": "ID of project",
+        "required": true,
+        "type": "string"
+    }
+
+    #swagger.parameters['environment'] = {
+        "description": "Environment within project",
+        "required": true,
+        "type": "string"
+    }
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+                    "type": "object",
+                    "properties": {
+                        "secrets": {
+                            "type": "array",
+                            "items": {
+                                $ref: "#/components/schemas/Secret" 
+                            },
+                            "description": "Secrets for the given project and environment"
+                        }
+                    }
+                }
+            }           
+        }
+    }   
+    */
+
+
+    const { workspaceId, environment, tagSlugs } = req.query;
+    const tagNamesList = typeof tagSlugs === 'string' && tagSlugs !== '' ? tagSlugs.split(',') : [];
+    let userId = "" // used for getting personal secrets for user
+    let userEmail = "" // used for posthog 
     if (req.user) {
         userId = req.user._id;
         userEmail = req.user.email;
@@ -175,8 +302,38 @@ export const getSecrets = async (req: Request, res: Response) => {
         userEmail = req.serviceTokenData.user.email;
     }
 
-    const [err, secrets] = await to(Secret.find(
-        {
+    // none service token case as service tokens are already scoped to env and project
+    let hasWriteOnlyAccess
+    if (!req.serviceTokenData) {
+        hasWriteOnlyAccess = await userHasWriteOnlyAbility(userId, workspaceId, environment)
+        const hasNoAccess = await userHasNoAbility(userId, workspaceId, environment)
+        if (hasNoAccess) {
+            throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
+        }
+    }
+    let secrets: any
+    let secretQuery: any
+
+    if (tagNamesList != undefined && tagNamesList.length != 0) {
+        const workspaceFromDB = await Tag.find({ workspace: workspaceId })
+
+        const tagIds = _.map(tagNamesList, (tagName) => {
+            const tag = _.find(workspaceFromDB, { slug: tagName });
+            return tag ? tag.id : null;
+        });
+
+        secretQuery = {
+            workspace: workspaceId,
+            environment,
+            $or: [
+                { user: userId },
+                { user: { $exists: false } }
+            ],
+            tags: { $in: tagIds },
+            type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
+        }
+    } else {
+        secretQuery = {
             workspace: workspaceId,
             environment,
             $or: [
@@ -185,22 +342,26 @@ export const getSecrets = async (req: Request, res: Response) => {
             ],
             type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
         }
-    ).then())
+    }
 
-    if (err) throw ValidationError({ message: 'Failed to get secrets', stack: err.stack });
+    if (hasWriteOnlyAccess) {
+        secrets = await Secret.find(secretQuery).select("secretKeyCiphertext secretKeyIV secretKeyTag")
+    } else {
+        secrets = await Secret.find(secretQuery).populate("tags")
+    }
 
-    const channel = req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli';
+    const channel = getChannelFromUserAgent(req.headers['user-agent'])
 
-    const readAction = await EELogService.createActionSecret({
+    const readAction = await EELogService.createAction({
         name: ACTION_READ_SECRETS,
-        userId: req.user._id.toString(),
-        workspaceId: workspaceId as string,
+        userId: new Types.ObjectId(userId),
+        workspaceId: new Types.ObjectId(workspaceId as string),
         secretIds: secrets.map((n: any) => n._id)
     });
 
     readAction && await EELogService.createLog({
-        userId: req.user._id.toString(),
-        workspaceId: workspaceId as string,
+        userId: new Types.ObjectId(userId),
+        workspaceId: new Types.ObjectId(workspaceId as string),
         actions: [readAction],
         channel,
         ipAddress: req.ip
@@ -225,12 +386,109 @@ export const getSecrets = async (req: Request, res: Response) => {
     });
 }
 
+
+export const getOnlySecretKeys = async (req: Request, res: Response) => {
+    const { workspaceId, environment } = req.query;
+
+    let userId = "" // used for getting personal secrets for user
+    let userEmail = "" // used for posthog 
+    if (req.user) {
+        userId = req.user._id;
+        userEmail = req.user.email;
+    }
+
+    if (req.serviceTokenData) {
+        userId = req.serviceTokenData.user._id
+        userEmail = req.serviceTokenData.user.email;
+    }
+
+    // none service token case as service tokens are already scoped
+    if (!req.serviceTokenData) {
+        const hasAccess = await userHasWorkspaceAccess(userId, workspaceId, environment, ABILITY_READ)
+        if (!hasAccess) {
+            throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
+        }
+    }
+
+    const [err, secretKeys] = await to(Secret.find(
+        {
+            workspace: workspaceId,
+            environment,
+            $or: [
+                { user: userId },
+                { user: { $exists: false } }
+            ],
+            type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
+        }
+    )
+        .select("secretKeyIV secretKeyTag secretKeyCiphertext")
+        .then())
+
+    if (err) throw ValidationError({ message: 'Failed to get secrets', stack: err.stack });
+
+    // readAction && await EELogService.createLog({
+    //     userId: new Types.ObjectId(userId),
+    //     workspaceId: new Types.ObjectId(workspaceId as string),
+    //     actions: [readAction],
+    //     channel,
+    //     ipAddress: req.ip
+    // });
+
+    return res.status(200).send({
+        secretKeys
+    });
+}
+
 /**
  * Update secret(s)
  * @param req 
  * @param res 
  */
 export const updateSecrets = async (req: Request, res: Response) => {
+    /* 
+    #swagger.summary = 'Update secret(s)'
+    #swagger.description = 'Update secret(s)'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+    #swagger.requestBody = {
+      "required": true,
+      "content": {
+        "application/json": {
+          "schema": {
+            "type": "object",
+            "properties": {
+                "secrets": {
+                    $ref: "#/components/schemas/UpdateSecret",
+                    "description": "Secret(s) to update - object or array of objects"
+                }
+            }
+          }
+        }
+      }
+    }
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+                    "type": "object",
+                    "properties": {
+                        "secrets": {
+                            "type": "array",
+                            "items": {
+                                $ref: "#/components/schemas/Secret" 
+                            },
+                            "description": "Updated secrets"
+                        }
+                    }
+                }
+            }           
+        }
+    }
+    */
     const channel = req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli';
 
     // TODO: move type
@@ -245,6 +503,7 @@ export const updateSecrets = async (req: Request, res: Response) => {
         secretCommentCiphertext: string;
         secretCommentIV: string;
         secretCommentTag: string;
+        tags: string[]
     }
 
     const updateOperationsToPerform = req.body.secrets.map((secret: PatchSecret) => {
@@ -257,7 +516,8 @@ export const updateSecrets = async (req: Request, res: Response) => {
             secretValueTag,
             secretCommentCiphertext,
             secretCommentIV,
-            secretCommentTag
+            secretCommentTag,
+            tags
         } = secret;
 
         return ({
@@ -273,8 +533,9 @@ export const updateSecrets = async (req: Request, res: Response) => {
                     secretValueCiphertext,
                     secretValueIV,
                     secretValueTag,
+                    tags,
                     ...((
-                        secretCommentCiphertext &&
+                        secretCommentCiphertext !== undefined &&
                         secretCommentIV &&
                         secretCommentTag
                     ) ? {
@@ -307,6 +568,7 @@ export const updateSecrets = async (req: Request, res: Response) => {
                 secretCommentCiphertext,
                 secretCommentIV,
                 secretCommentTag,
+                tags
             } = secretModificationsBySecretId[secret._id.toString()]
 
             return ({
@@ -324,6 +586,7 @@ export const updateSecrets = async (req: Request, res: Response) => {
                 secretCommentCiphertext: secretCommentCiphertext ? secretCommentCiphertext : secret.secretCommentCiphertext,
                 secretCommentIV: secretCommentIV ? secretCommentIV : secret.secretCommentIV,
                 secretCommentTag: secretCommentTag ? secretCommentTag : secret.secretCommentTag,
+                tags: tags ? tags : secret.tags
             });
         })
     }
@@ -352,17 +615,17 @@ export const updateSecrets = async (req: Request, res: Response) => {
             });
         }, 10000);
 
-        const updateAction = await EELogService.createActionSecret({
+        const updateAction = await EELogService.createAction({
             name: ACTION_UPDATE_SECRETS,
-            userId: req.user._id.toString(),
-            workspaceId: key,
+            userId: req.user._id,
+            workspaceId: new Types.ObjectId(key),
             secretIds: workspaceSecretObj[key].map((secret: ISecret) => secret._id)
         });
 
         // (EE) create (audit) log
         updateAction && await EELogService.createLog({
             userId: req.user._id.toString(),
-            workspaceId: key,
+            workspaceId: new Types.ObjectId(key),
             actions: [updateAction],
             channel,
             ipAddress: req.ip
@@ -381,7 +644,7 @@ export const updateSecrets = async (req: Request, res: Response) => {
                     numberOfSecrets: workspaceSecretObj[key].length,
                     environment: workspaceSecretObj[key][0].environment,
                     workspaceId: key,
-                    channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
+                    channel: channel,
                     userAgent: req.headers?.['user-agent']
                 }
             });
@@ -403,7 +666,51 @@ export const updateSecrets = async (req: Request, res: Response) => {
  * @param res 
  */
 export const deleteSecrets = async (req: Request, res: Response) => {
-    const channel = req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli';
+    /* 
+    #swagger.summary = 'Delete secret(s)'
+    #swagger.description = 'Delete one or many secrets by their ID(s)'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+    #swagger.requestBody = {
+      "required": true,
+      "content": {
+        "application/json": {
+          "schema": {
+            "type": "object",
+            "properties": {
+                "secretIds": {
+                    "type": "string",
+                    "description": "ID(s) of secrets - string or array of strings"
+                },
+            }
+          }
+        }
+      }
+    }
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+                    "type": "object",
+                    "properties": {
+                        "secrets": {
+                            "type": "array",
+                            "items": {
+                                $ref: "#/components/schemas/Secret" 
+                            },
+                            "description": "Deleted secrets"
+                        }
+                    }
+                }
+            }           
+        }
+    }   
+    */
+    const channel = getChannelFromUserAgent(req.headers['user-agent'])
     const toDelete = req.secrets.map((s: any) => s._id);
 
     await Secret.deleteMany({
@@ -434,17 +741,17 @@ export const deleteSecrets = async (req: Request, res: Response) => {
                 workspaceId: key
             })
         });
-        const deleteAction = await EELogService.createActionSecret({
+        const deleteAction = await EELogService.createAction({
             name: ACTION_DELETE_SECRETS,
-            userId: req.user._id.toString(),
-            workspaceId: key,
+            userId: req.user._id,
+            workspaceId: new Types.ObjectId(key),
             secretIds: workspaceSecretObj[key].map((secret: ISecret) => secret._id)
         });
 
         // (EE) create (audit) log
         deleteAction && await EELogService.createLog({
             userId: req.user._id.toString(),
-            workspaceId: key,
+            workspaceId: new Types.ObjectId(key),
             actions: [deleteAction],
             channel,
             ipAddress: req.ip
@@ -463,7 +770,7 @@ export const deleteSecrets = async (req: Request, res: Response) => {
                     numberOfSecrets: workspaceSecretObj[key].length,
                     environment: workspaceSecretObj[key][0].environment,
                     workspaceId: key,
-                    channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
+                    channel: channel,
                     userAgent: req.headers?.['user-agent']
                 }
             });

backend/src/controllers/v2/serviceTokenDataController.ts

@@ -8,6 +8,8 @@ import {
 import {
     SALT_ROUNDS
 } from '../../config';
+import { userHasWorkspaceAccess } from '../../ee/helpers/checkMembershipPermissions';
+import { ABILITY_READ } from '../../variables/organization';
 
 /**
  * Return service token data associated with service token on request
@@ -37,6 +39,11 @@ export const createServiceTokenData = async (req: Request, res: Response) => {
             expiresIn
         } = req.body;
 
+        const hasAccess = await userHasWorkspaceAccess(req.user, workspaceId, environment, ABILITY_READ)
+        if (!hasAccess) {
+            throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
+        }
+
         const secret = crypto.randomBytes(16).toString('hex');
         const secretHash = await bcrypt.hash(secret, SALT_ROUNDS);
 
@@ -100,4 +107,8 @@ export const deleteServiceTokenData = async (req: Request, res: Response) => {
     return res.status(200).send({
         serviceTokenData
     });
-}
+}
+
+function UnauthorizedRequestError(arg0: { message: string; }) {
+    throw new Error('Function not implemented.');
+}

backend/src/controllers/v2/tagController.ts

@@ -0,0 +1,72 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
+import {
+	Membership, Secret,
+} from '../../models';
+import Tag, { ITag } from '../../models/tag';
+import { Builder } from "builder-pattern"
+import to from 'await-to-js';
+import { BadRequestError, UnauthorizedRequestError } from '../../utils/errors';
+import { MongoError } from 'mongodb';
+import { userHasWorkspaceAccess } from '../../ee/helpers/checkMembershipPermissions';
+
+export const createWorkspaceTag = async (req: Request, res: Response) => {
+	const { workspaceId } = req.params
+	const { name, slug } = req.body
+	const sanitizedTagToCreate = Builder<ITag>()
+		.name(name)
+		.workspace(new Types.ObjectId(workspaceId))
+		.slug(slug)
+		.user(new Types.ObjectId(req.user._id))
+		.build();
+
+	const [err, createdTag] = await to(Tag.create(sanitizedTagToCreate))
+
+	if (err) {
+		if ((err as MongoError).code === 11000) {
+			throw BadRequestError({ message: "Tags must be unique in a workspace" })
+		}
+
+		throw err
+	}
+
+	res.json(createdTag)
+}
+
+export const deleteWorkspaceTag = async (req: Request, res: Response) => {
+	const { tagId } = req.params
+
+	const tagFromDB = await Tag.findById(tagId)
+	if (!tagFromDB) {
+		throw BadRequestError()
+	}
+
+	// can only delete if the request user is one that belongs to the same workspace as the tag
+	const membership = await Membership.findOne({
+		user: req.user,
+		workspace: tagFromDB.workspace
+	});
+
+	if (!membership) {
+		UnauthorizedRequestError({ message: 'Failed to validate membership' });
+	}
+
+	const result = await Tag.findByIdAndDelete(tagId);
+
+	// remove the tag from secrets
+	await Secret.updateMany(
+		{ tags: { $in: [tagId] } },
+		{ $pull: { tags: tagId } }
+	);
+
+	res.json(result);
+}
+
+export const getWorkspaceTags = async (req: Request, res: Response) => {
+	const { workspaceId } = req.params
+	const workspaceTags = await Tag.find({ workspace: workspaceId })
+	return res.json({
+		workspaceTags
+	})
+}

backend/src/controllers/v2/usersController.ts

@@ -0,0 +1,109 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import {
+    User,
+    MembershipOrg
+} from '../../models';
+
+/**
+ * Return the current user.
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getMe = async (req: Request, res: Response) => {
+    /* 
+    #swagger.summary = "Retrieve the current user on the request"
+    #swagger.description = "Retrieve the current user on the request"
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+                    "type": "object",
+                    "properties": {
+                        "user": {
+                            "type": "object",
+                            $ref: "#/components/schemas/CurrentUser",
+                            "description": "Current user on request"
+                        }
+                    }
+                }
+            }           
+        }
+    }   
+    */
+    let user;
+    try {
+        user = await User
+            .findById(req.user._id)
+            .select('+publicKey +encryptedPrivateKey +iv +tag');
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get current user'
+		});
+    }
+    
+    return res.status(200).send({
+        user
+    });
+}
+
+/**
+ * Return organizations that the current user is part of.
+ * @param req 
+ * @param res 
+ */
+export const getMyOrganizations = async (req: Request, res: Response) => {
+    /* 
+    #swagger.summary = 'Return organizations that current user is part of'
+    #swagger.description = 'Return organizations that current user is part of'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+                    "type": "object",
+					"properties": {
+						"organizations": {
+							"type": "array",
+							"items": {
+								$ref: "#/components/schemas/Organization" 
+							},
+							"description": "Organizations that user is part of"
+						}
+					}
+                }
+            }           
+        }
+    }   
+    */
+	let organizations;
+	try {
+		organizations = (
+			await MembershipOrg.find({
+				user: req.user._id
+			}).populate('organization')
+		).map((m) => m.organization);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: "Failed to get current user's organizations"
+		});
+	}
+
+	return res.status(200).send({
+		organizations
+	});
+}

backend/src/controllers/v2/workspaceController.ts

@@ -1,7 +1,9 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
 import {
 	Workspace,
+	Secret,
 	Membership,
 	MembershipOrg,
 	Integration,
@@ -174,6 +176,34 @@ export const pullSecrets = async (req: Request, res: Response) => {
 };
 
 export const getWorkspaceKey = async (req: Request, res: Response) => {
+	/* 
+    #swagger.summary = 'Return encrypted project key'
+    #swagger.description = 'Return encrypted project key'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+	#swagger.parameters['workspaceId'] = {
+		"description": "ID of project",
+		"required": true,
+		"type": "string"
+	} 
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+                    "type": "array",
+                    "items": {
+                        $ref: "#/components/schemas/ProjectKey" 
+                    },
+                    "description": "Encrypted project key for the given project"
+                }
+            }           
+        }
+    }   
+    */
 	let key;
 	try {
 		const { workspaceId } = req.params;
@@ -219,4 +249,260 @@ export const getWorkspaceServiceTokenData = async (
 	return res.status(200).send({
 		serviceTokenData
 	});
-}
+}
+
+/**
+ * Return memberships for workspace with id [workspaceId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getWorkspaceMemberships = async (req: Request, res: Response) => {
+	/* 
+    #swagger.summary = 'Return project memberships'
+    #swagger.description = 'Return project memberships'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+	#swagger.parameters['workspaceId'] = {
+		"description": "ID of project",
+		"required": true,
+		"type": "string"
+	} 
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+                    "type": "object",
+					"properties": {
+						"memberships": {
+							"type": "array",
+							"items": {
+								$ref: "#/components/schemas/Membership" 
+							},
+							"description": "Memberships of project"
+						}
+					}
+                }
+            }           
+        }
+    }   
+    */
+	let memberships;
+	try {
+		const { workspaceId } = req.params;
+
+		memberships = await Membership.find({
+			workspace: workspaceId
+		}).populate('user', '+publicKey');
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace memberships'
+		});
+	}
+
+	return res.status(200).send({
+		memberships
+	});
+}
+
+/**
+ * Update role of membership with id [membershipId] to role [role]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const updateWorkspaceMembership = async (req: Request, res: Response) => {
+	/* 
+    #swagger.summary = 'Update project membership'
+    #swagger.description = 'Update project membership'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+	#swagger.parameters['workspaceId'] = {
+		"description": "ID of project",
+		"required": true,
+		"type": "string"
+	} 
+
+	#swagger.parameters['membershipId'] = {
+		"description": "ID of project membership to update",
+		"required": true,
+		"type": "string"
+	} 
+
+	#swagger.requestBody = {
+      "required": true,
+      "content": {
+        "application/json": {
+          "schema": {
+            "type": "object",
+            "properties": {
+                "role": {
+                    "type": "string",
+                    "description": "Role of membership - either admin or member",
+                }
+            }
+          }
+        }
+      }
+    }
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+					"type": "object",
+					"properties": {
+						"membership": {
+							$ref: "#/components/schemas/Membership",
+							"description": "Updated membership"
+						}
+					}
+                }
+            }           
+        }
+    }   
+    */
+	let membership;
+	try {
+		const {
+			membershipId
+		} = req.params;
+		const { role } = req.body;
+		
+		membership = await Membership.findByIdAndUpdate(
+			membershipId,
+			{
+				role
+			}, {
+				new: true
+			}
+		);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to update workspace membership'
+		});
+	}
+	
+	return res.status(200).send({
+		membership
+	}); 
+}
+
+/**
+ * Delete workspace membership with id [membershipId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const deleteWorkspaceMembership = async (req: Request, res: Response) => {
+	/* 
+    #swagger.summary = 'Delete project membership'
+    #swagger.description = 'Delete project membership'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+	#swagger.parameters['workspaceId'] = {
+		"description": "ID of project",
+		"required": true,
+		"type": "string"
+	} 
+
+	#swagger.parameters['membershipId'] = {
+		"description": "ID of project membership to delete",
+		"required": true,
+		"type": "string"
+	} 
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+					"type": "object",
+					"properties": {
+						"membership": {
+							$ref: "#/components/schemas/Membership",
+							"description": "Deleted membership"
+						}
+					}
+                }
+            }           
+        }
+    }   
+    */
+	let membership;
+	try {
+		const { 
+			membershipId
+		} = req.params;
+		
+		membership = await Membership.findByIdAndDelete(membershipId);
+		
+		if (!membership) throw new Error('Failed to delete workspace membership');
+		
+		await Key.deleteMany({
+			receiver: membership.user,
+			workspace: membership.workspace
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to delete workspace membership'
+		});	
+	}
+	
+	return res.status(200).send({
+		membership
+	});
+}
+
+/**
+ * Change autoCapitilzation Rule of workspace
+ * @param req
+ * @param res
+ * @returns
+ */
+export const toggleAutoCapitalization = async (req: Request, res: Response) => {
+	let workspace;
+	try {
+		const { workspaceId } = req.params;
+		const { autoCapitalization } = req.body;
+
+		workspace = await Workspace.findOneAndUpdate(
+			{
+				_id: workspaceId
+			},
+			{
+				autoCapitalization
+			},
+			{
+				new: true
+			}
+		);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to change autoCapitalization setting'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Successfully changed autoCapitalization setting',
+		workspace
+	});
+};
+

backend/src/ee/controllers/v1/index.ts

@@ -3,11 +3,13 @@ import * as secretController from './secretController';
 import * as secretSnapshotController from './secretSnapshotController';
 import * as workspaceController from './workspaceController';
 import * as actionController from './actionController';
+import * as membershipController from './membershipController';
 
 export {
     stripeController,
     secretController,
     secretSnapshotController,
     workspaceController,
-    actionController
+    actionController,
+    membershipController
 }

backend/src/ee/controllers/v1/membershipController.ts

@@ -0,0 +1,63 @@
+import { Request, Response } from "express";
+import { Membership, Workspace } from "../../../models";
+import { IMembershipPermission } from "../../../models/membership";
+import { BadRequestError, UnauthorizedRequestError } from "../../../utils/errors";
+import { ABILITY_READ, ABILITY_WRITE, ADMIN, MEMBER } from "../../../variables/organization";
+import { Builder } from "builder-pattern"
+import _ from "lodash";
+
+export const denyMembershipPermissions = async (req: Request, res: Response) => {
+  const { membershipId } = req.params;
+  const { permissions } = req.body;
+  const sanitizedMembershipPermissions: IMembershipPermission[] = permissions.map((permission: IMembershipPermission) => {
+    if (!permission.ability || !permission.environmentSlug || ![ABILITY_READ, ABILITY_WRITE].includes(permission.ability)) {
+      throw BadRequestError({ message: "One or more required fields are missing from the request or have incorrect type" })
+    }
+
+    return Builder<IMembershipPermission>()
+      .environmentSlug(permission.environmentSlug)
+      .ability(permission.ability)
+      .build();
+  })
+
+  const sanitizedMembershipPermissionsUnique = _.uniqWith(sanitizedMembershipPermissions, _.isEqual)
+
+  const membershipToModify = await Membership.findById(membershipId)
+  if (!membershipToModify) {
+    throw BadRequestError({ message: "Unable to locate resource" })
+  }
+
+  // check if the user making the request is a admin of this project 
+  if (![ADMIN, MEMBER].includes(membershipToModify.role)) {
+    throw UnauthorizedRequestError()
+  }
+
+  // check if the requested slugs are indeed a part of this related workspace 
+  const relatedWorkspace = await Workspace.findById(membershipToModify.workspace)
+  if (!relatedWorkspace) {
+    throw BadRequestError({ message: "Something went wrong when locating the related workspace" })
+  }
+
+  const uniqueEnvironmentSlugs = new Set(_.uniq(_.map(relatedWorkspace.environments, 'slug')));
+
+  sanitizedMembershipPermissionsUnique.forEach(permission => {
+    if (!uniqueEnvironmentSlugs.has(permission.environmentSlug)) {
+      throw BadRequestError({ message: "Unknown environment slug reference" })
+    }
+  })
+
+  // update the permissions 
+  const updatedMembershipWithPermissions = await Membership.findByIdAndUpdate(
+    { _id: membershipToModify._id },
+    { $set: { deniedPermissions: sanitizedMembershipPermissionsUnique } },
+    { new: true }
+  )
+
+  if (!updatedMembershipWithPermissions) {
+    throw BadRequestError({ message: "The resource has been removed before it can be modified" })
+  }
+
+  res.send({
+    permissionsDenied: updatedMembershipWithPermissions.deniedPermissions
+  })
+}

backend/src/ee/controllers/v1/secretController.ts

@@ -10,6 +10,51 @@ import { EESecretService } from '../../services';
  * @param res 
  */
  export const getSecretVersions = async (req: Request, res: Response) => {
+	/* 
+    #swagger.summary = 'Return secret versions'
+    #swagger.description = 'Return secret versions'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+	#swagger.parameters['secretId'] = {
+		"description": "ID of secret",
+		"required": true,
+		"type": "string"
+	} 
+
+	#swagger.parameters['offset'] = {
+		"description": "Number of versions to skip",
+		"required": false,
+		"type": "string"
+	}
+
+	#swagger.parameters['limit'] = {
+		"description": "Maximum number of versions to return",
+		"required": false,
+		"type": "string"
+	}
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                schema: { 
+                    "type": "object",
+					"properties": {
+						"secretVersions": {
+							"type": "array",
+							"items": {
+								$ref: "#/components/schemas/SecretVersion" 
+							},
+							"description": "Secret versions"
+						}
+					}
+                }
+            }           
+        }
+    }   
+    */
 	let secretVersions;
 	try {
 		const { secretId } = req.params;
@@ -44,6 +89,54 @@ import { EESecretService } from '../../services';
  * @returns 
  */
 export const rollbackSecretVersion = async (req: Request, res: Response) => {
+	/* 
+    #swagger.summary = 'Roll back secret to a version.'
+    #swagger.description = 'Roll back secret to a version.'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+	#swagger.parameters['secretId'] = {
+		"description": "ID of secret",
+		"required": true,
+		"type": "string"
+	} 
+
+	#swagger.requestBody = {
+      "required": true,
+      "content": {
+        "application/json": {
+          "schema": {
+            "type": "object",
+            "properties": {
+                "version": {
+                    "type": "integer",
+                    "description": "Version of secret to roll back to"
+                }
+            }
+          }
+        }
+      }
+    }
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                schema: { 
+                    "type": "object",
+					"properties": {
+						"secret": {
+							"type": "object",
+							$ref: "#/components/schemas/Secret",
+							"description": "Secret rolled back to"
+						}
+					}
+                }
+            }           
+        }
+    }   
+    */
 	let secret;
 	try {
 		const { secretId } = req.params;

backend/src/ee/controllers/v1/secretSnapshotController.ts

@@ -15,7 +15,13 @@ export const getSecretSnapshot = async (req: Request, res: Response) => {
 
         secretSnapshot = await SecretSnapshot
             .findById(secretSnapshotId)
-            .populate('secretVersions');
+            .populate({
+                path: 'secretVersions',
+                populate: {
+                    path: 'tags',
+                    model: 'Tag',
+                }
+            });
         
         if (!secretSnapshot) throw new Error('Failed to find secret snapshot');
         

backend/src/ee/controllers/v1/workspaceController.ts

@@ -19,6 +19,51 @@ import { getLatestSecretVersionIds } from '../../helpers/secretVersion';
  * @param res 
  */
  export const getWorkspaceSecretSnapshots = async (req: Request, res: Response) => {
+	/* 
+    #swagger.summary = 'Return project secret snapshot ids'
+    #swagger.description = 'Return project secret snapshots ids'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+	#swagger.parameters['workspaceId'] = {
+		"description": "ID of project",
+		"required": true,
+		"type": "string"
+	} 
+
+	#swagger.parameters['offset'] = {
+		"description": "Number of secret snapshots to skip",
+		"required": false,
+		"type": "string"
+	}
+
+	#swagger.parameters['limit'] = {
+		"description": "Maximum number of secret snapshots to return",
+		"required": false,
+		"type": "string"
+	}
+
+	#swagger.responses[200] = {
+        content: {
+            "application/json": {
+                schema: { 
+					"type": "object",
+					"properties": {
+						"secretSnapshots": {
+							"type": "array",
+							"items": {
+								$ref: "#/components/schemas/SecretSnapshot" 
+							},
+							"description": "Project secret snapshots"
+						}
+					}
+                }
+            }           
+        }
+    }
+    */
 	let secretSnapshots;
 	try {
 		const { workspaceId } = req.params;
@@ -78,16 +123,66 @@ export const getWorkspaceSecretSnapshotsCount = async (req: Request, res: Respon
  * @returns 
  */
 export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Response) => {
+	/* 
+    #swagger.summary = 'Roll back project secrets to those captured in a secret snapshot version.'
+    #swagger.description = 'Roll back project secrets to those captured in a secret snapshot version.'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+	#swagger.parameters['workspaceId'] = {
+		"description": "ID of project",
+		"required": true,
+		"type": "string"
+	} 
+
+	#swagger.requestBody = {
+      "required": true,
+      "content": {
+        "application/json": {
+          "schema": {
+            "type": "object",
+            "properties": {
+                "version": {
+                    "type": "integer",
+                    "description": "Version of secret snapshot to roll back to",
+                }
+            }
+          }
+        }
+      }
+    }
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                schema: { 
+                    "type": "object",
+					"properties": {
+						"secrets": {
+							"type": "array",
+							"items": {
+								$ref: "#/components/schemas/Secret" 
+							},
+							"description": "Secrets rolled back to"
+						}
+					}
+                }
+            }           
+        }
+    }   
+    */
 	let secrets;
     try {	
         const { workspaceId } = req.params;
         const { version } = req.body;
         
 		// validate secret snapshot
-        const secretSnapshot = await SecretSnapshot.findOne({
-        	workspace: workspaceId,
-            version
-        }).populate<{ secretVersions: ISecretVersion[]}>('secretVersions');
+		const secretSnapshot = await SecretSnapshot.findOne({
+			workspace: workspaceId,
+			version
+		}).populate<{ secretVersions: ISecretVersion[]}>('secretVersions');
         
         if (!secretSnapshot) throw new Error('Failed to find secret snapshot');
 
@@ -231,6 +326,72 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
  * @returns 
  */
 export const getWorkspaceLogs = async (req: Request, res: Response) => {
+	/* 
+    #swagger.summary = 'Return project (audit) logs'
+    #swagger.description = 'Return project (audit) logs'
+    
+    #swagger.security = [{
+        "apiKeyAuth": []
+    }]
+
+	#swagger.parameters['workspaceId'] = {
+		"description": "ID of project",
+		"required": true,
+		"type": "string"
+	} 
+
+	#swagger.parameters['userId'] = {
+		"description": "ID of project member",
+		"required": false,
+		"type": "string"
+	} 
+
+	#swagger.parameters['offset'] = {
+		"description": "Number of logs to skip",
+		"required": false,
+		"type": "string"
+	}
+
+	#swagger.parameters['limit'] = {
+		"description": "Maximum number of logs to return",
+		"required": false,
+		"type": "string"
+	}
+
+	#swagger.parameters['sortBy'] = {
+		"description": "Order to sort the logs by",
+		"schema": {
+			"type": "string",
+			"@enum": ["oldest", "recent"]
+		},
+		"required": false
+	}
+
+	#swagger.parameters['actionNames'] = {
+		"description": "Names of log actions (comma-separated)",
+		"required": false,
+		"type": "string"
+	}
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                schema: { 
+					"type": "object",
+					"properties": {
+						"logs": {
+							"type": "array",
+							"items": {
+								$ref: "#/components/schemas/Log" 
+							},
+							"description": "Project logs"
+						}
+					}
+                }
+            }           
+        }
+    }   
+    */
 	let logs
 	try {
 		const { workspaceId } = req.params;

backend/src/ee/helpers/action.ts

@@ -1,39 +1,40 @@
 import * as Sentry from '@sentry/node';
 import { Types } from 'mongoose';
-import { SecretVersion, Action } from '../models';
+import { Action } from '../models';
 import { 
     getLatestSecretVersionIds,
     getLatestNSecretSecretVersionIds
 } from '../helpers/secretVersion';
-import { ACTION_UPDATE_SECRETS } from '../../variables';
+import { 
+    ACTION_LOGIN,
+    ACTION_LOGOUT,
+    ACTION_ADD_SECRETS,
+    ACTION_READ_SECRETS,
+    ACTION_DELETE_SECRETS,
+    ACTION_UPDATE_SECRETS,
+} from '../../variables';
 
 /**
- * Create an (audit) action for secrets including
- * add, delete, update, and read actions.
+ * Create an (audit) action for updating secrets
  * @param {Object} obj
  * @param {String} obj.name - name of action
- * @param {ObjectId[]} obj.secretIds - ids of relevant secrets
+ * @param {Types.ObjectId} obj.secretIds - ids of relevant secrets
  * @returns {Action} action - new action
  */
-const createActionSecretHelper = async ({
+const createActionUpdateSecret = async ({
     name,
     userId,
     workspaceId,
     secretIds
 }: {
     name: string;
-    userId: string;
-    workspaceId: string;
+    userId: Types.ObjectId;
+    workspaceId: Types.ObjectId;
     secretIds: Types.ObjectId[];
 }) => {
-
     let action;
-    let latestSecretVersions;
     try {
-        if (name === ACTION_UPDATE_SECRETS) {
-            // case: action is updating secrets
-            // -> add old and new secret versions
-            latestSecretVersions = (await getLatestNSecretSecretVersionIds({
+        const latestSecretVersions = (await getLatestNSecretSecretVersionIds({
                 secretIds,
                 n: 2
             }))
@@ -41,17 +42,7 @@ const createActionSecretHelper = async ({
                 oldSecretVersion: s.versions[0]._id,
                 newSecretVersion: s.versions[1]._id
             }));
-        } else {
-            // case: action is adding, deleting, or reading secrets
-            // -> add new secret versions
-            latestSecretVersions = (await getLatestSecretVersionIds({
-                secretIds
-            }))
-            .map((s) => ({
-                newSecretVersion: s.versionId
-            }));
-        }
-
+        
         action = await new Action({
             name,
             user: userId,
@@ -64,10 +55,148 @@ const createActionSecretHelper = async ({
     } catch (err) {
 		Sentry.setUser(null);
 		Sentry.captureException(err);
+        throw new Error('Failed to create update secret action');
+    }
+    
+    return action;
+}
+
+/**
+ * Create an (audit) action for creating, reading, and deleting
+ * secrets
+ * @param {Object} obj
+ * @param {String} obj.name - name of action
+ * @param {Types.ObjectId} obj.secretIds - ids of relevant secrets
+ * @returns {Action} action - new action
+ */
+const createActionSecret = async ({
+    name,
+    userId,
+    workspaceId,
+    secretIds
+}: {
+    name: string;
+    userId: Types.ObjectId;
+    workspaceId: Types.ObjectId;
+    secretIds: Types.ObjectId[];
+}) => {
+    let action;
+    try {
+        // case: action is adding, deleting, or reading secrets
+        // -> add new secret versions
+        const latestSecretVersions = (await getLatestSecretVersionIds({
+            secretIds
+        }))
+        .map((s) => ({
+            newSecretVersion: s.versionId
+        }));
+        
+       action = await new Action({
+            name,
+            user: userId,
+            workspace: workspaceId,
+            payload: {
+                secretVersions: latestSecretVersions
+            }
+        }).save(); 
+
+    } catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+        throw new Error('Failed to create action create/read/delete secret action');
+    }
+    
+    return action;
+}
+
+/**
+ * Create an (audit) action for user with id [userId]
+ * @param {Object} obj 
+ * @param {String} obj.name - name of action
+ * @param {String} obj.userId - id of user associated with action
+ * @returns 
+ */
+const createActionUser = ({
+    name,
+    userId
+}: {
+    name: string;
+    userId: Types.ObjectId;
+}) => {
+    let action;
+    try {
+        action = new Action({
+            name,
+            user: userId
+        }).save();
+    } catch (err) {
+        Sentry.setUser(null);
+        Sentry.captureException(err);
+        throw new Error('Failed to create user action');
+    }
+
+    return action; 
+}
+
+/**
+ * Create an (audit) action. 
+ * @param {Object} obj
+ * @param {Object} obj.name - name of action
+ * @param {Types.ObjectId} obj.userId - id of user associated with action
+ * @param {Types.ObjectId} obj.workspaceId - id of workspace associated with action
+ * @param {Types.ObjectId[]} obj.secretIds - ids of secrets associated with action
+*/
+const createActionHelper = async ({
+    name,
+    userId,
+    workspaceId,
+    secretIds,
+}: {
+    name: string;
+    userId: Types.ObjectId;
+    workspaceId?: Types.ObjectId;
+    secretIds?: Types.ObjectId[];
+}) => {
+    let action;
+    try {
+        switch (name) {
+            case ACTION_LOGIN:
+            case ACTION_LOGOUT:
+                action = await createActionUser({
+                    name,
+                    userId
+                });
+                break;
+            case ACTION_ADD_SECRETS:
+            case ACTION_READ_SECRETS:
+            case ACTION_DELETE_SECRETS:
+                if (!workspaceId || !secretIds) throw new Error('Missing required params workspace id or secret ids to create action secret');
+                action = await createActionSecret({
+                    name,
+                    userId,
+                    workspaceId,
+                    secretIds
+                });
+                break;
+            case ACTION_UPDATE_SECRETS:
+                if (!workspaceId || !secretIds) throw new Error('Missing required params workspace id or secret ids to create action secret');
+                action = await createActionUpdateSecret({
+                    name,
+                    userId,
+                    workspaceId,
+                    secretIds
+                });
+                break;
+        }
+    } catch (err) {
+        Sentry.setUser(null);
+		Sentry.captureException(err);
         throw new Error('Failed to create action');
     }
     
     return action;
 }
 
-export { createActionSecretHelper };
+export { 
+    createActionHelper
+};

backend/src/ee/helpers/checkMembershipPermissions.ts

@@ -0,0 +1,54 @@
+import _ from "lodash";
+import { Membership } from "../../models";
+import { ABILITY_READ, ABILITY_WRITE } from "../../variables/organization";
+
+export const userHasWorkspaceAccess = async (userId: any, workspaceId: any, environment: any, action: any) => {
+  const membershipForWorkspace = await Membership.findOne({ workspace: workspaceId, user: userId })
+  if (!membershipForWorkspace) {
+    return false
+  }
+
+  const deniedMembershipPermissions = membershipForWorkspace.deniedPermissions;
+  const isDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: action });
+
+  if (isDisallowed) {
+    return false
+  }
+
+  return true
+}
+
+export const userHasWriteOnlyAbility = async (userId: any, workspaceId: any, environment: any) => {
+  const membershipForWorkspace = await Membership.findOne({ workspace: workspaceId, user: userId })
+  if (!membershipForWorkspace) {
+    return false
+  }
+
+  const deniedMembershipPermissions = membershipForWorkspace.deniedPermissions;
+  const isWriteDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: ABILITY_WRITE });
+  const isReadDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: ABILITY_READ });
+
+  // case: you have write only if read is blocked and write is not
+  if (isReadDisallowed && !isWriteDisallowed) {
+    return true
+  }
+
+  return false
+}
+
+export const userHasNoAbility = async (userId: any, workspaceId: any, environment: any) => {
+  const membershipForWorkspace = await Membership.findOne({ workspace: workspaceId, user: userId })
+  if (!membershipForWorkspace) {
+    return true
+  }
+
+  const deniedMembershipPermissions = membershipForWorkspace.deniedPermissions;
+  const isWriteDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: ABILITY_WRITE });
+  const isReadBlocked = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: ABILITY_READ });
+
+  if (isReadBlocked && isWriteDisallowed) {
+    return true
+  }
+
+  return false
+}

backend/src/ee/helpers/log.ts

@@ -1,9 +1,19 @@
 import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
 import { 
     Log,
     IAction
 } from '../models';
-
+/**
+ * Create an (audit) log
+ * @param {Object} obj
+ * @param {Types.ObjectId} obj.userId - id of user associated with the log
+ * @param {Types.ObjectId} obj.workspaceId - id of workspace associated with the log
+ * @param {IAction[]} obj.actions - actions to include in log
+ * @param {String} obj.channel - channel (web/cli/auto) associated with the log
+ * @param {String} obj.ipAddress - ip address associated with the log
+ * @returns {Log} log - new audit log
+ */
 const createLogHelper = async ({
     userId,
     workspaceId,
@@ -11,8 +21,8 @@ const createLogHelper = async ({
     channel,
     ipAddress
 }: {
-    userId: string;
-    workspaceId: string;
+    userId: Types.ObjectId;
+    workspaceId?: Types.ObjectId;
     actions: IAction[];
     channel: string;
     ipAddress: string;
@@ -21,7 +31,7 @@ const createLogHelper = async ({
     try {
         log = await new Log({
             user: userId,
-            workspace: workspaceId,
+            workspace: workspaceId ?? undefined,
             actionNames: actions.map((a) => a.name),
             actions,
             channel,

backend/src/ee/models/action.ts

@@ -1,10 +1,18 @@
 import { Schema, model, Types } from 'mongoose';
+import {
+    ACTION_LOGIN,
+    ACTION_LOGOUT,
+    ACTION_ADD_SECRETS,
+    ACTION_UPDATE_SECRETS,
+    ACTION_READ_SECRETS,
+    ACTION_DELETE_SECRETS
+} from '../../variables';
 
 export interface IAction {
     name: string;
     user?: Types.ObjectId,
     workspace?: Types.ObjectId,
-    payload: {
+    payload?: {
         secretVersions?: Types.ObjectId[]
     }
 }
@@ -13,7 +21,15 @@ const actionSchema = new Schema<IAction>(
     {
         name: {
             type: String,
-            required: true
+            required: true,
+            enum: [
+                ACTION_LOGIN,
+                ACTION_LOGOUT,
+                ACTION_ADD_SECRETS,
+                ACTION_UPDATE_SECRETS,
+                ACTION_READ_SECRETS,
+                ACTION_DELETE_SECRETS
+            ]
         },
         user: {
             type: Schema.Types.ObjectId,

backend/src/ee/models/log.ts

@@ -1,5 +1,7 @@
 import { Schema, model, Types } from 'mongoose';
 import {
+    ACTION_LOGIN,
+    ACTION_LOGOUT,
     ACTION_ADD_SECRETS,
     ACTION_UPDATE_SECRETS,
     ACTION_READ_SECRETS,
@@ -29,6 +31,8 @@ const logSchema = new Schema<ILog>(
         actionNames: {
             type: [String],
             enum: [
+                ACTION_LOGIN,
+                ACTION_LOGOUT,
                 ACTION_ADD_SECRETS,
                 ACTION_UPDATE_SECRETS,
                 ACTION_READ_SECRETS,
@@ -41,17 +45,17 @@ const logSchema = new Schema<ILog>(
             ref: 'Action',
             required: true
         }],
-        channel: { 
+        channel: {
             type: String,
-            enum: ['web', 'cli', 'auto'],
+            enum: ['web', 'cli', 'auto', 'k8-operator', 'other'],
             required: true
         },
         ipAddress: {
             type: String
         }
     }, {
-        timestamps: true
-    }
+    timestamps: true
+}
 );
 
 const Log = model<ILog>('Log', logSchema);

backend/src/ee/models/secretVersion.ts

@@ -21,6 +21,7 @@ export interface ISecretVersion {
 	secretValueIV: string;
 	secretValueTag: string;
 	secretValueHash: string;
+	tags?: string[];
 }
 
 const secretVersionSchema = new Schema<ISecretVersion>(
@@ -88,7 +89,12 @@ const secretVersionSchema = new Schema<ISecretVersion>(
 		},
 		secretValueHash: {
 			type: String
-		}
+		},
+		tags: {
+			ref: 'Tag',
+			type: [Schema.Types.ObjectId],
+			default: []
+		},
 	},
 	{
 		timestamps: true

backend/src/ee/routes/v1/secret.ts

@@ -12,7 +12,7 @@ import { ADMIN, MEMBER } from '../../../variables';
 router.get(
 	'/:secretId/secret-versions',
 	requireAuth({
-		acceptedAuthModes: ['jwt']
+		acceptedAuthModes: ['jwt', 'apiKey']
 	}),
 	requireSecretAuth({
 		acceptedRoles: [ADMIN, MEMBER]
@@ -27,7 +27,7 @@ router.get(
 router.post(
 	'/:secretId/secret-versions/rollback',
 	requireAuth({
-		acceptedAuthModes: ['jwt']
+		acceptedAuthModes: ['jwt', 'apiKey']
 	}),
 	requireSecretAuth({
 		acceptedRoles: [ADMIN, MEMBER]

backend/src/ee/routes/v1/workspace.ts

@@ -12,7 +12,7 @@ import { workspaceController } from '../../controllers/v1';
 router.get(
 	'/:workspaceId/secret-snapshots',
 	requireAuth({
-		acceptedAuthModes: ['jwt']
+		acceptedAuthModes: ['jwt', 'apiKey']
 	}),
 	requireWorkspaceAuth({
 		acceptedRoles: [ADMIN, MEMBER]
@@ -40,7 +40,7 @@ router.get(
 router.post(
 	'/:workspaceId/secret-snapshots/rollback',
 	requireAuth({
-		acceptedAuthModes: ['jwt']
+		acceptedAuthModes: ['jwt', 'apiKey']
 	}),
 	requireWorkspaceAuth({
 		acceptedRoles: [ADMIN, MEMBER]
@@ -54,7 +54,7 @@ router.post(
 router.get(
 	'/:workspaceId/logs',
 	requireAuth({
-		acceptedAuthModes: ['jwt']
+		acceptedAuthModes: ['jwt', 'apiKey']
 	}),
 	requireWorkspaceAuth({
 		acceptedRoles: [ADMIN, MEMBER]

backend/src/ee/services/EELogService.ts

@@ -1,14 +1,12 @@
 import { Types } from 'mongoose';
 import { 
-    Log,
-    Action,
     IAction
 } from '../models';
 import {
     createLogHelper
 } from '../helpers/log';
 import {
-    createActionSecretHelper
+    createActionHelper
 } from '../helpers/action';
 import EELicenseService from './EELicenseService';
 
@@ -33,8 +31,8 @@ class EELogService {
         channel,
         ipAddress
     }: {
-        userId: string;
-        workspaceId: string;
+        userId: Types.ObjectId;
+        workspaceId?: Types.ObjectId;
         actions: IAction[];
         channel: string;
         ipAddress: string;
@@ -50,26 +48,26 @@ class EELogService {
     }
     
     /**
-     * Create an (audit) action for secrets including
-     * add, delete, update, and read actions.
+     * Create an (audit) action
      * @param {Object} obj
      * @param {String} obj.name - name of action
-     * @param {ObjectId[]} obj.secretIds - secret ids
+     * @param {Types.ObjectId} obj.userId - id of user associated with the action
+     * @param {Types.ObjectId} obj.workspaceId - id of workspace associated with the action
+     * @param {ObjectId[]} obj.secretIds - ids of secrets associated with the action
      * @returns {Action} action - new action
      */
-    static async createActionSecret({
+    static async createAction({
         name,
         userId,
         workspaceId,
         secretIds
     }: {
         name: string;
-        userId: string;
-        workspaceId: string;
-        secretIds: Types.ObjectId[];
+        userId: Types.ObjectId;
+        workspaceId?: Types.ObjectId;
+        secretIds?: Types.ObjectId[];
     }) {
-        if (!EELicenseService.isLicenseValid) return null; 
-        return await createActionSecretHelper({
+        return await createActionHelper({
             name,
             userId,
             workspaceId,

backend/src/helpers/auth.ts

@@ -16,49 +16,66 @@ import {
 	AccountNotFoundError,
 	ServiceTokenDataNotFoundError,
 	APIKeyDataNotFoundError,
-	UnauthorizedRequestError
+	UnauthorizedRequestError,
+	BadRequestError
 } from '../utils/errors';
 
-// TODO 1: check if API key works
-// TODO 2: optimize middleware
-
 /**
- * Validate that auth token value [authTokenValue] falls under one of
- * accepted auth modes [acceptedAuthModes].
+ * 
  * @param {Object} obj
- * @param {String} obj.authTokenValue - auth token value (e.g. JWT or service token value)
- * @param {String[]} obj.acceptedAuthModes - accepted auth modes (e.g. jwt, serviceToken)
- * @returns {String} authMode - auth mode
+ * @param {Object} obj.headers - HTTP request headers object
  */
 const validateAuthMode = ({
-	authTokenValue,
+	headers,
 	acceptedAuthModes
 }: {
-	authTokenValue: string;
-	acceptedAuthModes: string[];
+	headers: { [key: string]: string | string[] | undefined },
+	acceptedAuthModes: string[]
 }) => {
-	let authMode;
-	try {
-		switch (authTokenValue.split('.', 1)[0]) {
+	// TODO: refactor middleware
+	const apiKey = headers['x-api-key'];
+	const authHeader = headers['authorization'];
+
+	let authTokenType, authTokenValue;
+	if (apiKey === undefined && authHeader === undefined) {
+		// case: no auth or X-API-KEY header present
+		throw BadRequestError({ message: 'Missing Authorization or X-API-KEY in request header.' });
+	}
+
+	if (typeof apiKey === 'string') {
+		// case: treat request authentication type as via X-API-KEY (i.e. API Key)
+		authTokenType = 'apiKey';
+		authTokenValue = apiKey;
+	}
+
+	if (typeof authHeader === 'string') {
+		// case: treat request authentication type as via Authorization header (i.e. either JWT or service token)
+		const [tokenType, tokenValue] = <[string, string]>authHeader.split(' ', 2) ?? [null, null]
+		if (tokenType === null)
+			throw BadRequestError({ message: `Missing Authorization Header in the request header.` });
+		if (tokenType.toLowerCase() !== 'bearer')
+			throw BadRequestError({ message: `The provided authentication type '${tokenType}' is not supported.` });
+		if (tokenValue === null)
+			throw BadRequestError({ message: 'Missing Authorization Body in the request header.' });
+
+		switch (tokenValue.split('.', 1)[0]) {
 			case 'st':
-				authMode = 'serviceToken';
-				break;
-			case 'ak':
-				authMode = 'apiKey';
+				authTokenType = 'serviceToken';
 				break;
 			default:
-				authMode = 'jwt';
-				break;
+				authTokenType = 'jwt';
 		}
-		
-		if (!acceptedAuthModes.includes(authMode)) 
-			throw UnauthorizedRequestError({ message: 'Failed to authenticated auth mode' });
-
-	} catch (err) {
-		throw UnauthorizedRequestError({ message: 'Failed to authenticated auth mode' });
+		authTokenValue = tokenValue;
 	}
-	
-	return authMode;
+
+	if (!authTokenType || !authTokenValue) throw BadRequestError({ message: 'Missing valid Authorization or X-API-KEY in request header.' });
+
+	if (!acceptedAuthModes.includes(authTokenType)) throw BadRequestError({ message: 'The provided authentication type is not supported.' });
+
+	return ({
+		authTokenType,
+		authTokenValue
+	});
 }
 
 /**
@@ -91,7 +108,7 @@ const getAuthUserPayload = async ({
 			message: 'Failed to authenticate JWT token'
 		});
 	}
-	
+
 	return user;
 }
 
@@ -113,7 +130,7 @@ const getAuthSTDPayload = async ({
 		// TODO: optimize double query
 		serviceTokenData = await ServiceTokenData
 			.findById(TOKEN_IDENTIFIER, '+secretHash +expiresAt');
-		
+
 		if (!serviceTokenData) {
 			throw ServiceTokenDataNotFoundError({ message: 'Failed to find service token data' });
 		} else if (serviceTokenData?.expiresAt && new Date(serviceTokenData.expiresAt) < new Date()) {
@@ -131,14 +148,14 @@ const getAuthSTDPayload = async ({
 
 		serviceTokenData = await ServiceTokenData
 			.findById(TOKEN_IDENTIFIER)
-			.select('+encryptedKey +iv +tag');
+			.select('+encryptedKey +iv +tag').populate('user');
 
 	} catch (err) {
 		throw UnauthorizedRequestError({
 			message: 'Failed to authenticate service token'
 		});
 	}
-	
+
 	return serviceTokenData;
 }
 
@@ -156,11 +173,11 @@ const getAuthAPIKeyPayload = async ({
 	let user;
 	try {
 		const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split('.', 3);
-		
+
 		const apiKeyData = await APIKeyData
 			.findById(TOKEN_IDENTIFIER, '+secretHash +expiresAt')
 			.populate('user', '+publicKey');
-		
+
 		if (!apiKeyData) {
 			throw APIKeyDataNotFoundError({ message: 'Failed to find API key data' });
 		} else if (apiKeyData?.expiresAt && new Date(apiKeyData.expiresAt) < new Date()) {
@@ -175,14 +192,14 @@ const getAuthAPIKeyPayload = async ({
 		if (!isMatch) throw UnauthorizedRequestError({
 			message: 'Failed to authenticate API key'
 		});
-		
+
 		user = apiKeyData.user;
 	} catch (err) {
 		throw UnauthorizedRequestError({
 			message: 'Failed to authenticate API key'
 		});
 	}
-	
+
 	return user;
 }
 
@@ -275,12 +292,12 @@ const createToken = ({
 	}
 };
 
-export { 
+export {
 	validateAuthMode,
 	getAuthUserPayload,
 	getAuthSTDPayload,
 	getAuthAPIKeyPayload,
-	createToken, 
-	issueTokens, 
-	clearTokens 
+	createToken,
+	issueTokens,
+	clearTokens
 };

backend/src/helpers/database.ts

@@ -1,5 +1,4 @@
 import mongoose from 'mongoose';
-import { ISecret, Secret } from '../models';
 import { EESecretService } from '../ee/services';
 import { getLogger } from '../utils/logger';
 
@@ -16,6 +15,10 @@ const initDatabaseHelper = async ({
 }) => {
     try {
         await mongoose.connect(mongoURL);
+    
+        // allow empty strings to pass the required validator
+        mongoose.Schema.Types.String.checkRequired(v => typeof v === 'string');
+
         getLogger("database").info("Database connection established");
         
         await EESecretService.initSecretVersioning();

backend/src/helpers/integration.ts

@@ -30,6 +30,7 @@ interface Update {
  * @param {String} obj.workspaceId - id of workspace
  * @param {String} obj.integration - name of integration 
  * @param {String} obj.code - code
+ * @returns {IntegrationAuth} integrationAuth - integration auth after OAuth2 code-token exchange
 */
 const handleOAuthExchangeHelper = async ({
     workspaceId,
@@ -42,7 +43,6 @@ const handleOAuthExchangeHelper = async ({
     code: string;
     environment: string;
 }) => {
-    let action;
     let integrationAuth;
     try {
         const bot = await Bot.findOne({
@@ -94,25 +94,18 @@ const handleOAuthExchangeHelper = async ({
             // set integration auth access token
             await setIntegrationAuthAccessHelper({
                 integrationAuthId: integrationAuth._id.toString(),
+                accessId: null,
                 accessToken: res.accessToken,
                 accessExpiresAt: res.accessExpiresAt
             });
         }
-
-        // initialize new integration after exchange
-        await new Integration({
-            workspace: workspaceId,
-            isActive: false,
-            app: null,
-            environment,
-            integration,
-            integrationAuth: integrationAuth._id
-        }).save();
     } catch (err) {
         Sentry.setUser(null);
         Sentry.captureException(err);
         throw new Error('Failed to handle OAuth2 code-token exchange')
     }
+    
+    return integrationAuth;
 }
 /**
  * Sync/push environment variables in workspace with id [workspaceId] to
@@ -127,7 +120,6 @@ const syncIntegrationsHelper = async ({
 }) => {
     let integrations;
     try {
-
         integrations = await Integration.find({
             workspace: workspaceId,
             isActive: true,
@@ -142,12 +134,12 @@ const syncIntegrationsHelper = async ({
                 workspaceId: integration.workspace.toString(),
                 environment: integration.environment
             });
-            
+
             const integrationAuth = await IntegrationAuth.findById(integration.integrationAuth);
             if (!integrationAuth) throw new Error('Failed to find integration auth');
             
             // get integration auth access token
-            const accessToken = await getIntegrationAuthAccessHelper({
+            const access = await getIntegrationAuthAccessHelper({
                 integrationAuthId: integration.integrationAuth.toString()
             });
 
@@ -156,7 +148,8 @@ const syncIntegrationsHelper = async ({
                 integration,
                 integrationAuth,
                 secrets,
-                accessToken
+                accessId: access.accessId,
+                accessToken: access.accessToken
             });
         }
     } catch (err) {
@@ -212,12 +205,12 @@ const syncIntegrationsHelper = async ({
  * @returns {String} accessToken - decrypted access token
  */
 const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrationAuthId: string }) => {
+    let accessId;
     let accessToken;
-	
     try {
         const integrationAuth = await IntegrationAuth
             .findById(integrationAuthId)
-            .select('workspace integration +accessCiphertext +accessIV +accessTag +accessExpiresAt + refreshCiphertext');
+            .select('workspace integration +accessCiphertext +accessIV +accessTag +accessExpiresAt + refreshCiphertext +accessIdCiphertext +accessIdIV +accessIdTag');
 
         if (!integrationAuth) throw UnauthorizedRequestError({message: 'Failed to locate Integration Authentication credentials'});
 
@@ -241,6 +234,15 @@ const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrati
                 });
             }
         }
+        
+        if (integrationAuth?.accessIdCiphertext && integrationAuth?.accessIdIV && integrationAuth?.accessIdTag) {
+            accessId = await BotService.decryptSymmetric({
+                workspaceId: integrationAuth.workspace.toString(),
+                ciphertext: integrationAuth.accessIdCiphertext as string,
+                iv: integrationAuth.accessIdIV as string,
+                tag: integrationAuth.accessIdTag as string
+            });
+        }
 
     } catch (err) {
         Sentry.setUser(null);
@@ -251,7 +253,10 @@ const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrati
             throw new Error('Failed to get integration access token');
     }
     
-    return accessToken;
+    return ({
+        accessId,
+        accessToken
+    });
 }
 
 /**
@@ -301,9 +306,9 @@ const setIntegrationAuthRefreshHelper = async ({
 }
 
 /**
- * Encrypt access token [accessToken] using the bot's copy
- * of the workspace key for workspace belonging to integration auth
- * with id [integrationAuthId] and store it along with [accessExpiresAt]
+ * Encrypt access token [accessToken] and (optionally) access id [accessId]
+ * using the bot's copy of the workspace key for workspace belonging to 
+ * integration auth with id [integrationAuthId] and store it along with [accessExpiresAt]
  * @param {Object} obj
  * @param {String} obj.integrationAuthId - id of integration auth
  * @param {String} obj.accessToken - access token
@@ -311,12 +316,14 @@ const setIntegrationAuthRefreshHelper = async ({
  */
 const setIntegrationAuthAccessHelper = async ({
     integrationAuthId,
+    accessId,
     accessToken,
     accessExpiresAt
 }: {
     integrationAuthId: string;
+    accessId: string | null;
     accessToken: string;
-    accessExpiresAt: Date;
+    accessExpiresAt: Date | undefined;
 }) => {
     let integrationAuth;
     try {
@@ -324,17 +331,28 @@ const setIntegrationAuthAccessHelper = async ({
         
         if (!integrationAuth) throw new Error('Failed to find integration auth');
         
-        const obj = await BotService.encryptSymmetric({
+        const encryptedAccessTokenObj = await BotService.encryptSymmetric({
             workspaceId: integrationAuth.workspace.toString(),
             plaintext: accessToken
         });
         
+        let encryptedAccessIdObj;
+        if (accessId) {
+            encryptedAccessIdObj = await BotService.encryptSymmetric({
+                workspaceId: integrationAuth.workspace.toString(),
+                plaintext: accessId
+            }); 
+        }
+        
         integrationAuth = await IntegrationAuth.findOneAndUpdate({
             _id: integrationAuthId
         }, {
-            accessCiphertext: obj.ciphertext,
-            accessIV: obj.iv,
-            accessTag: obj.tag,
+            accessIdCiphertext: encryptedAccessIdObj?.ciphertext ?? undefined,
+            accessIdIV: encryptedAccessIdObj?.iv ?? undefined,
+            accessIdTag: encryptedAccessIdObj?.tag ?? undefined,
+            accessCiphertext: encryptedAccessTokenObj.ciphertext,
+            accessIV: encryptedAccessTokenObj.iv,
+            accessTag: encryptedAccessTokenObj.tag,
             accessExpiresAt
         }, {
             new: true

backend/src/helpers/membership.ts

@@ -7,6 +7,7 @@ import { Membership, Key } from '../models';
  * @param {Object} obj
  * @param {String} obj.userId - id of user to validate
  * @param {String} obj.workspaceId - id of workspace
+ * @returns {Membership} membership - membership of user with id [userId] for workspace with id [workspaceId]
  */
 const validateMembership = async ({
 	userId,

backend/src/helpers/membershipOrg.ts

@@ -1,6 +1,42 @@
 import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
 import { MembershipOrg, Workspace, Membership, Key } from '../models';
 
+/**
+ * Validate that user with id [userId] is a member of organization with id [organizationId]
+ * and has at least one of the roles in [acceptedRoles]
+ *
+ */
+const validateMembership = async ({
+	userId,
+	organizationId,
+	acceptedRoles
+}: {
+	userId: string;
+	organizationId: string;
+	acceptedRoles: string[];
+}) => {
+	let membership;
+	try {
+		membership = await MembershipOrg.findOne({
+			user: new Types.ObjectId(userId),
+			organization: new Types.ObjectId(organizationId)
+		});
+		
+		if (!membership) throw new Error('Failed to find organization membership');
+		
+		if (!acceptedRoles.includes(membership.role)) {
+			throw new Error('Failed to validate organization membership role');
+		}
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		throw new Error('Failed to validate organization membership');
+	}
+	
+	return membership;
+}
+
 /**
  * Return organization membership matching criteria specified in
  * query [queryObj]
@@ -84,6 +120,8 @@ const deleteMembershipOrg = async ({
 			_id: membershipOrgId
 		});
 
+		if (!deletedMembershipOrg) throw new Error('Failed to delete organization membership');
+
 		// delete keys associated with organization membership
 		if (deletedMembershipOrg?.user) {
 			// case: organization membership had a registered user
@@ -117,4 +155,9 @@ const deleteMembershipOrg = async ({
 	return deletedMembershipOrg;
 };
 
-export { findMembershipOrg, addMembershipsOrg, deleteMembershipOrg };
+export {
+	validateMembership,
+	findMembershipOrg,
+	addMembershipsOrg, 
+	deleteMembershipOrg 
+}; 

backend/src/helpers/organization.ts

@@ -3,6 +3,7 @@ import Stripe from 'stripe';
 import {
 	STRIPE_SECRET_KEY,
 	STRIPE_PRODUCT_STARTER,
+	STRIPE_PRODUCT_TEAM,
 	STRIPE_PRODUCT_PRO
 } from '../config';
 const stripe = new Stripe(STRIPE_SECRET_KEY, {
@@ -14,6 +15,7 @@ import { Organization, MembershipOrg } from '../models';
 
 const productToPriceMap = {
 	starter: STRIPE_PRODUCT_STARTER,
+	team: STRIPE_PRODUCT_TEAM,
 	pro: STRIPE_PRODUCT_PRO
 };
 
@@ -55,7 +57,7 @@ const createOrganization = async ({
 	} catch (err) {
 		Sentry.setUser({ email });
 		Sentry.captureException(err);
-		throw new Error('Failed to create organization');
+		throw new Error(`Failed to create organization [err=${err}]`);
 	}
 
 	return organization;

backend/src/helpers/rateLimiter.ts

@@ -1,38 +1,43 @@
 import rateLimit from 'express-rate-limit';
 
-// 300 requests per 15 minutes
+// 120 requests per minute
 const apiLimiter = rateLimit({
-  windowMs: 15 * 60 * 1000,
-  max: 450,
+  windowMs: 60 * 1000,
+  max: 240,
   standardHeaders: true,
   legacyHeaders: false,
   skip: (request) => {
     return request.path === '/healthcheck' || request.path === '/api/status'
+  },
+  keyGenerator: (req, res) => {
+    return req.clientIp
   }
 });
 
-// 5 requests per hour
-const signupLimiter = rateLimit({
-  windowMs: 60 * 60 * 1000,
+// 10 requests per minute
+const authLimiter = rateLimit({
+  windowMs: 60 * 1000,
   max: 10,
   standardHeaders: true,
-  legacyHeaders: false
+  legacyHeaders: false,
+  keyGenerator: (req, res) => {
+    return req.clientIp
+  }
 });
 
 // 10 requests per hour
-const loginLimiter = rateLimit({
-  windowMs: 60 * 60 * 1000,
-  max: 25,
-  standardHeaders: true,
-  legacyHeaders: false
-});
-
-// 5 requests per hour
 const passwordLimiter = rateLimit({
   windowMs: 60 * 60 * 1000,
   max: 10,
   standardHeaders: true,
-  legacyHeaders: false
+  legacyHeaders: false,
+  keyGenerator: (req, res) => {
+    return req.clientIp
+  }
 });
 
-export { apiLimiter, signupLimiter, loginLimiter, passwordLimiter };
+export { 
+  apiLimiter, 
+  authLimiter,
+  passwordLimiter 
+};

backend/src/helpers/secret.ts

@@ -12,14 +12,17 @@ import {
 import {
 	IAction
 } from '../ee/models';
-import { 
-	SECRET_SHARED, 
+import {
+	SECRET_SHARED,
 	SECRET_PERSONAL,
 	ACTION_ADD_SECRETS,
 	ACTION_UPDATE_SECRETS,
 	ACTION_DELETE_SECRETS,
 	ACTION_READ_SECRETS
 } from '../variables';
+import _ from 'lodash';
+import { ABILITY_WRITE } from '../variables/organization';
+import { BadRequestError, UnauthorizedRequestError } from '../utils/errors';
 
 /**
  * Validate that user with id [userId] can modify secrets with ids [secretIds]
@@ -34,7 +37,7 @@ const validateSecrets = async ({
 }: {
 	userId: string;
 	secretIds: string[];
-}) =>{
+}) => {
 	let secrets;
 	try {
 		secrets = await Secret.find({
@@ -42,20 +45,31 @@ const validateSecrets = async ({
 				$in: secretIds.map((secretId: string) => new Types.ObjectId(secretId))
 			}
 		});
-		
-		const workspaceIdsSet = new Set((await Membership.find({
-			user: userId
-		}, 'workspace'))
-		.map((m) => m.workspace.toString()));
-		
+
+		if (secrets.length != secretIds.length) {
+			throw BadRequestError({ message: 'Unable to validate some secrets' })
+		}
+
+		const userMemberships = await Membership.find({ user: userId })
+		const userMembershipById = _.keyBy(userMemberships, 'workspace');
+		const workspaceIdsSet = new Set(userMemberships.map((m) => m.workspace.toString()));
+
+		// for each secret check if the secret belongs to a workspace the user is a member of
 		secrets.forEach((secret: ISecret) => {
-			if (!workspaceIdsSet.has(secret.workspace.toString())) {
-				throw new Error('Failed to validate secret');
+			if (workspaceIdsSet.has(secret.workspace.toString())) {
+				const deniedMembershipPermissions = userMembershipById[secret.workspace.toString()].deniedPermissions;
+				const isDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: secret.environment, ability: ABILITY_WRITE });
+
+				if (isDisallowed) {
+					throw UnauthorizedRequestError({ message: 'You do not have the required permissions to perform this action' });
+				}
+			} else {
+				throw BadRequestError({ message: 'You cannot edit secrets of a workspace you are not a member of' });
 			}
 		});
-		
+
 	} catch (err) {
-		throw new Error('Failed to validate secrets');
+		throw BadRequestError({ message: 'Unable to validate secrets' })
 	}
 
 	return secrets;
@@ -127,13 +141,13 @@ const v1PushSecrets = async ({
 			workspaceId,
 			environment
 		});
-		
-		const oldSecretsObj: any = oldSecrets.reduce((accumulator, s: any) => 
+
+		const oldSecretsObj: any = oldSecrets.reduce((accumulator, s: any) =>
 			({ ...accumulator, [`${s.type}-${s.secretKeyHash}`]: s })
-		, {});
-		const newSecretsObj: any = secrets.reduce((accumulator, s) => 
+			, {});
+		const newSecretsObj: any = secrets.reduce((accumulator, s) =>
 			({ ...accumulator, [`${s.type}-${s.hashKey}`]: s })
-		, {});
+			, {});
 
 		// handle deleting secrets
 		const toDelete = oldSecrets
@@ -150,12 +164,12 @@ const v1PushSecrets = async ({
 				secretIds: toDelete
 			});
 		}
-		
+
 		const toUpdate = oldSecrets
 			.filter((s) => {
 				if (`${s.type}-${s.secretKeyHash}` in newSecretsObj) {
-					if (s.secretValueHash !== newSecretsObj[`${s.type}-${s.secretKeyHash}`].hashValue 
-					|| s.secretCommentHash !== newSecretsObj[`${s.type}-${s.secretKeyHash}`].hashComment) {
+					if (s.secretValueHash !== newSecretsObj[`${s.type}-${s.secretKeyHash}`].hashValue
+						|| s.secretCommentHash !== newSecretsObj[`${s.type}-${s.secretKeyHash}`].hashComment) {
 						// case: filter secrets where value or comment changed
 						return true;
 					}
@@ -165,7 +179,7 @@ const v1PushSecrets = async ({
 						return true;
 					}
 				}
-				
+
 				return false;
 			});
 
@@ -217,7 +231,7 @@ const v1PushSecrets = async ({
 				};
 			});
 		await Secret.bulkWrite(operations as any);
-		
+
 		// (EE) add secret versions for updated secrets
 		await EESecretService.addSecretVersions({
 			secretVersions: toUpdate.map(({
@@ -245,7 +259,7 @@ const v1PushSecrets = async ({
 					secretValueTag: newSecret.tagValue,
 					secretValueHash: newSecret.hashValue
 				})
-			}) 
+			})
 		});
 
 		// handle adding new secrets
@@ -319,7 +333,7 @@ const v1PushSecrets = async ({
 				}))
 			});
 		}
-		
+
 		// (EE) take a secret snapshot
 		await EESecretService.takeSecretSnapshot({
 			workspaceId
@@ -344,7 +358,7 @@ const v1PushSecrets = async ({
  * @param {String} obj.channel - channel (web/cli/auto)
  * @param {String} obj.ipAddress - ip address of request to push secrets
  */
- const v2PushSecrets = async ({
+const v2PushSecrets = async ({
 	userId,
 	workspaceId,
 	environment,
@@ -362,20 +376,20 @@ const v1PushSecrets = async ({
 	// TODO: clean up function and fix up types
 	try {
 		const actions: IAction[] = [];
-		
+
 		// construct useful data structures
 		const oldSecrets = await getSecrets({
 			userId,
 			workspaceId,
 			environment
 		});
-		
-		const oldSecretsObj: any = oldSecrets.reduce((accumulator, s: any) => 
+
+		const oldSecretsObj: any = oldSecrets.reduce((accumulator, s: any) =>
 			({ ...accumulator, [`${s.type}-${s.secretKeyHash}`]: s })
-		, {});
-		const newSecretsObj: any = secrets.reduce((accumulator, s) => 
+			, {});
+		const newSecretsObj: any = secrets.reduce((accumulator, s) =>
 			({ ...accumulator, [`${s.type}-${s.secretKeyHash}`]: s })
-		, {});
+			, {});
 
 		// handle deleting secrets
 		const toDelete = oldSecrets
@@ -391,22 +405,22 @@ const v1PushSecrets = async ({
 			await EESecretService.markDeletedSecretVersions({
 				secretIds: toDelete
 			});
-			
-			const deleteAction = await EELogService.createActionSecret({
+
+			const deleteAction = await EELogService.createAction({
 				name: ACTION_DELETE_SECRETS,
-				userId,
-				workspaceId,
+				userId: new Types.ObjectId(userId),
+				workspaceId: new Types.ObjectId(userId),
 				secretIds: toDelete
 			});
 
 			deleteAction && actions.push(deleteAction);
 		}
-		
+
 		const toUpdate = oldSecrets
 			.filter((s) => {
 				if (`${s.type}-${s.secretKeyHash}` in newSecretsObj) {
-					if (s.secretValueHash !== newSecretsObj[`${s.type}-${s.secretKeyHash}`].secretValueHash 
-					|| s.secretCommentHash !== newSecretsObj[`${s.type}-${s.secretKeyHash}`].secretCommentHash) {
+					if (s.secretValueHash !== newSecretsObj[`${s.type}-${s.secretKeyHash}`].secretValueHash
+						|| s.secretCommentHash !== newSecretsObj[`${s.type}-${s.secretKeyHash}`].secretCommentHash) {
 						// case: filter secrets where value or comment changed
 						return true;
 					}
@@ -416,7 +430,7 @@ const v1PushSecrets = async ({
 						return true;
 					}
 				}
-				
+
 				return false;
 			});
 
@@ -469,7 +483,7 @@ const v1PushSecrets = async ({
 					};
 				});
 			await Secret.bulkWrite(operations as any);
-			
+
 			// (EE) add secret versions for updated secrets
 			await EESecretService.addSecretVersions({
 				secretVersions: toUpdate.map((s) => {
@@ -482,13 +496,13 @@ const v1PushSecrets = async ({
 						environment: s.environment,
 						isDeleted: false
 					})
-				}) 
+				})
 			});
 
-			const updateAction = await EELogService.createActionSecret({
+			const updateAction = await EELogService.createAction({
 				name: ACTION_UPDATE_SECRETS,
-				userId,
-				workspaceId,
+				userId: new Types.ObjectId(userId),
+				workspaceId: new Types.ObjectId(workspaceId),
 				secretIds: toUpdate.map((u) => u._id)
 			});
 
@@ -507,29 +521,30 @@ const v1PushSecrets = async ({
 					workspace: workspaceId,
 					type: toAdd[idx].type,
 					environment,
-					...( toAdd[idx].type === 'personal' ? { user: userId } : {})
+					...(toAdd[idx].type === 'personal' ? { user: userId } : {})
 				}))
 			);
 
 			// (EE) add secret versions for new secrets
 			EESecretService.addSecretVersions({
-				secretVersions: newSecrets.map((secretDocument) => { 
+				secretVersions: newSecrets.map((secretDocument) => {
 					return {
 						...secretDocument.toObject(),
 						secret: secretDocument._id,
 						isDeleted: false
-				}})
+					}
+				})
 			});
 
-			const addAction = await EELogService.createActionSecret({
+			const addAction = await EELogService.createAction({
 				name: ACTION_ADD_SECRETS,
-				userId,
-				workspaceId,
+				userId: new Types.ObjectId(userId),
+				workspaceId: new Types.ObjectId(workspaceId),
 				secretIds: newSecrets.map((n) => n._id)
 			});
 			addAction && actions.push(addAction);
 		}
-		
+
 		// (EE) take a secret snapshot
 		await EESecretService.takeSecretSnapshot({
 			workspaceId
@@ -538,8 +553,8 @@ const v1PushSecrets = async ({
 		// (EE) create (audit) log
 		if (actions.length > 0) {
 			await EELogService.createLog({
-				userId,
-				workspaceId,
+				userId: new Types.ObjectId(userId),
+				workspaceId: new Types.ObjectId(workspaceId),
 				actions,
 				channel,
 				ipAddress
@@ -560,7 +575,7 @@ const v1PushSecrets = async ({
  * @param {String} obj.workspaceId - id of workspace to pull from
  * @param {String} obj.environment - environment for secrets
  */
- const getSecrets = async ({
+const getSecrets = async ({
 	userId,
 	workspaceId,
 	environment
@@ -570,7 +585,7 @@ const v1PushSecrets = async ({
 	environment: string;
 }): Promise<ISecret[]> => {
 	let secrets: any; // TODO: FIX any
-	
+
 	try {
 		// get shared workspace secrets
 		const sharedSecrets = await Secret.find({
@@ -622,7 +637,7 @@ const pullSecrets = async ({
 	ipAddress: string;
 }): Promise<ISecret[]> => {
 	let secrets: any;
-	
+
 	try {
 		secrets = await getSecrets({
 			userId,
@@ -630,16 +645,16 @@ const pullSecrets = async ({
 			environment
 		})
 
-		const readAction = await EELogService.createActionSecret({
+		const readAction = await EELogService.createAction({
 			name: ACTION_READ_SECRETS,
-			userId,
-			workspaceId,
+			userId: new Types.ObjectId(userId),
+			workspaceId: new Types.ObjectId(workspaceId),
 			secretIds: secrets.map((n: any) => n._id)
 		});
 
 		readAction && await EELogService.createLog({
-			userId,
-			workspaceId,
+			userId: new Types.ObjectId(userId),
+			workspaceId: new Types.ObjectId(workspaceId),
 			actions: [readAction],
 			channel,
 			ipAddress

backend/src/helpers/signup.ts

@@ -7,6 +7,7 @@ import { createWorkspace } from './workspace';
 import { addMemberships } from './membership';
 import { OWNER, ADMIN, ACCEPTED } from '../variables';
 import { sendMail } from '../helpers/nodemailer';
+import { EMAIL_TOKEN_LIFETIME } from '../config';
 
 /**
  * Send magic link to verify email to [email]
@@ -25,7 +26,8 @@ const sendEmailVerification = async ({ email }: { email: string }) => {
 			{
 				email,
 				token,
-				createdAt: new Date()
+				createdAt: new Date(),
+				ttl: Math.floor(+new Date() / 1000) + EMAIL_TOKEN_LIFETIME // time in seconds, i.e unix
 			},
 			{ upsert: true, new: true }
 		);
@@ -62,11 +64,20 @@ const checkEmailVerification = async ({
 	code: string;
 }) => {
 	try {
-		const token = await Token.findOneAndDelete({
+		const token = await Token.findOne({
 			email,
 			token: code
 		});
-	
+
+		if (token && Math.floor(Date.now() / 1000) > token.ttl) {
+			await Token.deleteOne({
+				email,
+				token: code
+			});
+
+			throw new Error('Verification token has expired')
+		}
+
 		if (!token) throw new Error('Failed to find email verification token');
 	} catch (err) {
 		Sentry.setUser(null);
@@ -116,7 +127,7 @@ const initializeDefaultOrg = async ({
 			roles: [ADMIN]
 		});
 	} catch (err) {
-		throw new Error('Failed to initialize default organization and workspace');
+		throw new Error(`Failed to initialize default organization and workspace [err=${err}]`);
 	}
 };
 

backend/src/index.ts

@@ -8,6 +8,7 @@ import { DatabaseService } from './services';
 import { setUpHealthEndpoint } from './services/health';
 import { initSmtp } from './services/smtp';
 import { setTransporter } from './helpers/nodemailer';
+import { createTestUserForDevelopment } from './utils/addDevelopmentUser';
 
 DatabaseService.initDatabase(MONGO_URL);
 
@@ -23,3 +24,5 @@ if (NODE_ENV !== 'test') {
     environment: NODE_ENV
   });
 }
+
+createTestUserForDevelopment()

backend/src/integrations/apps.ts

@@ -1,16 +1,25 @@
-import axios from 'axios';
-import * as Sentry from '@sentry/node';
-import { Octokit } from '@octokit/rest';
-import { IIntegrationAuth } from '../models';
+import axios from "axios";
+import * as Sentry from "@sentry/node";
+import { Octokit } from "@octokit/rest";
+import { IIntegrationAuth } from "../models";
 import {
+  INTEGRATION_AZURE_KEY_VAULT,
+  INTEGRATION_AWS_PARAMETER_STORE,
+  INTEGRATION_AWS_SECRET_MANAGER,
   INTEGRATION_HEROKU,
   INTEGRATION_VERCEL,
   INTEGRATION_NETLIFY,
   INTEGRATION_GITHUB,
+  INTEGRATION_RENDER,
+  INTEGRATION_FLYIO,
+  INTEGRATION_CIRCLECI,
   INTEGRATION_HEROKU_API_URL,
   INTEGRATION_VERCEL_API_URL,
-  INTEGRATION_NETLIFY_API_URL
-} from '../variables';
+  INTEGRATION_NETLIFY_API_URL,
+  INTEGRATION_RENDER_API_URL,
+  INTEGRATION_FLYIO_API_URL,
+  INTEGRATION_CIRCLECI_API_URL,
+} from "../variables";
 
 /**
  * Return list of names of apps for integration named [integration]
@@ -22,54 +31,77 @@ import {
  */
 const getApps = async ({
   integrationAuth,
-  accessToken
+  accessToken,
 }: {
   integrationAuth: IIntegrationAuth;
   accessToken: string;
 }) => {
   interface App {
     name: string;
-    siteId?: string;
+    appId?: string;
+    owner?: string;
   }
 
-  let apps: App[]; // TODO: add type and define payloads for apps
+  let apps: App[];
   try {
     switch (integrationAuth.integration) {
+      case INTEGRATION_AZURE_KEY_VAULT:
+        apps = [];
+        break;
+      case INTEGRATION_AWS_PARAMETER_STORE:
+        apps = [];
+        break;
+      case INTEGRATION_AWS_SECRET_MANAGER:
+        apps = [];
+        break;
       case INTEGRATION_HEROKU:
         apps = await getAppsHeroku({
-          accessToken
+          accessToken,
         });
         break;
       case INTEGRATION_VERCEL:
         apps = await getAppsVercel({
           integrationAuth,
-          accessToken
+          accessToken,
         });
         break;
       case INTEGRATION_NETLIFY:
         apps = await getAppsNetlify({
-          integrationAuth,
-          accessToken
+          accessToken,
         });
         break;
       case INTEGRATION_GITHUB:
         apps = await getAppsGithub({
-          integrationAuth,
-          accessToken
+          accessToken,
+        });
+        break;
+      case INTEGRATION_RENDER:
+        apps = await getAppsRender({
+          accessToken,
+        });
+        break;
+      case INTEGRATION_FLYIO:
+        apps = await getAppsFlyio({
+          accessToken,
+        });
+        break;
+      case INTEGRATION_CIRCLECI:
+        apps = await getAppsCircleCI({
+          accessToken,
         });
         break;
     }
   } catch (err) {
     Sentry.setUser(null);
     Sentry.captureException(err);
-    throw new Error('Failed to get integration apps');
+    throw new Error("Failed to get integration apps");
   }
 
   return apps;
 };
 
 /**
- * Return list of names of apps for Heroku integration
+ * Return list of apps for Heroku integration
  * @param {Object} obj
  * @param {String} obj.accessToken - access token for Heroku API
  * @returns {Object[]} apps - names of Heroku apps
@@ -81,19 +113,19 @@ const getAppsHeroku = async ({ accessToken }: { accessToken: string }) => {
     const res = (
       await axios.get(`${INTEGRATION_HEROKU_API_URL}/apps`, {
         headers: {
-          Accept: 'application/vnd.heroku+json; version=3',
-          Authorization: `Bearer ${accessToken}`
-        }
+          Accept: "application/vnd.heroku+json; version=3",
+          Authorization: `Bearer ${accessToken}`,
+        },
       })
     ).data;
 
     apps = res.map((a: any) => ({
-      name: a.name
+      name: a.name,
     }));
   } catch (err) {
     Sentry.setUser(null);
     Sentry.captureException(err);
-    throw new Error('Failed to get Heroku integration apps');
+    throw new Error("Failed to get Heroku integration apps");
   }
 
   return apps;
@@ -106,10 +138,10 @@ const getAppsHeroku = async ({ accessToken }: { accessToken: string }) => {
  * @returns {Object[]} apps - names of Vercel apps
  * @returns {String} apps.name - name of Vercel app
  */
-const getAppsVercel = async ({ 
+const getAppsVercel = async ({
   integrationAuth,
-  accessToken 
-}: { 
+  accessToken,
+}: {
   integrationAuth: IIntegrationAuth;
   accessToken: string;
 }) => {
@@ -118,103 +150,223 @@ const getAppsVercel = async ({
     const res = (
       await axios.get(`${INTEGRATION_VERCEL_API_URL}/v9/projects`, {
         headers: {
-          Authorization: `Bearer ${accessToken}`
+          Authorization: `Bearer ${accessToken}`,
+          'Accept-Encoding': 'application/json'
         },
-       ...( integrationAuth?.teamId ? { 
-        params: {
-          teamId: integrationAuth.teamId
-        }
-      } : {}) 
+        ...(integrationAuth?.teamId
+          ? {
+              params: {
+                teamId: integrationAuth.teamId,
+              },
+            }
+          : {}),
       })
     ).data;
-    
+
     apps = res.projects.map((a: any) => ({
-      name: a.name
+      name: a.name,
     }));
   } catch (err) {
     Sentry.setUser(null);
     Sentry.captureException(err);
-    throw new Error('Failed to get Vercel integration apps');
+    throw new Error("Failed to get Vercel integration apps");
   }
 
   return apps;
 };
 
 /**
- * Return list of names of sites for Netlify integration
+ * Return list of sites for Netlify integration
  * @param {Object} obj
  * @param {String} obj.accessToken - access token for Netlify API
  * @returns {Object[]} apps - names of Netlify sites
  * @returns {String} apps.name - name of Netlify site
  */
-const getAppsNetlify = async ({
-  integrationAuth,
-  accessToken
-}: {
-  integrationAuth: IIntegrationAuth;
-  accessToken: string;
-}) => {
+const getAppsNetlify = async ({ accessToken }: { accessToken: string }) => {
   let apps;
   try {
     const res = (
       await axios.get(`${INTEGRATION_NETLIFY_API_URL}/api/v1/sites`, {
         headers: {
-          Authorization: `Bearer ${accessToken}`
+          Authorization: `Bearer ${accessToken}`,
+          'Accept-Encoding': 'application/json'
         }
       })
     ).data;
 
     apps = res.map((a: any) => ({
       name: a.name,
-      siteId: a.site_id
+      appId: a.site_id,
     }));
   } catch (err) {
     Sentry.setUser(null);
     Sentry.captureException(err);
-    throw new Error('Failed to get Netlify integration apps');
+    throw new Error("Failed to get Netlify integration apps");
   }
 
   return apps;
 };
 
 /**
- * Return list of names of repositories for Github integration
+ * Return list of repositories for Github integration
  * @param {Object} obj
  * @param {String} obj.accessToken - access token for Netlify API
  * @returns {Object[]} apps - names of Netlify sites
  * @returns {String} apps.name - name of Netlify site
  */
-const getAppsGithub = async ({
-  integrationAuth,
-  accessToken
-}: {
-  integrationAuth: IIntegrationAuth;
-  accessToken: string;
-}) => {
+const getAppsGithub = async ({ accessToken }: { accessToken: string }) => {
   let apps;
   try {
     const octokit = new Octokit({
-      auth: accessToken
+      auth: accessToken,
     });
 
-    const repos = (await octokit.request(
-      'GET /user/repos{?visibility,affiliation,type,sort,direction,per_page,page,since,before}',
-      {}
-    )).data;
+    const repos = (
+      await octokit.request(
+        "GET /user/repos{?visibility,affiliation,type,sort,direction,per_page,page,since,before}",
+        {
+          per_page: 100,
+        }
+      )
+    ).data;
 
     apps = repos
-      .filter((a:any) => a.permissions.admin === true)
+      .filter((a: any) => a.permissions.admin === true)
       .map((a: any) => ({
-          name: a.name
-        })
-      );
+        name: a.name,
+        owner: a.owner.login,
+      }));
   } catch (err) {
     Sentry.setUser(null);
     Sentry.captureException(err);
-    throw new Error('Failed to get Github repos');
+    throw new Error("Failed to get Github repos");
   }
 
   return apps;
 };
 
+/**
+ * Return list of services for Render integration
+ * @param {Object} obj
+ * @param {String} obj.accessToken - access token for Render API
+ * @returns {Object[]} apps - names and ids of Render services
+ * @returns {String} apps.name - name of Render service
+ * @returns {String} apps.appId - id of Render service
+ */
+const getAppsRender = async ({ accessToken }: { accessToken: string }) => {
+  let apps: any;
+  try {
+    const res = (
+      await axios.get(`${INTEGRATION_RENDER_API_URL}/v1/services`, {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          Accept: 'application/json',
+          'Accept-Encoding': 'application/json',
+        },
+      })
+    ).data;
+    
+    apps = res
+      .map((a: any) => ({
+        name: a.service.name,
+        appId: a.service.id
+      })); 
+    
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error("Failed to get Render services");
+  }
+
+  return apps;
+};
+
+/**
+ * Return list of apps for Fly.io integration
+ * @param {Object} obj
+ * @param {String} obj.accessToken - access token for Fly.io API
+ * @returns {Object[]} apps - names and ids of Fly.io apps
+ * @returns {String} apps.name - name of Fly.io apps
+ */
+const getAppsFlyio = async ({ accessToken }: { accessToken: string }) => {
+  let apps;
+  try {
+    const query = `
+      query($role: String) {
+        apps(type: "container", first: 400, role: $role) {
+          nodes {
+            id
+            name
+            hostname
+          }
+        }
+      }
+    `;
+
+    const res = (
+      await axios({
+        url: INTEGRATION_FLYIO_API_URL,
+        method: "post",
+        headers: {
+          Authorization: "Bearer " + accessToken,
+        'Accept': 'application/json',
+        'Accept-Encoding': 'application/json',
+        },
+        data: {
+          query,
+          variables: {
+            role: null,
+          },
+        },
+      })
+    ).data.data.apps.nodes;
+
+    apps = res.map((a: any) => ({
+      name: a.name,
+    }));
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error("Failed to get Fly.io apps");
+  }
+
+  return apps;
+};
+
+/**
+ * Return list of projects for CircleCI integration
+ * @param {Object} obj
+ * @param {String} obj.accessToken - access token for CircleCI API
+ * @returns {Object[]} apps -
+ * @returns {String} apps.name - name of CircleCI apps
+ */
+const getAppsCircleCI = async ({ accessToken }: { accessToken: string }) => {
+  let apps: any;
+  try {    
+    const res = (
+      await axios.get(
+        `${INTEGRATION_CIRCLECI_API_URL}/v1.1/projects`,
+        {
+          headers: {
+            "Circle-Token": accessToken,
+            "Accept-Encoding": "application/json",
+          },
+        }
+      )
+    ).data
+
+    apps = res?.map((a: any) => {
+      return {
+        name: a?.reponame
+      }
+    });
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error("Failed to get CircleCI projects");
+  }
+  
+  return apps;
+};
+
 export { getApps };

backend/src/integrations/exchange.ts

@@ -1,10 +1,12 @@
 import axios from 'axios';
 import * as Sentry from '@sentry/node';
 import {
+  INTEGRATION_AZURE_KEY_VAULT,
   INTEGRATION_HEROKU,
   INTEGRATION_VERCEL,
   INTEGRATION_NETLIFY,
   INTEGRATION_GITHUB,
+  INTEGRATION_AZURE_TOKEN_URL,
   INTEGRATION_HEROKU_TOKEN_URL,
   INTEGRATION_VERCEL_TOKEN_URL,
   INTEGRATION_NETLIFY_TOKEN_URL,
@@ -12,15 +14,27 @@ import {
 } from '../variables';
 import {
   SITE_URL,
+  CLIENT_ID_AZURE,
   CLIENT_ID_VERCEL,
   CLIENT_ID_NETLIFY,
   CLIENT_ID_GITHUB,
+  CLIENT_SECRET_AZURE,
   CLIENT_SECRET_HEROKU,
   CLIENT_SECRET_VERCEL,
   CLIENT_SECRET_NETLIFY,
   CLIENT_SECRET_GITHUB
 } from '../config';
 
+interface ExchangeCodeAzureResponse {
+  token_type: string;
+  scope: string;
+  expires_in: number;
+  ext_expires_in: number;
+  access_token: string;
+  refresh_token: string;
+  id_token: string;
+}
+
 interface ExchangeCodeHerokuResponse {
   token_type: string;
   access_token: string;
@@ -75,6 +89,11 @@ const exchangeCode = async ({
 
   try {
     switch (integration) {
+      case INTEGRATION_AZURE_KEY_VAULT:
+        obj = await exchangeCodeAzure({
+          code
+        });
+        break;
       case INTEGRATION_HEROKU:
         obj = await exchangeCodeHeroku({
           code
@@ -105,6 +124,46 @@ const exchangeCode = async ({
   return obj;
 };
 
+/**
+ * Return [accessToken] for Azure OAuth2 code-token exchange
+ * @param param0 
+ */
+const exchangeCodeAzure = async ({
+  code
+}: {
+  code: string;
+}) => {
+  const accessExpiresAt = new Date();
+  let res: ExchangeCodeAzureResponse;
+  try {
+    res = (await axios.post(
+      INTEGRATION_AZURE_TOKEN_URL,
+       new URLSearchParams({
+        grant_type: 'authorization_code',
+        code: code,
+        scope: 'https://vault.azure.net/.default openid offline_access',
+        client_id: CLIENT_ID_AZURE,
+        client_secret: CLIENT_SECRET_AZURE,
+        redirect_uri: `${SITE_URL}/integrations/azure-key-vault/oauth2/callback`
+      } as any)
+    )).data;
+    
+    accessExpiresAt.setSeconds(
+        accessExpiresAt.getSeconds() + res.expires_in
+    );
+  } catch (err: any) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed OAuth2 code-token exchange with Azure');
+  }
+  
+  return ({
+    accessToken: res.access_token,
+    refreshToken: res.refresh_token,
+    accessExpiresAt
+  });
+}
+
 /**
  * Return [accessToken], [accessExpiresAt], and [refreshToken] for Heroku
  * OAuth2 code-token exchange
@@ -168,7 +227,7 @@ const exchangeCodeVercel = async ({ code }: { code: string }) => {
           code: code,
           client_id: CLIENT_ID_VERCEL,
           client_secret: CLIENT_SECRET_VERCEL,
-          redirect_uri: `${SITE_URL}/vercel`
+          redirect_uri: `${SITE_URL}/integrations/vercel/oauth2/callback`
         } as any)
       )
     ).data;
@@ -208,7 +267,7 @@ const exchangeCodeNetlify = async ({ code }: { code: string }) => {
           code: code,
           client_id: CLIENT_ID_NETLIFY,
           client_secret: CLIENT_SECRET_NETLIFY,
-          redirect_uri: `${SITE_URL}/netlify`
+          redirect_uri: `${SITE_URL}/integrations/netlify/oauth2/callback`
         } as any)
       )
     ).data;
@@ -260,10 +319,11 @@ const exchangeCodeGithub = async ({ code }: { code: string }) => {
           client_id: CLIENT_ID_GITHUB,
           client_secret: CLIENT_SECRET_GITHUB,
           code: code,
-          redirect_uri: `${SITE_URL}/github`
+          redirect_uri: `${SITE_URL}/integrations/github/oauth2/callback`
         },
         headers: {
-          Accept: 'application/json'
+          'Accept': 'application/json',
+          'Accept-Encoding': 'application/json'
         }
       })
     ).data;

backend/src/integrations/refresh.ts

@@ -1,13 +1,26 @@
 import axios from 'axios';
 import * as Sentry from '@sentry/node';
-import { INTEGRATION_HEROKU } from '../variables';
+import { INTEGRATION_AZURE_KEY_VAULT, INTEGRATION_HEROKU } from '../variables';
 import {
-    CLIENT_SECRET_HEROKU
+  SITE_URL,
+  CLIENT_ID_AZURE,
+  CLIENT_SECRET_AZURE,
+  CLIENT_SECRET_HEROKU
 } from '../config';
 import {
-    INTEGRATION_HEROKU_TOKEN_URL
+  INTEGRATION_AZURE_TOKEN_URL,
+  INTEGRATION_HEROKU_TOKEN_URL
 } from '../variables';
 
+interface RefreshTokenAzureResponse {
+  token_type: string;
+  scope: string;
+  expires_in: number;
+  ext_expires_in: 4871;
+  access_token: string;
+  refresh_token: string;
+}
+
 /**
  * Return new access token by exchanging refresh token [refreshToken] for integration
  * named [integration]
@@ -25,6 +38,11 @@ const exchangeRefresh = async ({
   let accessToken;
   try {
     switch (integration) {
+      case INTEGRATION_AZURE_KEY_VAULT:
+        accessToken = await exchangeRefreshAzure({
+          refreshToken
+        });
+        break;
       case INTEGRATION_HEROKU:
         accessToken = await exchangeRefreshHeroku({
           refreshToken
@@ -40,6 +58,38 @@ const exchangeRefresh = async ({
   return accessToken;
 };
 
+/**
+ * Return new access token by exchanging refresh token [refreshToken] for the
+ * Azure integration
+ * @param {Object} obj
+ * @param {String} obj.refreshToken - refresh token to use to get new access token for Azure
+ * @returns
+ */
+const exchangeRefreshAzure = async ({
+  refreshToken
+}: {
+  refreshToken: string;
+}) => {
+  try {
+    const res: RefreshTokenAzureResponse = (await axios.post(
+      INTEGRATION_AZURE_TOKEN_URL,
+       new URLSearchParams({
+        client_id: CLIENT_ID_AZURE,
+        scope: 'openid offline_access',
+        refresh_token: refreshToken,
+        grant_type: 'refresh_token',
+        client_secret: CLIENT_SECRET_AZURE
+      } as any)
+    )).data;
+    
+    return res.access_token;
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed to get refresh OAuth2 access token for Azure'); 
+  }
+}
+
 /**
  * Return new access token by exchanging refresh token [refreshToken] for the
  * Heroku integration
@@ -52,23 +102,23 @@ const exchangeRefreshHeroku = async ({
 }: {
   refreshToken: string;
 }) => {
-    let accessToken;
-	//TODO: Refactor code to take advantage of using RequestError. It's possible to create new types of errors for more detailed errors
-    try {
-        const res = await axios.post(
-            INTEGRATION_HEROKU_TOKEN_URL,
-            new URLSearchParams({
-                grant_type: 'refresh_token',
-                refresh_token: refreshToken,
-                client_secret: CLIENT_SECRET_HEROKU
-            } as any)
-        );
+  
+  let accessToken;
+  try {
+    const res = await axios.post(
+        INTEGRATION_HEROKU_TOKEN_URL,
+        new URLSearchParams({
+            grant_type: 'refresh_token',
+            refresh_token: refreshToken,
+            client_secret: CLIENT_SECRET_HEROKU
+        } as any)
+    );
 
     accessToken = res.data.access_token;
   } catch (err) {
     Sentry.setUser(null);
     Sentry.captureException(err);
-    throw new Error('Failed to get new OAuth2 access token for Heroku');
+    throw new Error('Failed to refresh OAuth2 access token for Heroku');
   }
 
   return accessToken;

backend/src/integrations/revoke.ts

@@ -1,6 +1,11 @@
-import axios from 'axios';
 import * as Sentry from '@sentry/node';
-import { IIntegrationAuth, IntegrationAuth, Integration } from '../models';
+import { 
+  IIntegrationAuth, 
+  IntegrationAuth, 
+  Integration,
+  Bot,
+  BotKey
+} from '../models';
 import {
   INTEGRATION_HEROKU,
   INTEGRATION_VERCEL,
@@ -15,6 +20,7 @@ const revokeAccess = async ({
   integrationAuth: IIntegrationAuth;
   accessToken: string;
 }) => {
+  let deletedIntegrationAuth;
   try {
     // add any integration-specific revocation logic
     switch (integrationAuth.integration) {
@@ -28,7 +34,7 @@ const revokeAccess = async ({
         break;
     }
 
-    const deletedIntegrationAuth = await IntegrationAuth.findOneAndDelete({
+    deletedIntegrationAuth = await IntegrationAuth.findOneAndDelete({
       _id: integrationAuth._id
     });
 
@@ -42,6 +48,8 @@ const revokeAccess = async ({
     Sentry.captureException(err);
     throw new Error('Failed to delete integration authorization');
   }
+  
+  return deletedIntegrationAuth;
 };
 
 export { revokeAccess };

backend/src/middleware/index.ts

@@ -2,6 +2,8 @@ import requireAuth from './requireAuth';
 import requireBotAuth from './requireBotAuth';
 import requireSignupAuth from './requireSignupAuth';
 import requireWorkspaceAuth from './requireWorkspaceAuth';
+import requireMembershipAuth from './requireMembershipAuth';
+import requireMembershipOrgAuth from './requireMembershipOrgAuth';
 import requireOrganizationAuth from './requireOrganizationAuth';
 import requireIntegrationAuth from './requireIntegrationAuth';
 import requireIntegrationAuthorizationAuth from './requireIntegrationAuthorizationAuth';
@@ -16,6 +18,8 @@ export {
 	requireBotAuth,
 	requireSignupAuth,
 	requireWorkspaceAuth,
+	requireMembershipAuth,
+	requireMembershipOrgAuth,
 	requireOrganizationAuth,
 	requireIntegrationAuth,
 	requireIntegrationAuthorizationAuth,

backend/src/middleware/requireAuth.ts

@@ -7,7 +7,6 @@ import {
 	getAuthSTDPayload,
 	getAuthAPIKeyPayload
 } from '../helpers/auth';
-import { BadRequestError } from '../utils/errors';
 
 declare module 'jsonwebtoken' {
 	export interface UserIDJwtPayload extends jwt.JwtPayload {
@@ -31,37 +30,28 @@ const requireAuth = ({
 	acceptedAuthModes: string[];
 }) => {
 	return async (req: Request, res: Response, next: NextFunction) => {
-		const [AUTH_TOKEN_TYPE, AUTH_TOKEN_VALUE] = <[string, string]>req.headers['authorization']?.split(' ', 2) ?? [null, null]
-		if (AUTH_TOKEN_TYPE === null)
-			return next(BadRequestError({ message: `Missing Authorization Header in the request header.` }))
-		if (AUTH_TOKEN_TYPE.toLowerCase() !== 'bearer')
-			return next(BadRequestError({ message: `The provided authentication type '${AUTH_TOKEN_TYPE}' is not supported.` }))
-		if (AUTH_TOKEN_VALUE === null)
-			return next(BadRequestError({ message: 'Missing Authorization Body in the request header' }))
-
-		// validate auth token against 
-		const authMode = validateAuthMode({
-			authTokenValue: AUTH_TOKEN_VALUE,
+		// validate auth token against accepted auth modes [acceptedAuthModes]
+		// and return token type [authTokenType] and value [authTokenValue]
+		const { authTokenType, authTokenValue } = validateAuthMode({
+			headers: req.headers,
 			acceptedAuthModes
 		});
 
-		if (!acceptedAuthModes.includes(authMode)) throw new Error('Failed to validate auth mode');
-
 		// attach auth payloads
-		switch (authMode) {
+		switch (authTokenType) {
 			case 'serviceToken':
 				req.serviceTokenData = await getAuthSTDPayload({
-					authTokenValue: AUTH_TOKEN_VALUE
+					authTokenValue
 				});
 				break;
 			case 'apiKey':
 				req.user = await getAuthAPIKeyPayload({
-					authTokenValue: AUTH_TOKEN_VALUE
+					authTokenValue
 				});
 				break;
 			default:
 				req.user = await getAuthUserPayload({
-					authTokenValue: AUTH_TOKEN_VALUE
+					authTokenValue
 				});
 				break;
 		}

backend/src/middleware/requireIntegrationAuthorizationAuth.ts

@@ -1,10 +1,12 @@
 import * as Sentry from '@sentry/node';
 import { Request, Response, NextFunction } from 'express';
-import { IntegrationAuth } from '../models';
+import { IntegrationAuth, IWorkspace } from '../models';
 import { IntegrationService } from '../services';
 import { validateMembership } from '../helpers/membership';
 import { UnauthorizedRequestError } from '../utils/errors';
 
+type req = 'params' | 'body' | 'query';
+
 /**
  * Validate if user on request is a member of workspace with proper roles associated
  * with the integration authorization on request params.
@@ -14,17 +16,20 @@ import { UnauthorizedRequestError } from '../utils/errors';
  */
 const requireIntegrationAuthorizationAuth = ({
 	acceptedRoles,
-	attachAccessToken = true
+	attachAccessToken = true,
+	location = 'params'
 }: {
 	acceptedRoles: string[];
 	attachAccessToken?: boolean;
+	location?: req;
 }) => {
 	return async (req: Request, res: Response, next: NextFunction) => {
-		const { integrationAuthId } = req.params;
-
+		const { integrationAuthId } = req[location];
 		const integrationAuth = await IntegrationAuth.findOne({
 			_id: integrationAuthId
-		}).select(
+		})
+		.populate<{ workspace: IWorkspace }>('workspace')
+		.select(
 			'+refreshCiphertext +refreshIV +refreshTag +accessCiphertext +accessIV +accessTag +accessExpiresAt'
 		);
 
@@ -34,15 +39,16 @@ const requireIntegrationAuthorizationAuth = ({
 		
 		await validateMembership({
 			userId: req.user._id.toString(),
-			workspaceId: integrationAuth.workspace.toString(),
+			workspaceId: integrationAuth.workspace._id.toString(),
 			acceptedRoles
 		});
 
 		req.integrationAuth = integrationAuth;
 		if (attachAccessToken) {
-			req.accessToken = await IntegrationService.getIntegrationAuthAccess({
+			const access = await IntegrationService.getIntegrationAuthAccess({
 				integrationAuthId: integrationAuth._id.toString()
 			});
+			req.accessToken = access.accessToken;
 		}
 		
 		return next();

backend/src/middleware/requireMembershipAuth.ts

@@ -0,0 +1,59 @@
+import { Request, Response, NextFunction } from 'express';
+import { UnauthorizedRequestError } from '../utils/errors';
+import {
+    Membership,
+} from '../models';
+import { validateMembership } from '../helpers/membership';
+
+type req = 'params' | 'body' | 'query';
+
+/**
+ * Validate membership with id [membershipId] and that user with id
+ * [req.user._id] can modify that membership.
+ * @param {Object} obj
+ * @param {String[]} obj.acceptedRoles - accepted workspace roles
+ * @param {String[]} obj.location - location of [workspaceId] on request (e.g. params, body) for parsing
+ */
+const requireMembershipAuth = ({
+    acceptedRoles,
+    location = 'params'
+}: {
+    acceptedRoles: string[];
+    location?: req;
+}) => {
+    return async (
+        req: Request, 
+        res: Response, 
+        next: NextFunction
+    ) => {
+        try {
+            const { membershipId } = req[location];
+            
+            const membership = await Membership.findById(membershipId);
+            
+            if (!membership) throw new Error('Failed to find target membership');
+            
+            const userMembership = await Membership.findOne({
+                workspace: membership.workspace
+            });
+            
+            if (!userMembership) throw new Error('Failed to validate own membership')
+            
+            const targetMembership = await validateMembership({
+                userId: req.user._id.toString(),
+                workspaceId: membership.workspace.toString(),
+                acceptedRoles
+            });
+            
+            req.targetMembership = targetMembership;
+            
+            return next();
+        } catch (err) {
+            return next(UnauthorizedRequestError({ 
+                message: 'Unable to validate workspace membership' 
+            }));
+        }
+    }
+}
+
+export default requireMembershipAuth;

backend/src/middleware/requireMembershipOrgAuth.ts

@@ -0,0 +1,49 @@
+import { Request, Response, NextFunction } from 'express';
+import { UnauthorizedRequestError } from '../utils/errors';
+import {
+    MembershipOrg
+} from '../models';
+import { validateMembership } from '../helpers/membershipOrg';
+
+
+type req = 'params' | 'body' | 'query';
+
+/**
+ * Validate (organization) membership id [membershipId] and that user with id 
+ * [req.user._id] can modify that membership.
+ * @param {Object} obj
+ * @param {String[]} obj.acceptedRoles - accepted organization roles
+ * @param {String[]} obj.location - location of [membershipId] on request (e.g. params, body) for parsing
+ */
+const requireMembershipOrgAuth = ({
+    acceptedRoles,
+    location = 'params'
+}: {
+    acceptedRoles: string[];
+    location?: req;
+}) => {
+    return async (req: Request, res: Response, next: NextFunction) => {
+        try {
+            const { membershipId } = req[location];
+            const membershipOrg = await MembershipOrg.findById(membershipId);
+            
+            if (!membershipOrg) throw new Error('Failed to find target organization membership');
+            
+            const targetMembership = await validateMembership({
+                userId: req.user._id.toString(),
+                organizationId: membershipOrg.organization.toString(),
+                acceptedRoles
+            });
+            
+            req.targetMembership = targetMembership;
+            
+            return next();
+        } catch (err) {
+            return next(UnauthorizedRequestError({
+                message: 'Unable to validate organization membership'
+            }));
+        }
+    }
+}
+
+export default requireMembershipOrgAuth;

backend/src/middleware/requireServiceTokenDataAuth.ts

@@ -17,10 +17,10 @@ const requireServiceTokenDataAuth = ({
 
         const serviceTokenData = await ServiceTokenData
             .findById(req[location].serviceTokenDataId)
-            .select('+encryptedKey +iv +tag');
+            .select('+encryptedKey +iv +tag').populate('user');
 
         if (!serviceTokenData) {
-            return next(AccountNotFoundError({message: 'Failed to locate service token data'}));
+            return next(AccountNotFoundError({ message: 'Failed to locate service token data' }));
         }
 
         if (req.user) {
@@ -31,9 +31,9 @@ const requireServiceTokenDataAuth = ({
                 acceptedRoles
             });
         }
-        
+
         req.serviceTokenData = serviceTokenData;
-        
+
         next();
     }
 }

backend/src/models/index.ts

@@ -16,6 +16,7 @@ import UserAction, { IUserAction } from './userAction';
 import Workspace, { IWorkspace } from './workspace';
 import ServiceTokenData, { IServiceTokenData } from './serviceTokenData';
 import APIKeyData, { IAPIKeyData } from './apiKeyData';
+import LoginSRPDetail, { ILoginSRPDetail } from './loginSRPDetail';
 
 export {
 	BackupPrivateKey,
@@ -53,5 +54,7 @@ export {
 	ServiceTokenData,
 	IServiceTokenData,
 	APIKeyData,
-	IAPIKeyData
+	IAPIKeyData,
+	LoginSRPDetail,
+	ILoginSRPDetail
 };

backend/src/models/integration.ts

@@ -1,10 +1,16 @@
-import { Schema, model, Types } from 'mongoose';
+import { Schema, model, Types } from "mongoose";
 import {
+  INTEGRATION_AZURE_KEY_VAULT,
+  INTEGRATION_AWS_PARAMETER_STORE,
+  INTEGRATION_AWS_SECRET_MANAGER,
   INTEGRATION_HEROKU,
   INTEGRATION_VERCEL,
   INTEGRATION_NETLIFY,
-  INTEGRATION_GITHUB
-} from '../variables';
+  INTEGRATION_GITHUB,
+  INTEGRATION_RENDER,
+  INTEGRATION_FLYIO,
+  INTEGRATION_CIRCLECI,
+} from "../variables";
 
 export interface IIntegration {
   _id: Types.ObjectId;
@@ -12,10 +18,22 @@ export interface IIntegration {
   environment: string;
   isActive: boolean;
   app: string;
-  target: string;
-  context: string;
-  siteId: string;
-  integration: 'heroku' | 'vercel' | 'netlify' | 'github';
+  owner: string;
+  targetEnvironment: string;
+  appId: string;
+  path: string;
+  region: string;
+  integration:
+    | 'azure-key-vault' 
+    | 'aws-parameter-store'
+    | 'aws-secret-manager'
+    | 'heroku' 
+    | 'vercel' 
+    | 'netlify' 
+    | 'github' 
+    | 'render' 
+    | 'flyio'
+    | 'circleci';
   integrationAuth: Types.ObjectId;
 }
 
@@ -23,58 +41,76 @@ const integrationSchema = new Schema<IIntegration>(
   {
     workspace: {
       type: Schema.Types.ObjectId,
-      ref: 'Workspace',
-      required: true
+      ref: "Workspace",
+      required: true,
     },
     environment: {
       type: String,
-      required: true
+      required: true,
     },
     isActive: {
       type: Boolean,
-      required: true
+      required: true,
     },
     app: {
       // name of app in provider
       type: String,
-      default: null
+      default: null,
     },
-    target: {
-      // vercel-specific target (environment)
+    appId: {
+      // (new)
+      // id of app in provider
+      type: String,
+      default: null,
+    },
+    targetEnvironment: {
+      // (new)
+      // target environment
+      type: String,
+      default: null,
+    },
+    owner: {
+      // github-specific repo owner-login
+      type: String,
+      default: null,
+    },
+    path: {
+      // aws-parameter-store-specific path
       type: String,
       default: null
     },
-    context: {
-      // netlify-specific context (deploy)
-      type: String,
-      default: null
-    },
-    siteId: {
-      // netlify-specific site (app) id
+    region: {
+      // aws-parameter-store-specific path
       type: String,
       default: null
     },
     integration: {
       type: String,
       enum: [
+        INTEGRATION_AZURE_KEY_VAULT,
+        INTEGRATION_AWS_PARAMETER_STORE,
+        INTEGRATION_AWS_SECRET_MANAGER,
         INTEGRATION_HEROKU,
         INTEGRATION_VERCEL,
         INTEGRATION_NETLIFY,
-        INTEGRATION_GITHUB
+        INTEGRATION_GITHUB,
+        INTEGRATION_RENDER,
+        INTEGRATION_FLYIO,
+        INTEGRATION_CIRCLECI,
       ],
-      required: true
+      required: true,
     },
     integrationAuth: {
       type: Schema.Types.ObjectId,
-      ref: 'IntegrationAuth',
-      required: true
-    }
+      ref: "IntegrationAuth",
+      required: true,
+    },
   },
   {
-    timestamps: true
+    timestamps: true,
   }
 );
 
-const Integration = model<IIntegration>('Integration', integrationSchema);
+const Integration = model<IIntegration>("Integration", integrationSchema);
 
 export default Integration;

backend/src/models/integrationAuth.ts

@@ -1,20 +1,29 @@
-import { Schema, model, Types } from 'mongoose';
+import { Schema, model, Types } from "mongoose";
 import {
+  INTEGRATION_AZURE_KEY_VAULT,
+  INTEGRATION_AWS_PARAMETER_STORE,
+  INTEGRATION_AWS_SECRET_MANAGER,
   INTEGRATION_HEROKU,
   INTEGRATION_VERCEL,
   INTEGRATION_NETLIFY,
-  INTEGRATION_GITHUB
-} from '../variables';
+  INTEGRATION_GITHUB,
+  INTEGRATION_RENDER,
+  INTEGRATION_FLYIO,
+  INTEGRATION_CIRCLECI,
+} from "../variables";
 
 export interface IIntegrationAuth {
   _id: Types.ObjectId;
   workspace: Types.ObjectId;
-  integration: 'heroku' | 'vercel' | 'netlify' | 'github';
+  integration: 'heroku' | 'vercel' | 'netlify' | 'github' | 'render' | 'flyio' | 'azure-key-vault' | 'circleci' | 'aws-parameter-store' | 'aws-secret-manager';
   teamId: string;
   accountId: string;
   refreshCiphertext?: string;
   refreshIV?: string;
   refreshTag?: string;
+  accessIdCiphertext?: string; // new
+  accessIdIV?: string; // new
+  accessIdTag?: string; // new
   accessCiphertext?: string;
   accessIV?: string;
   accessTag?: string;
@@ -25,62 +34,81 @@ const integrationAuthSchema = new Schema<IIntegrationAuth>(
   {
     workspace: {
       type: Schema.Types.ObjectId,
-      required: true
+      ref: "Workspace",
+      required: true,
     },
     integration: {
       type: String,
       enum: [
+        INTEGRATION_AZURE_KEY_VAULT,
+        INTEGRATION_AWS_PARAMETER_STORE,
+        INTEGRATION_AWS_SECRET_MANAGER,
         INTEGRATION_HEROKU,
         INTEGRATION_VERCEL,
         INTEGRATION_NETLIFY,
-        INTEGRATION_GITHUB
+        INTEGRATION_GITHUB,
+        INTEGRATION_RENDER,
+        INTEGRATION_FLYIO,
+        INTEGRATION_CIRCLECI,
       ],
-      required: true
+      required: true,
     },
     teamId: {
       // vercel-specific integration param
-      type: String
+      type: String,
     },
     accountId: {
       // netlify-specific integration param
-      type: String
+      type: String,
     },
     refreshCiphertext: {
       type: String,
-      select: false
+      select: false,
     },
     refreshIV: {
       type: String,
-      select: false
+      select: false,
     },
     refreshTag: {
+      type: String,
+      select: false,
+    },
+    accessIdCiphertext: {
+      type: String,
+      select: false
+    },
+    accessIdIV: {
+      type: String,
+      select: false
+    },
+    accessIdTag: {
       type: String,
       select: false
     },
     accessCiphertext: {
       type: String,
-      select: false
+      select: false,
     },
     accessIV: {
       type: String,
-      select: false
+      select: false,
     },
     accessTag: {
       type: String,
-      select: false
+      select: false,
     },
     accessExpiresAt: {
       type: Date,
-      select: false
-    }
+      select: false,
+    },
   },
   {
-    timestamps: true
+    timestamps: true,
   }
 );
 
 const IntegrationAuth = model<IIntegrationAuth>(
-  'IntegrationAuth',
+  "IntegrationAuth",
   integrationAuthSchema
 );
 

backend/src/models/loginSRPDetail.ts

@@ -0,0 +1,29 @@
+import mongoose, { Schema, model, Types } from 'mongoose';
+
+export interface ILoginSRPDetail {
+	_id: Types.ObjectId;
+	clientPublicKey: string;
+	email: string;
+	serverBInt: mongoose.Schema.Types.Buffer;
+	expireAt: Date;
+}
+
+const loginSRPDetailSchema = new Schema<ILoginSRPDetail>(
+	{
+		clientPublicKey: {
+			type: String,
+			required: true
+		},
+		email: {
+			type: String,
+			required: true,
+			unique: true
+		},
+		serverBInt: { type: mongoose.Schema.Types.Buffer },
+		expireAt: { type: Date }
+	}
+);
+
+const LoginSRPDetail = model('LoginSRPDetail', loginSRPDetailSchema);
+
+export default LoginSRPDetail;

backend/src/models/membership.ts

@@ -1,15 +1,21 @@
 import { Schema, model, Types } from 'mongoose';
 import { ADMIN, MEMBER } from '../variables';
 
+export interface IMembershipPermission {
+	environmentSlug: string,
+	ability: string
+}
+
 export interface IMembership {
 	_id: Types.ObjectId;
 	user: Types.ObjectId;
 	inviteEmail?: string;
 	workspace: Types.ObjectId;
 	role: 'admin' | 'member';
+	deniedPermissions: IMembershipPermission[]
 }
 
-const membershipSchema = new Schema(
+const membershipSchema = new Schema<IMembership>(
 	{
 		user: {
 			type: Schema.Types.ObjectId,
@@ -23,6 +29,18 @@ const membershipSchema = new Schema(
 			ref: 'Workspace',
 			required: true
 		},
+		deniedPermissions: {
+			type: [
+				{
+					environmentSlug: String,
+					ability: {
+						type: String,
+						enum: ['read', 'write']
+					},
+				},
+			],
+			default: []
+		},
 		role: {
 			type: String,
 			enum: [ADMIN, MEMBER],

backend/src/models/secret.ts

@@ -23,6 +23,7 @@ export interface ISecret {
 	secretCommentIV?: string;
 	secretCommentTag?: string;
 	secretCommentHash?: string;
+	tags?: string[];
 }
 
 const secretSchema = new Schema<ISecret>(
@@ -47,6 +48,11 @@ const secretSchema = new Schema<ISecret>(
 			type: Schema.Types.ObjectId,
 			ref: 'User'
 		},
+		tags: {
+			ref: 'Tag',
+			type: [Schema.Types.ObjectId],
+			default: []
+		},
 		environment: {
 			type: String,
 			required: true
@@ -103,6 +109,9 @@ const secretSchema = new Schema<ISecret>(
 	}
 );
 
+
+secretSchema.index({ tags: 1 }, { background: true })
+
 const Secret = model<ISecret>('Secret', secretSchema);
 
 export default Secret;

backend/src/models/secretApprovalRequest.ts

@@ -0,0 +1,83 @@
+import mongoose, { Schema, model } from 'mongoose';
+import Secret, { ISecret } from './secret';
+
+interface ISecretApprovalRequest {
+	secret: mongoose.Types.ObjectId;
+	requestedChanges: ISecret;
+	requestedBy: mongoose.Types.ObjectId;
+	approvers: IApprover[];
+	status: ApprovalStatus;
+	timestamp: Date;
+	requestType: RequestType;
+	requestId: string;
+}
+
+interface IApprover {
+	userId: mongoose.Types.ObjectId;
+	status: ApprovalStatus;
+}
+
+export enum ApprovalStatus {
+	PENDING = 'pending',
+	APPROVED = 'approved',
+	REJECTED = 'rejected'
+}
+
+export enum RequestType {
+	UPDATE = 'update',
+	DELETE = 'delete',
+	CREATE = 'create'
+}
+
+const approverSchema = new mongoose.Schema({
+	user: {
+		type: mongoose.Schema.Types.ObjectId,
+		ref: 'User',
+		required: true
+	},
+	status: {
+		type: String,
+		enum: [ApprovalStatus],
+		default: ApprovalStatus.PENDING
+	}
+});
+
+const secretApprovalRequestSchema = new Schema<ISecretApprovalRequest>(
+	{
+		secret: {
+			type: mongoose.Schema.Types.ObjectId,
+			ref: 'Secret'
+		},
+		requestedChanges: Secret,
+		requestedBy: {
+			type: mongoose.Schema.Types.ObjectId,
+			ref: 'User'
+		},
+		approvers: [approverSchema],
+		status: {
+			type: String,
+			enum: ApprovalStatus,
+			default: ApprovalStatus.PENDING
+		},
+		timestamp: {
+			type: Date,
+			default: Date.now
+		},
+		requestType: {
+			type: String,
+			enum: RequestType,
+			required: true
+		},
+		requestId: {
+			type: String,
+			required: false
+		}
+	},
+	{
+		timestamps: true
+	}
+);
+
+const SecretApprovalRequest = model<ISecretApprovalRequest>('SecretApprovalRequest', secretApprovalRequestSchema);
+
+export default SecretApprovalRequest;

backend/src/models/tag.ts

@@ -0,0 +1,49 @@
+import { Schema, model, Types } from 'mongoose';
+
+export interface ITag {
+	_id: Types.ObjectId;
+	name: string;
+	slug: string;
+	user: Types.ObjectId;
+	workspace: Types.ObjectId;
+}
+
+const tagSchema = new Schema<ITag>(
+	{
+		name: {
+			type: String,
+			required: true,
+			trim: true,
+		},
+		slug: {
+			type: String,
+			required: true,
+			trim: true,
+			lowercase: true,
+			validate: [
+				function (value: any) {
+					return value.indexOf(' ') === -1;
+				},
+				'slug cannot contain spaces'
+			]
+		},
+		user: {
+			type: Schema.Types.ObjectId,
+			ref: 'User'
+		},
+		workspace: {
+			type: Schema.Types.ObjectId,
+			ref: 'Workspace'
+		},
+	},
+	{
+		timestamps: true
+	}
+);
+
+tagSchema.index({ slug: 1, workspace: 1 }, { unique: true })
+tagSchema.index({ workspace: 1 })
+
+const Tag = model<ITag>('Tag', tagSchema);
+
+export default Tag;

backend/src/models/token.ts

@@ -5,6 +5,7 @@ export interface IToken {
   email: string;
   token: string;
   createdAt: Date;
+  ttl: Number;
 }
 
 const tokenSchema = new Schema<IToken>({
@@ -19,14 +20,13 @@ const tokenSchema = new Schema<IToken>({
   createdAt: {
     type: Date,
     default: Date.now
+  },
+  ttl: {
+    type: Number,
   }
 });
 
-tokenSchema.index({ 
-  createdAt: 1 
-}, { 
-  expireAfterSeconds: parseInt(EMAIL_TOKEN_LIFETIME) 
-});
+tokenSchema.index({ email: 1 });
 
 const Token = model<IToken>('Token', tokenSchema);
 

backend/src/models/user.ts

@@ -12,6 +12,7 @@ export interface IUser {
 	salt?: string;
 	verifier?: string;
 	refreshVersion?: number;
+	seenIps: [string];
 }
 
 const userSchema = new Schema<IUser>(
@@ -54,7 +55,8 @@ const userSchema = new Schema<IUser>(
 			type: Number,
 			default: 0,
 			select: false
-		}
+		},
+		seenIps: [String]
 	},
 	{
 		timestamps: true

backend/src/models/workspace.ts

@@ -8,6 +8,7 @@ export interface IWorkspace {
 		name: string;
 		slug: string;
 	}>;
+	autoCapitalization: boolean;
 }
 
 const workspaceSchema = new Schema<IWorkspace>({
@@ -15,6 +16,10 @@ const workspaceSchema = new Schema<IWorkspace>({
 		type: String,
 		required: true
 	},
+	autoCapitalization: {
+		type: Boolean,
+		default: true,
+	},
 	organization: {
 		type: Schema.Types.ObjectId,
 		ref: 'Organization',
@@ -29,19 +34,19 @@ const workspaceSchema = new Schema<IWorkspace>({
 		],
 		default: [
 			{
-				name: "development",
+				name: "Development",
 				slug: "dev"
 			},
 			{
-				name: "test",
+				name: "Test",
 				slug: "test"
 			},
 			{
-				name: "staging",
+				name: "Staging",
 				slug: "staging"
 			},
 			{
-				name: "production",
+				name: "Production",
 				slug: "prod"
 			}
 		],

backend/src/routes/v1/auth.ts

@@ -3,13 +3,13 @@ const router = express.Router();
 import { body } from 'express-validator';
 import { requireAuth, validateRequest } from '../../middleware';
 import { authController } from '../../controllers/v1';
-import { loginLimiter } from '../../helpers/rateLimiter';
+import { authLimiter } from '../../helpers/rateLimiter';
 
 router.post('/token', validateRequest, authController.getNewToken);
 
 router.post(
   '/login1',
-  loginLimiter,
+  authLimiter,
   body('email').exists().trim().notEmpty(),
   body('clientPublicKey').exists().trim().notEmpty(),
   validateRequest,
@@ -18,7 +18,7 @@ router.post(
 
 router.post(
   '/login2',
-  loginLimiter,
+  authLimiter,
   body('email').exists().trim().notEmpty(),
   body('clientProof').exists().trim().notEmpty(),
   validateRequest,
@@ -27,11 +27,13 @@ router.post(
 
 router.post(
   '/logout', 
+  authLimiter,
   requireAuth({
     acceptedAuthModes: ['jwt']
   }), 
   authController.logout
 );
+
 router.post(
   '/checkAuth', 
   requireAuth({

backend/src/routes/v1/integration.ts

@@ -3,12 +3,35 @@ const router = express.Router();
 import {
 	requireAuth,
 	requireIntegrationAuth,
+	requireIntegrationAuthorizationAuth,
 	validateRequest
 } from '../../middleware';
 import { ADMIN, MEMBER } from '../../variables';
 import { body, param } from 'express-validator';
 import { integrationController } from '../../controllers/v1';
 
+router.post( // new: add new integration for integration auth
+	'/',
+	requireAuth({
+        acceptedAuthModes: ['jwt', 'apiKey']
+    }),
+	requireIntegrationAuthorizationAuth({
+		acceptedRoles: [ADMIN, MEMBER],
+		location: 'body'
+	}),
+	body('integrationAuthId').exists().isString().trim(),
+	body('app').trim(),
+	body('isActive').exists().isBoolean(),
+	body('appId').trim(),
+	body('sourceEnvironment').trim(),
+	body('targetEnvironment').trim(),
+	body('owner').trim(),
+	body('path').trim(),
+	body('region').trim(),
+	validateRequest,
+	integrationController.createIntegration
+);
+
 router.patch(
 	'/:integrationId',
 	requireAuth({
@@ -18,12 +41,12 @@ router.patch(
 		acceptedRoles: [ADMIN, MEMBER]
 	}),
 	param('integrationId').exists().trim(),
+	body('isActive').exists().isBoolean(),
 	body('app').exists().trim(),
 	body('environment').exists().trim(),
-	body('isActive').exists().isBoolean(),
-	body('target').exists(),
-	body('context').exists(),
-	body('siteId').exists(),
+	body('appId').exists(),
+	body('targetEnvironment').exists(),
+	body('owner').exists(),
 	validateRequest,
 	integrationController.updateIntegration
 );

backend/src/routes/v1/integrationAuth.ts

@@ -18,6 +18,19 @@ router.get(
 	integrationAuthController.getIntegrationOptions
 );
 
+router.get(
+	'/:integrationAuthId',
+	requireAuth({
+        acceptedAuthModes: ['jwt']
+    }),
+	requireIntegrationAuthorizationAuth({
+		acceptedRoles: [ADMIN, MEMBER]
+	}),
+	param('integrationAuthId'),
+	validateRequest,
+	integrationAuthController.getIntegrationAuth	
+);
+
 router.post(
 	'/oauth-token',
 	requireAuth({
@@ -34,6 +47,23 @@ router.post(
 	integrationAuthController.oAuthExchange
 );
 
+router.post(
+	'/access-token',
+	requireAuth({
+        acceptedAuthModes: ['jwt', 'apiKey']
+    }),
+	requireWorkspaceAuth({
+		acceptedRoles: [ADMIN, MEMBER],
+		location: 'body'
+	}),
+	body('workspaceId').exists().trim().notEmpty(),
+	body('accessId').trim(),
+	body('accessToken').exists().trim().notEmpty(),
+	body('integration').exists().trim().notEmpty(),
+	validateRequest,
+	integrationAuthController.saveIntegrationAccessToken
+);
+
 router.get(
 	'/:integrationAuthId/apps',
 	requireAuth({

backend/src/routes/v1/membership.ts

@@ -3,12 +3,15 @@ const router = express.Router();
 import { body, param } from 'express-validator';
 import { requireAuth, validateRequest } from '../../middleware';
 import { membershipController } from '../../controllers/v1';
+import { membershipController as EEMembershipControllers } from '../../ee/controllers/v1';
 
-router.get( // used for CLI (deprecate)
+// note: ALL DEPRECIATED (moved to api/v2/workspace/:workspaceId/memberships/:membershipId)
+
+router.get( // used for old CLI (deprecate)
 	'/:workspaceId/connect',
 	requireAuth({
-        acceptedAuthModes: ['jwt']
-    }),
+		acceptedAuthModes: ['jwt']
+	}),
 	param('workspaceId').exists().trim(),
 	validateRequest,
 	membershipController.validateMembership
@@ -17,8 +20,8 @@ router.get( // used for CLI (deprecate)
 router.delete(
 	'/:membershipId',
 	requireAuth({
-        acceptedAuthModes: ['jwt']
-    }),
+		acceptedAuthModes: ['jwt']
+	}),
 	param('membershipId').exists().trim(),
 	validateRequest,
 	membershipController.deleteMembership
@@ -27,11 +30,22 @@ router.delete(
 router.post(
 	'/:membershipId/change-role',
 	requireAuth({
-        acceptedAuthModes: ['jwt']
-    }),
+		acceptedAuthModes: ['jwt']
+	}),
 	body('role').exists().trim(),
 	validateRequest,
 	membershipController.changeMembershipRole
 );
 
+router.post(
+	'/:membershipId/deny-permissions',
+	requireAuth({
+		acceptedAuthModes: ['jwt']
+	}),
+	param('membershipId').isMongoId().exists().trim(),
+	body('permissions').isArray().exists(),
+	validateRequest,
+	EEMembershipControllers.denyMembershipPermissions
+);
+
 export default router;

backend/src/routes/v1/organization.ts

@@ -9,7 +9,7 @@ import {
 import { OWNER, ADMIN, MEMBER, ACCEPTED } from '../../variables';
 import { organizationController } from '../../controllers/v1';
 
-router.get(
+router.get( // deprecated (moved to api/v2/users/me/organizations)
 	'/',
 	requireAuth({
 		acceptedAuthModes: ['jwt']
@@ -41,7 +41,7 @@ router.get(
 	organizationController.getOrganization
 );
 
-router.get(
+router.get( // deprecated (moved to api/v2/organizations/:organizationId/memberships)
 	'/:organizationId/users',
 	requireAuth({
 		acceptedAuthModes: ['jwt']
@@ -56,7 +56,7 @@ router.get(
 );
 
 router.get(
-	'/:organizationId/my-workspaces',
+	'/:organizationId/my-workspaces', // deprecated (moved to api/v2/organizations/:organizationId/workspaces)
 	requireAuth({
 		acceptedAuthModes: ['jwt']
 	}),
@@ -156,4 +156,19 @@ router.get(
 	organizationController.getOrganizationSubscriptions
 );
 
+router.get(
+	'/:organizationId/workspace-memberships',
+	requireAuth({
+		acceptedAuthModes: ['jwt']
+	}),
+	requireOrganizationAuth({
+		acceptedRoles: [OWNER, ADMIN, MEMBER],
+		acceptedStatuses: [ACCEPTED]
+	}),
+	param('organizationId').exists().trim(),
+	validateRequest,
+	organizationController.getOrganizationMembersAndTheirWorkspaces
+);
+
+
 export default router;

backend/src/routes/v1/signup.ts

@@ -3,11 +3,11 @@ const router = express.Router();
 import { body } from 'express-validator';
 import { requireSignupAuth, validateRequest } from '../../middleware';
 import { signupController } from '../../controllers/v1';
-import { signupLimiter } from '../../helpers/rateLimiter';
+import { authLimiter } from '../../helpers/rateLimiter';
 
 router.post(
 	'/email/signup',
-	signupLimiter,
+	authLimiter,
 	body('email').exists().trim().notEmpty().isEmail(),
 	validateRequest,
 	signupController.beginEmailSignup
@@ -15,7 +15,7 @@ router.post(
 
 router.post(
 	'/email/verify',
-	signupLimiter,
+	authLimiter,
 	body('email').exists().trim().notEmpty().isEmail(),
 	body('code').exists().trim().notEmpty(),
 	validateRequest,
@@ -24,7 +24,7 @@ router.post(
 
 router.post(
 	'/complete-account/signup',
-	signupLimiter,
+	authLimiter,
 	requireSignupAuth,
 	body('email').exists().trim().notEmpty().isEmail(),
 	body('firstName').exists().trim().notEmpty(),
@@ -42,7 +42,7 @@ router.post(
 
 router.post(
 	'/complete-account/invite',
-	signupLimiter,
+	authLimiter,
 	requireSignupAuth,
 	body('email').exists().trim().notEmpty().isEmail(),
 	body('firstName').exists().trim().notEmpty(),

backend/src/routes/v2/environment.ts

@@ -54,4 +54,17 @@ router.delete(
   environmentController.deleteWorkspaceEnvironment
 );
 
+router.get(
+  '/:workspaceId/environments',
+  requireAuth({
+    acceptedAuthModes: ['jwt'],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [MEMBER, ADMIN],
+  }),
+  param('workspaceId').exists().trim(),
+  validateRequest,
+  environmentController.getAllAccessibleEnvironmentsOfWorkspace
+);
+
 export default router;

backend/src/routes/v2/index.ts

@@ -1,15 +1,21 @@
-import secret from './secret'; // stop-supporting
-import secrets from './secrets';
+import users from './users';
+import organizations from './organizations';
 import workspace from './workspace';
+import secret from './secret'; // deprecated
+import secrets from './secrets';
 import serviceTokenData from './serviceTokenData';
 import apiKeyData from './apiKeyData';
 import environment from "./environment"
+import tags from "./tags"
 
 export {
+    users,
+    organizations,
+    workspace,
     secret,
     secrets,
-    workspace,
     serviceTokenData,
     apiKeyData,
-    environment
+    environment,
+    tags
 }

backend/src/routes/v2/organizations.ts

@@ -0,0 +1,80 @@
+import express from 'express';
+const router = express.Router();
+import {
+    requireAuth,
+    requireOrganizationAuth,
+    requireMembershipOrgAuth,
+    validateRequest
+} from '../../middleware';
+import { body, param, query } from 'express-validator';
+import { OWNER, ADMIN, MEMBER, ACCEPTED } from '../../variables';
+import { organizationsController } from '../../controllers/v2';
+
+// TODO: /POST to create membership
+
+router.get(
+    '/:organizationId/memberships',
+    param('organizationId').exists().trim(),
+    validateRequest,
+    requireAuth({
+        acceptedAuthModes: ['jwt', 'apiKey']
+    }),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED]
+    }),
+    organizationsController.getOrganizationMemberships
+);
+
+router.patch(
+    '/:organizationId/memberships/:membershipId',
+    param('organizationId').exists().trim(),
+    param('membershipId').exists().trim(),
+    body('role').exists().isString().trim().isIn([OWNER, ADMIN, MEMBER]),
+    validateRequest,
+    requireAuth({
+        acceptedAuthModes: ['jwt', 'apiKey']
+    }),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN],
+        acceptedStatuses: [ACCEPTED]
+    }),
+    requireMembershipOrgAuth({
+        acceptedRoles: [OWNER, ADMIN]
+    }),
+    organizationsController.updateOrganizationMembership
+);
+
+router.delete(
+    '/:organizationId/memberships/:membershipId',
+    param('organizationId').exists().trim(),
+    param('membershipId').exists().trim(),
+    validateRequest,
+    requireAuth({
+        acceptedAuthModes: ['jwt', 'apiKey']
+    }),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN],
+        acceptedStatuses: [ACCEPTED]
+    }),
+    requireMembershipOrgAuth({
+        acceptedRoles: [OWNER, ADMIN]
+    }),
+    organizationsController.deleteOrganizationMembership
+);
+
+router.get(
+    '/:organizationId/workspaces',
+    param('organizationId').exists().trim(),
+    validateRequest,
+    requireAuth({
+        acceptedAuthModes: ['jwt', 'apiKey']
+    }),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN],
+        acceptedStatuses: [ACCEPTED]
+    }),
+    organizationsController.getOrganizationWorkspaces
+);
+
+export default router;

backend/src/routes/v2/secret.ts

@@ -10,7 +10,7 @@ import { ADMIN, MEMBER } from '../../variables';
 import { CreateSecretRequestBody, ModifySecretRequestBody } from '../../types/secret';
 import { secretController } from '../../controllers/v2';
 
-// note to devs: stop supporting
+// note to devs: stop supporting these routes [deprecated]
 
 const router = express.Router();
 

backend/src/routes/v2/secrets.ts

@@ -32,7 +32,7 @@ router.post(
                         !secret.secretKeyCiphertext ||
                         !secret.secretKeyIV ||
                         !secret.secretKeyTag ||
-                        !secret.secretValueCiphertext ||
+                        (typeof secret.secretValueCiphertext !== 'string') ||
                         !secret.secretValueIV ||
                         !secret.secretValueTag
                     ) {
@@ -61,7 +61,7 @@ router.post(
         }),
     validateRequest,
     requireAuth({
-        acceptedAuthModes: ['jwt']
+        acceptedAuthModes: ['jwt', 'apiKey']
     }),
     requireWorkspaceAuth({
         acceptedRoles: [ADMIN, MEMBER],
@@ -74,9 +74,10 @@ router.get(
     '/',
     query('workspaceId').exists().trim(),
     query('environment').exists().trim(),
+    query('tagSlugs'),
     validateRequest,
     requireAuth({
-        acceptedAuthModes: ['jwt', 'serviceToken']
+        acceptedAuthModes: ['jwt', 'apiKey', 'serviceToken']
     }),
     requireWorkspaceAuth({
         acceptedRoles: [ADMIN, MEMBER],
@@ -115,7 +116,7 @@ router.patch(
         }),
     validateRequest,
     requireAuth({
-        acceptedAuthModes: ['jwt']
+        acceptedAuthModes: ['jwt', 'apiKey']
     }),
     requireSecretsAuth({
         acceptedRoles: [ADMIN, MEMBER]
@@ -143,7 +144,7 @@ router.delete(
         .isEmpty(),
     validateRequest,
     requireAuth({
-        acceptedAuthModes: ['jwt']
+        acceptedAuthModes: ['jwt', 'apiKey']
     }),
     requireSecretsAuth({
         acceptedRoles: [ADMIN, MEMBER]

backend/src/routes/v2/tags.ts

@@ -0,0 +1,50 @@
+import express, { Response, Request } from 'express';
+const router = express.Router();
+import { body, param } from 'express-validator';
+import { tagController } from '../../controllers/v2';
+import {
+  requireAuth,
+  requireWorkspaceAuth,
+  validateRequest,
+} from '../../middleware';
+import { ADMIN, MEMBER } from '../../variables';
+
+router.get(
+  '/:workspaceId/tags',
+  requireAuth({
+    acceptedAuthModes: ['jwt'],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [MEMBER, ADMIN],
+  }),
+  param('workspaceId').exists().trim(),
+  validateRequest,
+  tagController.getWorkspaceTags
+);
+
+router.delete(
+  '/tags/:tagId',
+  requireAuth({
+    acceptedAuthModes: ['jwt'],
+  }),
+  param('tagId').exists().trim(),
+  validateRequest,
+  tagController.deleteWorkspaceTag
+);
+
+router.post(
+  '/:workspaceId/tags',
+  requireAuth({
+    acceptedAuthModes: ['jwt'],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [MEMBER, ADMIN],
+  }),
+  param('workspaceId').exists().trim(),
+  body('name').exists().trim(),
+  body('slug').exists().trim(),
+  validateRequest,
+  tagController.createWorkspaceTag
+);
+
+export default router;

backend/src/routes/v2/users.ts

@@ -0,0 +1,24 @@
+import express from 'express';
+const router = express.Router();
+import {
+    requireAuth
+} from '../../middleware';
+import { usersController } from '../../controllers/v2';
+
+router.get(
+    '/me',
+    requireAuth({
+        acceptedAuthModes: ['jwt', 'apiKey']
+    }),
+    usersController.getMe
+);
+
+router.get(
+    '/me/organizations',
+    requireAuth({
+        acceptedAuthModes: ['jwt', 'apiKey']
+    }),
+    usersController.getMyOrganizations
+);
+
+export default router;

backend/src/routes/v2/workspace.ts

@@ -3,6 +3,7 @@ const router = express.Router();
 import { body, param, query } from 'express-validator';
 import {
 	requireAuth,
+	requireMembershipAuth,
 	requireWorkspaceAuth,
 	validateRequest
 } from '../../middleware';
@@ -44,7 +45,7 @@ router.get(
 router.get(
 	'/:workspaceId/encrypted-key',
 	requireAuth({
-		acceptedAuthModes: ['jwt']
+		acceptedAuthModes: ['jwt', 'apiKey']
 	}),
 	requireWorkspaceAuth({
 		acceptedRoles: [ADMIN, MEMBER]
@@ -67,4 +68,69 @@ router.get(
 	workspaceController.getWorkspaceServiceTokenData
 );
 
+// TODO: /POST to create membership and re-route inviting user to workspace there
+
+router.get( // new - TODO: rewire dashboard to this route
+	'/:workspaceId/memberships',
+	param('workspaceId').exists().trim(),
+	validateRequest,
+	requireAuth({
+		acceptedAuthModes: ['jwt', 'apiKey']
+	}),
+	requireWorkspaceAuth({
+		acceptedRoles: [ADMIN, MEMBER],
+	}),
+	workspaceController.getWorkspaceMemberships
+);
+
+router.patch( // TODO - rewire dashboard to this route
+	'/:workspaceId/memberships/:membershipId',
+	param('workspaceId').exists().trim(),
+	param('membershipId').exists().trim(),
+	body('role').exists().isString().trim().isIn([ADMIN, MEMBER]),
+	validateRequest,
+	requireAuth({
+        acceptedAuthModes: ['jwt', 'apiKey']
+    }),
+	requireWorkspaceAuth({
+		acceptedRoles: [ADMIN],
+	}),
+	requireMembershipAuth({
+		acceptedRoles: [ADMIN]
+	}),
+	workspaceController.updateWorkspaceMembership
+);
+
+router.delete( // TODO - rewire dashboard to this route
+	'/:workspaceId/memberships/:membershipId',
+	param('workspaceId').exists().trim(),
+	param('membershipId').exists().trim(),
+	validateRequest,
+	requireAuth({
+        acceptedAuthModes: ['jwt', 'apiKey']
+    }),
+	requireWorkspaceAuth({
+		acceptedRoles: [ADMIN],
+	}),
+	requireMembershipAuth({
+		acceptedRoles: [ADMIN]
+	}),
+	workspaceController.deleteWorkspaceMembership
+);
+
+
+router.patch(
+	'/:workspaceId/auto-capitalization',
+	requireAuth({
+		acceptedAuthModes: ['jwt']
+	}),
+	requireWorkspaceAuth({
+		acceptedRoles: [ADMIN, MEMBER]
+	}),
+	param('workspaceId').exists().trim(),
+	body('autoCapitalization').exists().trim().notEmpty(),
+	validateRequest,
+	workspaceController.toggleAutoCapitalization
+);
+
 export default router;

backend/src/services/IntegrationService.ts

@@ -1,7 +1,3 @@
-import * as Sentry from '@sentry/node';
-import {
-    Integration
-} from '../models';
 import { 
     handleOAuthExchangeHelper,
     syncIntegrationsHelper,
@@ -10,7 +6,6 @@ import {
     setIntegrationAuthRefreshHelper,
     setIntegrationAuthAccessHelper,
 } from '../helpers/integration';
-import { exchangeCode } from '../integrations';
 
 // should sync stuff be here too? Probably.
 // TODO: move bot functions to IntegrationService.
@@ -26,11 +21,12 @@ class IntegrationService {
      * - Store integration access and refresh tokens returned from the OAuth2 code-token exchange
      * - Add placeholder inactive integration
      * - Create bot sequence for integration
-     * @param {Object} obj
-     * @param {String} obj.workspaceId - id of workspace
-     * @param {String} obj.environment - workspace environment
-     * @param {String} obj.integration - name of integration 
-     * @param {String} obj.code - code
+     * @param {Object} obj1
+     * @param {String} obj1.workspaceId - id of workspace
+     * @param {String} obj1.environment - workspace environment
+     * @param {String} obj1.integration - name of integration 
+     * @param {String} obj1.code - code
+     * @returns {IntegrationAuth} integrationAuth - integration authorization after OAuth2 code-token exchange
      */
     static async handleOAuthExchange({ 
         workspaceId,
@@ -43,7 +39,7 @@ class IntegrationService {
         code: string;
         environment: string;
     }) {
-        await handleOAuthExchangeHelper({
+        return await handleOAuthExchangeHelper({
             workspaceId,
             integration,
             code,
@@ -116,26 +112,30 @@ class IntegrationService {
     }
 
     /**
-     * Encrypt access token [accessToken] using the bot's copy
-     * of the workspace key for workspace belonging to integration auth
+     * Encrypt access token [accessToken] and (optionally) access id using the 
+     * bot's copy of the workspace key for workspace belonging to integration auth
      * with id [integrationAuthId]
      * @param {Object} obj
      * @param {String} obj.integrationAuthId - id of integration auth
+     * @param {String} obj.accessId - access id
      * @param {String} obj.accessToken - access token
-     * @param {String} obj.accessExpiresAt - expiration date of access token
+     * @param {Date} obj.accessExpiresAt - expiration date of access token
      * @returns {IntegrationAuth} - updated integration auth
      */
     static async setIntegrationAuthAccess({ 
         integrationAuthId,
+        accessId,
         accessToken,
         accessExpiresAt
     }: { 
         integrationAuthId: string;
+        accessId: string | null;
         accessToken: string;
-        accessExpiresAt: Date;
+        accessExpiresAt: Date | undefined;
     }) {
         return await setIntegrationAuthAccessHelper({
             integrationAuthId,
+            accessId,
             accessToken,
             accessExpiresAt
         });

backend/src/templates/emailVerification.handlebars

@@ -6,10 +6,9 @@
     <title>Email Verification</title>
 </head>
 <body>
-    <h2>Infisical</h2>
     <h2>Confirm your email address</h2>
     <p>Your confirmation code is below — enter it in the browser window where you've started signing up for Infisical.</p>
-    <h2>{{code}}</h2>
+    <h1>{{code}}</h1>
     <p>Questions about setting up Infisical? Email us at support@infisical.com</p>
 </body>
 </html>

backend/src/templates/organizationInvitation.handlebars

@@ -7,12 +7,10 @@
     <title>Organization Invitation</title>
 </head>
 <body>
-    <h2>Infisical</h2>
-    <h2>Join your team on Infisical</h2>
-    <p>{{inviterFirstName}}({{inviterEmail}}) has invited you to their Infisical organization — {{organizationName}}</p>
+    <h2>Join your organization on Infisical</h2>
+    <p>{{inviterFirstName}} ({{inviterEmail}}) has invited you to their Infisical organization — {{organizationName}}</p>
     <a href="{{callback_url}}?token={{token}}&to={{email}}">Join now</a>
     <h3>What is Infisical?</h3>
-    <p>Infisical is a simple end-to-end encrypted solution that enables teams to sync and manage their environment
-        variables.</p>
+    <p>Infisical is an easy-to-use end-to-end encrypted tool that enables developers to sync and manage their secrets and configs.</p>
 </body>
 </html>

backend/src/templates/passwordReset.handlebars

@@ -6,7 +6,6 @@
     <title>Account Recovery</title>
 </head>
 <body>
-    <h2>Infisical</h2>
     <h2>Reset your password</h2>
     <p>Someone requested a password reset.</p>
     <a href="{{callback_url}}?token={{token}}&to={{email}}">Reset password</a>

backend/src/templates/workspaceInvitation.handlebars

@@ -6,11 +6,10 @@
     <title>Project Invitation</title>
 </head>
 <body>
-    <h2>Infisical</h2>
     <h2>Join your team on Infisical</h2>
-    <p>{{inviterFirstName}}({{inviterEmail}}) has invited you to their Infisical workspace — {{workspaceName}}</p>
+    <p>{{inviterFirstName}} ({{inviterEmail}}) has invited you to their Infisical project — {{workspaceName}}</p>
     <a href="{{callback_url}}">Join now</a>
     <h3>What is Infisical?</h3>
-    <p>Infisical is a simple end-to-end encrypted solution that enables teams to sync and manage their environment variables.</p>
+    <p>Infisical is an easy-to-use end-to-end encrypted tool that enables developers to sync and manage their secrets and configs.</p>
 </body>
 </html>

backend/src/types/express/index.d.ts

@@ -5,9 +5,11 @@ import { ISecret } from '../../models';
 declare global {
 	namespace Express {
 		interface Request {
+			clientIp: any;
 			user: any;
 			workspace: any;
 			membership: any;
+			targetMembership: any;
 			organization: any;
 			membershipOrg: any;
 			integration: any;

backend/src/utils/addDevelopmentUser.ts

@@ -0,0 +1,140 @@
+/************************************************************************************************
+*
+*  Attention: The credentials below are only for development purposes, it should never be used for production  
+*
+************************************************************************************************/
+
+import { NODE_ENV } from "../config"
+import { Key, Membership, MembershipOrg, Organization, User, Workspace } from "../models";
+import { Types } from 'mongoose';
+
+export const createTestUserForDevelopment = async () => {
+  if (NODE_ENV === "development") {
+    const testUserEmail = "test@localhost.local"
+    const testUserPassword = "testInfisical1"
+    const testUserId = "63cefa6ec8d3175601cfa980"
+    const testWorkspaceId = "63cefb15c8d3175601cfa989"
+    const testOrgId = "63cefb15c8d3175601cfa985"
+    const testMembershipId = "63cefb159185d9aa3ef0cf35"
+    const testMembershipOrgId = "63cefb159185d9aa3ef0cf31"
+    const testWorkspaceKeyId = "63cf48f0225e6955acec5eff"
+
+    const testUser = {
+      _id: testUserId,
+      email: testUserEmail,
+      refreshVersion: 0,
+      encryptedPrivateKey: 'ITMdDXtLoxib4+53U/qzvIV/T/UalRwimogFCXv/UsulzEoiKM+aK2aqOb0=',
+      firstName: 'Jake',
+      iv: '9fp0dZHI+UuHeKkWMDvD6w==',
+      lastName: 'Moni',
+      publicKey: 'cf44BhkybbBfsE0fZHe2jvqtCj6KLXvSq4hVjV0svzk=',
+      salt: 'd8099dc70958090346910fb9639262b83cf526fc9b4555a171b36a9e1bcd0240',
+      tag: 'bQ/UTghqcQHRoSMpLQD33g==',
+      verifier: '12271fcd50937ca4512e1e3166adaf9d9fc7a5cd0e4c4cb3eda89f35572ede4d9eef23f64aef9220367abff9437b0b6fa55792c442f177201d87051cf77dadade254ff667170440327355fb7d6ac4745d4db302f4843632c2ed5919ebdcff343287a4cd552255d9e3ce81177edefe089617b7616683901475d393405f554634b9bf9230c041ac85624f37a60401be20b78044932580ae0868323be3749fbf856df1518153ba375fec628275f0c445f237446ea4aa7f12c1aa1d6b5fd74b7f2e88d062845a19819ec63f2d2ed9e9f37c055149649461d997d2ae1482f53b04f9de7493efbb9686fb19b2d559b9aa2b502c22dec83f9fc43290dfea89a1dc6f03580b3642b3824513853e81a441be9a0b2fde2231bac60f3287872617a36884697805eeea673cf1a351697834484ada0f282e4745015c9c2928d61e6d092f1b9c3a27eda8413175d23bb2edae62f82ccaf52bf5a6a90344a766c7e4ebf65dae9ae90b2ad4ae65dbf16e3a6948e429771cc50307ae86d454f71a746939ed061f080dd3ae369c1a0739819aca17af46a085bac1f2a5d936d198e7951a8ac3bb38b893665fe7312835abd3f61811f81efa2a8761af5070085f9b6adcca80bf9b0d81899c3d41487fba90728bb24eceb98bd69770360a232624133700ceb4d153f2ad702e0a5b7dfaf97d20bc8aa71dc8c20024a58c06a8fecdad18cb5a2f89c51eaf7'
+    }
+
+    const testWorkspaceKey = {
+      _id: new Types.ObjectId(testWorkspaceKeyId),
+      workspace: testWorkspaceId,
+      encryptedKey: '96ZIRSU21CjVzIQ4Yp994FGWQvDdyK3gq+z+NCaJLK0ByTlvUePmf+AYGFJjkAdz',
+      nonce: '1jhCGqg9Wx3n0OtVxbDgiYYGq4S3EdgO',
+      sender: '63cefa6ec8d3175601cfa980',
+      receiver: '63cefa6ec8d3175601cfa980',
+    }
+
+    const testWorkspace = {
+      _id: new Types.ObjectId(testWorkspaceId),
+      name: 'Example Project',
+      organization: testOrgId,
+      environments: [
+        {
+          _id: '63cefb15c8d3175601cfa98a',
+          name: 'Development',
+          slug: 'dev'
+        },
+        {
+          _id: '63cefb15c8d3175601cfa98b',
+          name: 'Test',
+          slug: 'test'
+        },
+        {
+          _id: '63cefb15c8d3175601cfa98c',
+          name: 'Staging',
+          slug: 'staging'
+        },
+        {
+          _id: '63cefb15c8d3175601cfa98d',
+          name: 'Production',
+          slug: 'prod'
+        }
+      ],
+    }
+
+    const testOrg = {
+      _id: testOrgId,
+      name: 'Jake\'s organization'
+    }
+
+    const testMembershipOrg = {
+      _id: testMembershipOrgId,
+      organization: testOrgId,
+      role: 'owner',
+      status: 'accepted',
+      user: testUserId,
+    }
+
+    const testMembership = {
+      _id: testMembershipId,
+      role: 'admin',
+      user: testUserId,
+      workspace: testWorkspaceId
+    }
+
+    try {
+      // create user if not exist 
+      const userInDB = await User.findById(testUserId)
+      if (!userInDB) {
+        await User.create(testUser)
+      }
+
+      // create org if not exist 
+      const orgInDB = await Organization.findById(testOrgId)
+      if (!orgInDB) {
+        await Organization.create(testOrg)
+      }
+
+      // create membership org if not exist
+      const membershipOrgInDB = await MembershipOrg.findById(testMembershipOrgId)
+      if (!membershipOrgInDB) {
+        await MembershipOrg.create(testMembershipOrg)
+      }
+
+      // create membership
+      const membershipInDB = await Membership.findById(testMembershipId)
+      if (!membershipInDB) {
+        await Membership.create(testMembership)
+      }
+
+      // create workspace if not exist 
+      const workspaceInDB = await Workspace.findById(testWorkspaceId)
+      if (!workspaceInDB) {
+        await Workspace.create(testWorkspace)
+      }
+
+      // create workspace key if not exist
+      const workspaceKeyInDB = await Key.findById(testWorkspaceKeyId)
+      if (!workspaceKeyInDB) {
+        await Key.create(testWorkspaceKey)
+      }
+
+      /* eslint-disable no-console */
+      console.info(`DEVELOPMENT MODE DETECTED: You may login with test user with email: ${testUserEmail} and password: ${testUserPassword}`)
+      /* eslint-enable no-console */
+
+    } catch (e) {
+      /* eslint-disable no-console */
+      console.error(`Unable to create test user while booting up [err=${e}]`)
+      /* eslint-enable no-console */
+    }
+  }
+}

backend/src/utils/posthog.ts

@@ -0,0 +1,15 @@
+const CLI_USER_AGENT_NAME = "cli"
+const K8_OPERATOR_AGENT_NAME = "k8-operator"
+export const getChannelFromUserAgent = function (userAgent: string | undefined) {
+  if (userAgent == undefined) {
+    return "other"
+  } else if (userAgent == CLI_USER_AGENT_NAME) {
+    return "cli"
+  } else if (userAgent == K8_OPERATOR_AGENT_NAME) {
+    return "k8-operator"
+  } else if (userAgent.toLowerCase().includes('mozilla')) {
+    return "web"
+  } else {
+    return "other"
+  }
+} 

backend/src/variables/action.ts

@@ -1,9 +1,13 @@
+const ACTION_LOGIN = 'login';
+const ACTION_LOGOUT = 'logout';
 const ACTION_ADD_SECRETS = 'addSecrets';
 const ACTION_DELETE_SECRETS = 'deleteSecrets';
 const ACTION_UPDATE_SECRETS = 'updateSecrets';
 const ACTION_READ_SECRETS = 'readSecrets';
 
 export {
+    ACTION_LOGIN,
+    ACTION_LOGOUT,
     ACTION_ADD_SECRETS,
     ACTION_DELETE_SECRETS,
     ACTION_UPDATE_SECRETS,