script for helm upload to cloudsmith

.env.example

@@ -1,19 +1,21 @@
 # Keys
-# Required key for platform encryption/decryption ops
-ENCRYPTION_KEY=6c1fe4e407b8911c104518103505b218
+# Required keys for platform encryption/decryption ops
+PRIVATE_KEY=replace_with_nacl_sk
+PUBLIC_KEY=replace_with_nacl_pk
+ENCRYPTION_KEY=replace_with_lengthy_secure_hex
 
 # JWT
 # Required secrets to sign JWT tokens
-JWT_SIGNUP_SECRET=3679e04ca949f914c03332aaaeba805a
-JWT_REFRESH_SECRET=5f2f3c8f0159068dc2bbb3a652a716ff
-JWT_AUTH_SECRET=4be6ba5602e0fa0ac6ac05c3cd4d247f
-JWT_SERVICE_SECRET=f32f716d70a42c5703f4656015e76200
+JWT_SIGNUP_SECRET=replace_with_lengthy_secure_hex
+JWT_REFRESH_SECRET=replace_with_lengthy_secure_hex
+JWT_AUTH_SECRET=replace_with_lengthy_secure_hex
 
 # JWT lifetime
 # Optional lifetimes for JWT tokens expressed in seconds or a string 
 # describing a time span (e.g. 60, "2 days", "10h", "7d")
 JWT_AUTH_LIFETIME=
 JWT_REFRESH_LIFETIME=
+JWT_SERVICE_SECRET=
 JWT_SIGNUP_LIFETIME=
 
 # Optional lifetimes for OTP expressed in seconds
@@ -31,28 +33,21 @@ MONGO_PASSWORD=example
 
 # Website URL
 # Required
+
 SITE_URL=http://localhost:8080
 
 # Mail/SMTP
-SMTP_HOST= # required
-SMTP_USERNAME= # required
-SMTP_PASSWORD= # required
-SMTP_PORT=587
-SMTP_SECURE=false
-SMTP_FROM_ADDRESS= # required
-SMTP_FROM_NAME=Infisical
+# Required to send emails
+# By default, SMTP_HOST is set to smtp.gmail.com
+SMTP_HOST=smtp.gmail.com
+SMTP_NAME=Team
+SMTP_USERNAME=team@infisical.com
+SMTP_PASSWORD=
 
 # Integration
 # Optional only if integration is used
-CLIENT_ID_HEROKU=
-CLIENT_ID_VERCEL=
-CLIENT_ID_NETLIFY=
-CLIENT_ID_GITHUB=
-CLIENT_SECRET_HEROKU=
-CLIENT_SECRET_VERCEL=
-CLIENT_SECRET_NETLIFY=
-CLIENT_SECRET_GITHUB=
-CLIENT_SLUG_VERCEL=
+OAUTH_CLIENT_SECRET_HEROKU=
+OAUTH_TOKEN_URL_HEROKU=
 
 # Sentry (optional) for monitoring errors
 SENTRY_DSN=
@@ -64,7 +59,7 @@ POSTHOG_PROJECT_API_KEY=
 STRIPE_SECRET_KEY=
 STRIPE_PUBLISHABLE_KEY=
 STRIPE_WEBHOOK_SECRET=
-STRIPE_PRODUCT_STARTER=
-STRIPE_PRODUCT_TEAM=
+STRIPE_PRODUCT_CARD_AUTH=
 STRIPE_PRODUCT_PRO=
+STRIPE_PRODUCT_STARTER=
 NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=

.eslintignore

@@ -1,4 +0,0 @@
-node_modules
-built
-healthcheck.js
-tailwind.config.js

.github/resources/docker-compose.be-test.yml

@@ -1,30 +0,0 @@
-version: '3'
-
-services:
-  backend:
-    container_name: infisical-backend-test
-    restart: unless-stopped
-    depends_on:
-      - mongo
-    image: infisical/backend:test
-    command: npm run start
-    environment:
-      - NODE_ENV=production
-      - MONGO_URL=mongodb://test:example@mongo:27017/?authSource=admin
-      - MONGO_USERNAME=test
-      - MONGO_PASSWORD=example
-    networks:
-      - infisical-test
-
-  mongo:
-    container_name: infisical-mongo-test
-    image: mongo
-    restart: always
-    environment:
-      - MONGO_INITDB_ROOT_USERNAME=test
-      - MONGO_INITDB_ROOT_PASSWORD=example
-    networks:
-      - infisical-test
-
-networks:
-  infisical-test:

.github/resources/healthcheck.sh

@@ -1,26 +0,0 @@
-# Name of the target container to check
-container_name="$1"
-# Timeout in seconds. Default: 60
-timeout=$((${2:-60}));
-
-if [ -z $container_name ]; then
-  echo "No container name specified";
-  exit 1;
-fi
-
-echo "Container: $container_name";
-echo "Timeout: $timeout sec";
-
-try=0;
-is_healthy="false";
-while [ $is_healthy != "true" ];
-do
-  try=$(($try + 1));
-  printf "■";
-  is_healthy=$(docker inspect --format='{{json .State.Health}}' $container_name | jq '.Status == "healthy"');
-  sleep 1;
-  if [[ $try -eq $timeout ]]; then
-    echo " Container was not ready within timeout";
-    exit 1;
-  fi
-done

.github/values.yaml

@@ -1,93 +0,0 @@
-#####
-# INFISICAL K8 DEFAULT VALUES FILE
-# PLEASE REPLACE VALUES/EDIT AS REQUIRED 
-#####
-
-nameOverride: ""
-
-frontend:
-  name: frontend
-  podAnnotations: {}
-  deploymentAnnotations:
-    secrets.infisical.com/auto-reload: "true"
-  replicaCount: 2
-  image:
-    repository: infisical/frontend
-    pullPolicy: Always 
-    tag: "latest"
-  kubeSecretRef: managed-secret-frontend
-  service:
-    # type of the frontend service
-    type: ClusterIP
-    # define the nodePort if service type is NodePort
-    # nodePort: 
-    annotations: {}
-
-backend:
-  name: backend
-  podAnnotations: {}
-  deploymentAnnotations:
-    secrets.infisical.com/auto-reload: "true"
-  replicaCount: 2
-  image:
-    repository: infisical/backend
-    pullPolicy: Always
-    tag: "latest"
-  kubeSecretRef: managed-backend-secret
-  service:
-    annotations: {}
-
-mongodb:
-  name: mongodb
-  podAnnotations: {}
-  image:
-    repository: mongo
-    pullPolicy: IfNotPresent
-    tag: "latest"
-  service:
-    annotations: {}
-
-# By default the backend will be connected to a Mongo instance in the cluster.
-# However, it is recommended to add a managed document DB connection string because the DB instance in the cluster does not have persistence yet ( data will be deleted on next deploy).
-# Learn about connection string type here https://www.mongodb.com/docs/manual/reference/connection-string/
-mongodbConnection: {}
-  # externalMongoDBConnectionString: <>
-
-ingress:
-  enabled: true
-  annotations:
-    kubernetes.io/ingress.class: "nginx"
-  hostName: gamma.infisical.com # replace with your domain 
-  frontend: 
-    path: /
-    pathType: Prefix
-  backend:
-    path: /api
-    pathType: Prefix
-  tls: []
-
-
-## Complete Ingress example 
-# ingress:
-#   enabled: true
-#   annotations:
-#     kubernetes.io/ingress.class: "nginx"
-#     cert-manager.io/issuer: letsencrypt-nginx
-#   hostName: k8.infisical.com
-#   frontend: 
-#     path: /
-#     pathType: Prefix
-#   backend:
-#     path: /api
-#     pathType: Prefix
-#   tls:
-#     - secretName: letsencrypt-nginx
-#       hosts:
-#         - k8.infisical.com
-
-###
-### YOU MUST FILL IN ALL SECRETS BELOW
-### 
-backendEnvironmentVariables: {}
-
-frontendEnvironmentVariables: {}

.github/workflows/be-test-report.yml

@@ -1,41 +0,0 @@
-name: "Backend Test Report"
-
-on:
-  workflow_run:
-    workflows: ["Check Backend Pull Request"]
-    types:
-      - completed
-
-jobs:
-  be-report:
-    name: Backend test report
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v2
-      - name: 📁 Download test results
-        id: download-artifact
-        uses: dawidd6/action-download-artifact@v2
-        with:
-          name: be-test-results
-          path: backend
-          workflow: check-be-pull-request.yml
-          workflow_conclusion: success
-      - name: 📋 Publish test results
-        uses: dorny/test-reporter@v1
-        with:
-          name: Test Results
-          path: reports/jest-*.xml
-          reporter: jest-junit
-          working-directory: backend
-      - name: 📋 Publish coverage
-        uses: ArtiomTr/jest-coverage-report-action@v2
-        id: coverage
-        with:
-          output: comment, report-markdown
-          coverage-file: coverage/report.json
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          working-directory: backend
-      - uses: marocchino/sticky-pull-request-comment@v2
-        with:
-          message: ${{ steps.coverage.outputs.report }}

.github/workflows/check-be-pull-request.yml

@@ -1,42 +0,0 @@
-name: "Check Backend Pull Request"
-
-on:
-  pull_request:
-    types: [opened, synchronize]
-    paths:
-      - "backend/**"
-      - "!backend/README.md"
-      - "!backend/.*"
-      - "backend/.eslintrc.js"
-
-jobs:
-  check-be-pr:
-    name: Check
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: ☁️ Checkout source
-        uses: actions/checkout@v3
-      - name: 🔧 Setup Node 16
-        uses: actions/setup-node@v3
-        with:
-          node-version: "16"
-          cache: "npm"
-          cache-dependency-path: backend/package-lock.json
-      - name: 📦 Install dependencies
-        run: npm ci --only-production
-        working-directory: backend
-      - name: 🧪 Run tests
-        run: npm run test:ci
-        working-directory: backend
-      - name: 📁 Upload test results
-        uses: actions/upload-artifact@v3
-        if: always()
-        with:
-          name: be-test-results
-          path: |
-            ./backend/reports
-            ./backend/coverage
-      - name: 🏗️ Run build
-        run: npm run build
-        working-directory: backend

.github/workflows/check-fe-pull-request.yml

@@ -1,41 +0,0 @@
-name: Check Frontend Pull Request
-
-on:
-  pull_request:
-    types: [ opened, synchronize ]
-    paths:
-      - 'frontend/**'
-      - '!frontend/README.md'
-      - '!frontend/.*'
-      - 'frontend/.eslintrc.js'
-
-
-jobs:
-
-  check-fe-pr:
-    name: Check
-    runs-on: ubuntu-latest
-
-    steps:
-      -
-        name: ☁️ Checkout source
-        uses: actions/checkout@v3
-      -
-        name: 🔧 Setup Node 16
-        uses: actions/setup-node@v3
-        with:
-          node-version: '16'
-          cache: 'npm'
-          cache-dependency-path: frontend/package-lock.json
-      -
-        name: 📦 Install dependencies
-        run: npm ci --only-production --ignore-scripts
-        working-directory: frontend
-      # -
-      #   name: 🧪 Run tests
-      #   run: npm run test:ci
-      #   working-directory: frontend
-      -
-        name: 🏗️ Run build
-        run: npm run build
-        working-directory: frontend

.github/workflows/close_inactive_issues.yml

@@ -0,0 +1,22 @@
+name: Close inactive issues
+on:
+  schedule:
+    - cron: "30 1 * * *"
+
+jobs:
+  close-issues:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+      - uses: actions/stale@v4
+        with:
+          days-before-issue-stale: 30
+          days-before-issue-close: 14
+          stale-issue-label: "stale"
+          stale-issue-message: "This issue is stale because it has been open for 30 days with no activity."
+          close-issue-message: "This issue was closed because it has been inactive for 14 days since being marked as stale."
+          days-before-pr-stale: -1
+          days-before-pr-close: -1
+          repo-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/docker-image.yml

@@ -1,138 +1,37 @@
-name: Build, Publish and Deploy to Gamma
+name: Push to Docker Hub
+
 on: [workflow_dispatch]
 
 jobs:
-  backend-image:
-    name: Build backend image
+  docker:
     runs-on: ubuntu-latest
-
     steps:
-      - name: ☁️ Checkout source
-        uses: actions/checkout@v3
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: 🔧 Set up Docker Buildx
+      - name: Checkout
+        uses: actions/checkout@v2
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      -
+        name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
-      - name: 🐋 Login to Docker Hub
+      -
+        name: Login to Docker Hub
         uses: docker/login-action@v2
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Set up Depot CLI
-        uses: depot/setup-action@v1
-      - name: 📦 Build backend and export to Docker
-        uses: depot/build-push-action@v1
+      -
+        name: Build and push backend
+        uses: docker/build-push-action@v3
         with:
-          project: 64mmf0n610
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          load: true
+          push: true
           context: backend
           tags: infisical/backend:test
-      - name: ⏻ Spawn backend container and dependencies
-        run: |
-          docker compose -f .github/resources/docker-compose.be-test.yml up --wait --quiet-pull
-      - name: 🧪 Test backend image
-        run: |
-          ./.github/resources/healthcheck.sh infisical-backend-test
-      - name: ⏻ Shut down backend container and dependencies
-        run: |
-          docker compose -f .github/resources/docker-compose.be-test.yml down
-      - name: 🏗️ Build backend and push
-        uses: depot/build-push-action@v1
+      -
+        name: Build and push frontend
+        uses: docker/build-push-action@v3
         with:
-          project: 64mmf0n610
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
           push: true
-          context: backend
-          tags: infisical/backend:${{ steps.commit.outputs.short }}, 
-                infisical/backend:latest
-          platforms: linux/amd64,linux/arm64
-
-  frontend-image:
-    name: Build frontend image
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: ☁️ Checkout source
-        uses: actions/checkout@v3
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: 🔧 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Set up Depot CLI
-        uses: depot/setup-action@v1
-      - name: 📦 Build frontend and export to Docker
-        uses: depot/build-push-action@v1
-        with:
-          load: true
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          project: 64mmf0n610
+          file: frontend/Dockerfile.dev
           context: frontend
           tags: infisical/frontend:test
-          build-args: |
-            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
-      - name: ⏻ Spawn frontend container
-        run: |
-          docker run -d --rm --name infisical-frontend-test infisical/frontend:test
-      - name: 🧪 Test frontend image
-        run: |
-          ./.github/resources/healthcheck.sh infisical-frontend-test
-      - name: ⏻ Shut down frontend container
-        run: |
-          docker stop infisical-frontend-test
-      - name: 🏗️ Build frontend and push
-        uses: depot/build-push-action@v1
-        with:
-          project: 64mmf0n610
-          push: true
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          context: frontend
-          tags: infisical/frontend:${{ steps.commit.outputs.short }}, 
-                infisical/frontend:latest
-          platforms: linux/amd64,linux/arm64
-          build-args: |
-            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
-  gamma-deployment:
-    name: Deploy to gamma
-    runs-on: ubuntu-latest
-    needs: [frontend-image, backend-image]
-    steps:
-      - name: ☁️ Checkout source
-        uses: actions/checkout@v3
-      - name: Install Helm
-        uses: azure/setup-helm@v3
-        with:
-          version: v3.10.0
-      - name: Install infisical helm chart
-        run: |
-          helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/'
-          helm repo update
-      - name: Install kubectl
-        uses: azure/setup-kubectl@v3
-      - name: Install doctl
-        uses: digitalocean/action-doctl@v2
-        with:
-          token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
-      - name: Save DigitalOcean kubeconfig with short-lived credentials
-        run: doctl kubernetes cluster kubeconfig save --expiry-seconds 600 k8s-1-25-4-do-0-nyc1-1670645170179
-      - name: switch to gamma namespace 
-        run: kubectl config set-context --current --namespace=gamma
-      - name: test kubectl
-        run: kubectl get ingress
-      - name: Download helm values to file and upgrade gamma deploy
-        run: |
-          wget https://raw.githubusercontent.com/Infisical/infisical/main/.github/values.yaml
-          helm upgrade infisical infisical-helm-charts/infisical  --values values.yaml --recreate-pods
-          if [[ $(helm status infisical) == *"FAILED"* ]]; then
-            echo "Helm upgrade failed"
-            exit 1
-          else
-            echo "Helm upgrade was successful"
-          fi

.github/workflows/helm-chart-release.yaml

@@ -0,0 +1,33 @@
+name: Release Charts
+
+on: [workflow_dispatch]
+
+jobs:
+  release:
+    # depending on default permission settings for your org (contents being read-only or read-write for workloads), you will have to add permissions
+    # see: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+
+      - name: Install Helm
+        uses: azure/setup-helm@v3
+        with:
+          version: v3.10.0
+
+      - name: Run chart-releaser
+        uses: helm/chart-releaser-action@v1.4.1
+        with:
+          charts_dir: helm-charts
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/helm_chart_release.yml

@@ -1,22 +0,0 @@
-name: Release Helm Charts
-
-on: [workflow_dispatch]
-
-jobs:
-  release:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-      - name: Install Helm
-        uses: azure/setup-helm@v3
-        with:
-          version: v3.10.0
-      - name: Install python
-        uses: actions/setup-python@v4
-      - name: Install Cloudsmith CLI
-        run: pip install --upgrade cloudsmith-cli
-      - name: Build and push helm package to Cloudsmith
-        run: cd helm-charts && sh upload-to-cloudsmith.sh
-        env:
-          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}

.github/workflows/release_build.yml

@@ -1,10 +1,10 @@
-name: Build and release CLI
+name: goreleaser
 
 on:
   push:
     # run only against tags
     tags:
-      - "v*"
+      - 'v*'
 
 permissions:
   contents: write
@@ -13,44 +13,29 @@ permissions:
 
 jobs:
   goreleaser:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
         with:
           fetch-depth: 0
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
       - run: git fetch --force --tags
-      - run: echo "Ref name ${{github.ref_name}}"
       - uses: actions/setup-go@v3
         with:
-          go-version: ">=1.19.3"
+          go-version: '>=1.19.3'
           cache: true
           cache-dependency-path: cli/go.sum
-      - name: libssl1.1 => libssl1.0-dev for OSXCross
-        run: |
-          echo 'deb http://security.ubuntu.com/ubuntu bionic-security main' | sudo tee -a /etc/apt/sources.list
-          sudo apt update && apt-cache policy libssl1.0-dev
-          sudo apt-get install libssl1.0-dev
-      - name: OSXCross for CGO Support
-        run: |
-          mkdir ../../osxcross
-          git clone https://github.com/plentico/osxcross-target.git ../../osxcross/target
-      - uses: goreleaser/goreleaser-action@v4
+      - uses: goreleaser/goreleaser-action@v2
         with:
           distribution: goreleaser
           version: latest
-          args: release --clean
+          args: release --rm-dist
         env:
           GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
           FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}
-          AUR_KEY: ${{ secrets.AUR_KEY }}
       - uses: actions/setup-python@v4
       - run: pip install --upgrade cloudsmith-cli
-      - name: Publish to CloudSmith
+      - name: Publish to CloudSmith 
         run: sh cli/upload_to_cloudsmith.sh
         env:
           CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
+      

.github/workflows/release_docker_k8_operator.yaml

@@ -1,29 +0,0 @@
-name: Release Docker image for K8 operator 
-on: [workflow_dispatch]
-
-jobs:
-  release:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-
-      - name: 🔧 Set up QEMU
-        uses: docker/setup-qemu-action@v1
-
-      - name: 🔧 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Build and push
-        id: docker_build
-        uses: docker/build-push-action@v2
-        with:
-          context: k8-operator
-          push: true
-          platforms: linux/amd64,linux/arm64
-          tags: infisical/kubernetes-operator:latest

.gitignore

@@ -12,8 +12,6 @@ node_modules
 .DS_Store
 
 /dist
-/completions/
-/manpages/
 
 # frontend
 
@@ -27,9 +25,7 @@ node_modules
 .env
 
 # testing
-coverage
-reports
-junit.xml
+/coverage
 
 # next.js
 /.next/

.goreleaser.yaml

@@ -6,82 +6,49 @@
 #     - cd cli && go mod tidy
 #     # you may remove this if you don't need go generate
 #     - cd cli && go generate ./...
-before:
-  hooks:
-    - ./cli/scripts/completions.sh
-    - ./cli/scripts/manpages.sh
-
 builds:
-  - id: darwin-build
-    binary: infisical
-    ldflags: -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
-    flags:
-      - -trimpath
-    env:
-      - CGO_ENABLED=1
-      - CC=/home/runner/work/osxcross/target/bin/o64-clang
-      - CXX=/home/runner/work/osxcross/target/bin/o64-clang++
-    goos:
-      - darwin
-    ignore:
-      - goos: darwin
-        goarch: "386"
-    dir: ./cli
-
-  - id: all-other-builds
-    env:
+  - env:
       - CGO_ENABLED=0
     binary: infisical
-    ldflags: -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
-    flags:
-      - -trimpath
+    id: infisical
     goos:
+      - darwin
       - freebsd
       - linux
       - netbsd
       - openbsd
       - windows
     goarch:
-      - "386"
+      - 386
       - amd64
       - arm
       - arm64
     goarm:
-      - "6"
-      - "7"
+      - 6
+      - 7
     ignore:
+      - goos: darwin
+        goarch: "386"
       - goos: windows
         goarch: "386"
       - goos: freebsd
         goarch: "386"
     dir: ./cli
 
-archives:
-  - format_overrides:
-      - goos: windows
-        format: zip
-    files:
-      - README*
-      - LICENSE*
-      - manpages/*
-      - completions/*
-
 release:
   replace_existing_draft: true
-  mode: "replace"
+  mode: 'replace'
 
 checksum:
-  name_template: "checksums.txt"
-
+  name_template: 'checksums.txt'
 snapshot:
-  name_template: "{{ incpatch .Version }}-devel"
-
+  name_template: "{{ incpatch .Version }}"
 changelog:
   sort: asc
   filters:
     exclude:
-      - "^docs:"
-      - "^test:"
+      - '^docs:'
+      - '^test:'
 
 # publishers:
 #   - name: fury.io
@@ -89,7 +56,6 @@ changelog:
 #       - infisical
 #     dir: "{{ dir .ArtifactPath }}"
 #     cmd: curl -F package=@{{ .ArtifactName }} https://{{ .Env.FURY_TOKEN }}@push.fury.io/infisical/
-
 brews:
   - name: infisical
     tap:
@@ -101,39 +67,21 @@ brews:
     folder: Formula
     homepage: "https://infisical.com"
     description: "The official Infisical CLI"
-    install: |-
-      bin.install "infisical"
-      bash_completion.install "completions/infisical.bash" => "infisical"
-      zsh_completion.install "completions/infisical.zsh" => "_infisical"
-      fish_completion.install "completions/infisical.fish"
-      man1.install "manpages/infisical.1.gz"
-
 nfpms:
-  - id: infisical
-    package_name: infisical
-    builds:
-      - all-other-builds
-    vendor: Infisical, Inc
-    homepage: https://infisical.com/
-    maintainer: Infisical, Inc
-    description: The offical Infisical CLI
-    license: MIT
-    formats:
-      - rpm
-      - deb
-      - apk
-      - archlinux
-    bindir: /usr/bin
-    contents:
-      - src: ./completions/infisical.bash
-        dst: /etc/bash_completion.d/infisical
-      - src: ./completions/infisical.fish
-        dst: /usr/share/fish/vendor_completions.d/infisical.fish
-      - src: ./completions/infisical.zsh
-        dst: /usr/share/zsh/site-functions/_infisical
-      - src: ./manpages/infisical.1.gz
-        dst: /usr/share/man/man1/infisical.1.gz
-
+- id: infisical
+  package_name: infisical
+  builds:
+    - infisical
+  vendor: Infisical, Inc
+  homepage: https://infisical.com/
+  maintainer: Infisical, Inc
+  description: The offical Infisical CLI
+  license: Apache 2.0
+  formats:
+  - rpm
+  - deb
+  - apk
+  bindir: /usr/bin
 scoop:
   bucket:
     owner: Infisical
@@ -143,38 +91,20 @@ scoop:
     email: ai@infisical.com
   homepage: "https://infisical.com"
   description: "The official Infisical CLI"
-  license: MIT
-
-aurs:
-  - name: infisical-bin
-    homepage: "https://infisical.com"
-    description: "The official Infisical CLI"
-    maintainers:
-      - Infisical, Inc <support@infisical.com>
-    license: MIT
-    private_key: "{{ .Env.AUR_KEY }}"
-    git_url: "ssh://aur@aur.archlinux.org/infisical-bin.git"
-    package: |-
-      # bin
-      install -Dm755 "./infisical" "${pkgdir}/usr/bin/infisical"
-      # license
-      install -Dm644 "./LICENSE" "${pkgdir}/usr/share/licenses/infisical/LICENSE"
-      # completions
-      mkdir -p "${pkgdir}/usr/share/bash-completion/completions/"
-      mkdir -p "${pkgdir}/usr/share/zsh/site-functions/"
-      mkdir -p "${pkgdir}/usr/share/fish/vendor_completions.d/"
-      install -Dm644 "./completions/infisical.bash" "${pkgdir}/usr/share/bash-completion/completions/infisical"
-      install -Dm644 "./completions/infisical.zsh" "${pkgdir}/usr/share/zsh/site-functions/infisical"
-      install -Dm644 "./completions/infisical.fish" "${pkgdir}/usr/share/fish/vendor_completions.d/infisical.fish"
-      # man pages
-      install -Dm644 "./manpages/infisical.1.gz" "${pkgdir}/usr/share/man/man1/infisical.1.gz"
-
+  license: Apache-2.0
 # dockers:
-#   - dockerfile: cli/docker/Dockerfile
+#   - dockerfile: goreleaser.dockerfile
 #     goos: linux
 #     goarch: amd64
 #     ids:
 #       - infisical
 #     image_templates:
-#       - "infisical/cli:{{ .Version }}"
+#       - "infisical/cli:{{ .Version }}"             
+#       - "infisical/cli:{{ .Major }}.{{ .Minor }}"  
+#       - "infisical/cli:{{ .Major }}"               
 #       - "infisical/cli:latest"
+#     build_flag_templates:
+#       - "--label=org.label-schema.schema-version=1.0"
+#       - "--label=org.label-schema.version={{.Version}}"
+#       - "--label=org.label-schema.name={{.ProjectName}}"
+#       - "--platform=linux/amd64"

.husky/pre-commit

@@ -1,5 +0,0 @@
-
-#!/usr/bin/env sh
-. "$(dirname -- "$0")/_/husky.sh"
-
-npx lint-staged

Makefile

@@ -7,9 +7,6 @@ push:
 up-dev:
 	docker-compose -f docker-compose.dev.yml up --build
 
-i-dev:
-	infisical run -- docker-compose -f docker-compose.dev.yml up --build
-
 up-prod:
 	docker-compose -f docker-compose.yml up --build
 

backend/.eslintrc

@@ -1,12 +1,18 @@
 {
-  "parser": "@typescript-eslint/parser",
-  "plugins": ["@typescript-eslint"],
-  "extends": [
-    "eslint:recommended",
-    "plugin:@typescript-eslint/eslint-recommended",
-    "plugin:@typescript-eslint/recommended"
-  ],
-  "rules": {
-    "no-console": 2
-  }
-}
+    "root": true,
+    "parser": "@typescript-eslint/parser",
+    "plugins": [
+      "@typescript-eslint",
+      "prettier"
+    ],
+    "extends": [
+      "eslint:recommended",
+      "plugin:@typescript-eslint/eslint-recommended",
+      "plugin:@typescript-eslint/recommended",
+      "prettier"
+    ],
+    "rules": {
+      "no-console": 2,
+      "prettier/prettier": 2
+    }
+}

backend/.prettierrc

@@ -0,0 +1,7 @@
+{
+    "semi": true,
+    "trailingComma": "none",
+    "singleQuote": true,
+    "printWidth": 80,
+		"useTabs": true
+  }

backend/Dockerfile

@@ -2,17 +2,11 @@ FROM node:16-bullseye-slim
 
 WORKDIR /app
 
-COPY package.json package-lock.json ./
+COPY package*.json .
 
-# RUN npm ci --only-production --ignore-scripts
-# "prepare": "cd .. && npm install"
-
-RUN npm ci --only-production
+RUN npm install
 
 COPY . .
 
-HEALTHCHECK --interval=10s --timeout=3s --start-period=10s \  
-  CMD node healthcheck.js
-
-
 CMD ["npm", "run", "start"]
+

backend/__tests__/healthcheck.test.ts

@@ -1,19 +0,0 @@
-import { server } from '../src/app';
-import { describe, expect, it, beforeAll, afterAll } from '@jest/globals';
-import supertest from 'supertest';
-import { setUpHealthEndpoint } from '../src/services/health';
-
-const requestWithSupertest = supertest(server);
-describe('Healthcheck endpoint', () => {
-  beforeAll(async () => {
-    setUpHealthEndpoint(server);
-  });
-  afterAll(async () => {
-    server.close();
-  });
-
-  it('GET /healthcheck should return OK', async () => {
-    const res = await requestWithSupertest.get('/healthcheck');
-    expect(res.status).toEqual(200);
-  });
-});

backend/environment.d.ts

@@ -3,10 +3,8 @@ export {};
 declare global {
   namespace NodeJS {
     interface ProcessEnv {
-      PORT: string;
       EMAIL_TOKEN_LIFETIME: string;
       ENCRYPTION_KEY: string;
-      SALT_ROUNDS: string;
       JWT_AUTH_LIFETIME: string;
       JWT_AUTH_SECRET: string;
       JWT_REFRESH_LIFETIME: string;
@@ -16,36 +14,24 @@ declare global {
 			JWT_SIGNUP_SECRET: string;
       MONGO_URL: string;
       NODE_ENV: 'development' | 'staging' | 'testing' | 'production';
-      VERBOSE_ERROR_OUTPUT: string;
-      LOKI_HOST: string;
-      CLIENT_ID_HEROKU: string;
-      CLIENT_ID_VERCEL: string;
-      CLIENT_ID_NETLIFY: string;
-      CLIENT_ID_GITHUB: string;
-      CLIENT_SECRET_HEROKU: string;
-      CLIENT_SECRET_VERCEL: string;
-      CLIENT_SECRET_NETLIFY: string;
-      CLIENT_SECRET_GITHUB: string;
-      CLIENT_SLUG_VERCEL: string;
+      OAUTH_CLIENT_SECRET_HEROKU: string;
+      OAUTH_TOKEN_URL_HEROKU: string;
 			POSTHOG_HOST: string;
 			POSTHOG_PROJECT_API_KEY: string;
+      PRIVATE_KEY: string;
+      PUBLIC_KEY: string;
       SENTRY_DSN: string;
       SITE_URL: string;
       SMTP_HOST: string;
-      SMTP_SECURE: string;
-      SMTP_PORT: string;
-      SMTP_USERNAME: string;
+      SMTP_NAME: string;
       SMTP_PASSWORD: string;
-      SMTP_FROM_ADDRESS: string;
-      SMTP_FROM_NAME: string;
-      STRIPE_PRODUCT_STARTER: string;
-      STRIPE_PRODUCT_TEAM: string;
+      SMTP_USERNAME: string;
+      STRIPE_PRODUCT_CARD_AUTH: string;
       STRIPE_PRODUCT_PRO: string;
+      STRIPE_PRODUCT_STARTER: string;
       STRIPE_PUBLISHABLE_KEY: string;
       STRIPE_SECRET_KEY: string;
       STRIPE_WEBHOOK_SECRET: string;
-      TELEMETRY_ENABLED: string;
-      LICENSE_KEY: string;
     }
   }
 }

backend/healthcheck.js

@@ -1,24 +0,0 @@
-const http = require('http');
-const PORT = process.env.PORT || 4000;
-const options = {
-  host: 'localhost',
-  port: PORT,
-  timeout: 2000,
-  path: '/healthcheck'
-};
-
-const healthCheck = http.request(options, (res) => {
-  console.log(`HEALTHCHECK STATUS: ${res.statusCode}`);
-  if (res.statusCode == 200) {
-    process.exit(0);
-  } else {
-    process.exit(1);
-  }
-});
-
-healthCheck.on('error', function (err) {
-  console.error(`HEALTH CHECK ERROR: ${err}`);
-  process.exit(1);
-});
-
-healthCheck.end();

backend/package.json

@@ -1,47 +1,30 @@
 {
   "dependencies": {
-    "@aws-sdk/client-secrets-manager": "^3.267.0",
-    "@godaddy/terminus": "^4.11.2",
-    "@octokit/rest": "^19.0.5",
     "@sentry/node": "^7.14.0",
-    "@sentry/tracing": "^7.19.0",
+    "@sentry/tracing": "^7.14.0",
     "@types/crypto-js": "^4.1.1",
-    "@types/libsodium-wrappers": "^0.7.10",
-    "await-to-js": "^3.0.0",
-    "aws-sdk": "^2.1311.0",
     "axios": "^1.1.3",
-    "bcrypt": "^5.1.0",
     "bigint-conversion": "^2.2.2",
-    "builder-pattern": "^2.2.0",
     "cookie-parser": "^1.4.6",
     "cors": "^2.8.5",
     "crypto-js": "^4.1.1",
     "dotenv": "^16.0.1",
     "express": "^4.18.1",
-    "express-rate-limit": "^6.7.0",
+    "express-rate-limit": "^6.5.1",
     "express-validator": "^6.14.2",
     "handlebars": "^4.7.7",
     "helmet": "^5.1.1",
-    "js-yaml": "^4.1.0",
-    "jsonwebtoken": "^9.0.0",
+    "jsonwebtoken": "^8.5.1",
     "jsrp": "^0.2.4",
-    "libsodium-wrappers": "^0.7.10",
-    "lodash": "^4.17.21",
-    "mongoose": "^6.7.2",
+    "mongoose": "^6.7.1",
     "nodemailer": "^6.8.0",
-    "posthog-node": "^2.2.2",
-    "query-string": "^7.1.3",
-    "request-ip": "^3.3.0",
+    "posthog-node": "^2.1.0",
+    "query-string": "^7.1.1",
     "rimraf": "^3.0.2",
     "stripe": "^10.7.0",
-    "swagger-autogen": "^2.22.0",
-    "swagger-ui-express": "^4.6.0",
     "tweetnacl": "^1.0.3",
     "tweetnacl-util": "^0.15.1",
-    "typescript": "^4.9.3",
-    "utility-types": "^3.10.0",
-    "winston": "^3.8.2",
-    "winston-loki": "^6.0.6"
+    "typescript": "^4.8.4"
   },
   "name": "infisical-api",
   "version": "1.0.0",
@@ -49,15 +32,10 @@
   "scripts": {
     "start": "npm run build && node build/index.js",
     "dev": "nodemon",
-    "swagger-autogen": "node ./swagger/index.ts",
-    "build": "rimraf ./build && tsc && cp -R ./src/templates ./build",
+    "build": "rimraf ./build && tsc && cp -R ./src/templates ./src/json ./build",
     "lint": "eslint . --ext .ts",
     "lint-and-fix": "eslint . --ext .ts --fix",
-    "lint-staged": "lint-staged",
-    "pretest": "docker compose -f test-resources/docker-compose.test.yml up -d",
-    "test": "cross-env NODE_ENV=test jest --testTimeout=10000 --detectOpenHandles",
-    "test:ci": "npm test -- --watchAll=false --ci --reporters=default --reporters=jest-junit --reporters=github-actions --coverage --testLocationInResults --json --outputFile=coverage/report.json",
-    "posttest": "docker compose -f test-resources/docker-compose.test.yml down"
+    "prettier-format": "prettier --config .prettierrc 'src/**/*.ts' --write"
   },
   "repository": {
     "type": "git",
@@ -71,52 +49,26 @@
   "homepage": "https://github.com/Infisical/infisical-api#readme",
   "description": "",
   "devDependencies": {
-    "@jest/globals": "^29.3.1",
     "@posthog/plugin-scaffold": "^1.3.4",
-    "@types/bcrypt": "^5.0.0",
-    "@types/bcryptjs": "^2.4.2",
     "@types/cookie-parser": "^1.4.3",
     "@types/cors": "^2.8.12",
     "@types/express": "^4.17.14",
-    "@types/jest": "^29.2.4",
     "@types/jsonwebtoken": "^8.5.9",
-    "@types/lodash": "^4.14.191",
     "@types/node": "^18.11.3",
     "@types/nodemailer": "^6.4.6",
-    "@types/supertest": "^2.0.12",
     "@types/swagger-jsdoc": "^6.0.1",
     "@types/swagger-ui-express": "^4.1.3",
     "@typescript-eslint/eslint-plugin": "^5.40.1",
     "@typescript-eslint/parser": "^5.40.1",
-    "cross-env": "^7.0.3",
     "eslint": "^8.26.0",
+    "eslint-config-prettier": "^8.5.0",
+    "eslint-plugin-prettier": "^4.2.1",
+    "husky": "^8.0.1",
     "install": "^0.13.0",
     "jest": "^29.3.1",
-    "jest-junit": "^15.0.0",
     "nodemon": "^2.0.19",
     "npm": "^8.19.3",
-    "supertest": "^6.3.3",
-    "ts-jest": "^29.0.3",
+    "prettier": "^2.7.1",
     "ts-node": "^10.9.1"
-  },
-  "jest": {
-    "preset": "ts-jest",
-    "testEnvironment": "node",
-    "collectCoverageFrom": [
-      "src/*.{js,ts}",
-      "!**/node_modules/**"
-    ],
-    "setupFiles": [
-      "<rootDir>/test-resources/env-vars.js"
-    ]
-  },
-  "jest-junit": {
-    "outputDirectory": "reports",
-    "outputName": "jest-junit.xml",
-    "ancestorSeparator": " › ",
-    "uniqueOutputName": "false",
-    "suiteNameTemplate": "{filepath}",
-    "classNameTemplate": "{classname}",
-    "titleTemplate": "{title}"
   }
 }

backend/src/app.ts

@@ -1,140 +0,0 @@
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const { patchRouterParam } = require('./utils/patchAsyncRoutes');
-
-import express, { Request, Response } from 'express';
-import helmet from 'helmet';
-import cors from 'cors';
-import cookieParser from 'cookie-parser';
-import dotenv from 'dotenv';
-import swaggerUi = require('swagger-ui-express');
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const swaggerFile = require('../spec.json');
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const requestIp = require('request-ip');
-
-dotenv.config();
-import { PORT, NODE_ENV, SITE_URL } from './config';
-import { apiLimiter } from './helpers/rateLimiter';
-
-import {
-  workspace as eeWorkspaceRouter,
-  secret as eeSecretRouter,
-  secretSnapshot as eeSecretSnapshotRouter,
-  action as eeActionRouter
-} from './ee/routes/v1';
-import {
-  signup as v1SignupRouter,
-  auth as v1AuthRouter,
-  bot as v1BotRouter,
-  organization as v1OrganizationRouter,
-  workspace as v1WorkspaceRouter,
-  membershipOrg as v1MembershipOrgRouter,
-  membership as v1MembershipRouter,
-  key as v1KeyRouter,
-  inviteOrg as v1InviteOrgRouter,
-  user as v1UserRouter,
-  userAction as v1UserActionRouter,
-  secret as v1SecretRouter,
-  serviceToken as v1ServiceTokenRouter,
-  password as v1PasswordRouter,
-  stripe as v1StripeRouter,
-  integration as v1IntegrationRouter,
-  integrationAuth as v1IntegrationAuthRouter
-} from './routes/v1';
-import {
-  users as v2UsersRouter,
-  organizations as v2OrganizationsRouter,
-  workspace as v2WorkspaceRouter,
-  secret as v2SecretRouter, // begin to phase out
-  secrets as v2SecretsRouter,
-  serviceTokenData as v2ServiceTokenDataRouter,
-  apiKeyData as v2APIKeyDataRouter,
-  environment as v2EnvironmentRouter,
-  tags as v2TagsRouter,
-} from './routes/v2';
-
-import { healthCheck } from './routes/status';
-
-import { getLogger } from './utils/logger';
-import { RouteNotFoundError } from './utils/errors';
-import { requestErrorHandler } from './middleware/requestErrorHandler';
-
-// patch async route params to handle Promise Rejections
-patchRouterParam();
-
-export const app = express();
-
-app.enable('trust proxy');
-app.use(express.json());
-app.use(cookieParser());
-app.use(
-  cors({
-    credentials: true,
-    origin: SITE_URL
-  })
-);
-
-app.use(requestIp.mw())
-
-if (NODE_ENV === 'production') {
-  // enable app-wide rate-limiting + helmet security
-  // in production
-  app.disable('x-powered-by');
-  app.use(apiLimiter);
-  app.use(helmet());
-}
-
-// (EE) routes
-app.use('/api/v1/secret', eeSecretRouter);
-app.use('/api/v1/secret-snapshot', eeSecretSnapshotRouter);
-app.use('/api/v1/workspace', eeWorkspaceRouter);
-app.use('/api/v1/action', eeActionRouter);
-
-// v1 routes
-app.use('/api/v1/signup', v1SignupRouter);
-app.use('/api/v1/auth', v1AuthRouter);
-app.use('/api/v1/bot', v1BotRouter);
-app.use('/api/v1/user', v1UserRouter);
-app.use('/api/v1/user-action', v1UserActionRouter);
-app.use('/api/v1/organization', v1OrganizationRouter);
-app.use('/api/v1/workspace', v1WorkspaceRouter);
-app.use('/api/v1/membership-org', v1MembershipOrgRouter);
-app.use('/api/v1/membership', v1MembershipRouter);
-app.use('/api/v1/key', v1KeyRouter);
-app.use('/api/v1/invite-org', v1InviteOrgRouter);
-app.use('/api/v1/secret', v1SecretRouter);
-app.use('/api/v1/service-token', v1ServiceTokenRouter); // deprecated
-app.use('/api/v1/password', v1PasswordRouter);
-app.use('/api/v1/stripe', v1StripeRouter);
-app.use('/api/v1/integration', v1IntegrationRouter);
-app.use('/api/v1/integration-auth', v1IntegrationAuthRouter);
-
-// v2 routes
-app.use('/api/v2/users', v2UsersRouter);
-app.use('/api/v2/organizations', v2OrganizationsRouter);
-app.use('/api/v2/workspace', v2EnvironmentRouter);
-app.use('/api/v2/workspace', v2TagsRouter);
-app.use('/api/v2/workspace', v2WorkspaceRouter);
-app.use('/api/v2/secret', v2SecretRouter); // deprecated
-app.use('/api/v2/secrets', v2SecretsRouter);
-app.use('/api/v2/service-token', v2ServiceTokenDataRouter); // TODO: turn into plural route
-app.use('/api/v2/api-key', v2APIKeyDataRouter);
-
-// api docs 
-app.use('/api-docs', swaggerUi.serve, swaggerUi.setup(swaggerFile))
-
-// Server status
-app.use('/api', healthCheck)
-
-//* Handle unrouted requests and respond with proper error message as well as status code
-app.use((req, res, next) => {
-  if (res.headersSent) return next();
-  next(RouteNotFoundError({ message: `The requested source '(${req.method})${req.url}' was not found` }))
-})
-
-//* Error Handling Middleware (must be after all routing logic)
-app.use(requestErrorHandler)
-
-export const server = app.listen(PORT, () => {
-  getLogger("backend-main").info(`Server started listening at port ${PORT}`)
-});

backend/src/config/index.ts

@@ -1,8 +1,6 @@
 const PORT = process.env.PORT || 4000;
-const EMAIL_TOKEN_LIFETIME = parseInt(process.env.EMAIL_TOKEN_LIFETIME! || '86400');
-const INVITE_ONLY_SIGNUP = process.env.INVITE_ONLY_SIGNUP == undefined ? false : process.env.INVITE_ONLY_SIGNUP
+const EMAIL_TOKEN_LIFETIME = process.env.EMAIL_TOKEN_LIFETIME! || '86400';
 const ENCRYPTION_KEY = process.env.ENCRYPTION_KEY!;
-const SALT_ROUNDS = parseInt(process.env.SALT_ROUNDS!) || 10;
 const JWT_AUTH_LIFETIME = process.env.JWT_AUTH_LIFETIME! || '10d';
 const JWT_AUTH_SECRET = process.env.JWT_AUTH_SECRET!;
 const JWT_REFRESH_LIFETIME = process.env.JWT_REFRESH_LIFETIME! || '90d';
@@ -12,88 +10,56 @@ const JWT_SIGNUP_LIFETIME = process.env.JWT_SIGNUP_LIFETIME! || '15m';
 const JWT_SIGNUP_SECRET = process.env.JWT_SIGNUP_SECRET!;
 const MONGO_URL = process.env.MONGO_URL!;
 const NODE_ENV = process.env.NODE_ENV! || 'production';
-const VERBOSE_ERROR_OUTPUT = process.env.VERBOSE_ERROR_OUTPUT! === 'true' && true;
-const LOKI_HOST = process.env.LOKI_HOST || undefined;
-const CLIENT_ID_AZURE = process.env.CLIENT_ID_AZURE!;
-const TENANT_ID_AZURE = process.env.TENANT_ID_AZURE!;
-const CLIENT_ID_HEROKU = process.env.CLIENT_ID_HEROKU!;
-const CLIENT_ID_VERCEL = process.env.CLIENT_ID_VERCEL!;
-const CLIENT_ID_NETLIFY = process.env.CLIENT_ID_NETLIFY!;
-const CLIENT_ID_GITHUB = process.env.CLIENT_ID_GITHUB!;
-const CLIENT_SECRET_AZURE = process.env.CLIENT_SECRET_AZURE!;
-const CLIENT_SECRET_HEROKU = process.env.CLIENT_SECRET_HEROKU!;
-const CLIENT_SECRET_VERCEL = process.env.CLIENT_SECRET_VERCEL!;
-const CLIENT_SECRET_NETLIFY = process.env.CLIENT_SECRET_NETLIFY!;
-const CLIENT_SECRET_GITHUB = process.env.CLIENT_SECRET_GITHUB!;
-const CLIENT_SLUG_VERCEL = process.env.CLIENT_SLUG_VERCEL!;
+const OAUTH_CLIENT_SECRET_HEROKU = process.env.OAUTH_CLIENT_SECRET_HEROKU!;
+const OAUTH_TOKEN_URL_HEROKU = process.env.OAUTH_TOKEN_URL_HEROKU!;
 const POSTHOG_HOST = process.env.POSTHOG_HOST! || 'https://app.posthog.com';
-const POSTHOG_PROJECT_API_KEY =
-  process.env.POSTHOG_PROJECT_API_KEY! ||
-  'phc_nSin8j5q2zdhpFDI1ETmFNUIuTG4DwKVyIigrY10XiE';
+const POSTHOG_PROJECT_API_KEY = process.env.POSTHOG_PROJECT_API_KEY! || 'phc_nSin8j5q2zdhpFDI1ETmFNUIuTG4DwKVyIigrY10XiE';
+const PRIVATE_KEY = process.env.PRIVATE_KEY!;
+const PUBLIC_KEY = process.env.PUBLIC_KEY!;
 const SENTRY_DSN = process.env.SENTRY_DSN!;
 const SITE_URL = process.env.SITE_URL!;
-const SMTP_HOST = process.env.SMTP_HOST!;
-const SMTP_SECURE = process.env.SMTP_SECURE! === 'true' || false;
-const SMTP_PORT = parseInt(process.env.SMTP_PORT!) || 587;
+const SMTP_HOST = process.env.SMTP_HOST! || 'smtp.gmail.com';
+const SMTP_NAME = process.env.SMTP_NAME!;
 const SMTP_USERNAME = process.env.SMTP_USERNAME!;
 const SMTP_PASSWORD = process.env.SMTP_PASSWORD!;
-const SMTP_FROM_ADDRESS = process.env.SMTP_FROM_ADDRESS!;
-const SMTP_FROM_NAME = process.env.SMTP_FROM_NAME! || 'Infisical';
-const STRIPE_PRODUCT_STARTER = process.env.STRIPE_PRODUCT_STARTER!;
+const STRIPE_PRODUCT_CARD_AUTH = process.env.STRIPE_PRODUCT_CARD_AUTH!;
 const STRIPE_PRODUCT_PRO = process.env.STRIPE_PRODUCT_PRO!;
-const STRIPE_PRODUCT_TEAM = process.env.STRIPE_PRODUCT_TEAM!;
+const STRIPE_PRODUCT_STARTER = process.env.STRIPE_PRODUCT_STARTER!;
 const STRIPE_PUBLISHABLE_KEY = process.env.STRIPE_PUBLISHABLE_KEY!;
 const STRIPE_SECRET_KEY = process.env.STRIPE_SECRET_KEY!;
 const STRIPE_WEBHOOK_SECRET = process.env.STRIPE_WEBHOOK_SECRET!;
-const TELEMETRY_ENABLED = process.env.TELEMETRY_ENABLED! !== 'false' && true;
-const LICENSE_KEY = process.env.LICENSE_KEY!;
+const TELEMETRY_ENABLED = (process.env.TELEMETRY_ENABLED! !== 'false') && true;
 
 export {
-  PORT,
-  EMAIL_TOKEN_LIFETIME,
-  INVITE_ONLY_SIGNUP,
-  ENCRYPTION_KEY,
-  SALT_ROUNDS,
-  JWT_AUTH_LIFETIME,
-  JWT_AUTH_SECRET,
-  JWT_REFRESH_LIFETIME,
-  JWT_REFRESH_SECRET,
-  JWT_SERVICE_SECRET,
-  JWT_SIGNUP_LIFETIME,
-  JWT_SIGNUP_SECRET,
-  MONGO_URL,
-  NODE_ENV,
-  VERBOSE_ERROR_OUTPUT,
-  LOKI_HOST,
-  CLIENT_ID_AZURE,
-  TENANT_ID_AZURE,
-  CLIENT_ID_HEROKU,
-  CLIENT_ID_VERCEL,
-  CLIENT_ID_NETLIFY,
-  CLIENT_ID_GITHUB,
-  CLIENT_SECRET_AZURE,
-  CLIENT_SECRET_HEROKU,
-  CLIENT_SECRET_VERCEL,
-  CLIENT_SECRET_NETLIFY,
-  CLIENT_SECRET_GITHUB,
-  CLIENT_SLUG_VERCEL,
-  POSTHOG_HOST,
-  POSTHOG_PROJECT_API_KEY,
-  SENTRY_DSN,
-  SITE_URL,
-  SMTP_HOST,
-  SMTP_PORT,
-  SMTP_SECURE,
-  SMTP_USERNAME,
-  SMTP_PASSWORD,
-  SMTP_FROM_ADDRESS,
-  SMTP_FROM_NAME,
-  STRIPE_PRODUCT_STARTER,
-  STRIPE_PRODUCT_TEAM,
-  STRIPE_PRODUCT_PRO,
-  STRIPE_PUBLISHABLE_KEY,
-  STRIPE_SECRET_KEY,
-  STRIPE_WEBHOOK_SECRET,
-  TELEMETRY_ENABLED,
-  LICENSE_KEY
+	PORT,
+	EMAIL_TOKEN_LIFETIME,
+	ENCRYPTION_KEY,
+	JWT_AUTH_LIFETIME,
+	JWT_AUTH_SECRET,
+	JWT_REFRESH_LIFETIME,
+	JWT_REFRESH_SECRET,
+	JWT_SERVICE_SECRET,
+	JWT_SIGNUP_LIFETIME,
+	JWT_SIGNUP_SECRET,
+	MONGO_URL,
+	NODE_ENV,
+	OAUTH_CLIENT_SECRET_HEROKU,
+	OAUTH_TOKEN_URL_HEROKU,
+	POSTHOG_HOST,
+	POSTHOG_PROJECT_API_KEY,
+	PRIVATE_KEY,
+	PUBLIC_KEY,
+	SENTRY_DSN,
+	SITE_URL,
+	SMTP_HOST,
+	SMTP_NAME,
+	SMTP_USERNAME,
+	SMTP_PASSWORD,
+	STRIPE_PRODUCT_CARD_AUTH,
+	STRIPE_PRODUCT_PRO,
+	STRIPE_PRODUCT_STARTER,
+	STRIPE_PUBLISHABLE_KEY,
+	STRIPE_SECRET_KEY,
+	STRIPE_WEBHOOK_SECRET,
+	TELEMETRY_ENABLED
 };

backend/src/controllers/authController.ts

@@ -0,0 +1,224 @@
+import { Request, Response } from 'express';
+import jwt from 'jsonwebtoken';
+import * as Sentry from '@sentry/node';
+import * as bigintConversion from 'bigint-conversion';
+const jsrp = require('jsrp');
+import { User } from '../models';
+import { createToken, issueTokens, clearTokens } from '../helpers/auth';
+import { 
+	NODE_ENV,
+	JWT_AUTH_LIFETIME, 
+	JWT_AUTH_SECRET,
+	JWT_REFRESH_SECRET
+} from '../config';
+
+declare module 'jsonwebtoken' {
+	export interface UserIDJwtPayload extends jwt.JwtPayload {
+		userId: string;
+	}
+}
+
+const clientPublicKeys: any = {};
+
+/**
+ * Log in user step 1: Return [salt] and [serverPublicKey] as part of step 1 of SRP protocol
+ * @param req
+ * @param res
+ * @returns
+ */
+export const login1 = async (req: Request, res: Response) => {
+	try {
+		const {
+			email,
+			clientPublicKey
+		}: { email: string; clientPublicKey: string } = req.body;
+		
+		const user = await User.findOne({
+			email
+		}).select('+salt +verifier');
+		
+
+		if (!user) throw new Error('Failed to find user');
+
+		const server = new jsrp.server();
+		server.init(
+			{
+				salt: user.salt,
+				verifier: user.verifier
+			},
+			() => {
+				// generate server-side public key
+				const serverPublicKey = server.getPublicKey();
+				clientPublicKeys[email] = {
+					clientPublicKey,
+					serverBInt: bigintConversion.bigintToBuf(server.bInt)
+				};
+				
+
+				return res.status(200).send({
+					serverPublicKey,
+					salt: user.salt
+				});
+			}
+		);
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to start authentication process'
+		});
+	}
+};
+
+/**
+ * Log in user step 2: complete step 2 of SRP protocol and return token and their (encrypted)
+ * private key
+ * @param req
+ * @param res
+ * @returns
+ */
+export const login2 = async (req: Request, res: Response) => {
+	try {
+		const { email, clientProof } = req.body;
+		const user = await User.findOne({
+			email
+		}).select('+salt +verifier +publicKey +encryptedPrivateKey +iv +tag');
+
+		if (!user) throw new Error('Failed to find user');
+
+		const server = new jsrp.server();
+		server.init(
+			{
+				salt: user.salt,
+				verifier: user.verifier,
+				b: clientPublicKeys[email].serverBInt
+			},
+			async () => {
+				server.setClientPublicKey(clientPublicKeys[email].clientPublicKey);
+
+				// compare server and client shared keys
+				if (server.checkClientProof(clientProof)) {
+					// issue tokens
+					const tokens = await issueTokens({ userId: user._id.toString() });
+					
+					// store (refresh) token in httpOnly cookie
+					res.cookie('jid', tokens.refreshToken, {
+						httpOnly: true,
+						path: '/token',
+						sameSite: "strict",
+						secure: NODE_ENV === 'production' ? true : false
+					});
+
+					// return (access) token in response
+					return res.status(200).send({
+						token: tokens.token,
+						publicKey: user.publicKey,
+						encryptedPrivateKey: user.encryptedPrivateKey,
+						iv: user.iv,
+						tag: user.tag
+					});
+				}
+
+				return res.status(400).send({
+					message: 'Failed to authenticate. Try again?'
+				});
+			}
+		);
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to authenticate. Try again?'
+		});
+	}
+};
+
+/**
+ * Log out user
+ * @param req
+ * @param res
+ * @returns
+ */
+export const logout = async (req: Request, res: Response) => {
+	try {
+		await clearTokens({
+			userId: req.user._id.toString()
+		});
+		
+		// clear httpOnly cookie
+		res.cookie('jid', '', {
+			httpOnly: true,
+			path: '/token',
+			sameSite: "strict",
+			secure: NODE_ENV === 'production' ? true : false
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to logout'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Successfully logged out.'
+	});
+};
+
+/**
+ * Return user is authenticated
+ * @param req
+ * @param res
+ * @returns
+ */
+export const checkAuth = async (req: Request, res: Response) =>
+	res.status(200).send({
+		message: 'Authenticated'
+	});
+
+/**
+ * Return new token by redeeming refresh token
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getNewToken = async (req: Request, res: Response) => {
+	try {
+		const refreshToken = req.cookies.jid;
+		
+		if (!refreshToken) {
+			throw new Error('Failed to find token in request cookies');
+		}
+		
+		const decodedToken = <jwt.UserIDJwtPayload>(
+			jwt.verify(refreshToken, JWT_REFRESH_SECRET)
+		);
+		
+		const user = await User.findOne({
+			_id: decodedToken.userId
+		}).select('+publicKey');
+
+		if (!user) throw new Error('Failed to authenticate unfound user');
+		if (!user?.publicKey)
+			throw new Error('Failed to authenticate not fully set up account');
+		
+		const token = createToken({
+			payload: {
+				userId: decodedToken.userId
+			},
+			expiresIn: JWT_AUTH_LIFETIME,
+			secret: JWT_AUTH_SECRET
+		});
+		
+		return res.status(200).send({
+			token
+		});
+		
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Invalid request'
+		});
+	}
+};

backend/src/controllers/index.ts

@@ -1,5 +1,4 @@
 import * as authController from './authController';
-import * as botController from './botController';
 import * as integrationAuthController from './integrationAuthController';
 import * as integrationController from './integrationController';
 import * as keyController from './keyController';
@@ -17,7 +16,6 @@ import * as workspaceController from './workspaceController';
 
 export {
 	authController,
-	botController,
 	integrationAuthController,
 	integrationController,
 	keyController,

backend/src/controllers/integrationAuthController.ts

@@ -0,0 +1,153 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import axios from 'axios';
+import { readFileSync } from 'fs';
+import { IntegrationAuth, Integration } from '../models';
+import { processOAuthTokenRes } from '../helpers/integrationAuth';
+import { INTEGRATION_SET, ENV_DEV } from '../variables';
+import { OAUTH_CLIENT_SECRET_HEROKU, OAUTH_TOKEN_URL_HEROKU } from '../config';
+
+/**
+ * Perform OAuth2 code-token exchange as part of integration [integration] for workspace with id [workspaceId]
+ * Note: integration [integration] must be set up compatible/designed for OAuth2
+ * @param req
+ * @param res
+ * @returns
+ */
+export const integrationAuthOauthExchange = async (
+	req: Request,
+	res: Response
+) => {
+	try {
+		let clientSecret;
+
+		const { workspaceId, code, integration } = req.body;
+
+		if (!INTEGRATION_SET.has(integration))
+			throw new Error('Failed to validate integration');
+
+		// use correct client secret
+		switch (integration) {
+			case 'heroku':
+				clientSecret = OAUTH_CLIENT_SECRET_HEROKU;
+		}
+
+		// TODO: unfinished - make compatible with other integration types
+		const res = await axios.post(
+			OAUTH_TOKEN_URL_HEROKU!,
+			new URLSearchParams({
+				grant_type: 'authorization_code',
+				code: code,
+				client_secret: clientSecret
+			} as any)
+		);
+
+		const integrationAuth = await processOAuthTokenRes({
+			workspaceId,
+			integration,
+			res
+		});
+
+		// create or replace integration
+		const integrationObj = await Integration.findOneAndUpdate(
+			{ workspace: workspaceId, integration },
+			{
+				workspace: workspaceId,
+				environment: ENV_DEV,
+				isActive: false,
+				app: null,
+				integration,
+				integrationAuth: integrationAuth._id
+			},
+			{ upsert: true, new: true }
+		);
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get OAuth2 token'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Successfully enabled integration authorization'
+	});
+};
+
+/**
+ * Return list of applications allowed for integration with id [integrationAuthId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getIntegrationAuthApps = async (req: Request, res: Response) => {
+	// TODO: unfinished - make compatible with other integration types
+	let apps;
+	try {
+		const res = await axios.get('https://api.heroku.com/apps', {
+			headers: {
+				Accept: 'application/vnd.heroku+json; version=3',
+				Authorization: 'Bearer ' + req.accessToken
+			}
+		});
+
+		apps = res.data.map((a: any) => ({
+			name: a.name
+		}));
+	} catch (err) {}
+
+	return res.status(200).send({
+		apps
+	});
+};
+
+/**
+ * Delete integration authorization with id [integrationAuthId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const deleteIntegrationAuth = async (req: Request, res: Response) => {
+	// TODO: unfinished - disable application via Heroku API and make compatible with other integration types
+	try {
+		const { integrationAuthId } = req.params;
+
+		// TODO: disable application via Heroku API; figure out what authorization id is
+
+		const integrations = JSON.parse(
+			readFileSync('./src/json/integrations.json').toString()
+		);
+
+		let authorizationId;
+		switch (req.integrationAuth.integration) {
+			case 'heroku':
+				authorizationId = integrations.heroku.clientId;
+		}
+
+		// not sure what authorizationId is?
+		// // revoke authorization
+		// const res2 = await axios.delete(
+		//   `https://api.heroku.com/oauth/authorizations/${authorizationId}`,
+		//   {
+		//     headers: {
+		//         'Accept': 'application/vnd.heroku+json; version=3',
+		//         'Authorization': 'Bearer ' + req.accessToken
+		//     }
+		//   }
+		// );
+
+		const deletedIntegrationAuth = await IntegrationAuth.findOneAndDelete({
+			_id: integrationAuthId
+		});
+
+		if (deletedIntegrationAuth) {
+			await Integration.deleteMany({
+				integrationAuth: deletedIntegrationAuth._id
+			});
+		}
+	} catch (err) {
+		return res.status(400).send({
+			message: 'Failed to delete integration authorization'
+		});
+	}
+};

backend/src/controllers/integrationController.ts

@@ -0,0 +1,158 @@
+import { Request, Response } from 'express';
+import { readFileSync } from 'fs';
+import * as Sentry from '@sentry/node';
+import axios from 'axios';
+import { Integration } from '../models';
+import { decryptAsymmetric } from '../utils/crypto';
+import { decryptSecrets } from '../helpers/secret';
+import { PRIVATE_KEY } from '../config';
+
+interface Key {
+	encryptedKey: string;
+	nonce: string;
+}
+
+interface PushSecret {
+	ciphertextKey: string;
+	ivKey: string;
+	tagKey: string;
+	hashKey: string;
+	ciphertextValue: string;
+	ivValue: string;
+	tagValue: string;
+	hashValue: string;
+	type: 'shared' | 'personal';
+}
+
+/**
+ * Return list of all available integrations on Infisical
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getIntegrations = async (req: Request, res: Response) => {
+	let integrations;
+	try {
+		integrations = JSON.parse(
+			readFileSync('./src/json/integrations.json').toString()
+		);
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get integrations'
+		});
+	}
+
+	return res.status(200).send({
+		integrations
+	});
+};
+
+/**
+ * Sync secrets [secrets] to integration with id [integrationId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const syncIntegration = async (req: Request, res: Response) => {
+	// TODO: unfinished - make more versatile to accomodate for other integrations
+	try {
+		const { key, secrets }: { key: Key; secrets: PushSecret[] } = req.body;
+		const symmetricKey = decryptAsymmetric({
+			ciphertext: key.encryptedKey,
+			nonce: key.nonce,
+			publicKey: req.user.publicKey,
+			privateKey: PRIVATE_KEY
+		});
+
+		// decrypt secrets with symmetric key
+		const content = decryptSecrets({
+			secrets,
+			key: symmetricKey,
+			format: 'object'
+		});
+
+		// TODO: make integration work for other integrations as well
+		const res = await axios.patch(
+			`https://api.heroku.com/apps/${req.integration.app}/config-vars`,
+			content,
+			{
+				headers: {
+					Accept: 'application/vnd.heroku+json; version=3',
+					Authorization: 'Bearer ' + req.accessToken
+				}
+			}
+		);
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to sync secrets with integration'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Successfully synced secrets with integration'
+	});
+};
+
+/**
+ * Change environment or name of integration with id [integrationId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const modifyIntegration = async (req: Request, res: Response) => {
+	let integration;
+	try {
+		const { update } = req.body;
+
+		integration = await Integration.findOneAndUpdate(
+			{
+				_id: req.integration._id
+			},
+			update,
+			{
+				new: true
+			}
+		);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to modify integration'
+		});
+	}
+
+	return res.status(200).send({
+		integration
+	});
+};
+
+/**
+ * Delete integration with id [integrationId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const deleteIntegration = async (req: Request, res: Response) => {
+	let deletedIntegration;
+	try {
+		const { integrationId } = req.params;
+
+		deletedIntegration = await Integration.findOneAndDelete({
+			_id: integrationId
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to delete integration'
+		});
+	}
+
+	return res.status(200).send({
+		deletedIntegration
+	});
+};

backend/src/controllers/keyController.ts

@@ -1,7 +1,9 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import { Key } from '../../models';
-import { findMembership } from '../../helpers/membership';
+import { Key } from '../models';
+import { findMembership } from '../helpers/membership';
+import { PUBLIC_KEY } from '../config';
+import { GRANTED } from '../variables';
 
 /**
  * Add (encrypted) copy of workspace key for workspace with id [workspaceId] for user with
@@ -15,6 +17,16 @@ export const uploadKey = async (req: Request, res: Response) => {
 		const { workspaceId } = req.params;
 		const { key } = req.body;
 
+		// validate membership of sender
+		const senderMembership = await findMembership({
+			user: req.user._id,
+			workspace: workspaceId
+		});
+
+		if (!senderMembership) {
+			throw new Error('Failed sender membership validation for workspace');
+		}
+
 		// validate membership of receiver
 		const receiverMembership = await findMembership({
 			user: key.userId,
@@ -25,6 +37,9 @@ export const uploadKey = async (req: Request, res: Response) => {
 			throw new Error('Failed receiver membership validation for workspace');
 		}
 
+		receiverMembership.status = GRANTED;
+		await receiverMembership.save();
+
 		await new Key({
 			encryptedKey: key.encryptedKey,
 			nonce: key.nonce,
@@ -79,4 +94,16 @@ export const getLatestKey = async (req: Request, res: Response) => {
 	}
 
 	return res.status(200).send(resObj);
-};
+};
+
+/**
+ * Return public key of Infisical
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getPublicKeyInfisical = async (req: Request, res: Response) => {
+	return res.status(200).send({
+		publicKey: PUBLIC_KEY
+	});
+};

backend/src/controllers/membershipController.ts

@@ -1,13 +1,13 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import { Membership, MembershipOrg, User, Key, IMembership, Workspace } from '../../models';
+import { Membership, MembershipOrg, User, Key } from '../models';
 import {
 	findMembership,
 	deleteMembership as deleteMember
-} from '../../helpers/membership';
-import { sendMail } from '../../helpers/nodemailer';
-import { SITE_URL } from '../../config';
-import { ADMIN, MEMBER, ACCEPTED } from '../../variables';
+} from '../helpers/membership';
+import { sendMail } from '../helpers/nodemailer';
+import { SITE_URL } from '../config';
+import { ADMIN, MEMBER, GRANTED, ACCEPTED } from '../variables';
 
 /**
  * Check that user is a member of workspace with id [workspaceId]
@@ -175,7 +175,8 @@ export const inviteUserToWorkspace = async (req: Request, res: Response) => {
 		// already a member of the workspace
 		const inviteeMembership = await Membership.findOne({
 			user: invitee._id,
-			workspace: workspaceId
+			workspace: workspaceId,
+			status: GRANTED
 		});
 
 		if (inviteeMembership)
@@ -204,7 +205,8 @@ export const inviteUserToWorkspace = async (req: Request, res: Response) => {
 		const m = await new Membership({
 			user: invitee._id,
 			workspace: workspaceId,
-			role: MEMBER
+			role: MEMBER,
+			status: GRANTED
 		}).save();
 
 		await sendMail({
@@ -230,4 +232,4 @@ export const inviteUserToWorkspace = async (req: Request, res: Response) => {
 		invitee,
 		latestKey
 	});
-};
+};

backend/src/controllers/membershipOrgController.ts

@@ -1,14 +1,14 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
 import crypto from 'crypto';
-import { SITE_URL, JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET, EMAIL_TOKEN_LIFETIME } from '../../config';
-import { MembershipOrg, Organization, User, Token } from '../../models';
-import { deleteMembershipOrg as deleteMemberFromOrg } from '../../helpers/membershipOrg';
-import { checkEmailVerification } from '../../helpers/signup';
-import { createToken } from '../../helpers/auth';
-import { updateSubscriptionOrgQuantity } from '../../helpers/organization';
-import { sendMail } from '../../helpers/nodemailer';
-import { OWNER, ADMIN, MEMBER, ACCEPTED, INVITED } from '../../variables';
+import { SITE_URL, JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET } from '../config';
+import { MembershipOrg, Organization, User, Token } from '../models';
+import { deleteMembershipOrg as deleteMemberFromOrg } from '../helpers/membershipOrg';
+import { checkEmailVerification } from '../helpers/signup';
+import { createToken } from '../helpers/auth';
+import { updateSubscriptionOrgQuantity } from '../helpers/organization';
+import { sendMail } from '../helpers/nodemailer';
+import { OWNER, ADMIN, MEMBER, ACCEPTED, INVITED } from '../variables';
 
 /**
  * Delete organization membership with id [membershipOrgId] from organization
@@ -77,15 +77,17 @@ export const changeMembershipOrgRole = async (req: Request, res: Response) => {
 	// change role for (target) organization membership with id
 	// [membershipOrgId]
 
+	// TODO
+
 	let membershipToChangeRole;
-	// try {
-	// } catch (err) {
-	// 	Sentry.setUser({ email: req.user.email });
-	// 	Sentry.captureException(err);
-	// 	return res.status(400).send({
-	// 		message: 'Failed to change organization membership role'
-	// 	});
-	// }
+	try {
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to change organization membership role'
+		});
+	}
 
 	return res.status(200).send({
 		membershipOrg: membershipToChangeRole
@@ -116,11 +118,10 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 
 		invitee = await User.findOne({
 			email: inviteeEmail
-		}).select('+publicKey');
+		});
 
 		if (invitee) {
 			// case: invitee is an existing user
-
 			inviteeMembershipOrg = await MembershipOrg.findOne({
 				user: invitee._id,
 				organization: organizationId
@@ -170,8 +171,7 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 				{
 					email: inviteeEmail,
 					token,
-					createdAt: new Date(),
-					ttl: Math.floor(+new Date() / 1000) + EMAIL_TOKEN_LIFETIME // time in seconds, i.e unix
+					createdAt: new Date()
 				},
 				{ upsert: true, new: true }
 			);
@@ -217,7 +217,13 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => {
 	try {
 		const { email, code } = req.body;
 
-		user = await User.findOne({ email }).select('+publicKey');
+		user = await User.findOne({ email });
+		if (user && user?.publicKey) {
+			// case: user has already completed account
+			return res.status(403).send({
+				error: 'Failed email magic link verification for complete account'
+			});
+		}
 
 		const membershipOrg = await MembershipOrg.findOne({
 			inviteEmail: email,
@@ -232,18 +238,6 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => {
 			code
 		});
 
-		if (user && user?.publicKey) {
-			// case: user has already completed account
-			// membership can be approved and redirected to login/dashboard
-			membershipOrg.status = ACCEPTED;
-			await membershipOrg.save();
-
-			return res.status(200).send({
-				message: 'Successfully verified email',
-				user,
-			});
-		}
-
 		if (!user) {
 			// initialize user account
 			user = await new User({
@@ -263,7 +257,7 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => {
 		Sentry.setUser(null);
 		Sentry.captureException(err);
 		return res.status(400).send({
-			error: 'Failed email magic link verification for organization invitation'
+			error: 'Failed email magic link confirmation'
 		});
 	}
 

backend/src/controllers/organizationController.ts

@@ -2,8 +2,11 @@ import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
 import {
 	SITE_URL,
-	STRIPE_SECRET_KEY
-} from '../../config';
+	STRIPE_SECRET_KEY,
+	STRIPE_PRODUCT_STARTER,
+	STRIPE_PRODUCT_PRO,
+	STRIPE_PRODUCT_CARD_AUTH
+} from '../config';
 import Stripe from 'stripe';
 
 const stripe = new Stripe(STRIPE_SECRET_KEY, {
@@ -14,14 +17,24 @@ import {
 	MembershipOrg,
 	Organization,
 	Workspace,
-	IncidentContactOrg,
-	IMembershipOrg
-} from '../../models';
-import { createOrganization as create } from '../../helpers/organization';
-import { addMembershipsOrg } from '../../helpers/membershipOrg';
-import { OWNER, ACCEPTED } from '../../variables';
-import _ from 'lodash';
+	IncidentContactOrg
+} from '../models';
+import { createOrganization as create } from '../helpers/organization';
+import { addMembershipsOrg } from '../helpers/membershipOrg';
+import { OWNER, ACCEPTED } from '../variables';
 
+const productToPriceMap = {
+	starter: STRIPE_PRODUCT_STARTER,
+	pro: STRIPE_PRODUCT_PRO,
+	cardAuth: STRIPE_PRODUCT_CARD_AUTH
+};
+
+/**
+ * Return organizations that user is part of
+ * @param req
+ * @param res
+ * @returns
+ */
 export const getOrganizations = async (req: Request, res: Response) => {
 	let organizations;
 	try {
@@ -333,6 +346,7 @@ export const createOrganizationPortalSession = async (
 
 		if (paymentMethods.data.length < 1) {
 			// case: no payment method on file
+			productToPriceMap['cardAuth'];
 			session = await stripe.checkout.sessions.create({
 				customer: req.membershipOrg.organization.customerId,
 				mode: 'setup',
@@ -384,44 +398,3 @@ export const getOrganizationSubscriptions = async (
 		subscriptions
 	});
 };
-
-
-/**
- * Given a org id, return the projects each member of the org belongs to
- * @param req
- * @param res
- * @returns
- */
-export const getOrganizationMembersAndTheirWorkspaces = async (
-	req: Request,
-	res: Response
-) => {
-	const { organizationId } = req.params;
-
-	const workspacesSet = (
-			await Workspace.find(
-				{
-					organization: organizationId
-				},
-				'_id'
-			)
-		).map((w) => w._id.toString());
-
-	const memberships = (
-		await Membership.find({
-			workspace: { $in: workspacesSet }
-		}).populate('workspace')
-	);
-	const userToWorkspaceIds: any = {};
-
-	memberships.forEach(membership => {
-		const user = membership.user.toString();
-		if (userToWorkspaceIds[user]) {
-			userToWorkspaceIds[user].push(membership.workspace);
-		} else {
-			userToWorkspaceIds[user] = [membership.workspace];
-		}
-	});
-
-	return res.json(userToWorkspaceIds);
-};

backend/src/controllers/passwordController.ts

@@ -0,0 +1,189 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+const jsrp = require('jsrp');
+import * as bigintConversion from 'bigint-conversion';
+import { User, BackupPrivateKey } from '../models';
+
+const clientPublicKeys: any = {};
+
+/**
+ * Return [salt] and [serverPublicKey] as part of step 1 of SRP protocol
+ * @param req
+ * @param res
+ * @returns
+ */
+export const srp1 = async (req: Request, res: Response) => {
+	// return salt, serverPublicKey as part of first step of SRP protocol
+	try {
+		const { clientPublicKey } = req.body;
+		const user = await User.findOne({
+			email: req.user.email
+		}).select('+salt +verifier');
+		
+		if (!user) throw new Error('Failed to find user');
+
+		const server = new jsrp.server();
+		server.init(
+			{
+				salt: user.salt,
+				verifier: user.verifier
+			},
+			() => {
+				// generate server-side public key
+				const serverPublicKey = server.getPublicKey();
+				clientPublicKeys[req.user.email] = {
+					clientPublicKey,
+					serverBInt: bigintConversion.bigintToBuf(server.bInt)
+				};
+
+				return res.status(200).send({
+					serverPublicKey,
+					salt: user.salt
+				});
+			}
+		);
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			error: 'Failed to start change password process'
+		});
+	}
+};
+
+/**
+ * Change account SRP authentication information for user
+ * Requires verifying [clientProof] as part of step 2 of SRP protocol
+ * as initiated in POST /srp1
+ * @param req
+ * @param res
+ * @returns
+ */
+export const changePassword = async (req: Request, res: Response) => {
+	try {
+		const { clientProof, encryptedPrivateKey, iv, tag, salt, verifier } =
+			req.body;
+		const user = await User.findOne({
+			email: req.user.email
+		}).select('+salt +verifier');
+
+		if (!user) throw new Error('Failed to find user');
+
+		const server = new jsrp.server();
+		server.init(
+			{
+				salt: user.salt,
+				verifier: user.verifier,
+				b: clientPublicKeys[req.user.email].serverBInt
+			},
+			async () => {
+				server.setClientPublicKey(
+					clientPublicKeys[req.user.email].clientPublicKey
+				);
+
+				// compare server and client shared keys
+				if (server.checkClientProof(clientProof)) {
+					// change password
+
+					await User.findByIdAndUpdate(
+						req.user._id.toString(),
+						{
+							encryptedPrivateKey,
+							iv,
+							tag,
+							salt,
+							verifier
+						},
+						{
+							new: true
+						}
+					);
+
+					return res.status(200).send({
+						message: 'Successfully changed password'
+					});
+				}
+
+				return res.status(400).send({
+					error: 'Failed to change password. Try again?'
+				});
+			}
+		);
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			error: 'Failed to change password. Try again?'
+		});
+	}
+};
+
+/**
+ * Create or change backup private key for user
+ * @param req
+ * @param res
+ * @returns
+ */
+export const createBackupPrivateKey = async (req: Request, res: Response) => {
+	// create/change backup private key
+	// requires verifying [clientProof] as part of second step of SRP protocol
+	// as initiated in /srp1
+
+	try {
+		const { clientProof, encryptedPrivateKey, iv, tag, salt, verifier } =
+			req.body;
+		const user = await User.findOne({
+			email: req.user.email
+		}).select('+salt +verifier');
+
+		if (!user) throw new Error('Failed to find user');
+
+		const server = new jsrp.server();
+		server.init(
+			{
+				salt: user.salt,
+				verifier: user.verifier,
+				b: clientPublicKeys[req.user.email].serverBInt
+			},
+			async () => {
+				server.setClientPublicKey(
+					clientPublicKeys[req.user.email].clientPublicKey
+				);
+
+				// compare server and client shared keys
+				if (server.checkClientProof(clientProof)) {
+					// create new or replace backup private key
+
+					const backupPrivateKey = await BackupPrivateKey.findOneAndUpdate(
+						{ user: req.user._id },
+						{
+							user: req.user._id,
+							encryptedPrivateKey,
+							iv,
+							tag,
+							salt,
+							verifier
+						},
+						{ upsert: true, new: true }
+					).select('+user, encryptedPrivateKey');
+
+					// issue tokens
+					return res.status(200).send({
+						message: 'Successfully updated backup private key',
+						backupPrivateKey
+					});
+				}
+
+				return res.status(400).send({
+					message: 'Failed to update backup private key'
+				});
+			}
+		);
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to update backup private key'
+		});
+	}
+};

backend/src/controllers/secretController.ts

@@ -1,15 +1,15 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import { Key, Secret } from '../../models';
+import { Key } from '../models';
 import {
-	v1PushSecrets as push,
+	pushSecrets as push,
 	pullSecrets as pull,
 	reformatPullSecrets
-} from '../../helpers/secret';
-import { pushKeys } from '../../helpers/key';
-import { eventPushSecrets } from '../../events';
-import { EventService } from '../../services';
-import { postHogClient } from '../../services';
+} from '../helpers/secret';
+import { pushKeys } from '../helpers/key';
+import { ENV_SET } from '../variables';
+
+import { postHogClient } from '../services';
 
 interface PushSecret {
 	ciphertextKey: string;
@@ -20,10 +20,6 @@ interface PushSecret {
 	ivValue: string;
 	tagValue: string;
 	hashValue: string;
-	ciphertextComment: string;
-	ivComment: string;
-	tagComment: string;
-	hashComment: string;
 	type: 'shared' | 'personal';
 }
 
@@ -43,8 +39,7 @@ export const pushSecrets = async (req: Request, res: Response) => {
 		const { workspaceId } = req.params;
 
 		// validate environment
-		const workspaceEnvs = req.membership.workspace.environments;
-		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
+		if (!ENV_SET.has(environment)) {
 			throw new Error('Failed to validate environment');
 		}
 
@@ -65,8 +60,7 @@ export const pushSecrets = async (req: Request, res: Response) => {
 			workspaceId,
 			keys
 		});
-		
-		
+
 		if (postHogClient) {
 			postHogClient.capture({
 				event: 'secrets pushed',
@@ -80,13 +74,6 @@ export const pushSecrets = async (req: Request, res: Response) => {
 			});
 		}
 
-		// trigger event - push secrets
-		EventService.handleEvent({
-			event: eventPushSecrets({
-				workspaceId
-			})
-		});
-
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);
@@ -116,17 +103,14 @@ export const pullSecrets = async (req: Request, res: Response) => {
 		const { workspaceId } = req.params;
 
 		// validate environment
-		const workspaceEnvs = req.membership.workspace.environments;
-		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
+		if (!ENV_SET.has(environment)) {
 			throw new Error('Failed to validate environment');
 		}
 
 		secrets = await pull({
 			userId: req.user._id.toString(),
 			workspaceId,
-			environment,
-			channel: channel ? channel : 'cli',
-			ipAddress: req.ip
+			environment
 		});
 
 		key = await Key.findOne({
@@ -176,6 +160,9 @@ export const pullSecrets = async (req: Request, res: Response) => {
  * @returns
  */
 export const pullSecretsServiceToken = async (req: Request, res: Response) => {
+	// get (encrypted) secrets from workspace with id [workspaceId]
+	// service token route
+
 	let secrets;
 	let key;
 	try {
@@ -184,17 +171,14 @@ export const pullSecretsServiceToken = async (req: Request, res: Response) => {
 		const { workspaceId } = req.params;
 
 		// validate environment
-		const workspaceEnvs = req.membership.workspace.environments;
-		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
+		if (!ENV_SET.has(environment)) {
 			throw new Error('Failed to validate environment');
 		}
 
 		secrets = await pull({
 			userId: req.serviceToken.user._id.toString(),
 			workspaceId,
-			environment,
-			channel: 'cli',
-			ipAddress: req.ip
+			environment
 		});
 
 		key = {
@@ -208,7 +192,7 @@ export const pullSecretsServiceToken = async (req: Request, res: Response) => {
 		};
 
 		if (postHogClient) {
-			// capture secrets pulled event in production
+			// capture secrets pushed event in production
 			postHogClient.capture({
 				distinctId: req.serviceToken.user.email,
 				event: 'secrets pulled',
@@ -232,4 +216,4 @@ export const pullSecretsServiceToken = async (req: Request, res: Response) => {
 		secrets: reformatPullSecrets({ secrets }),
 		key
 	});
-};
+};

backend/src/controllers/serviceTokenController.ts

@@ -1,7 +1,8 @@
 import { Request, Response } from 'express';
-import { ServiceToken } from '../../models';
-import { createToken } from '../../helpers/auth';
-import { JWT_SERVICE_SECRET } from '../../config';
+import { ServiceToken } from '../models';
+import { createToken } from '../helpers/auth';
+import { ENV_SET } from '../variables';
+import { JWT_SERVICE_SECRET } from '../config';
 
 /**
  * Return service token on request
@@ -10,6 +11,7 @@ import { JWT_SERVICE_SECRET } from '../../config';
  * @returns
  */
 export const getServiceToken = async (req: Request, res: Response) => {
+	// get service token
 	return res.status(200).send({
 		serviceToken: req.serviceToken
 	});
@@ -35,8 +37,7 @@ export const createServiceToken = async (req: Request, res: Response) => {
 		} = req.body;
 
 		// validate environment
-		const workspaceEnvs = req.membership.workspace.environments;
-		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
+		if (!ENV_SET.has(environment)) {
 			throw new Error('Failed to validate environment');
 		}
 
@@ -57,8 +58,7 @@ export const createServiceToken = async (req: Request, res: Response) => {
 
 		token = createToken({
 			payload: {
-				serviceTokenId: serviceToken._id.toString(),
-				workspaceId
+				serviceTokenId: serviceToken._id.toString()
 			},
 			expiresIn: expiresIn,
 			secret: JWT_SERVICE_SECRET
@@ -72,4 +72,4 @@ export const createServiceToken = async (req: Request, res: Response) => {
 	return res.status(200).send({
 		token
 	});
-};
+};

backend/src/controllers/signupController.ts

@@ -1,17 +1,15 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import { NODE_ENV, JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET, INVITE_ONLY_SIGNUP } from '../../config';
-import { User, MembershipOrg } from '../../models';
-import { completeAccount } from '../../helpers/user';
+import { NODE_ENV, JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET } from '../config';
+import { User, MembershipOrg } from '../models';
+import { completeAccount } from '../helpers/user';
 import {
 	sendEmailVerification,
 	checkEmailVerification,
 	initializeDefaultOrg
-} from '../../helpers/signup';
-import { issueTokens, createToken } from '../../helpers/auth';
-import { INVITED, ACCEPTED } from '../../variables';
-import axios from 'axios';
-import { BadRequestError } from '../../utils/errors';
+} from '../helpers/signup';
+import { issueTokens, createToken } from '../helpers/auth';
+import { INVITED, ACCEPTED } from '../variables';
 
 /**
  * Signup step 1: Initialize account for user under email [email] and send a verification code
@@ -25,14 +23,6 @@ export const beginEmailSignup = async (req: Request, res: Response) => {
 	try {
 		email = req.body.email;
 
-		if (INVITE_ONLY_SIGNUP) {
-			// Only one user can create an account without being invited. The rest need to be invited in order to make an account
-			const userCount = await User.countDocuments({})
-			if (userCount != 0) {
-				throw BadRequestError({ message: "New user sign ups are not allowed at this time. You must be invited to sign up." })
-			}
-		}
-
 		const user = await User.findOne({ email }).select('+publicKey');
 		if (user && user?.publicKey) {
 			// case: user has already completed account
@@ -138,7 +128,7 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 
 		// get user
 		user = await User.findOne({ email });
-
+		
 		if (!user || (user && user?.publicKey)) {
 			// case 1: user doesn't exist.
 			// case 2: user has already completed account
@@ -189,21 +179,6 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 
 		token = tokens.token;
 		refreshToken = tokens.refreshToken;
-
-		// sending a welcome email to new users
-		if (process.env.LOOPS_API_KEY) {
-			await axios.post("https://app.loops.so/api/v1/events/send", {
-				"email": email,
-				"eventName": "Sign Up",
-				"firstName": firstName,
-				"lastName": lastName
-			}, {
-				headers: {
-					"Accept": "application/json",
-					"Authorization": "Bearer " + process.env.LOOPS_API_KEY
-				},
-			});
-		}
 	} catch (err) {
 		Sentry.setUser(null);
 		Sentry.captureException(err);

backend/src/controllers/stripeController.ts

@@ -1,7 +1,7 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
 import Stripe from 'stripe';
-import { STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET } from '../../../config';
+import { STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET } from '../config';
 const stripe = new Stripe(STRIPE_SECRET_KEY, {
 	apiVersion: '2022-08-01'
 });

backend/src/controllers/userActionController.ts

@@ -1,6 +1,6 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import { UserAction } from '../../models';
+import { UserAction } from '../models';
 
 /**
  * Add user action [action]

backend/src/controllers/v1/authController.ts

@@ -1,261 +0,0 @@
-/* eslint-disable @typescript-eslint/no-var-requires */
-import { Request, Response } from 'express';
-import jwt from 'jsonwebtoken';
-import * as Sentry from '@sentry/node';
-import * as bigintConversion from 'bigint-conversion';
-const jsrp = require('jsrp');
-import { User, LoginSRPDetail } from '../../models';
-import { createToken, issueTokens, clearTokens } from '../../helpers/auth';
-import {
-  ACTION_LOGIN,
-  ACTION_LOGOUT
-} from '../../variables';
-import {
-  NODE_ENV,
-  JWT_AUTH_LIFETIME,
-  JWT_AUTH_SECRET,
-  JWT_REFRESH_SECRET
-} from '../../config';
-import { BadRequestError } from '../../utils/errors';
-import { EELogService } from '../../ee/services';
-import { getChannelFromUserAgent } from '../../utils/posthog'; // TODO: move this
-
-declare module 'jsonwebtoken' {
-  export interface UserIDJwtPayload extends jwt.JwtPayload {
-    userId: string;
-  }
-}
-
-/**
- * Log in user step 1: Return [salt] and [serverPublicKey] as part of step 1 of SRP protocol
- * @param req
- * @param res
- * @returns
- */
-export const login1 = async (req: Request, res: Response) => {
-  try {
-    const {
-      email,
-      clientPublicKey
-    }: { email: string; clientPublicKey: string } = req.body;
-
-    const user = await User.findOne({
-      email
-    }).select('+salt +verifier');
-
-    if (!user) throw new Error('Failed to find user');
-
-    const server = new jsrp.server();
-    server.init(
-      {
-        salt: user.salt,
-        verifier: user.verifier
-      },
-      async () => {
-        // generate server-side public key
-        const serverPublicKey = server.getPublicKey();
-
-        await LoginSRPDetail.findOneAndReplace({ email: email }, {
-          email: email,
-          clientPublicKey: clientPublicKey,
-          serverBInt: bigintConversion.bigintToBuf(server.bInt),
-        }, { upsert: true, returnNewDocument: false })
-
-        return res.status(200).send({
-          serverPublicKey,
-          salt: user.salt
-        });
-      }
-    );
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to start authentication process'
-    });
-  }
-};
-
-/**
- * Log in user step 2: complete step 2 of SRP protocol and return token and their (encrypted)
- * private key
- * @param req
- * @param res
- * @returns
- */
-export const login2 = async (req: Request, res: Response) => {
-  try {
-    const { email, clientProof } = req.body;
-    const user = await User.findOne({
-      email
-    }).select('+salt +verifier +publicKey +encryptedPrivateKey +iv +tag');
-
-    if (!user) throw new Error('Failed to find user');
-
-    const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: email })
-
-    if (!loginSRPDetailFromDB) {
-      return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
-    }
-
-    const server = new jsrp.server();
-    server.init(
-      {
-        salt: user.salt,
-        verifier: user.verifier,
-        b: loginSRPDetailFromDB.serverBInt
-      },
-      async () => {
-        server.setClientPublicKey(loginSRPDetailFromDB.clientPublicKey);
-
-        // compare server and client shared keys
-        if (server.checkClientProof(clientProof)) {
-          // issue tokens
-          const tokens = await issueTokens({ userId: user._id.toString() });
-
-          // store (refresh) token in httpOnly cookie
-          res.cookie('jid', tokens.refreshToken, {
-            httpOnly: true,
-            path: '/',
-            sameSite: 'strict',
-            secure: NODE_ENV === 'production' ? true : false
-          });
-
-          const loginAction = await EELogService.createAction({
-            name: ACTION_LOGIN,
-            userId: user._id
-          });
-          
-          loginAction && await EELogService.createLog({
-            userId: user._id,
-            actions: [loginAction],
-            channel: getChannelFromUserAgent(req.headers['user-agent']),
-            ipAddress: req.ip
-          });
-          
-          // return (access) token in response
-          return res.status(200).send({
-            token: tokens.token,
-            publicKey: user.publicKey,
-            encryptedPrivateKey: user.encryptedPrivateKey,
-            iv: user.iv,
-            tag: user.tag
-          });
-        }
-
-        return res.status(400).send({
-          message: 'Failed to authenticate. Try again?'
-        });
-      }
-    );
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to authenticate. Try again?'
-    });
-  }
-};
-
-/**
- * Log out user
- * @param req
- * @param res
- * @returns
- */
-export const logout = async (req: Request, res: Response) => {
-  try {
-    await clearTokens({
-      userId: req.user._id.toString()
-    });
-
-    // clear httpOnly cookie
-    res.cookie('jid', '', {
-      httpOnly: true,
-      path: '/',
-      sameSite: 'strict',
-      secure: NODE_ENV === 'production' ? true : false
-    });
-
-    const logoutAction = await EELogService.createAction({
-      name: ACTION_LOGOUT,
-      userId: req.user._id
-    });
-    
-    logoutAction && await EELogService.createLog({
-      userId: req.user._id,
-      actions: [logoutAction],
-      channel: getChannelFromUserAgent(req.headers['user-agent']),
-      ipAddress: req.ip
-    });
-
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to logout'
-    });
-  }
-
-  return res.status(200).send({
-    message: 'Successfully logged out.'
-  });
-};
-
-/**
- * Return user is authenticated
- * @param req
- * @param res
- * @returns
- */
-export const checkAuth = async (req: Request, res: Response) => {
-  return res.status(200).send({
-    message: 'Authenticated'
-  });
-}
-
-/**
- * Return new token by redeeming refresh token
- * @param req
- * @param res
- * @returns
- */
-export const getNewToken = async (req: Request, res: Response) => {
-  try {
-    const refreshToken = req.cookies.jid;
-
-    if (!refreshToken) {
-      throw new Error('Failed to find token in request cookies');
-    }
-
-    const decodedToken = <jwt.UserIDJwtPayload>(
-      jwt.verify(refreshToken, JWT_REFRESH_SECRET)
-    );
-
-    const user = await User.findOne({
-      _id: decodedToken.userId
-    }).select('+publicKey');
-
-    if (!user) throw new Error('Failed to authenticate unfound user');
-    if (!user?.publicKey)
-      throw new Error('Failed to authenticate not fully set up account');
-
-    const token = createToken({
-      payload: {
-        userId: decodedToken.userId
-      },
-      expiresIn: JWT_AUTH_LIFETIME,
-      secret: JWT_AUTH_SECRET
-    });
-
-    return res.status(200).send({
-      token
-    });
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Invalid request'
-    });
-  }
-};

backend/src/controllers/v1/botController.ts

@@ -1,107 +0,0 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { Bot, BotKey } from '../../models';
-import { createBot } from '../../helpers/bot';
-
-interface BotKey {
-    encryptedKey: string;
-    nonce: string;
-}
-
-/**
- * Return bot for workspace with id [workspaceId]. If a workspace bot doesn't exist,
- * then create and return a new bot.
- * @param req
- * @param res
- * @returns
- */
-export const getBotByWorkspaceId = async (req: Request, res: Response) => {
-    let bot;
-	try {
-        const { workspaceId } = req.params;
-
-        bot = await Bot.findOne({
-            workspace: workspaceId
-        });
-        
-        if (!bot) {
-            // case: bot doesn't exist for workspace with id [workspaceId]
-            // -> create a new bot and return it
-            bot = await createBot({
-                name: 'Infisical Bot',
-                workspaceId
-            });
-        }
-	} catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-        return res.status(400).send({
-			message: 'Failed to get bot for workspace'
-		});
-	}
-    
-    return res.status(200).send({
-        bot
-    });
-};
-
-/**
- * Return bot with id [req.bot._id] with active state set to [isActive].
- * @param req
- * @param res
- * @returns
- */
-export const setBotActiveState = async (req: Request, res: Response) => {
-    let bot;
-	try {
-        const { isActive, botKey }: { isActive: boolean, botKey: BotKey } = req.body;
-        
-        if (isActive) {
-            // bot state set to active -> share workspace key with bot
-            if (!botKey?.encryptedKey || !botKey?.nonce) {
-                return res.status(400).send({
-                    message: 'Failed to set bot state to active - missing bot key'
-                });
-            }
-            
-            await BotKey.findOneAndUpdate({
-                workspace: req.bot.workspace
-            }, {
-                encryptedKey: botKey.encryptedKey,
-                nonce: botKey.nonce,
-                sender: req.user._id,
-                bot: req.bot._id,
-                workspace: req.bot.workspace
-            }, {
-                upsert: true,
-                new: true
-            });
-        } else {
-            // case: bot state set to inactive -> delete bot's workspace key
-            await BotKey.deleteOne({
-                bot: req.bot._id
-            });
-        }
-
-        bot = await Bot.findOneAndUpdate({
-            _id: req.bot._id
-        }, {
-            isActive
-        }, {
-            new: true
-        });
-        
-        if (!bot) throw new Error('Failed to update bot active state');
-        
-	} catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-        return res.status(400).send({
-			message: 'Failed to update bot active state'
-		});
-	}
-    
-    return res.status(200).send({
-        bot
-    });
-};

backend/src/controllers/v1/integrationAuthController.ts

@@ -1,200 +0,0 @@
-import { Request, Response } from 'express';
-import { Types } from 'mongoose';
-import * as Sentry from '@sentry/node';
-import {
-	Integration, 
-	IntegrationAuth,
-	Bot 
-} from '../../models';
-import { INTEGRATION_SET, INTEGRATION_OPTIONS } from '../../variables';
-import { IntegrationService } from '../../services';
-import { getApps, revokeAccess } from '../../integrations';
-
-/***
- * Return integration authorization with id [integrationAuthId]
- */
-export const getIntegrationAuth = async (req: Request, res: Response) => {
-	let integrationAuth;
-	try {
-		const { integrationAuthId } = req.params;
-		integrationAuth = await IntegrationAuth.findById(integrationAuthId);
-		
-		if (!integrationAuth) return res.status(400).send({
-			message: 'Failed to find integration authorization'
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get integration authorization'
-		});	
-	}
-	
-	return res.status(200).send({
-		integrationAuth
-	});
-}
-
-export const getIntegrationOptions = async (req: Request, res: Response) => {
-  return res.status(200).send({
-    integrationOptions: INTEGRATION_OPTIONS,
-  });
-};
-
-/**
- * Perform OAuth2 code-token exchange as part of integration [integration] for workspace with id [workspaceId]
- * @param req
- * @param res
- * @returns
- */
-export const oAuthExchange = async (
-	req: Request,
-	res: Response
-) => {
-	try {
-		const { workspaceId, code, integration } = req.body;
-		if (!INTEGRATION_SET.has(integration))
-			throw new Error('Failed to validate integration');
-		
-		const environments = req.membership.workspace?.environments || [];
-		if(environments.length === 0){
-			throw new Error("Failed to get environments")
-		}
-	
-		const integrationAuth = await IntegrationService.handleOAuthExchange({
-			workspaceId,
-			integration,
-			code,
-			environment: environments[0].slug,
-		});
-		
-		return res.status(200).send({
-			integrationAuth
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get OAuth2 code-token exchange'
-		});
-	}
-};
-
-/**
- * Save integration access token and (optionally) access id as part of integration
- * [integration] for workspace with id [workspaceId]
- * @param req 
- * @param res 
- */
-export const saveIntegrationAccessToken = async (
-  req: Request,
-  res: Response
-) => {
-	// TODO: refactor
-	// TODO: check if access token is valid for each integration
-
-	let integrationAuth;
-	try {
-		const {
-			workspaceId,
-			accessId,
-			accessToken,
-			integration
-		}: {
-			workspaceId: string;
-			accessId: string | null;
-			accessToken: string;
-			integration: string;
-		} = req.body;
-
-		const bot = await Bot.findOne({
-            workspace: new Types.ObjectId(workspaceId),
-            isActive: true
-        });
-        
-        if (!bot) throw new Error('Bot must be enabled to save integration access token');
-
-		integrationAuth = await IntegrationAuth.findOneAndUpdate({
-            workspace: new Types.ObjectId(workspaceId),
-            integration
-        }, {
-            workspace: new Types.ObjectId(workspaceId),
-            integration
-		}, {
-            new: true,
-            upsert: true
-        });
-		
-		// encrypt and save integration access details
-		integrationAuth = await IntegrationService.setIntegrationAuthAccess({
-			integrationAuthId: integrationAuth._id.toString(),
-			accessId,
-			accessToken,
-			accessExpiresAt: undefined
-		});
-		
-		if (!integrationAuth) throw new Error('Failed to save integration access token');
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to save access token for integration'
-		});
-	}
-	
-	return res.status(200).send({
-		integrationAuth
-	});
-}
-
-/**
- * Return list of applications allowed for integration with integration authorization id [integrationAuthId]
- * @param req
- * @param res
- * @returns
- */
-export const getIntegrationAuthApps = async (req: Request, res: Response) => {
-  let apps;
-  try {
-    apps = await getApps({
-      integrationAuth: req.integrationAuth,
-      accessToken: req.accessToken,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get integration authorization applications",
-    });
-  }
-
-  return res.status(200).send({
-    apps,
-  });
-};
-
-/**
- * Delete integration authorization with id [integrationAuthId]
- * @param req
- * @param res
- * @returns
- */
-export const deleteIntegrationAuth = async (req: Request, res: Response) => {
-  let integrationAuth;
-  try {
-    integrationAuth = await revokeAccess({
-      integrationAuth: req.integrationAuth,
-      accessToken: req.accessToken,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to delete integration authorization",
-    });
-  }
-
-  return res.status(200).send({
-    integrationAuth,
-  });
-};

backend/src/controllers/v1/integrationController.ts

@@ -1,161 +0,0 @@
-import { Request, Response } from 'express';
-import { Types } from 'mongoose';
-import * as Sentry from '@sentry/node';
-import { 
-	Integration, 
-	Workspace,
-	Bot, 
-	BotKey 
-} from '../../models';
-import { EventService } from '../../services';
-import { eventPushSecrets } from '../../events';
-
-/**
- * Create/initialize an (empty) integration for integration authorization
- * @param req
- * @param res
- * @returns
- */
-export const createIntegration = async (req: Request, res: Response) => {
-	let integration;
-	try {
-		const {
-			integrationAuthId,
-			app,
-			appId,
-			isActive,
-			sourceEnvironment,
-			targetEnvironment,
-			owner,
-			path,
-			region
-		} = req.body;
-		
-		// TODO: validate [sourceEnvironment] and [targetEnvironment]
-
-		// initialize new integration after saving integration access token
-        integration = await new Integration({
-            workspace: req.integrationAuth.workspace._id,
-            environment: sourceEnvironment,
-            isActive,
-            app,
-			appId,
-			targetEnvironment,
-			owner,
-			path,
-			region,
-            integration: req.integrationAuth.integration,
-            integrationAuth: new Types.ObjectId(integrationAuthId)
-        }).save();
-		
-		if (integration) {
-			// trigger event - push secrets
-			EventService.handleEvent({
-				event: eventPushSecrets({
-					workspaceId: integration.workspace.toString()
-				})
-			});
-		}
-
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to create integration'
-		});
-	}
-
-  return res.status(200).send({
-    integration,
-  });
-};
-
-/**
- * Change environment or name of integration with id [integrationId]
- * @param req
- * @param res
- * @returns
- */
-export const updateIntegration = async (req: Request, res: Response) => {
-  let integration;
-
-  // TODO: add integration-specific validation to ensure that each
-  // integration has the correct fields populated in [Integration]
-
-  try {
-    const {
-      environment,
-      isActive,
-      app,
-      appId,
-      targetEnvironment,
-      owner, // github-specific integration param
-    } = req.body;
-
-    integration = await Integration.findOneAndUpdate(
-      {
-        _id: req.integration._id,
-      },
-      {
-        environment,
-        isActive,
-        app,
-        appId,
-        targetEnvironment,
-        owner,
-      },
-      {
-        new: true,
-      }
-    );
-
-    if (integration) {
-      // trigger event - push secrets
-      EventService.handleEvent({
-        event: eventPushSecrets({
-          workspaceId: integration.workspace.toString(),
-        }),
-      });
-    }
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to update integration",
-    });
-  }
-
-  return res.status(200).send({
-    integration,
-  });
-};
-
-/**
- * Delete integration with id [integrationId] and deactivate bot if there are
- * no integrations left
- * @param req
- * @param res
- * @returns
- */
-export const deleteIntegration = async (req: Request, res: Response) => {
-  let integration;
-  try {
-    const { integrationId } = req.params;
-
-    integration = await Integration.findOneAndDelete({
-      _id: integrationId,
-    });
-
-    if (!integration) throw new Error("Failed to find integration");
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to delete integration",
-    });
-  }
-
-  return res.status(200).send({
-    integration,
-  });
-};

backend/src/controllers/v1/passwordController.ts

@@ -1,375 +0,0 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import crypto from 'crypto';
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const jsrp = require('jsrp');
-import * as bigintConversion from 'bigint-conversion';
-import { User, Token, BackupPrivateKey, LoginSRPDetail } from '../../models';
-import { checkEmailVerification } from '../../helpers/signup';
-import { createToken } from '../../helpers/auth';
-import { sendMail } from '../../helpers/nodemailer';
-import { EMAIL_TOKEN_LIFETIME, JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET, SITE_URL } from '../../config';
-import { BadRequestError } from '../../utils/errors';
-
-/**
- * Password reset step 1: Send email verification link to email [email] 
- * for account recovery.
- * @param req
- * @param res
- * @returns
- */
-export const emailPasswordReset = async (req: Request, res: Response) => {
-	let email: string;
-	try {
-		email = req.body.email;
-
-		const user = await User.findOne({ email }).select('+publicKey');
-		if (!user || !user?.publicKey) {
-			// case: user has already completed account
-
-			return res.status(403).send({
-				error: 'Failed to send email verification for password reset'
-			});
-		}
-
-		const token = crypto.randomBytes(16).toString('hex');
-
-		await Token.findOneAndUpdate(
-			{ email },
-			{
-				email,
-				token,
-				createdAt: new Date(),
-				ttl: Math.floor(+new Date() / 1000) + EMAIL_TOKEN_LIFETIME // time in seconds, i.e unix
-			},
-			{ upsert: true, new: true }
-		);
-
-		await sendMail({
-			template: 'passwordReset.handlebars',
-			subjectLine: 'Infisical password reset',
-			recipients: [email],
-			substitutions: {
-				email,
-				token,
-				callback_url: SITE_URL + '/password-reset'
-			}
-		});
-
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to send email for account recovery'
-		});
-	}
-
-	return res.status(200).send({
-		message: `Sent an email for account recovery to ${email}`
-	});
-}
-
-/**
- * Password reset step 2: Verify email verification link sent to email [email]
- * @param req 
- * @param res 
- * @returns 
- */
-export const emailPasswordResetVerify = async (req: Request, res: Response) => {
-	let user, token;
-	try {
-		const { email, code } = req.body;
-
-		user = await User.findOne({ email }).select('+publicKey');
-		if (!user || !user?.publicKey) {
-			// case: user doesn't exist with email [email] or 
-			// hasn't even completed their account
-			return res.status(403).send({
-				error: 'Failed email verification for password reset'
-			});
-		}
-
-		await checkEmailVerification({
-			email,
-			code
-		});
-
-		// generate temporary password-reset token
-		token = createToken({
-			payload: {
-				userId: user._id.toString()
-			},
-			expiresIn: JWT_SIGNUP_LIFETIME,
-			secret: JWT_SIGNUP_SECRET
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed email verification for password reset'
-		});
-	}
-
-	return res.status(200).send({
-		message: 'Successfully verified email',
-		user,
-		token
-	});
-}
-
-/**
- * Return [salt] and [serverPublicKey] as part of step 1 of SRP protocol
- * @param req
- * @param res
- * @returns
- */
-export const srp1 = async (req: Request, res: Response) => {
-	// return salt, serverPublicKey as part of first step of SRP protocol
-	try {
-		const { clientPublicKey } = req.body;
-		const user = await User.findOne({
-			email: req.user.email
-		}).select('+salt +verifier');
-
-		if (!user) throw new Error('Failed to find user');
-
-		const server = new jsrp.server();
-		server.init(
-			{
-				salt: user.salt,
-				verifier: user.verifier
-			},
-			async () => {
-				// generate server-side public key
-				const serverPublicKey = server.getPublicKey();
-
-				await LoginSRPDetail.findOneAndReplace({ email: req.user.email }, {
-					email: req.user.email,
-					clientPublicKey: clientPublicKey,
-					serverBInt: bigintConversion.bigintToBuf(server.bInt),
-				}, { upsert: true, returnNewDocument: false })
-
-				return res.status(200).send({
-					serverPublicKey,
-					salt: user.salt
-				});
-			}
-		);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			error: 'Failed to start change password process'
-		});
-	}
-};
-
-/**
- * Change account SRP authentication information for user
- * Requires verifying [clientProof] as part of step 2 of SRP protocol
- * as initiated in POST /srp1
- * @param req
- * @param res
- * @returns
- */
-export const changePassword = async (req: Request, res: Response) => {
-	try {
-		const { clientProof, encryptedPrivateKey, iv, tag, salt, verifier } =
-			req.body;
-		const user = await User.findOne({
-			email: req.user.email
-		}).select('+salt +verifier');
-
-		if (!user) throw new Error('Failed to find user');
-
-		const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: req.user.email })
-
-		if (!loginSRPDetailFromDB) {
-			return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
-		}
-
-		const server = new jsrp.server();
-		server.init(
-			{
-				salt: user.salt,
-				verifier: user.verifier,
-				b: loginSRPDetailFromDB.serverBInt
-			},
-			async () => {
-				server.setClientPublicKey(loginSRPDetailFromDB.clientPublicKey);
-
-				// compare server and client shared keys
-				if (server.checkClientProof(clientProof)) {
-					// change password
-
-					await User.findByIdAndUpdate(
-						req.user._id.toString(),
-						{
-							encryptedPrivateKey,
-							iv,
-							tag,
-							salt,
-							verifier
-						},
-						{
-							new: true
-						}
-					);
-
-					return res.status(200).send({
-						message: 'Successfully changed password'
-					});
-				}
-
-				return res.status(400).send({
-					error: 'Failed to change password. Try again?'
-				});
-			}
-		);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			error: 'Failed to change password. Try again?'
-		});
-	}
-};
-
-/**
- * Create or change backup private key for user
- * @param req
- * @param res
- * @returns
- */
-export const createBackupPrivateKey = async (req: Request, res: Response) => {
-	// create/change backup private key
-	// requires verifying [clientProof] as part of second step of SRP protocol
-	// as initiated in /srp1
-
-	try {
-		const { clientProof, encryptedPrivateKey, iv, tag, salt, verifier } =
-			req.body;
-		const user = await User.findOne({
-			email: req.user.email
-		}).select('+salt +verifier');
-
-		if (!user) throw new Error('Failed to find user');
-
-		const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: req.user.email })
-
-		if (!loginSRPDetailFromDB) {
-			return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
-		}
-
-		const server = new jsrp.server();
-		server.init(
-			{
-				salt: user.salt,
-				verifier: user.verifier,
-				b: loginSRPDetailFromDB.serverBInt
-			},
-			async () => {
-				server.setClientPublicKey(
-					loginSRPDetailFromDB.clientPublicKey
-				);
-
-				// compare server and client shared keys
-				if (server.checkClientProof(clientProof)) {
-					// create new or replace backup private key
-
-					const backupPrivateKey = await BackupPrivateKey.findOneAndUpdate(
-						{ user: req.user._id },
-						{
-							user: req.user._id,
-							encryptedPrivateKey,
-							iv,
-							tag,
-							salt,
-							verifier
-						},
-						{ upsert: true, new: true }
-					).select('+user, encryptedPrivateKey');
-
-					// issue tokens
-					return res.status(200).send({
-						message: 'Successfully updated backup private key',
-						backupPrivateKey
-					});
-				}
-
-				return res.status(400).send({
-					message: 'Failed to update backup private key'
-				});
-			}
-		);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to update backup private key'
-		});
-	}
-};
-
-/**
- * Return backup private key for user
- * @param req 
- * @param res 
- * @returns 
- */
-export const getBackupPrivateKey = async (req: Request, res: Response) => {
-	let backupPrivateKey;
-	try {
-		backupPrivateKey = await BackupPrivateKey.findOne({
-			user: req.user._id
-		}).select('+encryptedPrivateKey +iv +tag');
-
-		if (!backupPrivateKey) throw new Error('Failed to find backup private key');
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get backup private key'
-		});
-	}
-
-	return res.status(200).send({
-		backupPrivateKey
-	});
-}
-
-export const resetPassword = async (req: Request, res: Response) => {
-	try {
-		const {
-			encryptedPrivateKey,
-			iv,
-			tag,
-			salt,
-			verifier,
-		} = req.body;
-
-		await User.findByIdAndUpdate(
-			req.user._id.toString(),
-			{
-				encryptedPrivateKey,
-				iv,
-				tag,
-				salt,
-				verifier
-			},
-			{
-				new: true
-			}
-		);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get backup private key'
-		});
-	}
-
-	return res.status(200).send({
-		message: 'Successfully reset password'
-	});
-}

backend/src/controllers/v1/workspaceController.ts

@@ -1,335 +0,0 @@
-import { Request, Response } from "express";
-import * as Sentry from "@sentry/node";
-import {
-  Workspace,
-  Membership,
-  MembershipOrg,
-  Integration,
-  IntegrationAuth,
-  IUser,
-  ServiceToken,
-  ServiceTokenData,
-} from "../../models";
-import {
-  createWorkspace as create,
-  deleteWorkspace as deleteWork,
-} from "../../helpers/workspace";
-import { addMemberships } from "../../helpers/membership";
-import { ADMIN } from "../../variables";
-
-/**
- * Return public keys of members of workspace with id [workspaceId]
- * @param req
- * @param res
- * @returns
- */
-export const getWorkspacePublicKeys = async (req: Request, res: Response) => {
-  let publicKeys;
-  try {
-    const { workspaceId } = req.params;
-
-    publicKeys = (
-      await Membership.find({
-        workspace: workspaceId,
-      }).populate<{ user: IUser }>("user", "publicKey")
-    ).map((member) => {
-      return {
-        publicKey: member.user.publicKey,
-        userId: member.user._id,
-      };
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace member public keys",
-    });
-  }
-
-  return res.status(200).send({
-    publicKeys,
-  });
-};
-
-/**
- * Return memberships for workspace with id [workspaceId]
- * @param req
- * @param res
- * @returns
- */
-export const getWorkspaceMemberships = async (req: Request, res: Response) => {
-  let users;
-  try {
-    const { workspaceId } = req.params;
-
-    users = await Membership.find({
-      workspace: workspaceId,
-    }).populate("user", "+publicKey");
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace members",
-    });
-  }
-
-  return res.status(200).send({
-    users,
-  });
-};
-
-/**
- * Return workspaces that user is part of
- * @param req
- * @param res
- * @returns
- */
-export const getWorkspaces = async (req: Request, res: Response) => {
-  let workspaces;
-  try {
-    workspaces = (
-      await Membership.find({
-        user: req.user._id,
-      }).populate("workspace")
-    ).map((m) => m.workspace);
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspaces",
-    });
-  }
-
-  return res.status(200).send({
-    workspaces,
-  });
-};
-
-/**
- * Return workspace with id [workspaceId]
- * @param req
- * @param res
- * @returns
- */
-export const getWorkspace = async (req: Request, res: Response) => {
-  let workspace;
-  try {
-    const { workspaceId } = req.params;
-
-    workspace = await Workspace.findOne({
-      _id: workspaceId,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace",
-    });
-  }
-
-  return res.status(200).send({
-    workspace,
-  });
-};
-
-/**
- * Create new workspace named [workspaceName] under organization with id
- * [organizationId] and add user as admin
- * @param req
- * @param res
- * @returns
- */
-export const createWorkspace = async (req: Request, res: Response) => {
-  let workspace;
-  try {
-    const { workspaceName, organizationId } = req.body;
-
-    // validate organization membership
-    const membershipOrg = await MembershipOrg.findOne({
-      user: req.user._id,
-      organization: organizationId,
-    });
-
-    if (!membershipOrg) {
-      throw new Error("Failed to validate organization membership");
-    }
-
-    if (workspaceName.length < 1) {
-      throw new Error("Workspace names must be at least 1-character long");
-    }
-
-    // create workspace and add user as member
-    workspace = await create({
-      name: workspaceName,
-      organizationId,
-    });
-
-    await addMemberships({
-      userIds: [req.user._id],
-      workspaceId: workspace._id.toString(),
-      roles: [ADMIN],
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to create workspace",
-    });
-  }
-
-  return res.status(200).send({
-    workspace,
-  });
-};
-
-/**
- * Delete workspace with id [workspaceId]
- * @param req
- * @param res
- * @returns
- */
-export const deleteWorkspace = async (req: Request, res: Response) => {
-  try {
-    const { workspaceId } = req.params;
-
-    // delete workspace
-    await deleteWork({
-      id: workspaceId,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to delete workspace",
-    });
-  }
-
-  return res.status(200).send({
-    message: "Successfully deleted workspace",
-  });
-};
-
-/**
- * Change name of workspace with id [workspaceId] to [name]
- * @param req
- * @param res
- * @returns
- */
-export const changeWorkspaceName = async (req: Request, res: Response) => {
-  let workspace;
-  try {
-    const { workspaceId } = req.params;
-    const { name } = req.body;
-
-    workspace = await Workspace.findOneAndUpdate(
-      {
-        _id: workspaceId,
-      },
-      {
-        name,
-      },
-      {
-        new: true,
-      }
-    );
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to change workspace name",
-    });
-  }
-
-  return res.status(200).send({
-    message: "Successfully changed workspace name",
-    workspace,
-  });
-};
-
-/**
- * Return integrations for workspace with id [workspaceId]
- * @param req
- * @param res
- * @returns
- */
-export const getWorkspaceIntegrations = async (req: Request, res: Response) => {
-  let integrations;
-  try {
-    const { workspaceId } = req.params;
-
-    integrations = await Integration.find({
-      workspace: workspaceId,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace integrations",
-    });
-  }
-
-  return res.status(200).send({
-    integrations,
-  });
-};
-
-/**
- * Return (integration) authorizations for workspace with id [workspaceId]
- * @param req
- * @param res
- * @returns
- */
-export const getWorkspaceIntegrationAuthorizations = async (
-  req: Request,
-  res: Response
-) => {
-  let authorizations;
-  try {
-    const { workspaceId } = req.params;
-
-    authorizations = await IntegrationAuth.find({
-      workspace: workspaceId,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace integration authorizations",
-    });
-  }
-
-  return res.status(200).send({
-    authorizations,
-  });
-};
-
-/**
- * Return service service tokens for workspace [workspaceId] belonging to user
- * @param req
- * @param res
- * @returns
- */
-export const getWorkspaceServiceTokens = async (
-  req: Request,
-  res: Response
-) => {
-  let serviceTokens;
-  try {
-    const { workspaceId } = req.params;
-    // ?? FIX.
-    serviceTokens = await ServiceToken.find({
-      user: req.user._id,
-      workspace: workspaceId,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace service tokens",
-    });
-  }
-
-  return res.status(200).send({
-    serviceTokens,
-  });
-};

backend/src/controllers/v2/apiKeyDataController.ts

@@ -1,105 +0,0 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import crypto from 'crypto';
-import bcrypt from 'bcrypt';
-import {
-    APIKeyData
-} from '../../models';
-import {
-    SALT_ROUNDS
-} from '../../config';
-
-/**
- * Return API key data for user with id [req.user_id]
- * @param req
- * @param res 
- * @returns 
- */
-export const getAPIKeyData = async (req: Request, res: Response) => {
-    let apiKeyData;
-    try {
-        apiKeyData = await APIKeyData.find({
-            user: req.user._id
-        });
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-        Sentry.captureException(err);
-        return res.status(400).send({
-            message: 'Failed to get API key data'
-        });
-    }
-    
-    return res.status(200).send({
-        apiKeyData
-    });
-}
-
-/**
- * Create new API key data for user with id [req.user._id]
- * @param req 
- * @param res 
- */
-export const createAPIKeyData = async (req: Request, res: Response) => {
-    let apiKey, apiKeyData;
-    try {
-        const { name, expiresIn } = req.body;
-        
-        const secret = crypto.randomBytes(16).toString('hex');
-        const secretHash = await bcrypt.hash(secret, SALT_ROUNDS);
-        
-		const expiresAt = new Date();
-		expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
-        
-        apiKeyData = await new APIKeyData({
-            name,
-            expiresAt,
-            user: req.user._id,
-            secretHash
-        }).save();
-        
-        // return api key data without sensitive data
-        apiKeyData = await APIKeyData.findById(apiKeyData._id);
-        
-        if (!apiKeyData) throw new Error('Failed to find API key data');
-        
-        apiKey = `ak.${apiKeyData._id.toString()}.${secret}`;
-            
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-        Sentry.captureException(err);
-        return res.status(400).send({
-            message: 'Failed to API key data'
-        });
-    }
-    
-    return res.status(200).send({
-        apiKey,
-        apiKeyData
-    });
-}
-
-/**
- * Delete API key data with id [apiKeyDataId].
- * @param req 
- * @param res 
- * @returns 
- */
-export const deleteAPIKeyData = async (req: Request, res: Response) => {
-    let apiKeyData;
-    try {
-        const { apiKeyDataId } = req.params;
-
-        apiKeyData = await APIKeyData.findByIdAndDelete(apiKeyDataId);
-        
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-        Sentry.captureException(err);
-        return res.status(400).send({
-            message: 'Failed to delete API key data'
-        });
-    }
-    
-    return res.status(200).send({
-        apiKeyData
-    });
-}

backend/src/controllers/v2/environmentController.ts

@@ -1,262 +0,0 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import {
-  Secret,
-  ServiceToken,
-  Workspace,
-  Integration,
-  ServiceTokenData,
-  Membership,
-} from '../../models';
-import { SecretVersion } from '../../ee/models';
-import { BadRequestError } from '../../utils/errors';
-import _ from 'lodash';
-import { ABILITY_READ, ABILITY_WRITE } from '../../variables/organization';
-
-/**
- * Create new workspace environment named [environmentName] under workspace with id
- * @param req
- * @param res
- * @returns
- */
-export const createWorkspaceEnvironment = async (
-  req: Request,
-  res: Response
-) => {
-  const { workspaceId } = req.params;
-  const { environmentName, environmentSlug } = req.body;
-  try {
-    const workspace = await Workspace.findById(workspaceId).exec();
-    if (
-      !workspace ||
-      workspace?.environments.find(
-        ({ name, slug }) => slug === environmentSlug || environmentName === name
-      )
-    ) {
-      throw new Error('Failed to create workspace environment');
-    }
-
-    workspace?.environments.push({
-      name: environmentName,
-      slug: environmentSlug.toLowerCase(),
-    });
-    await workspace.save();
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to create new workspace environment',
-    });
-  }
-
-  return res.status(200).send({
-    message: 'Successfully created new environment',
-    workspace: workspaceId,
-    environment: {
-      name: environmentName,
-      slug: environmentSlug,
-    },
-  });
-};
-
-/**
- * Rename workspace environment with new name and slug of a workspace with [workspaceId]
- * Old slug [oldEnvironmentSlug] must be provided
- * @param req
- * @param res
- * @returns
- */
-export const renameWorkspaceEnvironment = async (
-  req: Request,
-  res: Response
-) => {
-  const { workspaceId } = req.params;
-  const { environmentName, environmentSlug, oldEnvironmentSlug } = req.body;
-  try {
-    // user should pass both new slug and env name
-    if (!environmentSlug || !environmentName) {
-      throw new Error('Invalid environment given.');
-    }
-
-    // atomic update the env to avoid conflict
-    const workspace = await Workspace.findById(workspaceId).exec();
-    if (!workspace) {
-      throw new Error('Failed to create workspace environment');
-    }
-
-    const isEnvExist = workspace.environments.some(
-      ({ name, slug }) =>
-        slug !== oldEnvironmentSlug &&
-        (name === environmentName || slug === environmentSlug)
-    );
-    if (isEnvExist) {
-      throw new Error('Invalid environment given');
-    }
-
-    const envIndex = workspace?.environments.findIndex(
-      ({ slug }) => slug === oldEnvironmentSlug
-    );
-    if (envIndex === -1) {
-      throw new Error('Invalid environment given');
-    }
-
-    workspace.environments[envIndex].name = environmentName;
-    workspace.environments[envIndex].slug = environmentSlug.toLowerCase();
-
-    await workspace.save();
-    await Secret.updateMany(
-      { workspace: workspaceId, environment: oldEnvironmentSlug },
-      { environment: environmentSlug }
-    );
-    await SecretVersion.updateMany(
-      { workspace: workspaceId, environment: oldEnvironmentSlug },
-      { environment: environmentSlug }
-    );
-    await ServiceToken.updateMany(
-      { workspace: workspaceId, environment: oldEnvironmentSlug },
-      { environment: environmentSlug }
-    );
-    await ServiceTokenData.updateMany(
-      { workspace: workspaceId, environment: oldEnvironmentSlug },
-      { environment: environmentSlug }
-    );
-    await Integration.updateMany(
-      { workspace: workspaceId, environment: oldEnvironmentSlug },
-      { environment: environmentSlug }
-    );
-    await Membership.updateMany(
-      {
-        workspace: workspaceId,
-        "deniedPermissions.environmentSlug": oldEnvironmentSlug
-      },
-      { $set: { "deniedPermissions.$[element].environmentSlug": environmentSlug } },
-      { arrayFilters: [{ "element.environmentSlug": oldEnvironmentSlug }] }
-    )
-
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to update workspace environment',
-    });
-  }
-
-  return res.status(200).send({
-    message: 'Successfully update environment',
-    workspace: workspaceId,
-    environment: {
-      name: environmentName,
-      slug: environmentSlug,
-    },
-  });
-};
-
-/**
- * Delete workspace environment by [environmentSlug] of workspace [workspaceId] and do the clean up
- * @param req
- * @param res
- * @returns
- */
-export const deleteWorkspaceEnvironment = async (
-  req: Request,
-  res: Response
-) => {
-  const { workspaceId } = req.params;
-  const { environmentSlug } = req.body;
-  try {
-    // atomic update the env to avoid conflict
-    const workspace = await Workspace.findById(workspaceId).exec();
-    if (!workspace) {
-      throw new Error('Failed to create workspace environment');
-    }
-
-    const envIndex = workspace?.environments.findIndex(
-      ({ slug }) => slug === environmentSlug
-    );
-    if (envIndex === -1) {
-      throw new Error('Invalid environment given');
-    }
-
-    workspace.environments.splice(envIndex, 1);
-    await workspace.save();
-
-    // clean up
-    await Secret.deleteMany({
-      workspace: workspaceId,
-      environment: environmentSlug,
-    });
-    await SecretVersion.deleteMany({
-      workspace: workspaceId,
-      environment: environmentSlug,
-    });
-    await ServiceToken.deleteMany({
-      workspace: workspaceId,
-      environment: environmentSlug,
-    });
-    await ServiceTokenData.deleteMany({
-      workspace: workspaceId,
-      environment: environmentSlug,
-    });
-    await Integration.deleteMany({
-      workspace: workspaceId,
-      environment: environmentSlug,
-    });
-    await Membership.updateMany(
-      { workspace: workspaceId },
-      { $pull: { deniedPermissions: { environmentSlug: environmentSlug } } }
-    )
-
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to delete workspace environment',
-    });
-  }
-
-  return res.status(200).send({
-    message: 'Successfully deleted environment',
-    workspace: workspaceId,
-    environment: environmentSlug,
-  });
-};
-
-
-export const getAllAccessibleEnvironmentsOfWorkspace = async (
-  req: Request,
-  res: Response
-) => {
-  const { workspaceId } = req.params;
-  const workspacesUserIsMemberOf = await Membership.findOne({
-    workspace: workspaceId,
-    user: req.user
-  })
-
-  if (!workspacesUserIsMemberOf) {
-    throw BadRequestError()
-  }
-
-  const accessibleEnvironments: any = []
-  const deniedPermission = workspacesUserIsMemberOf.deniedPermissions
-
-  const relatedWorkspace = await Workspace.findById(workspaceId)
-  if (!relatedWorkspace) {
-    throw BadRequestError()
-  }
-  relatedWorkspace.environments.forEach(environment => {
-    const isReadBlocked = _.some(deniedPermission, { environmentSlug: environment.slug, ability: ABILITY_READ })
-    const isWriteBlocked = _.some(deniedPermission, { environmentSlug: environment.slug, ability: ABILITY_WRITE })
-    if (isReadBlocked && isWriteBlocked) {
-      return
-    } else {
-      accessibleEnvironments.push({
-        name: environment.name,
-        slug: environment.slug,
-        isWriteDenied: isWriteBlocked,
-        isReadDenied: isReadBlocked
-      })
-    }
-  })
-
-  res.json({ accessibleEnvironments })
-};

backend/src/controllers/v2/index.ts

@@ -1,21 +0,0 @@
-import * as usersController from './usersController';
-import * as organizationsController from './organizationsController';
-import * as workspaceController from './workspaceController';
-import * as serviceTokenDataController from './serviceTokenDataController';
-import * as apiKeyDataController from './apiKeyDataController';
-import * as secretController from './secretController';
-import * as secretsController from './secretsController';
-import * as environmentController from './environmentController';
-import * as tagController from './tagController';
-
-export {
-    usersController,
-    organizationsController,
-    workspaceController,
-    serviceTokenDataController,
-    apiKeyDataController,
-    secretController,
-    secretsController,
-    environmentController,
-    tagController
-}

backend/src/controllers/v2/organizationsController.ts

@@ -1,296 +0,0 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { 
-    MembershipOrg,
-    Membership,
-    Workspace
-} from '../../models';
-import { deleteMembershipOrg } from '../../helpers/membershipOrg';
-import { updateSubscriptionOrgQuantity } from '../../helpers/organization';
-
-/**
- * Return memberships for organization with id [organizationId]
- * @param req 
- * @param res 
- */
-export const getOrganizationMemberships = async (req: Request, res: Response) => {
-    /* 
-    #swagger.summary = 'Return organization memberships'
-    #swagger.description = 'Return organization memberships'
-    
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-	#swagger.parameters['organizationId'] = {
-		"description": "ID of organization",
-		"required": true,
-		"type": "string"
-	} 
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                "schema": { 
-                    "type": "object",
-					"properties": {
-						"memberships": {
-							"type": "array",
-							"items": {
-								$ref: "#/components/schemas/MembershipOrg" 
-							},
-							"description": "Memberships of organization"
-						}
-					}
-                }
-            }           
-        }
-    }   
-    */
-    let memberships;
-    try {
-        const { organizationId } = req.params;
-
-		memberships = await MembershipOrg.find({
-			organization: organizationId
-		}).populate('user', '+publicKey');
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get organization memberships'
-		});
-    }
-    
-    return res.status(200).send({
-        memberships
-    });
-}
-
-/**
- * Update role of membership with id [membershipId] to role [role]
- * @param req 
- * @param res 
- */
-export const updateOrganizationMembership = async (req: Request, res: Response) => {
-    /* 
-    #swagger.summary = 'Update organization membership'
-    #swagger.description = 'Update organization membership'
-    
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-	#swagger.parameters['organizationId'] = {
-		"description": "ID of organization",
-		"required": true,
-		"type": "string"
-	} 
-
-	#swagger.parameters['membershipId'] = {
-		"description": "ID of organization membership to update",
-		"required": true,
-		"type": "string"
-	} 
-
-	#swagger.requestBody = {
-      "required": true,
-      "content": {
-        "application/json": {
-          "schema": {
-            "type": "object",
-            "properties": {
-                "role": {
-                    "type": "string",
-                    "description": "Role of organization membership - either owner, admin, or member",
-                }
-            }
-          }
-        }
-      }
-    }
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                "schema": { 
-					"type": "object",
-					"properties": {
-						"membership": {
-							$ref: "#/components/schemas/MembershipOrg",
-							"description": "Updated organization membership"
-						}
-					}
-                }
-            }           
-        }
-    }   
-    */
-    let membership;
-    try {
-        const { membershipId } = req.params;
-        const { role } = req.body;
-        
-        membership = await MembershipOrg.findByIdAndUpdate(
-            membershipId,
-            {
-                role
-            }, {
-                new: true
-            }
-        );
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to update organization membership'
-		});
-    }
-    
-    return res.status(200).send({
-        membership
-    });
-}
-
-/**
- * Delete organization membership with id [membershipId]
- * @param req 
- * @param res 
- * @returns 
- */
-export const deleteOrganizationMembership = async (req: Request, res: Response) => {
-    /* 
-    #swagger.summary = 'Delete organization membership'
-    #swagger.description = 'Delete organization membership'
-    
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-	#swagger.parameters['organizationId'] = {
-		"description": "ID of organization",
-		"required": true,
-		"type": "string"
-	} 
-
-	#swagger.parameters['membershipId'] = {
-		"description": "ID of organization membership to delete",
-		"required": true,
-		"type": "string"
-	} 
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                "schema": { 
-					"type": "object",
-					"properties": {
-						"membership": {
-							$ref: "#/components/schemas/MembershipOrg",
-							"description": "Deleted organization membership"
-						}
-					}
-                }
-            }           
-        }
-    }   
-    */
-    let membership;
-    try {
-        const { membershipId } = req.params;
-        
-        // delete organization membership
-        membership = await deleteMembershipOrg({
-            membershipOrgId: membershipId
-        });
-
-        await updateSubscriptionOrgQuantity({
-			organizationId: membership.organization.toString()
-		});
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to delete organization membership'
-		});	
-    }
-
-    return res.status(200).send({
-        membership
-    });
-}
-
-/**
- * Return workspaces for organization with id [organizationId] that user has
- * access to
- * @param req 
- * @param res 
- */
-export const getOrganizationWorkspaces = async (req: Request, res: Response) => {
-    /* 
-    #swagger.summary = 'Return projects in organization that user is part of'
-    #swagger.description = 'Return projects in organization that user is part of'
-    
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-	#swagger.parameters['organizationId'] = {
-		"description": "ID of organization",
-		"required": true,
-		"type": "string"
-	} 
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                "schema": { 
-                    "type": "object",
-					"properties": {
-						"workspaces": {
-							"type": "array",
-							"items": {
-								$ref: "#/components/schemas/Project" 
-							},
-							"description": "Projects of organization"
-						}
-					}
-                }
-            }           
-        }
-    }   
-    */
-    let workspaces;
-    try {
-        const { organizationId } = req.params;
-
-		const workspacesSet = new Set(
-			(
-				await Workspace.find(
-					{
-						organization: organizationId
-					},
-					'_id'
-				)
-			).map((w) => w._id.toString())
-		);
-
-		workspaces = (
-			await Membership.find({
-				user: req.user._id
-			}).populate('workspace')
-		)
-			.filter((m) => workspacesSet.has(m.workspace._id.toString()))
-			.map((m) => m.workspace);
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get organization workspaces'
-		});	
-    }
-    
-    return res.status(200).send({
-        workspaces
-    });
-}

backend/src/controllers/v2/secretController.ts

@@ -1,401 +0,0 @@
-import to from "await-to-js";
-import { Request, Response } from "express";
-import mongoose, { Types } from "mongoose";
-import Secret, { ISecret } from "../../models/secret";
-import { CreateSecretRequestBody, ModifySecretRequestBody, SanitizedSecretForCreate, SanitizedSecretModify } from "../../types/secret";
-const { ValidationError } = mongoose.Error;
-import { BadRequestError, InternalServerError, UnauthorizedRequestError, ValidationError as RouteValidationError } from '../../utils/errors';
-import { AnyBulkWriteOperation } from 'mongodb';
-import { SECRET_PERSONAL, SECRET_SHARED } from "../../variables";
-import { postHogClient } from '../../services';
-
-/**
- * Create secret for workspace with id [workspaceId] and environment [environment]
- * @param req 
- * @param res 
- */
-export const createSecret = async (req: Request, res: Response) => {
-  const secretToCreate: CreateSecretRequestBody = req.body.secret;
-  const { workspaceId, environment } = req.params
-  const sanitizedSecret: SanitizedSecretForCreate = {
-    secretKeyCiphertext: secretToCreate.secretKeyCiphertext,
-    secretKeyIV: secretToCreate.secretKeyIV,
-    secretKeyTag: secretToCreate.secretKeyTag,
-    secretKeyHash: secretToCreate.secretKeyHash,
-    secretValueCiphertext: secretToCreate.secretValueCiphertext,
-    secretValueIV: secretToCreate.secretValueIV,
-    secretValueTag: secretToCreate.secretValueTag,
-    secretValueHash: secretToCreate.secretValueHash,
-    secretCommentCiphertext: secretToCreate.secretCommentCiphertext,
-    secretCommentIV: secretToCreate.secretCommentIV,
-    secretCommentTag: secretToCreate.secretCommentTag,
-    secretCommentHash: secretToCreate.secretCommentHash,
-    workspace: new Types.ObjectId(workspaceId),
-    environment,
-    type: secretToCreate.type,
-    user: new Types.ObjectId(req.user._id)
-  }
-
-
-  const [error, secret] = await to(Secret.create(sanitizedSecret).then())
-  if (error instanceof ValidationError) {
-    throw RouteValidationError({ message: error.message, stack: error.stack })
-  }
-
-  if (postHogClient) {
-    postHogClient.capture({
-      event: 'secrets added',
-      distinctId: req.user.email,
-      properties: {
-        numberOfSecrets: 1,
-        workspaceId,
-        environment,
-        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
-        userAgent: req.headers?.['user-agent']
-      }
-    });
-  }
-
-  res.status(200).send({
-    secret
-  })
-}
-
-/**
- * Create many secrets for workspace wiht id [workspaceId] and environment [environment]
- * @param req 
- * @param res 
- */
-export const createSecrets = async (req: Request, res: Response) => {
-  const secretsToCreate: CreateSecretRequestBody[] = req.body.secrets;
-  const { workspaceId, environment } = req.params
-  const sanitizedSecretesToCreate: SanitizedSecretForCreate[] = []
-
-  secretsToCreate.forEach(rawSecret => {
-    const safeUpdateFields: SanitizedSecretForCreate = {
-      secretKeyCiphertext: rawSecret.secretKeyCiphertext,
-      secretKeyIV: rawSecret.secretKeyIV,
-      secretKeyTag: rawSecret.secretKeyTag,
-      secretKeyHash: rawSecret.secretKeyHash,
-      secretValueCiphertext: rawSecret.secretValueCiphertext,
-      secretValueIV: rawSecret.secretValueIV,
-      secretValueTag: rawSecret.secretValueTag,
-      secretValueHash: rawSecret.secretValueHash,
-      secretCommentCiphertext: rawSecret.secretCommentCiphertext,
-      secretCommentIV: rawSecret.secretCommentIV,
-      secretCommentTag: rawSecret.secretCommentTag,
-      secretCommentHash: rawSecret.secretCommentHash,
-      workspace: new Types.ObjectId(workspaceId),
-      environment,
-      type: rawSecret.type,
-      user: new Types.ObjectId(req.user._id)
-    }
-
-    sanitizedSecretesToCreate.push(safeUpdateFields)
-  })
-
-  const [bulkCreateError, secrets] = await to(Secret.insertMany(sanitizedSecretesToCreate).then())
-  if (bulkCreateError) {
-    if (bulkCreateError instanceof ValidationError) {
-      throw RouteValidationError({ message: bulkCreateError.message, stack: bulkCreateError.stack })
-    }
-
-    throw InternalServerError({ message: "Unable to process your batch create request. Please try again", stack: bulkCreateError.stack })
-  }
-
-  if (postHogClient) {
-    postHogClient.capture({
-      event: 'secrets added',
-      distinctId: req.user.email,
-      properties: {
-        numberOfSecrets: (secretsToCreate ?? []).length,
-        workspaceId,
-        environment,
-        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
-        userAgent: req.headers?.['user-agent']
-      }
-    });
-  }
-
-  res.status(200).send({
-    secrets
-  })
-}
-
-/**
- * Delete secrets in workspace with id [workspaceId] and environment [environment]
- * @param req 
- * @param res 
- */
-export const deleteSecrets = async (req: Request, res: Response) => {
-  const { workspaceId, environmentName } = req.params
-  const secretIdsToDelete: string[] = req.body.secretIds
-
-  const [secretIdsUserCanDeleteError, secretIdsUserCanDelete] = await to(Secret.find({ workspace: workspaceId, environment: environmentName }, { _id: 1 }).then())
-  if (secretIdsUserCanDeleteError) {
-    throw InternalServerError({ message: `Unable to fetch secrets you own: [error=${secretIdsUserCanDeleteError.message}]` })
-  }
-
-  const secretsUserCanDeleteSet: Set<string> = new Set(secretIdsUserCanDelete.map(objectId => objectId._id.toString()));
-  const deleteOperationsToPerform: AnyBulkWriteOperation<ISecret>[] = []
-
-  let numSecretsDeleted = 0;
-  secretIdsToDelete.forEach(secretIdToDelete => {
-    if (secretsUserCanDeleteSet.has(secretIdToDelete)) {
-      const deleteOperation = { deleteOne: { filter: { _id: new Types.ObjectId(secretIdToDelete) } } }
-      deleteOperationsToPerform.push(deleteOperation)
-      numSecretsDeleted++;
-    } else {
-      throw RouteValidationError({ message: "You cannot delete secrets that you do not have access to" })
-    }
-  })
-
-  const [bulkDeleteError, bulkDelete] = await to(Secret.bulkWrite(deleteOperationsToPerform).then())
-  if (bulkDeleteError) {
-    if (bulkDeleteError instanceof ValidationError) {
-      throw RouteValidationError({ message: "Unable to apply modifications, please try again", stack: bulkDeleteError.stack })
-    }
-    throw InternalServerError()
-  }
-
-  if (postHogClient) {
-    postHogClient.capture({
-      event: 'secrets deleted',
-      distinctId: req.user.email,
-      properties: {
-        numberOfSecrets: numSecretsDeleted,
-        environment: environmentName,
-        workspaceId,
-        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
-        userAgent: req.headers?.['user-agent']
-      }
-    });
-  }
-
-  res.status(200).send()
-}
-
-/**
- * Delete secret with id [secretId]
- * @param req 
- * @param res
- */
-export const deleteSecret = async (req: Request, res: Response) => {
-  await Secret.findByIdAndDelete(req._secret._id)
-
-  if (postHogClient) {
-    postHogClient.capture({
-      event: 'secrets deleted',
-      distinctId: req.user.email,
-      properties: {
-        numberOfSecrets: 1,
-        workspaceId: req._secret.workspace.toString(),
-        environment: req._secret.environment,
-        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
-        userAgent: req.headers?.['user-agent']
-      }
-    });
-  }
-
-  res.status(200).send({
-    secret: req._secret
-  })
-}
-
-/**
- * Update secrets for workspace with id [workspaceId] and environment [environment]
- * @param req 
- * @param res 
- * @returns 
- */
-export const updateSecrets = async (req: Request, res: Response) => {
-  const { workspaceId, environmentName } = req.params
-  const secretsModificationsRequested: ModifySecretRequestBody[] = req.body.secrets;
-  const [secretIdsUserCanModifyError, secretIdsUserCanModify] = await to(Secret.find({ workspace: workspaceId, environment: environmentName }, { _id: 1 }).then())
-  if (secretIdsUserCanModifyError) {
-    throw InternalServerError({ message: "Unable to fetch secrets you own" })
-  }
-
-  const secretsUserCanModifySet: Set<string> = new Set(secretIdsUserCanModify.map(objectId => objectId._id.toString()));
-  const updateOperationsToPerform: any = []
-
-  secretsModificationsRequested.forEach(userModifiedSecret => {
-    if (secretsUserCanModifySet.has(userModifiedSecret._id.toString())) {
-      const sanitizedSecret: SanitizedSecretModify = {
-        secretKeyCiphertext: userModifiedSecret.secretKeyCiphertext,
-        secretKeyIV: userModifiedSecret.secretKeyIV,
-        secretKeyTag: userModifiedSecret.secretKeyTag,
-        secretKeyHash: userModifiedSecret.secretKeyHash,
-        secretValueCiphertext: userModifiedSecret.secretValueCiphertext,
-        secretValueIV: userModifiedSecret.secretValueIV,
-        secretValueTag: userModifiedSecret.secretValueTag,
-        secretValueHash: userModifiedSecret.secretValueHash,
-        secretCommentCiphertext: userModifiedSecret.secretCommentCiphertext,
-        secretCommentIV: userModifiedSecret.secretCommentIV,
-        secretCommentTag: userModifiedSecret.secretCommentTag,
-        secretCommentHash: userModifiedSecret.secretCommentHash,
-      }
-
-      const updateOperation = { updateOne: { filter: { _id: userModifiedSecret._id, workspace: workspaceId }, update: { $inc: { version: 1 }, $set: sanitizedSecret } } }
-      updateOperationsToPerform.push(updateOperation)
-    } else {
-      throw UnauthorizedRequestError({ message: "You do not have permission to modify one or more of the requested secrets" })
-    }
-  })
-
-  const [bulkModificationInfoError, bulkModificationInfo] = await to(Secret.bulkWrite(updateOperationsToPerform).then())
-  if (bulkModificationInfoError) {
-    if (bulkModificationInfoError instanceof ValidationError) {
-      throw RouteValidationError({ message: "Unable to apply modifications, please try again", stack: bulkModificationInfoError.stack })
-    }
-
-    throw InternalServerError()
-  }
-
-  if (postHogClient) {
-    postHogClient.capture({
-      event: 'secrets modified',
-      distinctId: req.user.email,
-      properties: {
-        numberOfSecrets: (secretsModificationsRequested ?? []).length,
-        environment: environmentName,
-        workspaceId,
-        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
-        userAgent: req.headers?.['user-agent']
-      }
-    });
-  }
-
-  return res.status(200).send()
-}
-
-/**
- * Update a secret within workspace with id [workspaceId] and environment [environment]
- * @param req 
- * @param res 
- * @returns 
- */
-export const updateSecret = async (req: Request, res: Response) => {
-  const { workspaceId, environmentName } = req.params
-  const secretModificationsRequested: ModifySecretRequestBody = req.body.secret;
-
-  const [secretIdUserCanModifyError, secretIdUserCanModify] = await to(Secret.findOne({ workspace: workspaceId, environment: environmentName }, { _id: 1 }).then())
-  if (secretIdUserCanModifyError && !secretIdUserCanModify) {
-    throw BadRequestError()
-  }
-
-  const sanitizedSecret: SanitizedSecretModify = {
-    secretKeyCiphertext: secretModificationsRequested.secretKeyCiphertext,
-    secretKeyIV: secretModificationsRequested.secretKeyIV,
-    secretKeyTag: secretModificationsRequested.secretKeyTag,
-    secretKeyHash: secretModificationsRequested.secretKeyHash,
-    secretValueCiphertext: secretModificationsRequested.secretValueCiphertext,
-    secretValueIV: secretModificationsRequested.secretValueIV,
-    secretValueTag: secretModificationsRequested.secretValueTag,
-    secretValueHash: secretModificationsRequested.secretValueHash,
-    secretCommentCiphertext: secretModificationsRequested.secretCommentCiphertext,
-    secretCommentIV: secretModificationsRequested.secretCommentIV,
-    secretCommentTag: secretModificationsRequested.secretCommentTag,
-    secretCommentHash: secretModificationsRequested.secretCommentHash,
-  }
-
-  const [error, singleModificationUpdate] = await to(Secret.updateOne({ _id: secretModificationsRequested._id, workspace: workspaceId }, { $inc: { version: 1 }, $set: sanitizedSecret }).then())
-  if (error instanceof ValidationError) {
-    throw RouteValidationError({ message: "Unable to apply modifications, please try again", stack: error.stack })
-  }
-
-  if (postHogClient) {
-    postHogClient.capture({
-      event: 'secrets modified',
-      distinctId: req.user.email,
-      properties: {
-        numberOfSecrets: 1,
-        environment: environmentName,
-        workspaceId,
-        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
-        userAgent: req.headers?.['user-agent']
-      }
-    });
-  }
-
-  return res.status(200).send(singleModificationUpdate)
-}
-
-/**
- * Return secrets for workspace with id [workspaceId], environment [environment] and user
- * with id [req.user._id]
- * @param req 
- * @param res 
- * @returns 
- */
-export const getSecrets = async (req: Request, res: Response) => {
-  const { environment } = req.query;
-  const { workspaceId } = req.params;
-
-  let userId: Types.ObjectId | undefined = undefined // used for getting personal secrets for user
-  let userEmail: Types.ObjectId | undefined = undefined // used for posthog 
-  if (req.user) {
-    userId = req.user._id;
-    userEmail = req.user.email;
-  }
-
-  if (req.serviceTokenData) {
-    userId = req.serviceTokenData.user._id
-    userEmail = req.serviceTokenData.user.email;
-  }
-
-  const [err, secrets] = await to(Secret.find(
-    {
-      workspace: workspaceId,
-      environment,
-      $or: [{ user: userId }, { user: { $exists: false } }],
-      type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
-    }
-  ).then())
-
-  if (err) {
-    throw RouteValidationError({ message: "Failed to get secrets, please try again", stack: err.stack })
-  }
-
-  if (postHogClient) {
-    postHogClient.capture({
-      event: 'secrets pulled',
-      distinctId: userEmail,
-      properties: {
-        numberOfSecrets: (secrets ?? []).length,
-        environment,
-        workspaceId,
-        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
-        userAgent: req.headers?.['user-agent']
-      }
-    });
-  }
-
-  return res.json(secrets)
-}
-
-/**
- * Return secret with id [secretId]
- * @param req 
- * @param res 
- * @returns 
- */
-export const getSecret = async (req: Request, res: Response) => {
-  // if (postHogClient) {
-  //   postHogClient.capture({
-  //     event: 'secrets pulled',
-  //     distinctId: req.user.email,
-  //     properties: {
-  //       numberOfSecrets: 1,
-  //       workspaceId: req._secret.workspace.toString(),
-  //       environment: req._secret.environment,
-  //       channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
-  //       userAgent: req.headers?.['user-agent']
-  //     }
-  //   });
-  // }
-
-  return res.status(200).send({
-    secret: req._secret
-  });
-}

backend/src/controllers/v2/secretsController.ts

@@ -1,783 +0,0 @@
-import to from 'await-to-js';
-import { Types } from 'mongoose';
-import { Request, Response } from 'express';
-import { ISecret, Membership, Secret, Workspace } from '../../models';
-import {
-    SECRET_PERSONAL,
-    SECRET_SHARED,
-    ACTION_ADD_SECRETS,
-    ACTION_READ_SECRETS,
-    ACTION_UPDATE_SECRETS,
-    ACTION_DELETE_SECRETS
-} from '../../variables';
-import { UnauthorizedRequestError, ValidationError } from '../../utils/errors';
-import { EventService } from '../../services';
-import { eventPushSecrets } from '../../events';
-import { EESecretService, EELogService } from '../../ee/services';
-import { postHogClient } from '../../services';
-import { getChannelFromUserAgent } from '../../utils/posthog';
-import { ABILITY_READ, ABILITY_WRITE } from '../../variables/organization';
-import { userHasNoAbility, userHasWorkspaceAccess, userHasWriteOnlyAbility } from '../../ee/helpers/checkMembershipPermissions';
-import Tag from '../../models/tag';
-import _ from 'lodash';
-
-/**
- * Create secret(s) for workspace with id [workspaceId] and environment [environment]
- * @param req 
- * @param res 
- */
-export const createSecrets = async (req: Request, res: Response) => {
-    /* 
-    #swagger.summary = 'Create new secret(s)'
-    #swagger.description = 'Create one or many secrets for a given project and environment.'
-    
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-    #swagger.requestBody = {
-      "required": true,
-      "content": {
-        "application/json": {
-          "schema": {
-            "type": "object",
-            "properties": {
-                "workspaceId": {
-                    "type": "string",
-                    "description": "ID of project",
-                },
-                "environment": {
-                    "type": "string",
-                    "description": "Environment within project"
-                },
-                "secrets": {
-                    $ref: "#/components/schemas/CreateSecret",
-                    "description": "Secret(s) to create - object or array of objects"
-                }
-            }
-          }
-        }
-      }
-    }
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                "schema": { 
-                    "type": "object",
-                    "properties": {
-                        "secrets": {
-                            "type": "array",
-                            "items": {
-                                $ref: "#/components/schemas/Secret" 
-                            },
-                            "description": "Newly-created secrets for the given project and environment"
-                        }
-                    }
-                }
-            }           
-        }
-    }   
-    */
-
-    const channel = getChannelFromUserAgent(req.headers['user-agent'])
-    const { workspaceId, environment }: { workspaceId: string, environment: string } = req.body;
-
-    const hasAccess = await userHasWorkspaceAccess(req.user, workspaceId, environment, ABILITY_WRITE)
-    if (!hasAccess) {
-        throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
-    }
-
-    let listOfSecretsToCreate;
-    if (Array.isArray(req.body.secrets)) {
-        // case: create multiple secrets
-        listOfSecretsToCreate = req.body.secrets;
-    } else if (typeof req.body.secrets === 'object') {
-        // case: create 1 secret
-        listOfSecretsToCreate = [req.body.secrets];
-    }
-
-    type secretsToCreateType = {
-        type: string;
-        secretKeyCiphertext: string;
-        secretKeyIV: string;
-        secretKeyTag: string;
-        secretValueCiphertext: string;
-        secretValueIV: string;
-        secretValueTag: string;
-        secretCommentCiphertext: string;
-        secretCommentIV: string;
-        secretCommentTag: string;
-        tags: string[]
-    }
-
-    const newlyCreatedSecrets = await Secret.insertMany(
-        listOfSecretsToCreate.map(({
-            type,
-            secretKeyCiphertext,
-            secretKeyIV,
-            secretKeyTag,
-            secretValueCiphertext,
-            secretValueIV,
-            secretValueTag,
-            secretCommentCiphertext,
-            secretCommentIV,
-            secretCommentTag,
-            tags
-        }: secretsToCreateType) => {
-            return ({
-                version: 1,
-                workspace: new Types.ObjectId(workspaceId),
-                type,
-                user: type === SECRET_PERSONAL ? req.user : undefined,
-                environment,
-                secretKeyCiphertext,
-                secretKeyIV,
-                secretKeyTag,
-                secretValueCiphertext,
-                secretValueIV,
-                secretValueTag,
-                secretCommentCiphertext,
-                secretCommentIV,
-                secretCommentTag,
-                tags
-            });
-        })
-    );
-
-    setTimeout(async () => {
-        // trigger event - push secrets
-        await EventService.handleEvent({
-            event: eventPushSecrets({
-                workspaceId
-            })
-        });
-    }, 5000);
-
-    // (EE) add secret versions for new secrets
-    await EESecretService.addSecretVersions({
-        secretVersions: newlyCreatedSecrets.map(({
-            _id,
-            version,
-            workspace,
-            type,
-            user,
-            environment,
-            secretKeyCiphertext,
-            secretKeyIV,
-            secretKeyTag,
-            secretKeyHash,
-            secretValueCiphertext,
-            secretValueIV,
-            secretValueTag,
-            secretValueHash,
-            secretCommentCiphertext,
-            secretCommentIV,
-            secretCommentTag,
-            tags
-        }) => ({
-            _id: new Types.ObjectId(),
-            secret: _id,
-            version,
-            workspace,
-            type,
-            user,
-            environment,
-            isDeleted: false,
-            secretKeyCiphertext,
-            secretKeyIV,
-            secretKeyTag,
-            secretKeyHash,
-            secretValueCiphertext,
-            secretValueIV,
-            secretValueTag,
-            secretValueHash,
-            secretCommentCiphertext,
-            secretCommentIV,
-            secretCommentTag,
-            tags
-        }))
-    });
-
-    const addAction = await EELogService.createAction({
-        name: ACTION_ADD_SECRETS,
-        userId: req.user._id,
-        workspaceId: new Types.ObjectId(workspaceId),
-        secretIds: newlyCreatedSecrets.map((n) => n._id)
-    });
-
-    // (EE) create (audit) log
-    addAction && await EELogService.createLog({
-        userId: req.user._id.toString(),
-        workspaceId: new Types.ObjectId(workspaceId),
-        actions: [addAction],
-        channel,
-        ipAddress: req.ip
-    });
-
-    // (EE) take a secret snapshot
-    await EESecretService.takeSecretSnapshot({
-        workspaceId
-    });
-
-    if (postHogClient) {
-        postHogClient.capture({
-            event: 'secrets added',
-            distinctId: req.user.email,
-            properties: {
-                numberOfSecrets: listOfSecretsToCreate.length,
-                environment,
-                workspaceId,
-                channel: channel,
-                userAgent: req.headers?.['user-agent']
-            }
-        });
-    }
-
-    return res.status(200).send({
-        secrets: newlyCreatedSecrets
-    });
-}
-
-/**
- * Return secret(s) for workspace with id [workspaceId], environment [environment] and user
- * with id [req.user._id]
- * @param req 
- * @param res 
- * @returns 
- */
-export const getSecrets = async (req: Request, res: Response) => {
-    /* 
-    #swagger.summary = 'Read secrets'
-    #swagger.description = 'Read secrets from a project and environment'
-    
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-    #swagger.parameters['workspaceId'] = {
-        "description": "ID of project",
-        "required": true,
-        "type": "string"
-    }
-
-    #swagger.parameters['environment'] = {
-        "description": "Environment within project",
-        "required": true,
-        "type": "string"
-    }
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                "schema": { 
-                    "type": "object",
-                    "properties": {
-                        "secrets": {
-                            "type": "array",
-                            "items": {
-                                $ref: "#/components/schemas/Secret" 
-                            },
-                            "description": "Secrets for the given project and environment"
-                        }
-                    }
-                }
-            }           
-        }
-    }   
-    */
-
-
-    const { workspaceId, environment, tagSlugs } = req.query;
-    const tagNamesList = typeof tagSlugs === 'string' && tagSlugs !== '' ? tagSlugs.split(',') : [];
-    let userId = "" // used for getting personal secrets for user
-    let userEmail = "" // used for posthog 
-    if (req.user) {
-        userId = req.user._id;
-        userEmail = req.user.email;
-    }
-
-    if (req.serviceTokenData) {
-        userId = req.serviceTokenData.user._id
-        userEmail = req.serviceTokenData.user.email;
-    }
-
-    // none service token case as service tokens are already scoped to env and project
-    let hasWriteOnlyAccess
-    if (!req.serviceTokenData) {
-        hasWriteOnlyAccess = await userHasWriteOnlyAbility(userId, workspaceId, environment)
-        const hasNoAccess = await userHasNoAbility(userId, workspaceId, environment)
-        if (hasNoAccess) {
-            throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
-        }
-    }
-    let secrets: any
-    let secretQuery: any
-
-    if (tagNamesList != undefined && tagNamesList.length != 0) {
-        const workspaceFromDB = await Tag.find({ workspace: workspaceId })
-
-        const tagIds = _.map(tagNamesList, (tagName) => {
-            const tag = _.find(workspaceFromDB, { slug: tagName });
-            return tag ? tag.id : null;
-        });
-
-        secretQuery = {
-            workspace: workspaceId,
-            environment,
-            $or: [
-                { user: userId },
-                { user: { $exists: false } }
-            ],
-            tags: { $in: tagIds },
-            type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
-        }
-    } else {
-        secretQuery = {
-            workspace: workspaceId,
-            environment,
-            $or: [
-                { user: userId },
-                { user: { $exists: false } }
-            ],
-            type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
-        }
-    }
-
-    if (hasWriteOnlyAccess) {
-        secrets = await Secret.find(secretQuery).select("secretKeyCiphertext secretKeyIV secretKeyTag")
-    } else {
-        secrets = await Secret.find(secretQuery).populate("tags")
-    }
-
-    const channel = getChannelFromUserAgent(req.headers['user-agent'])
-
-    const readAction = await EELogService.createAction({
-        name: ACTION_READ_SECRETS,
-        userId: new Types.ObjectId(userId),
-        workspaceId: new Types.ObjectId(workspaceId as string),
-        secretIds: secrets.map((n: any) => n._id)
-    });
-
-    readAction && await EELogService.createLog({
-        userId: new Types.ObjectId(userId),
-        workspaceId: new Types.ObjectId(workspaceId as string),
-        actions: [readAction],
-        channel,
-        ipAddress: req.ip
-    });
-
-    if (postHogClient) {
-        postHogClient.capture({
-            event: 'secrets pulled',
-            distinctId: userEmail,
-            properties: {
-                numberOfSecrets: secrets.length,
-                environment,
-                workspaceId,
-                channel,
-                userAgent: req.headers?.['user-agent']
-            }
-        });
-    }
-
-    return res.status(200).send({
-        secrets
-    });
-}
-
-
-export const getOnlySecretKeys = async (req: Request, res: Response) => {
-    const { workspaceId, environment } = req.query;
-
-    let userId = "" // used for getting personal secrets for user
-    let userEmail = "" // used for posthog 
-    if (req.user) {
-        userId = req.user._id;
-        userEmail = req.user.email;
-    }
-
-    if (req.serviceTokenData) {
-        userId = req.serviceTokenData.user._id
-        userEmail = req.serviceTokenData.user.email;
-    }
-
-    // none service token case as service tokens are already scoped
-    if (!req.serviceTokenData) {
-        const hasAccess = await userHasWorkspaceAccess(userId, workspaceId, environment, ABILITY_READ)
-        if (!hasAccess) {
-            throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
-        }
-    }
-
-    const [err, secretKeys] = await to(Secret.find(
-        {
-            workspace: workspaceId,
-            environment,
-            $or: [
-                { user: userId },
-                { user: { $exists: false } }
-            ],
-            type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
-        }
-    )
-        .select("secretKeyIV secretKeyTag secretKeyCiphertext")
-        .then())
-
-    if (err) throw ValidationError({ message: 'Failed to get secrets', stack: err.stack });
-
-    // readAction && await EELogService.createLog({
-    //     userId: new Types.ObjectId(userId),
-    //     workspaceId: new Types.ObjectId(workspaceId as string),
-    //     actions: [readAction],
-    //     channel,
-    //     ipAddress: req.ip
-    // });
-
-    return res.status(200).send({
-        secretKeys
-    });
-}
-
-/**
- * Update secret(s)
- * @param req 
- * @param res 
- */
-export const updateSecrets = async (req: Request, res: Response) => {
-    /* 
-    #swagger.summary = 'Update secret(s)'
-    #swagger.description = 'Update secret(s)'
-    
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-    #swagger.requestBody = {
-      "required": true,
-      "content": {
-        "application/json": {
-          "schema": {
-            "type": "object",
-            "properties": {
-                "secrets": {
-                    $ref: "#/components/schemas/UpdateSecret",
-                    "description": "Secret(s) to update - object or array of objects"
-                }
-            }
-          }
-        }
-      }
-    }
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                "schema": { 
-                    "type": "object",
-                    "properties": {
-                        "secrets": {
-                            "type": "array",
-                            "items": {
-                                $ref: "#/components/schemas/Secret" 
-                            },
-                            "description": "Updated secrets"
-                        }
-                    }
-                }
-            }           
-        }
-    }
-    */
-    const channel = req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli';
-
-    // TODO: move type
-    interface PatchSecret {
-        id: string;
-        secretKeyCiphertext: string;
-        secretKeyIV: string;
-        secretKeyTag: string;
-        secretValueCiphertext: string;
-        secretValueIV: string;
-        secretValueTag: string;
-        secretCommentCiphertext: string;
-        secretCommentIV: string;
-        secretCommentTag: string;
-        tags: string[]
-    }
-
-    const updateOperationsToPerform = req.body.secrets.map((secret: PatchSecret) => {
-        const {
-            secretKeyCiphertext,
-            secretKeyIV,
-            secretKeyTag,
-            secretValueCiphertext,
-            secretValueIV,
-            secretValueTag,
-            secretCommentCiphertext,
-            secretCommentIV,
-            secretCommentTag,
-            tags
-        } = secret;
-
-        return ({
-            updateOne: {
-                filter: { _id: new Types.ObjectId(secret.id) },
-                update: {
-                    $inc: {
-                        version: 1
-                    },
-                    secretKeyCiphertext,
-                    secretKeyIV,
-                    secretKeyTag,
-                    secretValueCiphertext,
-                    secretValueIV,
-                    secretValueTag,
-                    tags,
-                    ...((
-                        secretCommentCiphertext !== undefined &&
-                        secretCommentIV &&
-                        secretCommentTag
-                    ) ? {
-                        secretCommentCiphertext,
-                        secretCommentIV,
-                        secretCommentTag
-                    } : {}),
-                }
-            }
-        });
-    });
-
-    await Secret.bulkWrite(updateOperationsToPerform);
-
-    const secretModificationsBySecretId: { [key: string]: PatchSecret } = {};
-    req.body.secrets.forEach((secret: PatchSecret) => {
-        secretModificationsBySecretId[secret.id] = secret;
-    });
-
-    const ListOfSecretsBeforeModifications = req.secrets
-    const secretVersions = {
-        secretVersions: ListOfSecretsBeforeModifications.map((secret: ISecret) => {
-            const {
-                secretKeyCiphertext,
-                secretKeyIV,
-                secretKeyTag,
-                secretValueCiphertext,
-                secretValueIV,
-                secretValueTag,
-                secretCommentCiphertext,
-                secretCommentIV,
-                secretCommentTag,
-                tags
-            } = secretModificationsBySecretId[secret._id.toString()]
-
-            return ({
-                secret: secret._id,
-                version: secret.version + 1,
-                workspace: secret.workspace,
-                type: secret.type,
-                environment: secret.environment,
-                secretKeyCiphertext: secretKeyCiphertext ? secretKeyCiphertext : secret.secretKeyCiphertext,
-                secretKeyIV: secretKeyIV ? secretKeyIV : secret.secretKeyIV,
-                secretKeyTag: secretKeyTag ? secretKeyTag : secret.secretKeyTag,
-                secretValueCiphertext: secretValueCiphertext ? secretValueCiphertext : secret.secretValueCiphertext,
-                secretValueIV: secretValueIV ? secretValueIV : secret.secretValueIV,
-                secretValueTag: secretValueTag ? secretValueTag : secret.secretValueTag,
-                secretCommentCiphertext: secretCommentCiphertext ? secretCommentCiphertext : secret.secretCommentCiphertext,
-                secretCommentIV: secretCommentIV ? secretCommentIV : secret.secretCommentIV,
-                secretCommentTag: secretCommentTag ? secretCommentTag : secret.secretCommentTag,
-                tags: tags ? tags : secret.tags
-            });
-        })
-    }
-
-    await EESecretService.addSecretVersions(secretVersions);
-
-
-    // group secrets into workspaces so updated secrets can
-    // be logged and snapshotted separately for each workspace
-    const workspaceSecretObj: any = {};
-    req.secrets.forEach((s: any) => {
-        if (s.workspace.toString() in workspaceSecretObj) {
-            workspaceSecretObj[s.workspace.toString()].push(s);
-        } else {
-            workspaceSecretObj[s.workspace.toString()] = [s]
-        }
-    });
-
-    Object.keys(workspaceSecretObj).forEach(async (key) => {
-        // trigger event - push secrets
-        setTimeout(async () => {
-            await EventService.handleEvent({
-                event: eventPushSecrets({
-                    workspaceId: key
-                })
-            });
-        }, 10000);
-
-        const updateAction = await EELogService.createAction({
-            name: ACTION_UPDATE_SECRETS,
-            userId: req.user._id,
-            workspaceId: new Types.ObjectId(key),
-            secretIds: workspaceSecretObj[key].map((secret: ISecret) => secret._id)
-        });
-
-        // (EE) create (audit) log
-        updateAction && await EELogService.createLog({
-            userId: req.user._id.toString(),
-            workspaceId: new Types.ObjectId(key),
-            actions: [updateAction],
-            channel,
-            ipAddress: req.ip
-        });
-
-        // (EE) take a secret snapshot
-        await EESecretService.takeSecretSnapshot({
-            workspaceId: key
-        })
-
-        if (postHogClient) {
-            postHogClient.capture({
-                event: 'secrets modified',
-                distinctId: req.user.email,
-                properties: {
-                    numberOfSecrets: workspaceSecretObj[key].length,
-                    environment: workspaceSecretObj[key][0].environment,
-                    workspaceId: key,
-                    channel: channel,
-                    userAgent: req.headers?.['user-agent']
-                }
-            });
-        }
-    });
-
-    return res.status(200).send({
-        secrets: await Secret.find({
-            _id: {
-                $in: req.secrets.map((secret: ISecret) => secret._id)
-            }
-        })
-    });
-}
-
-/**
- * Delete secret(s) with id [workspaceId] and environment [environment]
- * @param req 
- * @param res 
- */
-export const deleteSecrets = async (req: Request, res: Response) => {
-    /* 
-    #swagger.summary = 'Delete secret(s)'
-    #swagger.description = 'Delete one or many secrets by their ID(s)'
-    
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-    #swagger.requestBody = {
-      "required": true,
-      "content": {
-        "application/json": {
-          "schema": {
-            "type": "object",
-            "properties": {
-                "secretIds": {
-                    "type": "string",
-                    "description": "ID(s) of secrets - string or array of strings"
-                },
-            }
-          }
-        }
-      }
-    }
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                "schema": { 
-                    "type": "object",
-                    "properties": {
-                        "secrets": {
-                            "type": "array",
-                            "items": {
-                                $ref: "#/components/schemas/Secret" 
-                            },
-                            "description": "Deleted secrets"
-                        }
-                    }
-                }
-            }           
-        }
-    }   
-    */
-    const channel = getChannelFromUserAgent(req.headers['user-agent'])
-    const toDelete = req.secrets.map((s: any) => s._id);
-
-    await Secret.deleteMany({
-        _id: {
-            $in: toDelete
-        }
-    });
-
-    await EESecretService.markDeletedSecretVersions({
-        secretIds: toDelete
-    });
-
-    // group secrets into workspaces so deleted secrets can
-    // be logged and snapshotted separately for each workspace
-    const workspaceSecretObj: any = {};
-    req.secrets.forEach((s: any) => {
-        if (s.workspace.toString() in workspaceSecretObj) {
-            workspaceSecretObj[s.workspace.toString()].push(s);
-        } else {
-            workspaceSecretObj[s.workspace.toString()] = [s]
-        }
-    });
-
-    Object.keys(workspaceSecretObj).forEach(async (key) => {
-        // trigger event - push secrets
-        await EventService.handleEvent({
-            event: eventPushSecrets({
-                workspaceId: key
-            })
-        });
-        const deleteAction = await EELogService.createAction({
-            name: ACTION_DELETE_SECRETS,
-            userId: req.user._id,
-            workspaceId: new Types.ObjectId(key),
-            secretIds: workspaceSecretObj[key].map((secret: ISecret) => secret._id)
-        });
-
-        // (EE) create (audit) log
-        deleteAction && await EELogService.createLog({
-            userId: req.user._id.toString(),
-            workspaceId: new Types.ObjectId(key),
-            actions: [deleteAction],
-            channel,
-            ipAddress: req.ip
-        });
-
-        // (EE) take a secret snapshot
-        await EESecretService.takeSecretSnapshot({
-            workspaceId: key
-        })
-
-        if (postHogClient) {
-            postHogClient.capture({
-                event: 'secrets deleted',
-                distinctId: req.user.email,
-                properties: {
-                    numberOfSecrets: workspaceSecretObj[key].length,
-                    environment: workspaceSecretObj[key][0].environment,
-                    workspaceId: key,
-                    channel: channel,
-                    userAgent: req.headers?.['user-agent']
-                }
-            });
-        }
-    });
-
-    return res.status(200).send({
-        secrets: req.secrets
-    });
-}

backend/src/controllers/v2/serviceTokenDataController.ts

@@ -1,114 +0,0 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import crypto from 'crypto';
-import bcrypt from 'bcrypt';
-import {
-    ServiceTokenData
-} from '../../models';
-import {
-    SALT_ROUNDS
-} from '../../config';
-import { userHasWorkspaceAccess } from '../../ee/helpers/checkMembershipPermissions';
-import { ABILITY_READ } from '../../variables/organization';
-
-/**
- * Return service token data associated with service token on request
- * @param req 
- * @param res 
- * @returns 
- */
-export const getServiceTokenData = async (req: Request, res: Response) => res.status(200).json(req.serviceTokenData);
-
-/**
- * Create new service token data for workspace with id [workspaceId] and
- * environment [environment].
- * @param req 
- * @param res 
- * @returns 
- */
-export const createServiceTokenData = async (req: Request, res: Response) => {
-    let serviceToken, serviceTokenData;
-    try {
-        const {
-            name,
-            workspaceId,
-            environment,
-            encryptedKey,
-            iv,
-            tag,
-            expiresIn
-        } = req.body;
-
-        const hasAccess = await userHasWorkspaceAccess(req.user, workspaceId, environment, ABILITY_READ)
-        if (!hasAccess) {
-            throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
-        }
-
-        const secret = crypto.randomBytes(16).toString('hex');
-        const secretHash = await bcrypt.hash(secret, SALT_ROUNDS);
-
-        const expiresAt = new Date();
-        expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
-
-        serviceTokenData = await new ServiceTokenData({
-            name,
-            workspace: workspaceId,
-            environment,
-            user: req.user._id,
-            expiresAt,
-            secretHash,
-            encryptedKey,
-            iv,
-            tag
-        }).save();
-
-        // return service token data without sensitive data
-        serviceTokenData = await ServiceTokenData.findById(serviceTokenData._id);
-
-        if (!serviceTokenData) throw new Error('Failed to find service token data');
-
-        serviceToken = `st.${serviceTokenData._id.toString()}.${secret}`;
-
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-        Sentry.captureException(err);
-        return res.status(400).send({
-            message: 'Failed to create service token data'
-        });
-    }
-
-    return res.status(200).send({
-        serviceToken,
-        serviceTokenData
-    });
-}
-
-/**
- * Delete service token data with id [serviceTokenDataId].
- * @param req 
- * @param res 
- * @returns 
- */
-export const deleteServiceTokenData = async (req: Request, res: Response) => {
-    let serviceTokenData;
-    try {
-        const { serviceTokenDataId } = req.params;
-
-        serviceTokenData = await ServiceTokenData.findByIdAndDelete(serviceTokenDataId);
-
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-        Sentry.captureException(err);
-        return res.status(400).send({
-            message: 'Failed to delete service token data'
-        });
-    }
-
-    return res.status(200).send({
-        serviceTokenData
-    });
-}
-
-function UnauthorizedRequestError(arg0: { message: string; }) {
-    throw new Error('Function not implemented.');
-}

backend/src/controllers/v2/tagController.ts

@@ -1,72 +0,0 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
-import {
-	Membership, Secret,
-} from '../../models';
-import Tag, { ITag } from '../../models/tag';
-import { Builder } from "builder-pattern"
-import to from 'await-to-js';
-import { BadRequestError, UnauthorizedRequestError } from '../../utils/errors';
-import { MongoError } from 'mongodb';
-import { userHasWorkspaceAccess } from '../../ee/helpers/checkMembershipPermissions';
-
-export const createWorkspaceTag = async (req: Request, res: Response) => {
-	const { workspaceId } = req.params
-	const { name, slug } = req.body
-	const sanitizedTagToCreate = Builder<ITag>()
-		.name(name)
-		.workspace(new Types.ObjectId(workspaceId))
-		.slug(slug)
-		.user(new Types.ObjectId(req.user._id))
-		.build();
-
-	const [err, createdTag] = await to(Tag.create(sanitizedTagToCreate))
-
-	if (err) {
-		if ((err as MongoError).code === 11000) {
-			throw BadRequestError({ message: "Tags must be unique in a workspace" })
-		}
-
-		throw err
-	}
-
-	res.json(createdTag)
-}
-
-export const deleteWorkspaceTag = async (req: Request, res: Response) => {
-	const { tagId } = req.params
-
-	const tagFromDB = await Tag.findById(tagId)
-	if (!tagFromDB) {
-		throw BadRequestError()
-	}
-
-	// can only delete if the request user is one that belongs to the same workspace as the tag
-	const membership = await Membership.findOne({
-		user: req.user,
-		workspace: tagFromDB.workspace
-	});
-
-	if (!membership) {
-		UnauthorizedRequestError({ message: 'Failed to validate membership' });
-	}
-
-	const result = await Tag.findByIdAndDelete(tagId);
-
-	// remove the tag from secrets
-	await Secret.updateMany(
-		{ tags: { $in: [tagId] } },
-		{ $pull: { tags: tagId } }
-	);
-
-	res.json(result);
-}
-
-export const getWorkspaceTags = async (req: Request, res: Response) => {
-	const { workspaceId } = req.params
-	const workspaceTags = await Tag.find({ workspace: workspaceId })
-	return res.json({
-		workspaceTags
-	})
-}

backend/src/controllers/v2/usersController.ts

@@ -1,109 +0,0 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import {
-    User,
-    MembershipOrg
-} from '../../models';
-
-/**
- * Return the current user.
- * @param req 
- * @param res 
- * @returns 
- */
-export const getMe = async (req: Request, res: Response) => {
-    /* 
-    #swagger.summary = "Retrieve the current user on the request"
-    #swagger.description = "Retrieve the current user on the request"
-    
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                "schema": { 
-                    "type": "object",
-                    "properties": {
-                        "user": {
-                            "type": "object",
-                            $ref: "#/components/schemas/CurrentUser",
-                            "description": "Current user on request"
-                        }
-                    }
-                }
-            }           
-        }
-    }   
-    */
-    let user;
-    try {
-        user = await User
-            .findById(req.user._id)
-            .select('+publicKey +encryptedPrivateKey +iv +tag');
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get current user'
-		});
-    }
-    
-    return res.status(200).send({
-        user
-    });
-}
-
-/**
- * Return organizations that the current user is part of.
- * @param req 
- * @param res 
- */
-export const getMyOrganizations = async (req: Request, res: Response) => {
-    /* 
-    #swagger.summary = 'Return organizations that current user is part of'
-    #swagger.description = 'Return organizations that current user is part of'
-    
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                "schema": { 
-                    "type": "object",
-					"properties": {
-						"organizations": {
-							"type": "array",
-							"items": {
-								$ref: "#/components/schemas/Organization" 
-							},
-							"description": "Organizations that user is part of"
-						}
-					}
-                }
-            }           
-        }
-    }   
-    */
-	let organizations;
-	try {
-		organizations = (
-			await MembershipOrg.find({
-				user: req.user._id
-			}).populate('organization')
-		).map((m) => m.organization);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: "Failed to get current user's organizations"
-		});
-	}
-
-	return res.status(200).send({
-		organizations
-	});
-}

backend/src/controllers/v2/workspaceController.ts

@@ -1,508 +0,0 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
-import {
-	Workspace,
-	Secret,
-	Membership,
-	MembershipOrg,
-	Integration,
-	IntegrationAuth,
-	Key,
-	IUser,
-	ServiceToken,
-	ServiceTokenData
-} from '../../models';
-import {
-	v2PushSecrets as push,
-	pullSecrets as pull,
-	reformatPullSecrets
-} from '../../helpers/secret';
-import { pushKeys } from '../../helpers/key';
-import { postHogClient, EventService } from '../../services';
-import { eventPushSecrets } from '../../events';
-
-interface V2PushSecret {
-	type: string; // personal or shared
-	secretKeyCiphertext: string;
-	secretKeyIV: string;
-	secretKeyTag: string;
-	secretKeyHash: string;
-	secretValueCiphertext: string;
-	secretValueIV: string;
-	secretValueTag: string;
-	secretValueHash: string;
-	secretCommentCiphertext?: string;
-	secretCommentIV?: string;
-	secretCommentTag?: string;
-	secretCommentHash?: string;
-}
-
-/**
- * Upload (encrypted) secrets to workspace with id [workspaceId]
- * for environment [environment]
- * @param req
- * @param res
- * @returns
- */
-export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
-	// upload (encrypted) secrets to workspace with id [workspaceId]
-	try {
-		let { secrets }: { secrets: V2PushSecret[] } = req.body;
-		const { keys, environment, channel } = req.body;
-		const { workspaceId } = req.params;
-
-		// validate environment
-		const workspaceEnvs = req.membership.workspace.environments;
-		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
-			throw new Error('Failed to validate environment');
-		}
-
-		// sanitize secrets
-		secrets = secrets.filter(
-			(s: V2PushSecret) => s.secretKeyCiphertext !== '' && s.secretValueCiphertext !== ''
-		);
-
-		await push({
-			userId: req.user._id,
-			workspaceId,
-			environment,
-			secrets,
-			channel: channel ? channel : 'cli',
-			ipAddress: req.ip
-		});
-
-		await pushKeys({
-			userId: req.user._id,
-			workspaceId,
-			keys
-		});
-
-		if (postHogClient) {
-			postHogClient.capture({
-				event: 'secrets pushed',
-				distinctId: req.user.email,
-				properties: {
-					numberOfSecrets: secrets.length,
-					environment,
-					workspaceId,
-					channel: channel ? channel : 'cli'
-				}
-			});
-		}
-
-		// trigger event - push secrets
-		EventService.handleEvent({
-			event: eventPushSecrets({
-				workspaceId
-			})
-		});
-
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to upload workspace secrets'
-		});
-	}
-
-	return res.status(200).send({
-		message: 'Successfully uploaded workspace secrets'
-	});
-};
-
-/**
- * Return (encrypted) secrets for workspace with id [workspaceId]
- * for environment [environment]
- * @param req
- * @param res
- * @returns
- */
-export const pullSecrets = async (req: Request, res: Response) => {
-	let secrets;
-	try {
-		const environment: string = req.query.environment as string;
-		const channel: string = req.query.channel as string;
-		const { workspaceId } = req.params;
-
-		let userId;
-		if (req.user) {
-			userId = req.user._id.toString();
-		} else if (req.serviceTokenData) {
-			userId = req.serviceTokenData.user._id
-		}
-		// validate environment
-		const workspaceEnvs = req.membership.workspace.environments;
-		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
-			throw new Error('Failed to validate environment');
-		}
-
-		secrets = await pull({
-			userId,
-			workspaceId,
-			environment,
-			channel: channel ? channel : 'cli',
-			ipAddress: req.ip
-		});
-
-		if (channel !== 'cli') {
-			secrets = reformatPullSecrets({ secrets });
-		}
-
-		if (postHogClient) {
-			// capture secrets pushed event in production
-			postHogClient.capture({
-				distinctId: req.user.email,
-				event: 'secrets pulled',
-				properties: {
-					numberOfSecrets: secrets.length,
-					environment,
-					workspaceId,
-					channel: channel ? channel : 'cli'
-				}
-			});
-		}
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to pull workspace secrets'
-		});
-	}
-
-	return res.status(200).send({
-		secrets
-	});
-};
-
-export const getWorkspaceKey = async (req: Request, res: Response) => {
-	/* 
-    #swagger.summary = 'Return encrypted project key'
-    #swagger.description = 'Return encrypted project key'
-    
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-	#swagger.parameters['workspaceId'] = {
-		"description": "ID of project",
-		"required": true,
-		"type": "string"
-	} 
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                "schema": { 
-                    "type": "array",
-                    "items": {
-                        $ref: "#/components/schemas/ProjectKey" 
-                    },
-                    "description": "Encrypted project key for the given project"
-                }
-            }           
-        }
-    }   
-    */
-	let key;
-	try {
-		const { workspaceId } = req.params;
-
-		key = await Key.findOne({
-			workspace: workspaceId,
-			receiver: req.user._id
-		}).populate('sender', '+publicKey');
-
-		if (!key) throw new Error('Failed to find workspace key');
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get workspace key'
-		});
-	}
-
-	return res.status(200).json(key);
-}
-export const getWorkspaceServiceTokenData = async (
-	req: Request,
-	res: Response
-) => {
-	let serviceTokenData;
-	try {
-		const { workspaceId } = req.params;
-
-		serviceTokenData = await ServiceTokenData
-			.find({
-				workspace: workspaceId
-			})
-			.select('+encryptedKey +iv +tag');
-
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get workspace service token data'
-		});
-	}
-
-	return res.status(200).send({
-		serviceTokenData
-	});
-}
-
-/**
- * Return memberships for workspace with id [workspaceId]
- * @param req 
- * @param res 
- * @returns 
- */
-export const getWorkspaceMemberships = async (req: Request, res: Response) => {
-	/* 
-    #swagger.summary = 'Return project memberships'
-    #swagger.description = 'Return project memberships'
-    
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-	#swagger.parameters['workspaceId'] = {
-		"description": "ID of project",
-		"required": true,
-		"type": "string"
-	} 
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                "schema": { 
-                    "type": "object",
-					"properties": {
-						"memberships": {
-							"type": "array",
-							"items": {
-								$ref: "#/components/schemas/Membership" 
-							},
-							"description": "Memberships of project"
-						}
-					}
-                }
-            }           
-        }
-    }   
-    */
-	let memberships;
-	try {
-		const { workspaceId } = req.params;
-
-		memberships = await Membership.find({
-			workspace: workspaceId
-		}).populate('user', '+publicKey');
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get workspace memberships'
-		});
-	}
-
-	return res.status(200).send({
-		memberships
-	});
-}
-
-/**
- * Update role of membership with id [membershipId] to role [role]
- * @param req 
- * @param res 
- * @returns 
- */
-export const updateWorkspaceMembership = async (req: Request, res: Response) => {
-	/* 
-    #swagger.summary = 'Update project membership'
-    #swagger.description = 'Update project membership'
-    
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-	#swagger.parameters['workspaceId'] = {
-		"description": "ID of project",
-		"required": true,
-		"type": "string"
-	} 
-
-	#swagger.parameters['membershipId'] = {
-		"description": "ID of project membership to update",
-		"required": true,
-		"type": "string"
-	} 
-
-	#swagger.requestBody = {
-      "required": true,
-      "content": {
-        "application/json": {
-          "schema": {
-            "type": "object",
-            "properties": {
-                "role": {
-                    "type": "string",
-                    "description": "Role of membership - either admin or member",
-                }
-            }
-          }
-        }
-      }
-    }
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                "schema": { 
-					"type": "object",
-					"properties": {
-						"membership": {
-							$ref: "#/components/schemas/Membership",
-							"description": "Updated membership"
-						}
-					}
-                }
-            }           
-        }
-    }   
-    */
-	let membership;
-	try {
-		const {
-			membershipId
-		} = req.params;
-		const { role } = req.body;
-		
-		membership = await Membership.findByIdAndUpdate(
-			membershipId,
-			{
-				role
-			}, {
-				new: true
-			}
-		);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to update workspace membership'
-		});
-	}
-	
-	return res.status(200).send({
-		membership
-	}); 
-}
-
-/**
- * Delete workspace membership with id [membershipId]
- * @param req 
- * @param res 
- * @returns 
- */
-export const deleteWorkspaceMembership = async (req: Request, res: Response) => {
-	/* 
-    #swagger.summary = 'Delete project membership'
-    #swagger.description = 'Delete project membership'
-    
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-	#swagger.parameters['workspaceId'] = {
-		"description": "ID of project",
-		"required": true,
-		"type": "string"
-	} 
-
-	#swagger.parameters['membershipId'] = {
-		"description": "ID of project membership to delete",
-		"required": true,
-		"type": "string"
-	} 
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                "schema": { 
-					"type": "object",
-					"properties": {
-						"membership": {
-							$ref: "#/components/schemas/Membership",
-							"description": "Deleted membership"
-						}
-					}
-                }
-            }           
-        }
-    }   
-    */
-	let membership;
-	try {
-		const { 
-			membershipId
-		} = req.params;
-		
-		membership = await Membership.findByIdAndDelete(membershipId);
-		
-		if (!membership) throw new Error('Failed to delete workspace membership');
-		
-		await Key.deleteMany({
-			receiver: membership.user,
-			workspace: membership.workspace
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to delete workspace membership'
-		});	
-	}
-	
-	return res.status(200).send({
-		membership
-	});
-}
-
-/**
- * Change autoCapitilzation Rule of workspace
- * @param req
- * @param res
- * @returns
- */
-export const toggleAutoCapitalization = async (req: Request, res: Response) => {
-	let workspace;
-	try {
-		const { workspaceId } = req.params;
-		const { autoCapitalization } = req.body;
-
-		workspace = await Workspace.findOneAndUpdate(
-			{
-				_id: workspaceId
-			},
-			{
-				autoCapitalization
-			},
-			{
-				new: true
-			}
-		);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to change autoCapitalization setting'
-		});
-	}
-
-	return res.status(200).send({
-		message: 'Successfully changed autoCapitalization setting',
-		workspace
-	});
-};
-

backend/src/controllers/workspaceController.ts

@@ -0,0 +1,337 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import {
+	Workspace,
+	Membership,
+	MembershipOrg,
+	Integration,
+	IntegrationAuth,
+	IUser,
+	ServiceToken
+} from '../models';
+import {
+	createWorkspace as create,
+	deleteWorkspace as deleteWork
+} from '../helpers/workspace';
+import { addMemberships } from '../helpers/membership';
+import { ADMIN, COMPLETED, GRANTED } from '../variables';
+
+/**
+ * Return public keys of members of workspace with id [workspaceId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getWorkspacePublicKeys = async (req: Request, res: Response) => {
+	let publicKeys;
+	try {
+		const { workspaceId } = req.params;
+
+		publicKeys = (
+			await Membership.find({
+				workspace: workspaceId
+			}).populate<{ user: IUser }>('user', 'publicKey')
+		)
+			.filter((m) => m.status === COMPLETED || m.status === GRANTED)
+			.map((member) => {
+				return {
+					publicKey: member.user.publicKey,
+					userId: member.user._id
+				};
+			});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace member public keys'
+		});
+	}
+
+	return res.status(200).send({
+		publicKeys
+	});
+};
+
+/**
+ * Return memberships for workspace with id [workspaceId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getWorkspaceMemberships = async (req: Request, res: Response) => {
+	let users;
+	try {
+		const { workspaceId } = req.params;
+
+		users = await Membership.find({
+			workspace: workspaceId
+		}).populate('user', '+publicKey');
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace members'
+		});
+	}
+
+	return res.status(200).send({
+		users
+	});
+};
+
+/**
+ * Return workspaces that user is part of
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getWorkspaces = async (req: Request, res: Response) => {
+	let workspaces;
+	try {
+		workspaces = (
+			await Membership.find({
+				user: req.user._id
+			}).populate('workspace')
+		).map((m) => m.workspace);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspaces'
+		});
+	}
+
+	return res.status(200).send({
+		workspaces
+	});
+};
+
+/**
+ * Return workspace with id [workspaceId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getWorkspace = async (req: Request, res: Response) => {
+	let workspace;
+	try {
+		const { workspaceId } = req.params;
+
+		workspace = await Workspace.findOne({
+			_id: workspaceId
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace'
+		});
+	}
+
+	return res.status(200).send({
+		workspace
+	});
+};
+
+/**
+ * Create new workspace named [workspaceName] under organization with id
+ * [organizationId] and add user as admin
+ * @param req
+ * @param res
+ * @returns
+ */
+export const createWorkspace = async (req: Request, res: Response) => {
+	let workspace;
+	try {
+		const { workspaceName, organizationId } = req.body;
+
+		// validate organization membership
+		const membershipOrg = await MembershipOrg.findOne({
+			user: req.user._id,
+			organization: organizationId
+		});
+
+		if (!membershipOrg) {
+			throw new Error('Failed to validate organization membership');
+		}
+
+		if (workspaceName.length < 1) {
+			throw new Error('Workspace names must be at least 1-character long');
+		}
+
+		// create workspace and add user as member
+		workspace = await create({
+			name: workspaceName,
+			organizationId
+		});
+
+		await addMemberships({
+			userIds: [req.user._id],
+			workspaceId: workspace._id.toString(),
+			roles: [ADMIN],
+			statuses: [GRANTED]
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to create workspace'
+		});
+	}
+
+	return res.status(200).send({
+		workspace
+	});
+};
+
+/**
+ * Delete workspace with id [workspaceId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const deleteWorkspace = async (req: Request, res: Response) => {
+	try {
+		const { workspaceId } = req.params;
+
+		// delete workspace
+		await deleteWork({
+			id: workspaceId
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to delete workspace'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Successfully deleted workspace'
+	});
+};
+
+/**
+ * Change name of workspace with id [workspaceId] to [name]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const changeWorkspaceName = async (req: Request, res: Response) => {
+	let workspace;
+	try {
+		const { workspaceId } = req.params;
+		const { name } = req.body;
+
+		workspace = await Workspace.findOneAndUpdate(
+			{
+				_id: workspaceId
+			},
+			{
+				name
+			},
+			{
+				new: true
+			}
+		);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to change workspace name'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Successfully changed workspace name',
+		workspace
+	});
+};
+
+/**
+ * Return integrations for workspace with id [workspaceId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getWorkspaceIntegrations = async (req: Request, res: Response) => {
+	let integrations;
+	try {
+		const { workspaceId } = req.params;
+
+		integrations = await Integration.find({
+			workspace: workspaceId
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace integrations'
+		});
+	}
+
+	return res.status(200).send({
+		integrations
+	});
+};
+
+/**
+ * Return (integration) authorizations for workspace with id [workspaceId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getWorkspaceIntegrationAuthorizations = async (
+	req: Request,
+	res: Response
+) => {
+	let authorizations;
+	try {
+		const { workspaceId } = req.params;
+
+		authorizations = await IntegrationAuth.find({
+			workspace: workspaceId
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace integration authorizations'
+		});
+	}
+
+	return res.status(200).send({
+		authorizations
+	});
+};
+
+/**
+ * Return service service tokens for workspace [workspaceId] belonging to user
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getWorkspaceServiceTokens = async (
+	req: Request,
+	res: Response
+) => {
+	let serviceTokens;
+	try {
+		const { workspaceId } = req.params;
+
+		serviceTokens = await ServiceToken.find({
+			user: req.user._id,
+			workspace: workspaceId
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace service tokens'
+		});
+	}
+	
+	return res.status(200).send({
+		serviceTokens
+	});
+}

backend/src/ee/controllers/index.ts

@@ -0,0 +1,5 @@
+import * as stripeController from './stripeController';
+
+export {
+    stripeController
+}

backend/src/ee/controllers/v1/actionController.ts

@@ -1,31 +0,0 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { Action, SecretVersion } from '../../models';
-import { ActionNotFoundError } from '../../../utils/errors';
-
-export const getAction = async (req: Request, res: Response) => {
-    let action;
-    try {
-        const { actionId } = req.params;
-        
-        action = await Action
-            .findById(actionId)
-            .populate([
-                'payload.secretVersions.oldSecretVersion',
-                'payload.secretVersions.newSecretVersion'
-            ]);
-        
-        if (!action) throw ActionNotFoundError({
-            message: 'Failed to find action'
-        });
-
-    } catch (err) {
-        throw ActionNotFoundError({
-            message: 'Failed to find action'
-        });
-    }
-    
-    return res.status(200).send({
-        action
-    });
-}

backend/src/ee/controllers/v1/index.ts

@@ -1,15 +0,0 @@
-import * as stripeController from './stripeController';
-import * as secretController from './secretController';
-import * as secretSnapshotController from './secretSnapshotController';
-import * as workspaceController from './workspaceController';
-import * as actionController from './actionController';
-import * as membershipController from './membershipController';
-
-export {
-    stripeController,
-    secretController,
-    secretSnapshotController,
-    workspaceController,
-    actionController,
-    membershipController
-}

backend/src/ee/controllers/v1/membershipController.ts

@@ -1,63 +0,0 @@
-import { Request, Response } from "express";
-import { Membership, Workspace } from "../../../models";
-import { IMembershipPermission } from "../../../models/membership";
-import { BadRequestError, UnauthorizedRequestError } from "../../../utils/errors";
-import { ABILITY_READ, ABILITY_WRITE, ADMIN, MEMBER } from "../../../variables/organization";
-import { Builder } from "builder-pattern"
-import _ from "lodash";
-
-export const denyMembershipPermissions = async (req: Request, res: Response) => {
-  const { membershipId } = req.params;
-  const { permissions } = req.body;
-  const sanitizedMembershipPermissions: IMembershipPermission[] = permissions.map((permission: IMembershipPermission) => {
-    if (!permission.ability || !permission.environmentSlug || ![ABILITY_READ, ABILITY_WRITE].includes(permission.ability)) {
-      throw BadRequestError({ message: "One or more required fields are missing from the request or have incorrect type" })
-    }
-
-    return Builder<IMembershipPermission>()
-      .environmentSlug(permission.environmentSlug)
-      .ability(permission.ability)
-      .build();
-  })
-
-  const sanitizedMembershipPermissionsUnique = _.uniqWith(sanitizedMembershipPermissions, _.isEqual)
-
-  const membershipToModify = await Membership.findById(membershipId)
-  if (!membershipToModify) {
-    throw BadRequestError({ message: "Unable to locate resource" })
-  }
-
-  // check if the user making the request is a admin of this project 
-  if (![ADMIN, MEMBER].includes(membershipToModify.role)) {
-    throw UnauthorizedRequestError()
-  }
-
-  // check if the requested slugs are indeed a part of this related workspace 
-  const relatedWorkspace = await Workspace.findById(membershipToModify.workspace)
-  if (!relatedWorkspace) {
-    throw BadRequestError({ message: "Something went wrong when locating the related workspace" })
-  }
-
-  const uniqueEnvironmentSlugs = new Set(_.uniq(_.map(relatedWorkspace.environments, 'slug')));
-
-  sanitizedMembershipPermissionsUnique.forEach(permission => {
-    if (!uniqueEnvironmentSlugs.has(permission.environmentSlug)) {
-      throw BadRequestError({ message: "Unknown environment slug reference" })
-    }
-  })
-
-  // update the permissions 
-  const updatedMembershipWithPermissions = await Membership.findByIdAndUpdate(
-    { _id: membershipToModify._id },
-    { $set: { deniedPermissions: sanitizedMembershipPermissionsUnique } },
-    { new: true }
-  )
-
-  if (!updatedMembershipWithPermissions) {
-    throw BadRequestError({ message: "The resource has been removed before it can be modified" })
-  }
-
-  res.send({
-    permissionsDenied: updatedMembershipWithPermissions.deniedPermissions
-  })
-}

backend/src/ee/controllers/v1/secretController.ts

@@ -1,230 +0,0 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { Secret } from '../../../models';
-import { SecretVersion } from '../../models';
-import { EESecretService } from '../../services';
-
-/**
- * Return secret versions for secret with id [secretId]
- * @param req 
- * @param res 
- */
- export const getSecretVersions = async (req: Request, res: Response) => {
-	/* 
-    #swagger.summary = 'Return secret versions'
-    #swagger.description = 'Return secret versions'
-    
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-	#swagger.parameters['secretId'] = {
-		"description": "ID of secret",
-		"required": true,
-		"type": "string"
-	} 
-
-	#swagger.parameters['offset'] = {
-		"description": "Number of versions to skip",
-		"required": false,
-		"type": "string"
-	}
-
-	#swagger.parameters['limit'] = {
-		"description": "Maximum number of versions to return",
-		"required": false,
-		"type": "string"
-	}
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                schema: { 
-                    "type": "object",
-					"properties": {
-						"secretVersions": {
-							"type": "array",
-							"items": {
-								$ref: "#/components/schemas/SecretVersion" 
-							},
-							"description": "Secret versions"
-						}
-					}
-                }
-            }           
-        }
-    }   
-    */
-	let secretVersions;
-	try {
-		const { secretId } = req.params;
-
-		const offset: number = parseInt(req.query.offset as string);
-		const limit: number = parseInt(req.query.limit as string);
-		
-		secretVersions = await SecretVersion.find({
-			secret: secretId
-		})
-		.sort({ createdAt: -1 })
-		.skip(offset)
-		.limit(limit);
-
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get secret versions'
-		});
-	}
-	
-	return res.status(200).send({
-		secretVersions
-	});
-}
-
-/**
- * Roll back secret with id [secretId] to version [version]
- * @param req 
- * @param res 
- * @returns 
- */
-export const rollbackSecretVersion = async (req: Request, res: Response) => {
-	/* 
-    #swagger.summary = 'Roll back secret to a version.'
-    #swagger.description = 'Roll back secret to a version.'
-    
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-	#swagger.parameters['secretId'] = {
-		"description": "ID of secret",
-		"required": true,
-		"type": "string"
-	} 
-
-	#swagger.requestBody = {
-      "required": true,
-      "content": {
-        "application/json": {
-          "schema": {
-            "type": "object",
-            "properties": {
-                "version": {
-                    "type": "integer",
-                    "description": "Version of secret to roll back to"
-                }
-            }
-          }
-        }
-      }
-    }
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                schema: { 
-                    "type": "object",
-					"properties": {
-						"secret": {
-							"type": "object",
-							$ref: "#/components/schemas/Secret",
-							"description": "Secret rolled back to"
-						}
-					}
-                }
-            }           
-        }
-    }   
-    */
-	let secret;
-	try {
-		const { secretId } = req.params;
-		const { version } = req.body;
-		
-		// validate secret version
-		const oldSecretVersion = await SecretVersion.findOne({
-			secret: secretId,
-			version
-		});
-		
-		if (!oldSecretVersion) throw new Error('Failed to find secret version');
-		
-		const {
-			workspace,
-			type,
-			user,
-			environment,
-			secretKeyCiphertext,
-			secretKeyIV,
-			secretKeyTag,
-			secretKeyHash,
-			secretValueCiphertext,
-			secretValueIV,
-			secretValueTag,
-			secretValueHash
-		} = oldSecretVersion;
-		
-		// update secret
-		secret = await Secret.findByIdAndUpdate(
-			secretId,
-			{
-				$inc: {
-					version: 1
-				},
-				workspace,
-				type,
-				user,
-				environment,
-				secretKeyCiphertext,
-				secretKeyIV,
-				secretKeyTag,
-				secretKeyHash,
-				secretValueCiphertext,
-				secretValueIV,
-				secretValueTag,
-				secretValueHash
-			},
-			{
-				new: true
-			}
-		);
-		
-		if (!secret) throw new Error('Failed to find and update secret');
-
-		// add new secret version
-		await new SecretVersion({
-			secret: secretId,
-			version: secret.version,
-			workspace,
-			type,
-			user,
-			environment,
-			isDeleted: false,
-			secretKeyCiphertext,
-			secretKeyIV,
-			secretKeyTag,
-			secretKeyHash,
-			secretValueCiphertext,
-			secretValueIV,
-			secretValueTag,
-			secretValueHash	
-		}).save();
-		
-		// take secret snapshot
-		await EESecretService.takeSecretSnapshot({
-			workspaceId: secret.workspace.toString()
-		});
-		
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to roll back secret version'
-		});
-	}
-	
-	return res.status(200).send({
-		secret
-	});
-}

backend/src/ee/controllers/v1/secretSnapshotController.ts

@@ -1,39 +0,0 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { SecretSnapshot } from '../../models';
-
-/**
- * Return secret snapshot with id [secretSnapshotId]
- * @param req 
- * @param res 
- * @returns 
- */
-export const getSecretSnapshot = async (req: Request, res: Response) => {
-    let secretSnapshot;
-    try {
-        const { secretSnapshotId } = req.params;
-
-        secretSnapshot = await SecretSnapshot
-            .findById(secretSnapshotId)
-            .populate({
-                path: 'secretVersions',
-                populate: {
-                    path: 'tags',
-                    model: 'Tag',
-                }
-            });
-        
-        if (!secretSnapshot) throw new Error('Failed to find secret snapshot');
-        
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get secret snapshot'
-		});
-    }
-    
-    return res.status(200).send({
-        secretSnapshot
-    });
-}

backend/src/ee/controllers/v1/workspaceController.ts

@@ -1,434 +0,0 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
-import {
-	Secret
-} from '../../../models';
-import { 
-	SecretSnapshot,
-	Log,
-	SecretVersion,
-	ISecretVersion
-} from '../../models';
-import { EESecretService } from '../../services';
-import { getLatestSecretVersionIds } from '../../helpers/secretVersion';
-
-/**
- * Return secret snapshots for workspace with id [workspaceId]
- * @param req 
- * @param res 
- */
- export const getWorkspaceSecretSnapshots = async (req: Request, res: Response) => {
-	/* 
-    #swagger.summary = 'Return project secret snapshot ids'
-    #swagger.description = 'Return project secret snapshots ids'
-    
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-	#swagger.parameters['workspaceId'] = {
-		"description": "ID of project",
-		"required": true,
-		"type": "string"
-	} 
-
-	#swagger.parameters['offset'] = {
-		"description": "Number of secret snapshots to skip",
-		"required": false,
-		"type": "string"
-	}
-
-	#swagger.parameters['limit'] = {
-		"description": "Maximum number of secret snapshots to return",
-		"required": false,
-		"type": "string"
-	}
-
-	#swagger.responses[200] = {
-        content: {
-            "application/json": {
-                schema: { 
-					"type": "object",
-					"properties": {
-						"secretSnapshots": {
-							"type": "array",
-							"items": {
-								$ref: "#/components/schemas/SecretSnapshot" 
-							},
-							"description": "Project secret snapshots"
-						}
-					}
-                }
-            }           
-        }
-    }
-    */
-	let secretSnapshots;
-	try {
-		const { workspaceId } = req.params;
-
-		const offset: number = parseInt(req.query.offset as string);
-		const limit: number = parseInt(req.query.limit as string);
-		
-		secretSnapshots = await SecretSnapshot.find({
-			workspace: workspaceId
-		})
-		.sort({ createdAt: -1 })
-		.skip(offset)
-		.limit(limit);
-
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get secret snapshots'
-		});
-	}
-	
-	return res.status(200).send({
-		secretSnapshots
-	});
-}
-
-/**
- * Return count of secret snapshots for workspace with id [workspaceId]
- * @param req 
- * @param res 
- */
-export const getWorkspaceSecretSnapshotsCount = async (req: Request, res: Response) => {
-	let count;
-	try {
-		const { workspaceId } = req.params;
-		count = await SecretSnapshot.countDocuments({
-			workspace: workspaceId
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to count number of secret snapshots'
-		});
-	}
-	
-	return res.status(200).send({
-		count
-	});
-}
-
-/**
- * Rollback secret snapshot with id [secretSnapshotId] to version [version]
- * @param req 
- * @param res 
- * @returns 
- */
-export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Response) => {
-	/* 
-    #swagger.summary = 'Roll back project secrets to those captured in a secret snapshot version.'
-    #swagger.description = 'Roll back project secrets to those captured in a secret snapshot version.'
-    
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-	#swagger.parameters['workspaceId'] = {
-		"description": "ID of project",
-		"required": true,
-		"type": "string"
-	} 
-
-	#swagger.requestBody = {
-      "required": true,
-      "content": {
-        "application/json": {
-          "schema": {
-            "type": "object",
-            "properties": {
-                "version": {
-                    "type": "integer",
-                    "description": "Version of secret snapshot to roll back to",
-                }
-            }
-          }
-        }
-      }
-    }
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                schema: { 
-                    "type": "object",
-					"properties": {
-						"secrets": {
-							"type": "array",
-							"items": {
-								$ref: "#/components/schemas/Secret" 
-							},
-							"description": "Secrets rolled back to"
-						}
-					}
-                }
-            }           
-        }
-    }   
-    */
-	let secrets;
-    try {	
-        const { workspaceId } = req.params;
-        const { version } = req.body;
-        
-		// validate secret snapshot
-		const secretSnapshot = await SecretSnapshot.findOne({
-			workspace: workspaceId,
-			version
-		}).populate<{ secretVersions: ISecretVersion[]}>('secretVersions');
-        
-        if (!secretSnapshot) throw new Error('Failed to find secret snapshot');
-
-		// TODO: fix any
-		const oldSecretVersionsObj: any = secretSnapshot.secretVersions
-			.reduce((accumulator, s) => ({ 
-				...accumulator, 
-				[`${s.secret.toString()}`]: s 
-			}), {});	
-		
-		const latestSecretVersionIds = await getLatestSecretVersionIds({
-			secretIds: secretSnapshot.secretVersions.map((sv) => sv.secret)
-		});
-		
-		// TODO: fix any
-		const latestSecretVersions: any = (await SecretVersion.find({
-			_id: {
-				$in: latestSecretVersionIds.map((s) => s.versionId)
-			}
-		}, 'secret version'))
-		.reduce((accumulator, s) => ({ 
-			...accumulator, 
-			[`${s.secret.toString()}`]: s 
-		}), {});
-		
-		// delete existing secrets
-		await Secret.deleteMany({
-			workspace: workspaceId
-		});
-
-		// add secrets
-        secrets = await Secret.insertMany(
-			secretSnapshot.secretVersions.map((sv) => {
-				const secretId = sv.secret;
-				const {
-					workspace,
-					type,
-					user,
-					environment,
-					secretKeyCiphertext,
-					secretKeyIV,
-					secretKeyTag,
-					secretKeyHash,
-					secretValueCiphertext,
-					secretValueIV,
-					secretValueTag,
-					secretValueHash,
-					createdAt
-				} = oldSecretVersionsObj[secretId.toString()];
-				
-				return ({
-					_id: secretId,
-					version: latestSecretVersions[secretId.toString()].version + 1,
-					workspace,
-					type,
-					user,
-					environment,
-					secretKeyCiphertext,
-					secretKeyIV,
-					secretKeyTag,
-					secretKeyHash,
-					secretValueCiphertext,
-					secretValueIV,
-					secretValueTag,
-					secretValueHash,
-					secretCommentCiphertext: '',
-					secretCommentIV: '',
-					secretCommentTag: '',
-					createdAt
-				});
-			})
-		);
-		
-		// add secret versions
-		await SecretVersion.insertMany(
-			secrets.map(({
-				_id,
-				version,
-				workspace,
-				type,
-				user,
-				environment,
-				secretKeyCiphertext,
-				secretKeyIV,
-				secretKeyTag,
-				secretKeyHash,
-				secretValueCiphertext,
-				secretValueIV,
-				secretValueTag,
-				secretValueHash
-			}) => ({
-				_id: new Types.ObjectId(),
-				secret: _id,
-				version,
-				workspace,
-				type,
-				user,
-				environment,
-				isDeleted: false,
-				secretKeyCiphertext,
-				secretKeyIV,
-				secretKeyTag,
-				secretKeyHash,
-				secretValueCiphertext,
-				secretValueIV,
-				secretValueTag,
-				secretValueHash
-			}))
-		);
-		
-		// update secret versions of restored secrets as not deleted
-		await SecretVersion.updateMany({
-			secret: {
-				$in: secretSnapshot.secretVersions.map((sv) => sv.secret)
-			}
-		}, {
-			isDeleted: false
-		});
-		
-        // take secret snapshot
-		await EESecretService.takeSecretSnapshot({
-			workspaceId
-		});
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to roll back secret snapshot'
-		}); 
-    }
-    
-	return res.status(200).send({
-		secrets
-	});
-}
-
-/**
- * Return (audit) logs for workspace with id [workspaceId]
- * @param req 
- * @param res 
- * @returns 
- */
-export const getWorkspaceLogs = async (req: Request, res: Response) => {
-	/* 
-    #swagger.summary = 'Return project (audit) logs'
-    #swagger.description = 'Return project (audit) logs'
-    
-    #swagger.security = [{
-        "apiKeyAuth": []
-    }]
-
-	#swagger.parameters['workspaceId'] = {
-		"description": "ID of project",
-		"required": true,
-		"type": "string"
-	} 
-
-	#swagger.parameters['userId'] = {
-		"description": "ID of project member",
-		"required": false,
-		"type": "string"
-	} 
-
-	#swagger.parameters['offset'] = {
-		"description": "Number of logs to skip",
-		"required": false,
-		"type": "string"
-	}
-
-	#swagger.parameters['limit'] = {
-		"description": "Maximum number of logs to return",
-		"required": false,
-		"type": "string"
-	}
-
-	#swagger.parameters['sortBy'] = {
-		"description": "Order to sort the logs by",
-		"schema": {
-			"type": "string",
-			"@enum": ["oldest", "recent"]
-		},
-		"required": false
-	}
-
-	#swagger.parameters['actionNames'] = {
-		"description": "Names of log actions (comma-separated)",
-		"required": false,
-		"type": "string"
-	}
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                schema: { 
-					"type": "object",
-					"properties": {
-						"logs": {
-							"type": "array",
-							"items": {
-								$ref: "#/components/schemas/Log" 
-							},
-							"description": "Project logs"
-						}
-					}
-                }
-            }           
-        }
-    }   
-    */
-	let logs
-	try {
-		const { workspaceId } = req.params;
-
-		const offset: number = parseInt(req.query.offset as string);
-		const limit: number = parseInt(req.query.limit as string);
-		const sortBy: string = req.query.sortBy as string;
-		const userId: string = req.query.userId as string;
-		const actionNames: string = req.query.actionNames as string;
-		
-		logs = await Log.find({
-			workspace: workspaceId,
-			...( userId ? { user: userId } : {}),
-			...( 
-				actionNames 
-				? { 
-					actionNames: {
-						$in: actionNames.split(',')
-					}
-				} : {}
-			)
-		})
-		.sort({ createdAt: sortBy === 'recent' ? -1 : 1 })
-		.skip(offset)
-		.limit(limit)
-		.populate('actions')
-		.populate('user');
-
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get workspace logs'
-		});
-	}
-	
-	return res.status(200).send({
-		logs
-	});
-}

backend/src/ee/helpers/action.ts

@@ -1,202 +0,0 @@
-import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
-import { Action } from '../models';
-import { 
-    getLatestSecretVersionIds,
-    getLatestNSecretSecretVersionIds
-} from '../helpers/secretVersion';
-import { 
-    ACTION_LOGIN,
-    ACTION_LOGOUT,
-    ACTION_ADD_SECRETS,
-    ACTION_READ_SECRETS,
-    ACTION_DELETE_SECRETS,
-    ACTION_UPDATE_SECRETS,
-} from '../../variables';
-
-/**
- * Create an (audit) action for updating secrets
- * @param {Object} obj
- * @param {String} obj.name - name of action
- * @param {Types.ObjectId} obj.secretIds - ids of relevant secrets
- * @returns {Action} action - new action
- */
-const createActionUpdateSecret = async ({
-    name,
-    userId,
-    workspaceId,
-    secretIds
-}: {
-    name: string;
-    userId: Types.ObjectId;
-    workspaceId: Types.ObjectId;
-    secretIds: Types.ObjectId[];
-}) => {
-    let action;
-    try {
-        const latestSecretVersions = (await getLatestNSecretSecretVersionIds({
-                secretIds,
-                n: 2
-            }))
-            .map((s) => ({
-                oldSecretVersion: s.versions[0]._id,
-                newSecretVersion: s.versions[1]._id
-            }));
-        
-        action = await new Action({
-            name,
-            user: userId,
-            workspace: workspaceId,
-            payload: {
-                secretVersions: latestSecretVersions
-            }
-        }).save();
-
-    } catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-        throw new Error('Failed to create update secret action');
-    }
-    
-    return action;
-}
-
-/**
- * Create an (audit) action for creating, reading, and deleting
- * secrets
- * @param {Object} obj
- * @param {String} obj.name - name of action
- * @param {Types.ObjectId} obj.secretIds - ids of relevant secrets
- * @returns {Action} action - new action
- */
-const createActionSecret = async ({
-    name,
-    userId,
-    workspaceId,
-    secretIds
-}: {
-    name: string;
-    userId: Types.ObjectId;
-    workspaceId: Types.ObjectId;
-    secretIds: Types.ObjectId[];
-}) => {
-    let action;
-    try {
-        // case: action is adding, deleting, or reading secrets
-        // -> add new secret versions
-        const latestSecretVersions = (await getLatestSecretVersionIds({
-            secretIds
-        }))
-        .map((s) => ({
-            newSecretVersion: s.versionId
-        }));
-        
-       action = await new Action({
-            name,
-            user: userId,
-            workspace: workspaceId,
-            payload: {
-                secretVersions: latestSecretVersions
-            }
-        }).save(); 
-
-    } catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-        throw new Error('Failed to create action create/read/delete secret action');
-    }
-    
-    return action;
-}
-
-/**
- * Create an (audit) action for user with id [userId]
- * @param {Object} obj 
- * @param {String} obj.name - name of action
- * @param {String} obj.userId - id of user associated with action
- * @returns 
- */
-const createActionUser = ({
-    name,
-    userId
-}: {
-    name: string;
-    userId: Types.ObjectId;
-}) => {
-    let action;
-    try {
-        action = new Action({
-            name,
-            user: userId
-        }).save();
-    } catch (err) {
-        Sentry.setUser(null);
-        Sentry.captureException(err);
-        throw new Error('Failed to create user action');
-    }
-
-    return action; 
-}
-
-/**
- * Create an (audit) action. 
- * @param {Object} obj
- * @param {Object} obj.name - name of action
- * @param {Types.ObjectId} obj.userId - id of user associated with action
- * @param {Types.ObjectId} obj.workspaceId - id of workspace associated with action
- * @param {Types.ObjectId[]} obj.secretIds - ids of secrets associated with action
-*/
-const createActionHelper = async ({
-    name,
-    userId,
-    workspaceId,
-    secretIds,
-}: {
-    name: string;
-    userId: Types.ObjectId;
-    workspaceId?: Types.ObjectId;
-    secretIds?: Types.ObjectId[];
-}) => {
-    let action;
-    try {
-        switch (name) {
-            case ACTION_LOGIN:
-            case ACTION_LOGOUT:
-                action = await createActionUser({
-                    name,
-                    userId
-                });
-                break;
-            case ACTION_ADD_SECRETS:
-            case ACTION_READ_SECRETS:
-            case ACTION_DELETE_SECRETS:
-                if (!workspaceId || !secretIds) throw new Error('Missing required params workspace id or secret ids to create action secret');
-                action = await createActionSecret({
-                    name,
-                    userId,
-                    workspaceId,
-                    secretIds
-                });
-                break;
-            case ACTION_UPDATE_SECRETS:
-                if (!workspaceId || !secretIds) throw new Error('Missing required params workspace id or secret ids to create action secret');
-                action = await createActionUpdateSecret({
-                    name,
-                    userId,
-                    workspaceId,
-                    secretIds
-                });
-                break;
-        }
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-        throw new Error('Failed to create action');
-    }
-    
-    return action;
-}
-
-export { 
-    createActionHelper
-};

backend/src/ee/helpers/checkMembershipPermissions.ts

@@ -1,54 +0,0 @@
-import _ from "lodash";
-import { Membership } from "../../models";
-import { ABILITY_READ, ABILITY_WRITE } from "../../variables/organization";
-
-export const userHasWorkspaceAccess = async (userId: any, workspaceId: any, environment: any, action: any) => {
-  const membershipForWorkspace = await Membership.findOne({ workspace: workspaceId, user: userId })
-  if (!membershipForWorkspace) {
-    return false
-  }
-
-  const deniedMembershipPermissions = membershipForWorkspace.deniedPermissions;
-  const isDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: action });
-
-  if (isDisallowed) {
-    return false
-  }
-
-  return true
-}
-
-export const userHasWriteOnlyAbility = async (userId: any, workspaceId: any, environment: any) => {
-  const membershipForWorkspace = await Membership.findOne({ workspace: workspaceId, user: userId })
-  if (!membershipForWorkspace) {
-    return false
-  }
-
-  const deniedMembershipPermissions = membershipForWorkspace.deniedPermissions;
-  const isWriteDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: ABILITY_WRITE });
-  const isReadDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: ABILITY_READ });
-
-  // case: you have write only if read is blocked and write is not
-  if (isReadDisallowed && !isWriteDisallowed) {
-    return true
-  }
-
-  return false
-}
-
-export const userHasNoAbility = async (userId: any, workspaceId: any, environment: any) => {
-  const membershipForWorkspace = await Membership.findOne({ workspace: workspaceId, user: userId })
-  if (!membershipForWorkspace) {
-    return true
-  }
-
-  const deniedMembershipPermissions = membershipForWorkspace.deniedPermissions;
-  const isWriteDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: ABILITY_WRITE });
-  const isReadBlocked = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: ABILITY_READ });
-
-  if (isReadBlocked && isWriteDisallowed) {
-    return true
-  }
-
-  return false
-}

backend/src/ee/helpers/license.ts

@@ -0,0 +1,21 @@
+
+/**
+ * @param {Object} obj
+ * @param {Object} obj.licenseKey - Infisical license key
+ */
+const checkLicenseKey = ({
+    licenseKey
+}: {
+    licenseKey: string
+}) => {
+    try {
+        // TODO
+
+    } catch (err) {
+
+    }
+}
+
+export {
+    checkLicenseKey
+}

backend/src/ee/helpers/log.ts

@@ -1,51 +0,0 @@
-import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
-import { 
-    Log,
-    IAction
-} from '../models';
-/**
- * Create an (audit) log
- * @param {Object} obj
- * @param {Types.ObjectId} obj.userId - id of user associated with the log
- * @param {Types.ObjectId} obj.workspaceId - id of workspace associated with the log
- * @param {IAction[]} obj.actions - actions to include in log
- * @param {String} obj.channel - channel (web/cli/auto) associated with the log
- * @param {String} obj.ipAddress - ip address associated with the log
- * @returns {Log} log - new audit log
- */
-const createLogHelper = async ({
-    userId,
-    workspaceId,
-    actions,
-    channel,
-    ipAddress
-}: {
-    userId: Types.ObjectId;
-    workspaceId?: Types.ObjectId;
-    actions: IAction[];
-    channel: string;
-    ipAddress: string;
-}) => {
-    let log;
-    try {
-        log = await new Log({
-            user: userId,
-            workspace: workspaceId ?? undefined,
-            actionNames: actions.map((a) => a.name),
-            actions,
-            channel,
-            ipAddress
-        }).save();
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to create log');
-    }
-
-    return log;
-}
-
-export {
-    createLogHelper
-}

backend/src/ee/helpers/secret.ts

@@ -1,169 +0,0 @@
-import { Types } from 'mongoose';
-import * as Sentry from '@sentry/node';
-import {
-	Secret,
-	ISecret
-} from '../../models';
-import {
-	SecretSnapshot,
-	SecretVersion,
-	ISecretVersion
-} from '../models';
-
-/**
- * Save a secret snapshot that is a copy of the current state of secrets in workspace with id
- * [workspaceId] under a new snapshot with incremented version under the
- * secretsnapshots collection.
- * @param {Object} obj
- * @param {String} obj.workspaceId
- * @returns {SecretSnapshot} secretSnapshot - new secret snapshot
- */
-const takeSecretSnapshotHelper = async ({
-	workspaceId
-}: {
-	workspaceId: string;
-}) => {
-
-	let secretSnapshot;
-	try {
-		const secretIds = (await Secret.find({
-			workspace: workspaceId
-		}, '_id')).map((s) => s._id);
-
-		const latestSecretVersions = (await SecretVersion.aggregate([
-			{
-				$match: {
-					secret: {
-						$in: secretIds
-					}
-				}
-			},
-			{
-				$group: {
-					_id: '$secret',
-					version: { $max: '$version' },
-					versionId: { $max: '$_id' } // secret version id
-				}
-			},
-			{
-				$sort: { version: -1 }
-			}
-		])
-			.exec())
-			.map((s) => s.versionId);
-
-		const latestSecretSnapshot = await SecretSnapshot.findOne({
-			workspace: workspaceId
-		}).sort({ version: -1 });
-
-		secretSnapshot = await new SecretSnapshot({
-			workspace: workspaceId,
-			version: latestSecretSnapshot ? latestSecretSnapshot.version + 1 : 1,
-			secretVersions: latestSecretVersions
-		}).save();
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to take a secret snapshot');
-	}
-
-	return secretSnapshot;
-}
-
-/**
- * Add secret versions [secretVersions] to the SecretVersion collection.
- * @param {Object} obj
- * @param {Object[]} obj.secretVersions
- * @returns {SecretVersion[]} newSecretVersions - new secret versions
- */
-const addSecretVersionsHelper = async ({
-	secretVersions
-}: {
-	secretVersions: ISecretVersion[]
-}) => {
-	let newSecretVersions;
-	try {
-		newSecretVersions = await SecretVersion.insertMany(secretVersions);
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error(`Failed to add secret versions [err=${err}]`);
-	}
-
-	return newSecretVersions;
-}
-
-const markDeletedSecretVersionsHelper = async ({
-	secretIds
-}: {
-	secretIds: Types.ObjectId[];
-}) => {
-	try {
-		await SecretVersion.updateMany({
-			secret: { $in: secretIds }
-		}, {
-			isDeleted: true
-		}, {
-			new: true
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to mark secret versions as deleted');
-	}
-}
-
-/**
- * Initialize secret versioning by setting previously unversioned
- * secrets to version 1 and begin populating secret versions.
- */
-const initSecretVersioningHelper = async () => {
-	try {
-
-		await Secret.updateMany(
-			{ version: { $exists: false } },
-			{ $set: { version: 1 } }
-		);
-
-		const unversionedSecrets: ISecret[] = await Secret.aggregate([
-			{
-				$lookup: {
-					from: 'secretversions',
-					localField: '_id',
-					foreignField: 'secret',
-					as: 'versions',
-				},
-			},
-			{
-				$match: {
-					versions: { $size: 0 },
-				},
-			},
-		]);
-
-		if (unversionedSecrets.length > 0) {
-			await addSecretVersionsHelper({
-				secretVersions: unversionedSecrets.map((s, idx) => ({
-					...s,
-					secret: s._id,
-					version: s.version ? s.version : 1,
-					isDeleted: false,
-					workspace: s.workspace,
-					environment: s.environment
-				}))
-			});
-		}
-
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to ensure that secrets are versioned');
-	}
-}
-
-export {
-	takeSecretSnapshotHelper,
-	addSecretVersionsHelper,
-	markDeletedSecretVersionsHelper,
-	initSecretVersioningHelper
-}

backend/src/ee/helpers/secretVersion.ts

@@ -1,110 +0,0 @@
-import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
-import { SecretVersion } from '../models';
-
-/**
- * Return latest secret versions for secrets with ids [secretIds]
- * @param {Object} obj
- * @param {Object} obj.secretIds = ids of secrets to get latest versions for
- * @returns 
- */
-const getLatestSecretVersionIds = async ({
-    secretIds
-}: {
-    secretIds: Types.ObjectId[];
-}) => {
-    
-    interface LatestSecretVersionId {
-        _id: Types.ObjectId;
-        version: number;
-        versionId: Types.ObjectId;
-    }
-    
-    let latestSecretVersionIds: LatestSecretVersionId[];
-    try {
-        latestSecretVersionIds = (await SecretVersion.aggregate([
-            {
-                $match: { 
-                    secret: { 
-                        $in: secretIds 
-                    } 
-                }
-            },
-            {
-                $group: {
-                    _id: '$secret',
-                    version: { $max: '$version' },
-                    versionId: { $max: '$_id' } // id of latest secret version
-                }
-            },
-            {
-                $sort: { version: -1 }
-            }
-            ])
-            .exec());
-            
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-        throw new Error('Failed to get latest secret versions');
-    }
-    
-    return latestSecretVersionIds;
-}
-
-/**
- * Return latest [n] secret versions for secrets with ids [secretIds]
- * @param {Object} obj
- * @param {Object} obj.secretIds = ids of secrets to get latest versions for
- * @param {Number} obj.n - number of latest secret versions to return for each secret
- * @returns 
- */
-const getLatestNSecretSecretVersionIds = async ({
-    secretIds,
-    n
-}: {
-    secretIds: Types.ObjectId[];
-    n: number;
-}) => {
-    
-    // TODO: optimize query
-    let latestNSecretVersions;
-    try {
-        latestNSecretVersions = (await SecretVersion.aggregate([
-            {
-                $match: {
-                secret: {
-                    $in: secretIds,
-                },
-                },
-            },
-            {
-                $sort: { version: -1 },
-            },
-            {
-                $group: {
-                _id: "$secret",
-                versions: { $push: "$$ROOT" },
-                },
-            },
-            {
-                $project: {
-                _id: 0,
-                secret: "$_id",
-                versions: { $slice: ["$versions", n] },
-                },
-            }
-        ]));
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-        throw new Error('Failed to get latest n secret versions');
-    }
-    
-    return latestNSecretVersions;
-}
-
-export {
-    getLatestSecretVersionIds,
-    getLatestNSecretSecretVersionIds
-}

backend/src/ee/middleware/index.ts

@@ -1,7 +0,0 @@
-import requireLicenseAuth from './requireLicenseAuth';
-import requireSecretSnapshotAuth from './requireSecretSnapshotAuth';
-
-export {
-    requireLicenseAuth,
-    requireSecretSnapshotAuth
-}

backend/src/ee/middleware/requireSecretSnapshotAuth.ts

@@ -1,47 +0,0 @@
-import { Request, Response, NextFunction } from 'express';
-import { UnauthorizedRequestError, SecretSnapshotNotFoundError } from '../../utils/errors';
-import { SecretSnapshot } from '../models';
-import {
-    validateMembership
-} from '../../helpers/membership';
-
-/**
- * Validate if user on request has proper membership for secret snapshot
- * @param {Object} obj
- * @param {String[]} obj.acceptedRoles - accepted workspace roles
- * @param {String[]} obj.acceptedStatuses - accepted workspace statuses
- * @param {String[]} obj.location - location of [workspaceId] on request (e.g. params, body) for parsing
- */
-const requireSecretSnapshotAuth = ({
-    acceptedRoles,
-}: {
-    acceptedRoles: string[];
-}) => {
-    return async (req: Request, res: Response, next: NextFunction) => {
-        try {
-            const { secretSnapshotId } = req.params;
-            
-            const secretSnapshot = await SecretSnapshot.findById(secretSnapshotId);
-            
-            if (!secretSnapshot) {
-                return next(SecretSnapshotNotFoundError({
-                    message: 'Failed to find secret snapshot'
-                }));
-            }
-            
-            await validateMembership({
-                userId: req.user._id.toString(),
-                workspaceId: secretSnapshot.workspace.toString(),
-                acceptedRoles
-            });
-            
-            req.secretSnapshot = secretSnapshot as any;
-
-            next();
-        } catch (err) {
-            return next(UnauthorizedRequestError({ message: 'Unable to authenticate secret snapshot' }));
-        }
-    }
-}
-
-export default requireSecretSnapshotAuth;

backend/src/ee/models/action.ts

@@ -1,62 +0,0 @@
-import { Schema, model, Types } from 'mongoose';
-import {
-    ACTION_LOGIN,
-    ACTION_LOGOUT,
-    ACTION_ADD_SECRETS,
-    ACTION_UPDATE_SECRETS,
-    ACTION_READ_SECRETS,
-    ACTION_DELETE_SECRETS
-} from '../../variables';
-
-export interface IAction {
-    name: string;
-    user?: Types.ObjectId,
-    workspace?: Types.ObjectId,
-    payload?: {
-        secretVersions?: Types.ObjectId[]
-    }
-}
-
-const actionSchema = new Schema<IAction>(
-    {
-        name: {
-            type: String,
-            required: true,
-            enum: [
-                ACTION_LOGIN,
-                ACTION_LOGOUT,
-                ACTION_ADD_SECRETS,
-                ACTION_UPDATE_SECRETS,
-                ACTION_READ_SECRETS,
-                ACTION_DELETE_SECRETS
-            ]
-        },
-        user: {
-            type: Schema.Types.ObjectId,
-            ref: 'User',
-            required: true
-        },
-        workspace: {
-            type: Schema.Types.ObjectId,
-            ref: 'Workspace'
-        },
-        payload: {
-            secretVersions: [{
-                oldSecretVersion: {
-                    type: Schema.Types.ObjectId,
-                    ref: 'SecretVersion'
-                },
-                newSecretVersion: {
-                    type: Schema.Types.ObjectId,
-                    ref: 'SecretVersion'
-                }
-            }]
-        }
-    }, {
-        timestamps: true
-    }
-);
-
-const Action = model<IAction>('Action', actionSchema);
-
-export default Action;

backend/src/ee/models/index.ts

@@ -1,15 +0,0 @@
-import SecretSnapshot, { ISecretSnapshot } from './secretSnapshot';
-import SecretVersion, { ISecretVersion } from './secretVersion';
-import Log, { ILog } from './log';
-import Action, { IAction } from './action';
-
-export {
-    SecretSnapshot,
-    ISecretSnapshot,
-    SecretVersion,
-    ISecretVersion,
-    Log,
-    ILog,
-    Action,
-    IAction
-}

backend/src/ee/models/log.ts

@@ -1,63 +0,0 @@
-import { Schema, model, Types } from 'mongoose';
-import {
-    ACTION_LOGIN,
-    ACTION_LOGOUT,
-    ACTION_ADD_SECRETS,
-    ACTION_UPDATE_SECRETS,
-    ACTION_READ_SECRETS,
-    ACTION_DELETE_SECRETS
-} from '../../variables';
-
-export interface ILog {
-    _id: Types.ObjectId;
-    user?: Types.ObjectId;
-    workspace?: Types.ObjectId;
-    actionNames: string[];
-    actions: Types.ObjectId[];
-    channel: string;
-    ipAddress?: string;
-}
-
-const logSchema = new Schema<ILog>(
-    {
-        user: {
-            type: Schema.Types.ObjectId,
-            ref: 'User'
-        },
-        workspace: {
-            type: Schema.Types.ObjectId,
-            ref: 'Workspace'
-        },
-        actionNames: {
-            type: [String],
-            enum: [
-                ACTION_LOGIN,
-                ACTION_LOGOUT,
-                ACTION_ADD_SECRETS,
-                ACTION_UPDATE_SECRETS,
-                ACTION_READ_SECRETS,
-                ACTION_DELETE_SECRETS
-            ],
-            required: true
-        },
-        actions: [{
-            type: Schema.Types.ObjectId,
-            ref: 'Action',
-            required: true
-        }],
-        channel: {
-            type: String,
-            enum: ['web', 'cli', 'auto', 'k8-operator', 'other'],
-            required: true
-        },
-        ipAddress: {
-            type: String
-        }
-    }, {
-    timestamps: true
-}
-);
-
-const Log = model<ILog>('Log', logSchema);
-
-export default Log;

backend/src/ee/models/secretSnapshot.ts

@@ -1,33 +0,0 @@
-import { Schema, model, Types } from 'mongoose';
-
-export interface ISecretSnapshot {
-    workspace: Types.ObjectId;
-    version: number;
-    secretVersions: Types.ObjectId[];
-}
-
-const secretSnapshotSchema = new Schema<ISecretSnapshot>(
-    {
-        workspace: {
-            type: Schema.Types.ObjectId,
-            ref: 'Workspace',
-            required: true
-        },
-        version: {
-            type: Number,
-            required: true
-        },
-        secretVersions: [{
-            type: Schema.Types.ObjectId,
-            ref: 'SecretVersion',
-            required: true
-        }]
-    },
-    {
-        timestamps: true
-    }
-);
-
-const SecretSnapshot = model<ISecretSnapshot>('SecretSnapshot', secretSnapshotSchema);
-
-export default SecretSnapshot;

backend/src/ee/models/secretVersion.ts

@@ -1,106 +0,0 @@
-import { Schema, model, Types } from 'mongoose';
-import {
-	SECRET_SHARED,
-	SECRET_PERSONAL,
-} from '../../variables';
-
-export interface ISecretVersion {
-	_id: Types.ObjectId;
-	secret: Types.ObjectId;
-	version: number;
-	workspace: Types.ObjectId; // new
-	type: string; // new
-	user: Types.ObjectId; // new
-	environment: string; // new
-	isDeleted: boolean;
-	secretKeyCiphertext: string;
-	secretKeyIV: string;
-	secretKeyTag: string;
-	secretKeyHash: string;
-	secretValueCiphertext: string;
-	secretValueIV: string;
-	secretValueTag: string;
-	secretValueHash: string;
-	tags?: string[];
-}
-
-const secretVersionSchema = new Schema<ISecretVersion>(
-	{
-		secret: { // could be deleted
-			type: Schema.Types.ObjectId,
-			ref: 'Secret',
-			required: true
-		},
-		version: {
-			type: Number,
-			default: 1,
-			required: true
-		},
-		workspace: {
-			type: Schema.Types.ObjectId,
-			ref: 'Workspace',
-			required: true
-		},
-		type: {
-			type: String,
-			enum: [SECRET_SHARED, SECRET_PERSONAL],
-			required: true
-		},
-		user: {
-			// user associated with the personal secret
-			type: Schema.Types.ObjectId,
-			ref: 'User'
-		},
-		environment: {
-			type: String,
-			required: true
-		},
-		isDeleted: { // consider removing field
-			type: Boolean,
-			default: false,
-			required: true
-		},
-		secretKeyCiphertext: {
-			type: String,
-			required: true
-		},
-		secretKeyIV: {
-			type: String, // symmetric
-			required: true
-		},
-		secretKeyTag: {
-			type: String, // symmetric
-			required: true
-		},
-		secretKeyHash: {
-			type: String
-		},
-		secretValueCiphertext: {
-			type: String,
-			required: true
-		},
-		secretValueIV: {
-			type: String, // symmetric
-			required: true
-		},
-		secretValueTag: {
-			type: String, // symmetric
-			required: true
-		},
-		secretValueHash: {
-			type: String
-		},
-		tags: {
-			ref: 'Tag',
-			type: [Schema.Types.ObjectId],
-			default: []
-		},
-	},
-	{
-		timestamps: true
-	}
-);
-
-const SecretVersion = model<ISecretVersion>('SecretVersion', secretVersionSchema);
-
-export default SecretVersion;

backend/src/ee/routes/stripe.ts

@@ -1,6 +1,6 @@
 import express from 'express';
 const router = express.Router();
-import { stripeController } from '../../controllers/v1';
+import { stripeController } from '../controllers';
 
 router.post('/webhook', stripeController.handleWebhook);
 

backend/src/ee/routes/v1/action.ts

@@ -1,17 +0,0 @@
-import express from 'express';
-const router = express.Router();
-import {
-    validateRequest
-} from '../../../middleware';
-import { param } from 'express-validator';
-import { actionController } from '../../controllers/v1';
-
-// TODO: put into action controller
-router.get(
-    '/:actionId',
-    param('actionId').exists().trim(),
-    validateRequest,
-    actionController.getAction
-);
-
-export default router;

backend/src/ee/routes/v1/index.ts

@@ -1,11 +0,0 @@
-import secret from './secret';
-import secretSnapshot from './secretSnapshot';
-import workspace from './workspace';
-import action from './action';
-
-export {
-    secret,
-    secretSnapshot,
-    workspace,
-    action
-}

backend/src/ee/routes/v1/secret.ts

@@ -1,40 +0,0 @@
-import express from 'express';
-const router = express.Router();
-import {
-    requireAuth,
-	requireSecretAuth,
-    validateRequest
-} from '../../../middleware';
-import { query, param, body } from 'express-validator';
-import { secretController } from '../../controllers/v1';
-import { ADMIN, MEMBER } from '../../../variables';
-
-router.get(
-	'/:secretId/secret-versions',
-	requireAuth({
-		acceptedAuthModes: ['jwt', 'apiKey']
-	}),
-	requireSecretAuth({
-		acceptedRoles: [ADMIN, MEMBER]
-	}),
-	param('secretId').exists().trim(),
-	query('offset').exists().isInt(),
-	query('limit').exists().isInt(),
-	validateRequest,
-	secretController.getSecretVersions
-);
-
-router.post(
-	'/:secretId/secret-versions/rollback',
-	requireAuth({
-		acceptedAuthModes: ['jwt', 'apiKey']
-	}),
-	requireSecretAuth({
-		acceptedRoles: [ADMIN, MEMBER]
-	}),
-	param('secretId').exists().trim(),
-	body('version').exists().isInt(),
-	secretController.rollbackSecretVersion
-);
-
-export default router;

backend/src/ee/routes/v1/secretSnapshot.ts

@@ -1,27 +0,0 @@
-import express from 'express';
-const router = express.Router();
-import {
-    requireSecretSnapshotAuth
-} from '../../middleware';
-import {
-    requireAuth,
-    validateRequest
-} from '../../../middleware';
-import { param, body } from 'express-validator';
-import { ADMIN, MEMBER } from '../../../variables';
-import { secretSnapshotController } from '../../controllers/v1';
-
-router.get(
-    '/:secretSnapshotId',
-    requireAuth({
-		acceptedAuthModes: ['jwt']
-	}),
-    requireSecretSnapshotAuth({
-        acceptedRoles: [ADMIN, MEMBER]
-    }),
-    param('secretSnapshotId').exists().trim(),
-    validateRequest,
-    secretSnapshotController.getSecretSnapshot
-);
-
-export default router;

backend/src/ee/routes/v1/workspace.ts

@@ -1,72 +0,0 @@
-import express from 'express';
-const router = express.Router();
-import {
-	requireAuth,
-	requireWorkspaceAuth,
-	validateRequest
-} from '../../../middleware';
-import { param, query, body } from 'express-validator';
-import { ADMIN, MEMBER } from '../../../variables';
-import { workspaceController } from '../../controllers/v1';
-
-router.get(
-	'/:workspaceId/secret-snapshots',
-	requireAuth({
-		acceptedAuthModes: ['jwt', 'apiKey']
-	}),
-	requireWorkspaceAuth({
-		acceptedRoles: [ADMIN, MEMBER]
-	}),
-	param('workspaceId').exists().trim(),
-	query('offset').exists().isInt(),
-	query('limit').exists().isInt(),
-	validateRequest,
-	workspaceController.getWorkspaceSecretSnapshots
-);
-
-router.get(
-	'/:workspaceId/secret-snapshots/count',
-	requireAuth({
-		acceptedAuthModes: ['jwt']
-	}),
-	requireWorkspaceAuth({
-		acceptedRoles: [ADMIN, MEMBER]
-	}),
-	param('workspaceId').exists().trim(),
-	validateRequest,
-	workspaceController.getWorkspaceSecretSnapshotsCount
-);
-
-router.post(
-	'/:workspaceId/secret-snapshots/rollback',
-	requireAuth({
-		acceptedAuthModes: ['jwt', 'apiKey']
-	}),
-	requireWorkspaceAuth({
-		acceptedRoles: [ADMIN, MEMBER]
-	}),
-	param('workspaceId').exists().trim(),
-	body('version').exists().isInt(),
-	validateRequest,
-	workspaceController.rollbackWorkspaceSecretSnapshot
-);
-
-router.get(
-	'/:workspaceId/logs',
-	requireAuth({
-		acceptedAuthModes: ['jwt', 'apiKey']
-	}),
-	requireWorkspaceAuth({
-		acceptedRoles: [ADMIN, MEMBER]
-	}),
-	param('workspaceId').exists().trim(),
-	query('offset').exists().isInt(),
-	query('limit').exists().isInt(),
-	query('sortBy'),
-	query('userId'),
-	query('actionNames'),
-	validateRequest,
-	workspaceController.getWorkspaceLogs
-);
-
-export default router;

backend/src/ee/services/EELicenseService.ts

@@ -1,19 +0,0 @@
-import { LICENSE_KEY } from '../../config';
-
-/**
- * Class to handle Enterprise Edition license actions
- */
-class EELicenseService {
-    
-    private readonly _isLicenseValid: boolean;
-    
-    constructor(licenseKey: string) {
-        this._isLicenseValid = true;
-    }
-
-    public get isLicenseValid(): boolean {
-        return this._isLicenseValid;
-    }
-}
-
-export default new EELicenseService(LICENSE_KEY);

backend/src/ee/services/EELogService.ts

@@ -1,79 +0,0 @@
-import { Types } from 'mongoose';
-import { 
-    IAction
-} from '../models';
-import {
-    createLogHelper
-} from '../helpers/log';
-import {
-    createActionHelper
-} from '../helpers/action';
-import EELicenseService from './EELicenseService';
-
-/**
- * Class to handle Enterprise Edition log actions
- */
-class EELogService {
-    /**
-     * Create an (audit) log
-     * @param {Object} obj
-     * @param {String} obj.userId - id of user associated with the log
-     * @param {String} obj.workspaceId - id of workspace associated with the log
-     * @param {Action} obj.actions - actions to include in log
-     * @param {String} obj.channel - channel (web/cli/auto) associated with the log
-     * @param {String} obj.ipAddress - ip address associated with the log
-     * @returns {Log} log - new audit log
-     */
-    static async createLog({
-        userId,
-        workspaceId,
-        actions,
-        channel,
-        ipAddress
-    }: {
-        userId: Types.ObjectId;
-        workspaceId?: Types.ObjectId;
-        actions: IAction[];
-        channel: string;
-        ipAddress: string;
-    }) {
-        if (!EELicenseService.isLicenseValid) return null;
-        return await createLogHelper({
-            userId,
-            workspaceId,
-            actions,
-            channel,
-            ipAddress
-        })
-    }
-    
-    /**
-     * Create an (audit) action
-     * @param {Object} obj
-     * @param {String} obj.name - name of action
-     * @param {Types.ObjectId} obj.userId - id of user associated with the action
-     * @param {Types.ObjectId} obj.workspaceId - id of workspace associated with the action
-     * @param {ObjectId[]} obj.secretIds - ids of secrets associated with the action
-     * @returns {Action} action - new action
-     */
-    static async createAction({
-        name,
-        userId,
-        workspaceId,
-        secretIds
-    }: {
-        name: string;
-        userId: Types.ObjectId;
-        workspaceId?: Types.ObjectId;
-        secretIds?: Types.ObjectId[];
-    }) {
-        return await createActionHelper({
-            name,
-            userId,
-            workspaceId,
-            secretIds
-        });
-    }
-}
-
-export default EELogService;

backend/src/ee/services/EESecretService.ts

@@ -1,78 +0,0 @@
-import { Types } from 'mongoose';
-import { ISecretVersion } from '../models';
-import { 
-    takeSecretSnapshotHelper,
-    addSecretVersionsHelper,
-    markDeletedSecretVersionsHelper,
-    initSecretVersioningHelper
-} from '../helpers/secret';
-import EELicenseService from './EELicenseService';
-
-/**
- * Class to handle Enterprise Edition secret actions
- */
-class EESecretService {
-    
-    /**
-     * Save a secret snapshot that is a copy of the current state of secrets in workspace with id
-     * [workspaceId] under a new snapshot with incremented version under the
-     * SecretSnapshot collection.
-     * Requires a valid license key [licenseKey]
-     * @param {Object} obj
-     * @param {String} obj.workspaceId
-     * @returns {SecretSnapshot} secretSnapshot - new secret snpashot
-     */
-    static async takeSecretSnapshot({
-        workspaceId
-    }: {
-        workspaceId: string;
-    }) {
-        if (!EELicenseService.isLicenseValid) return;
-        return await takeSecretSnapshotHelper({ workspaceId });
-    }
-    
-    /**
-     * Add secret versions [secretVersions] to the SecretVersion collection.
-     * @param {Object} obj
-     * @param {Object[]} obj.secretVersions
-     * @returns {SecretVersion[]} newSecretVersions - new secret versions
-     */
-    static async addSecretVersions({
-        secretVersions
-    }: {
-        secretVersions: ISecretVersion[];
-    }) {
-        if (!EELicenseService.isLicenseValid) return;
-        return await addSecretVersionsHelper({
-            secretVersions
-        });
-    }
-
-    /**
-     * Mark secret versions associated with secrets with ids [secretIds]
-     * as deleted.
-     * @param {Object} obj
-     * @param {ObjectId[]} obj.secretIds - secret ids
-     */
-    static async markDeletedSecretVersions({
-        secretIds
-    }: {
-        secretIds: Types.ObjectId[];
-    }) {
-        if (!EELicenseService.isLicenseValid) return;
-        await markDeletedSecretVersionsHelper({
-            secretIds
-        });
-    }
-    
-    /**
-     * Initialize secret versioning by setting previously unversioned
-     * secrets to version 1 and begin populating secret versions.
-     */
-    static async initSecretVersioning() {
-        if (!EELicenseService.isLicenseValid) return; 
-        await initSecretVersioningHelper();
-    }
-}
-
-export default EESecretService;

backend/src/ee/services/index.ts

@@ -1,9 +0,0 @@
-import EELicenseService from "./EELicenseService";
-import EESecretService from "./EESecretService";
-import EELogService from "./EELogService";
-
-export {
-    EELicenseService,
-    EESecretService,
-    EELogService
-}

backend/src/events/index.ts

@@ -1,5 +0,0 @@
-import { eventPushSecrets } from "./secret"
-
-export {
-    eventPushSecrets
-}

backend/src/events/secret.ts

@@ -1,60 +0,0 @@
-import { 
-    EVENT_PUSH_SECRETS, 
-    EVENT_PULL_SECRETS 
-} from '../variables';
-
-interface PushSecret {
-	ciphertextKey: string;
-	ivKey: string;
-	tagKey: string;
-	hashKey: string;
-	ciphertextValue: string;
-	ivValue: string;
-	tagValue: string;
-	hashValue: string;
-	type: 'shared' | 'personal';
-}
-
-/**
- * Return event for pushing secrets
- * @param {Object} obj
- * @param {String} obj.workspaceId - id of workspace to push secrets to
- * @returns 
- */
-const eventPushSecrets = ({
-    workspaceId
-}: {
-    workspaceId: string;
-}) => {
-    return ({
-        name: EVENT_PUSH_SECRETS,
-        workspaceId,
-        payload: {
-
-        }
-    });
-}
-
-/**
- * Return event for pulling secrets
- * @param {Object} obj
- * @param {String} obj.workspaceId - id of workspace to pull secrets from
- * @returns 
- */
-const eventPullSecrets = ({
-    workspaceId,
-}: {
-    workspaceId: string;
-}) => {
-    return ({
-        name: EVENT_PULL_SECRETS,
-        workspaceId,
-        payload: {
-
-        }
-    });
-}
-
-export {
-    eventPushSecrets
-}

backend/src/helpers/auth.ts

@@ -1,10 +1,7 @@
 import jwt from 'jsonwebtoken';
 import * as Sentry from '@sentry/node';
-import bcrypt from 'bcrypt';
 import {
-	User,
-	ServiceTokenData,
-	APIKeyData
+	User
 } from '../models';
 import {
 	JWT_AUTH_LIFETIME,
@@ -12,196 +9,6 @@ import {
 	JWT_REFRESH_LIFETIME,
 	JWT_REFRESH_SECRET
 } from '../config';
-import {
-	AccountNotFoundError,
-	ServiceTokenDataNotFoundError,
-	APIKeyDataNotFoundError,
-	UnauthorizedRequestError,
-	BadRequestError
-} from '../utils/errors';
-
-/**
- * 
- * @param {Object} obj
- * @param {Object} obj.headers - HTTP request headers object
- */
-const validateAuthMode = ({
-	headers,
-	acceptedAuthModes
-}: {
-	headers: { [key: string]: string | string[] | undefined },
-	acceptedAuthModes: string[]
-}) => {
-	// TODO: refactor middleware
-	const apiKey = headers['x-api-key'];
-	const authHeader = headers['authorization'];
-
-	let authTokenType, authTokenValue;
-	if (apiKey === undefined && authHeader === undefined) {
-		// case: no auth or X-API-KEY header present
-		throw BadRequestError({ message: 'Missing Authorization or X-API-KEY in request header.' });
-	}
-
-	if (typeof apiKey === 'string') {
-		// case: treat request authentication type as via X-API-KEY (i.e. API Key)
-		authTokenType = 'apiKey';
-		authTokenValue = apiKey;
-	}
-
-	if (typeof authHeader === 'string') {
-		// case: treat request authentication type as via Authorization header (i.e. either JWT or service token)
-		const [tokenType, tokenValue] = <[string, string]>authHeader.split(' ', 2) ?? [null, null]
-		if (tokenType === null)
-			throw BadRequestError({ message: `Missing Authorization Header in the request header.` });
-		if (tokenType.toLowerCase() !== 'bearer')
-			throw BadRequestError({ message: `The provided authentication type '${tokenType}' is not supported.` });
-		if (tokenValue === null)
-			throw BadRequestError({ message: 'Missing Authorization Body in the request header.' });
-
-		switch (tokenValue.split('.', 1)[0]) {
-			case 'st':
-				authTokenType = 'serviceToken';
-				break;
-			default:
-				authTokenType = 'jwt';
-		}
-		authTokenValue = tokenValue;
-	}
-
-	if (!authTokenType || !authTokenValue) throw BadRequestError({ message: 'Missing valid Authorization or X-API-KEY in request header.' });
-
-	if (!acceptedAuthModes.includes(authTokenType)) throw BadRequestError({ message: 'The provided authentication type is not supported.' });
-
-	return ({
-		authTokenType,
-		authTokenValue
-	});
-}
-
-/**
- * Return user payload corresponding to JWT token [authTokenValue]
- * @param {Object} obj
- * @param {String} obj.authTokenValue - JWT token value
- * @returns {User} user - user corresponding to JWT token
- */
-const getAuthUserPayload = async ({
-	authTokenValue
-}: {
-	authTokenValue: string;
-}) => {
-	let user;
-	try {
-		const decodedToken = <jwt.UserIDJwtPayload>(
-			jwt.verify(authTokenValue, JWT_AUTH_SECRET)
-		);
-
-		user = await User.findOne({
-			_id: decodedToken.userId
-		}).select('+publicKey');
-
-		if (!user) throw AccountNotFoundError({ message: 'Failed to find User' });
-
-		if (!user?.publicKey) throw UnauthorizedRequestError({ message: 'Failed to authenticate User with partially set up account' });
-
-	} catch (err) {
-		throw UnauthorizedRequestError({
-			message: 'Failed to authenticate JWT token'
-		});
-	}
-
-	return user;
-}
-
-/**
- * Return service token data payload corresponding to service token [authTokenValue]
- * @param {Object} obj
- * @param {String} obj.authTokenValue - service token value
- * @returns {ServiceTokenData} serviceTokenData - service token data
- */
-const getAuthSTDPayload = async ({
-	authTokenValue
-}: {
-	authTokenValue: string;
-}) => {
-	let serviceTokenData;
-	try {
-		const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split('.', 3);
-
-		// TODO: optimize double query
-		serviceTokenData = await ServiceTokenData
-			.findById(TOKEN_IDENTIFIER, '+secretHash +expiresAt');
-
-		if (!serviceTokenData) {
-			throw ServiceTokenDataNotFoundError({ message: 'Failed to find service token data' });
-		} else if (serviceTokenData?.expiresAt && new Date(serviceTokenData.expiresAt) < new Date()) {
-			// case: service token expired
-			await ServiceTokenData.findByIdAndDelete(serviceTokenData._id);
-			throw UnauthorizedRequestError({
-				message: 'Failed to authenticate expired service token'
-			});
-		}
-
-		const isMatch = await bcrypt.compare(TOKEN_SECRET, serviceTokenData.secretHash);
-		if (!isMatch) throw UnauthorizedRequestError({
-			message: 'Failed to authenticate service token'
-		});
-
-		serviceTokenData = await ServiceTokenData
-			.findById(TOKEN_IDENTIFIER)
-			.select('+encryptedKey +iv +tag').populate('user');
-
-	} catch (err) {
-		throw UnauthorizedRequestError({
-			message: 'Failed to authenticate service token'
-		});
-	}
-
-	return serviceTokenData;
-}
-
-/**
- * Return API key data payload corresponding to API key [authTokenValue]
- * @param {Object} obj
- * @param {String} obj.authTokenValue - API key value
- * @returns {APIKeyData} apiKeyData - API key data
- */
-const getAuthAPIKeyPayload = async ({
-	authTokenValue
-}: {
-	authTokenValue: string;
-}) => {
-	let user;
-	try {
-		const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split('.', 3);
-
-		const apiKeyData = await APIKeyData
-			.findById(TOKEN_IDENTIFIER, '+secretHash +expiresAt')
-			.populate('user', '+publicKey');
-
-		if (!apiKeyData) {
-			throw APIKeyDataNotFoundError({ message: 'Failed to find API key data' });
-		} else if (apiKeyData?.expiresAt && new Date(apiKeyData.expiresAt) < new Date()) {
-			// case: API key expired
-			await APIKeyData.findByIdAndDelete(apiKeyData._id);
-			throw UnauthorizedRequestError({
-				message: 'Failed to authenticate expired API key'
-			});
-		}
-
-		const isMatch = await bcrypt.compare(TOKEN_SECRET, apiKeyData.secretHash);
-		if (!isMatch) throw UnauthorizedRequestError({
-			message: 'Failed to authenticate API key'
-		});
-
-		user = apiKeyData.user;
-	} catch (err) {
-		throw UnauthorizedRequestError({
-			message: 'Failed to authenticate API key'
-		});
-	}
-
-	return user;
-}
 
 /**
  * Return newly issued (JWT) auth and refresh tokens to user with id [userId]
@@ -292,12 +99,4 @@ const createToken = ({
 	}
 };
 
-export {
-	validateAuthMode,
-	getAuthUserPayload,
-	getAuthSTDPayload,
-	getAuthAPIKeyPayload,
-	createToken,
-	issueTokens,
-	clearTokens
-};
+export { createToken, issueTokens, clearTokens };

backend/src/helpers/bot.ts

@@ -1,229 +0,0 @@
-import * as Sentry from '@sentry/node';
-import {
-    Bot,
-    BotKey,
-    Secret,
-    ISecret,
-    IUser
-} from '../models';
-import { 
-    generateKeyPair, 
-    encryptSymmetric,
-    decryptSymmetric,
-    decryptAsymmetric
-} from '../utils/crypto';
-import { ENCRYPTION_KEY } from '../config';
-import { SECRET_SHARED } from '../variables';
-
-/**
- * Create an inactive bot with name [name] for workspace with id [workspaceId]
- * @param {Object} obj 
- * @param {String} obj.name - name of bot
- * @param {String} obj.workspaceId - id of workspace that bot belongs to
- */
-const createBot = async ({
-    name,
-    workspaceId,
-}: {
-    name: string;
-    workspaceId: string;
-}) => {
-    let bot;
-    try {
-        const { publicKey, privateKey } = generateKeyPair();
-        const { ciphertext, iv, tag } = encryptSymmetric({
-            plaintext: privateKey,
-            key: ENCRYPTION_KEY
-        });
-
-        bot = await new Bot({
-            name,
-            workspace: workspaceId,
-            isActive: false,
-            publicKey,
-            encryptedPrivateKey: ciphertext,
-            iv,
-            tag
-        }).save();
-    } catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to create bot');
-    }
-    
-    return bot;
-}
-
-/**
- * Return decrypted secrets for workspace with id [workspaceId]
- * and [environment] using bot
- * @param {Object} obj
- * @param {String} obj.workspaceId - id of workspace
- * @param {String} obj.environment - environment
- */
-const getSecretsHelper = async ({
-    workspaceId,
-    environment
-}: {
-    workspaceId: string;
-    environment: string;
-}) => {
-    const content = {} as any;
-    try {
-        const key = await getKey({ workspaceId });
-        const secrets = await Secret.find({
-            workspace: workspaceId,
-            environment,
-            type: SECRET_SHARED
-        });
-        
-        secrets.forEach((secret: ISecret) => {
-            const secretKey = decryptSymmetric({
-                ciphertext: secret.secretKeyCiphertext,
-                iv: secret.secretKeyIV,
-                tag: secret.secretKeyTag,
-                key
-            });
-
-            const secretValue = decryptSymmetric({
-                ciphertext: secret.secretValueCiphertext,
-                iv: secret.secretValueIV,
-                tag: secret.secretValueTag,
-                key
-            });
-
-            content[secretKey] = secretValue;
-        });
-    } catch (err) {
-        Sentry.setUser(null);
-        Sentry.captureException(err);
-        throw new Error('Failed to get secrets');
-    }
-
-    return content;
-}
-
-/**
- * Return bot's copy of the workspace key for workspace 
- * with id [workspaceId]
- * @param {Object} obj
- * @param {String} obj.workspaceId - id of workspace
- * @returns {String} key - decrypted workspace key
- */
-const getKey = async ({ workspaceId }: { workspaceId: string }) => {
-    let key;
-    try {
-        const botKey = await BotKey.findOne({
-            workspace: workspaceId
-        }).populate<{ sender: IUser }>('sender', 'publicKey');
-        
-        if (!botKey) throw new Error('Failed to find bot key');
-        
-        const bot = await Bot.findOne({
-            workspace: workspaceId
-        }).select('+encryptedPrivateKey +iv +tag');
-        
-        if (!bot) throw new Error('Failed to find bot');
-        if (!bot.isActive) throw new Error('Bot is not active');
-        
-        const privateKeyBot = decryptSymmetric({
-            ciphertext: bot.encryptedPrivateKey,
-            iv: bot.iv,
-            tag: bot.tag,
-            key: ENCRYPTION_KEY
-        });
-        
-        key = decryptAsymmetric({
-            ciphertext: botKey.encryptedKey,
-            nonce: botKey.nonce,
-            publicKey: botKey.sender.publicKey as string,
-            privateKey: privateKeyBot
-        });
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to get workspace key');
-    }
-    
-    return key;
-}
-
-/**
- * Return symmetrically encrypted [plaintext] using the
- * key for workspace with id [workspaceId] 
- * @param {Object} obj1
- * @param {String} obj1.workspaceId - id of workspace
- * @param {String} obj1.plaintext - plaintext to encrypt
- */
-const encryptSymmetricHelper = async ({
-    workspaceId,
-    plaintext
-}: {
-    workspaceId: string;
-    plaintext: string;
-}) => {
-    
-    try {
-        const key = await getKey({ workspaceId });
-        const { ciphertext, iv, tag } = encryptSymmetric({
-            plaintext,
-            key
-        });
-        
-        return ({
-            ciphertext,
-            iv,
-            tag
-        });
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to perform symmetric encryption with bot');
-    }
-}
-/**
- * Return symmetrically decrypted [ciphertext] using the
- * key for workspace with id [workspaceId]
- * @param {Object} obj
- * @param {String} obj.workspaceId - id of workspace
- * @param {String} obj.ciphertext - ciphertext to decrypt
- * @param {String} obj.iv - iv
- * @param {String} obj.tag - tag
- */
-const decryptSymmetricHelper = async ({
-    workspaceId,
-    ciphertext,
-    iv,
-    tag
-}: {
-    workspaceId: string;
-    ciphertext: string;
-    iv: string;
-    tag: string;
-}) => {
-    let plaintext;
-    try {
-        const key = await getKey({ workspaceId });
-        const plaintext = decryptSymmetric({
-            ciphertext,
-            iv,
-            tag,
-            key
-        });
-        
-        return plaintext;
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to perform symmetric decryption with bot');
-    }
-    
-    return plaintext;
-}
-
-export {
-    createBot,
-    getSecretsHelper,
-    encryptSymmetricHelper,
-    decryptSymmetricHelper
-}

backend/src/helpers/database.ts

@@ -1,34 +0,0 @@
-import mongoose from 'mongoose';
-import { EESecretService } from '../ee/services';
-import { getLogger } from '../utils/logger';
-
-/**
- * Initialize database connection
- * @param {Object} obj
- * @param {String} obj.mongoURL - mongo connection string
- * @returns 
- */
-const initDatabaseHelper = async ({
-    mongoURL
-}: {
-    mongoURL: string;
-}) => {
-    try {
-        await mongoose.connect(mongoURL);
-    
-        // allow empty strings to pass the required validator
-        mongoose.Schema.Types.String.checkRequired(v => typeof v === 'string');
-
-        getLogger("database").info("Database connection established");
-        
-        await EESecretService.initSecretVersioning();
-    } catch (err) {
-        getLogger("database").error(`Unable to establish Database connection due to the error.\n${err}`);
-    }
-
-    return mongoose.connection;
-}
-
-export {
-    initDatabaseHelper
-}