Add simple validation checks

Improve infisical secrets command

.env.example

@@ -16,9 +16,6 @@ JWT_AUTH_LIFETIME=
 JWT_REFRESH_LIFETIME=
 JWT_SIGNUP_LIFETIME=
 
-# Optional lifetimes for OTP expressed in seconds
-EMAIL_TOKEN_LIFETIME=
-
 # MongoDB
 # Backend will connect to the MongoDB instance at connection string MONGO_URL which can either be a ref
 # to the MongoDB container instance or Mongo Cloud
@@ -48,10 +45,12 @@ CLIENT_ID_HEROKU=
 CLIENT_ID_VERCEL=
 CLIENT_ID_NETLIFY=
 CLIENT_ID_GITHUB=
+CLIENT_ID_GITLAB=
 CLIENT_SECRET_HEROKU=
 CLIENT_SECRET_VERCEL=
 CLIENT_SECRET_NETLIFY=
 CLIENT_SECRET_GITHUB=
+CLIENT_SECRET_GITLAB=
 CLIENT_SLUG_VERCEL=
 
 # Sentry (optional) for monitoring errors

.github/pull_request_template.md

@@ -0,0 +1,22 @@
+# Description 📣
+
+*Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.*
+
+## Type ✨
+
+- [ ] Bug fix
+- [ ] New feature
+- [ ] Breaking change
+- [ ] Documentation
+
+# Tests 🛠️
+
+*Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration. You may want to add screenshots when relevant and possible*
+
+```sh
+# Here's some code block to paste some code snippets
+```
+
+---
+
+- [ ] I have read the [contributing guide](https://infisical.com/docs/contributing/overview), agreed and acknowledged the [code of conduct](https://infisical.com/docs/contributing/code-of-conduct). 📝

.github/values.yaml

@@ -1,11 +1,5 @@
-#####
-# INFISICAL K8 DEFAULT VALUES FILE
-# PLEASE REPLACE VALUES/EDIT AS REQUIRED 
-#####
-
-nameOverride: ""
-
 frontend:
+  enabled: true
   name: frontend
   podAnnotations: {}
   deploymentAnnotations:
@@ -13,17 +7,18 @@ frontend:
   replicaCount: 2
   image:
     repository: infisical/frontend
-    pullPolicy: Always 
     tag: "latest"
+    pullPolicy: Always
   kubeSecretRef: managed-secret-frontend
   service:
-    # type of the frontend service
-    type: ClusterIP
-    # define the nodePort if service type is NodePort
-    # nodePort: 
     annotations: {}
+    type: ClusterIP
+    nodePort: ""
+
+frontendEnvironmentVariables: null
 
 backend:
+  enabled: true
   name: backend
   podAnnotations: {}
   deploymentAnnotations:
@@ -31,63 +26,46 @@ backend:
   replicaCount: 2
   image:
     repository: infisical/backend
-    pullPolicy: Always
     tag: "latest"
+    pullPolicy: Always
   kubeSecretRef: managed-backend-secret
   service:
     annotations: {}
+    type: ClusterIP
+    nodePort: ""
 
+backendEnvironmentVariables: null
+
+## Mongo DB persistence
 mongodb:
-  name: mongodb
-  podAnnotations: {}
-  image:
-    repository: mongo
-    pullPolicy: IfNotPresent
-    tag: "latest"
-  service:
-    annotations: {}
+  enabled: true
+  persistence:
+    enabled: false
 
-# By default the backend will be connected to a Mongo instance in the cluster.
-# However, it is recommended to add a managed document DB connection string because the DB instance in the cluster does not have persistence yet ( data will be deleted on next deploy).
-# Learn about connection string type here https://www.mongodb.com/docs/manual/reference/connection-string/
-mongodbConnection: {}
-  # externalMongoDBConnectionString: <>
+## By default the backend will be connected to a Mongo instance within the cluster
+## However, it is recommended to add a managed document DB connection string for production-use (DBaaS)
+## Learn about connection string type here https://www.mongodb.com/docs/manual/reference/connection-string/
+## e.g. "mongodb://<user>:<pass>@<host>:<port>/<database-name>"
+mongodbConnection:
+  externalMongoDBConnectionString: ""
 
 ingress:
   enabled: true
   annotations:
     kubernetes.io/ingress.class: "nginx"
-  hostName: gamma.infisical.com # replace with your domain 
-  frontend: 
+    # cert-manager.io/issuer: letsencrypt-nginx
+  hostName: gamma.infisical.com ## <- Replace with your own domain
+  frontend:
     path: /
     pathType: Prefix
   backend:
     path: /api
     pathType: Prefix
-  tls: []
+  tls:
+    []
+    # - secretName: letsencrypt-nginx
+    #   hosts:
+    #     - infisical.local
 
-
-## Complete Ingress example 
-# ingress:
-#   enabled: true
-#   annotations:
-#     kubernetes.io/ingress.class: "nginx"
-#     cert-manager.io/issuer: letsencrypt-nginx
-#   hostName: k8.infisical.com
-#   frontend: 
-#     path: /
-#     pathType: Prefix
-#   backend:
-#     path: /api
-#     pathType: Prefix
-#   tls:
-#     - secretName: letsencrypt-nginx
-#       hosts:
-#         - k8.infisical.com
-
-###
-### YOU MUST FILL IN ALL SECRETS BELOW
-### 
-backendEnvironmentVariables: {}
-
-frontendEnvironmentVariables: {}
+mailhog:
+  enabled: false

backend/Dockerfile

@@ -1,18 +1,27 @@
-FROM node:16-bullseye-slim
+# Build stage
+FROM node:16-alpine AS build
 
 WORKDIR /app
 
-COPY package.json package-lock.json ./
-
-# RUN npm ci --only-production --ignore-scripts
-# "prepare": "cd .. && npm install"
-
+COPY package*.json ./
 RUN npm ci --only-production
 
 COPY . .
+RUN npm run build
+
+# Production stage
+FROM node:16-alpine
+
+WORKDIR /app
+
+COPY package*.json ./
+RUN npm ci --only-production
+
+COPY --from=build /app .
 
 HEALTHCHECK --interval=10s --timeout=3s --start-period=10s \  
   CMD node healthcheck.js
 
+EXPOSE 4000
 
-CMD ["npm", "run", "start"]
+CMD ["npm", "run", "start"]

backend/__tests__/healthcheck.test.ts

@@ -1,19 +0,0 @@
-import { server } from '../src/app';
-import { describe, expect, it, beforeAll, afterAll } from '@jest/globals';
-import supertest from 'supertest';
-import { setUpHealthEndpoint } from '../src/services/health';
-
-const requestWithSupertest = supertest(server);
-describe('Healthcheck endpoint', () => {
-  beforeAll(async () => {
-    setUpHealthEndpoint(server);
-  });
-  afterAll(async () => {
-    server.close();
-  });
-
-  it('GET /healthcheck should return OK', async () => {
-    const res = await requestWithSupertest.get('/healthcheck');
-    expect(res.status).toEqual(200);
-  });
-});

backend/environment.d.ts

@@ -4,7 +4,6 @@ declare global {
   namespace NodeJS {
     interface ProcessEnv {
       PORT: string;
-      EMAIL_TOKEN_LIFETIME: string;
       ENCRYPTION_KEY: string;
       SALT_ROUNDS: string;
       JWT_AUTH_LIFETIME: string;
@@ -22,10 +21,12 @@ declare global {
       CLIENT_ID_VERCEL: string;
       CLIENT_ID_NETLIFY: string;
       CLIENT_ID_GITHUB: string;
+      CLIENT_ID_GITLAB: string;
       CLIENT_SECRET_HEROKU: string;
       CLIENT_SECRET_VERCEL: string;
       CLIENT_SECRET_NETLIFY: string;
       CLIENT_SECRET_GITHUB: string;
+      CLIENT_SECRET_GITLAB: string;
       CLIENT_SLUG_VERCEL: string;
 			POSTHOG_HOST: string;
 			POSTHOG_PROJECT_API_KEY: string;

backend/jest.config.ts

@@ -0,0 +1,9 @@
+export default {
+  preset: 'ts-jest',
+  testEnvironment: 'node',
+  collectCoverageFrom: ['src/*.{js,ts}', '!**/node_modules/**'],
+  modulePaths: ['<rootDir>/src'],
+  testMatch: ['<rootDir>/tests/**/*.test.ts'],
+  setupFiles: ['<rootDir>/test-resources/env-vars.js'],
+  setupFilesAfterEnv: ['<rootDir>/tests/setupTests.ts']
+};

backend/package.json

@@ -3,13 +3,14 @@
     "@aws-sdk/client-secrets-manager": "^3.267.0",
     "@godaddy/terminus": "^4.11.2",
     "@octokit/rest": "^19.0.5",
-    "@sentry/node": "^7.14.0",
+    "@sentry/node": "^7.39.0",
     "@sentry/tracing": "^7.19.0",
     "@types/crypto-js": "^4.1.1",
     "@types/libsodium-wrappers": "^0.7.10",
     "await-to-js": "^3.0.0",
     "aws-sdk": "^2.1311.0",
     "axios": "^1.1.3",
+    "axios-retry": "^3.4.0",
     "bcrypt": "^5.1.0",
     "bigint-conversion": "^2.2.2",
     "builder-pattern": "^2.2.0",
@@ -22,6 +23,7 @@
     "express-validator": "^6.14.2",
     "handlebars": "^4.7.7",
     "helmet": "^5.1.1",
+    "infisical-node": "^1.0.37",
     "js-yaml": "^4.1.0",
     "jsonwebtoken": "^9.0.0",
     "jsrp": "^0.2.4",
@@ -29,13 +31,13 @@
     "lodash": "^4.17.21",
     "mongoose": "^6.7.2",
     "nodemailer": "^6.8.0",
-    "posthog-node": "^2.2.2",
+    "posthog-node": "^2.5.4",
     "query-string": "^7.1.3",
     "request-ip": "^3.3.0",
     "rimraf": "^3.0.2",
     "stripe": "^10.7.0",
     "swagger-autogen": "^2.22.0",
-    "swagger-ui-express": "^4.6.0",
+    "swagger-ui-express": "^4.6.2",
     "tweetnacl": "^1.0.3",
     "tweetnacl-util": "^0.15.1",
     "typescript": "^4.9.3",
@@ -47,7 +49,7 @@
   "version": "1.0.0",
   "main": "src/index.js",
   "scripts": {
-    "start": "npm run build && node build/index.js",
+    "start": "node build/index.js",
     "dev": "nodemon",
     "swagger-autogen": "node ./swagger/index.ts",
     "build": "rimraf ./build && tsc && cp -R ./src/templates ./build",
@@ -86,7 +88,7 @@
     "@types/supertest": "^2.0.12",
     "@types/swagger-jsdoc": "^6.0.1",
     "@types/swagger-ui-express": "^4.1.3",
-    "@typescript-eslint/eslint-plugin": "^5.40.1",
+    "@typescript-eslint/eslint-plugin": "^5.54.0",
     "@typescript-eslint/parser": "^5.40.1",
     "cross-env": "^7.0.3",
     "eslint": "^8.26.0",
@@ -99,17 +101,6 @@
     "ts-jest": "^29.0.3",
     "ts-node": "^10.9.1"
   },
-  "jest": {
-    "preset": "ts-jest",
-    "testEnvironment": "node",
-    "collectCoverageFrom": [
-      "src/*.{js,ts}",
-      "!**/node_modules/**"
-    ],
-    "setupFiles": [
-      "<rootDir>/test-resources/env-vars.js"
-    ]
-  },
   "jest-junit": {
     "outputDirectory": "reports",
     "outputName": "jest-junit.xml",

backend/src/app.ts

@@ -1,140 +0,0 @@
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const { patchRouterParam } = require('./utils/patchAsyncRoutes');
-
-import express, { Request, Response } from 'express';
-import helmet from 'helmet';
-import cors from 'cors';
-import cookieParser from 'cookie-parser';
-import dotenv from 'dotenv';
-import swaggerUi = require('swagger-ui-express');
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const swaggerFile = require('../spec.json');
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const requestIp = require('request-ip');
-
-dotenv.config();
-import { PORT, NODE_ENV, SITE_URL } from './config';
-import { apiLimiter } from './helpers/rateLimiter';
-
-import {
-  workspace as eeWorkspaceRouter,
-  secret as eeSecretRouter,
-  secretSnapshot as eeSecretSnapshotRouter,
-  action as eeActionRouter
-} from './ee/routes/v1';
-import {
-  signup as v1SignupRouter,
-  auth as v1AuthRouter,
-  bot as v1BotRouter,
-  organization as v1OrganizationRouter,
-  workspace as v1WorkspaceRouter,
-  membershipOrg as v1MembershipOrgRouter,
-  membership as v1MembershipRouter,
-  key as v1KeyRouter,
-  inviteOrg as v1InviteOrgRouter,
-  user as v1UserRouter,
-  userAction as v1UserActionRouter,
-  secret as v1SecretRouter,
-  serviceToken as v1ServiceTokenRouter,
-  password as v1PasswordRouter,
-  stripe as v1StripeRouter,
-  integration as v1IntegrationRouter,
-  integrationAuth as v1IntegrationAuthRouter
-} from './routes/v1';
-import {
-  users as v2UsersRouter,
-  organizations as v2OrganizationsRouter,
-  workspace as v2WorkspaceRouter,
-  secret as v2SecretRouter, // begin to phase out
-  secrets as v2SecretsRouter,
-  serviceTokenData as v2ServiceTokenDataRouter,
-  apiKeyData as v2APIKeyDataRouter,
-  environment as v2EnvironmentRouter,
-  tags as v2TagsRouter,
-} from './routes/v2';
-
-import { healthCheck } from './routes/status';
-
-import { getLogger } from './utils/logger';
-import { RouteNotFoundError } from './utils/errors';
-import { requestErrorHandler } from './middleware/requestErrorHandler';
-
-// patch async route params to handle Promise Rejections
-patchRouterParam();
-
-export const app = express();
-
-app.enable('trust proxy');
-app.use(express.json());
-app.use(cookieParser());
-app.use(
-  cors({
-    credentials: true,
-    origin: SITE_URL
-  })
-);
-
-app.use(requestIp.mw())
-
-if (NODE_ENV === 'production') {
-  // enable app-wide rate-limiting + helmet security
-  // in production
-  app.disable('x-powered-by');
-  app.use(apiLimiter);
-  app.use(helmet());
-}
-
-// (EE) routes
-app.use('/api/v1/secret', eeSecretRouter);
-app.use('/api/v1/secret-snapshot', eeSecretSnapshotRouter);
-app.use('/api/v1/workspace', eeWorkspaceRouter);
-app.use('/api/v1/action', eeActionRouter);
-
-// v1 routes
-app.use('/api/v1/signup', v1SignupRouter);
-app.use('/api/v1/auth', v1AuthRouter);
-app.use('/api/v1/bot', v1BotRouter);
-app.use('/api/v1/user', v1UserRouter);
-app.use('/api/v1/user-action', v1UserActionRouter);
-app.use('/api/v1/organization', v1OrganizationRouter);
-app.use('/api/v1/workspace', v1WorkspaceRouter);
-app.use('/api/v1/membership-org', v1MembershipOrgRouter);
-app.use('/api/v1/membership', v1MembershipRouter);
-app.use('/api/v1/key', v1KeyRouter);
-app.use('/api/v1/invite-org', v1InviteOrgRouter);
-app.use('/api/v1/secret', v1SecretRouter);
-app.use('/api/v1/service-token', v1ServiceTokenRouter); // deprecated
-app.use('/api/v1/password', v1PasswordRouter);
-app.use('/api/v1/stripe', v1StripeRouter);
-app.use('/api/v1/integration', v1IntegrationRouter);
-app.use('/api/v1/integration-auth', v1IntegrationAuthRouter);
-
-// v2 routes
-app.use('/api/v2/users', v2UsersRouter);
-app.use('/api/v2/organizations', v2OrganizationsRouter);
-app.use('/api/v2/workspace', v2EnvironmentRouter);
-app.use('/api/v2/workspace', v2TagsRouter);
-app.use('/api/v2/workspace', v2WorkspaceRouter);
-app.use('/api/v2/secret', v2SecretRouter); // deprecated
-app.use('/api/v2/secrets', v2SecretsRouter);
-app.use('/api/v2/service-token', v2ServiceTokenDataRouter); // TODO: turn into plural route
-app.use('/api/v2/api-key', v2APIKeyDataRouter);
-
-// api docs 
-app.use('/api-docs', swaggerUi.serve, swaggerUi.setup(swaggerFile))
-
-// Server status
-app.use('/api', healthCheck)
-
-//* Handle unrouted requests and respond with proper error message as well as status code
-app.use((req, res, next) => {
-  if (res.headersSent) return next();
-  next(RouteNotFoundError({ message: `The requested source '(${req.method})${req.url}' was not found` }))
-})
-
-//* Error Handling Middleware (must be after all routing logic)
-app.use(requestErrorHandler)
-
-export const server = app.listen(PORT, () => {
-  getLogger("backend-main").info(`Server started listening at port ${PORT}`)
-});

backend/src/config/index.ts

@@ -1,99 +1,51 @@
-const PORT = process.env.PORT || 4000;
-const EMAIL_TOKEN_LIFETIME = parseInt(process.env.EMAIL_TOKEN_LIFETIME! || '86400');
-const INVITE_ONLY_SIGNUP = process.env.INVITE_ONLY_SIGNUP == undefined ? false : process.env.INVITE_ONLY_SIGNUP
-const ENCRYPTION_KEY = process.env.ENCRYPTION_KEY!;
-const SALT_ROUNDS = parseInt(process.env.SALT_ROUNDS!) || 10;
-const JWT_AUTH_LIFETIME = process.env.JWT_AUTH_LIFETIME! || '10d';
-const JWT_AUTH_SECRET = process.env.JWT_AUTH_SECRET!;
-const JWT_REFRESH_LIFETIME = process.env.JWT_REFRESH_LIFETIME! || '90d';
-const JWT_REFRESH_SECRET = process.env.JWT_REFRESH_SECRET!;
-const JWT_SERVICE_SECRET = process.env.JWT_SERVICE_SECRET!;
-const JWT_SIGNUP_LIFETIME = process.env.JWT_SIGNUP_LIFETIME! || '15m';
-const JWT_SIGNUP_SECRET = process.env.JWT_SIGNUP_SECRET!;
-const MONGO_URL = process.env.MONGO_URL!;
-const NODE_ENV = process.env.NODE_ENV! || 'production';
-const VERBOSE_ERROR_OUTPUT = process.env.VERBOSE_ERROR_OUTPUT! === 'true' && true;
-const LOKI_HOST = process.env.LOKI_HOST || undefined;
-const CLIENT_ID_AZURE = process.env.CLIENT_ID_AZURE!;
-const TENANT_ID_AZURE = process.env.TENANT_ID_AZURE!;
-const CLIENT_ID_HEROKU = process.env.CLIENT_ID_HEROKU!;
-const CLIENT_ID_VERCEL = process.env.CLIENT_ID_VERCEL!;
-const CLIENT_ID_NETLIFY = process.env.CLIENT_ID_NETLIFY!;
-const CLIENT_ID_GITHUB = process.env.CLIENT_ID_GITHUB!;
-const CLIENT_SECRET_AZURE = process.env.CLIENT_SECRET_AZURE!;
-const CLIENT_SECRET_HEROKU = process.env.CLIENT_SECRET_HEROKU!;
-const CLIENT_SECRET_VERCEL = process.env.CLIENT_SECRET_VERCEL!;
-const CLIENT_SECRET_NETLIFY = process.env.CLIENT_SECRET_NETLIFY!;
-const CLIENT_SECRET_GITHUB = process.env.CLIENT_SECRET_GITHUB!;
-const CLIENT_SLUG_VERCEL = process.env.CLIENT_SLUG_VERCEL!;
-const POSTHOG_HOST = process.env.POSTHOG_HOST! || 'https://app.posthog.com';
-const POSTHOG_PROJECT_API_KEY =
-  process.env.POSTHOG_PROJECT_API_KEY! ||
-  'phc_nSin8j5q2zdhpFDI1ETmFNUIuTG4DwKVyIigrY10XiE';
-const SENTRY_DSN = process.env.SENTRY_DSN!;
-const SITE_URL = process.env.SITE_URL!;
-const SMTP_HOST = process.env.SMTP_HOST!;
-const SMTP_SECURE = process.env.SMTP_SECURE! === 'true' || false;
-const SMTP_PORT = parseInt(process.env.SMTP_PORT!) || 587;
-const SMTP_USERNAME = process.env.SMTP_USERNAME!;
-const SMTP_PASSWORD = process.env.SMTP_PASSWORD!;
-const SMTP_FROM_ADDRESS = process.env.SMTP_FROM_ADDRESS!;
-const SMTP_FROM_NAME = process.env.SMTP_FROM_NAME! || 'Infisical';
-const STRIPE_PRODUCT_STARTER = process.env.STRIPE_PRODUCT_STARTER!;
-const STRIPE_PRODUCT_PRO = process.env.STRIPE_PRODUCT_PRO!;
-const STRIPE_PRODUCT_TEAM = process.env.STRIPE_PRODUCT_TEAM!;
-const STRIPE_PUBLISHABLE_KEY = process.env.STRIPE_PUBLISHABLE_KEY!;
-const STRIPE_SECRET_KEY = process.env.STRIPE_SECRET_KEY!;
-const STRIPE_WEBHOOK_SECRET = process.env.STRIPE_WEBHOOK_SECRET!;
-const TELEMETRY_ENABLED = process.env.TELEMETRY_ENABLED! !== 'false' && true;
-const LICENSE_KEY = process.env.LICENSE_KEY!;
-
-export {
-  PORT,
-  EMAIL_TOKEN_LIFETIME,
-  INVITE_ONLY_SIGNUP,
-  ENCRYPTION_KEY,
-  SALT_ROUNDS,
-  JWT_AUTH_LIFETIME,
-  JWT_AUTH_SECRET,
-  JWT_REFRESH_LIFETIME,
-  JWT_REFRESH_SECRET,
-  JWT_SERVICE_SECRET,
-  JWT_SIGNUP_LIFETIME,
-  JWT_SIGNUP_SECRET,
-  MONGO_URL,
-  NODE_ENV,
-  VERBOSE_ERROR_OUTPUT,
-  LOKI_HOST,
-  CLIENT_ID_AZURE,
-  TENANT_ID_AZURE,
-  CLIENT_ID_HEROKU,
-  CLIENT_ID_VERCEL,
-  CLIENT_ID_NETLIFY,
-  CLIENT_ID_GITHUB,
-  CLIENT_SECRET_AZURE,
-  CLIENT_SECRET_HEROKU,
-  CLIENT_SECRET_VERCEL,
-  CLIENT_SECRET_NETLIFY,
-  CLIENT_SECRET_GITHUB,
-  CLIENT_SLUG_VERCEL,
-  POSTHOG_HOST,
-  POSTHOG_PROJECT_API_KEY,
-  SENTRY_DSN,
-  SITE_URL,
-  SMTP_HOST,
-  SMTP_PORT,
-  SMTP_SECURE,
-  SMTP_USERNAME,
-  SMTP_PASSWORD,
-  SMTP_FROM_ADDRESS,
-  SMTP_FROM_NAME,
-  STRIPE_PRODUCT_STARTER,
-  STRIPE_PRODUCT_TEAM,
-  STRIPE_PRODUCT_PRO,
-  STRIPE_PUBLISHABLE_KEY,
-  STRIPE_SECRET_KEY,
-  STRIPE_WEBHOOK_SECRET,
-  TELEMETRY_ENABLED,
-  LICENSE_KEY
-};
+import infisical from 'infisical-node';
+export const getPort = () => infisical.get('PORT')! || 4000;
+export const getInviteOnlySignup = () => infisical.get('INVITE_ONLY_SIGNUP')! == undefined ? false : infisical.get('INVITE_ONLY_SIGNUP');
+export const getEncryptionKey = () => infisical.get('ENCRYPTION_KEY')!;
+export const getSaltRounds = () => parseInt(infisical.get('SALT_ROUNDS')!) || 10;
+export const getJwtAuthLifetime = () => infisical.get('JWT_AUTH_LIFETIME')! || '10d';
+export const getJwtAuthSecret = () => infisical.get('JWT_AUTH_SECRET')!;
+export const getJwtMfaLifetime = () => infisical.get('JWT_MFA_LIFETIME')! || '5m';
+export const getJwtMfaSecret = () => infisical.get('JWT_MFA_LIFETIME')! || '5m';
+export const getJwtRefreshLifetime = () => infisical.get('JWT_REFRESH_LIFETIME')! || '90d';
+export const getJwtRefreshSecret = () => infisical.get('JWT_REFRESH_SECRET')!;
+export const getJwtServiceSecret = () => infisical.get('JWT_SERVICE_SECRET')!;
+export const getJwtSignupLifetime = () => infisical.get('JWT_SIGNUP_LIFETIME')! || '15m';
+export const getJwtSignupSecret = () => infisical.get('JWT_SIGNUP_SECRET')!;
+export const getMongoURL = () => infisical.get('MONGO_URL')!;
+export const getNodeEnv = () => infisical.get('NODE_ENV')!;
+export const getVerboseErrorOutput = () => infisical.get('VERBOSE_ERROR_OUTPUT')! === 'true' && true;
+export const getLokiHost = () => infisical.get('LOKI_HOST')!;
+export const getClientIdAzure = () => infisical.get('CLIENT_ID_AZURE')!;
+export const getClientIdHeroku = () => infisical.get('CLIENT_ID_HEROKU')!;
+export const getClientIdVercel = () => infisical.get('CLIENT_ID_VERCEL')!;
+export const getClientIdNetlify = () => infisical.get('CLIENT_ID_NETLIFY')!;
+export const getClientIdGitHub = () => infisical.get('CLIENT_ID_GITHUB')!;
+export const getClientIdGitLab = () => infisical.get('CLIENT_ID_GITLAB')!;
+export const getClientSecretAzure = () => infisical.get('CLIENT_SECRET_AZURE')!;
+export const getClientSecretHeroku = () => infisical.get('CLIENT_SECRET_HEROKU')!;
+export const getClientSecretVercel = () => infisical.get('CLIENT_SECRET_VERCEL')!;
+export const getClientSecretNetlify = () => infisical.get('CLIENT_SECRET_NETLIFY')!;
+export const getClientSecretGitHub = () => infisical.get('CLIENT_SECRET_GITHUB')!;
+export const getClientSecretGitLab = () => infisical.get('CLIENT_SECRET_GITLAB')!;
+export const getClientSlugVercel = () => infisical.get('CLIENT_SLUG_VERCEL')!;
+export const getPostHogHost = () => infisical.get('POSTHOG_HOST')! || 'https://app.posthog.com';
+export const getPostHogProjectApiKey = () => infisical.get('POSTHOG_PROJECT_API_KEY')! || 'phc_nSin8j5q2zdhpFDI1ETmFNUIuTG4DwKVyIigrY10XiE';
+export const getSentryDSN = () => infisical.get('SENTRY_DSN')!;
+export const getSiteURL = () => infisical.get('SITE_URL')!;
+export const getSmtpHost = () => infisical.get('SMTP_HOST')!;
+export const getSmtpSecure = () => infisical.get('SMTP_SECURE')! === 'true' || false;
+export const getSmtpPort = () => parseInt(infisical.get('SMTP_PORT')!) || 587;
+export const getSmtpUsername = () => infisical.get('SMTP_USERNAME')!;
+export const getSmtpPassword = () => infisical.get('SMTP_PASSWORD')!;
+export const getSmtpFromAddress = () => infisical.get('SMTP_FROM_ADDRESS')!;
+export const getSmtpFromName = () => infisical.get('SMTP_FROM_NAME')! || 'Infisical';
+export const getStripeProductStarter = () => infisical.get('STRIPE_PRODUCT_STARTER')!;
+export const getStripeProductPro = () => infisical.get('STRIPE_PRODUCT_PRO')!;
+export const getStripeProductTeam = () => infisical.get('STRIPE_PRODUCT_TEAM')!;
+export const getStripePublishableKey = () => infisical.get('STRIPE_PUBLISHABLE_KEY')!;
+export const getStripeSecretKey = () => infisical.get('STRIPE_SECRET_KEY')!;
+export const getStripeWebhookSecret = () => infisical.get('STRIPE_WEBHOOK_SECRET')!;
+export const getTelemetryEnabled = () => infisical.get('TELEMETRY_ENABLED')! !== 'false' && true;
+export const getLoopsApiKey = () => infisical.get('LOOPS_API_KEY')!;
+export const getSmtpConfigured = () => infisical.get('SMTP_HOST') == '' || infisical.get('SMTP_HOST') == undefined ? false : true

backend/src/config/request.ts

@@ -0,0 +1,16 @@
+import axios from 'axios';
+import axiosRetry from 'axios-retry';
+
+const axiosInstance = axios.create();
+
+// add retry functionality to the axios instance
+axiosRetry(axiosInstance, {
+  retries: 3,
+  retryDelay: axiosRetry.exponentialDelay, // exponential back-off delay between retries
+  retryCondition: (error) => {
+    // only retry if the error is a network error or a 5xx server error
+    return axiosRetry.isNetworkError(error) || axiosRetry.isRetryableError(error);
+  },
+});
+
+export default axiosInstance;

backend/src/controllers/v1/authController.ts

@@ -1,24 +1,25 @@
-/* eslint-disable @typescript-eslint/no-var-requires */
+import * as Sentry from '@sentry/node';
 import { Request, Response } from 'express';
 import jwt from 'jsonwebtoken';
-import * as Sentry from '@sentry/node';
 import * as bigintConversion from 'bigint-conversion';
+// eslint-disable-next-line @typescript-eslint/no-var-requires
 const jsrp = require('jsrp');
 import { User, LoginSRPDetail } from '../../models';
-import { createToken, issueTokens, clearTokens } from '../../helpers/auth';
+import { createToken, issueAuthTokens, clearTokens } from '../../helpers/auth';
+import { checkUserDevice } from '../../helpers/user';
 import {
   ACTION_LOGIN,
   ACTION_LOGOUT
 } from '../../variables';
-import {
-  NODE_ENV,
-  JWT_AUTH_LIFETIME,
-  JWT_AUTH_SECRET,
-  JWT_REFRESH_SECRET
-} from '../../config';
 import { BadRequestError } from '../../utils/errors';
 import { EELogService } from '../../ee/services';
 import { getChannelFromUserAgent } from '../../utils/posthog'; // TODO: move this
+import {
+  getNodeEnv,
+  getJwtRefreshSecret,
+  getJwtAuthLifetime,
+  getJwtAuthSecret
+} from '../../config';
 
 declare module 'jsonwebtoken' {
   export interface UserIDJwtPayload extends jwt.JwtPayload {
@@ -111,14 +112,21 @@ export const login2 = async (req: Request, res: Response) => {
         // compare server and client shared keys
         if (server.checkClientProof(clientProof)) {
           // issue tokens
-          const tokens = await issueTokens({ userId: user._id.toString() });
+
+          await checkUserDevice({
+            user,
+            ip: req.ip,
+            userAgent: req.headers['user-agent'] ?? ''
+          });
+
+          const tokens = await issueAuthTokens({ userId: user._id.toString() });
 
           // store (refresh) token in httpOnly cookie
           res.cookie('jid', tokens.refreshToken, {
             httpOnly: true,
             path: '/',
             sameSite: 'strict',
-            secure: NODE_ENV === 'production' ? true : false
+            secure: getNodeEnv() === 'production' ? true : false
           });
 
           const loginAction = await EELogService.createAction({
@@ -174,7 +182,7 @@ export const logout = async (req: Request, res: Response) => {
       httpOnly: true,
       path: '/',
       sameSite: 'strict',
-      secure: NODE_ENV === 'production' ? true : false
+      secure: getNodeEnv() === 'production' ? true : false
     });
 
     const logoutAction = await EELogService.createAction({
@@ -229,7 +237,7 @@ export const getNewToken = async (req: Request, res: Response) => {
     }
 
     const decodedToken = <jwt.UserIDJwtPayload>(
-      jwt.verify(refreshToken, JWT_REFRESH_SECRET)
+      jwt.verify(refreshToken, getJwtRefreshSecret())
     );
 
     const user = await User.findOne({
@@ -244,8 +252,8 @@ export const getNewToken = async (req: Request, res: Response) => {
       payload: {
         userId: decodedToken.userId
       },
-      expiresIn: JWT_AUTH_LIFETIME,
-      secret: JWT_AUTH_SECRET
+      expiresIn: getJwtAuthLifetime(),
+      secret: getJwtAuthSecret()
     });
 
     return res.status(200).send({

backend/src/controllers/v1/index.ts

@@ -14,6 +14,7 @@ import * as stripeController from './stripeController';
 import * as userActionController from './userActionController';
 import * as userController from './userController';
 import * as workspaceController from './workspaceController';
+import * as secretsFolderController from './secretsFolderController'
 
 export {
 	authController,
@@ -31,5 +32,6 @@ export {
 	stripeController,
 	userActionController,
 	userController,
-	workspaceController
+	workspaceController,
+	secretsFolderController
 };

backend/src/controllers/v1/integrationAuthController.ts

@@ -2,13 +2,16 @@ import { Request, Response } from 'express';
 import { Types } from 'mongoose';
 import * as Sentry from '@sentry/node';
 import {
-	Integration, 
 	IntegrationAuth,
 	Bot 
 } from '../../models';
-import { INTEGRATION_SET, INTEGRATION_OPTIONS } from '../../variables';
+import { INTEGRATION_SET, getIntegrationOptions as getIntegrationOptionsFunc } from '../../variables';
 import { IntegrationService } from '../../services';
-import { getApps, revokeAccess } from '../../integrations';
+import {
+	getApps, 
+	getTeams,
+	revokeAccess 
+} from '../../integrations';
 
 /***
  * Return integration authorization with id [integrationAuthId]
@@ -36,9 +39,11 @@ export const getIntegrationAuth = async (req: Request, res: Response) => {
 }
 
 export const getIntegrationOptions = async (req: Request, res: Response) => {
-  return res.status(200).send({
-    integrationOptions: INTEGRATION_OPTIONS,
-  });
+	const INTEGRATION_OPTIONS = getIntegrationOptionsFunc();
+
+	return res.status(200).send({
+		integrationOptions: INTEGRATION_OPTIONS,
+	});
 };
 
 /**
@@ -154,25 +159,54 @@ export const saveIntegrationAccessToken = async (
  * @returns
  */
 export const getIntegrationAuthApps = async (req: Request, res: Response) => {
-  let apps;
-  try {
-    apps = await getApps({
-      integrationAuth: req.integrationAuth,
-      accessToken: req.accessToken,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get integration authorization applications",
-    });
-  }
+	let apps;
+	try {
+		const teamId = req.query.teamId as string;
+		
+		apps = await getApps({
+			integrationAuth: req.integrationAuth,
+			accessToken: req.accessToken,
+			...teamId && { teamId }
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: "Failed to get integration authorization applications",
+		});
+	}
 
-  return res.status(200).send({
-    apps,
-  });
+	return res.status(200).send({
+		apps
+	});
 };
 
+/**
+ * Return list of teams allowed for integration with integration authorization id [integrationAuthId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getIntegrationAuthTeams = async (req: Request, res: Response) => {
+	let teams;
+	try {
+		teams = await getTeams({
+			integrationAuth: req.integrationAuth,
+			accessToken: req.accessToken
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+		message: "Failed to get integration authorization teams"
+		});
+	}
+	
+	return res.status(200).send({
+		teams
+	});
+}
+
 /**
  * Delete integration authorization with id [integrationAuthId]
  * @param req

backend/src/controllers/v1/integrationController.ts

@@ -2,10 +2,7 @@ import { Request, Response } from 'express';
 import { Types } from 'mongoose';
 import * as Sentry from '@sentry/node';
 import { 
-	Integration, 
-	Workspace,
-	Bot, 
-	BotKey 
+	Integration
 } from '../../models';
 import { EventService } from '../../services';
 import { eventPushSecrets } from '../../events';
@@ -18,6 +15,7 @@ import { eventPushSecrets } from '../../events';
  */
 export const createIntegration = async (req: Request, res: Response) => {
 	let integration;
+
 	try {
 		const {
 			integrationAuthId,
@@ -34,19 +32,19 @@ export const createIntegration = async (req: Request, res: Response) => {
 		// TODO: validate [sourceEnvironment] and [targetEnvironment]
 
 		// initialize new integration after saving integration access token
-        integration = await new Integration({
-            workspace: req.integrationAuth.workspace._id,
-            environment: sourceEnvironment,
-            isActive,
-            app,
+    integration = await new Integration({
+      workspace: req.integrationAuth.workspace._id,
+      environment: sourceEnvironment,
+      isActive,
+      app,
 			appId,
 			targetEnvironment,
 			owner,
 			path,
 			region,
-            integration: req.integrationAuth.integration,
-            integrationAuth: new Types.ObjectId(integrationAuthId)
-        }).save();
+      integration: req.integrationAuth.integration,
+      integrationAuth: new Types.ObjectId(integrationAuthId)
+      }).save();
 		
 		if (integration) {
 			// trigger event - push secrets

backend/src/controllers/v1/membershipController.ts

@@ -1,13 +1,13 @@
-import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import { Membership, MembershipOrg, User, Key, IMembership, Workspace } from '../../models';
+import { Request, Response } from 'express';
+import { Membership, MembershipOrg, User, Key } from '../../models';
 import {
 	findMembership,
 	deleteMembership as deleteMember
 } from '../../helpers/membership';
 import { sendMail } from '../../helpers/nodemailer';
-import { SITE_URL } from '../../config';
 import { ADMIN, MEMBER, ACCEPTED } from '../../variables';
+import { getSiteURL } from '../../config';
 
 /**
  * Check that user is a member of workspace with id [workspaceId]
@@ -215,7 +215,7 @@ export const inviteUserToWorkspace = async (req: Request, res: Response) => {
 				inviterFirstName: req.user.firstName,
 				inviterEmail: req.user.email,
 				workspaceName: req.membership.workspace.name,
-				callback_url: SITE_URL + '/login'
+				callback_url: getSiteURL() + '/login'
 			}
 		});
 	} catch (err) {

backend/src/controllers/v1/membershipOrgController.ts

@@ -1,14 +1,13 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import crypto from 'crypto';
-import { SITE_URL, JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET, EMAIL_TOKEN_LIFETIME } from '../../config';
-import { MembershipOrg, Organization, User, Token } from '../../models';
+import { MembershipOrg, Organization, User } from '../../models';
 import { deleteMembershipOrg as deleteMemberFromOrg } from '../../helpers/membershipOrg';
-import { checkEmailVerification } from '../../helpers/signup';
 import { createToken } from '../../helpers/auth';
 import { updateSubscriptionOrgQuantity } from '../../helpers/organization';
 import { sendMail } from '../../helpers/nodemailer';
-import { OWNER, ADMIN, MEMBER, ACCEPTED, INVITED } from '../../variables';
+import { TokenService } from '../../services';
+import { OWNER, ADMIN, MEMBER, ACCEPTED, INVITED, TOKEN_EMAIL_ORG_INVITATION } from '../../variables';
+import { getSiteURL, getJwtSignupLifetime, getJwtSignupSecret, getSmtpConfigured } from '../../config';
 
 /**
  * Delete organization membership with id [membershipOrgId] from organization
@@ -100,9 +99,11 @@ export const changeMembershipOrgRole = async (req: Request, res: Response) => {
  * @returns
  */
 export const inviteUserToOrganization = async (req: Request, res: Response) => {
-	let invitee, inviteeMembershipOrg;
+	let invitee, inviteeMembershipOrg, completeInviteLink;
 	try {
 		const { organizationId, inviteeEmail } = req.body;
+		const host = req.headers.host;
+		const siteUrl = `${req.protocol}://${host}`;
 
 		// validate membership
 		const membershipOrg = await MembershipOrg.findOne({
@@ -163,18 +164,11 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 		const organization = await Organization.findOne({ _id: organizationId });
 
 		if (organization) {
-			const token = crypto.randomBytes(16).toString('hex');
-
-			await Token.findOneAndUpdate(
-				{ email: inviteeEmail },
-				{
-					email: inviteeEmail,
-					token,
-					createdAt: new Date(),
-					ttl: Math.floor(+new Date() / 1000) + EMAIL_TOKEN_LIFETIME // time in seconds, i.e unix
-				},
-				{ upsert: true, new: true }
-			);
+			const token = await TokenService.createToken({
+				type: TOKEN_EMAIL_ORG_INVITATION,
+				email: inviteeEmail,
+				organizationId: organization._id
+			});
 
 			await sendMail({
 				template: 'organizationInvitation.handlebars',
@@ -186,9 +180,13 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 					organizationName: organization.name,
 					email: inviteeEmail,
 					token,
-					callback_url: SITE_URL + '/signupinvite'
+					callback_url: getSiteURL() + '/signupinvite'
 				}
 			});
+
+			if (!getSmtpConfigured()) {
+				completeInviteLink = `${siteUrl + '/signupinvite'}?token=${token}&to=${inviteeEmail}`
+			}
 		}
 
 		await updateSubscriptionOrgQuantity({ organizationId });
@@ -201,7 +199,8 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 	}
 
 	return res.status(200).send({
-		message: `Sent an invite link to ${req.body.inviteeEmail}`
+		message: `Sent an invite link to ${req.body.inviteeEmail}`,
+		completeInviteLink
 	});
 };
 
@@ -227,9 +226,11 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => {
 		if (!membershipOrg)
 			throw new Error('Failed to find any invitations for email');
 
-		await checkEmailVerification({
+		await TokenService.validateToken({
+			type: TOKEN_EMAIL_ORG_INVITATION,
 			email,
-			code
+			organizationId: membershipOrg.organization,
+			token: code
 		});
 
 		if (user && user?.publicKey) {
@@ -256,8 +257,8 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => {
 			payload: {
 				userId: user._id.toString()
 			},
-			expiresIn: JWT_SIGNUP_LIFETIME,
-			secret: JWT_SIGNUP_SECRET
+			expiresIn: getJwtSignupLifetime(),
+			secret: getJwtSignupSecret()
 		});
 	} catch (err) {
 		Sentry.setUser(null);

backend/src/controllers/v1/organizationController.ts

@@ -1,26 +1,18 @@
-import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import {
-	SITE_URL,
-	STRIPE_SECRET_KEY
-} from '../../config';
+import { Request, Response } from 'express';
 import Stripe from 'stripe';
-
-const stripe = new Stripe(STRIPE_SECRET_KEY, {
-	apiVersion: '2022-08-01'
-});
 import {
 	Membership,
 	MembershipOrg,
 	Organization,
 	Workspace,
-	IncidentContactOrg,
-	IMembershipOrg
+	IncidentContactOrg
 } from '../../models';
 import { createOrganization as create } from '../../helpers/organization';
 import { addMembershipsOrg } from '../../helpers/membershipOrg';
 import { OWNER, ACCEPTED } from '../../variables';
 import _ from 'lodash';
+import { getStripeSecretKey, getSiteURL } from '../../config';
 
 export const getOrganizations = async (req: Request, res: Response) => {
 	let organizations;
@@ -325,6 +317,10 @@ export const createOrganizationPortalSession = async (
 ) => {
 	let session;
 	try {
+		const stripe = new Stripe(getStripeSecretKey(), {
+			apiVersion: '2022-08-01'
+		});
+
 		// check if there is a payment method on file
 		const paymentMethods = await stripe.paymentMethods.list({
 			customer: req.membershipOrg.organization.customerId,
@@ -337,13 +333,13 @@ export const createOrganizationPortalSession = async (
 				customer: req.membershipOrg.organization.customerId,
 				mode: 'setup',
 				payment_method_types: ['card'],
-				success_url: SITE_URL + '/dashboard',
-				cancel_url: SITE_URL + '/dashboard'
+				success_url: getSiteURL() + '/dashboard',
+				cancel_url: getSiteURL() + '/dashboard'
 			});
 		} else {
 			session = await stripe.billingPortal.sessions.create({
 				customer: req.membershipOrg.organization.customerId,
-				return_url: SITE_URL + '/dashboard'
+				return_url: getSiteURL() + '/dashboard'
 			});
 		}
 
@@ -369,6 +365,10 @@ export const getOrganizationSubscriptions = async (
 ) => {
 	let subscriptions;
 	try {
+		const stripe = new Stripe(getStripeSecretKey(), {
+			apiVersion: '2022-08-01'
+		});
+		
 		subscriptions = await stripe.subscriptions.list({
 			customer: req.membershipOrg.organization.customerId
 		});

backend/src/controllers/v1/passwordController.ts

@@ -1,15 +1,15 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import crypto from 'crypto';
 // eslint-disable-next-line @typescript-eslint/no-var-requires
 const jsrp = require('jsrp');
 import * as bigintConversion from 'bigint-conversion';
-import { User, Token, BackupPrivateKey, LoginSRPDetail } from '../../models';
-import { checkEmailVerification } from '../../helpers/signup';
+import { User, BackupPrivateKey, LoginSRPDetail } from '../../models';
 import { createToken } from '../../helpers/auth';
 import { sendMail } from '../../helpers/nodemailer';
-import { EMAIL_TOKEN_LIFETIME, JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET, SITE_URL } from '../../config';
+import { TokenService } from '../../services';
+import { TOKEN_EMAIL_PASSWORD_RESET } from '../../variables';
 import { BadRequestError } from '../../utils/errors';
+import { getSiteURL, getJwtSignupLifetime, getJwtSignupSecret } from '../../config';
 
 /**
  * Password reset step 1: Send email verification link to email [email] 
@@ -31,20 +31,12 @@ export const emailPasswordReset = async (req: Request, res: Response) => {
 				error: 'Failed to send email verification for password reset'
 			});
 		}
-
-		const token = crypto.randomBytes(16).toString('hex');
-
-		await Token.findOneAndUpdate(
-			{ email },
-			{
-				email,
-				token,
-				createdAt: new Date(),
-				ttl: Math.floor(+new Date() / 1000) + EMAIL_TOKEN_LIFETIME // time in seconds, i.e unix
-			},
-			{ upsert: true, new: true }
-		);
-
+		
+		const token = await TokenService.createToken({
+			type: TOKEN_EMAIL_PASSWORD_RESET,
+			email
+		});
+		
 		await sendMail({
 			template: 'passwordReset.handlebars',
 			subjectLine: 'Infisical password reset',
@@ -52,10 +44,9 @@ export const emailPasswordReset = async (req: Request, res: Response) => {
 			substitutions: {
 				email,
 				token,
-				callback_url: SITE_URL + '/password-reset'
+				callback_url: getSiteURL() + '/password-reset'
 			}
 		});
-
 	} catch (err) {
 		Sentry.setUser(null);
 		Sentry.captureException(err);
@@ -88,10 +79,11 @@ export const emailPasswordResetVerify = async (req: Request, res: Response) => {
 				error: 'Failed email verification for password reset'
 			});
 		}
-
-		await checkEmailVerification({
+		
+		await TokenService.validateToken({
+			type: TOKEN_EMAIL_PASSWORD_RESET,
 			email,
-			code
+			token: code
 		});
 
 		// generate temporary password-reset token
@@ -99,8 +91,8 @@ export const emailPasswordResetVerify = async (req: Request, res: Response) => {
 			payload: {
 				userId: user._id.toString()
 			},
-			expiresIn: JWT_SIGNUP_LIFETIME,
-			secret: JWT_SIGNUP_SECRET
+			expiresIn: getJwtSignupLifetime(),
+			secret: getJwtSignupSecret()
 		});
 	} catch (err) {
 		Sentry.setUser(null);
@@ -174,8 +166,18 @@ export const srp1 = async (req: Request, res: Response) => {
  */
 export const changePassword = async (req: Request, res: Response) => {
 	try {
-		const { clientProof, encryptedPrivateKey, iv, tag, salt, verifier } =
-			req.body;
+		const { 
+			clientProof, 
+			protectedKey,
+			protectedKeyIV,
+			protectedKeyTag,
+			encryptedPrivateKey,
+			encryptedPrivateKeyIV,
+			encryptedPrivateKeyTag,
+			salt,
+			verifier
+		} = req.body;
+
 		const user = await User.findOne({
 			email: req.user.email
 		}).select('+salt +verifier');
@@ -205,9 +207,13 @@ export const changePassword = async (req: Request, res: Response) => {
 					await User.findByIdAndUpdate(
 						req.user._id.toString(),
 						{
+							encryptionVersion: 2,
+							protectedKey,
+							protectedKeyIV,
+							protectedKeyTag,
 							encryptedPrivateKey,
-							iv,
-							tag,
+							iv: encryptedPrivateKeyIV,
+							tag: encryptedPrivateKeyTag,
 							salt,
 							verifier
 						},
@@ -341,9 +347,12 @@ export const getBackupPrivateKey = async (req: Request, res: Response) => {
 export const resetPassword = async (req: Request, res: Response) => {
 	try {
 		const {
+			protectedKey,
+			protectedKeyIV,
+			protectedKeyTag,
 			encryptedPrivateKey,
-			iv,
-			tag,
+			encryptedPrivateKeyIV,
+			encryptedPrivateKeyTag,
 			salt,
 			verifier,
 		} = req.body;
@@ -351,9 +360,13 @@ export const resetPassword = async (req: Request, res: Response) => {
 		await User.findByIdAndUpdate(
 			req.user._id.toString(),
 			{
+				encryptionVersion: 2,
+				protectedKey,
+				protectedKeyIV,
+				protectedKeyTag,	
 				encryptedPrivateKey,
-				iv,
-				tag,
+				iv: encryptedPrivateKeyIV,
+				tag: encryptedPrivateKeyTag,
 				salt,
 				verifier
 			},

backend/src/controllers/v1/secretController.ts

@@ -9,7 +9,7 @@ import {
 import { pushKeys } from '../../helpers/key';
 import { eventPushSecrets } from '../../events';
 import { EventService } from '../../services';
-import { postHogClient } from '../../services';
+import { getPostHogClient } from '../../services';
 
 interface PushSecret {
 	ciphertextKey: string;
@@ -38,6 +38,7 @@ export const pushSecrets = async (req: Request, res: Response) => {
 	// upload (encrypted) secrets to workspace with id [workspaceId]
 
 	try {
+		const postHogClient = getPostHogClient();
 		let { secrets }: { secrets: PushSecret[] } = req.body;
 		const { keys, environment, channel } = req.body;
 		const { workspaceId } = req.params;
@@ -111,6 +112,7 @@ export const pullSecrets = async (req: Request, res: Response) => {
 	let secrets;
 	let key;
 	try {
+		const postHogClient = getPostHogClient();
 		const environment: string = req.query.environment as string;
 		const channel: string = req.query.channel as string;
 		const { workspaceId } = req.params;
@@ -179,6 +181,7 @@ export const pullSecretsServiceToken = async (req: Request, res: Response) => {
 	let secrets;
 	let key;
 	try {
+		const postHogClient = getPostHogClient();
 		const environment: string = req.query.environment as string;
 		const channel: string = req.query.channel as string;
 		const { workspaceId } = req.params;

backend/src/controllers/v1/secretsFolderController.ts

@@ -0,0 +1,89 @@
+import { Request, Response } from 'express';
+import { Secret } from '../../models';
+import Folder from '../../models/folder';
+import { BadRequestError } from '../../utils/errors';
+import { ROOT_FOLDER_PATH, getFolderPath, getParentPath, normalizePath, validateFolderName } from '../../utils/folder';
+import { ADMIN, MEMBER } from '../../variables';
+import { validateMembership } from '../../helpers/membership';
+
+// TODO
+// verify workspace id/environment
+export const createFolder = async (req: Request, res: Response) => {
+  const { workspaceId, environment, folderName, parentFolderId } = req.body
+  if (!validateFolderName(folderName)) {
+    throw BadRequestError({ message: "Folder name cannot contain spaces. Only underscore and dashes" })
+  }
+
+  if (parentFolderId) {
+    const parentFolder = await Folder.find({ environment: environment, workspace: workspaceId, id: parentFolderId });
+    if (!parentFolder) {
+      throw BadRequestError({ message: "The parent folder doesn't exist" })
+    }
+  }
+
+  let completePath = await getFolderPath(parentFolderId)
+  if (completePath == ROOT_FOLDER_PATH) {
+    completePath = ""
+  }
+
+  const currentFolderPath = completePath + "/" + folderName // construct new path with current folder to be created
+  const normalizedCurrentPath = normalizePath(currentFolderPath)
+  const normalizedParentPath = getParentPath(normalizedCurrentPath)
+
+  const existingFolder = await Folder.findOne({
+    name: folderName,
+    workspace: workspaceId,
+    environment: environment,
+    parent: parentFolderId,
+    path: normalizedCurrentPath
+  });
+
+  if (existingFolder) {
+    return res.json(existingFolder)
+  }
+
+  const newFolder = new Folder({
+    name: folderName,
+    workspace: workspaceId,
+    environment: environment,
+    parent: parentFolderId,
+    path: normalizedCurrentPath,
+    parentPath: normalizedParentPath
+  });
+
+  await newFolder.save();
+
+  return res.json(newFolder)
+}
+
+export const deleteFolder = async (req: Request, res: Response) => {
+  const { folderId } = req.params
+  const queue: any[] = [folderId];
+
+  const folder = await Folder.findById(folderId);
+  if (!folder) {
+    throw BadRequestError({ message: "The folder doesn't exist" })
+  }
+
+  // check that user is a member of the workspace
+  await validateMembership({
+    userId: req.user._id.toString(),
+    workspaceId: folder.workspace as any,
+    acceptedRoles: [ADMIN, MEMBER]
+  });
+
+  while (queue.length > 0) {
+    const currentFolderId = queue.shift();
+
+    const childFolders = await Folder.find({ parent: currentFolderId });
+    for (const childFolder of childFolders) {
+      queue.push(childFolder._id);
+    }
+
+    await Secret.deleteMany({ folder: currentFolderId });
+
+    await Folder.deleteOne({ _id: currentFolderId });
+  }
+
+  res.send()
+}

backend/src/controllers/v1/serviceTokenController.ts

@@ -1,7 +1,7 @@
 import { Request, Response } from 'express';
 import { ServiceToken } from '../../models';
 import { createToken } from '../../helpers/auth';
-import { JWT_SERVICE_SECRET } from '../../config';
+import { getJwtServiceSecret } from '../../config';
 
 /**
  * Return service token on request
@@ -61,7 +61,7 @@ export const createServiceToken = async (req: Request, res: Response) => {
 				workspaceId
 			},
 			expiresIn: expiresIn,
-			secret: JWT_SERVICE_SECRET
+			secret: getJwtServiceSecret()
 		});
 	} catch (err) {
 		return res.status(400).send({

backend/src/controllers/v1/signupController.ts

@@ -1,17 +1,13 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import { NODE_ENV, JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET, INVITE_ONLY_SIGNUP } from '../../config';
-import { User, MembershipOrg } from '../../models';
-import { completeAccount } from '../../helpers/user';
+import { User } from '../../models';
 import {
 	sendEmailVerification,
 	checkEmailVerification,
-	initializeDefaultOrg
 } from '../../helpers/signup';
-import { issueTokens, createToken } from '../../helpers/auth';
-import { INVITED, ACCEPTED } from '../../variables';
-import axios from 'axios';
+import { createToken } from '../../helpers/auth';
 import { BadRequestError } from '../../utils/errors';
+import { getInviteOnlySignup, getJwtSignupLifetime, getJwtSignupSecret, getSmtpConfigured } from '../../config';
 
 /**
  * Signup step 1: Initialize account for user under email [email] and send a verification code
@@ -25,7 +21,7 @@ export const beginEmailSignup = async (req: Request, res: Response) => {
 	try {
 		email = req.body.email;
 
-		if (INVITE_ONLY_SIGNUP) {
+		if (getInviteOnlySignup()) {
 			// Only one user can create an account without being invited. The rest need to be invited in order to make an account
 			const userCount = await User.countDocuments({})
 			if (userCount != 0) {
@@ -70,7 +66,7 @@ export const verifyEmailSignup = async (req: Request, res: Response) => {
 		const { email, code } = req.body;
 
 		// initialize user account
-		user = await User.findOne({ email });
+		user = await User.findOne({ email }).select('+publicKey');
 		if (user && user?.publicKey) {
 			// case: user has already completed account
 			return res.status(403).send({
@@ -79,10 +75,12 @@ export const verifyEmailSignup = async (req: Request, res: Response) => {
 		}
 
 		// verify email
-		await checkEmailVerification({
-			email,
-			code
-		});
+		if (getSmtpConfigured()) {
+			await checkEmailVerification({
+				email,
+				code
+			});
+		}
 
 		if (!user) {
 			user = await new User({
@@ -95,8 +93,8 @@ export const verifyEmailSignup = async (req: Request, res: Response) => {
 			payload: {
 				userId: user._id.toString()
 			},
-			expiresIn: JWT_SIGNUP_LIFETIME,
-			secret: JWT_SIGNUP_SECRET
+			expiresIn: getJwtSignupLifetime(),
+			secret: getJwtSignupSecret()
 		});
 	} catch (err) {
 		Sentry.setUser(null);
@@ -112,201 +110,3 @@ export const verifyEmailSignup = async (req: Request, res: Response) => {
 		token
 	});
 };
-
-/**
- * Complete setting up user by adding their personal and auth information as part of the
- * signup flow
- * @param req
- * @param res
- * @returns
- */
-export const completeAccountSignup = async (req: Request, res: Response) => {
-	let user, token, refreshToken;
-	try {
-		const {
-			email,
-			firstName,
-			lastName,
-			publicKey,
-			encryptedPrivateKey,
-			iv,
-			tag,
-			salt,
-			verifier,
-			organizationName
-		} = req.body;
-
-		// get user
-		user = await User.findOne({ email });
-
-		if (!user || (user && user?.publicKey)) {
-			// case 1: user doesn't exist.
-			// case 2: user has already completed account
-			return res.status(403).send({
-				error: 'Failed to complete account for complete user'
-			});
-		}
-
-		// complete setting up user's account
-		user = await completeAccount({
-			userId: user._id.toString(),
-			firstName,
-			lastName,
-			publicKey,
-			encryptedPrivateKey,
-			iv,
-			tag,
-			salt,
-			verifier
-		});
-
-		if (!user)
-			throw new Error('Failed to complete account for non-existent user'); // ensure user is non-null
-
-		// initialize default organization and workspace
-		await initializeDefaultOrg({
-			organizationName,
-			user
-		});
-
-		// update organization membership statuses that are
-		// invited to completed with user attached
-		await MembershipOrg.updateMany(
-			{
-				inviteEmail: email,
-				status: INVITED
-			},
-			{
-				user,
-				status: ACCEPTED
-			}
-		);
-
-		// issue tokens
-		const tokens = await issueTokens({
-			userId: user._id.toString()
-		});
-
-		token = tokens.token;
-		refreshToken = tokens.refreshToken;
-
-		// sending a welcome email to new users
-		if (process.env.LOOPS_API_KEY) {
-			await axios.post("https://app.loops.so/api/v1/events/send", {
-				"email": email,
-				"eventName": "Sign Up",
-				"firstName": firstName,
-				"lastName": lastName
-			}, {
-				headers: {
-					"Accept": "application/json",
-					"Authorization": "Bearer " + process.env.LOOPS_API_KEY
-				},
-			});
-		}
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to complete account setup'
-		});
-	}
-
-	return res.status(200).send({
-		message: 'Successfully set up account',
-		user,
-		token,
-		refreshToken
-	});
-};
-/**
- * Complete setting up user by adding their personal and auth information as part of the
- * invite flow
- * @param req
- * @param res
- * @returns
- */
-export const completeAccountInvite = async (req: Request, res: Response) => {
-	let user, token, refreshToken;
-	try {
-		const {
-			email,
-			firstName,
-			lastName,
-			publicKey,
-			encryptedPrivateKey,
-			iv,
-			tag,
-			salt,
-			verifier
-		} = req.body;
-
-		// get user
-		user = await User.findOne({ email });
-
-		if (!user || (user && user?.publicKey)) {
-			// case 1: user doesn't exist.
-			// case 2: user has already completed account
-			return res.status(403).send({
-				error: 'Failed to complete account for complete user'
-			});
-		}
-
-		const membershipOrg = await MembershipOrg.findOne({
-			inviteEmail: email,
-			status: INVITED
-		});
-
-		if (!membershipOrg) throw new Error('Failed to find invitations for email');
-
-		// complete setting up user's account
-		user = await completeAccount({
-			userId: user._id.toString(),
-			firstName,
-			lastName,
-			publicKey,
-			encryptedPrivateKey,
-			iv,
-			tag,
-			salt,
-			verifier
-		});
-
-		if (!user)
-			throw new Error('Failed to complete account for non-existent user');
-
-		// update organization membership statuses that are
-		// invited to completed with user attached
-		await MembershipOrg.updateMany(
-			{
-				inviteEmail: email,
-				status: INVITED
-			},
-			{
-				user,
-				status: ACCEPTED
-			}
-		);
-
-		// issue tokens
-		const tokens = await issueTokens({
-			userId: user._id.toString()
-		});
-
-		token = tokens.token;
-		refreshToken = tokens.refreshToken;
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to complete account setup'
-		});
-	}
-
-	return res.status(200).send({
-		message: 'Successfully set up account',
-		user,
-		token,
-		refreshToken
-	});
-};

backend/src/controllers/v1/stripeController.ts

@@ -1,10 +1,7 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
 import Stripe from 'stripe';
-import { STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET } from '../../config';
-const stripe = new Stripe(STRIPE_SECRET_KEY, {
-	apiVersion: '2022-08-01'
-});
+import { getStripeSecretKey, getStripeWebhookSecret } from '../../config';
 
 /**
  * Handle service provisioning/un-provisioning via Stripe
@@ -16,11 +13,15 @@ export const handleWebhook = async (req: Request, res: Response) => {
 	let event;
 	try {
 		// check request for valid stripe signature
+		const stripe = new Stripe(getStripeSecretKey(), {
+			apiVersion: '2022-08-01'
+		});
+
 		const sig = req.headers['stripe-signature'] as string;
 		event = stripe.webhooks.constructEvent(
 			req.body,
 			sig,
-			STRIPE_WEBHOOK_SECRET // ?
+			getStripeWebhookSecret()
 		);
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });

backend/src/controllers/v2/apiKeyDataController.ts

@@ -1,13 +1,11 @@
-import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
+import { Request, Response } from 'express';
 import crypto from 'crypto';
 import bcrypt from 'bcrypt';
 import {
     APIKeyData
 } from '../../models';
-import {
-    SALT_ROUNDS
-} from '../../config';
+import { getSaltRounds } from '../../config';
 
 /**
  * Return API key data for user with id [req.user_id]
@@ -45,7 +43,7 @@ export const createAPIKeyData = async (req: Request, res: Response) => {
         const { name, expiresIn } = req.body;
         
         const secret = crypto.randomBytes(16).toString('hex');
-        const secretHash = await bcrypt.hash(secret, SALT_ROUNDS);
+        const secretHash = await bcrypt.hash(secret, getSaltRounds());
         
 		const expiresAt = new Date();
 		expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);

backend/src/controllers/v2/authController.ts

@@ -0,0 +1,360 @@
+/* eslint-disable @typescript-eslint/no-var-requires */
+import { Request, Response } from 'express';
+import jwt from 'jsonwebtoken';
+import * as Sentry from '@sentry/node';
+import * as bigintConversion from 'bigint-conversion';
+const jsrp = require('jsrp');
+import { User, LoginSRPDetail } from '../../models';
+import { issueAuthTokens, createToken } from '../../helpers/auth';
+import { checkUserDevice } from '../../helpers/user';
+import { sendMail } from '../../helpers/nodemailer';
+import { TokenService } from '../../services';
+import { EELogService } from '../../ee/services';
+import { BadRequestError, InternalServerError } from '../../utils/errors';
+import {
+  TOKEN_EMAIL_MFA,
+  ACTION_LOGIN
+} from '../../variables';
+import { getChannelFromUserAgent } from '../../utils/posthog'; // TODO: move this
+import {
+  getNodeEnv,
+  getJwtMfaLifetime,
+  getJwtMfaSecret
+} from '../../config';
+
+declare module 'jsonwebtoken' {
+  export interface UserIDJwtPayload extends jwt.JwtPayload {
+    userId: string;
+  }
+}
+
+/**
+ * Log in user step 1: Return [salt] and [serverPublicKey] as part of step 1 of SRP protocol
+ * @param req
+ * @param res
+ * @returns
+ */
+export const login1 = async (req: Request, res: Response) => {
+  try {
+    const {
+      email,
+      clientPublicKey
+    }: { email: string; clientPublicKey: string } = req.body;
+
+    const user = await User.findOne({
+      email
+    }).select('+salt +verifier');
+
+    if (!user) throw new Error('Failed to find user');
+
+    const server = new jsrp.server();
+    server.init(
+      {
+        salt: user.salt,
+        verifier: user.verifier
+      },
+      async () => {
+        // generate server-side public key
+        const serverPublicKey = server.getPublicKey();
+
+        await LoginSRPDetail.findOneAndReplace({ email: email }, {
+          email: email,
+          clientPublicKey: clientPublicKey,
+          serverBInt: bigintConversion.bigintToBuf(server.bInt),
+        }, { upsert: true, returnNewDocument: false });
+
+        return res.status(200).send({
+          serverPublicKey,
+          salt: user.salt
+        });
+      }
+    );
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: 'Failed to start authentication process'
+    });
+  }
+};
+
+/**
+ * Log in user step 2: complete step 2 of SRP protocol and return token and their (encrypted)
+ * private key
+ * @param req
+ * @param res
+ * @returns
+ */
+export const login2 = async (req: Request, res: Response) => {
+  try {
+
+    if (!req.headers['user-agent']) throw InternalServerError({ message: 'User-Agent header is required' });
+
+    const { email, clientProof } = req.body;
+    const user = await User.findOne({
+      email
+    }).select('+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag');
+
+    if (!user) throw new Error('Failed to find user');
+
+    const loginSRPDetail = await LoginSRPDetail.findOneAndDelete({ email: email })
+
+    if (!loginSRPDetail) {
+      return BadRequestError(Error("Failed to find login details for SRP"))
+    }
+
+    const server = new jsrp.server();
+    server.init(
+      {
+        salt: user.salt,
+        verifier: user.verifier,
+        b: loginSRPDetail.serverBInt
+      },
+      async () => {
+        server.setClientPublicKey(loginSRPDetail.clientPublicKey);
+
+        // compare server and client shared keys
+        if (server.checkClientProof(clientProof)) {
+
+          if (user.isMfaEnabled) {
+            // case: user has MFA enabled
+
+            // generate temporary MFA token
+            const token = createToken({
+              payload: {
+                userId: user._id.toString()
+              },
+              expiresIn: getJwtMfaLifetime(),
+              secret: getJwtMfaSecret()
+            });
+
+            const code = await TokenService.createToken({
+              type: TOKEN_EMAIL_MFA,
+              email
+            });
+
+            // send MFA code [code] to [email]
+            await sendMail({
+              template: 'emailMfa.handlebars',
+              subjectLine: 'Infisical MFA code',
+              recipients: [email],
+              substitutions: {
+                code
+              }
+            });
+
+            return res.status(200).send({
+              mfaEnabled: true,
+              token
+            });
+          }
+
+          await checkUserDevice({
+            user,
+            ip: req.ip,
+            userAgent: req.headers['user-agent'] ?? ''
+          });
+
+          // issue tokens
+          const tokens = await issueAuthTokens({ userId: user._id.toString() });
+
+          // store (refresh) token in httpOnly cookie
+          res.cookie('jid', tokens.refreshToken, {
+            httpOnly: true,
+            path: '/',
+            sameSite: 'strict',
+            secure: getNodeEnv() === 'production' ? true : false
+          });
+
+          // case: user does not have MFA enablgged
+          // return (access) token in response
+
+          interface ResponseData {
+            mfaEnabled: boolean;
+            encryptionVersion: any;
+            protectedKey?: string;
+            protectedKeyIV?: string;
+            protectedKeyTag?: string;
+            token: string;
+            publicKey?: string;
+            encryptedPrivateKey?: string;
+            iv?: string;
+            tag?: string;
+          }
+
+          const response: ResponseData = {
+            mfaEnabled: false,
+            encryptionVersion: user.encryptionVersion,
+            token: tokens.token,
+            publicKey: user.publicKey,
+            encryptedPrivateKey: user.encryptedPrivateKey,
+            iv: user.iv,
+            tag: user.tag
+          }
+
+          if (
+            user?.protectedKey &&
+            user?.protectedKeyIV &&
+            user?.protectedKeyTag
+          ) {
+            response.protectedKey = user.protectedKey;
+            response.protectedKeyIV = user.protectedKeyIV
+            response.protectedKeyTag = user.protectedKeyTag;
+          }
+
+          const loginAction = await EELogService.createAction({
+            name: ACTION_LOGIN,
+            userId: user._id
+          });
+
+          loginAction && await EELogService.createLog({
+            userId: user._id,
+            actions: [loginAction],
+            channel: getChannelFromUserAgent(req.headers['user-agent']),
+            ipAddress: req.ip
+          });
+
+          return res.status(200).send(response);
+        }
+
+        return res.status(400).send({
+          message: 'Failed to authenticate. Try again?'
+        });
+      }
+    );
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: 'Failed to authenticate. Try again?'
+    });
+  }
+};
+
+/**
+ * Send MFA token to email [email]
+ * @param req 
+ * @param res 
+ */
+export const sendMfaToken = async (req: Request, res: Response) => {
+  try {
+    const { email } = req.body;
+
+    const code = await TokenService.createToken({
+      type: TOKEN_EMAIL_MFA,
+      email
+    });
+
+    // send MFA code [code] to [email]
+    await sendMail({
+      template: 'emailMfa.handlebars',
+      subjectLine: 'Infisical MFA code',
+      recipients: [email],
+      substitutions: {
+        code
+      }
+    });
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: 'Failed to send MFA code'
+    });
+  }
+
+  return res.status(200).send({
+    message: 'Successfully sent new MFA code'
+  });
+}
+
+/**
+ * Verify MFA token [mfaToken] and issue JWT and refresh tokens if the
+ * MFA token [mfaToken] is valid
+ * @param req 
+ * @param res 
+ */
+export const verifyMfaToken = async (req: Request, res: Response) => {
+  const { email, mfaToken } = req.body;
+
+  await TokenService.validateToken({
+    type: TOKEN_EMAIL_MFA,
+    email,
+    token: mfaToken
+  });
+
+  const user = await User.findOne({
+    email
+  }).select('+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag');
+
+  if (!user) throw new Error('Failed to find user');
+
+  await checkUserDevice({
+    user,
+    ip: req.ip,
+    userAgent: req.headers['user-agent'] ?? ''
+  });
+
+  // issue tokens
+  const tokens = await issueAuthTokens({ userId: user._id.toString() });
+
+  // store (refresh) token in httpOnly cookie
+  res.cookie('jid', tokens.refreshToken, {
+    httpOnly: true,
+    path: '/',
+    sameSite: 'strict',
+    secure: getNodeEnv() === 'production' ? true : false
+  });
+
+  interface VerifyMfaTokenRes {
+    encryptionVersion: number;
+    protectedKey?: string;
+    protectedKeyIV?: string;
+    protectedKeyTag?: string;
+    token: string;
+    publicKey: string;
+    encryptedPrivateKey: string;
+    iv: string;
+    tag: string;
+  }
+
+  interface VerifyMfaTokenRes {
+    encryptionVersion: number;
+    protectedKey?: string;
+    protectedKeyIV?: string;
+    protectedKeyTag?: string;
+    token: string;
+    publicKey: string;
+    encryptedPrivateKey: string;
+    iv: string;
+    tag: string;
+  }
+
+  const resObj: VerifyMfaTokenRes = {
+    encryptionVersion: user.encryptionVersion,
+    token: tokens.token,
+    publicKey: user.publicKey as string,
+    encryptedPrivateKey: user.encryptedPrivateKey as string,
+    iv: user.iv as string,
+    tag: user.tag as string
+  }
+
+  if (user?.protectedKey && user?.protectedKeyIV && user?.protectedKeyTag) {
+    resObj.protectedKey = user.protectedKey;
+    resObj.protectedKeyIV = user.protectedKeyIV;
+    resObj.protectedKeyTag = user.protectedKeyTag;
+  }
+
+  const loginAction = await EELogService.createAction({
+    name: ACTION_LOGIN,
+    userId: user._id
+  });
+
+  loginAction && await EELogService.createLog({
+    userId: user._id,
+    actions: [loginAction],
+    channel: getChannelFromUserAgent(req.headers['user-agent']),
+    ipAddress: req.ip
+  });
+
+  return res.status(200).send(resObj);
+}

backend/src/controllers/v2/index.ts

@@ -1,3 +1,5 @@
+import * as authController from './authController';
+import * as signupController from './signupController';
 import * as usersController from './usersController';
 import * as organizationsController from './organizationsController';
 import * as workspaceController from './workspaceController';
@@ -9,6 +11,8 @@ import * as environmentController from './environmentController';
 import * as tagController from './tagController';
 
 export {
+    authController,
+    signupController,
     usersController,
     organizationsController,
     workspaceController,

backend/src/controllers/v2/secretController.ts

@@ -7,7 +7,7 @@ const { ValidationError } = mongoose.Error;
 import { BadRequestError, InternalServerError, UnauthorizedRequestError, ValidationError as RouteValidationError } from '../../utils/errors';
 import { AnyBulkWriteOperation } from 'mongodb';
 import { SECRET_PERSONAL, SECRET_SHARED } from "../../variables";
-import { postHogClient } from '../../services';
+import { getPostHogClient } from '../../services';
 
 /**
  * Create secret for workspace with id [workspaceId] and environment [environment]
@@ -15,6 +15,7 @@ import { postHogClient } from '../../services';
  * @param res 
  */
 export const createSecret = async (req: Request, res: Response) => {
+  const postHogClient = getPostHogClient();
   const secretToCreate: CreateSecretRequestBody = req.body.secret;
   const { workspaceId, environment } = req.params
   const sanitizedSecret: SanitizedSecretForCreate = {
@@ -67,6 +68,7 @@ export const createSecret = async (req: Request, res: Response) => {
  * @param res 
  */
 export const createSecrets = async (req: Request, res: Response) => {
+  const postHogClient = getPostHogClient();
   const secretsToCreate: CreateSecretRequestBody[] = req.body.secrets;
   const { workspaceId, environment } = req.params
   const sanitizedSecretesToCreate: SanitizedSecretForCreate[] = []
@@ -128,6 +130,7 @@ export const createSecrets = async (req: Request, res: Response) => {
  * @param res 
  */
 export const deleteSecrets = async (req: Request, res: Response) => {
+  const postHogClient = getPostHogClient();
   const { workspaceId, environmentName } = req.params
   const secretIdsToDelete: string[] = req.body.secretIds
 
@@ -181,6 +184,7 @@ export const deleteSecrets = async (req: Request, res: Response) => {
  * @param res
  */
 export const deleteSecret = async (req: Request, res: Response) => {
+  const postHogClient = getPostHogClient();
   await Secret.findByIdAndDelete(req._secret._id)
 
   if (postHogClient) {
@@ -209,6 +213,7 @@ export const deleteSecret = async (req: Request, res: Response) => {
  * @returns 
  */
 export const updateSecrets = async (req: Request, res: Response) => {
+  const postHogClient = getPostHogClient();
   const { workspaceId, environmentName } = req.params
   const secretsModificationsRequested: ModifySecretRequestBody[] = req.body.secrets;
   const [secretIdsUserCanModifyError, secretIdsUserCanModify] = await to(Secret.find({ workspace: workspaceId, environment: environmentName }, { _id: 1 }).then())
@@ -276,6 +281,7 @@ export const updateSecrets = async (req: Request, res: Response) => {
  * @returns 
  */
 export const updateSecret = async (req: Request, res: Response) => {
+  const postHogClient = getPostHogClient();
   const { workspaceId, environmentName } = req.params
   const secretModificationsRequested: ModifySecretRequestBody = req.body.secret;
 
@@ -329,6 +335,7 @@ export const updateSecret = async (req: Request, res: Response) => {
  * @returns 
  */
 export const getSecrets = async (req: Request, res: Response) => {
+  const postHogClient = getPostHogClient();
   const { environment } = req.query;
   const { workspaceId } = req.params;
 

backend/src/controllers/v2/secretsController.ts

@@ -1,7 +1,8 @@
 import to from 'await-to-js';
 import { Types } from 'mongoose';
 import { Request, Response } from 'express';
-import { ISecret, Membership, Secret, Workspace } from '../../models';
+import { ISecret, Secret } from '../../models';
+import { IAction } from '../../ee/models';
 import {
     SECRET_PERSONAL,
     SECRET_SHARED,
@@ -10,16 +11,276 @@ import {
     ACTION_UPDATE_SECRETS,
     ACTION_DELETE_SECRETS
 } from '../../variables';
-import { UnauthorizedRequestError, ValidationError } from '../../utils/errors';
+import { BadRequestError, UnauthorizedRequestError, ValidationError } from '../../utils/errors';
 import { EventService } from '../../services';
 import { eventPushSecrets } from '../../events';
 import { EESecretService, EELogService } from '../../ee/services';
-import { postHogClient } from '../../services';
+import { getPostHogClient } from '../../services';
 import { getChannelFromUserAgent } from '../../utils/posthog';
 import { ABILITY_READ, ABILITY_WRITE } from '../../variables/organization';
 import { userHasNoAbility, userHasWorkspaceAccess, userHasWriteOnlyAbility } from '../../ee/helpers/checkMembershipPermissions';
 import Tag from '../../models/tag';
 import _ from 'lodash';
+import {
+    BatchSecretRequest,
+    BatchSecret
+} from '../../types/secret';
+import { getFolderPath, getFoldersInDirectory, normalizePath } from '../../utils/folder';
+import Folder from '../../models/folder';
+
+/**
+ * Peform a batch of any specified CUD secret operations
+ * @param req 
+ * @param res 
+ */
+export const batchSecrets = async (req: Request, res: Response) => {
+    const channel = getChannelFromUserAgent(req.headers['user-agent']);
+    const postHogClient = getPostHogClient();
+
+    const {
+        workspaceId,
+        environment,
+        requests
+    }: {
+        workspaceId: string;
+        environment: string;
+        requests: BatchSecretRequest[];
+    } = req.body;
+
+    const createSecrets: BatchSecret[] = [];
+    const updateSecrets: BatchSecret[] = [];
+    const deleteSecrets: Types.ObjectId[] = [];
+    const actions: IAction[] = [];
+
+    for (const request of requests) {
+        const folderId = request.secret.folder
+
+        // need to auth folder
+        const fullFolderPath = await getFolderPath(folderId)
+
+        switch (request.method) {
+            case 'POST':
+                createSecrets.push({
+                    ...request.secret,
+                    path: fullFolderPath,
+                    folder: folderId,
+                    version: 1,
+                    user: request.secret.type === SECRET_PERSONAL ? req.user : undefined,
+                    environment,
+                    workspace: new Types.ObjectId(workspaceId)
+                });
+                break;
+            case 'PATCH':
+                updateSecrets.push({
+                    ...request.secret,
+                    folder: folderId,
+                    path: fullFolderPath,
+                    _id: new Types.ObjectId(request.secret._id)
+                });
+                break;
+            case 'DELETE':
+                deleteSecrets.push(new Types.ObjectId(request.secret._id));
+                break;
+        }
+    }
+
+    // handle create secrets
+    let createdSecrets: ISecret[] = [];
+    if (createSecrets.length > 0) {
+        createdSecrets = await Secret.insertMany(createSecrets);
+        // (EE) add secret versions for new secrets
+
+        await EESecretService.addSecretVersions({
+            secretVersions: createdSecrets.map((n: any) => {
+                return ({
+                    ...n._doc,
+                    _id: new Types.ObjectId(),
+                    secret: n._id,
+                    isDeleted: false
+                });
+            })
+        });
+
+        const addAction = await EELogService.createAction({
+            name: ACTION_ADD_SECRETS,
+            userId: req.user._id,
+            workspaceId: new Types.ObjectId(workspaceId),
+            secretIds: createdSecrets.map((n) => n._id)
+        }) as IAction;
+        actions.push(addAction);
+
+        if (postHogClient) {
+            postHogClient.capture({
+                event: 'secrets added',
+                distinctId: req.user.email,
+                properties: {
+                    numberOfSecrets: createdSecrets.length,
+                    environment,
+                    workspaceId,
+                    channel,
+                    userAgent: req.headers?.['user-agent']
+                }
+            });
+        }
+    }
+
+    // handle update secrets
+    let updatedSecrets: ISecret[] = [];
+    if (updateSecrets.length > 0 && req.secrets) {
+        // construct object containing all secrets
+        let listedSecretsObj: {
+            [key: string]: {
+                version: number;
+                type: string;
+            }
+        } = {};
+
+        listedSecretsObj = req.secrets.reduce((obj: any, secret: ISecret) => ({
+            ...obj,
+            [secret._id.toString()]: secret
+        }), {});
+
+        const updateOperations = updateSecrets.map((u) => ({
+            updateOne: {
+                filter: { _id: new Types.ObjectId(u._id) },
+                update: {
+                    $inc: {
+                        version: 1
+                    },
+                    ...u,
+                    _id: new Types.ObjectId(u._id)
+                }
+            }
+        }));
+
+        await Secret.bulkWrite(updateOperations);
+
+        const secretVersions = updateSecrets.map((u) => ({
+            secret: new Types.ObjectId(u._id),
+            version: listedSecretsObj[u._id.toString()].version,
+            workspace: new Types.ObjectId(workspaceId),
+            type: listedSecretsObj[u._id.toString()].type,
+            environment,
+            isDeleted: false,
+            secretKeyCiphertext: u.secretKeyCiphertext,
+            secretKeyIV: u.secretKeyIV,
+            secretKeyTag: u.secretKeyTag,
+            secretValueCiphertext: u.secretValueCiphertext,
+            secretValueIV: u.secretValueIV,
+            secretValueTag: u.secretValueTag,
+            secretCommentCiphertext: u.secretCommentCiphertext,
+            secretCommentIV: u.secretCommentIV,
+            secretCommentTag: u.secretCommentTag,
+            tags: u.tags
+        }));
+
+        await EESecretService.addSecretVersions({
+            secretVersions
+        });
+
+        updatedSecrets = await Secret.find({
+            _id: {
+                $in: updateSecrets.map((u) => new Types.ObjectId(u._id))
+            }
+        });
+
+        const updateAction = await EELogService.createAction({
+            name: ACTION_UPDATE_SECRETS,
+            userId: req.user._id,
+            workspaceId: new Types.ObjectId(workspaceId),
+            secretIds: updatedSecrets.map((u) => u._id)
+        }) as IAction;
+        actions.push(updateAction);
+
+        if (postHogClient) {
+            postHogClient.capture({
+                event: 'secrets modified',
+                distinctId: req.user.email,
+                properties: {
+                    numberOfSecrets: updateSecrets.length,
+                    environment,
+                    workspaceId,
+                    channel,
+                    userAgent: req.headers?.['user-agent']
+                }
+            });
+        }
+    }
+
+    // handle delete secrets
+    if (deleteSecrets.length > 0) {
+        await Secret.deleteMany({
+            _id: {
+                $in: deleteSecrets
+            }
+        });
+
+        await EESecretService.markDeletedSecretVersions({
+            secretIds: deleteSecrets
+        });
+
+        const deleteAction = await EELogService.createAction({
+            name: ACTION_DELETE_SECRETS,
+            userId: req.user._id,
+            workspaceId: new Types.ObjectId(workspaceId),
+            secretIds: deleteSecrets
+        }) as IAction;
+        actions.push(deleteAction);
+
+        if (postHogClient) {
+            postHogClient.capture({
+                event: 'secrets deleted',
+                distinctId: req.user.email,
+                properties: {
+                    numberOfSecrets: deleteSecrets.length,
+                    environment,
+                    workspaceId,
+                    channel: channel,
+                    userAgent: req.headers?.['user-agent']
+                }
+            });
+        }
+    }
+
+    if (actions.length > 0) {
+        // (EE) create (audit) log
+        await EELogService.createLog({
+            userId: req.user._id.toString(),
+            workspaceId: new Types.ObjectId(workspaceId),
+            actions,
+            channel,
+            ipAddress: req.ip
+        });
+    }
+
+    // // trigger event - push secrets
+    await EventService.handleEvent({
+        event: eventPushSecrets({
+            workspaceId
+        })
+    });
+
+    // (EE) take a secret snapshot
+    await EESecretService.takeSecretSnapshot({
+        workspaceId
+    });
+
+    const resObj: { [key: string]: ISecret[] | string[] } = {}
+
+    if (createSecrets.length > 0) {
+        resObj['createdSecrets'] = createdSecrets;
+    }
+
+    if (updateSecrets.length > 0) {
+        resObj['updatedSecrets'] = updatedSecrets;
+    }
+
+    if (deleteSecrets.length > 0) {
+        resObj['deletedSecrets'] = deleteSecrets.map((d) => d.toString());
+    }
+
+    return res.status(200).send(resObj);
+}
 
 /**
  * Create secret(s) for workspace with id [workspaceId] and environment [environment]
@@ -79,6 +340,7 @@ export const createSecrets = async (req: Request, res: Response) => {
         }
     }   
     */
+    const postHogClient = getPostHogClient();
 
     const channel = getChannelFromUserAgent(req.headers['user-agent'])
     const { workspaceId, environment }: { workspaceId: string, environment: string } = req.body;
@@ -97,23 +359,31 @@ export const createSecrets = async (req: Request, res: Response) => {
         listOfSecretsToCreate = [req.body.secrets];
     }
 
-    type secretsToCreateType = {
-        type: string;
-        secretKeyCiphertext: string;
-        secretKeyIV: string;
-        secretKeyTag: string;
-        secretValueCiphertext: string;
-        secretValueIV: string;
-        secretValueTag: string;
-        secretCommentCiphertext: string;
-        secretCommentIV: string;
-        secretCommentTag: string;
-        tags: string[]
-    }
 
-    const newlyCreatedSecrets = await Secret.insertMany(
-        listOfSecretsToCreate.map(({
+    const secretsToInsert: ISecret[] = [];
+
+    for (const {
+        type,
+        secretKeyCiphertext,
+        secretKeyIV,
+        secretKeyTag,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag,
+        secretCommentCiphertext,
+        secretCommentIV,
+        secretCommentTag,
+        tags,
+        folder
+    } of listOfSecretsToCreate) {
+        const fullFolderPath = await getFolderPath(folder)
+
+        const secret: any = {
+            version: 1,
+            workspace: new Types.ObjectId(workspaceId),
             type,
+            user: type === SECRET_PERSONAL ? req.user : undefined,
+            environment,
             secretKeyCiphertext,
             secretKeyIV,
             secretKeyTag,
@@ -123,27 +393,15 @@ export const createSecrets = async (req: Request, res: Response) => {
             secretCommentCiphertext,
             secretCommentIV,
             secretCommentTag,
-            tags
-        }: secretsToCreateType) => {
-            return ({
-                version: 1,
-                workspace: new Types.ObjectId(workspaceId),
-                type,
-                user: type === SECRET_PERSONAL ? req.user : undefined,
-                environment,
-                secretKeyCiphertext,
-                secretKeyIV,
-                secretKeyTag,
-                secretValueCiphertext,
-                secretValueIV,
-                secretValueTag,
-                secretCommentCiphertext,
-                secretCommentIV,
-                secretCommentTag,
-                tags
-            });
-        })
-    );
+            tags,
+            folder: folder,
+            path: fullFolderPath
+        };
+
+        secretsToInsert.push(secret);
+    }
+
+    const newlyCreatedSecrets: ISecret[] = (await Secret.insertMany(secretsToInsert)).map((insertedSecret) => insertedSecret.toObject());
 
     setTimeout(async () => {
         // trigger event - push secrets
@@ -166,11 +424,9 @@ export const createSecrets = async (req: Request, res: Response) => {
             secretKeyCiphertext,
             secretKeyIV,
             secretKeyTag,
-            secretKeyHash,
             secretValueCiphertext,
             secretValueIV,
             secretValueTag,
-            secretValueHash,
             secretCommentCiphertext,
             secretCommentIV,
             secretCommentTag,
@@ -187,11 +443,9 @@ export const createSecrets = async (req: Request, res: Response) => {
             secretKeyCiphertext,
             secretKeyIV,
             secretKeyTag,
-            secretKeyHash,
             secretValueCiphertext,
             secretValueIV,
             secretValueTag,
-            secretValueHash,
             secretCommentCiphertext,
             secretCommentIV,
             secretCommentTag,
@@ -253,7 +507,7 @@ export const getSecrets = async (req: Request, res: Response) => {
     
     #swagger.security = [{
         "apiKeyAuth": []
-    }]
+    }] 
 
     #swagger.parameters['workspaceId'] = {
         "description": "ID of project",
@@ -287,11 +541,15 @@ export const getSecrets = async (req: Request, res: Response) => {
     }   
     */
 
+    const postHogClient = getPostHogClient();
 
-    const { workspaceId, environment, tagSlugs } = req.query;
+    const { workspaceId, environment, tagSlugs, secretsPath } = req.query;
+
+    const normalizedPath = normalizePath(secretsPath as string)
     const tagNamesList = typeof tagSlugs === 'string' && tagSlugs !== '' ? tagSlugs.split(',') : [];
     let userId = "" // used for getting personal secrets for user
     let userEmail = "" // used for posthog 
+
     if (req.user) {
         userId = req.user._id;
         userEmail = req.user.email;
@@ -311,6 +569,7 @@ export const getSecrets = async (req: Request, res: Response) => {
             throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
         }
     }
+
     let secrets: any
     let secretQuery: any
 
@@ -344,6 +603,9 @@ export const getSecrets = async (req: Request, res: Response) => {
         }
     }
 
+    // Add path to secrets query
+    secretQuery.path = normalizedPath
+
     if (hasWriteOnlyAccess) {
         secrets = await Secret.find(secretQuery).select("secretKeyCiphertext secretKeyIV secretKeyTag")
     } else {
@@ -367,6 +629,8 @@ export const getSecrets = async (req: Request, res: Response) => {
         ipAddress: req.ip
     });
 
+    const folders = await getFoldersInDirectory(workspaceId as string, environment as string, normalizedPath)
+
     if (postHogClient) {
         postHogClient.capture({
             event: 'secrets pulled',
@@ -382,11 +646,11 @@ export const getSecrets = async (req: Request, res: Response) => {
     }
 
     return res.status(200).send({
-        secrets
+        secrets,
+        folders
     });
 }
 
-
 export const getOnlySecretKeys = async (req: Request, res: Response) => {
     const { workspaceId, environment } = req.query;
 
@@ -489,6 +753,7 @@ export const updateSecrets = async (req: Request, res: Response) => {
         }
     }
     */
+    const postHogClient = getPostHogClient();
     const channel = req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli';
 
     // TODO: move type
@@ -506,7 +771,9 @@ export const updateSecrets = async (req: Request, res: Response) => {
         tags: string[]
     }
 
-    const updateOperationsToPerform = req.body.secrets.map((secret: PatchSecret) => {
+    const updateOperationsToPerform = [];
+
+    for (const secret of req.body.secrets) {
         const {
             secretKeyCiphertext,
             secretKeyIV,
@@ -517,10 +784,13 @@ export const updateSecrets = async (req: Request, res: Response) => {
             secretCommentCiphertext,
             secretCommentIV,
             secretCommentTag,
-            tags
+            tags,
+            folder
         } = secret;
 
-        return ({
+        const fullFolderPath = await getFolderPath(folder)
+
+        const updateOperation = {
             updateOne: {
                 filter: { _id: new Types.ObjectId(secret.id) },
                 update: {
@@ -534,6 +804,8 @@ export const updateSecrets = async (req: Request, res: Response) => {
                     secretValueIV,
                     secretValueTag,
                     tags,
+                    path: fullFolderPath,
+                    folder: folder,
                     ...((
                         secretCommentCiphertext !== undefined &&
                         secretCommentIV &&
@@ -545,8 +817,10 @@ export const updateSecrets = async (req: Request, res: Response) => {
                     } : {}),
                 }
             }
-        });
-    });
+        };
+
+        updateOperationsToPerform.push(updateOperation);
+    }
 
     await Secret.bulkWrite(updateOperationsToPerform);
 
@@ -710,6 +984,7 @@ export const deleteSecrets = async (req: Request, res: Response) => {
         }
     }   
     */
+    const postHogClient = getPostHogClient();
     const channel = getChannelFromUserAgent(req.headers['user-agent'])
     const toDelete = req.secrets.map((s: any) => s._id);
 

backend/src/controllers/v2/serviceTokenDataController.ts

@@ -1,15 +1,13 @@
-import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
+import { Request, Response } from 'express';
 import crypto from 'crypto';
 import bcrypt from 'bcrypt';
 import {
     ServiceTokenData
 } from '../../models';
-import {
-    SALT_ROUNDS
-} from '../../config';
 import { userHasWorkspaceAccess } from '../../ee/helpers/checkMembershipPermissions';
 import { ABILITY_READ } from '../../variables/organization';
+import { getSaltRounds } from '../../config';
 
 /**
  * Return service token data associated with service token on request
@@ -17,7 +15,35 @@ import { ABILITY_READ } from '../../variables/organization';
  * @param res 
  * @returns 
  */
-export const getServiceTokenData = async (req: Request, res: Response) => res.status(200).json(req.serviceTokenData);
+export const getServiceTokenData = async (req: Request, res: Response) => {
+    /* 
+    #swagger.summary = 'Return Infisical Token data'
+    #swagger.description = 'Return Infisical Token data'
+    
+    #swagger.security = [{
+        "bearerAuth": []
+    }]
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+                    "type": "object",
+					"properties": {
+                        "serviceTokenData": {
+                            "type": "object",
+                            $ref: "#/components/schemas/ServiceTokenData",
+                            "description": "Details of service token"
+                        }
+					}
+                }
+            }           
+        }
+    }   
+    */
+
+    return res.status(200).json(req.serviceTokenData);
+}
 
 /**
  * Create new service token data for workspace with id [workspaceId] and
@@ -28,6 +54,7 @@ export const getServiceTokenData = async (req: Request, res: Response) => res.st
  */
 export const createServiceTokenData = async (req: Request, res: Response) => {
     let serviceToken, serviceTokenData;
+
     try {
         const {
             name,
@@ -36,7 +63,8 @@ export const createServiceTokenData = async (req: Request, res: Response) => {
             encryptedKey,
             iv,
             tag,
-            expiresIn
+            expiresIn,
+            permissions
         } = req.body;
 
         const hasAccess = await userHasWorkspaceAccess(req.user, workspaceId, environment, ABILITY_READ)
@@ -45,7 +73,7 @@ export const createServiceTokenData = async (req: Request, res: Response) => {
         }
 
         const secret = crypto.randomBytes(16).toString('hex');
-        const secretHash = await bcrypt.hash(secret, SALT_ROUNDS);
+        const secretHash = await bcrypt.hash(secret, getSaltRounds());
 
         const expiresAt = new Date();
         expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
@@ -59,7 +87,8 @@ export const createServiceTokenData = async (req: Request, res: Response) => {
             secretHash,
             encryptedKey,
             iv,
-            tag
+            tag,
+            permissions
         }).save();
 
         // return service token data without sensitive data
@@ -111,4 +140,4 @@ export const deleteServiceTokenData = async (req: Request, res: Response) => {
 
 function UnauthorizedRequestError(arg0: { message: string; }) {
     throw new Error('Function not implemented.');
-}
+}

backend/src/controllers/v2/signupController.ts

@@ -0,0 +1,250 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { User, MembershipOrg } from '../../models';
+import { completeAccount } from '../../helpers/user';
+import {
+	initializeDefaultOrg
+} from '../../helpers/signup';
+import { issueAuthTokens } from '../../helpers/auth';
+import { INVITED, ACCEPTED } from '../../variables';
+import request from '../../config/request';
+import { getNodeEnv, getLoopsApiKey } from '../../config';
+
+/**
+ * Complete setting up user by adding their personal and auth information as part of the
+ * signup flow
+ * @param req
+ * @param res
+ * @returns
+ */
+export const completeAccountSignup = async (req: Request, res: Response) => {
+	let user, token, refreshToken;
+	try {
+		const {
+			email,
+			firstName,
+			lastName,
+            protectedKey,
+            protectedKeyIV,
+            protectedKeyTag,
+			publicKey,
+			encryptedPrivateKey,
+			encryptedPrivateKeyIV,
+			encryptedPrivateKeyTag,
+			salt,
+			verifier,
+			organizationName
+		}: {
+			email: string;
+			firstName: string;
+			lastName: string;
+            protectedKey: string;
+            protectedKeyIV: string;
+            protectedKeyTag: string;
+			publicKey: string;
+			encryptedPrivateKey: string;
+			encryptedPrivateKeyIV: string;
+			encryptedPrivateKeyTag: string;
+			salt: string;
+			verifier: string;
+			organizationName: string;
+        } = req.body;
+
+		// get user
+		user = await User.findOne({ email });
+		
+		if (!user || (user && user?.publicKey)) {
+			// case 1: user doesn't exist.
+			// case 2: user has already completed account
+			return res.status(403).send({
+				error: 'Failed to complete account for complete user'
+			});
+		}
+
+		// complete setting up user's account
+		user = await completeAccount({
+			userId: user._id.toString(),
+			firstName,
+			lastName,
+            encryptionVersion: 2,
+            protectedKey,
+            protectedKeyIV,
+            protectedKeyTag,
+			publicKey,
+			encryptedPrivateKey,
+			encryptedPrivateKeyIV,
+			encryptedPrivateKeyTag,
+			salt,
+			verifier
+		});
+
+		if (!user)
+			throw new Error('Failed to complete account for non-existent user'); // ensure user is non-null
+
+		// initialize default organization and workspace
+		await initializeDefaultOrg({
+			organizationName,
+			user
+		});
+
+		// update organization membership statuses that are
+		// invited to completed with user attached
+		await MembershipOrg.updateMany(
+			{
+				inviteEmail: email,
+				status: INVITED
+			},
+			{
+				user,
+				status: ACCEPTED
+			}
+		);
+
+		// issue tokens
+		const tokens = await issueAuthTokens({
+			userId: user._id.toString()
+		});
+
+		token = tokens.token;
+
+		// sending a welcome email to new users
+		if (getLoopsApiKey()) {
+			await request.post("https://app.loops.so/api/v1/events/send", {
+				"email": email,
+				"eventName": "Sign Up",
+				"firstName": firstName,
+				"lastName": lastName
+			}, {
+				headers: {
+					"Accept": "application/json",
+					"Authorization": "Bearer " + getLoopsApiKey()
+				},
+			});
+		}
+
+		// store (refresh) token in httpOnly cookie
+		res.cookie('jid', tokens.refreshToken, {
+			httpOnly: true,
+			path: '/',
+			sameSite: 'strict',
+			secure: getNodeEnv() === 'production' ? true : false
+		});
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to complete account setup'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Successfully set up account',
+		user,
+		token
+	});
+};
+
+/**
+ * Complete setting up user by adding their personal and auth information as part of the
+ * invite flow
+ * @param req
+ * @param res
+ * @returns
+ */
+export const completeAccountInvite = async (req: Request, res: Response) => {
+	let user, token, refreshToken;
+	try {
+		const {
+			email,
+			firstName,
+			lastName,
+            protectedKey,
+            protectedKeyIV,
+            protectedKeyTag,
+			publicKey,
+			encryptedPrivateKey,
+			encryptedPrivateKeyIV,
+			encryptedPrivateKeyTag,
+			salt,
+			verifier
+		} = req.body;
+
+		// get user
+		user = await User.findOne({ email });
+
+		if (!user || (user && user?.publicKey)) {
+			// case 1: user doesn't exist.
+			// case 2: user has already completed account
+			return res.status(403).send({
+				error: 'Failed to complete account for complete user'
+			});
+		}
+
+		const membershipOrg = await MembershipOrg.findOne({
+			inviteEmail: email,
+			status: INVITED
+		});
+
+		if (!membershipOrg) throw new Error('Failed to find invitations for email');
+
+		// complete setting up user's account
+		user = await completeAccount({
+			userId: user._id.toString(),
+			firstName,
+			lastName,
+            encryptionVersion: 2,
+            protectedKey,
+            protectedKeyIV,
+            protectedKeyTag,
+			publicKey,
+			encryptedPrivateKey,
+			encryptedPrivateKeyIV,
+			encryptedPrivateKeyTag,
+			salt,
+			verifier
+		});
+
+		if (!user)
+			throw new Error('Failed to complete account for non-existent user');
+
+		// update organization membership statuses that are
+		// invited to completed with user attached
+		await MembershipOrg.updateMany(
+			{
+				inviteEmail: email,
+				status: INVITED
+			},
+			{
+				user,
+				status: ACCEPTED
+			}
+		);
+
+		// issue tokens
+		const tokens = await issueAuthTokens({
+			userId: user._id.toString()
+		});
+
+		token = tokens.token;
+
+		// store (refresh) token in httpOnly cookie
+		res.cookie('jid', tokens.refreshToken, {
+			httpOnly: true,
+			path: '/',
+			sameSite: 'strict',
+			secure: getNodeEnv() === 'production' ? true : false
+		});
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to complete account setup'
+		});
+	}
+	
+	return res.status(200).send({
+		message: 'Successfully set up account',
+		user,
+		token
+	});
+};

backend/src/controllers/v2/usersController.ts

@@ -41,7 +41,7 @@ export const getMe = async (req: Request, res: Response) => {
     try {
         user = await User
             .findById(req.user._id)
-            .select('+publicKey +encryptedPrivateKey +iv +tag');
+            .select('+salt +publicKey +encryptedPrivateKey +iv +tag +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag');
     } catch (err) {
         Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);
@@ -55,6 +55,44 @@ export const getMe = async (req: Request, res: Response) => {
     });
 }
 
+/**
+ * Update the current user's MFA-enabled status [isMfaEnabled].
+ * Note: Infisical currently only supports email-based 2FA only; this will expand to
+ * include SMS and authenticator app modes of authentication in the future.
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const updateMyMfaEnabled = async (req: Request, res: Response) => {
+    let user;
+    try {
+        const { isMfaEnabled }: { isMfaEnabled: boolean } = req.body;
+        req.user.isMfaEnabled = isMfaEnabled;
+        
+        if (isMfaEnabled) { 
+            // TODO: adapt this route/controller 
+            // to work for different forms of MFA
+            req.user.mfaMethods = ['email'];
+        } else {
+            req.user.mfaMethods = [];
+        }
+
+        await req.user.save();
+        
+        user = req.user;
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: "Failed to update current user's MFA status"
+		}); 
+    }
+    
+    return res.status(200).send({
+        user
+    });
+}
+
 /**
  * Return organizations that the current user is part of.
  * @param req 

backend/src/controllers/v2/workspaceController.ts

@@ -19,7 +19,7 @@ import {
 	reformatPullSecrets
 } from '../../helpers/secret';
 import { pushKeys } from '../../helpers/key';
-import { postHogClient, EventService } from '../../services';
+import { getPostHogClient, EventService } from '../../services';
 import { eventPushSecrets } from '../../events';
 
 interface V2PushSecret {
@@ -48,6 +48,7 @@ interface V2PushSecret {
 export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
 	// upload (encrypted) secrets to workspace with id [workspaceId]
 	try {
+		const postHogClient = getPostHogClient();
 		let { secrets }: { secrets: V2PushSecret[] } = req.body;
 		const { keys, environment, channel } = req.body;
 		const { workspaceId } = req.params;
@@ -121,6 +122,7 @@ export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
 export const pullSecrets = async (req: Request, res: Response) => {
 	let secrets;
 	try {
+		const postHogClient = getPostHogClient();
 		const environment: string = req.query.environment as string;
 		const channel: string = req.query.channel as string;
 		const { workspaceId } = req.params;

backend/src/ee/controllers/v1/secretController.ts

@@ -158,11 +158,9 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
 			secretKeyCiphertext,
 			secretKeyIV,
 			secretKeyTag,
-			secretKeyHash,
 			secretValueCiphertext,
 			secretValueIV,
 			secretValueTag,
-			secretValueHash
 		} = oldSecretVersion;
 		
 		// update secret
@@ -179,11 +177,9 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
 				secretKeyCiphertext,
 				secretKeyIV,
 				secretKeyTag,
-				secretKeyHash,
 				secretValueCiphertext,
 				secretValueIV,
 				secretValueTag,
-				secretValueHash
 			},
 			{
 				new: true
@@ -204,11 +200,9 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
 			secretKeyCiphertext,
 			secretKeyIV,
 			secretKeyTag,
-			secretKeyHash,
 			secretValueCiphertext,
 			secretValueIV,
-			secretValueTag,
-			secretValueHash	
+			secretValueTag
 		}).save();
 		
 		// take secret snapshot

backend/src/ee/controllers/v1/stripeController.ts

@@ -1,10 +1,7 @@
-import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
+import { Request, Response } from 'express';
 import Stripe from 'stripe';
-import { STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET } from '../../../config';
-const stripe = new Stripe(STRIPE_SECRET_KEY, {
-	apiVersion: '2022-08-01'
-});
+import { getStripeSecretKey, getStripeWebhookSecret } from '../../../config';
 
 /**
  * Handle service provisioning/un-provisioning via Stripe
@@ -15,12 +12,16 @@ const stripe = new Stripe(STRIPE_SECRET_KEY, {
 export const handleWebhook = async (req: Request, res: Response) => {
 	let event;
 	try {
+		const stripe = new Stripe(getStripeSecretKey(), {
+			apiVersion: '2022-08-01'
+		});
+
 		// check request for valid stripe signature
 		const sig = req.headers['stripe-signature'] as string;
 		event = stripe.webhooks.constructEvent(
 			req.body,
 			sig,
-			STRIPE_WEBHOOK_SECRET // ?
+			getStripeWebhookSecret()
 		);
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });

backend/src/ee/models/secretVersion.ts

@@ -5,22 +5,19 @@ import {
 } from '../../variables';
 
 export interface ISecretVersion {
-	_id: Types.ObjectId;
 	secret: Types.ObjectId;
 	version: number;
 	workspace: Types.ObjectId; // new
 	type: string; // new
-	user: Types.ObjectId; // new
+	user?: Types.ObjectId; // new
 	environment: string; // new
 	isDeleted: boolean;
 	secretKeyCiphertext: string;
 	secretKeyIV: string;
 	secretKeyTag: string;
-	secretKeyHash: string;
 	secretValueCiphertext: string;
 	secretValueIV: string;
 	secretValueTag: string;
-	secretValueHash: string;
 	tags?: string[];
 }
 
@@ -72,9 +69,6 @@ const secretVersionSchema = new Schema<ISecretVersion>(
 			type: String, // symmetric
 			required: true
 		},
-		secretKeyHash: {
-			type: String
-		},
 		secretValueCiphertext: {
 			type: String,
 			required: true
@@ -87,9 +81,6 @@ const secretVersionSchema = new Schema<ISecretVersion>(
 			type: String, // symmetric
 			required: true
 		},
-		secretValueHash: {
-			type: String
-		},
 		tags: {
 			ref: 'Tag',
 			type: [Schema.Types.ObjectId],

backend/src/ee/services/EELicenseService.ts

@@ -1,5 +1,3 @@
-import { LICENSE_KEY } from '../../config';
-
 /**
  * Class to handle Enterprise Edition license actions
  */
@@ -16,4 +14,4 @@ class EELicenseService {
     }
 }
 
-export default new EELicenseService(LICENSE_KEY);
+export default new EELicenseService('N/A');

backend/src/helpers/auth.ts

@@ -1,17 +1,12 @@
-import jwt from 'jsonwebtoken';
 import * as Sentry from '@sentry/node';
+import jwt from 'jsonwebtoken';
 import bcrypt from 'bcrypt';
 import {
+	IUser,
 	User,
 	ServiceTokenData,
 	APIKeyData
 } from '../models';
-import {
-	JWT_AUTH_LIFETIME,
-	JWT_AUTH_SECRET,
-	JWT_REFRESH_LIFETIME,
-	JWT_REFRESH_SECRET
-} from '../config';
 import {
 	AccountNotFoundError,
 	ServiceTokenDataNotFoundError,
@@ -19,6 +14,12 @@ import {
 	UnauthorizedRequestError,
 	BadRequestError
 } from '../utils/errors';
+import {
+	getJwtAuthLifetime,
+	getJwtAuthSecret,
+	getJwtRefreshLifetime,
+	getJwtRefreshSecret
+} from '../config';
 
 /**
  * 
@@ -92,7 +93,7 @@ const getAuthUserPayload = async ({
 	let user;
 	try {
 		const decodedToken = <jwt.UserIDJwtPayload>(
-			jwt.verify(authTokenValue, JWT_AUTH_SECRET)
+			jwt.verify(authTokenValue, getJwtAuthSecret())
 		);
 
 		user = await User.findOne({
@@ -148,7 +149,10 @@ const getAuthSTDPayload = async ({
 
 		serviceTokenData = await ServiceTokenData
 			.findById(TOKEN_IDENTIFIER)
-			.select('+encryptedKey +iv +tag').populate('user');
+			.select('+encryptedKey +iv +tag')
+			.populate<{user: IUser}>('user');
+		
+		if (!serviceTokenData) throw ServiceTokenDataNotFoundError({ message: 'Failed to find service token data' });
 
 	} catch (err) {
 		throw UnauthorizedRequestError({
@@ -211,7 +215,7 @@ const getAuthAPIKeyPayload = async ({
  * @return {String} obj.token - issued JWT token
  * @return {String} obj.refreshToken - issued refresh token
  */
-const issueTokens = async ({ userId }: { userId: string }) => {
+const issueAuthTokens = async ({ userId }: { userId: string }) => {
 	let token: string;
 	let refreshToken: string;
 	try {
@@ -220,16 +224,16 @@ const issueTokens = async ({ userId }: { userId: string }) => {
 			payload: {
 				userId
 			},
-			expiresIn: JWT_AUTH_LIFETIME,
-			secret: JWT_AUTH_SECRET
+			expiresIn: getJwtAuthLifetime(),
+			secret: getJwtAuthSecret()
 		});
 
 		refreshToken = createToken({
 			payload: {
 				userId
 			},
-			expiresIn: JWT_REFRESH_LIFETIME,
-			secret: JWT_REFRESH_SECRET
+			expiresIn: getJwtRefreshLifetime(),
+			secret: getJwtRefreshSecret()
 		});
 	} catch (err) {
 		Sentry.setUser(null);
@@ -298,6 +302,6 @@ export {
 	getAuthSTDPayload,
 	getAuthAPIKeyPayload,
 	createToken,
-	issueTokens,
+	issueAuthTokens,
 	clearTokens
 };

backend/src/helpers/bot.ts

@@ -12,8 +12,8 @@ import {
     decryptSymmetric,
     decryptAsymmetric
 } from '../utils/crypto';
-import { ENCRYPTION_KEY } from '../config';
 import { SECRET_SHARED } from '../variables';
+import { getEncryptionKey } from '../config';
 
 /**
  * Create an inactive bot with name [name] for workspace with id [workspaceId]
@@ -33,7 +33,7 @@ const createBot = async ({
         const { publicKey, privateKey } = generateKeyPair();
         const { ciphertext, iv, tag } = encryptSymmetric({
             plaintext: privateKey,
-            key: ENCRYPTION_KEY
+            key: getEncryptionKey()
         });
 
         bot = await new Bot({
@@ -130,7 +130,7 @@ const getKey = async ({ workspaceId }: { workspaceId: string }) => {
             ciphertext: bot.encryptedPrivateKey,
             iv: bot.iv,
             tag: bot.tag,
-            key: ENCRYPTION_KEY
+            key: getEncryptionKey()
         });
         
         key = decryptAsymmetric({

backend/src/helpers/database.ts

@@ -29,6 +29,23 @@ const initDatabaseHelper = async ({
     return mongoose.connection;
 }
 
+/**
+ * Close database conection
+ */
+const closeDatabaseHelper = async () => {
+    return Promise.all([
+        new Promise((resolve) => {
+            if (mongoose.connection && mongoose.connection.readyState == 1) {
+            mongoose.connection.close()
+                .then(() => resolve('Database connection closed'));
+            } else {
+            resolve('Database connection already closed');
+            }
+        })
+    ]);
+}
+
 export {
-    initDatabaseHelper
+    initDatabaseHelper,
+    closeDatabaseHelper
 }

backend/src/helpers/integration.ts

@@ -229,7 +229,7 @@ const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrati
                 // access token is expired
                 const refreshToken = await getIntegrationAuthRefreshHelper({ integrationAuthId });
                 accessToken = await exchangeRefresh({
-                    integration: integrationAuth.integration,
+                    integrationAuth,
                     refreshToken
                 });
             }

backend/src/helpers/nodemailer.ts

@@ -1,9 +1,9 @@
+import * as Sentry from '@sentry/node';
 import fs from 'fs';
 import path from 'path';
 import handlebars from 'handlebars';
 import nodemailer from 'nodemailer';
-import { SMTP_FROM_NAME, SMTP_FROM_ADDRESS } from '../config';
-import * as Sentry from '@sentry/node';
+import { getSmtpFromName, getSmtpFromAddress, getSmtpConfigured } from '../config';
 
 let smtpTransporter: nodemailer.Transporter;
 
@@ -25,23 +25,25 @@ const sendMail = async ({
   recipients: string[];
   substitutions: any;
 }) => {
-  try {
-    const html = fs.readFileSync(
-      path.resolve(__dirname, '../templates/' + template),
-      'utf8'
-    );
-    const temp = handlebars.compile(html);
-    const htmlToSend = temp(substitutions);
+  if (getSmtpConfigured()) {
+    try {
+      const html = fs.readFileSync(
+        path.resolve(__dirname, '../templates/' + template),
+        'utf8'
+      );
+      const temp = handlebars.compile(html);
+      const htmlToSend = temp(substitutions);
 
-    await smtpTransporter.sendMail({
-      from: `"${SMTP_FROM_NAME}" <${SMTP_FROM_ADDRESS}>`,
-      to: recipients.join(', '),
-      subject: subjectLine,
-      html: htmlToSend
-    });
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
+      await smtpTransporter.sendMail({
+        from: `"${getSmtpFromName()}" <${getSmtpFromAddress()}>`,
+        to: recipients.join(', '),
+        subject: subjectLine,
+        html: htmlToSend
+      });
+    } catch (err) {
+      Sentry.setUser(null);
+      Sentry.captureException(err);
+    }
   }
 };
 

backend/src/helpers/organization.ts

@@ -1,23 +1,14 @@
 import * as Sentry from '@sentry/node';
 import Stripe from 'stripe';
-import {
-	STRIPE_SECRET_KEY,
-	STRIPE_PRODUCT_STARTER,
-	STRIPE_PRODUCT_TEAM,
-	STRIPE_PRODUCT_PRO
-} from '../config';
-const stripe = new Stripe(STRIPE_SECRET_KEY, {
-	apiVersion: '2022-08-01'
-});
 import { Types } from 'mongoose';
 import { ACCEPTED } from '../variables';
 import { Organization, MembershipOrg } from '../models';
-
-const productToPriceMap = {
-	starter: STRIPE_PRODUCT_STARTER,
-	team: STRIPE_PRODUCT_TEAM,
-	pro: STRIPE_PRODUCT_PRO
-};
+import { 
+	getStripeSecretKey,
+	getStripeProductPro,
+	getStripeProductTeam,
+	getStripeProductStarter
+} from '../config';
 
 /**
  * Create an organization with name [name]
@@ -36,8 +27,11 @@ const createOrganization = async ({
 	let organization;
 	try {
 		// register stripe account
+		const stripe = new Stripe(getStripeSecretKey(), {
+			apiVersion: '2022-08-01'
+		});
 
-		if (STRIPE_SECRET_KEY) {
+		if (getStripeSecretKey()) {
 			const customer = await stripe.customers.create({
 				email,
 				description: name
@@ -87,6 +81,16 @@ const initSubscriptionOrg = async ({
 		if (organization) {
 			if (organization.customerId) {
 				// initialize starter subscription with quantity of 0
+				const stripe = new Stripe(getStripeSecretKey(), {
+					apiVersion: '2022-08-01'
+				});
+
+				const productToPriceMap = {
+					starter: getStripeProductStarter(),
+					team: getStripeProductTeam(),
+					pro: getStripeProductPro()
+				};
+
 				stripeSubscription = await stripe.subscriptions.create({
 					customer: organization.customerId,
 					items: [
@@ -139,6 +143,10 @@ const updateSubscriptionOrgQuantity = async ({
 				status: ACCEPTED
 			});
 
+			const stripe = new Stripe(getStripeSecretKey(), {
+				apiVersion: '2022-08-01'
+			});
+
 			const subscription = (
 				await stripe.subscriptions.list({
 					customer: organization.customerId
@@ -167,4 +175,4 @@ export {
 	createOrganization,
 	initSubscriptionOrg,
 	updateSubscriptionOrgQuantity
-};
+};

backend/src/helpers/secret.ts

@@ -267,7 +267,7 @@ const v1PushSecrets = async ({
 
 		if (toAdd.length > 0) {
 			// add secrets
-			const newSecrets = await Secret.insertMany(
+			const newSecrets: ISecret[] = (await Secret.insertMany(
 				toAdd.map((s, idx) => {
 					const obj: any = {
 						version: 1,
@@ -294,7 +294,7 @@ const v1PushSecrets = async ({
 
 					return obj;
 				})
-			);
+			)).map((insertedSecret) => insertedSecret.toObject());
 
 			// (EE) add secret versions for new secrets
 			EESecretService.addSecretVersions({

backend/src/helpers/signup.ts

@@ -1,13 +1,11 @@
 import * as Sentry from '@sentry/node';
-import crypto from 'crypto';
-import { Token, IToken, IUser } from '../models';
+import { IUser } from '../models';
 import { createOrganization } from './organization';
 import { addMembershipsOrg } from './membershipOrg';
-import { createWorkspace } from './workspace';
-import { addMemberships } from './membership';
-import { OWNER, ADMIN, ACCEPTED } from '../variables';
+import { OWNER, ACCEPTED } from '../variables';
 import { sendMail } from '../helpers/nodemailer';
-import { EMAIL_TOKEN_LIFETIME } from '../config';
+import { TokenService } from '../services';
+import { TOKEN_EMAIL_CONFIRMATION } from '../variables';
 
 /**
  * Send magic link to verify email to [email]
@@ -15,22 +13,13 @@ import { EMAIL_TOKEN_LIFETIME } from '../config';
  * @param {Object} obj
  * @param {String} obj.email - email
  * @returns {Boolean} success - whether or not operation was successful
- *
  */
 const sendEmailVerification = async ({ email }: { email: string }) => {
 	try {
-		const token = String(crypto.randomInt(Math.pow(10, 5), Math.pow(10, 6) - 1));
-
-		await Token.findOneAndUpdate(
-			{ email },
-			{
-				email,
-				token,
-				createdAt: new Date(),
-				ttl: Math.floor(+new Date() / 1000) + EMAIL_TOKEN_LIFETIME // time in seconds, i.e unix
-			},
-			{ upsert: true, new: true }
-		);
+		const token = await TokenService.createToken({
+			type: TOKEN_EMAIL_CONFIRMATION,
+			email
+		});
 
 		// send mail
 		await sendMail({
@@ -64,21 +53,11 @@ const checkEmailVerification = async ({
 	code: string;
 }) => {
 	try {
-		const token = await Token.findOne({
+		await TokenService.validateToken({
+			type: TOKEN_EMAIL_CONFIRMATION,
 			email,
 			token: code
 		});
-
-		if (token && Math.floor(Date.now() / 1000) > token.ttl) {
-			await Token.deleteOne({
-				email,
-				token: code
-			});
-
-			throw new Error('Verification token has expired')
-		}
-
-		if (!token) throw new Error('Failed to find email verification token');
 	} catch (err) {
 		Sentry.setUser(null);
 		Sentry.captureException(err);
@@ -114,18 +93,6 @@ const initializeDefaultOrg = async ({
 			roles: [OWNER],
 			statuses: [ACCEPTED]
 		});
-
-		// initialize a default workspace inside the new organization
-		const workspace = await createWorkspace({
-			name: `Example Project`,
-			organizationId: organization._id.toString()
-		});
-
-		await addMemberships({
-			userIds: [user._id.toString()],
-			workspaceId: workspace._id.toString(),
-			roles: [ADMIN]
-		});
 	} catch (err) {
 		throw new Error(`Failed to initialize default organization and workspace [err=${err}]`);
 	}

backend/src/helpers/token.ts

@@ -0,0 +1,215 @@
+import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
+import { TokenData } from '../models';
+import crypto from 'crypto';
+import bcrypt from 'bcrypt';
+import {
+    TOKEN_EMAIL_CONFIRMATION,
+    TOKEN_EMAIL_MFA,
+    TOKEN_EMAIL_ORG_INVITATION,
+    TOKEN_EMAIL_PASSWORD_RESET
+} from '../variables';
+import { UnauthorizedRequestError } from '../utils/errors';
+import { getSaltRounds } from '../config';
+
+/**
+ * Create and store a token in the database for purpose [type]
+ * @param {Object} obj
+ * @param {String} obj.type
+ * @param {String} obj.email
+ * @param {String} obj.phoneNumber
+ * @param {Types.ObjectId} obj.organizationId
+ * @returns {String} token - the created token
+ */
+const createTokenHelper = async ({
+    type,
+    email,
+    phoneNumber,
+    organizationId
+}: {
+    type: 'emailConfirmation' | 'emailMfa' | 'organizationInvitation' | 'passwordReset';
+    email?: string;
+    phoneNumber?: string;
+    organizationId?: Types.ObjectId
+}) => {
+    let token, expiresAt, triesLeft;
+    try {
+        // generate random token based on specified token use-case
+        // type [type]
+        switch (type) {
+            case TOKEN_EMAIL_CONFIRMATION:
+                // generate random 6-digit code
+                token = String(crypto.randomInt(Math.pow(10, 5), Math.pow(10, 6) - 1));
+                expiresAt = new Date((new Date()).getTime() + 86400000);
+                break;
+            case TOKEN_EMAIL_MFA:
+                // generate random 6-digit code
+                token = String(crypto.randomInt(Math.pow(10, 5), Math.pow(10, 6) - 1));
+                triesLeft = 5;
+                expiresAt = new Date((new Date()).getTime() + 300000);
+                break;
+            case TOKEN_EMAIL_ORG_INVITATION:
+                // generate random hex
+                token = crypto.randomBytes(16).toString('hex');
+                expiresAt = new Date((new Date()).getTime() + 259200000);
+                break;
+            case TOKEN_EMAIL_PASSWORD_RESET:
+                // generate random hex
+                token = crypto.randomBytes(16).toString('hex');
+                expiresAt = new Date((new Date()).getTime() + 86400000); 
+                break;
+            default:
+                token = crypto.randomBytes(16).toString('hex');
+                expiresAt = new Date();
+                break;
+        }
+        
+       interface TokenDataQuery {
+            type: string;
+            email?: string;
+            phoneNumber?: string;
+            organization?: Types.ObjectId;
+        }
+        
+        interface TokenDataUpdate {
+            type: string;
+            email?: string;
+            phoneNumber?: string;
+            organization?: Types.ObjectId;
+            tokenHash: string;
+            triesLeft?: number;
+            expiresAt: Date;
+        }
+
+        const query: TokenDataQuery = { type };
+        const update: TokenDataUpdate = {
+            type,
+            tokenHash: await bcrypt.hash(token, getSaltRounds()),
+            expiresAt
+        }
+
+        if (email) {
+            query.email = email; 
+            update.email = email; 
+        }
+        if (phoneNumber) { 
+            query.phoneNumber = phoneNumber; 
+            update.phoneNumber = phoneNumber; 
+        }
+        if (organizationId) { 
+            query.organization = organizationId 
+            update.organization = organizationId 
+        } 
+        
+        if (triesLeft) {
+            update.triesLeft = triesLeft;
+        }
+       
+        await TokenData.findOneAndUpdate(
+            query,
+            update,
+            {
+                new: true,
+                upsert: true
+            }
+        );
+    } catch (err) {
+        Sentry.setUser(null);
+        Sentry.captureException(err);
+        throw new Error(
+            "Failed to create token"
+        ); 
+    }
+    
+    return token;
+}
+
+/**
+ * 
+ * @param {Object} obj
+ * @param {String} obj.email - email associated with the token
+ * @param {String} obj.token - value of the token
+ */
+const validateTokenHelper = async ({
+    type,
+    email,
+    phoneNumber,
+    organizationId,
+    token
+}: {
+    type: 'emailConfirmation' | 'emailMfa' | 'organizationInvitation' | 'passwordReset';
+    email?: string;
+    phoneNumber?: string;
+    organizationId?: Types.ObjectId;
+    token: string;
+}) => {
+    interface Query {
+        type: string;
+        email?: string;
+        phoneNumber?: string;
+        organization?: Types.ObjectId;
+    }
+
+    const query: Query = { type };
+
+    if (email) { query.email = email; }
+    if (phoneNumber) { query.phoneNumber = phoneNumber; }
+    if (organizationId) { query.organization = organizationId; }
+
+    const tokenData = await TokenData.findOne(query).select('+tokenHash');
+    
+    if (!tokenData) throw new Error('Failed to find token to validate');
+    
+    if (tokenData.expiresAt < new Date()) {
+        // case: token expired
+        await TokenData.findByIdAndDelete(tokenData._id);
+        throw UnauthorizedRequestError({
+            message: 'MFA session expired. Please log in again',
+            context: {
+                code: 'mfa_expired'
+            }
+        });
+    }
+
+    const isValid = await bcrypt.compare(token, tokenData.tokenHash);
+    if (!isValid) {
+        // case: token is not valid
+        if (tokenData?.triesLeft !== undefined) {
+            // case: token has a try-limit
+            if (tokenData.triesLeft === 1) {
+                // case: token is out of tries
+                await TokenData.findByIdAndDelete(tokenData._id);
+            } else {
+                // case: token has more than 1 try left
+                await TokenData.findByIdAndUpdate(tokenData._id, {
+                    triesLeft: tokenData.triesLeft - 1
+                }, {
+                    new: true
+                });
+            }
+
+            throw UnauthorizedRequestError({
+                message: 'MFA code is invalid',
+                context: {
+                    code: 'mfa_invalid',
+                    triesLeft: tokenData.triesLeft - 1
+                }
+            });
+        }
+
+        throw UnauthorizedRequestError({
+            message: 'MFA code is invalid',
+            context: {
+                code: 'mfa_invalid'
+            }
+        });
+    }
+
+    // case: token is valid
+    await TokenData.findByIdAndDelete(tokenData._id);
+}
+
+export {
+    createTokenHelper,
+    validateTokenHelper
+}

backend/src/helpers/user.ts

@@ -1,5 +1,6 @@
 import * as Sentry from '@sentry/node';
-import { User, IUser } from '../models';
+import { IUser, User } from '../models';
+import { sendMail } from './nodemailer';
 
 /**
  * Initialize a user under email [email]
@@ -28,10 +29,14 @@ const setupAccount = async ({ email }: { email: string }) => {
  * @param {String} obj.userId - id of user to finish setting up
  * @param {String} obj.firstName - first name of user
  * @param {String} obj.lastName - last name of user
+ * @param {Number} obj.encryptionVersion - version of auth encryption scheme used
+ * @param {String} obj.protectedKey - protected key in encryption version 2
+ * @param {String} obj.protectedKeyIV - IV of protected key in encryption version 2
+ * @param {String} obj.protectedKeyTag - tag of protected key in encryption version 2
  * @param {String} obj.publicKey - publickey of user
  * @param {String} obj.encryptedPrivateKey - (encrypted) private key of user
- * @param {String} obj.iv - iv for (encrypted) private key of user
- * @param {String} obj.tag - tag for (encrypted) private key of user
+ * @param {String} obj.encryptedPrivateKeyIV - iv for (encrypted) private key of user
+ * @param {String} obj.encryptedPrivateKeyTag - tag for (encrypted) private key of user
  * @param {String} obj.salt - salt for auth SRP
  * @param {String} obj.verifier - verifier for auth SRP
  * @returns {Object} user - the completed user
@@ -40,20 +45,28 @@ const completeAccount = async ({
 	userId,
 	firstName,
 	lastName,
+	encryptionVersion,
+	protectedKey,
+	protectedKeyIV,
+	protectedKeyTag,
 	publicKey,
 	encryptedPrivateKey,
-	iv,
-	tag,
+	encryptedPrivateKeyIV,
+	encryptedPrivateKeyTag,
 	salt,
 	verifier
 }: {
 	userId: string;
 	firstName: string;
 	lastName: string;
+	encryptionVersion: number;
+	protectedKey: string;
+	protectedKeyIV: string;
+	protectedKeyTag: string;
 	publicKey: string;
 	encryptedPrivateKey: string;
-	iv: string;
-	tag: string;
+	encryptedPrivateKeyIV: string;
+	encryptedPrivateKeyTag: string;
 	salt: string;
 	verifier: string;
 }) => {
@@ -67,10 +80,14 @@ const completeAccount = async ({
 			{
 				firstName,
 				lastName,
+				encryptionVersion,
+				protectedKey,
+				protectedKeyIV,
+				protectedKeyTag,
 				publicKey,
 				encryptedPrivateKey,
-				iv,
-				tag,
+				iv: encryptedPrivateKeyIV,
+				tag: encryptedPrivateKeyTag,
 				salt,
 				verifier
 			},
@@ -85,4 +102,48 @@ const completeAccount = async ({
 	return user;
 };
 
-export { setupAccount, completeAccount };
+/**
+ * Check if device with ip [ip] and user-agent [userAgent] has been seen for user [user].
+ * If the device is unseen, then notify the user of the new device
+ * @param {Object} obj
+ * @param {String} obj.ip - login ip address
+ * @param {String} obj.userAgent - login user-agent
+ */
+const checkUserDevice = async ({
+	user,
+	ip,
+	userAgent
+}: {
+	user: IUser;
+	ip: string;
+	userAgent: string;
+}) => {
+	const isDeviceSeen = user.devices.some((device) => device.ip === ip && device.userAgent === userAgent);
+		
+	if (!isDeviceSeen) {
+		// case: unseen login ip detected for user
+		// -> notify user about the sign-in from new ip 
+		
+		user.devices = user.devices.concat([{
+			ip: String(ip),
+			userAgent
+		}]);
+		
+		await user.save();
+
+		// send MFA code [code] to [email]
+		await sendMail({
+			template: 'newDevice.handlebars',
+			subjectLine: `Successful login from new device`,
+			recipients: [user.email],
+			substitutions: {
+				email: user.email,
+				timestamp: new Date().toString(),
+				ip,
+				userAgent
+			}
+		}); 
+	}
+}
+
+export { setupAccount, completeAccount, checkUserDevice };

backend/src/index.ts

@@ -1,28 +1,185 @@
+import mongoose from 'mongoose';
 import dotenv from 'dotenv';
 dotenv.config();
-
+import infisical from 'infisical-node';
+import express from 'express';
+import helmet from 'helmet';
+import cors from 'cors';
 import * as Sentry from '@sentry/node';
-import { SENTRY_DSN, NODE_ENV, MONGO_URL } from './config';
-import { server } from './app';
 import { DatabaseService } from './services';
 import { setUpHealthEndpoint } from './services/health';
 import { initSmtp } from './services/smtp';
+import { logTelemetryMessage } from './services';
 import { setTransporter } from './helpers/nodemailer';
 import { createTestUserForDevelopment } from './utils/addDevelopmentUser';
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const { patchRouterParam } = require('./utils/patchAsyncRoutes');
 
-DatabaseService.initDatabase(MONGO_URL);
+import cookieParser from 'cookie-parser';
+import swaggerUi = require('swagger-ui-express');
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const swaggerFile = require('../spec.json');
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const requestIp = require('request-ip');
+import { apiLimiter } from './helpers/rateLimiter';
+import {
+    workspace as eeWorkspaceRouter,
+    secret as eeSecretRouter,
+    secretSnapshot as eeSecretSnapshotRouter,
+    action as eeActionRouter
+} from './ee/routes/v1';
+import {
+    signup as v1SignupRouter,
+    auth as v1AuthRouter,
+    bot as v1BotRouter,
+    organization as v1OrganizationRouter,
+    workspace as v1WorkspaceRouter,
+    membershipOrg as v1MembershipOrgRouter,
+    membership as v1MembershipRouter,
+    key as v1KeyRouter,
+    inviteOrg as v1InviteOrgRouter,
+    user as v1UserRouter,
+    userAction as v1UserActionRouter,
+    secret as v1SecretRouter,
+    serviceToken as v1ServiceTokenRouter,
+    password as v1PasswordRouter,
+    stripe as v1StripeRouter,
+    integration as v1IntegrationRouter,
+    integrationAuth as v1IntegrationAuthRouter,
+    secretsFolder as v1SecretsFolder
+} from './routes/v1';
+import {
+    signup as v2SignupRouter,
+    auth as v2AuthRouter,
+    users as v2UsersRouter,
+    organizations as v2OrganizationsRouter,
+    workspace as v2WorkspaceRouter,
+    secret as v2SecretRouter, // begin to phase out
+    secrets as v2SecretsRouter,
+    serviceTokenData as v2ServiceTokenDataRouter,
+    apiKeyData as v2APIKeyDataRouter,
+    environment as v2EnvironmentRouter,
+    tags as v2TagsRouter,
+} from './routes/v2';
+import { healthCheck } from './routes/status';
+import { getLogger } from './utils/logger';
+import { RouteNotFoundError } from './utils/errors';
+import { requestErrorHandler } from './middleware/requestErrorHandler';
+import {
+    getMongoURL,
+    getNodeEnv,
+    getPort,
+    getSentryDSN,
+    getSiteURL
+} from './config';
 
-setUpHealthEndpoint(server);
+const main = async () => {
+    if (process.env.INFISICAL_TOKEN != "" || process.env.INFISICAL_TOKEN != undefined) {
+        await infisical.connect({
+            token: process.env.INFISICAL_TOKEN!
+        });
+    }
 
-setTransporter(initSmtp());
+    logTelemetryMessage();
+    setTransporter(initSmtp());
 
-if (NODE_ENV !== 'test') {
-  Sentry.init({
-    dsn: SENTRY_DSN,
-    tracesSampleRate: 1.0,
-    debug: NODE_ENV === 'production' ? false : true,
-    environment: NODE_ENV
-  });
+    await DatabaseService.initDatabase(getMongoURL());
+    if (getNodeEnv() !== 'test') {
+        Sentry.init({
+            dsn: getSentryDSN(),
+            tracesSampleRate: 1.0,
+            debug: getNodeEnv() === 'production' ? false : true,
+            environment: getNodeEnv()
+        });
+    }
+
+    patchRouterParam();
+    const app = express();
+    app.enable('trust proxy');
+    app.use(express.json());
+    app.use(cookieParser());
+    app.use(
+        cors({
+            credentials: true,
+            origin: getSiteURL()
+        })
+    );
+
+    app.use(requestIp.mw());
+
+    if (getNodeEnv() === 'production') {
+        // enable app-wide rate-limiting + helmet security
+        // in production
+        app.disable('x-powered-by');
+        app.use(apiLimiter);
+        app.use(helmet());
+    }
+
+    // (EE) routes
+    app.use('/api/v1/secret', eeSecretRouter);
+    app.use('/api/v1/secret-snapshot', eeSecretSnapshotRouter);
+    app.use('/api/v1/workspace', eeWorkspaceRouter);
+    app.use('/api/v1/action', eeActionRouter);
+
+    // v1 routes
+    app.use('/api/v1/signup', v1SignupRouter);
+    app.use('/api/v1/auth', v1AuthRouter);
+    app.use('/api/v1/bot', v1BotRouter);
+    app.use('/api/v1/user', v1UserRouter);
+    app.use('/api/v1/user-action', v1UserActionRouter);
+    app.use('/api/v1/organization', v1OrganizationRouter);
+    app.use('/api/v1/workspace', v1WorkspaceRouter);
+    app.use('/api/v1/membership-org', v1MembershipOrgRouter);
+    app.use('/api/v1/membership', v1MembershipRouter);
+    app.use('/api/v1/key', v1KeyRouter);
+    app.use('/api/v1/invite-org', v1InviteOrgRouter);
+    app.use('/api/v1/secret', v1SecretRouter);
+    app.use('/api/v1/service-token', v1ServiceTokenRouter); // deprecated
+    app.use('/api/v1/password', v1PasswordRouter);
+    app.use('/api/v1/stripe', v1StripeRouter);
+    app.use('/api/v1/integration', v1IntegrationRouter);
+    app.use('/api/v1/integration-auth', v1IntegrationAuthRouter);
+    app.use('/api/v1/folder', v1SecretsFolder)
+
+    // v2 routes
+    app.use('/api/v2/signup', v2SignupRouter);
+    app.use('/api/v2/auth', v2AuthRouter);
+    app.use('/api/v2/users', v2UsersRouter);
+    app.use('/api/v2/organizations', v2OrganizationsRouter);
+    app.use('/api/v2/workspace', v2EnvironmentRouter);
+    app.use('/api/v2/workspace', v2TagsRouter);
+    app.use('/api/v2/workspace', v2WorkspaceRouter);
+    app.use('/api/v2/secret', v2SecretRouter); // deprecated
+    app.use('/api/v2/secrets', v2SecretsRouter);
+    app.use('/api/v2/service-token', v2ServiceTokenDataRouter); // TODO: turn into plural route
+    app.use('/api/v2/api-key', v2APIKeyDataRouter);
+
+    // api docs 
+    app.use('/api-docs', swaggerUi.serve, swaggerUi.setup(swaggerFile))
+
+    // Server status
+    app.use('/api', healthCheck)
+
+    //* Handle unrouted requests and respond with proper error message as well as status code
+    app.use((req, res, next) => {
+        if (res.headersSent) return next();
+        next(RouteNotFoundError({ message: `The requested source '(${req.method})${req.url}' was not found` }))
+    })
+
+    app.use(requestErrorHandler)
+
+    const server = app.listen(getPort(), () => {
+        getLogger("backend-main").info(`Server started listening at port ${getPort()}`)
+    });
+
+    createTestUserForDevelopment();
+    setUpHealthEndpoint(server);
+
+    server.on('close', async () => {
+        await DatabaseService.closeDatabase();
+    })
+
+    return server;
 }
 
-createTestUserForDevelopment()
+export default main();

backend/src/integrations/apps.ts

@@ -1,7 +1,7 @@
-import axios from "axios";
 import * as Sentry from "@sentry/node";
 import { Octokit } from "@octokit/rest";
 import { IIntegrationAuth } from "../models";
+import request from '../config/request';
 import {
   INTEGRATION_AZURE_KEY_VAULT,
   INTEGRATION_AWS_PARAMETER_STORE,
@@ -10,39 +10,47 @@ import {
   INTEGRATION_VERCEL,
   INTEGRATION_NETLIFY,
   INTEGRATION_GITHUB,
+  INTEGRATION_GITLAB,
   INTEGRATION_RENDER,
   INTEGRATION_FLYIO,
   INTEGRATION_CIRCLECI,
+  INTEGRATION_TRAVISCI,
   INTEGRATION_HEROKU_API_URL,
+  INTEGRATION_GITLAB_API_URL,
   INTEGRATION_VERCEL_API_URL,
   INTEGRATION_NETLIFY_API_URL,
   INTEGRATION_RENDER_API_URL,
   INTEGRATION_FLYIO_API_URL,
   INTEGRATION_CIRCLECI_API_URL,
+  INTEGRATION_TRAVISCI_API_URL,
 } from "../variables";
 
+interface App {
+  name: string;
+  appId?: string;
+  owner?: string;
+}
+
 /**
  * Return list of names of apps for integration named [integration]
  * @param {Object} obj
  * @param {String} obj.integration - name of integration
  * @param {String} obj.accessToken - access token for integration
+ * @param {String} obj.teamId - (optional) id of team for getting integration apps (used for integrations like GitLab)
  * @returns {Object[]} apps - names of integration apps
  * @returns {String} apps.name - name of integration app
  */
 const getApps = async ({
   integrationAuth,
   accessToken,
+  teamId
 }: {
   integrationAuth: IIntegrationAuth;
   accessToken: string;
+  teamId?: string;
 }) => {
-  interface App {
-    name: string;
-    appId?: string;
-    owner?: string;
-  }
 
-  let apps: App[];
+  let apps: App[] = [];
   try {
     switch (integrationAuth.integration) {
       case INTEGRATION_AZURE_KEY_VAULT:
@@ -75,6 +83,12 @@ const getApps = async ({
           accessToken,
         });
         break;
+      case INTEGRATION_GITLAB:
+        apps = await getAppsGitlab({
+          accessToken,
+          teamId
+        });
+        break;
       case INTEGRATION_RENDER:
         apps = await getAppsRender({
           accessToken,
@@ -90,6 +104,11 @@ const getApps = async ({
           accessToken,
         });
         break;
+      case INTEGRATION_TRAVISCI:
+        apps = await getAppsTravisCI({
+          accessToken,
+        })
+        break;
     }
   } catch (err) {
     Sentry.setUser(null);
@@ -111,7 +130,7 @@ const getAppsHeroku = async ({ accessToken }: { accessToken: string }) => {
   let apps;
   try {
     const res = (
-      await axios.get(`${INTEGRATION_HEROKU_API_URL}/apps`, {
+      await request.get(`${INTEGRATION_HEROKU_API_URL}/apps`, {
         headers: {
           Accept: "application/vnd.heroku+json; version=3",
           Authorization: `Bearer ${accessToken}`,
@@ -148,7 +167,7 @@ const getAppsVercel = async ({
   let apps;
   try {
     const res = (
-      await axios.get(`${INTEGRATION_VERCEL_API_URL}/v9/projects`, {
+      await request.get(`${INTEGRATION_VERCEL_API_URL}/v9/projects`, {
         headers: {
           Authorization: `Bearer ${accessToken}`,
           'Accept-Encoding': 'application/json'
@@ -183,21 +202,40 @@ const getAppsVercel = async ({
  * @returns {String} apps.name - name of Netlify site
  */
 const getAppsNetlify = async ({ accessToken }: { accessToken: string }) => {
-  let apps;
+  const apps: any = [];
   try {
-    const res = (
-      await axios.get(`${INTEGRATION_NETLIFY_API_URL}/api/v1/sites`, {
+    let page = 1;
+    const perPage = 10;
+    let hasMorePages = true;
+    
+    // paginate through all sites
+    while (hasMorePages) {
+      const params = new URLSearchParams({
+        page: String(page),
+        per_page: String(perPage)
+      });
+
+      const { data } = await request.get(`${INTEGRATION_NETLIFY_API_URL}/api/v1/sites`, {
+        params,
         headers: {
           Authorization: `Bearer ${accessToken}`,
           'Accept-Encoding': 'application/json'
         }
-      })
-    ).data;
+      });
+      
+      data.map((a: any) => {
+        apps.push({
+          name: a.name,
+          appId: a.site_id
+        });
+      });
+      
+      if (data.length < perPage) {
+        hasMorePages = false;
+      }
 
-    apps = res.map((a: any) => ({
-      name: a.name,
-      appId: a.site_id,
-    }));
+      page++;
+    }
   } catch (err) {
     Sentry.setUser(null);
     Sentry.captureException(err);
@@ -210,9 +248,9 @@ const getAppsNetlify = async ({ accessToken }: { accessToken: string }) => {
 /**
  * Return list of repositories for Github integration
  * @param {Object} obj
- * @param {String} obj.accessToken - access token for Netlify API
- * @returns {Object[]} apps - names of Netlify sites
- * @returns {String} apps.name - name of Netlify site
+ * @param {String} obj.accessToken - access token for Github API
+ * @returns {Object[]} apps - names of Github sites
+ * @returns {String} apps.name - name of Github site
  */
 const getAppsGithub = async ({ accessToken }: { accessToken: string }) => {
   let apps;
@@ -257,7 +295,7 @@ const getAppsRender = async ({ accessToken }: { accessToken: string }) => {
   let apps: any;
   try {
     const res = (
-      await axios.get(`${INTEGRATION_RENDER_API_URL}/v1/services`, {
+      await request.get(`${INTEGRATION_RENDER_API_URL}/v1/services`, {
         headers: {
           Authorization: `Bearer ${accessToken}`,
           Accept: 'application/json',
@@ -303,23 +341,18 @@ const getAppsFlyio = async ({ accessToken }: { accessToken: string }) => {
       }
     `;
 
-    const res = (
-      await axios({
-        url: INTEGRATION_FLYIO_API_URL,
-        method: "post",
-        headers: {
-          Authorization: "Bearer " + accessToken,
+    const res = (await request.post(INTEGRATION_FLYIO_API_URL, {
+      query,
+      variables: {
+        role: null,
+      },
+    }, {
+      headers: {
+        Authorization: "Bearer " + accessToken,
         'Accept': 'application/json',
         'Accept-Encoding': 'application/json',
-        },
-        data: {
-          query,
-          variables: {
-            role: null,
-          },
-        },
-      })
-    ).data.data.apps.nodes;
+      },
+    })).data.data.apps.nodes;
 
     apps = res.map((a: any) => ({
       name: a.name,
@@ -344,7 +377,7 @@ const getAppsCircleCI = async ({ accessToken }: { accessToken: string }) => {
   let apps: any;
   try {    
     const res = (
-      await axios.get(
+      await request.get(
         `${INTEGRATION_CIRCLECI_API_URL}/v1.1/projects`,
         {
           headers: {
@@ -369,4 +402,147 @@ const getAppsCircleCI = async ({ accessToken }: { accessToken: string }) => {
   return apps;
 };
 
+const getAppsTravisCI = async ({ accessToken }: { accessToken: string }) => {
+  let apps: any;
+  try {
+    const res = (
+      await request.get(
+        `${INTEGRATION_TRAVISCI_API_URL}/repos`,
+        {
+          headers: {
+            "Authorization": `token ${accessToken}`,
+            "Accept-Encoding": "application/json",
+          },
+        }
+      )
+    ).data;
+
+    apps = res?.map((a: any) => {
+      return {
+        name: a?.slug?.split("/")[1],
+        appId: a?.id,
+      }
+    });
+  }catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error("Failed to get TravisCI projects");
+  }
+  
+  return apps;
+}
+
+/**
+ * Return list of repositories for GitLab integration
+ * @param {Object} obj
+ * @param {String} obj.accessToken - access token for GitLab API
+ * @returns {Object[]} apps - names of GitLab sites
+ * @returns {String} apps.name - name of GitLab site
+ */
+const getAppsGitlab = async ({ 
+  accessToken,
+  teamId
+}: {
+  accessToken: string;
+  teamId?: string;
+}) => {
+  const apps: App[] = [];
+  
+  let page = 1;
+  const perPage = 10;
+  let hasMorePages = true;
+  try {
+
+    if (teamId) {
+      // case: fetch projects for group with id [teamId] in GitLab
+      
+      while (hasMorePages) {
+        const params = new URLSearchParams({
+          page: String(page),
+          per_page: String(perPage)
+        });
+
+        const { data } = (
+          await request.get(
+            `${INTEGRATION_GITLAB_API_URL}/v4/groups/${teamId}/projects`,
+            {
+              params,
+              headers: {
+                "Authorization": `Bearer ${accessToken}`,
+                "Accept-Encoding": "application/json",
+              },
+            }
+          )
+        );
+
+        data.map((a: any) => {
+          apps.push({
+            name: a.name,
+            appId: a.id
+          });
+        });
+        
+        if (data.length < perPage) {
+          hasMorePages = false;
+        }
+        
+        page++;
+      }
+    } else {
+      // case: fetch projects for individual in GitLab
+      
+      const { id } = (
+        await request.get(
+          `${INTEGRATION_GITLAB_API_URL}/v4/user`,
+          {
+            headers: {
+              "Authorization": `Bearer ${accessToken}`,
+              "Accept-Encoding": "application/json",
+            },
+          }
+        )
+      ).data;
+      
+      while (hasMorePages) {
+        const params = new URLSearchParams({
+          page: String(page),
+          per_page: String(perPage)
+        });
+
+        const { data } = (
+          await request.get(
+            `${INTEGRATION_GITLAB_API_URL}/v4/users/${id}/projects`,
+            {
+              params,
+              headers: {
+                "Authorization": `Bearer ${accessToken}`,
+                "Accept-Encoding": "application/json",
+              },
+            }
+          )
+        );
+
+        data.map((a: any) => {
+          apps.push({
+            name: a.name,
+            appId: a.id
+          });
+        });
+
+        if (data.length < perPage) {
+          hasMorePages = false;
+        }
+        
+        page++;
+      }
+    }
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error("Failed to get GitLab projects");
+  }
+  
+  return apps;
+}
+
 export { getApps };

backend/src/integrations/exchange.ts

@@ -1,28 +1,32 @@
-import axios from 'axios';
 import * as Sentry from '@sentry/node';
+import request from '../config/request';
 import {
   INTEGRATION_AZURE_KEY_VAULT,
   INTEGRATION_HEROKU,
   INTEGRATION_VERCEL,
   INTEGRATION_NETLIFY,
   INTEGRATION_GITHUB,
+  INTEGRATION_GITLAB,
   INTEGRATION_AZURE_TOKEN_URL,
   INTEGRATION_HEROKU_TOKEN_URL,
   INTEGRATION_VERCEL_TOKEN_URL,
   INTEGRATION_NETLIFY_TOKEN_URL,
-  INTEGRATION_GITHUB_TOKEN_URL
+  INTEGRATION_GITHUB_TOKEN_URL,
+  INTEGRATION_GITLAB_TOKEN_URL
 } from '../variables';
 import {
-  SITE_URL,
-  CLIENT_ID_AZURE,
-  CLIENT_ID_VERCEL,
-  CLIENT_ID_NETLIFY,
-  CLIENT_ID_GITHUB,
-  CLIENT_SECRET_AZURE,
-  CLIENT_SECRET_HEROKU,
-  CLIENT_SECRET_VERCEL,
-  CLIENT_SECRET_NETLIFY,
-  CLIENT_SECRET_GITHUB
+  getSiteURL,
+  getClientIdAzure,
+  getClientSecretAzure,
+  getClientSecretHeroku,
+  getClientIdVercel,
+  getClientSecretVercel,
+  getClientIdNetlify,
+  getClientSecretNetlify,
+  getClientIdGitHub,
+  getClientSecretGitHub,
+  getClientIdGitLab,
+  getClientSecretGitLab
 } from '../config';
 
 interface ExchangeCodeAzureResponse {
@@ -66,6 +70,15 @@ interface ExchangeCodeGithubResponse {
   token_type: string;
 }
 
+interface ExchangeCodeGitlabResponse {
+  access_token: string;
+  token_type: string;
+  expires_in: number;
+  refresh_token: string;
+  scope: string;
+  created_at: number;
+}
+
 /**
  * Return [accessToken], [accessExpiresAt], and [refreshToken] for OAuth2
  * code-token exchange for integration named [integration]
@@ -114,6 +127,10 @@ const exchangeCode = async ({
           code
         });
         break;
+      case INTEGRATION_GITLAB:
+        obj = await exchangeCodeGitlab({
+          code
+        });
     }
   } catch (err) {
     Sentry.setUser(null);
@@ -136,27 +153,27 @@ const exchangeCodeAzure = async ({
   const accessExpiresAt = new Date();
   let res: ExchangeCodeAzureResponse;
   try {
-    res = (await axios.post(
+    res = (await request.post(
       INTEGRATION_AZURE_TOKEN_URL,
-       new URLSearchParams({
+      new URLSearchParams({
         grant_type: 'authorization_code',
         code: code,
         scope: 'https://vault.azure.net/.default openid offline_access',
-        client_id: CLIENT_ID_AZURE,
-        client_secret: CLIENT_SECRET_AZURE,
-        redirect_uri: `${SITE_URL}/integrations/azure-key-vault/oauth2/callback`
+        client_id: getClientIdAzure(),
+        client_secret: getClientSecretAzure(),
+        redirect_uri: `${getSiteURL()}/integrations/azure-key-vault/oauth2/callback`
       } as any)
     )).data;
-    
+
     accessExpiresAt.setSeconds(
-        accessExpiresAt.getSeconds() + res.expires_in
+      accessExpiresAt.getSeconds() + res.expires_in
     );
-  } catch (err: any) {
+  } catch (err) {
     Sentry.setUser(null);
     Sentry.captureException(err);
     throw new Error('Failed OAuth2 code-token exchange with Azure');
   }
-  
+
   return ({
     accessToken: res.access_token,
     refreshToken: res.refresh_token,
@@ -175,36 +192,36 @@ const exchangeCodeAzure = async ({
  * @returns {Date} obj2.accessExpiresAt - date of expiration for access token
  */
 const exchangeCodeHeroku = async ({
-    code
+  code
 }: {
-    code: string;
+  code: string;
 }) => {
-    let res: ExchangeCodeHerokuResponse;
-    const accessExpiresAt = new Date();
-    try {
-        res = (await axios.post(
-            INTEGRATION_HEROKU_TOKEN_URL,
-            new URLSearchParams({
-				grant_type: 'authorization_code',
-				code: code,
-				client_secret: CLIENT_SECRET_HEROKU
-			} as any)
-        )).data;
-        
-        accessExpiresAt.setSeconds(
-            accessExpiresAt.getSeconds() + res.expires_in
-        );
-    } catch (err) {
-        Sentry.setUser(null);
-        Sentry.captureException(err);
-        throw new Error('Failed OAuth2 code-token exchange with Heroku');
-    }
-    
-    return ({
-        accessToken: res.access_token,
-        refreshToken: res.refresh_token,
-        accessExpiresAt
-    });
+  let res: ExchangeCodeHerokuResponse;
+  const accessExpiresAt = new Date();
+  try {
+    res = (await request.post(
+      INTEGRATION_HEROKU_TOKEN_URL,
+      new URLSearchParams({
+        grant_type: 'authorization_code',
+        code: code,
+        client_secret: getClientSecretHeroku()
+      } as any)
+    )).data;
+
+    accessExpiresAt.setSeconds(
+      accessExpiresAt.getSeconds() + res.expires_in
+    );
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed OAuth2 code-token exchange with Heroku');
+  }
+
+  return ({
+    accessToken: res.access_token,
+    refreshToken: res.refresh_token,
+    accessExpiresAt
+  });
 }
 
 /**
@@ -221,20 +238,20 @@ const exchangeCodeVercel = async ({ code }: { code: string }) => {
   let res: ExchangeCodeVercelResponse;
   try {
     res = (
-      await axios.post(
+      await request.post(
         INTEGRATION_VERCEL_TOKEN_URL,
         new URLSearchParams({
           code: code,
-          client_id: CLIENT_ID_VERCEL,
-          client_secret: CLIENT_SECRET_VERCEL,
-          redirect_uri: `${SITE_URL}/integrations/vercel/oauth2/callback`
+          client_id: getClientIdVercel(),
+          client_secret: getClientSecretVercel(),
+          redirect_uri: `${getSiteURL()}/integrations/vercel/oauth2/callback`
         } as any)
       )
     ).data;
   } catch (err) {
     Sentry.setUser(null);
     Sentry.captureException(err);
-    throw new Error('Failed OAuth2 code-token exchange with Vercel');
+    throw new Error(`Failed OAuth2 code-token exchange with Vercel [err=${err}]`);
   }
 
   return {
@@ -260,26 +277,26 @@ const exchangeCodeNetlify = async ({ code }: { code: string }) => {
   let accountId;
   try {
     res = (
-      await axios.post(
+      await request.post(
         INTEGRATION_NETLIFY_TOKEN_URL,
         new URLSearchParams({
           grant_type: 'authorization_code',
           code: code,
-          client_id: CLIENT_ID_NETLIFY,
-          client_secret: CLIENT_SECRET_NETLIFY,
-          redirect_uri: `${SITE_URL}/integrations/netlify/oauth2/callback`
+          client_id: getClientIdNetlify(),
+          client_secret: getClientSecretNetlify(),
+          redirect_uri: `${getSiteURL()}/integrations/netlify/oauth2/callback`
         } as any)
       )
     ).data;
 
-    const res2 = await axios.get('https://api.netlify.com/api/v1/sites', {
+    const res2 = await request.get('https://api.netlify.com/api/v1/sites', {
       headers: {
         Authorization: `Bearer ${res.access_token}`
       }
     });
 
     const res3 = (
-      await axios.get('https://api.netlify.com/api/v1/accounts', {
+      await request.get('https://api.netlify.com/api/v1/accounts', {
         headers: {
           Authorization: `Bearer ${res.access_token}`
         }
@@ -314,12 +331,12 @@ const exchangeCodeGithub = async ({ code }: { code: string }) => {
   let res: ExchangeCodeGithubResponse;
   try {
     res = (
-      await axios.get(INTEGRATION_GITHUB_TOKEN_URL, {
+      await request.get(INTEGRATION_GITHUB_TOKEN_URL, {
         params: {
-          client_id: CLIENT_ID_GITHUB,
-          client_secret: CLIENT_SECRET_GITHUB,
+          client_id: getClientIdGitHub(),
+          client_secret: getClientSecretGitHub(),
           code: code,
-          redirect_uri: `${SITE_URL}/integrations/github/oauth2/callback`
+          redirect_uri: `${getSiteURL()}/integrations/github/oauth2/callback`
         },
         headers: {
           'Accept': 'application/json',
@@ -341,4 +358,53 @@ const exchangeCodeGithub = async ({ code }: { code: string }) => {
   };
 };
 
+/**
+ * Return [accessToken], [accessExpiresAt], and [refreshToken] for Gitlab
+ * code-token exchange
+ * @param {Object} obj1
+ * @param {Object} obj1.code - code for code-token exchange
+ * @returns {Object} obj2
+ * @returns {String} obj2.accessToken - access token for Gitlab API
+ * @returns {String} obj2.refreshToken - refresh token for Gitlab API
+ * @returns {Date} obj2.accessExpiresAt - date of expiration for access token
+ */
+const exchangeCodeGitlab = async ({ code }: { code: string }) => {
+  let res: ExchangeCodeGitlabResponse; 
+  const accessExpiresAt = new Date();
+  
+  try {
+    res = (
+      await request.post(
+        INTEGRATION_GITLAB_TOKEN_URL,
+        new URLSearchParams({
+          grant_type: 'authorization_code',
+          code: code,
+          client_id: getClientIdGitLab(),
+          client_secret: getClientSecretGitLab(),
+          redirect_uri: `${getSiteURL()}/integrations/gitlab/oauth2/callback`
+        } as any),
+        {
+          headers: {
+            "Accept-Encoding": "application/json",
+          }
+        }
+      )
+    ).data;
+    
+    accessExpiresAt.setSeconds(
+      accessExpiresAt.getSeconds() + res.expires_in
+    );
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed OAuth2 code-token exchange with Gitlab');
+  }
+
+  return {
+    accessToken: res.access_token,
+    refreshToken: res.refresh_token,
+    accessExpiresAt
+  };
+}
+
 export { exchangeCode };

backend/src/integrations/index.ts

@@ -1,6 +1,7 @@
 import { exchangeCode } from './exchange';
 import { exchangeRefresh } from './refresh';
 import { getApps } from './apps';
+import { getTeams } from './teams';
 import { syncSecrets } from './sync';
 import { revokeAccess } from './revoke';
 
@@ -8,6 +9,7 @@ export {
     exchangeCode,
     exchangeRefresh,
     getApps,
+    getTeams,
     syncSecrets,
     revokeAccess
 }

backend/src/integrations/refresh.ts

@@ -1,16 +1,29 @@
-import axios from 'axios';
 import * as Sentry from '@sentry/node';
-import { INTEGRATION_AZURE_KEY_VAULT, INTEGRATION_HEROKU } from '../variables';
+import request from '../config/request';
 import {
-  SITE_URL,
-  CLIENT_ID_AZURE,
-  CLIENT_SECRET_AZURE,
-  CLIENT_SECRET_HEROKU
-} from '../config';
+  IIntegrationAuth
+} from '../models';
+import {
+  INTEGRATION_AZURE_KEY_VAULT, 
+  INTEGRATION_HEROKU,
+  INTEGRATION_GITLAB,
+} from '../variables';
 import {
   INTEGRATION_AZURE_TOKEN_URL,
-  INTEGRATION_HEROKU_TOKEN_URL
+  INTEGRATION_HEROKU_TOKEN_URL,
+  INTEGRATION_GITLAB_TOKEN_URL
 } from '../variables';
+import {
+  IntegrationService
+} from '../services';
+import {
+  getSiteURL,
+  getClientIdAzure,
+  getClientSecretAzure,
+  getClientSecretHeroku,
+  getClientIdGitLab,
+  getClientSecretGitLab
+} from '../config';
 
 interface RefreshTokenAzureResponse {
   token_type: string;
@@ -21,6 +34,23 @@ interface RefreshTokenAzureResponse {
   refresh_token: string;
 }
 
+interface RefreshTokenHerokuResponse {
+  access_token: string;
+  expires_in: number;
+  refresh_token: string;
+  token_type: string;
+  user_id: string;
+}
+
+interface RefreshTokenGitLabResponse {
+  token_type: string;
+  scope: string;
+  expires_in: number;
+  access_token: string;
+  refresh_token: string;
+  created_at: number;
+}
+
 /**
  * Return new access token by exchanging refresh token [refreshToken] for integration
  * named [integration]
@@ -29,33 +59,61 @@ interface RefreshTokenAzureResponse {
  * @param {String} obj.refreshToken - refresh token to use to get new access token for Heroku
  */
 const exchangeRefresh = async ({
-  integration,
+  integrationAuth,
   refreshToken
 }: {
-  integration: string;
+  integrationAuth: IIntegrationAuth;
   refreshToken: string;
 }) => {
-  let accessToken;
+  
+  interface TokenDetails {
+    accessToken: string;
+    refreshToken: string;
+    accessExpiresAt: Date;
+  }
+  
+  let tokenDetails: TokenDetails;
   try {
-    switch (integration) {
+    switch (integrationAuth.integration) {
       case INTEGRATION_AZURE_KEY_VAULT:
-        accessToken = await exchangeRefreshAzure({
+        tokenDetails = await exchangeRefreshAzure({
           refreshToken
         });
         break;
       case INTEGRATION_HEROKU:
-        accessToken = await exchangeRefreshHeroku({
+        tokenDetails = await exchangeRefreshHeroku({
           refreshToken
         });
         break;
+      case INTEGRATION_GITLAB:
+        tokenDetails = await exchangeRefreshGitLab({
+          refreshToken
+        });
+        break;
+      default:
+        throw new Error('Failed to exchange token for incompatible integration');
     }
+
+    if (tokenDetails?.accessToken && tokenDetails?.refreshToken && tokenDetails?.accessExpiresAt) {
+      await IntegrationService.setIntegrationAuthAccess({
+        integrationAuthId: integrationAuth._id.toString(),
+        accessId: null,
+        accessToken: tokenDetails.accessToken,
+        accessExpiresAt: tokenDetails.accessExpiresAt
+      });
+
+      await IntegrationService.setIntegrationAuthRefresh({
+        integrationAuthId: integrationAuth._id.toString(),
+        refreshToken: tokenDetails.refreshToken
+      });
+    }
+
+    return tokenDetails.accessToken;
   } catch (err) {
     Sentry.setUser(null);
     Sentry.captureException(err);
     throw new Error('Failed to get new OAuth2 access token');
   }
-
-  return accessToken;
 };
 
 /**
@@ -71,18 +129,27 @@ const exchangeRefreshAzure = async ({
   refreshToken: string;
 }) => {
   try {
-    const res: RefreshTokenAzureResponse = (await axios.post(
+    const accessExpiresAt = new Date();
+    const { data }: { data: RefreshTokenAzureResponse } = await request.post(
       INTEGRATION_AZURE_TOKEN_URL,
        new URLSearchParams({
-        client_id: CLIENT_ID_AZURE,
+        client_id: getClientIdAzure(),
         scope: 'openid offline_access',
         refresh_token: refreshToken,
         grant_type: 'refresh_token',
-        client_secret: CLIENT_SECRET_AZURE
+        client_secret: getClientSecretAzure()
       } as any)
-    )).data;
+    );
     
-    return res.access_token;
+    accessExpiresAt.setSeconds(
+      accessExpiresAt.getSeconds() + data.expires_in
+    );
+
+    return ({
+      accessToken: data.access_token,
+      refreshToken: data.refresh_token,
+      accessExpiresAt
+    });
   } catch (err) {
     Sentry.setUser(null);
     Sentry.captureException(err);
@@ -102,26 +169,84 @@ const exchangeRefreshHeroku = async ({
 }: {
   refreshToken: string;
 }) => {
-  
-  let accessToken;
   try {
-    const res = await axios.post(
+    const accessExpiresAt = new Date();
+    const { 
+      data 
+    }: { 
+      data: RefreshTokenHerokuResponse 
+    } = await request.post(
         INTEGRATION_HEROKU_TOKEN_URL,
         new URLSearchParams({
             grant_type: 'refresh_token',
             refresh_token: refreshToken,
-            client_secret: CLIENT_SECRET_HEROKU
+            client_secret: getClientSecretHeroku()
         } as any)
     );
 
-    accessToken = res.data.access_token;
+    accessExpiresAt.setSeconds(
+      accessExpiresAt.getSeconds() + data.expires_in
+    );
+
+    return ({
+      accessToken: data.access_token,
+      refreshToken: data.refresh_token,
+      accessExpiresAt
+    });
   } catch (err) {
     Sentry.setUser(null);
     Sentry.captureException(err);
     throw new Error('Failed to refresh OAuth2 access token for Heroku');
   }
+};
 
-  return accessToken;
+/**
+ * Return new access token by exchanging refresh token [refreshToken] for the
+ * GitLab integration
+ * @param {Object} obj
+ * @param {String} obj.refreshToken - refresh token to use to get new access token for GitLab
+ * @returns
+ */
+const exchangeRefreshGitLab = async ({
+  refreshToken
+}: {
+  refreshToken: string;
+}) => {
+  try {
+    const accessExpiresAt = new Date();
+    const { 
+      data
+    }: { 
+      data: RefreshTokenGitLabResponse 
+    } = await request.post(
+      INTEGRATION_GITLAB_TOKEN_URL,
+      new URLSearchParams({
+        grant_type: 'refresh_token',
+        refresh_token: refreshToken,
+        client_id: getClientIdGitLab,
+        client_secret: getClientSecretGitLab(),
+        redirect_uri: `${getSiteURL()}/integrations/gitlab/oauth2/callback`
+      } as any),
+      {
+        headers: {
+          "Accept-Encoding": "application/json",
+        }
+      });
+
+    accessExpiresAt.setSeconds(
+      accessExpiresAt.getSeconds() + data.expires_in
+    );
+
+    return ({
+      accessToken: data.access_token,
+      refreshToken: data.refresh_token,
+      accessExpiresAt
+    });
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed to refresh OAuth2 access token for GitLab');
+  }
 };
 
 export { exchangeRefresh };

backend/src/integrations/revoke.ts

@@ -10,7 +10,8 @@ import {
   INTEGRATION_HEROKU,
   INTEGRATION_VERCEL,
   INTEGRATION_NETLIFY,
-  INTEGRATION_GITHUB
+  INTEGRATION_GITHUB,
+  INTEGRATION_GITLAB,
 } from '../variables';
 
 const revokeAccess = async ({
@@ -32,6 +33,8 @@ const revokeAccess = async ({
         break;
       case INTEGRATION_GITHUB:
         break;
+      case INTEGRATION_GITLAB:
+        break;
     }
 
     deletedIntegrationAuth = await IntegrationAuth.findOneAndDelete({

backend/src/integrations/sync.ts

@@ -1,4 +1,3 @@
-import axios from "axios";
 import * as Sentry from "@sentry/node";
 import _ from 'lodash';
 import AWS from 'aws-sdk';
@@ -20,17 +19,21 @@ import {
   INTEGRATION_VERCEL,
   INTEGRATION_NETLIFY,
   INTEGRATION_GITHUB,
+  INTEGRATION_GITLAB,
   INTEGRATION_RENDER,
   INTEGRATION_FLYIO,
   INTEGRATION_CIRCLECI,
+  INTEGRATION_TRAVISCI,
   INTEGRATION_HEROKU_API_URL,
+  INTEGRATION_GITLAB_API_URL,
   INTEGRATION_VERCEL_API_URL,
   INTEGRATION_NETLIFY_API_URL,
   INTEGRATION_RENDER_API_URL,
   INTEGRATION_FLYIO_API_URL,
   INTEGRATION_CIRCLECI_API_URL,
+  INTEGRATION_TRAVISCI_API_URL,
 } from "../variables";
-import { access, appendFile } from "fs";
+import request from '../config/request';
 
 /**
  * Sync/push [secrets] to [app] in integration named [integration]
@@ -109,6 +112,13 @@ const syncSecrets = async ({
           accessToken,
         });
         break;
+      case INTEGRATION_GITLAB:
+        await syncSecretsGitLab({
+          integration,
+          secrets,
+          accessToken,
+        });
+        break;
       case INTEGRATION_RENDER:
         await syncSecretsRender({
           integration,
@@ -129,6 +139,14 @@ const syncSecrets = async ({
           secrets,
           accessToken,
         });
+        break;
+      case INTEGRATION_TRAVISCI:
+        await syncSecretsTravisCI({
+          integration,
+          secrets,
+          accessToken,
+        });
+        break;
     }
   } catch (err) {
     Sentry.setUser(null);
@@ -154,7 +172,6 @@ const syncSecretsAzureKeyVault = async ({
   accessToken: string;
 }) => {
   try {
-
     interface GetAzureKeyVaultSecret {
       id: string; // secret URI
       attributes: {
@@ -177,16 +194,22 @@ const syncSecretsAzureKeyVault = async ({
      */
     const paginateAzureKeyVaultSecrets = async (url: string) => {
       let result: GetAzureKeyVaultSecret[] = [];
-      
-      while (url) {
-        const res = await axios.get(url, {
-          headers: {
-            Authorization: `Bearer ${accessToken}`
-          }
-        });
+      try {
+        while (url) {
+          const res = await request.get(url, {
+            headers: {
+              Authorization: `Bearer ${accessToken}`
+            }
+          });
+          
+          result = result.concat(res.data.value);
+          
+          url = res.data.nextLink;
+        }
         
-        result = result.concat(res.data.value);
-        url = res.data.nextLink;
+      } catch (err) {
+        Sentry.setUser(null);
+        Sentry.captureException(err);
       }
       
       return result;
@@ -200,7 +223,7 @@ const syncSecretsAzureKeyVault = async ({
         lastSlashIndex = getAzureKeyVaultSecret.id.lastIndexOf('/');
       }
       
-      const azureKeyVaultSecret = await axios.get(`${getAzureKeyVaultSecret.id}?api-version=7.3`, {
+      const azureKeyVaultSecret = await request.get(`${getAzureKeyVaultSecret.id}?api-version=7.3`, {
         headers: {
           'Authorization': `Bearer ${accessToken}`
         }
@@ -248,31 +271,75 @@ const syncSecretsAzureKeyVault = async ({
         deleteSecrets.push(res[key]);
       }
     });
+
+    const setSecretAzureKeyVault = async ({
+      key,
+      value,
+      integration,
+      accessToken
+    }: {
+      key: string;
+      value: string;
+      integration: IIntegration;
+      accessToken: string;
+    }) => {
+      let isSecretSet = false;
+      let maxTries = 6;
+      
+      while (!isSecretSet && maxTries > 0) {
+        // try to set secret
+        try {
+          await request.put(
+            `${integration.app}/secrets/${key}?api-version=7.3`,
+            {
+              value
+            },
+            {
+              headers: {
+                Authorization: `Bearer ${accessToken}`
+              }
+            }
+          );
+
+          isSecretSet = true;
+        
+        } catch (err) {
+          const error: any = err;
+          if (error?.response?.data?.error?.innererror?.code === 'ObjectIsDeletedButRecoverable') {
+            await request.post(
+              `${integration.app}/deletedsecrets/${key}/recover?api-version=7.3`, {},
+              {
+                headers: {
+                  Authorization: `Bearer ${accessToken}`
+                }
+              }
+            );
+            await new Promise(resolve => setTimeout(resolve, 10000));
+          } else {
+            await new Promise(resolve => setTimeout(resolve, 10000));
+            maxTries--;
+          }
+        }
+      }
+    }
     
     // Sync/push set secrets
-    if (setSecrets.length > 0) {
-      setSecrets.forEach(async ({ key, value }) => {
-        await axios.put(
-          `${integration.app}/secrets/${key}?api-version=7.3`,
-          {
-            value
-          },
-          {
-            headers: {
-              Authorization: `Bearer ${accessToken}`
-            }
-          }
-        );
+    for await (const setSecret of setSecrets) {
+      const { key, value } = setSecret;
+      setSecretAzureKeyVault({
+        key,
+        value,
+        integration,
+        accessToken
       });
     }
     
-    if (deleteSecrets.length > 0) {
-      deleteSecrets.forEach(async (secret) => {
-        await axios.delete(`${integration.app}/secrets/${secret.key}?api-version=7.3`, {
-          headers: {
-            'Authorization': `Bearer ${accessToken}`
-          }
-        });
+    for await (const deleteSecret of deleteSecrets) {
+      const { key } = deleteSecret;
+      await request.delete(`${integration.app}/secrets/${key}?api-version=7.3`, {
+        headers: {
+          'Authorization': `Bearer ${accessToken}`
+        }
       });
     }
   } catch (err) {
@@ -482,12 +549,13 @@ const syncSecretsHeroku = async ({
 }) => {
   try {
     const herokuSecrets = (
-      await axios.get(
+      await request.get(
         `${INTEGRATION_HEROKU_API_URL}/apps/${integration.app}/config-vars`,
         {
           headers: {
             Accept: "application/vnd.heroku+json; version=3",
             Authorization: `Bearer ${accessToken}`,
+            'Accept-Encoding': 'application/json'
           },
         }
       )
@@ -499,13 +567,14 @@ const syncSecretsHeroku = async ({
       }
     });
 
-    await axios.patch(
+    await request.patch(
       `${INTEGRATION_HEROKU_API_URL}/apps/${integration.app}/config-vars`,
       secrets,
       {
         headers: {
           Accept: "application/vnd.heroku+json; version=3",
           Authorization: `Bearer ${accessToken}`,
+          'Accept-Encoding': 'application/json'
         },
       }
     );
@@ -540,7 +609,7 @@ const syncSecretsVercel = async ({
     value: string;
     target: string[];
   }
-
+  
   try {
     // Get all (decrypted) secrets back from Vercel in
     // decrypted format
@@ -552,39 +621,85 @@ const syncSecretsVercel = async ({
           }
         : {}),
     };
+    
+    // const res = (
+    //   await Promise.all(
+    //     (
+    //       await request.get(
+    //         `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env`,
+    //         {
+    //           params,
+    //           headers: {
+    //               Authorization: `Bearer ${accessToken}`,
+    //               'Accept-Encoding': 'application/json'
+    //           }
+    //       }
+    //   ))
+    //   .data
+    //   .envs
+    //   .filter((secret: VercelSecret) => secret.target.includes(integration.targetEnvironment))
+    //   .map(async (secret: VercelSecret) => {
+    //     if (secret.type === 'encrypted') {
+    //       // case: secret is encrypted -> need to decrypt
+    //       const decryptedSecret = (await request.get(
+    //           `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env/${secret.id}`,
+    //           {
+    //             params,
+    //             headers: {
+    //                 Authorization: `Bearer ${accessToken}`,
+    //                 'Accept-Encoding': 'application/json'
+    //             }
+    //           }
+    //       )).data;
 
-    const res = (
-      await Promise.all(
-        (
-          await axios.get(
-            `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env`,
+    //       return decryptedSecret;
+    //     }
+
+    //     return secret;
+    //   }))).reduce((obj: any, secret: any) => ({
+    //       ...obj,
+    //       [secret.key]: secret
+    //   }), {});
+    
+    const vercelSecrets: VercelSecret[] = (await request.get(
+      `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env`,
+      {
+        params,
+        headers: {
+            Authorization: `Bearer ${accessToken}`,
+            'Accept-Encoding': 'application/json'
+        }
+      }
+    ))
+    .data
+    .envs
+    .filter((secret: VercelSecret) => secret.target.includes(integration.targetEnvironment));
+
+    const res: { [key: string]: VercelSecret } = {};
+
+    for await (const vercelSecret of vercelSecrets) {
+      if (vercelSecret.type === 'encrypted') {
+        // case: secret is encrypted -> need to decrypt
+        const decryptedSecret = (await request.get(
+            `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env/${vercelSecret.id}`,
             {
               params,
               headers: {
-                  Authorization: `Bearer ${accessToken}`
+                  Authorization: `Bearer ${accessToken}`,
+                  'Accept-Encoding': 'application/json'
               }
-          }
-      ))
-      .data
-      .envs
-      .filter((secret: VercelSecret) => secret.target.includes(integration.targetEnvironment))
-      .map(async (secret: VercelSecret) => (await axios.get(
-              `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env/${secret.id}`,
-              {
-                params,
-                headers: {
-                    Authorization: `Bearer ${accessToken}`
-                }
-              }
-          )).data)
-      )).reduce((obj: any, secret: any) => ({
-          ...obj,
-          [secret.key]: secret
-      }), {});
+            }
+        )).data;
 
-      const updateSecrets: VercelSecret[] = [];
-      const deleteSecrets: VercelSecret[] = [];
-      const newSecrets: VercelSecret[] = [];
+        res[vercelSecret.key] = decryptedSecret;
+      } else {
+        res[vercelSecret.key] = vercelSecret;
+      }
+    }
+
+    const updateSecrets: VercelSecret[] = [];
+    const deleteSecrets: VercelSecret[] = [];
+    const newSecrets: VercelSecret[] = [];
 
     // Identify secrets to create
     Object.keys(secrets).map((key) => {
@@ -608,8 +723,10 @@ const syncSecretsVercel = async ({
             id: res[key].id,
             key: key,
             value: secrets[key],
-            type: "encrypted",
-            target: [integration.targetEnvironment],
+            type: res[key].type,
+            target: res[key].target.includes(integration.targetEnvironment) 
+            ? [...res[key].target] 
+            : [...res[key].target, integration.targetEnvironment]
           });
         }
       } else {
@@ -618,7 +735,7 @@ const syncSecretsVercel = async ({
           id: res[key].id,
           key: key,
           value: res[key].value,
-          type: "encrypted",
+          type: "encrypted", // value doesn't matter
           target: [integration.targetEnvironment],
         });
       }
@@ -626,48 +743,47 @@ const syncSecretsVercel = async ({
 
     // Sync/push new secrets
     if (newSecrets.length > 0) {
-      await axios.post(
+      await request.post(
         `${INTEGRATION_VERCEL_API_URL}/v10/projects/${integration.app}/env`,
         newSecrets,
         {
           params,
           headers: {
             Authorization: `Bearer ${accessToken}`,
+            'Accept-Encoding': 'application/json'
           },
         }
       );
     }
-
-    // Sync/push updated secrets
-    if (updateSecrets.length > 0) {
-      updateSecrets.forEach(async (secret: VercelSecret) => {
+  
+    for await (const secret of updateSecrets) {
+      if (secret.type !== 'sensitive') {
         const { id, ...updatedSecret } = secret;
-        await axios.patch(
+        await request.patch(
           `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env/${secret.id}`,
           updatedSecret,
           {
             params,
             headers: {
               Authorization: `Bearer ${accessToken}`,
+              'Accept-Encoding': 'application/json'
             },
           }
         );
-      });
+      } 
     }
 
-    // Delete secrets
-    if (deleteSecrets.length > 0) {
-      deleteSecrets.forEach(async (secret: VercelSecret) => {
-        await axios.delete(
-          `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env/${secret.id}`,
-          {
-            params,
-            headers: {
-              Authorization: `Bearer ${accessToken}`,
-            },
-          }
-        );
-      });
+    for await (const secret of deleteSecrets) {
+      await request.delete(
+        `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env/${secret.id}`,
+        {
+          params,
+          headers: {
+            Authorization: `Bearer ${accessToken}`,
+            'Accept-Encoding': 'application/json'
+          },
+        }
+      ); 
     }
   } catch (err) {
     Sentry.setUser(null);
@@ -717,12 +833,13 @@ const syncSecretsNetlify = async ({
     });
 
     const res = (
-      await axios.get(
+      await request.get(
         `${INTEGRATION_NETLIFY_API_URL}/api/v1/accounts/${integrationAuth.accountId}/env`,
         {
           params: getParams,
           headers: {
             Authorization: `Bearer ${accessToken}`,
+            'Accept-Encoding': 'application/json'
           },
         }
       )
@@ -830,13 +947,14 @@ const syncSecretsNetlify = async ({
     });
 
     if (newSecrets.length > 0) {
-      await axios.post(
+      await request.post(
         `${INTEGRATION_NETLIFY_API_URL}/api/v1/accounts/${integrationAuth.accountId}/env`,
         newSecrets,
         {
           params: syncParams,
           headers: {
             Authorization: `Bearer ${accessToken}`,
+            'Accept-Encoding': 'application/json'
           },
         }
       );
@@ -844,7 +962,7 @@ const syncSecretsNetlify = async ({
 
     if (updateSecrets.length > 0) {
       updateSecrets.forEach(async (secret: NetlifySecret) => {
-        await axios.patch(
+        await request.patch(
           `${INTEGRATION_NETLIFY_API_URL}/api/v1/accounts/${integrationAuth.accountId}/env/${secret.key}`,
           {
             context: secret.values[0].context,
@@ -854,6 +972,7 @@ const syncSecretsNetlify = async ({
             params: syncParams,
             headers: {
               Authorization: `Bearer ${accessToken}`,
+              'Accept-Encoding': 'application/json'
             },
           }
         );
@@ -862,12 +981,13 @@ const syncSecretsNetlify = async ({
 
     if (deleteSecrets.length > 0) {
       deleteSecrets.forEach(async (key: string) => {
-        await axios.delete(
+        await request.delete(
           `${INTEGRATION_NETLIFY_API_URL}/api/v1/accounts/${integrationAuth.accountId}/env/${key}`,
           {
             params: syncParams,
             headers: {
               Authorization: `Bearer ${accessToken}`,
+              'Accept-Encoding': 'application/json'
             },
           }
         );
@@ -876,12 +996,13 @@ const syncSecretsNetlify = async ({
 
     if (deleteSecretValues.length > 0) {
       deleteSecretValues.forEach(async (secret: NetlifySecret) => {
-        await axios.delete(
+        await request.delete(
           `${INTEGRATION_NETLIFY_API_URL}/api/v1/accounts/${integrationAuth.accountId}/env/${secret.key}/value/${secret.values[0].id}`,
           {
             params: syncParams,
             headers: {
               Authorization: `Bearer ${accessToken}`,
+              'Accept-Encoding': 'application/json'
             },
           }
         );
@@ -1026,7 +1147,7 @@ const syncSecretsRender = async ({
   accessToken: string;
 }) => {
   try {
-    await axios.put(
+    await request.put(
       `${INTEGRATION_RENDER_API_URL}/v1/services/${integration.appId}/env-vars`,
       Object.keys(secrets).map((key) => ({
         key,
@@ -1035,6 +1156,7 @@ const syncSecretsRender = async ({
       {
         headers: {
           Authorization: `Bearer ${accessToken}`,
+          'Accept-Encoding': 'application/json'
         },
       }
     );
@@ -1083,23 +1205,21 @@ const syncSecretsFlyio = async ({
       }
     `;
 
-    await axios({
-      url: INTEGRATION_FLYIO_API_URL,
-      method: "post",
+    await request.post(INTEGRATION_FLYIO_API_URL, {
+      query: SetSecrets,
+      variables: {
+        input: {
+          appId: integration.app,
+          secrets: Object.entries(secrets).map(([key, value]) => ({
+            key,
+            value,
+          })),
+        },
+      },
+    }, {
       headers: {
         Authorization: "Bearer " + accessToken,
-      },
-      data: {
-        query: SetSecrets,
-        variables: {
-          input: {
-            appId: integration.app,
-            secrets: Object.entries(secrets).map(([key, value]) => ({
-              key,
-              value,
-            })),
-          },
-        },
+        'Accept-Encoding': 'application/json',
       },
     });
 
@@ -1120,23 +1240,18 @@ const syncSecretsFlyio = async ({
         }
     }`;
 
-    const getSecretsRes = (
-      await axios({
-        method: "post",
-        url: INTEGRATION_FLYIO_API_URL,
-        headers: {
-          'Authorization': 'Bearer ' + accessToken,
-          'Content-Type': 'application/json',
-          'Accept-Encoding': 'application/json'
-        },
-        data: {
-          query: GetSecrets,
-          variables: {
-            appName: integration.app,
-          },
-        },
-      })
-    ).data.data.app.secrets;
+    const getSecretsRes = (await request.post(INTEGRATION_FLYIO_API_URL, {
+      query: GetSecrets,
+      variables: {
+        appName: integration.app,
+      },
+    }, {
+      headers: {
+        Authorization: "Bearer " + accessToken,
+        'Content-Type': 'application/json',
+        'Accept-Encoding': 'application/json',
+      },
+    })).data.data.app.secrets;
 
     const deleteSecretsKeys = getSecretsRes
       .filter((secret: FlyioSecret) => !(secret.name in secrets))
@@ -1161,23 +1276,22 @@ const syncSecretsFlyio = async ({
         }
     }`;
 
-    await axios({
-      method: "post",
-      url: INTEGRATION_FLYIO_API_URL,
+    await request.post(INTEGRATION_FLYIO_API_URL, {
+      query: DeleteSecrets,
+      variables: {
+        input: {
+          appId: integration.app,
+          keys: deleteSecretsKeys,
+        },
+      },
+    }, {
       headers: {
         Authorization: "Bearer " + accessToken,
         "Content-Type": "application/json",
-      },
-      data: {
-        query: DeleteSecrets,
-        variables: {
-          input: {
-            appId: integration.app,
-            keys: deleteSecretsKeys,
-          },
-        },
+        'Accept-Encoding': 'application/json',
       },
     });
+
   } catch (err) {
     Sentry.setUser(null);
     Sentry.captureException(err);
@@ -1203,7 +1317,7 @@ const syncSecretsCircleCI = async ({
 }) => {  
   try {
     const circleciOrganizationDetail = (
-      await axios.get(`${INTEGRATION_CIRCLECI_API_URL}/v2/me/collaborations`, {
+      await request.get(`${INTEGRATION_CIRCLECI_API_URL}/v2/me/collaborations`, {
         headers: {
           "Circle-Token": accessToken,
           "Accept-Encoding": "application/json",
@@ -1216,7 +1330,7 @@ const syncSecretsCircleCI = async ({
     // sync secrets to CircleCI
     Object.keys(secrets).forEach(
       async (key) =>
-        await axios.post(
+        await request.post(
           `${INTEGRATION_CIRCLECI_API_URL}/v2/project/${slug}/${integration.app}/envvar`,
           {
             name: key,
@@ -1233,7 +1347,7 @@ const syncSecretsCircleCI = async ({
 
     // get secrets from CircleCI
     const getSecretsRes = (
-      await axios.get(
+      await request.get(
         `${INTEGRATION_CIRCLECI_API_URL}/v2/project/${slug}/${integration.app}/envvar`,
         {
           headers: {
@@ -1247,7 +1361,7 @@ const syncSecretsCircleCI = async ({
     // delete secrets from CircleCI
     getSecretsRes.forEach(async (sec: any) => {
       if (!(sec.name in secrets)) {
-        await axios.delete(
+        await request.delete(
           `${INTEGRATION_CIRCLECI_API_URL}/v2/project/${slug}/${integration.app}/envvar/${sec.name}`,
           {
             headers: {
@@ -1265,4 +1379,196 @@ const syncSecretsCircleCI = async ({
   }
 };
 
+/**
+ * Sync/push [secrets] to TravisCI project 
+ * @param {Object} obj
+ * @param {IIntegration} obj.integration - integration details
+ * @param {Object} obj.secrets - secrets to push to integration (object where keys are secret keys and values are secret values)
+ * @param {String} obj.accessToken - access token for TravisCI integration
+ */
+const syncSecretsTravisCI = async ({
+  integration,
+  secrets,
+  accessToken,
+}: {
+  integration: IIntegration;
+  secrets: any;
+  accessToken: string;
+}) => {
+  try {
+    // get secrets from travis-ci  
+    const getSecretsRes = (
+      await request.get(
+        `${INTEGRATION_TRAVISCI_API_URL}/settings/env_vars?repository_id=${integration.appId}`,
+        {
+          headers: {
+            "Authorization": `token ${accessToken}`,
+            "Accept-Encoding": "application/json",
+          },
+        }
+      )
+    )
+    .data
+    ?.env_vars
+    .reduce((obj: any, secret: any) => ({
+        ...obj,
+        [secret.name]: secret
+    }), {});
+    
+    // add secrets
+    for await (const key of Object.keys(secrets)) {
+      if (!(key in getSecretsRes)) {
+        // case: secret does not exist in travis ci
+        // -> add secret
+        await request.post(
+          `${INTEGRATION_TRAVISCI_API_URL}/settings/env_vars?repository_id=${integration.appId}`,
+          {
+            env_var: {
+              name: key,
+              value: secrets[key]
+            }
+          },
+          {
+            headers: {
+              "Authorization": `token ${accessToken}`,
+              "Content-Type": "application/json",
+              "Accept-Encoding": "application/json",
+            },
+          }
+        );
+      } else {
+        // case: secret exists in travis ci
+        // -> update/set secret
+        await request.patch(
+          `${INTEGRATION_TRAVISCI_API_URL}/settings/env_vars/${getSecretsRes[key].id}?repository_id=${getSecretsRes[key].repository_id}`,
+          {
+            env_var: {
+              name: key,
+              value: secrets[key],
+            }
+          },
+          {
+            headers: {
+              "Authorization": `token ${accessToken}`,
+              "Content-Type": "application/json",
+              "Accept-Encoding": "application/json",
+            },
+          }
+        );
+      }
+    }
+
+    for await (const key of Object.keys(getSecretsRes)) {
+      if (!(key in secrets)){
+        // delete secret
+        await request.delete(
+          `${INTEGRATION_TRAVISCI_API_URL}/settings/env_vars/${getSecretsRes[key].id}?repository_id=${getSecretsRes[key].repository_id}`,
+          {
+            headers: {
+              "Authorization": `token ${accessToken}`,
+              "Content-Type": "application/json",
+              "Accept-Encoding": "application/json",
+            },
+          }
+        );
+      }
+    }
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error("Failed to sync secrets to GitLab");
+  }
+}
+
+/**
+ * Sync/push [secrets] to GitLab repo with name [integration.app]
+ * @param {Object} obj
+ * @param {IIntegration} obj.integration - integration details
+ * @param {IIntegrationAuth} obj.integrationAuth - integration auth details
+ * @param {Object} obj.secrets - secrets to push to integration (object where keys are secret keys and values are secret values)
+ * @param {String} obj.accessToken - access token for GitLab integration
+ */
+const syncSecretsGitLab = async ({
+  integration,
+  secrets,
+  accessToken,
+}: {
+  integration: IIntegration;
+  secrets: any;
+  accessToken: string;
+}) => {
+  try {
+    // get secrets from gitlab
+    const getSecretsRes = (
+      await request.get(
+        `${INTEGRATION_GITLAB_API_URL}/v4/projects/${integration?.appId}/variables`,
+        { 
+          headers: {
+            "Authorization": `Bearer ${accessToken}`,
+            "Accept-Encoding": "application/json",
+          },
+        }
+      )
+    ).data;
+
+    for await (const key of Object.keys(secrets)) {
+      const existingSecret = getSecretsRes.find((s: any) => s.key == key);
+      if (!existingSecret) {
+        await request.post(
+          `${INTEGRATION_GITLAB_API_URL}/v4/projects/${integration?.appId}/variables`,
+          {
+            key: key,
+            value: secrets[key],
+            protected: false,
+            masked: false,
+            raw: false,
+            environment_scope:'*'
+          },
+          {
+            headers: {
+              "Authorization": `Bearer ${accessToken}`,
+              "Content-Type": "application/json",
+              "Accept-Encoding": "application/json",
+            },
+          }
+        )
+      } else {
+        // udpate secret 
+        await request.put(
+          `${INTEGRATION_GITLAB_API_URL}/v4/projects/${integration?.appId}/variables/${existingSecret.key}`,
+          {
+            ...existingSecret,
+            value: secrets[existingSecret.key]
+          },
+          {
+            headers: {
+              "Authorization": `Bearer ${accessToken}`,
+              "Content-Type": "application/json",
+              "Accept-Encoding": "application/json",
+            },
+          }
+        )
+      }
+    }
+
+    // delete secrets 
+    for await (const sec of getSecretsRes) {
+      if (!(sec.key in secrets)) {
+        await request.delete(
+          `${INTEGRATION_GITLAB_API_URL}/v4/projects/${integration?.appId}/variables/${sec.key}`,
+          {
+            headers: {
+              "Authorization": `Bearer ${accessToken}`,
+            },
+          }
+        );
+      }
+    }
+  }catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error("Failed to sync secrets to GitLab");
+  }
+}
+
 export { syncSecrets };

backend/src/integrations/teams.ts

@@ -0,0 +1,92 @@
+import * as Sentry from "@sentry/node";
+import {
+    IIntegrationAuth
+} from '../models';
+import {
+    INTEGRATION_GITLAB,
+    INTEGRATION_GITLAB_API_URL
+} from '../variables';
+import request from '../config/request';
+
+interface Team {
+    name: string;
+    teamId: string;
+}
+
+/**
+ * Return list of teams for integration authorization [integrationAuth]
+ * @param {Object} obj
+ * @param {String} obj.integrationAuth - integration authorization to get teams for
+ * @param {String} obj.accessToken - access token for integration authorization
+ * @returns {Object[]} teams - teams of integration authorization
+ * @returns {String} teams.name - name of team
+ * @returns {String} teams.teamId - id of team
+*/
+const getTeams = async ({
+    integrationAuth,
+    accessToken
+}: {
+    integrationAuth: IIntegrationAuth;
+    accessToken: string;
+}) => {
+    
+    let teams: Team[] = [];
+    try {
+        switch (integrationAuth.integration) {
+            case INTEGRATION_GITLAB:
+                teams = await getTeamsGitLab({
+                    accessToken
+                });
+                break;
+        }
+    } catch (err) {
+        Sentry.setUser(null);
+        Sentry.captureException(err);
+        throw new Error('Failed to get integration teams');
+    }
+    
+    
+    return teams;
+}
+
+/**
+ * Return list of teams for GitLab integration
+ * @param {Object} obj
+ * @param {String} obj.accessToken - access token for GitLab API
+ * @returns {Object[]} teams - teams that user is part of in GitLab
+ * @returns {String} teams.name - name of team
+ * @returns {String} teams.teamId - id of team
+*/
+const getTeamsGitLab = async ({
+    accessToken
+}: {
+    accessToken: string;
+}) => {
+    let teams: Team[] = [];
+    try {
+        const res = (await request.get(
+            `${INTEGRATION_GITLAB_API_URL}/v4/groups`,
+            {
+                headers: {
+                Authorization: `Bearer ${accessToken}`,
+                "Accept-Encoding": "application/json"
+                }
+            }
+        )).data; 
+    
+      teams = res.map((t: any) => ({
+        name: t.name,
+        teamId: t.id
+      }));
+    } catch (err) {
+        Sentry.setUser(null);
+        Sentry.captureException(err);
+        throw new Error("Failed to get GitLab integration teams");
+    }
+    
+    return teams;
+}
+
+export {
+    getTeams
+}

backend/src/middleware/index.ts

@@ -1,4 +1,5 @@
 import requireAuth from './requireAuth';
+import requireMfaAuth from './requireMfaAuth';
 import requireBotAuth from './requireBotAuth';
 import requireSignupAuth from './requireSignupAuth';
 import requireWorkspaceAuth from './requireWorkspaceAuth';
@@ -15,6 +16,7 @@ import validateRequest from './validateRequest';
 
 export {
 	requireAuth,
+	requireMfaAuth,
 	requireBotAuth,
 	requireSignupAuth,
 	requireWorkspaceAuth,

backend/src/middleware/requestErrorHandler.ts

@@ -1,15 +1,13 @@
-import { ErrorRequestHandler } from "express";
-
 import * as Sentry from '@sentry/node';
+import { ErrorRequestHandler } from "express";
 import { InternalServerError } from "../utils/errors";
 import { getLogger } from "../utils/logger";
 import RequestError, { LogLevel } from "../utils/requestError";
-import { NODE_ENV } from "../config";
-
+import { getNodeEnv } from '../config';
 
 export const requestErrorHandler: ErrorRequestHandler = (error: RequestError | Error, req, res, next) => {
     if (res.headersSent) return next();
-    if (NODE_ENV !== "production") {
+    if (getNodeEnv() !== "production") {
         /* eslint-disable no-console */
         console.log(error)
         /* eslint-enable no-console */

backend/src/middleware/requireAuth.ts

@@ -1,12 +1,14 @@
 import jwt from 'jsonwebtoken';
 import { Request, Response, NextFunction } from 'express';
-import { User, ServiceTokenData } from '../models';
 import {
 	validateAuthMode,
 	getAuthUserPayload,
 	getAuthSTDPayload,
 	getAuthAPIKeyPayload
 } from '../helpers/auth';
+import { 
+	UnauthorizedRequestError
+} from '../utils/errors';
 
 declare module 'jsonwebtoken' {
 	export interface UserIDJwtPayload extends jwt.JwtPayload {
@@ -25,9 +27,11 @@ declare module 'jsonwebtoken' {
  * @returns
  */
 const requireAuth = ({
-	acceptedAuthModes = ['jwt']
+	acceptedAuthModes = ['jwt'],
+	requiredServiceTokenPermissions = []
 }: {
 	acceptedAuthModes: string[];
+	requiredServiceTokenPermissions?: string[];
 }) => {
 	return async (req: Request, res: Response, next: NextFunction) => {
 		// validate auth token against accepted auth modes [acceptedAuthModes]
@@ -38,11 +42,22 @@ const requireAuth = ({
 		});
 
 		// attach auth payloads
+		let serviceTokenData: any;
 		switch (authTokenType) {
 			case 'serviceToken':
-				req.serviceTokenData = await getAuthSTDPayload({
+				serviceTokenData = await getAuthSTDPayload({
 					authTokenValue
 				});
+				
+				requiredServiceTokenPermissions.forEach((requiredServiceTokenPermission) => {
+					if (!serviceTokenData.permissions.includes(requiredServiceTokenPermission)) {
+						return next(UnauthorizedRequestError({ message: 'Failed to authorize service token for endpoint' }));
+					}
+				});
+			
+				req.serviceTokenData = serviceTokenData;
+				req.user = serviceTokenData?.user;
+				
 				break;
 			case 'apiKey':
 				req.user = await getAuthAPIKeyPayload({

backend/src/middleware/requireMfaAuth.ts

@@ -0,0 +1,43 @@
+import jwt from 'jsonwebtoken';
+import { Request, Response, NextFunction } from 'express';
+import { User } from '../models';
+import { BadRequestError, UnauthorizedRequestError } from '../utils/errors';
+import { getJwtMfaSecret } from '../config';
+
+declare module 'jsonwebtoken' {
+	export interface UserIDJwtPayload extends jwt.JwtPayload {
+		userId: string;
+	}
+}
+
+/**
+ * Validate if (MFA) JWT temporary token on request is valid (e.g. not expired)
+ * and if there is an associated user.
+ */
+const requireMfaAuth = async (
+	req: Request,
+	res: Response,
+	next: NextFunction
+) => {
+	// JWT (temporary) authentication middleware for complete signup
+	const [ AUTH_TOKEN_TYPE, AUTH_TOKEN_VALUE ] = <[string, string]>req.headers['authorization']?.split(' ', 2) ?? [null, null]
+	if(AUTH_TOKEN_TYPE === null) return next(BadRequestError({message: `Missing Authorization Header in the request header.`}))
+	if(AUTH_TOKEN_TYPE.toLowerCase() !== 'bearer') return next(BadRequestError({message: `The provided authentication type '${AUTH_TOKEN_TYPE}' is not supported.`}))
+	if(AUTH_TOKEN_VALUE === null) return next(BadRequestError({message: 'Missing Authorization Body in the request header'}))
+	
+	const decodedToken = <jwt.UserIDJwtPayload>(
+		jwt.verify(AUTH_TOKEN_VALUE, getJwtMfaSecret())
+	);
+
+	const user = await User.findOne({
+		_id: decodedToken.userId
+	}).select('+publicKey');
+
+	if (!user)
+		return next(UnauthorizedRequestError({message: 'Unable to authenticate for User account completion. Try logging in again'}))
+
+	req.user = user;
+	return next();
+};
+
+export default requireMfaAuth;

backend/src/middleware/requireSecretsAuth.ts

@@ -23,7 +23,7 @@ const requireSecretsAuth = ({
                 // case: validate 1 secret
                 secrets = await validateSecrets({
                     userId: req.user._id.toString(),
-                    secretIds: req.body.secrets.id
+                    secretIds: [req.body.secrets.id]
                 });
             } else if (Array.isArray(req.body.secretIds)) {
                 secrets = await validateSecrets({

backend/src/middleware/requireServiceTokenAuth.ts

@@ -1,8 +1,8 @@
 import jwt from 'jsonwebtoken';
 import { Request, Response, NextFunction } from 'express';
 import { ServiceToken } from '../models';
-import { JWT_SERVICE_SECRET } from '../config';
 import { BadRequestError, UnauthorizedRequestError } from '../utils/errors';
+import { getJwtServiceSecret } from '../config';
 
 // TODO: deprecate
 declare module 'jsonwebtoken' {
@@ -33,7 +33,7 @@ const requireServiceTokenAuth = async (
 	if(AUTH_TOKEN_VALUE === null) return next(BadRequestError({message: 'Missing Authorization Body in the request header'}))
 
 	const decodedToken = <jwt.UserIDJwtPayload>(
-		jwt.verify(AUTH_TOKEN_VALUE, JWT_SERVICE_SECRET)
+		jwt.verify(AUTH_TOKEN_VALUE, getJwtServiceSecret())
 	);
 
 	const serviceToken = await ServiceToken.findOne({

backend/src/middleware/requireSignupAuth.ts

@@ -1,8 +1,8 @@
 import jwt from 'jsonwebtoken';
 import { Request, Response, NextFunction } from 'express';
 import { User } from '../models';
-import { JWT_SIGNUP_SECRET } from '../config';
 import { BadRequestError, UnauthorizedRequestError } from '../utils/errors';
+import { getJwtSignupSecret } from '../config';
 
 declare module 'jsonwebtoken' {
 	export interface UserIDJwtPayload extends jwt.JwtPayload {
@@ -27,7 +27,7 @@ const requireSignupAuth = async (
 	if(AUTH_TOKEN_VALUE === null) return next(BadRequestError({message: 'Missing Authorization Body in the request header'}))
 	
 	const decodedToken = <jwt.UserIDJwtPayload>(
-		jwt.verify(AUTH_TOKEN_VALUE, JWT_SIGNUP_SECRET)
+		jwt.verify(AUTH_TOKEN_VALUE, getJwtSignupSecret())
 	);
 
 	const user = await User.findOne({

backend/src/middleware/requireWorkspaceAuth.ts

@@ -21,7 +21,7 @@ const requireWorkspaceAuth = ({
 	return async (req: Request, res: Response, next: NextFunction) => {
 		try {
 			const { workspaceId } = req[location];
-
+			
 			if (req.user) {
 				// case: jwt auth
 				const membership = await validateMembership({
@@ -32,11 +32,11 @@ const requireWorkspaceAuth = ({
 
 				req.membership = membership;
 			}
-			
+
 			if (
 				req.serviceTokenData 
-				&& req.serviceTokenData.workspace !== workspaceId
-				&& req.serviceTokenData.environment !== req.query.environment
+				&& req.serviceTokenData.workspace.toString() !== workspaceId
+				&& req.serviceTokenData.environment !== req.body.environment
 			) {
 				next(UnauthorizedRequestError({message: 'Unable to authenticate workspace'}))	
 			}

backend/src/models/folder.ts

@@ -0,0 +1,36 @@
+import { Schema, Types, model } from 'mongoose';
+
+const folderSchema = new Schema({
+  name: {
+    type: String,
+    required: true,
+  },
+  workspace: {
+    type: Schema.Types.ObjectId,
+    ref: 'Workspace',
+    required: true,
+  },
+  environment: {
+    type: String,
+    required: true,
+  },
+  parent: {
+    type: Schema.Types.ObjectId,
+    ref: 'Folder',
+    required: false, // optional for root folders
+  },
+  path: {
+    type: String,
+    required: true
+  },
+  parentPath: {
+    type: String,
+    required: true,
+  },
+}, {
+  timestamps: true
+});
+
+const Folder = model('Folder', folderSchema);
+
+export default Folder;

backend/src/models/index.ts

@@ -10,7 +10,7 @@ import MembershipOrg, { IMembershipOrg } from './membershipOrg';
 import Organization, { IOrganization } from './organization';
 import Secret, { ISecret } from './secret';
 import ServiceToken, { IServiceToken } from './serviceToken';
-import Token, { IToken } from './token';
+import TokenData, { ITokenData } from './tokenData';
 import User, { IUser } from './user';
 import UserAction, { IUserAction } from './userAction';
 import Workspace, { IWorkspace } from './workspace';
@@ -43,8 +43,8 @@ export {
 	ISecret,
 	ServiceToken,
 	IServiceToken,
-	Token,
-	IToken,
+	TokenData,
+	ITokenData,
 	User,
 	IUser,
 	UserAction,

backend/src/models/integration.ts

@@ -7,9 +7,11 @@ import {
   INTEGRATION_VERCEL,
   INTEGRATION_NETLIFY,
   INTEGRATION_GITHUB,
+  INTEGRATION_GITLAB,
   INTEGRATION_RENDER,
   INTEGRATION_FLYIO,
   INTEGRATION_CIRCLECI,
+  INTEGRATION_TRAVISCI,
 } from "../variables";
 
 export interface IIntegration {
@@ -30,10 +32,12 @@ export interface IIntegration {
     | 'heroku' 
     | 'vercel' 
     | 'netlify' 
-    | 'github' 
+    | 'github'
+    | 'gitlab'
     | 'render' 
     | 'flyio'
-    | 'circleci';
+    | 'circleci'
+    | 'travisci';
   integrationAuth: Types.ObjectId;
 }
 
@@ -58,13 +62,11 @@ const integrationSchema = new Schema<IIntegration>(
       default: null,
     },
     appId: {
-      // (new)
       // id of app in provider
       type: String,
       default: null,
     },
     targetEnvironment: {
-      // (new)
       // target environment
       type: String,
       default: null,
@@ -94,9 +96,11 @@ const integrationSchema = new Schema<IIntegration>(
         INTEGRATION_VERCEL,
         INTEGRATION_NETLIFY,
         INTEGRATION_GITHUB,
+        INTEGRATION_GITLAB,
         INTEGRATION_RENDER,
         INTEGRATION_FLYIO,
         INTEGRATION_CIRCLECI,
+        INTEGRATION_TRAVISCI,
       ],
       required: true,
     },

backend/src/models/integrationAuth.ts

@@ -7,23 +7,25 @@ import {
   INTEGRATION_VERCEL,
   INTEGRATION_NETLIFY,
   INTEGRATION_GITHUB,
+  INTEGRATION_GITLAB,
   INTEGRATION_RENDER,
   INTEGRATION_FLYIO,
   INTEGRATION_CIRCLECI,
+  INTEGRATION_TRAVISCI,
 } from "../variables";
 
 export interface IIntegrationAuth {
   _id: Types.ObjectId;
   workspace: Types.ObjectId;
-  integration: 'heroku' | 'vercel' | 'netlify' | 'github' | 'render' | 'flyio' | 'azure-key-vault' | 'circleci' | 'aws-parameter-store' | 'aws-secret-manager';
+  integration: 'heroku' | 'vercel' | 'netlify' | 'github' | 'gitlab' | 'render' | 'flyio' | 'azure-key-vault' | 'circleci' | 'travisci' | 'aws-parameter-store' | 'aws-secret-manager';
   teamId: string;
   accountId: string;
   refreshCiphertext?: string;
   refreshIV?: string;
   refreshTag?: string;
-  accessIdCiphertext?: string; // new
-  accessIdIV?: string; // new
-  accessIdTag?: string; // new
+  accessIdCiphertext?: string;
+  accessIdIV?: string;
+  accessIdTag?: string;
   accessCiphertext?: string;
   accessIV?: string;
   accessTag?: string;
@@ -47,9 +49,11 @@ const integrationAuthSchema = new Schema<IIntegrationAuth>(
         INTEGRATION_VERCEL,
         INTEGRATION_NETLIFY,
         INTEGRATION_GITHUB,
+        INTEGRATION_GITLAB,
         INTEGRATION_RENDER,
         INTEGRATION_FLYIO,
         INTEGRATION_CIRCLECI,
+        INTEGRATION_TRAVISCI,
       ],
       required: true,
     },

backend/src/models/secret.ts

@@ -24,6 +24,8 @@ export interface ISecret {
 	secretCommentTag?: string;
 	secretCommentHash?: string;
 	tags?: string[];
+	path?: string,
+	folder?: Types.ObjectId
 }
 
 const secretSchema = new Schema<ISecret>(
@@ -53,6 +55,17 @@ const secretSchema = new Schema<ISecret>(
 			type: [Schema.Types.ObjectId],
 			default: []
 		},
+		// the full path to the secret in relation to folders
+		path: {
+			type: String,
+			required: false,
+			default: "/"
+		},
+		folder: {
+			type: Schema.Types.ObjectId,
+			ref: 'Folder',
+			required: false,
+		},
 		environment: {
 			type: String,
 			required: true

backend/src/models/serviceTokenData.ts

@@ -3,13 +3,14 @@ import { Schema, model, Types } from 'mongoose';
 export interface IServiceTokenData {
     name: string;
     workspace: Types.ObjectId;
-    environment: string; // TODO: adapt to upcoming environment id
+    environment: string;
     user: Types.ObjectId;
     expiresAt: Date;
     secretHash: string;
     encryptedKey: string;
     iv: string;
     tag: string;
+    permissions: string[];
 }
 
 const serviceTokenDataSchema = new Schema<IServiceTokenData>(
@@ -51,6 +52,11 @@ const serviceTokenDataSchema = new Schema<IServiceTokenData>(
         tag: {
             type: String,
             select: false
+        },
+        permissions: {
+            type: [String],
+            enum: ['read', 'write'],
+            default: ['read']
         }
     }, 
     {

backend/src/models/token.ts

@@ -1,11 +1,10 @@
 import { Schema, model } from 'mongoose';
-import { EMAIL_TOKEN_LIFETIME } from '../config';
 
 export interface IToken {
   email: string;
   token: string;
   createdAt: Date;
-  ttl: Number;
+  ttl: number;
 }
 
 const tokenSchema = new Schema<IToken>({

backend/src/models/tokenData.ts

@@ -0,0 +1,55 @@
+import { Schema, Types, model } from 'mongoose';
+
+export interface ITokenData {
+  type: string;
+  email?: string;
+  phoneNumber?: string;
+  organization?: Types.ObjectId;
+  tokenHash: string;
+  triesLeft?: number;
+  expiresAt: Date;
+  createdAt: Date;
+  updatedAt: Date;
+}
+
+const tokenDataSchema = new Schema<ITokenData>({
+  type: {
+    type: String,
+    enum: [
+      'emailConfirmation',
+      'emailMfa',
+      'organizationInvitation',
+      'passwordReset'
+    ],
+    required: true
+  },
+  email: {
+    type: String
+  },
+  phoneNumber: {
+    type: String
+  },
+  organization: { // organizationInvitation-specific field
+    type: Schema.Types.ObjectId,
+    ref: 'Organization'
+  },
+  tokenHash: {
+    type: String,
+    select: false,
+    required: true
+  },
+  triesLeft: {
+    type: Number
+  },
+  expiresAt: {
+    type: Date,
+    expires: 0,
+    required: true
+  }
+}, {
+  timestamps: true
+});
+
+const TokenData = model<ITokenData>('TokenData', tokenDataSchema);
+
+export default TokenData;

backend/src/models/user.ts

@@ -1,10 +1,14 @@
-import { Schema, model, Types } from 'mongoose';
+import { Schema, model, Types, Document } from 'mongoose';
 
-export interface IUser {
+export interface IUser extends Document {
 	_id: Types.ObjectId;
 	email: string;
 	firstName?: string;
 	lastName?: string;
+	encryptionVersion: number;
+	protectedKey: string;
+	protectedKeyIV: string;
+	protectedKeyTag: string;
 	publicKey?: string;
 	encryptedPrivateKey?: string;
 	iv?: string;
@@ -12,7 +16,12 @@ export interface IUser {
 	salt?: string;
 	verifier?: string;
 	refreshVersion?: number;
-	seenIps: [string];
+	isMfaEnabled: boolean;
+	mfaMethods: boolean;
+	devices: {
+		ip: string;
+		userAgent: string;
+	}[];
 }
 
 const userSchema = new Schema<IUser>(
@@ -27,6 +36,23 @@ const userSchema = new Schema<IUser>(
 		lastName: {
 			type: String
 		},
+		encryptionVersion: {
+			type: Number,
+			select: false,
+			default: 1 // to resolve backward-compatibility issues
+		},
+		protectedKey: { // introduced as part of encryption version 2
+			type: String,
+			select: false
+		},
+		protectedKeyIV: { // introduced as part of encryption version 2
+			type: String,
+			select: false
+		},
+		protectedKeyTag: { // introduced as part of encryption version 2
+			type: String,
+			select: false
+		},
 		publicKey: {
 			type: String,
 			select: false
@@ -35,11 +61,11 @@ const userSchema = new Schema<IUser>(
 			type: String,
 			select: false
 		},
-		iv: {
+		iv: { // iv of [encryptedPrivateKey]
 			type: String,
 			select: false
 		},
-		tag: {
+		tag: { // tag of [encryptedPrivateKey]
 			type: String,
 			select: false
 		},
@@ -56,8 +82,21 @@ const userSchema = new Schema<IUser>(
 			default: 0,
 			select: false
 		},
-		seenIps: [String]
-	},
+		isMfaEnabled: {
+			type: Boolean,
+			default: false
+		},
+		mfaMethods: [{
+			type: String
+		}],
+		devices: {
+			type: [{
+				ip: String,
+				userAgent: String
+			}],
+			default: []
+		}
+	}, 
 	{
 		timestamps: true
 	}

backend/src/routes/status/status.ts

@@ -1,4 +1,5 @@
 import express, { Request, Response } from 'express';
+import { getSmtpConfigured } from '../../config';
 
 const router = express.Router();
 
@@ -8,6 +9,7 @@ router.get(
     res.status(200).json({
       date: new Date(),
       message: 'Ok',
+      emailConfigured: getSmtpConfigured()
     })
   }
 );

backend/src/routes/v1/auth.ts

@@ -7,7 +7,7 @@ import { authLimiter } from '../../helpers/rateLimiter';
 
 router.post('/token', validateRequest, authController.getNewToken);
 
-router.post(
+router.post( // deprecated (moved to api/v2/auth/login1)
   '/login1',
   authLimiter,
   body('email').exists().trim().notEmpty(),
@@ -16,7 +16,7 @@ router.post(
   authController.login1
 );
 
-router.post(
+router.post( // deprecated (moved to api/v2/auth/login2)
   '/login2',
   authLimiter,
   body('email').exists().trim().notEmpty(),

backend/src/routes/v1/bot.ts

@@ -31,7 +31,7 @@ router.patch(
     requireBotAuth({
 		acceptedRoles: [ADMIN, MEMBER]
     }),
-    body('isActive').isBoolean(),
+    body('isActive').exists().isBoolean(),
     body('botKey'),
     validateRequest,
     botController.setBotActiveState

backend/src/routes/v1/index.ts

@@ -15,6 +15,7 @@ import password from './password';
 import stripe from './stripe';
 import integration from './integration';
 import integrationAuth from './integrationAuth';
+import secretsFolder from './secretsFolder'
 
 export {
 	signup,
@@ -33,5 +34,6 @@ export {
 	password,
 	stripe,
 	integration,
-	integrationAuth
+	integrationAuth,
+	secretsFolder
 };

backend/src/routes/v1/integrationAuth.ts

@@ -1,6 +1,6 @@
 import express from 'express';
 const router = express.Router();
-import { body, param } from 'express-validator';
+import { body, param, query } from 'express-validator';
 import {
 	requireAuth,
 	requireWorkspaceAuth,
@@ -73,10 +73,24 @@ router.get(
 		acceptedRoles: [ADMIN, MEMBER]
 	}),
 	param('integrationAuthId'),
+	query('teamId'),
 	validateRequest,
 	integrationAuthController.getIntegrationAuthApps
 );
 
+router.get(
+	'/:integrationAuthId/teams',
+	requireAuth({
+        acceptedAuthModes: ['jwt']
+    }),
+	requireIntegrationAuthorizationAuth({
+		acceptedRoles: [ADMIN, MEMBER]
+	}),
+	param('integrationAuthId'),
+	validateRequest,
+	integrationAuthController.getIntegrationAuthTeams
+);
+
 router.delete(
 	'/:integrationAuthId',
 	requireAuth({

backend/src/routes/v1/password.ts

@@ -10,7 +10,7 @@ router.post(
 	requireAuth({
 		acceptedAuthModes: ['jwt']
 	}),
-	body('clientPublicKey').exists().trim().notEmpty(),
+	body('clientPublicKey').exists().isString().trim().notEmpty(),
 	validateRequest,
 	passwordController.srp1
 );
@@ -22,11 +22,14 @@ router.post(
 		acceptedAuthModes: ['jwt']
 	}),
 	body('clientProof').exists().trim().notEmpty(),
-	body('encryptedPrivateKey').exists().trim().notEmpty().notEmpty(), // private key encrypted under new pwd
-	body('iv').exists().trim().notEmpty(), // new iv for private key
-	body('tag').exists().trim().notEmpty(), // new tag for private key
-	body('salt').exists().trim().notEmpty(), // part of new pwd
-	body('verifier').exists().trim().notEmpty(), // part of new pwd
+	body('protectedKey').exists().isString().trim().notEmpty(),
+	body('protectedKeyIV').exists().isString().trim().notEmpty(),
+	body('protectedKeyTag').exists().isString().trim().notEmpty(),
+	body('encryptedPrivateKey').exists().isString().trim().notEmpty(), // private key encrypted under new pwd
+	body('encryptedPrivateKeyIV').exists().isString().trim().notEmpty(), // new iv for private key
+	body('encryptedPrivateKeyTag').exists().isString().trim().notEmpty(), // new tag for private key
+	body('salt').exists().isString().trim().notEmpty(), // part of new pwd
+	body('verifier').exists().isString().trim().notEmpty(), // part of new pwd
 	validateRequest,
 	passwordController.changePassword
 );
@@ -34,7 +37,7 @@ router.post(
 router.post(
 	'/email/password-reset',
 	passwordLimiter,
-	body('email').exists().trim().notEmpty(),
+	body('email').exists().isString().trim().notEmpty().isEmail(),
 	validateRequest,
 	passwordController.emailPasswordReset
 );
@@ -42,8 +45,8 @@ router.post(
 router.post(
 	'/email/password-reset-verify',
 	passwordLimiter,
-	body('email').exists().trim().notEmpty().isEmail(),
-	body('code').exists().trim().notEmpty(),
+	body('email').exists().isString().trim().notEmpty().isEmail(),
+	body('code').exists().isString().trim().notEmpty(),
 	validateRequest,
 	passwordController.emailPasswordResetVerify
 );
@@ -61,12 +64,12 @@ router.post(
 	requireAuth({
 		acceptedAuthModes: ['jwt']
 	}),
-	body('clientProof').exists().trim().notEmpty(),
-	body('encryptedPrivateKey').exists().trim().notEmpty(), // (backup) private key encrypted under a strong key
-	body('iv').exists().trim().notEmpty(), // new iv for (backup) private key
-	body('tag').exists().trim().notEmpty(), // new tag for (backup) private key
-	body('salt').exists().trim().notEmpty(), // salt generated from strong key
-	body('verifier').exists().trim().notEmpty(), // salt generated from strong key
+	body('clientProof').exists().isString().trim().notEmpty(),
+	body('encryptedPrivateKey').exists().isString().trim().notEmpty(), // (backup) private key encrypted under a strong key
+	body('iv').exists().isString().trim().notEmpty(), // new iv for (backup) private key
+	body('tag').exists().isString().trim().notEmpty(), // new tag for (backup) private key
+	body('salt').exists().isString().trim().notEmpty(), // salt generated from strong key
+	body('verifier').exists().isString().trim().notEmpty(), // salt generated from strong key
 	validateRequest,
 	passwordController.createBackupPrivateKey
 );
@@ -74,11 +77,14 @@ router.post(
 router.post(
 	'/password-reset',
 	requireSignupAuth,
-	body('encryptedPrivateKey').exists().trim().notEmpty(), // private key encrypted under new pwd
-	body('iv').exists().trim().notEmpty(), // new iv for private key
-	body('tag').exists().trim().notEmpty(), // new tag for private key 
-	body('salt').exists().trim().notEmpty(), // part of new pwd
-	body('verifier').exists().trim().notEmpty(), // part of new pwd
+	body('protectedKey').exists().isString().trim().notEmpty(),
+	body('protectedKeyIV').exists().isString().trim().notEmpty(),
+	body('protectedKeyTag').exists().isString().trim().notEmpty(),
+	body('encryptedPrivateKey').exists().isString().trim().notEmpty(), // private key encrypted under new pwd
+	body('encryptedPrivateKeyIV').exists().isString().trim().notEmpty(), // new iv for private key
+	body('encryptedPrivateKeyTag').exists().isString().trim().notEmpty(), // new tag for private key 
+	body('salt').exists().isString().trim().notEmpty(), // part of new pwd
+	body('verifier').exists().isString().trim().notEmpty(), // part of new pwd
 	validateRequest,
 	passwordController.resetPassword
 );

backend/src/routes/v1/secretsFolder.ts

@@ -0,0 +1,40 @@
+import express, { Request, Response } from 'express';
+const router = express.Router();
+import {
+	requireAuth,
+	requireWorkspaceAuth,
+	validateRequest
+} from '../../middleware';
+import { body, param } from 'express-validator';
+import { createFolder, deleteFolder } from '../../controllers/v1/secretsFolderController';
+import { ADMIN, MEMBER } from '../../variables';
+
+router.post(
+	'/',
+	requireAuth({
+		acceptedAuthModes: ['jwt']
+	}),
+	requireWorkspaceAuth({
+		acceptedRoles: [ADMIN, MEMBER],
+		location: 'body'
+	}),
+	body('workspaceId').exists(),
+	body('environment').exists(),
+	body('folderName').exists(),
+	body('parentFolderId'),
+	validateRequest,
+	createFolder
+);
+
+router.delete(
+	'/:folderId',
+	requireAuth({
+		acceptedAuthModes: ['jwt']
+	}),
+	param('folderId').exists(),
+	validateRequest,
+	deleteFolder
+);
+
+
+export default router;

backend/src/routes/v1/signup.ts

@@ -1,7 +1,7 @@
 import express from 'express';
 const router = express.Router();
 import { body } from 'express-validator';
-import { requireSignupAuth, validateRequest } from '../../middleware';
+import { validateRequest } from '../../middleware';
 import { signupController } from '../../controllers/v1';
 import { authLimiter } from '../../helpers/rateLimiter';
 
@@ -22,39 +22,4 @@ router.post(
 	signupController.verifyEmailSignup
 );
 
-router.post(
-	'/complete-account/signup',
-	authLimiter,
-	requireSignupAuth,
-	body('email').exists().trim().notEmpty().isEmail(),
-	body('firstName').exists().trim().notEmpty(),
-	body('lastName').exists().trim().notEmpty(),
-	body('publicKey').exists().trim().notEmpty(),
-	body('encryptedPrivateKey').exists().trim().notEmpty(),
-	body('iv').exists().trim().notEmpty(),
-	body('tag').exists().trim().notEmpty(),
-	body('salt').exists().trim().notEmpty(),
-	body('verifier').exists().trim().notEmpty(),
-	body('organizationName').exists().trim().notEmpty(),
-	validateRequest,
-	signupController.completeAccountSignup
-);
-
-router.post(
-	'/complete-account/invite',
-	authLimiter,
-	requireSignupAuth,
-	body('email').exists().trim().notEmpty().isEmail(),
-	body('firstName').exists().trim().notEmpty(),
-	body('lastName').exists().trim().notEmpty(),
-	body('publicKey').exists().trim().notEmpty(),
-	body('encryptedPrivateKey').exists().trim().notEmpty(),
-	body('iv').exists().trim().notEmpty(),
-	body('tag').exists().trim().notEmpty(),
-	body('salt').exists().trim().notEmpty(),
-	body('verifier').exists().trim().notEmpty(),
-	validateRequest,
-	signupController.completeAccountInvite
-);
-
 export default router;

backend/src/routes/v2/auth.ts

@@ -0,0 +1,44 @@
+import express from 'express';
+const router = express.Router();
+import { body } from 'express-validator';
+import { requireMfaAuth, validateRequest } from '../../middleware';
+import { authController } from '../../controllers/v2';
+import { authLimiter } from '../../helpers/rateLimiter';
+
+router.post(
+  '/login1',
+  authLimiter,
+  body('email').isString().trim().notEmpty(),
+  body('clientPublicKey').isString().trim().notEmpty(),
+  validateRequest,
+  authController.login1
+);
+
+router.post(
+  '/login2',
+  authLimiter,
+  body('email').isString().trim().notEmpty(),
+  body('clientProof').isString().trim().notEmpty(),
+  validateRequest,
+  authController.login2
+);
+
+router.post(
+  '/mfa/send',
+  authLimiter,
+  body('email').isString().trim().notEmpty(),
+  validateRequest,
+  authController.sendMfaToken
+);
+
+router.post(
+  '/mfa/verify',
+  authLimiter,
+  requireMfaAuth,
+  body('email').isString().trim().notEmpty(),
+  body('mfaToken').isString().trim().notEmpty(),
+  validateRequest,
+  authController.verifyMfaToken
+);
+
+export default router;

backend/src/routes/v2/index.ts

@@ -1,3 +1,5 @@
+import auth from './auth';
+import signup from './signup';
 import users from './users';
 import organizations from './organizations';
 import workspace from './workspace';
@@ -9,6 +11,8 @@ import environment from "./environment"
 import tags from "./tags"
 
 export {
+    auth,
+    signup,
     users,
     organizations,
     workspace,

backend/src/routes/v2/secrets.ts

@@ -6,14 +6,53 @@ import {
     requireSecretsAuth,
     validateRequest
 } from '../../middleware';
-import { query, check, body } from 'express-validator';
+import { query, body } from 'express-validator';
 import { secretsController } from '../../controllers/v2';
+import { validateSecrets } from '../../helpers/secret';
 import {
     ADMIN,
     MEMBER,
     SECRET_PERSONAL,
     SECRET_SHARED
 } from '../../variables';
+import {
+    BatchSecretRequest
+} from '../../types/secret';
+
+router.post(
+    '/batch',
+    requireAuth({
+        acceptedAuthModes: ['jwt', 'apiKey', 'serviceToken'],
+        requiredServiceTokenPermissions: ['read', 'write']
+    }),
+    requireWorkspaceAuth({
+        acceptedRoles: [ADMIN, MEMBER],
+        location: 'body'
+    }),
+    body('workspaceId').exists().isString().trim(),
+    body('environment').exists().isString().trim(),
+    body('requests')
+        .exists()
+        .custom(async (requests: BatchSecretRequest[], { req }) => {
+            if (Array.isArray(requests)) {
+                const secretIds = requests
+                    .map((request) => request.secret._id)
+                    .filter((secretId) => secretId !== undefined)
+                
+                if (secretIds.length > 0) {
+                    const relevantSecrets = await validateSecrets({
+                        userId: req.user._id.toString(),
+                        secretIds
+                    });
+                    
+                    req.secrets = relevantSecrets;
+                }
+            }
+        return true;
+    }),
+    validateRequest,
+    secretsController.batchSecrets
+);
 
 router.post(
     '/',
@@ -61,7 +100,8 @@ router.post(
         }),
     validateRequest,
     requireAuth({
-        acceptedAuthModes: ['jwt', 'apiKey']
+        acceptedAuthModes: ['jwt', 'apiKey', 'serviceToken'],
+        requiredServiceTokenPermissions: ['write']
     }),
     requireWorkspaceAuth({
         acceptedRoles: [ADMIN, MEMBER],
@@ -77,7 +117,8 @@ router.get(
     query('tagSlugs'),
     validateRequest,
     requireAuth({
-        acceptedAuthModes: ['jwt', 'apiKey', 'serviceToken']
+        acceptedAuthModes: ['jwt', 'apiKey', 'serviceToken'],
+        requiredServiceTokenPermissions: ['read']
     }),
     requireWorkspaceAuth({
         acceptedRoles: [ADMIN, MEMBER],
@@ -116,7 +157,8 @@ router.patch(
         }),
     validateRequest,
     requireAuth({
-        acceptedAuthModes: ['jwt', 'apiKey']
+        acceptedAuthModes: ['jwt', 'apiKey', 'serviceToken'],
+        requiredServiceTokenPermissions: ['write']
     }),
     requireSecretsAuth({
         acceptedRoles: [ADMIN, MEMBER]
@@ -144,7 +186,8 @@ router.delete(
         .isEmpty(),
     validateRequest,
     requireAuth({
-        acceptedAuthModes: ['jwt', 'apiKey']
+        acceptedAuthModes: ['jwt', 'apiKey', 'serviceToken'],
+        requiredServiceTokenPermissions: ['write']
     }),
     requireSecretsAuth({
         acceptedRoles: [ADMIN, MEMBER]
@@ -154,5 +197,3 @@ router.delete(
 
 export default router;
 
-
-

backend/src/routes/v2/serviceTokenData.ts

@@ -30,13 +30,22 @@ router.post(
         acceptedRoles: [ADMIN, MEMBER],
         location: 'body'
     }),
-    body('name').exists().trim(),
-    body('workspaceId'),
-    body('environment'),
-    body('encryptedKey'),
-    body('iv'),
-    body('tag'),
-    body('expiresIn'), // measured in ms
+    body('name').exists().isString().trim(),
+    body('workspaceId').exists().isString().trim(),
+    body('environment').exists().isString().trim(),
+    body('encryptedKey').exists().isString().trim(),
+    body('iv').exists().isString().trim(),
+    body('tag').exists().isString().trim(),
+    body('expiresIn').exists().isNumeric(), // measured in ms
+    body('permissions').isArray({ min: 1 }).custom((value: string[]) => {
+        const allowedPermissions = ['read', 'write'];
+        const invalidValues = value.filter((v) => !allowedPermissions.includes(v));
+        if (invalidValues.length > 0) {
+            throw new Error(`permissions contains invalid values: ${invalidValues.join(', ')}`);
+        }
+
+        return true
+    }),
     validateRequest,
     serviceTokenDataController.createServiceTokenData
 );

backend/src/routes/v2/signup.ts

@@ -0,0 +1,49 @@
+import express from 'express';
+const router = express.Router();
+import { body } from 'express-validator';
+import { requireSignupAuth, validateRequest } from '../../middleware';
+import { signupController } from '../../controllers/v2';
+import { authLimiter } from '../../helpers/rateLimiter';
+
+router.post(
+    '/complete-account/signup',
+    authLimiter,
+    requireSignupAuth,
+    body('email').exists().isString().trim().notEmpty().isEmail(),
+	body('firstName').exists().isString().trim().notEmpty(),
+	body('lastName').exists().isString().trim().notEmpty(),
+	body('protectedKey').exists().isString().trim().notEmpty(),
+	body('protectedKeyIV').exists().isString().trim().notEmpty(),
+	body('protectedKeyTag').exists().isString().trim().notEmpty(),
+	body('publicKey').exists().isString().trim().notEmpty(),
+	body('encryptedPrivateKey').exists().isString().trim().notEmpty(),
+	body('encryptedPrivateKeyIV').exists().isString().trim().notEmpty(),
+	body('encryptedPrivateKeyTag').exists().isString().trim().notEmpty(),
+	body('salt').exists().isString().trim().notEmpty(),
+	body('verifier').exists().isString().trim().notEmpty(),
+	body('organizationName').exists().isString().trim().notEmpty(),
+    validateRequest,
+    signupController.completeAccountSignup
+);
+
+router.post(
+	'/complete-account/invite',
+	authLimiter,
+	requireSignupAuth,
+	body('email').exists().isString().trim().notEmpty().isEmail(),
+	body('firstName').exists().isString().trim().notEmpty(),
+	body('lastName').exists().isString().trim().notEmpty(),
+	body('protectedKey').exists().isString().trim().notEmpty(),
+	body('protectedKeyIV').exists().isString().trim().notEmpty(),
+	body('protectedKeyTag').exists().isString().trim().notEmpty(),
+	body('publicKey').exists().trim().notEmpty(),
+	body('encryptedPrivateKey').exists().isString().trim().notEmpty(),
+	body('encryptedPrivateKeyIV').exists().isString().trim().notEmpty(),
+	body('encryptedPrivateKeyTag').exists().isString().trim().notEmpty(),
+	body('salt').exists().isString().trim().notEmpty(),
+	body('verifier').exists().isString().trim().notEmpty(),
+	validateRequest,
+	signupController.completeAccountInvite
+);
+
+export default router;

backend/src/routes/v2/users.ts

@@ -1,8 +1,10 @@
 import express from 'express';
 const router = express.Router();
 import {
-    requireAuth
+    requireAuth,
+    validateRequest
 } from '../../middleware';
+import { body } from 'express-validator';
 import { usersController } from '../../controllers/v2';
 
 router.get(
@@ -13,6 +15,16 @@ router.get(
     usersController.getMe
 );
 
+router.patch(
+    '/me/mfa',
+    requireAuth({
+        acceptedAuthModes: ['jwt', 'apiKey']
+    }),
+    body('isMfaEnabled').exists().isBoolean(),
+    validateRequest,
+    usersController.updateMyMfaEnabled
+);
+
 router.get(
     '/me/organizations',
     requireAuth({

backend/src/routes/v2/workspace.ts

@@ -118,7 +118,6 @@ router.delete( // TODO - rewire dashboard to this route
 	workspaceController.deleteWorkspaceMembership
 );
 
-
 router.patch(
 	'/:workspaceId/auto-capitalization',
 	requireAuth({

backend/src/services/DatabaseService.ts

@@ -1,16 +1,32 @@
 import mongoose from 'mongoose';
 import { getLogger } from '../utils/logger';
-import { initDatabaseHelper } from '../helpers/database';
+import { 
+  initDatabaseHelper,
+  closeDatabaseHelper
+} from '../helpers/database';
 
 /**
  * Class to handle database actions
  */
 class DatabaseService {
+  /**
+   * Initialize database connection
+   * @param {Object} obj
+   * @param {String} obj.mongoURL - mongo connection string
+   * @returns 
+   */
   static async initDatabase(MONGO_URL: string) {
     return await initDatabaseHelper({
       mongoURL: MONGO_URL
     });
   }
+  
+  /**
+   * Close database conection
+  */
+  static async closeDatabase() {
+    return await closeDatabaseHelper();
+  }
 }
 
 export default DatabaseService;

backend/src/services/EventService.ts

@@ -1,5 +1,3 @@
-import { Bot, IBot } from '../models';
-import * as Sentry from '@sentry/node';
 import { handleEventHelper } from '../helpers/event';
 
 interface Event {

backend/src/services/IntegrationService.ts

@@ -7,9 +7,6 @@ import {
     setIntegrationAuthAccessHelper,
 } from '../helpers/integration';
 
-// should sync stuff be here too? Probably.
-// TODO: move bot functions to IntegrationService.
-
 /**
  * Class to handle integrations
  */

backend/src/services/PostHogClient.ts

@@ -1,27 +1,44 @@
 import { PostHog } from 'posthog-node';
-import {
-  NODE_ENV,
-  POSTHOG_HOST,
-  POSTHOG_PROJECT_API_KEY,
-  TELEMETRY_ENABLED
-} from '../config';
 import { getLogger } from '../utils/logger';
+import {
+  getNodeEnv,
+  getTelemetryEnabled,
+  getPostHogProjectApiKey,
+  getPostHogHost
+} from '../config';
 
-if(!TELEMETRY_ENABLED){
-  getLogger("backend-main").info([
-    "",
-    "To improve, Infisical collects telemetry data about general usage.",
-    "This helps us understand how the product is doing and guide our product development to create the best possible platform; it also helps us demonstrate growth as we support Infisical as open-source software.",
-    "To opt into telemetry, you can set `TELEMETRY_ENABLED=true` within the environment variables.",
-  ].join('\n'))
+/**
+ * Logs telemetry enable/disable notice.
+ */
+const logTelemetryMessage = () => {
+  if(!getTelemetryEnabled()){
+    getLogger("backend-main").info([
+      "",
+      "To improve, Infisical collects telemetry data about general usage.",
+      "This helps us understand how the product is doing and guide our product development to create the best possible platform; it also helps us demonstrate growth as we support Infisical as open-source software.",
+      "To opt into telemetry, you can set `TELEMETRY_ENABLED=true` within the environment variables.",
+    ].join('\n'))
+  }
 }
 
-let postHogClient: any;
-if (NODE_ENV === 'production' && TELEMETRY_ENABLED) {
-  // case: enable opt-out telemetry in production
-  postHogClient = new PostHog(POSTHOG_PROJECT_API_KEY, {
-    host: POSTHOG_HOST
-  });
+/**
+ * Return an instance of the PostHog client initialized.
+ * @returns 
+ */
+const getPostHogClient = () => {
+  let postHogClient: any;
+  if (getNodeEnv() === 'production' && getTelemetryEnabled()) {
+    // case: enable opt-out telemetry in production
+    postHogClient = new PostHog(getPostHogProjectApiKey(), {
+      host: getPostHogHost()
+    });
+  } 
+  
+  return postHogClient;
+}
+
+export {
+  logTelemetryMessage,
+  getPostHogClient
 }
 
-export default postHogClient;

backend/src/services/TokenService.ts

@@ -0,0 +1,69 @@
+import { Types } from 'mongoose';
+import { createTokenHelper, validateTokenHelper } from '../helpers/token';
+
+/**
+ * Class to handle token actions
+ * TODO: elaborate more on this class
+ */
+class TokenService {
+    /**
+     * Create a token [token] for type [type] with associated details
+     * @param {Object} obj
+     * @param {String} obj.type - type or context of token (e.g. emailConfirmation)
+     * @param {String} obj.email - email associated with the token
+     * @param {String} obj.phoneNumber - phone number associated with the token
+     * @param {Types.ObjectId} obj.organizationId - id of organization associated with the token
+     * @returns {String} token - the token to create
+     */
+    static async createToken({
+        type,
+        email,
+        phoneNumber,
+        organizationId
+    }: {
+        type: 'emailConfirmation' | 'emailMfa' | 'organizationInvitation' | 'passwordReset';
+        email?: string;
+        phoneNumber?: string;
+        organizationId?: Types.ObjectId;
+    }) {
+        return await createTokenHelper({
+            type,
+            email,
+            phoneNumber,
+            organizationId
+        });
+    }
+    
+    /**
+     * Validate whether or not token [token] and its associated details match a token in the DB
+     * @param {Object} obj
+     * @param {String} obj.type - type or context of token (e.g. emailConfirmation)
+     * @param {String} obj.email - email associated with the token
+     * @param {String} obj.phoneNumber - phone number associated with the token
+     * @param {Types.ObjectId} obj.organizationId - id of organization associated with the token
+     * @param {String} obj.token - the token to validate
+     */
+    static async validateToken({
+        type,
+        email,
+        phoneNumber,
+        organizationId,
+        token
+    }: {
+        type: 'emailConfirmation' | 'emailMfa' | 'organizationInvitation' | 'passwordReset';
+        email?: string;
+        phoneNumber?: string;
+        organizationId?: Types.ObjectId;
+        token: string;
+    }) {
+        return await validateTokenHelper({
+            type,
+            email,
+            phoneNumber,
+            organizationId,
+            token
+        });
+    }
+}
+
+export default TokenService;

backend/src/services/index.ts

@@ -1,13 +1,16 @@
 import DatabaseService from './DatabaseService';
-import postHogClient from './PostHogClient';
+import { logTelemetryMessage, getPostHogClient } from './PostHogClient';
 import BotService from './BotService';
 import EventService from './EventService';
 import IntegrationService from './IntegrationService';
+import TokenService from './TokenService';
 
 export {
+    logTelemetryMessage,
+    getPostHogClient,
     DatabaseService,
-    postHogClient,
     BotService,
     EventService,
-    IntegrationService
+    IntegrationService,
+    TokenService
 }

backend/src/services/smtp.ts

@@ -1,45 +1,68 @@
 import nodemailer from 'nodemailer';
-import { SMTP_HOST, SMTP_PORT, SMTP_USERNAME, SMTP_PASSWORD, SMTP_SECURE } from '../config';
-import { SMTP_HOST_SENDGRID, SMTP_HOST_MAILGUN } from '../variables';
+import {
+  SMTP_HOST_SENDGRID, 
+  SMTP_HOST_MAILGUN,
+  SMTP_HOST_SOCKETLABS,
+  SMTP_HOST_ZOHOMAIL
+} from '../variables';
 import SMTPConnection from 'nodemailer/lib/smtp-connection';
 import * as Sentry from '@sentry/node';
+import {
+  getSmtpHost,
+  getSmtpUsername,
+  getSmtpPassword,
+  getSmtpSecure,
+  getSmtpPort
+} from '../config';
 
-const mailOpts: SMTPConnection.Options = {
-  host: SMTP_HOST,
-  port: SMTP_PORT as number
-};
-
-if (SMTP_USERNAME && SMTP_PASSWORD) {
-  mailOpts.auth = {
-    user: SMTP_USERNAME,
-    pass: SMTP_PASSWORD
+export const initSmtp = () => {
+  const mailOpts: SMTPConnection.Options = {
+    host: getSmtpHost(),
+    port: getSmtpPort()
   };
-}
 
-if (SMTP_SECURE) {
-  switch (SMTP_HOST) {
-    case SMTP_HOST_SENDGRID:
-      mailOpts.requireTLS = true;
-      break;
-    case SMTP_HOST_MAILGUN:
-      mailOpts.requireTLS = true; 
-      mailOpts.tls = {
-        ciphers: 'TLSv1.2'
-      }
-      break;
-    default:
-      if (SMTP_HOST.includes('amazonaws.com')) {
+  if (getSmtpUsername() && getSmtpPassword()) {
+    mailOpts.auth = {
+      user: getSmtpUsername(),
+      pass: getSmtpPassword()
+    };
+  }
+
+  if (getSmtpSecure() ? getSmtpSecure() : false) {
+    switch (getSmtpHost()) {
+      case SMTP_HOST_SENDGRID:
+        mailOpts.requireTLS = true;
+        break;
+      case SMTP_HOST_MAILGUN:
+        mailOpts.requireTLS = true; 
         mailOpts.tls = {
           ciphers: 'TLSv1.2'
         }
-      } else {
-        mailOpts.secure = true;
-      }
-      break;
+        break;
+      case SMTP_HOST_SOCKETLABS:
+        mailOpts.requireTLS = true; 
+        mailOpts.tls = {
+          ciphers: 'TLSv1.2'
+        }
+        break;
+      case SMTP_HOST_ZOHOMAIL:
+        mailOpts.requireTLS = true; 
+        mailOpts.tls = {
+          ciphers: 'TLSv1.2'
+        }
+        break; 
+      default:
+        if (getSmtpHost().includes('amazonaws.com')) {
+          mailOpts.tls = {
+            ciphers: 'TLSv1.2'
+          }
+        } else {
+          mailOpts.secure = true;
+        }
+        break;
+    }
   }
-}
 
-export const initSmtp = () => {
   const transporter = nodemailer.createTransport(mailOpts);
   transporter
     .verify()
@@ -50,7 +73,7 @@ export const initSmtp = () => {
     .catch((err) => {
       Sentry.setUser(null);
       Sentry.captureException(
-        `SMTP - Failed to connect to ${SMTP_HOST}:${SMTP_PORT} \n\t${err}`
+        `SMTP - Failed to connect to ${getSmtpHost()}:${getSmtpPort()} \n\t${err}`
       );
     });
 

backend/src/templates/emailMfa.handlebars

@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta charset="utf-8">
+    <meta http-equiv="x-ua-compatible" content="ie=edge">
+    <title>MFA Code</title>
+</head>
+
+<body>
+    <h2>Infisical</h2>
+    <h2>Sign in attempt requires further verification</h2>
+    <p>Your MFA code is below — enter it where you started signing in to Infisical.</p>
+    <h2>{{code}}</h2>
+    <p>The MFA code will be valid for 2 minutes.</p>
+    <p>Not you? Contact Infisical or your administrator immediately.</p>
+</body>
+
+</html>

backend/src/templates/emailVerification.handlebars

@@ -1,14 +1,17 @@
 <!DOCTYPE html>
 <html>
+
 <head>
     <meta charset="utf-8">
     <meta http-equiv="x-ua-compatible" content="ie=edge">
-    <title>Email Verification</title>
+    <title>Code</title>
 </head>
+
 <body>
     <h2>Confirm your email address</h2>
     <p>Your confirmation code is below — enter it in the browser window where you've started signing up for Infisical.</p>
     <h1>{{code}}</h1>
     <p>Questions about setting up Infisical? Email us at support@infisical.com</p>
 </body>
+
 </html>

backend/src/templates/newDevice.handlebars

@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta charset="utf-8">
+    <meta http-equiv="x-ua-compatible" content="ie=edge">
+    <title>Successful login for {{email}} from new device</title>
+</head>
+
+<body>
+    <h2>Infisical</h2>
+    <p>We're verifying a recent login for {{email}}:</p>
+    <p><strong>Timestamp</strong>: {{timestamp}}</p>
+    <p><strong>IP address</strong>: {{ip}}</p>
+    <p><strong>User agent</strong>: {{userAgent}}</p>
+    <p>If you believe that this login is suspicious, please contact Infisical or reset your password immediately.</p>
+</body>
+
+</html>