Add deny api/get envs api

add basic auth model for Organization
2025-03-22 07:12:17 +00:00 · 2023-01-29 21:04:47 -08:00 · 2023-01-24 23:16:08 -08:00
516 changed files with 6226 additions and 25314 deletions
--- a/.env.example
+++ b/.env.example
@ -64,7 +64,7 @@ POSTHOG_PROJECT_API_KEY=
 STRIPE_SECRET_KEY=
 STRIPE_PUBLISHABLE_KEY=
 STRIPE_WEBHOOK_SECRET=
-STRIPE_PRODUCT_STARTER=
-STRIPE_PRODUCT_TEAM=
+STRIPE_PRODUCT_CARD_AUTH=
 STRIPE_PRODUCT_PRO=
+STRIPE_PRODUCT_STARTER=
 NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=
--- a/.github/values.yaml
+++ b/.github/values.yaml
@ -1,71 +1,36 @@
 frontend:
-  enabled: true
-  name: frontend
-  podAnnotations: {}
-  deploymentAnnotations:
-    secrets.infisical.com/auto-reload: "true"
-  replicaCount: 2
+  replicaCount: 1
  image:
-    repository: infisical/frontend
-    tag: "latest"
+    repository: 
    pullPolicy: Always
+    tag: "latest"
  kubeSecretRef: managed-secret-frontend
-  service:
-    annotations: {}
-    type: ClusterIP
-    nodePort: ""
-
-frontendEnvironmentVariables: null

 backend:
-  enabled: true
-  name: backend
-  podAnnotations: {}
-  deploymentAnnotations:
-    secrets.infisical.com/auto-reload: "true"
-  replicaCount: 2
+  replicaCount: 1
  image:
-    repository: infisical/backend
-    tag: "latest"
+    repository: 
    pullPolicy: Always
+    tag: "latest"
  kubeSecretRef: managed-backend-secret
-  service:
-    annotations: {}
-    type: ClusterIP
-    nodePort: ""
-
-backendEnvironmentVariables: null
-
-## Mongo DB persistence
-mongodb:
-  enabled: true
-  persistence:
-    enabled: false
-
-## By default the backend will be connected to a Mongo instance within the cluster
-## However, it is recommended to add a managed document DB connection string for production-use (DBaaS)
-## Learn about connection string type here https://www.mongodb.com/docs/manual/reference/connection-string/
-## e.g. "mongodb://<user>:<pass>@<host>:<port>/<database-name>"
-mongodbConnection:
-  externalMongoDBConnectionString: ""

 ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: "nginx"
-    # cert-manager.io/issuer: letsencrypt-nginx
-  hostName: gamma.infisical.com ## <- Replace with your own domain
-  frontend:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+  hostName: gamma.infisical.com
+  frontend: 
    path: /
    pathType: Prefix
  backend:
    path: /api
    pathType: Prefix
  tls:
-    []
-    # - secretName: letsencrypt-nginx
-    #   hosts:
-    #     - infisical.local
+    - secretName: echo-tls
+      hosts:
+        - gamma.infisical.com

-mailhog:
-  enabled: false
+backendEnvironmentVariables:
+
+frontendEnvironmentVariables:
--- a/.github/workflows/release_build.yml
+++ b/.github/workflows/release_build.yml
@ -4,7 +4,7 @@ on:
  push:
    # run only against tags
    tags:
-      - "v*"
+      - 'v*'

 permissions:
  contents: write
@ -18,16 +18,10 @@ jobs:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - run: git fetch --force --tags
-      - run: echo "Ref name ${{github.ref_name}}"
      - uses: actions/setup-go@v3
        with:
-          go-version: ">=1.19.3"
+          go-version: '>=1.19.3'
          cache: true
          cache-dependency-path: cli/go.sum
      - name: libssl1.1 => libssl1.0-dev for OSXCross
@ -39,18 +33,19 @@ jobs:
        run: |
          mkdir ../../osxcross
          git clone https://github.com/plentico/osxcross-target.git ../../osxcross/target
-      - uses: goreleaser/goreleaser-action@v4
+      - uses: goreleaser/goreleaser-action@v2
        with:
          distribution: goreleaser
          version: latest
-          args: release --clean
+          args: release --rm-dist
        env:
          GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
          FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}
          AUR_KEY: ${{ secrets.AUR_KEY }}
      - uses: actions/setup-python@v4
      - run: pip install --upgrade cloudsmith-cli
-      - name: Publish to CloudSmith
+      - name: Publish to CloudSmith 
        run: sh cli/upload_to_cloudsmith.sh
        env:
          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
+      
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@ -14,9 +14,6 @@ before:
 builds:
  - id: darwin-build
    binary: infisical
-    ldflags: -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
-    flags:
-      - -trimpath
    env:
      - CGO_ENABLED=1
      - CC=/home/runner/work/osxcross/target/bin/o64-clang
@ -27,14 +24,10 @@ builds:
      - goos: darwin
        goarch: "386"
    dir: ./cli
-
  - id: all-other-builds
    env:
      - CGO_ENABLED=0
    binary: infisical
-    ldflags: -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
-    flags:
-      - -trimpath
    goos:
      - freebsd
      - linux
@ -68,20 +61,18 @@ archives:

 release:
  replace_existing_draft: true
-  mode: "replace"
+  mode: 'replace'

 checksum:
-  name_template: "checksums.txt"
-
+  name_template: 'checksums.txt'
 snapshot:
-  name_template: "{{ incpatch .Version }}-devel"
-
+  name_template: "{{ incpatch .Version }}"
 changelog:
  sort: asc
  filters:
    exclude:
-      - "^docs:"
-      - "^test:"
+      - '^docs:'
+      - '^test:'

 # publishers:
 #   - name: fury.io
@ -89,7 +80,6 @@ changelog:
 #       - infisical
 #     dir: "{{ dir .ArtifactPath }}"
 #     cmd: curl -F package=@{{ .ArtifactName }} https://{{ .Env.FURY_TOKEN }}@push.fury.io/infisical/
-
 brews:
  - name: infisical
    tap:
@ -101,39 +91,31 @@ brews:
    folder: Formula
    homepage: "https://infisical.com"
    description: "The official Infisical CLI"
-    install: |-
-      bin.install "infisical"
-      bash_completion.install "completions/infisical.bash" => "infisical"
-      zsh_completion.install "completions/infisical.zsh" => "_infisical"
-      fish_completion.install "completions/infisical.fish"
-      man1.install "manpages/infisical.1.gz"
-
 nfpms:
-  - id: infisical
-    package_name: infisical
-    builds:
-      - all-other-builds
-    vendor: Infisical, Inc
-    homepage: https://infisical.com/
-    maintainer: Infisical, Inc
-    description: The offical Infisical CLI
-    license: MIT
-    formats:
-      - rpm
-      - deb
-      - apk
-      - archlinux
-    bindir: /usr/bin
-    contents:
-      - src: ./completions/infisical.bash
-        dst: /etc/bash_completion.d/infisical
-      - src: ./completions/infisical.fish
-        dst: /usr/share/fish/vendor_completions.d/infisical.fish
-      - src: ./completions/infisical.zsh
-        dst: /usr/share/zsh/site-functions/_infisical
-      - src: ./manpages/infisical.1.gz
-        dst: /usr/share/man/man1/infisical.1.gz
-
+- id: infisical
+  package_name: infisical
+  builds:
+    - all-other-builds
+  vendor: Infisical, Inc
+  homepage: https://infisical.com/
+  maintainer: Infisical, Inc
+  description: The offical Infisical CLI
+  license: MIT
+  formats:
+  - rpm
+  - deb
+  - apk
+  - archlinux
+  bindir: /usr/bin
+  contents:
+    - src: ./completions/infisical.bash
+      dst: /etc/bash_completion.d/infisical
+    - src: ./completions/infisical.fish
+      dst: /usr/share/fish/vendor_completions.d/infisical.fish
+    - src: ./completions/infisical.zsh
+      dst: /usr/share/zsh/site-functions/_infisical
+    - src: ./manpages/infisical.1.gz
+      dst: /usr/share/man/man1/infisical.1.gz
 scoop:
  bucket:
    owner: Infisical
@ -144,16 +126,16 @@ scoop:
  homepage: "https://infisical.com"
  description: "The official Infisical CLI"
  license: MIT
-
 aurs:
-  - name: infisical-bin
+  -
+    name: infisical-bin
    homepage: "https://infisical.com"
    description: "The official Infisical CLI"
    maintainers:
      - Infisical, Inc <support@infisical.com>
    license: MIT
-    private_key: "{{ .Env.AUR_KEY }}"
-    git_url: "ssh://aur@aur.archlinux.org/infisical-bin.git"
+    private_key: '{{ .Env.AUR_KEY }}'
+    git_url: 'ssh://aur@aur.archlinux.org/infisical-bin.git'
    package: |-
      # bin
      install -Dm755 "./infisical" "${pkgdir}/usr/bin/infisical"
@ -168,13 +150,19 @@ aurs:
      install -Dm644 "./completions/infisical.fish" "${pkgdir}/usr/share/fish/vendor_completions.d/infisical.fish"
      # man pages
      install -Dm644 "./manpages/infisical.1.gz" "${pkgdir}/usr/share/man/man1/infisical.1.gz"
-
 # dockers:
-#   - dockerfile: cli/docker/Dockerfile
+#   - dockerfile: goreleaser.dockerfile
 #     goos: linux
 #     goarch: amd64
 #     ids:
 #       - infisical
 #     image_templates:
-#       - "infisical/cli:{{ .Version }}"
+#       - "infisical/cli:{{ .Version }}"             
+#       - "infisical/cli:{{ .Major }}.{{ .Minor }}"  
+#       - "infisical/cli:{{ .Major }}"               
 #       - "infisical/cli:latest"
+#     build_flag_templates:
+#       - "--label=org.label-schema.schema-version=1.0"
+#       - "--label=org.label-schema.version={{.Version}}"
+#       - "--label=org.label-schema.name={{.ProjectName}}"
+#       - "--platform=linux/amd64"
--- a/README.md
+++ b/README.md
--- a/backend/environment.d.ts
+++ b/backend/environment.d.ts
@ -3,10 +3,8 @@ export {};
 declare global {
  namespace NodeJS {
    interface ProcessEnv {
-      PORT: string;
      EMAIL_TOKEN_LIFETIME: string;
      ENCRYPTION_KEY: string;
-      SALT_ROUNDS: string;
      JWT_AUTH_LIFETIME: string;
      JWT_AUTH_SECRET: string;
      JWT_REFRESH_LIFETIME: string;
@ -21,31 +19,23 @@ declare global {
      CLIENT_ID_HEROKU: string;
      CLIENT_ID_VERCEL: string;
      CLIENT_ID_NETLIFY: string;
-      CLIENT_ID_GITHUB: string;
      CLIENT_SECRET_HEROKU: string;
      CLIENT_SECRET_VERCEL: string;
      CLIENT_SECRET_NETLIFY: string;
-      CLIENT_SECRET_GITHUB: string;
-      CLIENT_SLUG_VERCEL: string;
 			POSTHOG_HOST: string;
 			POSTHOG_PROJECT_API_KEY: string;
      SENTRY_DSN: string;
      SITE_URL: string;
      SMTP_HOST: string;
-      SMTP_SECURE: string;
-      SMTP_PORT: string;
-      SMTP_USERNAME: string;
+      SMTP_NAME: string;
      SMTP_PASSWORD: string;
-      SMTP_FROM_ADDRESS: string;
-      SMTP_FROM_NAME: string;
-      STRIPE_PRODUCT_STARTER: string;
-      STRIPE_PRODUCT_TEAM: string;
+      SMTP_USERNAME: string;
+      STRIPE_PRODUCT_CARD_AUTH: string;
      STRIPE_PRODUCT_PRO: string;
+      STRIPE_PRODUCT_STARTER: string;
      STRIPE_PUBLISHABLE_KEY: string;
      STRIPE_SECRET_KEY: string;
      STRIPE_WEBHOOK_SECRET: string;
-      TELEMETRY_ENABLED: string;
-      LICENSE_KEY: string;
    }
  }
 }
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
--- a/backend/package.json
+++ b/backend/package.json
@ -1,48 +1,4 @@
 {
-  "dependencies": {
-    "@aws-sdk/client-secrets-manager": "^3.267.0",
-    "@godaddy/terminus": "^4.11.2",
-    "@octokit/rest": "^19.0.5",
-    "@sentry/node": "^7.14.0",
-    "@sentry/tracing": "^7.19.0",
-    "@types/crypto-js": "^4.1.1",
-    "@types/libsodium-wrappers": "^0.7.10",
-    "await-to-js": "^3.0.0",
-    "aws-sdk": "^2.1311.0",
-    "axios": "^1.1.3",
-    "bcrypt": "^5.1.0",
-    "bigint-conversion": "^2.2.2",
-    "builder-pattern": "^2.2.0",
-    "cookie-parser": "^1.4.6",
-    "cors": "^2.8.5",
-    "crypto-js": "^4.1.1",
-    "dotenv": "^16.0.1",
-    "express": "^4.18.1",
-    "express-rate-limit": "^6.7.0",
-    "express-validator": "^6.14.2",
-    "handlebars": "^4.7.7",
-    "helmet": "^5.1.1",
-    "js-yaml": "^4.1.0",
-    "jsonwebtoken": "^9.0.0",
-    "jsrp": "^0.2.4",
-    "libsodium-wrappers": "^0.7.10",
-    "lodash": "^4.17.21",
-    "mongoose": "^6.7.2",
-    "nodemailer": "^6.8.0",
-    "posthog-node": "^2.2.2",
-    "query-string": "^7.1.3",
-    "request-ip": "^3.3.0",
-    "rimraf": "^3.0.2",
-    "stripe": "^10.7.0",
-    "swagger-autogen": "^2.22.0",
-    "swagger-ui-express": "^4.6.0",
-    "tweetnacl": "^1.0.3",
-    "tweetnacl-util": "^0.15.1",
-    "typescript": "^4.9.3",
-    "utility-types": "^3.10.0",
-    "winston": "^3.8.2",
-    "winston-loki": "^6.0.6"
-  },
  "name": "infisical-api",
  "version": "1.0.0",
  "main": "src/index.js",
@ -118,5 +74,47 @@
    "suiteNameTemplate": "{filepath}",
    "classNameTemplate": "{classname}",
    "titleTemplate": "{title}"
+  },
+  "dependencies": {
+    "@godaddy/terminus": "^4.11.2",
+    "@octokit/rest": "^19.0.5",
+    "@sentry/node": "^7.14.0",
+    "@sentry/tracing": "^7.19.0",
+    "@types/crypto-js": "^4.1.1",
+    "@types/libsodium-wrappers": "^0.7.10",
+    "await-to-js": "^3.0.0",
+    "axios": "^1.1.3",
+    "bcrypt": "^5.1.0",
+    "bigint-conversion": "^2.2.2",
+    "builder-pattern": "^2.2.0",
+    "cookie-parser": "^1.4.6",
+    "cors": "^2.8.5",
+    "crypto-js": "^4.1.1",
+    "dotenv": "^16.0.1",
+    "express": "^4.18.1",
+    "express-rate-limit": "^6.7.0",
+    "express-validator": "^6.14.2",
+    "handlebars": "^4.7.7",
+    "helmet": "^5.1.1",
+    "js-yaml": "^4.1.0",
+    "jsonwebtoken": "^9.0.0",
+    "jsrp": "^0.2.4",
+    "libsodium-wrappers": "^0.7.10",
+    "lodash": "^4.17.21",
+    "mongoose": "^6.7.2",
+    "nodemailer": "^6.8.0",
+    "posthog-node": "^2.2.2",
+    "query-string": "^7.1.3",
+    "request-ip": "^3.3.0",
+    "rimraf": "^3.0.2",
+    "stripe": "^10.7.0",
+    "swagger-autogen": "^2.22.0",
+    "swagger-ui-express": "^4.6.0",
+    "tweetnacl": "^1.0.3",
+    "tweetnacl-util": "^0.15.1",
+    "typescript": "^4.9.3",
+    "utility-types": "^3.10.0",
+    "winston": "^3.8.2",
+    "winston-loki": "^6.0.6"
  }
 }
--- a/backend/src/app.ts
+++ b/backend/src/app.ts
@ -1,7 +1,7 @@
 // eslint-disable-next-line @typescript-eslint/no-var-requires
 const { patchRouterParam } = require('./utils/patchAsyncRoutes');

-import express from 'express';
+import express, { Request, Response } from 'express';
 import helmet from 'helmet';
 import cors from 'cors';
 import cookieParser from 'cookie-parser';
@ -42,8 +42,6 @@ import {
  integrationAuth as v1IntegrationAuthRouter
 } from './routes/v1';
 import {
-  signup as v2SignupRouter,
-  auth as v2AuthRouter,
  users as v2UsersRouter,
  organizations as v2OrganizationsRouter,
  workspace as v2WorkspaceRouter,
@ -52,7 +50,6 @@ import {
  serviceTokenData as v2ServiceTokenDataRouter,
  apiKeyData as v2APIKeyDataRouter,
  environment as v2EnvironmentRouter,
-  tags as v2TagsRouter,
 } from './routes/v2';

 import { healthCheck } from './routes/status';
@ -112,12 +109,9 @@ app.use('/api/v1/integration', v1IntegrationRouter);
 app.use('/api/v1/integration-auth', v1IntegrationAuthRouter);

 // v2 routes
-app.use('/api/v2/signup', v2SignupRouter);
-app.use('/api/v2/auth', v2AuthRouter);
 app.use('/api/v2/users', v2UsersRouter);
 app.use('/api/v2/organizations', v2OrganizationsRouter);
 app.use('/api/v2/workspace', v2EnvironmentRouter);
-app.use('/api/v2/workspace', v2TagsRouter);
 app.use('/api/v2/workspace', v2WorkspaceRouter);
 app.use('/api/v2/secret', v2SecretRouter); // deprecated
 app.use('/api/v2/secrets', v2SecretsRouter);
--- a/backend/src/config/index.ts
+++ b/backend/src/config/index.ts
@ -1,12 +1,9 @@
 const PORT = process.env.PORT || 4000;
-const EMAIL_TOKEN_LIFETIME = parseInt(process.env.EMAIL_TOKEN_LIFETIME! || '86400');
-const INVITE_ONLY_SIGNUP = process.env.INVITE_ONLY_SIGNUP == undefined ? false : process.env.INVITE_ONLY_SIGNUP
+const EMAIL_TOKEN_LIFETIME = process.env.EMAIL_TOKEN_LIFETIME! || '86400';
 const ENCRYPTION_KEY = process.env.ENCRYPTION_KEY!;
 const SALT_ROUNDS = parseInt(process.env.SALT_ROUNDS!) || 10;
 const JWT_AUTH_LIFETIME = process.env.JWT_AUTH_LIFETIME! || '10d';
 const JWT_AUTH_SECRET = process.env.JWT_AUTH_SECRET!;
-const JWT_MFA_LIFETIME = process.env.JWT_MFA_LIFETIME! || '5m';
-const JWT_MFA_SECRET = process.env.JWT_MFA_SECRET!;
 const JWT_REFRESH_LIFETIME = process.env.JWT_REFRESH_LIFETIME! || '90d';
 const JWT_REFRESH_SECRET = process.env.JWT_REFRESH_SECRET!;
 const JWT_SERVICE_SECRET = process.env.JWT_SERVICE_SECRET!;
@ -16,18 +13,15 @@ const MONGO_URL = process.env.MONGO_URL!;
 const NODE_ENV = process.env.NODE_ENV! || 'production';
 const VERBOSE_ERROR_OUTPUT = process.env.VERBOSE_ERROR_OUTPUT! === 'true' && true;
 const LOKI_HOST = process.env.LOKI_HOST || undefined;
-const CLIENT_ID_AZURE = process.env.CLIENT_ID_AZURE!;
-const TENANT_ID_AZURE = process.env.TENANT_ID_AZURE!;
+const CLIENT_SECRET_HEROKU = process.env.CLIENT_SECRET_HEROKU!;
 const CLIENT_ID_HEROKU = process.env.CLIENT_ID_HEROKU!;
 const CLIENT_ID_VERCEL = process.env.CLIENT_ID_VERCEL!;
 const CLIENT_ID_NETLIFY = process.env.CLIENT_ID_NETLIFY!;
 const CLIENT_ID_GITHUB = process.env.CLIENT_ID_GITHUB!;
-const CLIENT_SECRET_AZURE = process.env.CLIENT_SECRET_AZURE!;
-const CLIENT_SECRET_HEROKU = process.env.CLIENT_SECRET_HEROKU!;
 const CLIENT_SECRET_VERCEL = process.env.CLIENT_SECRET_VERCEL!;
 const CLIENT_SECRET_NETLIFY = process.env.CLIENT_SECRET_NETLIFY!;
 const CLIENT_SECRET_GITHUB = process.env.CLIENT_SECRET_GITHUB!;
-const CLIENT_SLUG_VERCEL = process.env.CLIENT_SLUG_VERCEL!;
+const CLIENT_SLUG_VERCEL= process.env.CLIENT_SLUG_VERCEL!;
 const POSTHOG_HOST = process.env.POSTHOG_HOST! || 'https://app.posthog.com';
 const POSTHOG_PROJECT_API_KEY =
  process.env.POSTHOG_PROJECT_API_KEY! ||
@ -41,9 +35,9 @@ const SMTP_USERNAME = process.env.SMTP_USERNAME!;
 const SMTP_PASSWORD = process.env.SMTP_PASSWORD!;
 const SMTP_FROM_ADDRESS = process.env.SMTP_FROM_ADDRESS!;
 const SMTP_FROM_NAME = process.env.SMTP_FROM_NAME! || 'Infisical';
-const STRIPE_PRODUCT_STARTER = process.env.STRIPE_PRODUCT_STARTER!;
+const STRIPE_PRODUCT_CARD_AUTH = process.env.STRIPE_PRODUCT_CARD_AUTH!;
 const STRIPE_PRODUCT_PRO = process.env.STRIPE_PRODUCT_PRO!;
-const STRIPE_PRODUCT_TEAM = process.env.STRIPE_PRODUCT_TEAM!;
+const STRIPE_PRODUCT_STARTER = process.env.STRIPE_PRODUCT_STARTER!;
 const STRIPE_PUBLISHABLE_KEY = process.env.STRIPE_PUBLISHABLE_KEY!;
 const STRIPE_SECRET_KEY = process.env.STRIPE_SECRET_KEY!;
 const STRIPE_WEBHOOK_SECRET = process.env.STRIPE_WEBHOOK_SECRET!;
@ -53,13 +47,10 @@ const LICENSE_KEY = process.env.LICENSE_KEY!;
 export {
  PORT,
  EMAIL_TOKEN_LIFETIME,
-  INVITE_ONLY_SIGNUP,
  ENCRYPTION_KEY,
  SALT_ROUNDS,
  JWT_AUTH_LIFETIME,
  JWT_AUTH_SECRET,
-  JWT_MFA_LIFETIME,
-  JWT_MFA_SECRET,
  JWT_REFRESH_LIFETIME,
  JWT_REFRESH_SECRET,
  JWT_SERVICE_SECRET,
@ -69,13 +60,10 @@ export {
  NODE_ENV,
  VERBOSE_ERROR_OUTPUT,
  LOKI_HOST,
-  CLIENT_ID_AZURE,
-  TENANT_ID_AZURE,
  CLIENT_ID_HEROKU,
  CLIENT_ID_VERCEL,
  CLIENT_ID_NETLIFY,
  CLIENT_ID_GITHUB,
-  CLIENT_SECRET_AZURE,
  CLIENT_SECRET_HEROKU,
  CLIENT_SECRET_VERCEL,
  CLIENT_SECRET_NETLIFY,
@ -92,9 +80,9 @@ export {
  SMTP_PASSWORD,
  SMTP_FROM_ADDRESS,
  SMTP_FROM_NAME,
-  STRIPE_PRODUCT_STARTER,
-  STRIPE_PRODUCT_TEAM,
+  STRIPE_PRODUCT_CARD_AUTH,
  STRIPE_PRODUCT_PRO,
+  STRIPE_PRODUCT_STARTER,
  STRIPE_PUBLISHABLE_KEY,
  STRIPE_SECRET_KEY,
  STRIPE_WEBHOOK_SECRET,
--- a/backend/src/controllers/v1/authController.ts
+++ b/backend/src/controllers/v1/authController.ts
@ -4,22 +4,14 @@ import jwt from 'jsonwebtoken';
 import * as Sentry from '@sentry/node';
 import * as bigintConversion from 'bigint-conversion';
 const jsrp = require('jsrp');
-import { User, LoginSRPDetail } from '../../models';
-import { createToken, issueAuthTokens, clearTokens } from '../../helpers/auth';
-import { checkUserDevice } from '../../helpers/user';
-import {
-  ACTION_LOGIN,
-  ACTION_LOGOUT
-} from '../../variables';
+import { User } from '../../models';
+import { createToken, issueTokens, clearTokens } from '../../helpers/auth';
 import {
  NODE_ENV,
  JWT_AUTH_LIFETIME,
  JWT_AUTH_SECRET,
  JWT_REFRESH_SECRET
 } from '../../config';
-import { BadRequestError } from '../../utils/errors';
-import { EELogService } from '../../ee/services';
-import { getChannelFromUserAgent } from '../../utils/posthog'; // TODO: move this

 declare module 'jsonwebtoken' {
  export interface UserIDJwtPayload extends jwt.JwtPayload {
@ -27,6 +19,8 @@ declare module 'jsonwebtoken' {
  }
 }

+const clientPublicKeys: any = {};
+
 /**
 * Log in user step 1: Return [salt] and [serverPublicKey] as part of step 1 of SRP protocol
 * @param req
@ -52,15 +46,13 @@ export const login1 = async (req: Request, res: Response) => {
        salt: user.salt,
        verifier: user.verifier
      },
-      async () => {
+      () => {
        // generate server-side public key
        const serverPublicKey = server.getPublicKey();
-
-        await LoginSRPDetail.findOneAndReplace({ email: email }, {
-          email: email,
-          clientPublicKey: clientPublicKey,
-          serverBInt: bigintConversion.bigintToBuf(server.bInt),
-        }, { upsert: true, returnNewDocument: false })
+        clientPublicKeys[email] = {
+          clientPublicKey,
+          serverBInt: bigintConversion.bigintToBuf(server.bInt)
+        };

        return res.status(200).send({
          serverPublicKey,
@ -93,33 +85,20 @@ export const login2 = async (req: Request, res: Response) => {

    if (!user) throw new Error('Failed to find user');

-    const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: email })
-
-    if (!loginSRPDetailFromDB) {
-      return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
-    }
-
    const server = new jsrp.server();
    server.init(
      {
        salt: user.salt,
        verifier: user.verifier,
-        b: loginSRPDetailFromDB.serverBInt
+        b: clientPublicKeys[email].serverBInt
      },
      async () => {
-        server.setClientPublicKey(loginSRPDetailFromDB.clientPublicKey);
+        server.setClientPublicKey(clientPublicKeys[email].clientPublicKey);

        // compare server and client shared keys
        if (server.checkClientProof(clientProof)) {
          // issue tokens
-
-          await checkUserDevice({
-            user,
-            ip: req.ip,
-            userAgent: req.headers['user-agent'] ?? ''
-          });
-
-          const tokens = await issueAuthTokens({ userId: user._id.toString() });
+          const tokens = await issueTokens({ userId: user._id.toString() });

          // store (refresh) token in httpOnly cookie
          res.cookie('jid', tokens.refreshToken, {
@ -129,18 +108,6 @@ export const login2 = async (req: Request, res: Response) => {
            secure: NODE_ENV === 'production' ? true : false
          });

-          const loginAction = await EELogService.createAction({
-            name: ACTION_LOGIN,
-            userId: user._id
-          });
-          
-          loginAction && await EELogService.createLog({
-            userId: user._id,
-            actions: [loginAction],
-            channel: getChannelFromUserAgent(req.headers['user-agent']),
-            ipAddress: req.ip
-          });
-          
          // return (access) token in response
          return res.status(200).send({
            token: tokens.token,
@ -184,19 +151,6 @@ export const logout = async (req: Request, res: Response) => {
      sameSite: 'strict',
      secure: NODE_ENV === 'production' ? true : false
    });
-
-    const logoutAction = await EELogService.createAction({
-      name: ACTION_LOGOUT,
-      userId: req.user._id
-    });
-    
-    logoutAction && await EELogService.createLog({
-      userId: req.user._id,
-      actions: [logoutAction],
-      channel: getChannelFromUserAgent(req.headers['user-agent']),
-      ipAddress: req.ip
-    });
-
  } catch (err) {
    Sentry.setUser({ email: req.user.email });
    Sentry.captureException(err);
--- a/backend/src/controllers/v1/integrationAuthController.ts
+++ b/backend/src/controllers/v1/integrationAuthController.ts
@ -10,37 +10,15 @@ import { INTEGRATION_SET, INTEGRATION_OPTIONS } from '../../variables';
 import { IntegrationService } from '../../services';
 import { getApps, revokeAccess } from '../../integrations';

-/***
- * Return integration authorization with id [integrationAuthId]
- */
-export const getIntegrationAuth = async (req: Request, res: Response) => {
-	let integrationAuth;
-	try {
-		const { integrationAuthId } = req.params;
-		integrationAuth = await IntegrationAuth.findById(integrationAuthId);
-		
-		if (!integrationAuth) return res.status(400).send({
-			message: 'Failed to find integration authorization'
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get integration authorization'
-		});	
-	}
-	
+export const getIntegrationOptions = async (
+	req: Request,
+	res: Response
+) => {
 	return res.status(200).send({
-		integrationAuth
+		integrationOptions: INTEGRATION_OPTIONS
 	});
 }

-export const getIntegrationOptions = async (req: Request, res: Response) => {
-  return res.status(200).send({
-    integrationOptions: INTEGRATION_OPTIONS,
-  });
-};
-
 /**
 * Perform OAuth2 code-token exchange as part of integration [integration] for workspace with id [workspaceId]
 * @param req
@ -53,6 +31,7 @@ export const oAuthExchange = async (
 ) => {
 	try {
 		const { workspaceId, code, integration } = req.body;
+
 		if (!INTEGRATION_SET.has(integration))
 			throw new Error('Failed to validate integration');
 		
@ -61,16 +40,12 @@ export const oAuthExchange = async (
 			throw new Error("Failed to get environments")
 		}
 	
-		const integrationAuth = await IntegrationService.handleOAuthExchange({
+		await IntegrationService.handleOAuthExchange({
 			workspaceId,
 			integration,
 			code,
 			environment: environments[0].slug,
 		});
-		
-		return res.status(200).send({
-			integrationAuth
-		});
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);
@ -78,42 +53,34 @@ export const oAuthExchange = async (
 			message: 'Failed to get OAuth2 code-token exchange'
 		});
 	}
+
+	return res.status(200).send({
+		message: 'Successfully enabled integration authorization'
+	});
 };

 /**
- * Save integration access token and (optionally) access id as part of integration
- * [integration] for workspace with id [workspaceId]
+ * Save integration access token as part of integration [integration] for workspace with id [workspaceId]
 * @param req 
 * @param res 
 */
 export const saveIntegrationAccessToken = async (
-  req: Request,
-  res: Response
+	req: Request,
+	res: Response
 ) => {
 	// TODO: refactor
-	// TODO: check if access token is valid for each integration
-
 	let integrationAuth;
 	try {
 		const {
 			workspaceId,
-			accessId,
 			accessToken,
 			integration
 		}: {
 			workspaceId: string;
-			accessId: string | null;
 			accessToken: string;
 			integration: string;
 		} = req.body;

-		const bot = await Bot.findOne({
-            workspace: new Types.ObjectId(workspaceId),
-            isActive: true
-        });
-        
-        if (!bot) throw new Error('Bot must be enabled to save integration access token');
-
 		integrationAuth = await IntegrationAuth.findOneAndUpdate({
            workspace: new Types.ObjectId(workspaceId),
            integration
@ -124,11 +91,17 @@ export const saveIntegrationAccessToken = async (
            new: true,
            upsert: true
        });
+
+		const bot = await Bot.findOne({
+            workspace: new Types.ObjectId(workspaceId),
+            isActive: true
+        });
+        
+        if (!bot) throw new Error('Bot must be enabled to save integration access token');
 		
-		// encrypt and save integration access details
+		// encrypt and save integration access token
 		integrationAuth = await IntegrationService.setIntegrationAuthAccess({
 			integrationAuthId: integrationAuth._id.toString(),
-			accessId,
 			accessToken,
 			accessExpiresAt: undefined
 		});
@ -154,23 +127,23 @@ export const saveIntegrationAccessToken = async (
 * @returns
 */
 export const getIntegrationAuthApps = async (req: Request, res: Response) => {
-  let apps;
-  try {
-    apps = await getApps({
-      integrationAuth: req.integrationAuth,
-      accessToken: req.accessToken,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get integration authorization applications",
-    });
-  }
+	let apps;
+	try {
+		apps = await getApps({
+			integrationAuth: req.integrationAuth,
+			accessToken: req.accessToken
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+        Sentry.captureException(err);	
+		return res.status(400).send({
+			message: 'Failed to get integration authorization applications'
+		});
+	}

-  return res.status(200).send({
-    apps,
-  });
+	return res.status(200).send({
+		apps
+	});
 };

 /**
@ -180,21 +153,21 @@ export const getIntegrationAuthApps = async (req: Request, res: Response) => {
 * @returns
 */
 export const deleteIntegrationAuth = async (req: Request, res: Response) => {
-  let integrationAuth;
-  try {
-    integrationAuth = await revokeAccess({
-      integrationAuth: req.integrationAuth,
-      accessToken: req.accessToken,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to delete integration authorization",
-    });
-  }
-
-  return res.status(200).send({
-    integrationAuth,
-  });
-};
+	let integrationAuth;
+	try {
+		integrationAuth = await revokeAccess({
+			integrationAuth: req.integrationAuth,
+			accessToken: req.accessToken
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+        Sentry.captureException(err);	
+		return res.status(400).send({
+			message: 'Failed to delete integration authorization'
+		});
+	}
+	
+	return res.status(200).send({
+		integrationAuth
+	});
+}
--- a/backend/src/controllers/v1/integrationController.ts
+++ b/backend/src/controllers/v1/integrationController.ts
@ -1,5 +1,4 @@
 import { Request, Response } from 'express';
-import { Types } from 'mongoose';
 import * as Sentry from '@sentry/node';
 import { 
 	Integration, 
@ -12,41 +11,73 @@ import { eventPushSecrets } from '../../events';

 /**
 * Create/initialize an (empty) integration for integration authorization
- * @param req
- * @param res
- * @returns
+ * @param req 
+ * @param res 
+ * @returns 
 */
 export const createIntegration = async (req: Request, res: Response) => {
 	let integration;
 	try {
-		const {
-			integrationAuthId,
-			app,
-			appId,
-			isActive,
-			sourceEnvironment,
-			targetEnvironment,
-			owner,
-			path,
-			region
-		} = req.body;
-		
-		// TODO: validate [sourceEnvironment] and [targetEnvironment]
-
 		// initialize new integration after saving integration access token
        integration = await new Integration({
            workspace: req.integrationAuth.workspace._id,
-            environment: sourceEnvironment,
-            isActive,
-            app,
+            isActive: false,
+            app: null,
+            environment: req.integrationAuth.workspace?.environments[0].slug,
+            integration: req.integrationAuth.integration,
+            integrationAuth: req.integrationAuth._id
+        }).save();
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to create integration'
+		});
+	}
+
+	return res.status(200).send({
+		integration
+	});
+}
+
+/**
+ * Change environment or name of integration with id [integrationId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const updateIntegration = async (req: Request, res: Response) => {
+	let integration;
+	
+	// TODO: add integration-specific validation to ensure that each
+	// integration has the correct fields populated in [Integration]
+	
+	try {
+		const { 
+			environment, 
+			isActive, 
+			app, 
 			appId,
 			targetEnvironment,
-			owner,
-			path,
-			region,
-            integration: req.integrationAuth.integration,
-            integrationAuth: new Types.ObjectId(integrationAuthId)
-        }).save();
+			owner, // github-specific integration param
+		} = req.body;
+		
+		integration = await Integration.findOneAndUpdate(
+			{
+				_id: req.integration._id
+			},
+			{
+				environment,
+				isActive,
+				app,
+				appId,
+				targetEnvironment,
+				owner
+			},
+			{
+				new: true
+			}
+		);
 		
 		if (integration) {
 			// trigger event - push secrets
@ -56,78 +87,17 @@ export const createIntegration = async (req: Request, res: Response) => {
 				})
 			});
 		}
-
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);
 		return res.status(400).send({
-			message: 'Failed to create integration'
+			message: 'Failed to update integration'
 		});
 	}

-  return res.status(200).send({
-    integration,
-  });
-};
-
-/**
- * Change environment or name of integration with id [integrationId]
- * @param req
- * @param res
- * @returns
- */
-export const updateIntegration = async (req: Request, res: Response) => {
-  let integration;
-
-  // TODO: add integration-specific validation to ensure that each
-  // integration has the correct fields populated in [Integration]
-
-  try {
-    const {
-      environment,
-      isActive,
-      app,
-      appId,
-      targetEnvironment,
-      owner, // github-specific integration param
-    } = req.body;
-
-    integration = await Integration.findOneAndUpdate(
-      {
-        _id: req.integration._id,
-      },
-      {
-        environment,
-        isActive,
-        app,
-        appId,
-        targetEnvironment,
-        owner,
-      },
-      {
-        new: true,
-      }
-    );
-
-    if (integration) {
-      // trigger event - push secrets
-      EventService.handleEvent({
-        event: eventPushSecrets({
-          workspaceId: integration.workspace.toString(),
-        }),
-      });
-    }
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to update integration",
-    });
-  }
-
-  return res.status(200).send({
-    integration,
-  });
+	return res.status(200).send({
+		integration
+	});
 };

 /**
@ -138,24 +108,24 @@ export const updateIntegration = async (req: Request, res: Response) => {
 * @returns
 */
 export const deleteIntegration = async (req: Request, res: Response) => {
-  let integration;
-  try {
-    const { integrationId } = req.params;
+	let integration;
+	try {
+		const { integrationId } = req.params;

-    integration = await Integration.findOneAndDelete({
-      _id: integrationId,
-    });
-
-    if (!integration) throw new Error("Failed to find integration");
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to delete integration",
-    });
-  }
-
-  return res.status(200).send({
-    integration,
-  });
+		integration = await Integration.findOneAndDelete({
+			_id: integrationId
+		});
+		
+		if (!integration) throw new Error('Failed to find integration');
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to delete integration'
+		});
+	}
+	
+	return res.status(200).send({
+		integration
+	});
 };
--- a/backend/src/controllers/v1/membershipOrgController.ts
+++ b/backend/src/controllers/v1/membershipOrgController.ts
@ -1,13 +1,14 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
+import crypto from 'crypto';
 import { SITE_URL, JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET } from '../../config';
-import { MembershipOrg, Organization, User } from '../../models';
+import { MembershipOrg, Organization, User, Token } from '../../models';
 import { deleteMembershipOrg as deleteMemberFromOrg } from '../../helpers/membershipOrg';
+import { checkEmailVerification } from '../../helpers/signup';
 import { createToken } from '../../helpers/auth';
 import { updateSubscriptionOrgQuantity } from '../../helpers/organization';
 import { sendMail } from '../../helpers/nodemailer';
-import { TokenService } from '../../services';
-import { OWNER, ADMIN, MEMBER, ACCEPTED, INVITED, TOKEN_EMAIL_ORG_INVITATION } from '../../variables';
+import { OWNER, ADMIN, MEMBER, ACCEPTED, INVITED } from '../../variables';

 /**
 * Delete organization membership with id [membershipOrgId] from organization
@ -76,6 +77,8 @@ export const changeMembershipOrgRole = async (req: Request, res: Response) => {
 	// change role for (target) organization membership with id
 	// [membershipOrgId]

+	// TODO
+
 	let membershipToChangeRole;
 	// try {
 	// } catch (err) {
@ -112,14 +115,14 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 		if (!membershipOrg) {
 			throw new Error('Failed to validate organization membership');
 		}
-
+		
 		invitee = await User.findOne({
 			email: inviteeEmail
 		}).select('+publicKey');

 		if (invitee) {
 			// case: invitee is an existing user
-
+			
 			inviteeMembershipOrg = await MembershipOrg.findOne({
 				user: invitee._id,
 				organization: organizationId
@ -162,11 +165,17 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 		const organization = await Organization.findOne({ _id: organizationId });

 		if (organization) {
-			const token = await TokenService.createToken({
-				type: TOKEN_EMAIL_ORG_INVITATION,
-				email: inviteeEmail,
-				organizationId: organization._id
-			});
+			const token = crypto.randomBytes(16).toString('hex');
+
+			await Token.findOneAndUpdate(
+				{ email: inviteeEmail },
+				{
+					email: inviteeEmail,
+					token,
+					createdAt: new Date()
+				},
+				{ upsert: true, new: true }
+			);

 			await sendMail({
 				template: 'organizationInvitation.handlebars',
@ -218,12 +227,10 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => {

 		if (!membershipOrg)
 			throw new Error('Failed to find any invitations for email');
-		
-		await TokenService.validateToken({
-			type: TOKEN_EMAIL_ORG_INVITATION,
+
+		await checkEmailVerification({
 			email,
-			organizationId: membershipOrg.organization,
-			token: code
+			code
 		});

 		if (user && user?.publicKey) {
@ -236,7 +243,7 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => {
 				message: 'Successfully verified email',
 				user,
 			});
-		}
+        }

 		if (!user) {
 			// initialize user account
--- a/backend/src/controllers/v1/organizationController.ts
+++ b/backend/src/controllers/v1/organizationController.ts
@ -2,7 +2,10 @@ import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
 import {
 	SITE_URL,
-	STRIPE_SECRET_KEY
+	STRIPE_SECRET_KEY,
+	STRIPE_PRODUCT_STARTER,
+	STRIPE_PRODUCT_PRO,
+	STRIPE_PRODUCT_CARD_AUTH
 } from '../../config';
 import Stripe from 'stripe';

@ -14,13 +17,17 @@ import {
 	MembershipOrg,
 	Organization,
 	Workspace,
-	IncidentContactOrg,
-	IMembershipOrg
+	IncidentContactOrg
 } from '../../models';
 import { createOrganization as create } from '../../helpers/organization';
 import { addMembershipsOrg } from '../../helpers/membershipOrg';
 import { OWNER, ACCEPTED } from '../../variables';
-import _ from 'lodash';
+
+const productToPriceMap = {
+	starter: STRIPE_PRODUCT_STARTER,
+	pro: STRIPE_PRODUCT_PRO,
+	cardAuth: STRIPE_PRODUCT_CARD_AUTH
+};

 export const getOrganizations = async (req: Request, res: Response) => {
 	let organizations;
@ -333,6 +340,7 @@ export const createOrganizationPortalSession = async (

 		if (paymentMethods.data.length < 1) {
 			// case: no payment method on file
+			productToPriceMap['cardAuth'];
 			session = await stripe.checkout.sessions.create({
 				customer: req.membershipOrg.organization.customerId,
 				mode: 'setup',
@ -384,44 +392,3 @@ export const getOrganizationSubscriptions = async (
 		subscriptions
 	});
 };
-
-
-/**
- * Given a org id, return the projects each member of the org belongs to
- * @param req
- * @param res
- * @returns
- */
-export const getOrganizationMembersAndTheirWorkspaces = async (
-	req: Request,
-	res: Response
-) => {
-	const { organizationId } = req.params;
-
-	const workspacesSet = (
-			await Workspace.find(
-				{
-					organization: organizationId
-				},
-				'_id'
-			)
-		).map((w) => w._id.toString());
-
-	const memberships = (
-		await Membership.find({
-			workspace: { $in: workspacesSet }
-		}).populate('workspace')
-	);
-	const userToWorkspaceIds: any = {};
-
-	memberships.forEach(membership => {
-		const user = membership.user.toString();
-		if (userToWorkspaceIds[user]) {
-			userToWorkspaceIds[user].push(membership.workspace);
-		} else {
-			userToWorkspaceIds[user] = [membership.workspace];
-		}
-	});
-
-	return res.json(userToWorkspaceIds);
-};
--- a/backend/src/controllers/v1/passwordController.ts
+++ b/backend/src/controllers/v1/passwordController.ts
@ -1,15 +1,16 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
+import crypto from 'crypto';
 // eslint-disable-next-line @typescript-eslint/no-var-requires
 const jsrp = require('jsrp');
 import * as bigintConversion from 'bigint-conversion';
-import { User, BackupPrivateKey, LoginSRPDetail } from '../../models';
+import { User, Token, BackupPrivateKey } from '../../models';
+import { checkEmailVerification } from '../../helpers/signup';
 import { createToken } from '../../helpers/auth';
 import { sendMail } from '../../helpers/nodemailer';
-import { TokenService } from '../../services';
 import { JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET, SITE_URL } from '../../config';
-import { TOKEN_EMAIL_PASSWORD_RESET } from '../../variables';
-import { BadRequestError } from '../../utils/errors';
+
+const clientPublicKeys: any = {};

 /**
 * Password reset step 1: Send email verification link to email [email] 
@ -32,10 +33,17 @@ export const emailPasswordReset = async (req: Request, res: Response) => {
 			});
 		}
 		
-		const token = await TokenService.createToken({
-			type: TOKEN_EMAIL_PASSWORD_RESET,
-			email
-		});
+		const token = crypto.randomBytes(16).toString('hex');
+
+		await Token.findOneAndUpdate(
+			{ email },
+			{
+				email,
+				token,
+				createdAt: new Date()
+			},
+			{ upsert: true, new: true }
+		);
 		
 		await sendMail({
 			template: 'passwordReset.handlebars',
@ -47,14 +55,15 @@ export const emailPasswordReset = async (req: Request, res: Response) => {
 				callback_url: SITE_URL + '/password-reset'
 			}
 		});
+		
 	} catch (err) {
 		Sentry.setUser(null);
 		Sentry.captureException(err);
 		return res.status(400).send({
 			message: 'Failed to send email for account recovery'
-		});
+		});	
 	}
-
+	
 	return res.status(200).send({
 		message: `Sent an email for account recovery to ${email}`
 	});
@ -70,7 +79,7 @@ export const emailPasswordResetVerify = async (req: Request, res: Response) => {
 	let user, token;
 	try {
 		const { email, code } = req.body;
-
+		
 		user = await User.findOne({ email }).select('+publicKey');
 		if (!user || !user?.publicKey) {
 			// case: user doesn't exist with email [email] or 
@ -79,13 +88,12 @@ export const emailPasswordResetVerify = async (req: Request, res: Response) => {
 				error: 'Failed email verification for password reset'
 			});
 		}
-		
-		await TokenService.validateToken({
-			type: TOKEN_EMAIL_PASSWORD_RESET,
-			email,
-			token: code
-		});

+		await checkEmailVerification({
+			email,
+			code
+		});
+		
 		// generate temporary password-reset token
 		token = createToken({
 			payload: {
@ -99,7 +107,7 @@ export const emailPasswordResetVerify = async (req: Request, res: Response) => {
 		Sentry.captureException(err);
 		return res.status(400).send({
 			message: 'Failed email verification for password reset'
-		});
+		});	
 	}

 	return res.status(200).send({
@ -122,7 +130,7 @@ export const srp1 = async (req: Request, res: Response) => {
 		const user = await User.findOne({
 			email: req.user.email
 		}).select('+salt +verifier');
-
+		
 		if (!user) throw new Error('Failed to find user');

 		const server = new jsrp.server();
@ -131,15 +139,13 @@ export const srp1 = async (req: Request, res: Response) => {
 				salt: user.salt,
 				verifier: user.verifier
 			},
-			async () => {
+			() => {
 				// generate server-side public key
 				const serverPublicKey = server.getPublicKey();
-
-				await LoginSRPDetail.findOneAndReplace({ email: req.user.email }, {
-					email: req.user.email,
-					clientPublicKey: clientPublicKey,
-					serverBInt: bigintConversion.bigintToBuf(server.bInt),
-				}, { upsert: true, returnNewDocument: false })
+				clientPublicKeys[req.user.email] = {
+					clientPublicKey,
+					serverBInt: bigintConversion.bigintToBuf(server.bInt)
+				};

 				return res.status(200).send({
 					serverPublicKey,
@ -166,39 +172,25 @@ export const srp1 = async (req: Request, res: Response) => {
 */
 export const changePassword = async (req: Request, res: Response) => {
 	try {
-		const { 
-			clientProof, 
-			protectedKey,
-			protectedKeyIV,
-			protectedKeyTag,
-			encryptedPrivateKey,
-			encryptedPrivateKeyIV,
-			encryptedPrivateKeyTag,
-			salt,
-			verifier
-		} = req.body;
-
+		const { clientProof, encryptedPrivateKey, iv, tag, salt, verifier } =
+			req.body;
 		const user = await User.findOne({
 			email: req.user.email
 		}).select('+salt +verifier');

 		if (!user) throw new Error('Failed to find user');

-		const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: req.user.email })
-
-		if (!loginSRPDetailFromDB) {
-			return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
-		}
-
 		const server = new jsrp.server();
 		server.init(
 			{
 				salt: user.salt,
 				verifier: user.verifier,
-				b: loginSRPDetailFromDB.serverBInt
+				b: clientPublicKeys[req.user.email].serverBInt
 			},
 			async () => {
-				server.setClientPublicKey(loginSRPDetailFromDB.clientPublicKey);
+				server.setClientPublicKey(
+					clientPublicKeys[req.user.email].clientPublicKey
+				);

 				// compare server and client shared keys
 				if (server.checkClientProof(clientProof)) {
@ -207,13 +199,9 @@ export const changePassword = async (req: Request, res: Response) => {
 					await User.findByIdAndUpdate(
 						req.user._id.toString(),
 						{
-							encryptionVersion: 2,
-							protectedKey,
-							protectedKeyIV,
-							protectedKeyTag,
 							encryptedPrivateKey,
-							iv: encryptedPrivateKeyIV,
-							tag: encryptedPrivateKeyTag,
+							iv,
+							tag,
 							salt,
 							verifier
 						},
@ -261,22 +249,16 @@ export const createBackupPrivateKey = async (req: Request, res: Response) => {

 		if (!user) throw new Error('Failed to find user');

-		const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: req.user.email })
-
-		if (!loginSRPDetailFromDB) {
-			return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
-		}
-
 		const server = new jsrp.server();
 		server.init(
 			{
 				salt: user.salt,
 				verifier: user.verifier,
-				b: loginSRPDetailFromDB.serverBInt
+				b: clientPublicKeys[req.user.email].serverBInt
 			},
 			async () => {
 				server.setClientPublicKey(
-					loginSRPDetailFromDB.clientPublicKey
+					clientPublicKeys[req.user.email].clientPublicKey
 				);

 				// compare server and client shared keys
@ -329,16 +311,16 @@ export const getBackupPrivateKey = async (req: Request, res: Response) => {
 		backupPrivateKey = await BackupPrivateKey.findOne({
 			user: req.user._id
 		}).select('+encryptedPrivateKey +iv +tag');
-
+		
 		if (!backupPrivateKey) throw new Error('Failed to find backup private key');
 	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
+		Sentry.setUser({ email: req.user.email});
 		Sentry.captureException(err);
 		return res.status(400).send({
 			message: 'Failed to get backup private key'
 		});
 	}
-
+	
 	return res.status(200).send({
 		backupPrivateKey
 	});
@ -347,12 +329,9 @@ export const getBackupPrivateKey = async (req: Request, res: Response) => {
 export const resetPassword = async (req: Request, res: Response) => {
 	try {
 		const {
-			protectedKey,
-			protectedKeyIV,
-			protectedKeyTag,
 			encryptedPrivateKey,
-			encryptedPrivateKeyIV,
-			encryptedPrivateKeyTag,
+			iv,
+			tag,
 			salt,
 			verifier,
 		} = req.body;
@ -360,28 +339,24 @@ export const resetPassword = async (req: Request, res: Response) => {
 		await User.findByIdAndUpdate(
 			req.user._id.toString(),
 			{
-				encryptionVersion: 2,
-				protectedKey,
-				protectedKeyIV,
-				protectedKeyTag,	
 				encryptedPrivateKey,
-				iv: encryptedPrivateKeyIV,
-				tag: encryptedPrivateKeyTag,
+				iv,
+				tag,
 				salt,
 				verifier
 			},
 			{
 				new: true
 			}
-		);
+		);	
 	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
+		Sentry.setUser({ email: req.user.email});
 		Sentry.captureException(err);
 		return res.status(400).send({
 			message: 'Failed to get backup private key'
-		});
+		});	
 	}
-
+	
 	return res.status(200).send({
 		message: 'Successfully reset password'
 	});
--- a/backend/src/controllers/v1/signupController.ts
+++ b/backend/src/controllers/v1/signupController.ts
@ -1,13 +1,16 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import { User } from '../../models';
-import { JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET, INVITE_ONLY_SIGNUP } from '../../config';
+import { NODE_ENV, JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET } from '../../config';
+import { User, MembershipOrg } from '../../models';
+import { completeAccount } from '../../helpers/user';
 import {
 	sendEmailVerification,
 	checkEmailVerification,
+	initializeDefaultOrg
 } from '../../helpers/signup';
-import { createToken } from '../../helpers/auth';
-import { BadRequestError } from '../../utils/errors';
+import { issueTokens, createToken } from '../../helpers/auth';
+import { INVITED, ACCEPTED } from '../../variables';
+import axios from 'axios';

 /**
 * Signup step 1: Initialize account for user under email [email] and send a verification code
@ -21,14 +24,6 @@ export const beginEmailSignup = async (req: Request, res: Response) => {
 	try {
 		email = req.body.email;

-		if (INVITE_ONLY_SIGNUP) {
-			// Only one user can create an account without being invited. The rest need to be invited in order to make an account
-			const userCount = await User.countDocuments({})
-			if (userCount != 0) {
-				throw BadRequestError({ message: "New user sign ups are not allowed at this time. You must be invited to sign up." })
-			}
-		}
-
 		const user = await User.findOne({ email }).select('+publicKey');
 		if (user && user?.publicKey) {
 			// case: user has already completed account
@ -108,3 +103,201 @@ export const verifyEmailSignup = async (req: Request, res: Response) => {
 		token
 	});
 };
+
+/**
+ * Complete setting up user by adding their personal and auth information as part of the
+ * signup flow
+ * @param req
+ * @param res
+ * @returns
+ */
+export const completeAccountSignup = async (req: Request, res: Response) => {
+	let user, token, refreshToken;
+	try {
+		const {
+			email,
+			firstName,
+			lastName,
+			publicKey,
+			encryptedPrivateKey,
+			iv,
+			tag,
+			salt,
+			verifier,
+			organizationName
+		} = req.body;
+
+		// get user
+		user = await User.findOne({ email });
+		
+		if (!user || (user && user?.publicKey)) {
+			// case 1: user doesn't exist.
+			// case 2: user has already completed account
+			return res.status(403).send({
+				error: 'Failed to complete account for complete user'
+			});
+		}
+
+		// complete setting up user's account
+		user = await completeAccount({
+			userId: user._id.toString(),
+			firstName,
+			lastName,
+			publicKey,
+			encryptedPrivateKey,
+			iv,
+			tag,
+			salt,
+			verifier
+		});
+
+		if (!user)
+			throw new Error('Failed to complete account for non-existent user'); // ensure user is non-null
+
+		// initialize default organization and workspace
+		await initializeDefaultOrg({
+			organizationName,
+			user
+		});
+
+		// update organization membership statuses that are
+		// invited to completed with user attached
+		await MembershipOrg.updateMany(
+			{
+				inviteEmail: email,
+				status: INVITED
+			},
+			{
+				user,
+				status: ACCEPTED
+			}
+		);
+
+		// issue tokens
+		const tokens = await issueTokens({
+			userId: user._id.toString()
+		});
+
+		token = tokens.token;
+		refreshToken = tokens.refreshToken;
+
+		// sending a welcome email to new users
+		if (process.env.LOOPS_API_KEY) {
+			await axios.post("https://app.loops.so/api/v1/events/send", {
+				"email": email,
+				"eventName": "Sign Up",
+				"firstName": firstName,
+				"lastName": lastName
+			}, {
+				headers: {
+					"Accept": "application/json",
+					"Authorization": "Bearer " + process.env.LOOPS_API_KEY
+				},
+			});
+		}
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to complete account setup'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Successfully set up account',
+		user,
+		token,
+		refreshToken
+	});
+};
+/**
+ * Complete setting up user by adding their personal and auth information as part of the
+ * invite flow
+ * @param req
+ * @param res
+ * @returns
+ */
+export const completeAccountInvite = async (req: Request, res: Response) => {
+	let user, token, refreshToken;
+	try {
+		const {
+			email,
+			firstName,
+			lastName,
+			publicKey,
+			encryptedPrivateKey,
+			iv,
+			tag,
+			salt,
+			verifier
+		} = req.body;
+
+		// get user
+		user = await User.findOne({ email });
+
+		if (!user || (user && user?.publicKey)) {
+			// case 1: user doesn't exist.
+			// case 2: user has already completed account
+			return res.status(403).send({
+				error: 'Failed to complete account for complete user'
+			});
+		}
+
+		const membershipOrg = await MembershipOrg.findOne({
+			inviteEmail: email,
+			status: INVITED
+		});
+
+		if (!membershipOrg) throw new Error('Failed to find invitations for email');
+
+		// complete setting up user's account
+		user = await completeAccount({
+			userId: user._id.toString(),
+			firstName,
+			lastName,
+			publicKey,
+			encryptedPrivateKey,
+			iv,
+			tag,
+			salt,
+			verifier
+		});
+
+		if (!user)
+			throw new Error('Failed to complete account for non-existent user');
+
+		// update organization membership statuses that are
+		// invited to completed with user attached
+		await MembershipOrg.updateMany(
+			{
+				inviteEmail: email,
+				status: INVITED
+			},
+			{
+				user,
+				status: ACCEPTED
+			}
+		);
+
+		// issue tokens
+		const tokens = await issueTokens({
+			userId: user._id.toString()
+		});
+
+		token = tokens.token;
+		refreshToken = tokens.refreshToken;
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to complete account setup'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Successfully set up account',
+		user,
+		token,
+		refreshToken
+	});
+};
--- a/backend/src/controllers/v1/workspaceController.ts
+++ b/backend/src/controllers/v1/workspaceController.ts
@ -1,21 +1,21 @@
-import { Request, Response } from "express";
-import * as Sentry from "@sentry/node";
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
 import {
-  Workspace,
-  Membership,
-  MembershipOrg,
-  Integration,
-  IntegrationAuth,
-  IUser,
-  ServiceToken,
-  ServiceTokenData,
-} from "../../models";
+	Workspace,
+	Membership,
+	MembershipOrg,
+	Integration,
+	IntegrationAuth,
+	IUser,
+	ServiceToken,
+	ServiceTokenData
+} from '../../models';
 import {
-  createWorkspace as create,
-  deleteWorkspace as deleteWork,
-} from "../../helpers/workspace";
-import { addMemberships } from "../../helpers/membership";
-import { ADMIN } from "../../variables";
+	createWorkspace as create,
+	deleteWorkspace as deleteWork
+} from '../../helpers/workspace';
+import { addMemberships } from '../../helpers/membership';
+import { ADMIN } from '../../variables';

 /**
 * Return public keys of members of workspace with id [workspaceId]
@ -24,31 +24,32 @@ import { ADMIN } from "../../variables";
 * @returns
 */
 export const getWorkspacePublicKeys = async (req: Request, res: Response) => {
-  let publicKeys;
-  try {
-    const { workspaceId } = req.params;
+	let publicKeys;
+	try {
+		const { workspaceId } = req.params;

-    publicKeys = (
-      await Membership.find({
-        workspace: workspaceId,
-      }).populate<{ user: IUser }>("user", "publicKey")
-    ).map((member) => {
-      return {
-        publicKey: member.user.publicKey,
-        userId: member.user._id,
-      };
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace member public keys",
-    });
-  }
+		publicKeys = (
+			await Membership.find({
+				workspace: workspaceId
+			}).populate<{ user: IUser }>('user', 'publicKey')
+		)
+		.map((member) => {
+			return {
+				publicKey: member.user.publicKey,
+				userId: member.user._id
+			};
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace member public keys'
+		});
+	}

-  return res.status(200).send({
-    publicKeys,
-  });
+	return res.status(200).send({
+		publicKeys
+	});
 };

 /**
@ -58,24 +59,24 @@ export const getWorkspacePublicKeys = async (req: Request, res: Response) => {
 * @returns
 */
 export const getWorkspaceMemberships = async (req: Request, res: Response) => {
-  let users;
-  try {
-    const { workspaceId } = req.params;
+	let users;
+	try {
+		const { workspaceId } = req.params;

-    users = await Membership.find({
-      workspace: workspaceId,
-    }).populate("user", "+publicKey");
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace members",
-    });
-  }
+		users = await Membership.find({
+			workspace: workspaceId
+		}).populate('user', '+publicKey');
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace members'
+		});
+	}

-  return res.status(200).send({
-    users,
-  });
+	return res.status(200).send({
+		users
+	});
 };

 /**
@ -85,24 +86,24 @@ export const getWorkspaceMemberships = async (req: Request, res: Response) => {
 * @returns
 */
 export const getWorkspaces = async (req: Request, res: Response) => {
-  let workspaces;
-  try {
-    workspaces = (
-      await Membership.find({
-        user: req.user._id,
-      }).populate("workspace")
-    ).map((m) => m.workspace);
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspaces",
-    });
-  }
+	let workspaces;
+	try {
+		workspaces = (
+			await Membership.find({
+				user: req.user._id
+			}).populate('workspace')
+		).map((m) => m.workspace);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspaces'
+		});
+	}

-  return res.status(200).send({
-    workspaces,
-  });
+	return res.status(200).send({
+		workspaces
+	});
 };

 /**
@ -112,24 +113,24 @@ export const getWorkspaces = async (req: Request, res: Response) => {
 * @returns
 */
 export const getWorkspace = async (req: Request, res: Response) => {
-  let workspace;
-  try {
-    const { workspaceId } = req.params;
+	let workspace;
+	try {
+		const { workspaceId } = req.params;

-    workspace = await Workspace.findOne({
-      _id: workspaceId,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace",
-    });
-  }
+		workspace = await Workspace.findOne({
+			_id: workspaceId
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace'
+		});
+	}

-  return res.status(200).send({
-    workspace,
-  });
+	return res.status(200).send({
+		workspace
+	});
 };

 /**
@ -140,46 +141,46 @@ export const getWorkspace = async (req: Request, res: Response) => {
 * @returns
 */
 export const createWorkspace = async (req: Request, res: Response) => {
-  let workspace;
-  try {
-    const { workspaceName, organizationId } = req.body;
+	let workspace;
+	try {
+		const { workspaceName, organizationId } = req.body;

-    // validate organization membership
-    const membershipOrg = await MembershipOrg.findOne({
-      user: req.user._id,
-      organization: organizationId,
-    });
+		// validate organization membership
+		const membershipOrg = await MembershipOrg.findOne({
+			user: req.user._id,
+			organization: organizationId
+		});

-    if (!membershipOrg) {
-      throw new Error("Failed to validate organization membership");
-    }
+		if (!membershipOrg) {
+			throw new Error('Failed to validate organization membership');
+		}

-    if (workspaceName.length < 1) {
-      throw new Error("Workspace names must be at least 1-character long");
-    }
+		if (workspaceName.length < 1) {
+			throw new Error('Workspace names must be at least 1-character long');
+		}

-    // create workspace and add user as member
-    workspace = await create({
-      name: workspaceName,
-      organizationId,
-    });
+		// create workspace and add user as member
+		workspace = await create({
+			name: workspaceName,
+			organizationId
+		});

-    await addMemberships({
-      userIds: [req.user._id],
-      workspaceId: workspace._id.toString(),
-      roles: [ADMIN],
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to create workspace",
-    });
-  }
+		await addMemberships({
+			userIds: [req.user._id],
+			workspaceId: workspace._id.toString(),
+			roles: [ADMIN]
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to create workspace'
+		});
+	}

-  return res.status(200).send({
-    workspace,
-  });
+	return res.status(200).send({
+		workspace
+	});
 };

 /**
@ -189,24 +190,24 @@ export const createWorkspace = async (req: Request, res: Response) => {
 * @returns
 */
 export const deleteWorkspace = async (req: Request, res: Response) => {
-  try {
-    const { workspaceId } = req.params;
+	try {
+		const { workspaceId } = req.params;

-    // delete workspace
-    await deleteWork({
-      id: workspaceId,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to delete workspace",
-    });
-  }
+		// delete workspace
+		await deleteWork({
+			id: workspaceId
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to delete workspace'
+		});
+	}

-  return res.status(200).send({
-    message: "Successfully deleted workspace",
-  });
+	return res.status(200).send({
+		message: 'Successfully deleted workspace'
+	});
 };

 /**
@ -216,34 +217,34 @@ export const deleteWorkspace = async (req: Request, res: Response) => {
 * @returns
 */
 export const changeWorkspaceName = async (req: Request, res: Response) => {
-  let workspace;
-  try {
-    const { workspaceId } = req.params;
-    const { name } = req.body;
+	let workspace;
+	try {
+		const { workspaceId } = req.params;
+		const { name } = req.body;

-    workspace = await Workspace.findOneAndUpdate(
-      {
-        _id: workspaceId,
-      },
-      {
-        name,
-      },
-      {
-        new: true,
-      }
-    );
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to change workspace name",
-    });
-  }
+		workspace = await Workspace.findOneAndUpdate(
+			{
+				_id: workspaceId
+			},
+			{
+				name
+			},
+			{
+				new: true
+			}
+		);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to change workspace name'
+		});
+	}

-  return res.status(200).send({
-    message: "Successfully changed workspace name",
-    workspace,
-  });
+	return res.status(200).send({
+		message: 'Successfully changed workspace name',
+		workspace
+	});
 };

 /**
@ -253,24 +254,24 @@ export const changeWorkspaceName = async (req: Request, res: Response) => {
 * @returns
 */
 export const getWorkspaceIntegrations = async (req: Request, res: Response) => {
-  let integrations;
-  try {
-    const { workspaceId } = req.params;
+	let integrations;
+	try {
+		const { workspaceId } = req.params;

-    integrations = await Integration.find({
-      workspace: workspaceId,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace integrations",
-    });
-  }
+		integrations = await Integration.find({
+			workspace: workspaceId
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace integrations'
+		});
+	}

-  return res.status(200).send({
-    integrations,
-  });
+	return res.status(200).send({
+		integrations
+	});
 };

 /**
@ -280,56 +281,56 @@ export const getWorkspaceIntegrations = async (req: Request, res: Response) => {
 * @returns
 */
 export const getWorkspaceIntegrationAuthorizations = async (
-  req: Request,
-  res: Response
+	req: Request,
+	res: Response
 ) => {
-  let authorizations;
-  try {
-    const { workspaceId } = req.params;
+	let authorizations;
+	try {
+		const { workspaceId } = req.params;

-    authorizations = await IntegrationAuth.find({
-      workspace: workspaceId,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace integration authorizations",
-    });
-  }
+		authorizations = await IntegrationAuth.find({
+			workspace: workspaceId
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace integration authorizations'
+		});
+	}

-  return res.status(200).send({
-    authorizations,
-  });
+	return res.status(200).send({
+		authorizations
+	});
 };

 /**
 * Return service service tokens for workspace [workspaceId] belonging to user
- * @param req
- * @param res
- * @returns
+ * @param req 
+ * @param res 
+ * @returns 
 */
 export const getWorkspaceServiceTokens = async (
-  req: Request,
-  res: Response
+	req: Request,
+	res: Response
 ) => {
-  let serviceTokens;
-  try {
-    const { workspaceId } = req.params;
-    // ?? FIX.
-    serviceTokens = await ServiceToken.find({
-      user: req.user._id,
-      workspace: workspaceId,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace service tokens",
-    });
-  }
-
-  return res.status(200).send({
-    serviceTokens,
-  });
-};
+	let serviceTokens;
+	try {
+		const { workspaceId } = req.params;
+		// ?? FIX.
+		serviceTokens = await ServiceToken.find({
+			user: req.user._id,
+			workspace: workspaceId
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace service tokens'
+		});
+	}
+	
+	return res.status(200).send({
+		serviceTokens
+	});
+}
--- a/backend/src/controllers/v2/authController.ts
+++ b/backend/src/controllers/v2/authController.ts
@ -1,351 +0,0 @@
-/* eslint-disable @typescript-eslint/no-var-requires */
-import { Request, Response } from 'express';
-import jwt from 'jsonwebtoken';
-import * as Sentry from '@sentry/node';
-import * as bigintConversion from 'bigint-conversion';
-const jsrp = require('jsrp');
-import { User, LoginSRPDetail } from '../../models';
-import { issueAuthTokens, createToken } from '../../helpers/auth';
-import { checkUserDevice } from '../../helpers/user';
-import { sendMail } from '../../helpers/nodemailer';
-import { TokenService } from '../../services';
-import { EELogService } from '../../ee/services';
-import {
-  NODE_ENV,
-  JWT_MFA_LIFETIME,
-  JWT_MFA_SECRET
-} from '../../config';
-import { BadRequestError, InternalServerError } from '../../utils/errors';
-import {
-  TOKEN_EMAIL_MFA,
-  ACTION_LOGIN
-} from '../../variables';
-import { getChannelFromUserAgent } from '../../utils/posthog'; // TODO: move this
-
-declare module 'jsonwebtoken' {
-  export interface UserIDJwtPayload extends jwt.JwtPayload {
-    userId: string;
-  }
-}
-
-const clientPublicKeys: any = {};
-
-/**
- * Log in user step 1: Return [salt] and [serverPublicKey] as part of step 1 of SRP protocol
- * @param req
- * @param res
- * @returns
- */
-export const login1 = async (req: Request, res: Response) => {
-  try {
-    const {
-      email,
-      clientPublicKey
-    }: { email: string; clientPublicKey: string } = req.body;
-
-    const user = await User.findOne({
-      email
-    }).select('+salt +verifier');
-
-    if (!user) throw new Error('Failed to find user');
-
-    const server = new jsrp.server();
-    server.init(
-      {
-        salt: user.salt,
-        verifier: user.verifier
-      },
-      async () => {
-        // generate server-side public key
-        const serverPublicKey = server.getPublicKey();
-
-        await LoginSRPDetail.findOneAndReplace({ email: email }, {
-          email: email,
-          clientPublicKey: clientPublicKey,
-          serverBInt: bigintConversion.bigintToBuf(server.bInt),
-        }, { upsert: true, returnNewDocument: false });
-
-        return res.status(200).send({
-          serverPublicKey,
-          salt: user.salt
-        });
-      }
-    );
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to start authentication process'
-    });
-  }
-};
-
-/**
- * Log in user step 2: complete step 2 of SRP protocol and return token and their (encrypted)
- * private key
- * @param req
- * @param res
- * @returns
- */
-export const login2 = async (req: Request, res: Response) => {
-  try {
-    
-    if (!req.headers['user-agent']) throw InternalServerError({ message: 'User-Agent header is required' });
-
-    const { email, clientProof } = req.body;
-    const user = await User.findOne({
-      email
-    }).select('+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag');
-
-    if (!user) throw new Error('Failed to find user');
-
-    const loginSRPDetail = await LoginSRPDetail.findOneAndDelete({ email: email })
-
-    if (!loginSRPDetail) {
-      return BadRequestError(Error("Failed to find login details for SRP"))
-    }
-
-    const server = new jsrp.server();
-    server.init(
-      {
-        salt: user.salt,
-        verifier: user.verifier,
-        b: loginSRPDetail.serverBInt
-      },
-      async () => {
-        server.setClientPublicKey(loginSRPDetail.clientPublicKey);
-
-        // compare server and client shared keys
-        if (server.checkClientProof(clientProof)) {
-
-          if (user.isMfaEnabled) {
-            // case: user has MFA enabled
-
-            // generate temporary MFA token
-            const token = createToken({
-              payload: {
-                userId: user._id.toString()
-              },
-              expiresIn: JWT_MFA_LIFETIME,
-              secret: JWT_MFA_SECRET
-            });
-          
-            const code = await TokenService.createToken({
-              type: TOKEN_EMAIL_MFA,
-              email
-            });
-            
-            // send MFA code [code] to [email]
-            await sendMail({
-              template: 'emailMfa.handlebars',
-              subjectLine: 'Infisical MFA code',
-              recipients: [email],
-              substitutions: {
-                code
-              }
-            });
-            
-            return res.status(200).send({
-              mfaEnabled: true,
-              token
-            });
-          }
-          
-          await checkUserDevice({
-            user,
-            ip: req.ip,
-            userAgent: req.headers['user-agent'] ?? ''
-          });
-
-          // issue tokens
-          const tokens = await issueAuthTokens({ userId: user._id.toString() });
-
-          // store (refresh) token in httpOnly cookie
-          res.cookie('jid', tokens.refreshToken, {
-            httpOnly: true,
-            path: '/',
-            sameSite: 'strict',
-            secure: NODE_ENV === 'production' ? true : false
-          });
-
-          // case: user does not have MFA enablgged
-          // return (access) token in response
-
-          interface ResponseData {
-            mfaEnabled: boolean;
-            encryptionVersion: any;
-            protectedKey?: string;
-            protectedKeyIV?: string;
-            protectedKeyTag?: string;
-            token: string;
-            publicKey?: string;
-            encryptedPrivateKey?: string;
-            iv?: string;
-            tag?: string;
-          }
-          
-          const response: ResponseData = {
-            mfaEnabled: false,
-            encryptionVersion: user.encryptionVersion,
-            token: tokens.token,
-            publicKey: user.publicKey,
-            encryptedPrivateKey: user.encryptedPrivateKey,
-            iv: user.iv,
-            tag: user.tag
-          }
-          
-          if (
-            user?.protectedKey &&
-            user?.protectedKeyIV &&
-            user?.protectedKeyTag
-          ) {
-            response.protectedKey = user.protectedKey;
-            response.protectedKeyIV = user.protectedKeyIV
-            response.protectedKeyTag = user.protectedKeyTag;
-          }
-
-          const loginAction = await EELogService.createAction({
-            name: ACTION_LOGIN,
-            userId: user._id
-          });
-          
-          loginAction && await EELogService.createLog({
-            userId: user._id,
-            actions: [loginAction],
-            channel: getChannelFromUserAgent(req.headers['user-agent']),
-            ipAddress: req.ip
-          });
-          
-          return res.status(200).send(response);
-        }
-
-        return res.status(400).send({
-          message: 'Failed to authenticate. Try again?'
-        });
-      }
-    );
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to authenticate. Try again?'
-    });
-  }
-};
-
-/**
- * Send MFA token to email [email]
- * @param req 
- * @param res 
- */
-export const sendMfaToken = async (req: Request, res: Response) => {
-  try {
-    const { email } = req.body;
-
-    const code = await TokenService.createToken({
-      type: TOKEN_EMAIL_MFA,
-      email
-    });
-    
-    // send MFA code [code] to [email]
-    await sendMail({
-      template: 'emailMfa.handlebars',
-      subjectLine: 'Infisical MFA code',
-      recipients: [email],
-      substitutions: {
-        code
-      }
-    });
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to send MFA code'
-    }); 
-  }
-  
-  return res.status(200).send({
-    message: 'Successfully sent new MFA code'
-  });
-}
-
-/**
- * Verify MFA token [mfaToken] and issue JWT and refresh tokens if the
- * MFA token [mfaToken] is valid
- * @param req 
- * @param res 
- */
-export const verifyMfaToken = async (req: Request, res: Response) => {
-    const { email, mfaToken } = req.body;
-
-    await TokenService.validateToken({
-      type: TOKEN_EMAIL_MFA,
-      email,
-      token: mfaToken
-    });
-
-    const user = await User.findOne({
-      email
-    }).select('+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag');
-
-    if (!user) throw new Error('Failed to find user'); 
-
-     await checkUserDevice({
-      user,
-      ip: req.ip,
-      userAgent: req.headers['user-agent'] ?? ''
-    });
-
-    // issue tokens
-    const tokens = await issueAuthTokens({ userId: user._id.toString() });
-
-    // store (refresh) token in httpOnly cookie
-    res.cookie('jid', tokens.refreshToken, {
-      httpOnly: true,
-      path: '/',
-      sameSite: 'strict',
-      secure: NODE_ENV === 'production' ? true : false
-    });
-    
-    interface VerifyMfaTokenRes {
-      encryptionVersion: number;
-      protectedKey?: string;
-      protectedKeyIV?: string;
-      protectedKeyTag?: string;
-      token: string;
-      publicKey: string;
-      encryptedPrivateKey: string;
-      iv: string;
-      tag: string;
-    }
-
-    const resObj: VerifyMfaTokenRes = {
-      encryptionVersion: user.encryptionVersion,
-      token: tokens.token,
-      publicKey: user.publicKey as string,
-      encryptedPrivateKey: user.encryptedPrivateKey as string,
-      iv: user.iv as string,
-      tag: user.tag as string
-    }
-    
-    if (user?.protectedKey && user?.protectedKeyIV && user?.protectedKeyTag) {
-      resObj.protectedKey = user.protectedKey;
-      resObj.protectedKeyIV = user.protectedKeyIV;
-      resObj.protectedKeyTag = user.protectedKeyTag;
-    }
-
-    const loginAction = await EELogService.createAction({
-      name: ACTION_LOGIN,
-      userId: user._id
-    });
-    
-    loginAction && await EELogService.createLog({
-      userId: user._id,
-      actions: [loginAction],
-      channel: getChannelFromUserAgent(req.headers['user-agent']),
-      ipAddress: req.ip
-    });
-
-    return res.status(200).send(resObj); 
-}
-
--- a/backend/src/controllers/v2/environmentController.ts
+++ b/backend/src/controllers/v2/environmentController.ts
@ -11,7 +11,7 @@ import {
 import { SecretVersion } from '../../ee/models';
 import { BadRequestError } from '../../utils/errors';
 import _ from 'lodash';
-import { ABILITY_READ, ABILITY_WRITE } from '../../variables/organization';
+import { ABILITY_READ } from '../../variables/organization';

 /**
 * Create new workspace environment named [environmentName] under workspace with id
@ -236,7 +236,7 @@ export const getAllAccessibleEnvironmentsOfWorkspace = async (
    throw BadRequestError()
  }

-  const accessibleEnvironments: any = []
+  const accessibleEnvironments: { name: string; slug: string; }[] = []
  const deniedPermission = workspacesUserIsMemberOf.deniedPermissions

  const relatedWorkspace = await Workspace.findById(workspaceId)
@ -245,16 +245,11 @@ export const getAllAccessibleEnvironmentsOfWorkspace = async (
  }
  relatedWorkspace.environments.forEach(environment => {
    const isReadBlocked = _.some(deniedPermission, { environmentSlug: environment.slug, ability: ABILITY_READ })
-    const isWriteBlocked = _.some(deniedPermission, { environmentSlug: environment.slug, ability: ABILITY_WRITE })
-    if (isReadBlocked && isWriteBlocked) {
+    // const isWriteBlocked = _.some(deniedPermission, { environmentSlug: environment.slug, ability: ABILITY_WRITE })
+    if (isReadBlocked) {
      return
    } else {
-      accessibleEnvironments.push({
-        name: environment.name,
-        slug: environment.slug,
-        isWriteDenied: isWriteBlocked,
-        isReadDenied: isReadBlocked
-      })
+      accessibleEnvironments.push(environment)
    }
  })

--- a/backend/src/controllers/v2/index.ts
+++ b/backend/src/controllers/v2/index.ts
@ -1,5 +1,3 @@
-import * as authController from './authController';
-import * as signupController from './signupController';
 import * as usersController from './usersController';
 import * as organizationsController from './organizationsController';
 import * as workspaceController from './workspaceController';
@ -8,11 +6,8 @@ import * as apiKeyDataController from './apiKeyDataController';
 import * as secretController from './secretController';
 import * as secretsController from './secretsController';
 import * as environmentController from './environmentController';
-import * as tagController from './tagController';

 export {
-    authController,
-    signupController,
    usersController,
    organizationsController,
    workspaceController,
@ -20,6 +15,5 @@ export {
    apiKeyDataController,
    secretController,
    secretsController,
-    environmentController,
-    tagController
+    environmentController
 }
--- a/backend/src/controllers/v2/secretsController.ts
+++ b/backend/src/controllers/v2/secretsController.ts
@ -1,8 +1,7 @@
 import to from 'await-to-js';
 import { Types } from 'mongoose';
 import { Request, Response } from 'express';
-import { ISecret, Secret } from '../../models';
-import { IAction } from '../../ee/models';
+import { ISecret, Membership, Secret, Workspace } from '../../models';
 import {
    SECRET_PERSONAL,
    SECRET_SHARED,
@ -18,255 +17,7 @@ import { EESecretService, EELogService } from '../../ee/services';
 import { postHogClient } from '../../services';
 import { getChannelFromUserAgent } from '../../utils/posthog';
 import { ABILITY_READ, ABILITY_WRITE } from '../../variables/organization';
-import { userHasNoAbility, userHasWorkspaceAccess, userHasWriteOnlyAbility } from '../../ee/helpers/checkMembershipPermissions';
-import Tag from '../../models/tag';
-import _ from 'lodash';
-import {
-    BatchSecretRequest, 
-    BatchSecret
-} from '../../types/secret';
-
-/**
- * Peform a batch of any specified CUD secret operations
- * @param req 
- * @param res 
- */
-export const batchSecrets = async (req: Request, res: Response) => {
-    const channel = getChannelFromUserAgent(req.headers['user-agent']);
-    const {
-        workspaceId,
-        environment,
-        requests
-    }: {
-        workspaceId: string;
-        environment: string;
-        requests: BatchSecretRequest[];
-    }= req.body;
-    
-    const createSecrets: BatchSecret[] = [];
-    const updateSecrets: BatchSecret[] = [];
-    const deleteSecrets: Types.ObjectId[] = [];
-    const actions: IAction[] = [];
-    
-    requests.forEach((request) => {
-        switch (request.method) {
-            case 'POST':
-                createSecrets.push({
-                    ...request.secret,
-                    version: 1,
-                    user: request.secret.type === SECRET_PERSONAL ? req.user : undefined,
-                    environment,
-                    workspace: new Types.ObjectId(workspaceId)
-                });
-                break;
-            case 'PATCH':
-                updateSecrets.push({
-                    ...request.secret,
-                    _id: new Types.ObjectId(request.secret._id)
-                });
-                break;
-            case 'DELETE':
-                deleteSecrets.push(new Types.ObjectId(request.secret._id));
-                break;
-        }
-    });
-    
-    // handle create secrets
-    let createdSecrets: ISecret[] = [];
-    if (createSecrets.length > 0) {
-        createdSecrets = await Secret.insertMany(createSecrets);
-        // (EE) add secret versions for new secrets
-        await EESecretService.addSecretVersions({
-            secretVersions: createdSecrets.map((n: any) => {
-                return ({
-                    ...n._doc,
-                    _id: new Types.ObjectId(),
-                    secret: n._id,
-                    isDeleted: false
-                });
-            })
-        });
-
-        const addAction = await EELogService.createAction({
-            name: ACTION_ADD_SECRETS,
-            userId: req.user._id,
-            workspaceId: new Types.ObjectId(workspaceId),
-            secretIds: createdSecrets.map((n) => n._id)
-        }) as IAction;
-        actions.push(addAction);
-
-        if (postHogClient) {
-            postHogClient.capture({
-                event: 'secrets added',
-                distinctId: req.user.email,
-                properties: {
-                    numberOfSecrets: createdSecrets.length,
-                    environment,
-                    workspaceId,
-                    channel,
-                    userAgent: req.headers?.['user-agent']
-                }
-            });
-        }
-    }
-    
-    // handle update secrets
-    let updatedSecrets: ISecret[] = [];
-    if (updateSecrets.length > 0 && req.secrets) {
-        // construct object containing all secrets
-        let listedSecretsObj: {
-            [key: string]: { 
-                version: number;
-                type: string;
-            }
-        } = {};
-        
-        listedSecretsObj = req.secrets.reduce((obj: any, secret: ISecret) => ({
-            ...obj,
-            [secret._id.toString()]: secret
-        }), {});
-
-        const updateOperations = updateSecrets.map((u) => ({
-            updateOne: {
-                filter: { _id: new Types.ObjectId(u._id) },
-                update: {
-                    $inc: {
-                        version: 1
-                    },
-                    ...u,
-                    _id: new Types.ObjectId(u._id)
-                }
-            }
-        }));
-
-        await Secret.bulkWrite(updateOperations);
-        
-        const secretVersions = updateSecrets.map((u) => ({
-            secret: new Types.ObjectId(u._id),
-            version: listedSecretsObj[u._id.toString()].version,
-            workspace: new Types.ObjectId(workspaceId),
-            type: listedSecretsObj[u._id.toString()].type,
-            environment,
-            isDeleted: false,
-            secretKeyCiphertext: u.secretKeyCiphertext,
-            secretKeyIV: u.secretKeyIV,
-            secretKeyTag: u.secretKeyTag,
-            secretValueCiphertext: u.secretValueCiphertext,
-            secretValueIV: u.secretValueIV,
-            secretValueTag: u.secretValueTag,
-            secretCommentCiphertext: u.secretCommentCiphertext,
-            secretCommentIV: u.secretCommentIV,
-            secretCommentTag: u.secretCommentTag,
-            tags: u.tags
-        }));
-
-        await EESecretService.addSecretVersions({
-            secretVersions
-        });
-
-        updatedSecrets = await Secret.find({
-            _id: {
-                $in: updateSecrets.map((u) => new Types.ObjectId(u._id))
-            }
-        });
-
-        const updateAction = await EELogService.createAction({
-            name: ACTION_UPDATE_SECRETS,
-            userId: req.user._id,
-            workspaceId: new Types.ObjectId(workspaceId),
-            secretIds: updatedSecrets.map((u) => u._id)
-        }) as IAction;
-        actions.push(updateAction);
-
-        if (postHogClient) {
-            postHogClient.capture({
-                event: 'secrets modified',
-                distinctId: req.user.email,
-                properties: {
-                    numberOfSecrets: updateSecrets.length,
-                    environment,
-                    workspaceId,
-                    channel,
-                    userAgent: req.headers?.['user-agent']
-                }
-            });
-        }
-    }
-
-    // handle delete secrets
-    if (deleteSecrets.length > 0) {
-        await Secret.deleteMany({
-            _id: {
-                $in: deleteSecrets
-            }
-        });
-
-        await EESecretService.markDeletedSecretVersions({
-            secretIds: deleteSecrets
-        });
-
-        const deleteAction = await EELogService.createAction({
-            name: ACTION_DELETE_SECRETS,
-            userId: req.user._id,
-            workspaceId: new Types.ObjectId(workspaceId),
-            secretIds: deleteSecrets
-        }) as IAction;
-        actions.push(deleteAction);
-
-        if (postHogClient) {
-            postHogClient.capture({
-                event: 'secrets deleted',
-                distinctId: req.user.email,
-                properties: {
-                    numberOfSecrets: deleteSecrets.length,
-                    environment,
-                    workspaceId,
-                    channel: channel,
-                    userAgent: req.headers?.['user-agent']
-                }
-            });
-        }
-    }
-    
-    if (actions.length > 0) {
-        // (EE) create (audit) log
-        await EELogService.createLog({
-            userId: req.user._id.toString(),
-            workspaceId: new Types.ObjectId(workspaceId),
-            actions,
-            channel,
-            ipAddress: req.ip
-        });
-    }
-
-    // // trigger event - push secrets
-    await EventService.handleEvent({
-        event: eventPushSecrets({
-            workspaceId
-        })
-    });
-
-    // (EE) take a secret snapshot
-    await EESecretService.takeSecretSnapshot({
-        workspaceId
-    });
-    
-    const resObj: { [key: string]: ISecret[] | string[] } = {}
-
-    if (createSecrets.length > 0) {
-        resObj['createdSecrets'] = createdSecrets;
-    }
-
-    if (updateSecrets.length > 0) {
-        resObj['updatedSecrets'] = updatedSecrets;
-    }
-    
-    if (deleteSecrets.length > 0) {
-        resObj['deletedSecrets'] = deleteSecrets.map((d) => d.toString());
-    }
-    
-    return res.status(200).send(resObj);
-}
+import { userHasWorkspaceAccess } from '../../ee/helpers/checkMembershipPermissions';

 /**
 * Create secret(s) for workspace with id [workspaceId] and environment [environment]
@ -328,38 +79,24 @@ export const createSecrets = async (req: Request, res: Response) => {
    */

    const channel = getChannelFromUserAgent(req.headers['user-agent'])
-    const { workspaceId, environment }: { workspaceId: string, environment: string } = req.body;
+    const { workspaceId, environment } = req.body;

    const hasAccess = await userHasWorkspaceAccess(req.user, workspaceId, environment, ABILITY_WRITE)
    if (!hasAccess) {
        throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
    }

-    let listOfSecretsToCreate;
+    let toAdd;
    if (Array.isArray(req.body.secrets)) {
        // case: create multiple secrets
-        listOfSecretsToCreate = req.body.secrets;
+        toAdd = req.body.secrets;
    } else if (typeof req.body.secrets === 'object') {
        // case: create 1 secret
-        listOfSecretsToCreate = [req.body.secrets];
+        toAdd = [req.body.secrets];
    }

-    type secretsToCreateType = {
-        type: string;
-        secretKeyCiphertext: string;
-        secretKeyIV: string;
-        secretKeyTag: string;
-        secretValueCiphertext: string;
-        secretValueIV: string;
-        secretValueTag: string;
-        secretCommentCiphertext: string;
-        secretCommentIV: string;
-        secretCommentTag: string;
-        tags: string[]
-    }
-
-    const newlyCreatedSecrets = await Secret.insertMany(
-        listOfSecretsToCreate.map(({
+    const newSecrets = await Secret.insertMany(
+        toAdd.map(({
            type,
            secretKeyCiphertext,
            secretKeyIV,
@ -367,29 +104,27 @@ export const createSecrets = async (req: Request, res: Response) => {
            secretValueCiphertext,
            secretValueIV,
            secretValueTag,
-            secretCommentCiphertext,
-            secretCommentIV,
-            secretCommentTag,
-            tags
-        }: secretsToCreateType) => {
-            return ({
-                version: 1,
-                workspace: new Types.ObjectId(workspaceId),
-                type,
-                user: type === SECRET_PERSONAL ? req.user : undefined,
-                environment,
-                secretKeyCiphertext,
-                secretKeyIV,
-                secretKeyTag,
-                secretValueCiphertext,
-                secretValueIV,
-                secretValueTag,
-                secretCommentCiphertext,
-                secretCommentIV,
-                secretCommentTag,
-                tags
-            });
-        })
+        }: {
+            type: string;
+            secretKeyCiphertext: string;
+            secretKeyIV: string;
+            secretKeyTag: string;
+            secretValueCiphertext: string;
+            secretValueIV: string;
+            secretValueTag: string;
+        }) => ({
+            version: 1,
+            workspace: new Types.ObjectId(workspaceId),
+            type,
+            user: type === SECRET_PERSONAL ? req.user : undefined,
+            environment,
+            secretKeyCiphertext,
+            secretKeyIV,
+            secretKeyTag,
+            secretValueCiphertext,
+            secretValueIV,
+            secretValueTag
+        }))
    );

    setTimeout(async () => {
@ -403,7 +138,7 @@ export const createSecrets = async (req: Request, res: Response) => {

    // (EE) add secret versions for new secrets
    await EESecretService.addSecretVersions({
-        secretVersions: newlyCreatedSecrets.map(({
+        secretVersions: newSecrets.map(({
            _id,
            version,
            workspace,
@ -413,13 +148,11 @@ export const createSecrets = async (req: Request, res: Response) => {
            secretKeyCiphertext,
            secretKeyIV,
            secretKeyTag,
+            secretKeyHash,
            secretValueCiphertext,
            secretValueIV,
            secretValueTag,
-            secretCommentCiphertext,
-            secretCommentIV,
-            secretCommentTag,
-            tags
+            secretValueHash
        }) => ({
            _id: new Types.ObjectId(),
            secret: _id,
@ -432,27 +165,25 @@ export const createSecrets = async (req: Request, res: Response) => {
            secretKeyCiphertext,
            secretKeyIV,
            secretKeyTag,
+            secretKeyHash,
            secretValueCiphertext,
            secretValueIV,
            secretValueTag,
-            secretCommentCiphertext,
-            secretCommentIV,
-            secretCommentTag,
-            tags
+            secretValueHash
        }))
    });

-    const addAction = await EELogService.createAction({
+    const addAction = await EELogService.createActionSecret({
        name: ACTION_ADD_SECRETS,
-        userId: req.user._id,
-        workspaceId: new Types.ObjectId(workspaceId),
-        secretIds: newlyCreatedSecrets.map((n) => n._id)
+        userId: req.user._id.toString(),
+        workspaceId,
+        secretIds: newSecrets.map((n) => n._id)
    });

    // (EE) create (audit) log
    addAction && await EELogService.createLog({
        userId: req.user._id.toString(),
-        workspaceId: new Types.ObjectId(workspaceId),
+        workspaceId,
        actions: [addAction],
        channel,
        ipAddress: req.ip
@ -468,7 +199,7 @@ export const createSecrets = async (req: Request, res: Response) => {
            event: 'secrets added',
            distinctId: req.user.email,
            properties: {
-                numberOfSecrets: listOfSecretsToCreate.length,
+                numberOfSecrets: toAdd.length,
                environment,
                workspaceId,
                channel: channel,
@ -478,7 +209,7 @@ export const createSecrets = async (req: Request, res: Response) => {
    }

    return res.status(200).send({
-        secrets: newlyCreatedSecrets
+        secrets: newSecrets
    });
 }

@ -529,108 +260,6 @@ export const getSecrets = async (req: Request, res: Response) => {
        }
    }   
    */
-
-
-    const { workspaceId, environment, tagSlugs } = req.query;
-    const tagNamesList = typeof tagSlugs === 'string' && tagSlugs !== '' ? tagSlugs.split(',') : [];
-    let userId = "" // used for getting personal secrets for user
-    let userEmail = "" // used for posthog 
-    if (req.user) {
-        userId = req.user._id;
-        userEmail = req.user.email;
-    }
-
-    if (req.serviceTokenData) {
-        userId = req.serviceTokenData.user._id
-        userEmail = req.serviceTokenData.user.email;
-    }
-
-    // none service token case as service tokens are already scoped to env and project
-    let hasWriteOnlyAccess
-    if (!req.serviceTokenData) {
-        hasWriteOnlyAccess = await userHasWriteOnlyAbility(userId, workspaceId, environment)
-        const hasNoAccess = await userHasNoAbility(userId, workspaceId, environment)
-        if (hasNoAccess) {
-            throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
-        }
-    }
-    let secrets: any
-    let secretQuery: any
-
-    if (tagNamesList != undefined && tagNamesList.length != 0) {
-        const workspaceFromDB = await Tag.find({ workspace: workspaceId })
-
-        const tagIds = _.map(tagNamesList, (tagName) => {
-            const tag = _.find(workspaceFromDB, { slug: tagName });
-            return tag ? tag.id : null;
-        });
-
-        secretQuery = {
-            workspace: workspaceId,
-            environment,
-            $or: [
-                { user: userId },
-                { user: { $exists: false } }
-            ],
-            tags: { $in: tagIds },
-            type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
-        }
-    } else {
-        secretQuery = {
-            workspace: workspaceId,
-            environment,
-            $or: [
-                { user: userId },
-                { user: { $exists: false } }
-            ],
-            type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
-        }
-    }
-
-    if (hasWriteOnlyAccess) {
-        secrets = await Secret.find(secretQuery).select("secretKeyCiphertext secretKeyIV secretKeyTag")
-    } else {
-        secrets = await Secret.find(secretQuery).populate("tags")
-    }
-
-    const channel = getChannelFromUserAgent(req.headers['user-agent'])
-
-    const readAction = await EELogService.createAction({
-        name: ACTION_READ_SECRETS,
-        userId: new Types.ObjectId(userId),
-        workspaceId: new Types.ObjectId(workspaceId as string),
-        secretIds: secrets.map((n: any) => n._id)
-    });
-
-    readAction && await EELogService.createLog({
-        userId: new Types.ObjectId(userId),
-        workspaceId: new Types.ObjectId(workspaceId as string),
-        actions: [readAction],
-        channel,
-        ipAddress: req.ip
-    });
-
-    if (postHogClient) {
-        postHogClient.capture({
-            event: 'secrets pulled',
-            distinctId: userEmail,
-            properties: {
-                numberOfSecrets: secrets.length,
-                environment,
-                workspaceId,
-                channel,
-                userAgent: req.headers?.['user-agent']
-            }
-        });
-    }
-
-    return res.status(200).send({
-        secrets
-    });
-}
-
-
-export const getOnlySecretKeys = async (req: Request, res: Response) => {
    const { workspaceId, environment } = req.query;

    let userId = "" // used for getting personal secrets for user
@ -653,7 +282,7 @@ export const getOnlySecretKeys = async (req: Request, res: Response) => {
        }
    }

-    const [err, secretKeys] = await to(Secret.find(
+    const [err, secrets] = await to(Secret.find(
        {
            workspace: workspaceId,
            environment,
@ -663,22 +292,43 @@ export const getOnlySecretKeys = async (req: Request, res: Response) => {
            ],
            type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
        }
-    )
-        .select("secretKeyIV secretKeyTag secretKeyCiphertext")
-        .then())
+    ).then())

    if (err) throw ValidationError({ message: 'Failed to get secrets', stack: err.stack });

-    // readAction && await EELogService.createLog({
-    //     userId: new Types.ObjectId(userId),
-    //     workspaceId: new Types.ObjectId(workspaceId as string),
-    //     actions: [readAction],
-    //     channel,
-    //     ipAddress: req.ip
-    // });
+    const channel = getChannelFromUserAgent(req.headers['user-agent'])
+
+    const readAction = await EELogService.createActionSecret({
+        name: ACTION_READ_SECRETS,
+        userId: userId,
+        workspaceId: workspaceId as string,
+        secretIds: secrets.map((n: any) => n._id)
+    });
+
+    readAction && await EELogService.createLog({
+        userId: userId,
+        workspaceId: workspaceId as string,
+        actions: [readAction],
+        channel,
+        ipAddress: req.ip
+    });
+
+    if (postHogClient) {
+        postHogClient.capture({
+            event: 'secrets pulled',
+            distinctId: userEmail,
+            properties: {
+                numberOfSecrets: secrets.length,
+                environment,
+                workspaceId,
+                channel,
+                userAgent: req.headers?.['user-agent']
+            }
+        });
+    }

    return res.status(200).send({
-        secretKeys
+        secrets
    });
 }

@ -746,7 +396,6 @@ export const updateSecrets = async (req: Request, res: Response) => {
        secretCommentCiphertext: string;
        secretCommentIV: string;
        secretCommentTag: string;
-        tags: string[]
    }

    const updateOperationsToPerform = req.body.secrets.map((secret: PatchSecret) => {
@ -759,8 +408,7 @@ export const updateSecrets = async (req: Request, res: Response) => {
            secretValueTag,
            secretCommentCiphertext,
            secretCommentIV,
-            secretCommentTag,
-            tags
+            secretCommentTag
        } = secret;

        return ({
@ -776,9 +424,8 @@ export const updateSecrets = async (req: Request, res: Response) => {
                    secretValueCiphertext,
                    secretValueIV,
                    secretValueTag,
-                    tags,
                    ...((
-                        secretCommentCiphertext !== undefined &&
+                        secretCommentCiphertext &&
                        secretCommentIV &&
                        secretCommentTag
                    ) ? {
@ -811,7 +458,6 @@ export const updateSecrets = async (req: Request, res: Response) => {
                secretCommentCiphertext,
                secretCommentIV,
                secretCommentTag,
-                tags
            } = secretModificationsBySecretId[secret._id.toString()]

            return ({
@ -829,7 +475,6 @@ export const updateSecrets = async (req: Request, res: Response) => {
                secretCommentCiphertext: secretCommentCiphertext ? secretCommentCiphertext : secret.secretCommentCiphertext,
                secretCommentIV: secretCommentIV ? secretCommentIV : secret.secretCommentIV,
                secretCommentTag: secretCommentTag ? secretCommentTag : secret.secretCommentTag,
-                tags: tags ? tags : secret.tags
            });
        })
    }
@ -858,17 +503,17 @@ export const updateSecrets = async (req: Request, res: Response) => {
            });
        }, 10000);

-        const updateAction = await EELogService.createAction({
+        const updateAction = await EELogService.createActionSecret({
            name: ACTION_UPDATE_SECRETS,
-            userId: req.user._id,
-            workspaceId: new Types.ObjectId(key),
+            userId: req.user._id.toString(),
+            workspaceId: key,
            secretIds: workspaceSecretObj[key].map((secret: ISecret) => secret._id)
        });

        // (EE) create (audit) log
        updateAction && await EELogService.createLog({
            userId: req.user._id.toString(),
-            workspaceId: new Types.ObjectId(key),
+            workspaceId: key,
            actions: [updateAction],
            channel,
            ipAddress: req.ip
@ -984,17 +629,17 @@ export const deleteSecrets = async (req: Request, res: Response) => {
                workspaceId: key
            })
        });
-        const deleteAction = await EELogService.createAction({
+        const deleteAction = await EELogService.createActionSecret({
            name: ACTION_DELETE_SECRETS,
-            userId: req.user._id,
-            workspaceId: new Types.ObjectId(key),
+            userId: req.user._id.toString(),
+            workspaceId: key,
            secretIds: workspaceSecretObj[key].map((secret: ISecret) => secret._id)
        });

        // (EE) create (audit) log
        deleteAction && await EELogService.createLog({
            userId: req.user._id.toString(),
-            workspaceId: new Types.ObjectId(key),
+            workspaceId: key,
            actions: [deleteAction],
            channel,
            ipAddress: req.ip
--- a/backend/src/controllers/v2/serviceTokenDataController.ts
+++ b/backend/src/controllers/v2/serviceTokenDataController.ts
@ -8,8 +8,6 @@ import {
 import {
    SALT_ROUNDS
 } from '../../config';
-import { userHasWorkspaceAccess } from '../../ee/helpers/checkMembershipPermissions';
-import { ABILITY_READ } from '../../variables/organization';

 /**
 * Return service token data associated with service token on request
@ -39,11 +37,6 @@ export const createServiceTokenData = async (req: Request, res: Response) => {
            expiresIn
        } = req.body;

-        const hasAccess = await userHasWorkspaceAccess(req.user, workspaceId, environment, ABILITY_READ)
-        if (!hasAccess) {
-            throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
-        }
-
        const secret = crypto.randomBytes(16).toString('hex');
        const secretHash = await bcrypt.hash(secret, SALT_ROUNDS);

@ -107,8 +100,4 @@ export const deleteServiceTokenData = async (req: Request, res: Response) => {
    return res.status(200).send({
        serviceTokenData
    });
-}
-
-function UnauthorizedRequestError(arg0: { message: string; }) {
-    throw new Error('Function not implemented.');
-}
+}
--- a/backend/src/controllers/v2/signupController.ts
+++ b/backend/src/controllers/v2/signupController.ts
@ -1,250 +0,0 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { User, MembershipOrg } from '../../models';
-import { completeAccount } from '../../helpers/user';
-import {
-	initializeDefaultOrg
-} from '../../helpers/signup';
-import { issueAuthTokens } from '../../helpers/auth';
-import { INVITED, ACCEPTED } from '../../variables';
-import { NODE_ENV } from '../../config';
-import axios from 'axios';
-
-/**
- * Complete setting up user by adding their personal and auth information as part of the
- * signup flow
- * @param req
- * @param res
- * @returns
- */
-export const completeAccountSignup = async (req: Request, res: Response) => {
-	let user, token, refreshToken;
-	try {
-		const {
-			email,
-			firstName,
-			lastName,
-            protectedKey,
-            protectedKeyIV,
-            protectedKeyTag,
-			publicKey,
-			encryptedPrivateKey,
-			encryptedPrivateKeyIV,
-			encryptedPrivateKeyTag,
-			salt,
-			verifier,
-			organizationName
-		}: {
-			email: string;
-			firstName: string;
-			lastName: string;
-            protectedKey: string;
-            protectedKeyIV: string;
-            protectedKeyTag: string;
-			publicKey: string;
-			encryptedPrivateKey: string;
-			encryptedPrivateKeyIV: string;
-			encryptedPrivateKeyTag: string;
-			salt: string;
-			verifier: string;
-			organizationName: string;
-        } = req.body;
-
-		// get user
-		user = await User.findOne({ email });
-		
-		if (!user || (user && user?.publicKey)) {
-			// case 1: user doesn't exist.
-			// case 2: user has already completed account
-			return res.status(403).send({
-				error: 'Failed to complete account for complete user'
-			});
-		}
-
-		// complete setting up user's account
-		user = await completeAccount({
-			userId: user._id.toString(),
-			firstName,
-			lastName,
-            encryptionVersion: 2,
-            protectedKey,
-            protectedKeyIV,
-            protectedKeyTag,
-			publicKey,
-			encryptedPrivateKey,
-			encryptedPrivateKeyIV,
-			encryptedPrivateKeyTag,
-			salt,
-			verifier
-		});
-
-		if (!user)
-			throw new Error('Failed to complete account for non-existent user'); // ensure user is non-null
-
-		// initialize default organization and workspace
-		await initializeDefaultOrg({
-			organizationName,
-			user
-		});
-
-		// update organization membership statuses that are
-		// invited to completed with user attached
-		await MembershipOrg.updateMany(
-			{
-				inviteEmail: email,
-				status: INVITED
-			},
-			{
-				user,
-				status: ACCEPTED
-			}
-		);
-
-		// issue tokens
-		const tokens = await issueAuthTokens({
-			userId: user._id.toString()
-		});
-
-		token = tokens.token;
-
-		// sending a welcome email to new users
-		if (process.env.LOOPS_API_KEY) {
-			await axios.post("https://app.loops.so/api/v1/events/send", {
-				"email": email,
-				"eventName": "Sign Up",
-				"firstName": firstName,
-				"lastName": lastName
-			}, {
-				headers: {
-					"Accept": "application/json",
-					"Authorization": "Bearer " + process.env.LOOPS_API_KEY
-				},
-			});
-		}
-
-		// store (refresh) token in httpOnly cookie
-		res.cookie('jid', tokens.refreshToken, {
-			httpOnly: true,
-			path: '/',
-			sameSite: 'strict',
-			secure: NODE_ENV === 'production' ? true : false
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to complete account setup'
-		});
-	}
-
-	return res.status(200).send({
-		message: 'Successfully set up account',
-		user,
-		token
-	});
-};
-
-/**
- * Complete setting up user by adding their personal and auth information as part of the
- * invite flow
- * @param req
- * @param res
- * @returns
- */
-export const completeAccountInvite = async (req: Request, res: Response) => {
-	let user, token, refreshToken;
-	try {
-		const {
-			email,
-			firstName,
-			lastName,
-            protectedKey,
-            protectedKeyIV,
-            protectedKeyTag,
-			publicKey,
-			encryptedPrivateKey,
-			encryptedPrivateKeyIV,
-			encryptedPrivateKeyTag,
-			salt,
-			verifier
-		} = req.body;
-
-		// get user
-		user = await User.findOne({ email });
-
-		if (!user || (user && user?.publicKey)) {
-			// case 1: user doesn't exist.
-			// case 2: user has already completed account
-			return res.status(403).send({
-				error: 'Failed to complete account for complete user'
-			});
-		}
-
-		const membershipOrg = await MembershipOrg.findOne({
-			inviteEmail: email,
-			status: INVITED
-		});
-
-		if (!membershipOrg) throw new Error('Failed to find invitations for email');
-
-		// complete setting up user's account
-		user = await completeAccount({
-			userId: user._id.toString(),
-			firstName,
-			lastName,
-            encryptionVersion: 2,
-            protectedKey,
-            protectedKeyIV,
-            protectedKeyTag,
-			publicKey,
-			encryptedPrivateKey,
-			encryptedPrivateKeyIV,
-			encryptedPrivateKeyTag,
-			salt,
-			verifier
-		});
-
-		if (!user)
-			throw new Error('Failed to complete account for non-existent user');
-
-		// update organization membership statuses that are
-		// invited to completed with user attached
-		await MembershipOrg.updateMany(
-			{
-				inviteEmail: email,
-				status: INVITED
-			},
-			{
-				user,
-				status: ACCEPTED
-			}
-		);
-
-		// issue tokens
-		const tokens = await issueAuthTokens({
-			userId: user._id.toString()
-		});
-
-		token = tokens.token;
-
-		// store (refresh) token in httpOnly cookie
-		res.cookie('jid', tokens.refreshToken, {
-			httpOnly: true,
-			path: '/',
-			sameSite: 'strict',
-			secure: NODE_ENV === 'production' ? true : false
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to complete account setup'
-		});
-	}
-	
-	return res.status(200).send({
-		message: 'Successfully set up account',
-		user,
-		token
-	});
-};
--- a/backend/src/controllers/v2/tagController.ts
+++ b/backend/src/controllers/v2/tagController.ts
@ -1,72 +0,0 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
-import {
-	Membership, Secret,
-} from '../../models';
-import Tag, { ITag } from '../../models/tag';
-import { Builder } from "builder-pattern"
-import to from 'await-to-js';
-import { BadRequestError, UnauthorizedRequestError } from '../../utils/errors';
-import { MongoError } from 'mongodb';
-import { userHasWorkspaceAccess } from '../../ee/helpers/checkMembershipPermissions';
-
-export const createWorkspaceTag = async (req: Request, res: Response) => {
-	const { workspaceId } = req.params
-	const { name, slug } = req.body
-	const sanitizedTagToCreate = Builder<ITag>()
-		.name(name)
-		.workspace(new Types.ObjectId(workspaceId))
-		.slug(slug)
-		.user(new Types.ObjectId(req.user._id))
-		.build();
-
-	const [err, createdTag] = await to(Tag.create(sanitizedTagToCreate))
-
-	if (err) {
-		if ((err as MongoError).code === 11000) {
-			throw BadRequestError({ message: "Tags must be unique in a workspace" })
-		}
-
-		throw err
-	}
-
-	res.json(createdTag)
-}
-
-export const deleteWorkspaceTag = async (req: Request, res: Response) => {
-	const { tagId } = req.params
-
-	const tagFromDB = await Tag.findById(tagId)
-	if (!tagFromDB) {
-		throw BadRequestError()
-	}
-
-	// can only delete if the request user is one that belongs to the same workspace as the tag
-	const membership = await Membership.findOne({
-		user: req.user,
-		workspace: tagFromDB.workspace
-	});
-
-	if (!membership) {
-		UnauthorizedRequestError({ message: 'Failed to validate membership' });
-	}
-
-	const result = await Tag.findByIdAndDelete(tagId);
-
-	// remove the tag from secrets
-	await Secret.updateMany(
-		{ tags: { $in: [tagId] } },
-		{ $pull: { tags: tagId } }
-	);
-
-	res.json(result);
-}
-
-export const getWorkspaceTags = async (req: Request, res: Response) => {
-	const { workspaceId } = req.params
-	const workspaceTags = await Tag.find({ workspace: workspaceId })
-	return res.json({
-		workspaceTags
-	})
-}
--- a/backend/src/controllers/v2/usersController.ts
+++ b/backend/src/controllers/v2/usersController.ts
@ -55,44 +55,6 @@ export const getMe = async (req: Request, res: Response) => {
    });
 }

-/**
- * Update the current user's MFA-enabled status [isMfaEnabled].
- * Note: Infisical currently only supports email-based 2FA only; this will expand to
- * include SMS and authenticator app modes of authentication in the future.
- * @param req 
- * @param res 
- * @returns 
- */
-export const updateMyMfaEnabled = async (req: Request, res: Response) => {
-    let user;
-    try {
-        const { isMfaEnabled }: { isMfaEnabled: boolean } = req.body;
-        req.user.isMfaEnabled = isMfaEnabled;
-        
-        if (isMfaEnabled) { 
-            // TODO: adapt this route/controller 
-            // to work for different forms of MFA
-            req.user.mfaMethods = ['email'];
-        } else {
-            req.user.mfaMethods = [];
-        }
-
-        await req.user.save();
-        
-        user = req.user;
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: "Failed to update current user's MFA status"
-		}); 
-    }
-    
-    return res.status(200).send({
-        user
-    });
-}
-
 /**
 * Return organizations that the current user is part of.
 * @param req 
--- a/backend/src/controllers/v2/workspaceController.ts
+++ b/backend/src/controllers/v2/workspaceController.ts
@ -467,42 +467,4 @@ export const deleteWorkspaceMembership = async (req: Request, res: Response) =>
 	return res.status(200).send({
 		membership
 	});
-}
-
-/**
- * Change autoCapitilzation Rule of workspace
- * @param req
- * @param res
- * @returns
- */
-export const toggleAutoCapitalization = async (req: Request, res: Response) => {
-	let workspace;
-	try {
-		const { workspaceId } = req.params;
-		const { autoCapitalization } = req.body;
-
-		workspace = await Workspace.findOneAndUpdate(
-			{
-				_id: workspaceId
-			},
-			{
-				autoCapitalization
-			},
-			{
-				new: true
-			}
-		);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to change autoCapitalization setting'
-		});
-	}
-
-	return res.status(200).send({
-		message: 'Successfully changed autoCapitalization setting',
-		workspace
-	});
-};
-
+}
--- a/backend/src/ee/controllers/v1/secretController.ts
+++ b/backend/src/ee/controllers/v1/secretController.ts
@ -158,9 +158,11 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
 			secretKeyCiphertext,
 			secretKeyIV,
 			secretKeyTag,
+			secretKeyHash,
 			secretValueCiphertext,
 			secretValueIV,
 			secretValueTag,
+			secretValueHash
 		} = oldSecretVersion;
 		
 		// update secret
@ -177,9 +179,11 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
 				secretKeyCiphertext,
 				secretKeyIV,
 				secretKeyTag,
+				secretKeyHash,
 				secretValueCiphertext,
 				secretValueIV,
 				secretValueTag,
+				secretValueHash
 			},
 			{
 				new: true
@ -200,9 +204,11 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
 			secretKeyCiphertext,
 			secretKeyIV,
 			secretKeyTag,
+			secretKeyHash,
 			secretValueCiphertext,
 			secretValueIV,
-			secretValueTag
+			secretValueTag,
+			secretValueHash	
 		}).save();
 		
 		// take secret snapshot
--- a/backend/src/ee/controllers/v1/secretSnapshotController.ts
+++ b/backend/src/ee/controllers/v1/secretSnapshotController.ts
@ -15,13 +15,7 @@ export const getSecretSnapshot = async (req: Request, res: Response) => {

        secretSnapshot = await SecretSnapshot
            .findById(secretSnapshotId)
-            .populate({
-                path: 'secretVersions',
-                populate: {
-                    path: 'tags',
-                    model: 'Tag',
-                }
-            });
+            .populate('secretVersions');
        
        if (!secretSnapshot) throw new Error('Failed to find secret snapshot');
        
--- a/backend/src/ee/helpers/action.ts
+++ b/backend/src/ee/helpers/action.ts
@ -1,40 +1,39 @@
 import * as Sentry from '@sentry/node';
 import { Types } from 'mongoose';
-import { Action } from '../models';
+import { SecretVersion, Action } from '../models';
 import { 
    getLatestSecretVersionIds,
    getLatestNSecretSecretVersionIds
 } from '../helpers/secretVersion';
-import { 
-    ACTION_LOGIN,
-    ACTION_LOGOUT,
-    ACTION_ADD_SECRETS,
-    ACTION_READ_SECRETS,
-    ACTION_DELETE_SECRETS,
-    ACTION_UPDATE_SECRETS,
-} from '../../variables';
+import { ACTION_UPDATE_SECRETS } from '../../variables';

 /**
- * Create an (audit) action for updating secrets
+ * Create an (audit) action for secrets including
+ * add, delete, update, and read actions.
 * @param {Object} obj
 * @param {String} obj.name - name of action
- * @param {Types.ObjectId} obj.secretIds - ids of relevant secrets
+ * @param {ObjectId[]} obj.secretIds - ids of relevant secrets
 * @returns {Action} action - new action
 */
-const createActionUpdateSecret = async ({
+const createActionSecretHelper = async ({
    name,
    userId,
    workspaceId,
    secretIds
 }: {
    name: string;
-    userId: Types.ObjectId;
-    workspaceId: Types.ObjectId;
+    userId: string;
+    workspaceId: string;
    secretIds: Types.ObjectId[];
 }) => {
+
    let action;
+    let latestSecretVersions;
    try {
-        const latestSecretVersions = (await getLatestNSecretSecretVersionIds({
+        if (name === ACTION_UPDATE_SECRETS) {
+            // case: action is updating secrets
+            // -> add old and new secret versions
+            latestSecretVersions = (await getLatestNSecretSecretVersionIds({
                secretIds,
                n: 2
            }))
@ -42,7 +41,17 @@ const createActionUpdateSecret = async ({
                oldSecretVersion: s.versions[0]._id,
                newSecretVersion: s.versions[1]._id
            }));
-        
+        } else {
+            // case: action is adding, deleting, or reading secrets
+            // -> add new secret versions
+            latestSecretVersions = (await getLatestSecretVersionIds({
+                secretIds
+            }))
+            .map((s) => ({
+                newSecretVersion: s.versionId
+            }));
+        }
+
        action = await new Action({
            name,
            user: userId,
@ -55,148 +64,10 @@ const createActionUpdateSecret = async ({
    } catch (err) {
 		Sentry.setUser(null);
 		Sentry.captureException(err);
-        throw new Error('Failed to create update secret action');
-    }
-    
-    return action;
-}
-
-/**
- * Create an (audit) action for creating, reading, and deleting
- * secrets
- * @param {Object} obj
- * @param {String} obj.name - name of action
- * @param {Types.ObjectId} obj.secretIds - ids of relevant secrets
- * @returns {Action} action - new action
- */
-const createActionSecret = async ({
-    name,
-    userId,
-    workspaceId,
-    secretIds
-}: {
-    name: string;
-    userId: Types.ObjectId;
-    workspaceId: Types.ObjectId;
-    secretIds: Types.ObjectId[];
-}) => {
-    let action;
-    try {
-        // case: action is adding, deleting, or reading secrets
-        // -> add new secret versions
-        const latestSecretVersions = (await getLatestSecretVersionIds({
-            secretIds
-        }))
-        .map((s) => ({
-            newSecretVersion: s.versionId
-        }));
-        
-       action = await new Action({
-            name,
-            user: userId,
-            workspace: workspaceId,
-            payload: {
-                secretVersions: latestSecretVersions
-            }
-        }).save(); 
-
-    } catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-        throw new Error('Failed to create action create/read/delete secret action');
-    }
-    
-    return action;
-}
-
-/**
- * Create an (audit) action for user with id [userId]
- * @param {Object} obj 
- * @param {String} obj.name - name of action
- * @param {String} obj.userId - id of user associated with action
- * @returns 
- */
-const createActionUser = ({
-    name,
-    userId
-}: {
-    name: string;
-    userId: Types.ObjectId;
-}) => {
-    let action;
-    try {
-        action = new Action({
-            name,
-            user: userId
-        }).save();
-    } catch (err) {
-        Sentry.setUser(null);
-        Sentry.captureException(err);
-        throw new Error('Failed to create user action');
-    }
-
-    return action; 
-}
-
-/**
- * Create an (audit) action. 
- * @param {Object} obj
- * @param {Object} obj.name - name of action
- * @param {Types.ObjectId} obj.userId - id of user associated with action
- * @param {Types.ObjectId} obj.workspaceId - id of workspace associated with action
- * @param {Types.ObjectId[]} obj.secretIds - ids of secrets associated with action
-*/
-const createActionHelper = async ({
-    name,
-    userId,
-    workspaceId,
-    secretIds,
-}: {
-    name: string;
-    userId: Types.ObjectId;
-    workspaceId?: Types.ObjectId;
-    secretIds?: Types.ObjectId[];
-}) => {
-    let action;
-    try {
-        switch (name) {
-            case ACTION_LOGIN:
-            case ACTION_LOGOUT:
-                action = await createActionUser({
-                    name,
-                    userId
-                });
-                break;
-            case ACTION_ADD_SECRETS:
-            case ACTION_READ_SECRETS:
-            case ACTION_DELETE_SECRETS:
-                if (!workspaceId || !secretIds) throw new Error('Missing required params workspace id or secret ids to create action secret');
-                action = await createActionSecret({
-                    name,
-                    userId,
-                    workspaceId,
-                    secretIds
-                });
-                break;
-            case ACTION_UPDATE_SECRETS:
-                if (!workspaceId || !secretIds) throw new Error('Missing required params workspace id or secret ids to create action secret');
-                action = await createActionUpdateSecret({
-                    name,
-                    userId,
-                    workspaceId,
-                    secretIds
-                });
-                break;
-        }
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
        throw new Error('Failed to create action');
    }
    
    return action;
 }

-export { 
-    createActionHelper
-};
+export { createActionSecretHelper };
--- a/backend/src/ee/helpers/checkMembershipPermissions.ts
+++ b/backend/src/ee/helpers/checkMembershipPermissions.ts
@ -1,6 +1,5 @@
 import _ from "lodash";
 import { Membership } from "../../models";
-import { ABILITY_READ, ABILITY_WRITE } from "../../variables/organization";

 export const userHasWorkspaceAccess = async (userId: any, workspaceId: any, environment: any, action: any) => {
  const membershipForWorkspace = await Membership.findOne({ workspace: workspaceId, user: userId })
@ -16,39 +15,4 @@ export const userHasWorkspaceAccess = async (userId: any, workspaceId: any, envi
  }

  return true
-}
-
-export const userHasWriteOnlyAbility = async (userId: any, workspaceId: any, environment: any) => {
-  const membershipForWorkspace = await Membership.findOne({ workspace: workspaceId, user: userId })
-  if (!membershipForWorkspace) {
-    return false
-  }
-
-  const deniedMembershipPermissions = membershipForWorkspace.deniedPermissions;
-  const isWriteDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: ABILITY_WRITE });
-  const isReadDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: ABILITY_READ });
-
-  // case: you have write only if read is blocked and write is not
-  if (isReadDisallowed && !isWriteDisallowed) {
-    return true
-  }
-
-  return false
-}
-
-export const userHasNoAbility = async (userId: any, workspaceId: any, environment: any) => {
-  const membershipForWorkspace = await Membership.findOne({ workspace: workspaceId, user: userId })
-  if (!membershipForWorkspace) {
-    return true
-  }
-
-  const deniedMembershipPermissions = membershipForWorkspace.deniedPermissions;
-  const isWriteDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: ABILITY_WRITE });
-  const isReadBlocked = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: ABILITY_READ });
-
-  if (isReadBlocked && isWriteDisallowed) {
-    return true
-  }
-
-  return false
 }
--- a/backend/src/ee/helpers/log.ts
+++ b/backend/src/ee/helpers/log.ts
@ -1,19 +1,9 @@
 import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
 import { 
    Log,
    IAction
 } from '../models';
-/**
- * Create an (audit) log
- * @param {Object} obj
- * @param {Types.ObjectId} obj.userId - id of user associated with the log
- * @param {Types.ObjectId} obj.workspaceId - id of workspace associated with the log
- * @param {IAction[]} obj.actions - actions to include in log
- * @param {String} obj.channel - channel (web/cli/auto) associated with the log
- * @param {String} obj.ipAddress - ip address associated with the log
- * @returns {Log} log - new audit log
- */
+
 const createLogHelper = async ({
    userId,
    workspaceId,
@ -21,8 +11,8 @@ const createLogHelper = async ({
    channel,
    ipAddress
 }: {
-    userId: Types.ObjectId;
-    workspaceId?: Types.ObjectId;
+    userId: string;
+    workspaceId: string;
    actions: IAction[];
    channel: string;
    ipAddress: string;
@ -31,7 +21,7 @@ const createLogHelper = async ({
    try {
        log = await new Log({
            user: userId,
-            workspace: workspaceId ?? undefined,
+            workspace: workspaceId,
            actionNames: actions.map((a) => a.name),
            actions,
            channel,
--- a/backend/src/ee/models/action.ts
+++ b/backend/src/ee/models/action.ts
@ -1,18 +1,10 @@
 import { Schema, model, Types } from 'mongoose';
-import {
-    ACTION_LOGIN,
-    ACTION_LOGOUT,
-    ACTION_ADD_SECRETS,
-    ACTION_UPDATE_SECRETS,
-    ACTION_READ_SECRETS,
-    ACTION_DELETE_SECRETS
-} from '../../variables';

 export interface IAction {
    name: string;
    user?: Types.ObjectId,
    workspace?: Types.ObjectId,
-    payload?: {
+    payload: {
        secretVersions?: Types.ObjectId[]
    }
 }
@ -21,15 +13,7 @@ const actionSchema = new Schema<IAction>(
    {
        name: {
            type: String,
-            required: true,
-            enum: [
-                ACTION_LOGIN,
-                ACTION_LOGOUT,
-                ACTION_ADD_SECRETS,
-                ACTION_UPDATE_SECRETS,
-                ACTION_READ_SECRETS,
-                ACTION_DELETE_SECRETS
-            ]
+            required: true
        },
        user: {
            type: Schema.Types.ObjectId,
--- a/backend/src/ee/models/log.ts
+++ b/backend/src/ee/models/log.ts
@ -1,7 +1,5 @@
 import { Schema, model, Types } from 'mongoose';
 import {
-    ACTION_LOGIN,
-    ACTION_LOGOUT,
    ACTION_ADD_SECRETS,
    ACTION_UPDATE_SECRETS,
    ACTION_READ_SECRETS,
@ -31,8 +29,6 @@ const logSchema = new Schema<ILog>(
        actionNames: {
            type: [String],
            enum: [
-                ACTION_LOGIN,
-                ACTION_LOGOUT,
                ACTION_ADD_SECRETS,
                ACTION_UPDATE_SECRETS,
                ACTION_READ_SECRETS,
--- a/backend/src/ee/models/secretVersion.ts
+++ b/backend/src/ee/models/secretVersion.ts
@ -5,20 +5,22 @@ import {
 } from '../../variables';

 export interface ISecretVersion {
+	_id: Types.ObjectId;
 	secret: Types.ObjectId;
 	version: number;
 	workspace: Types.ObjectId; // new
 	type: string; // new
-	user?: Types.ObjectId; // new
+	user: Types.ObjectId; // new
 	environment: string; // new
 	isDeleted: boolean;
 	secretKeyCiphertext: string;
 	secretKeyIV: string;
 	secretKeyTag: string;
+	secretKeyHash: string;
 	secretValueCiphertext: string;
 	secretValueIV: string;
 	secretValueTag: string;
-	tags?: string[];
+	secretValueHash: string;
 }

 const secretVersionSchema = new Schema<ISecretVersion>(
@ -69,6 +71,9 @@ const secretVersionSchema = new Schema<ISecretVersion>(
 			type: String, // symmetric
 			required: true
 		},
+		secretKeyHash: {
+			type: String
+		},
 		secretValueCiphertext: {
 			type: String,
 			required: true
@ -81,11 +86,9 @@ const secretVersionSchema = new Schema<ISecretVersion>(
 			type: String, // symmetric
 			required: true
 		},
-		tags: {
-			ref: 'Tag',
-			type: [Schema.Types.ObjectId],
-			default: []
-		},
+		secretValueHash: {
+			type: String
+		}
 	},
 	{
 		timestamps: true
--- a/backend/src/ee/services/EELogService.ts
+++ b/backend/src/ee/services/EELogService.ts
@ -1,12 +1,14 @@
 import { Types } from 'mongoose';
 import { 
+    Log,
+    Action,
    IAction
 } from '../models';
 import {
    createLogHelper
 } from '../helpers/log';
 import {
-    createActionHelper
+    createActionSecretHelper
 } from '../helpers/action';
 import EELicenseService from './EELicenseService';

@ -31,8 +33,8 @@ class EELogService {
        channel,
        ipAddress
    }: {
-        userId: Types.ObjectId;
-        workspaceId?: Types.ObjectId;
+        userId: string;
+        workspaceId: string;
        actions: IAction[];
        channel: string;
        ipAddress: string;
@ -48,26 +50,26 @@ class EELogService {
    }
    
    /**
-     * Create an (audit) action
+     * Create an (audit) action for secrets including
+     * add, delete, update, and read actions.
     * @param {Object} obj
     * @param {String} obj.name - name of action
-     * @param {Types.ObjectId} obj.userId - id of user associated with the action
-     * @param {Types.ObjectId} obj.workspaceId - id of workspace associated with the action
-     * @param {ObjectId[]} obj.secretIds - ids of secrets associated with the action
+     * @param {ObjectId[]} obj.secretIds - secret ids
     * @returns {Action} action - new action
     */
-    static async createAction({
+    static async createActionSecret({
        name,
        userId,
        workspaceId,
        secretIds
    }: {
        name: string;
-        userId: Types.ObjectId;
-        workspaceId?: Types.ObjectId;
-        secretIds?: Types.ObjectId[];
+        userId: string;
+        workspaceId: string;
+        secretIds: Types.ObjectId[];
    }) {
-        return await createActionHelper({
+        if (!EELicenseService.isLicenseValid) return null; 
+        return await createActionSecretHelper({
            name,
            userId,
            workspaceId,
--- a/backend/src/helpers/auth.ts
+++ b/backend/src/helpers/auth.ts
@ -211,7 +211,7 @@ const getAuthAPIKeyPayload = async ({
 * @return {String} obj.token - issued JWT token
 * @return {String} obj.refreshToken - issued refresh token
 */
-const issueAuthTokens = async ({ userId }: { userId: string }) => {
+const issueTokens = async ({ userId }: { userId: string }) => {
 	let token: string;
 	let refreshToken: string;
 	try {
@ -298,6 +298,6 @@ export {
 	getAuthSTDPayload,
 	getAuthAPIKeyPayload,
 	createToken,
-	issueAuthTokens,
+	issueTokens,
 	clearTokens
 };
--- a/backend/src/helpers/database.ts
+++ b/backend/src/helpers/database.ts
@ -1,4 +1,5 @@
 import mongoose from 'mongoose';
+import { ISecret, Secret } from '../models';
 import { EESecretService } from '../ee/services';
 import { getLogger } from '../utils/logger';

@ -15,10 +16,6 @@ const initDatabaseHelper = async ({
 }) => {
    try {
        await mongoose.connect(mongoURL);
-    
-        // allow empty strings to pass the required validator
-        mongoose.Schema.Types.String.checkRequired(v => typeof v === 'string');
-
        getLogger("database").info("Database connection established");
        
        await EESecretService.initSecretVersioning();
--- a/backend/src/helpers/integration.ts
+++ b/backend/src/helpers/integration.ts
@ -30,7 +30,6 @@ interface Update {
 * @param {String} obj.workspaceId - id of workspace
 * @param {String} obj.integration - name of integration 
 * @param {String} obj.code - code
- * @returns {IntegrationAuth} integrationAuth - integration auth after OAuth2 code-token exchange
 */
 const handleOAuthExchangeHelper = async ({
    workspaceId,
@ -43,6 +42,7 @@ const handleOAuthExchangeHelper = async ({
    code: string;
    environment: string;
 }) => {
+    let action;
    let integrationAuth;
    try {
        const bot = await Bot.findOne({
@ -94,18 +94,25 @@ const handleOAuthExchangeHelper = async ({
            // set integration auth access token
            await setIntegrationAuthAccessHelper({
                integrationAuthId: integrationAuth._id.toString(),
-                accessId: null,
                accessToken: res.accessToken,
                accessExpiresAt: res.accessExpiresAt
            });
        }
+
+        // initialize new integration after exchange
+        await new Integration({
+            workspace: workspaceId,
+            isActive: false,
+            app: null,
+            environment,
+            integration,
+            integrationAuth: integrationAuth._id
+        }).save();
    } catch (err) {
        Sentry.setUser(null);
        Sentry.captureException(err);
        throw new Error('Failed to handle OAuth2 code-token exchange')
    }
-    
-    return integrationAuth;
 }
 /**
 * Sync/push environment variables in workspace with id [workspaceId] to
@ -139,7 +146,7 @@ const syncIntegrationsHelper = async ({
            if (!integrationAuth) throw new Error('Failed to find integration auth');
            
            // get integration auth access token
-            const access = await getIntegrationAuthAccessHelper({
+            const accessToken = await getIntegrationAuthAccessHelper({
                integrationAuthId: integration.integrationAuth.toString()
            });

@ -148,8 +155,7 @@ const syncIntegrationsHelper = async ({
                integration,
                integrationAuth,
                secrets,
-                accessId: access.accessId,
-                accessToken: access.accessToken
+                accessToken
            });
        }
    } catch (err) {
@ -205,12 +211,12 @@ const syncIntegrationsHelper = async ({
 * @returns {String} accessToken - decrypted access token
 */
 const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrationAuthId: string }) => {
-    let accessId;
    let accessToken;
+	
    try {
        const integrationAuth = await IntegrationAuth
            .findById(integrationAuthId)
-            .select('workspace integration +accessCiphertext +accessIV +accessTag +accessExpiresAt + refreshCiphertext +accessIdCiphertext +accessIdIV +accessIdTag');
+            .select('workspace integration +accessCiphertext +accessIV +accessTag +accessExpiresAt + refreshCiphertext');

        if (!integrationAuth) throw UnauthorizedRequestError({message: 'Failed to locate Integration Authentication credentials'});

@ -234,15 +240,6 @@ const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrati
                });
            }
        }
-        
-        if (integrationAuth?.accessIdCiphertext && integrationAuth?.accessIdIV && integrationAuth?.accessIdTag) {
-            accessId = await BotService.decryptSymmetric({
-                workspaceId: integrationAuth.workspace.toString(),
-                ciphertext: integrationAuth.accessIdCiphertext as string,
-                iv: integrationAuth.accessIdIV as string,
-                tag: integrationAuth.accessIdTag as string
-            });
-        }

    } catch (err) {
        Sentry.setUser(null);
@ -253,10 +250,7 @@ const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrati
            throw new Error('Failed to get integration access token');
    }
    
-    return ({
-        accessId,
-        accessToken
-    });
+    return accessToken;
 }

 /**
@ -306,9 +300,9 @@ const setIntegrationAuthRefreshHelper = async ({
 }

 /**
- * Encrypt access token [accessToken] and (optionally) access id [accessId]
- * using the bot's copy of the workspace key for workspace belonging to 
- * integration auth with id [integrationAuthId] and store it along with [accessExpiresAt]
+ * Encrypt access token [accessToken] using the bot's copy
+ * of the workspace key for workspace belonging to integration auth
+ * with id [integrationAuthId] and store it along with [accessExpiresAt]
 * @param {Object} obj
 * @param {String} obj.integrationAuthId - id of integration auth
 * @param {String} obj.accessToken - access token
@ -316,12 +310,10 @@ const setIntegrationAuthRefreshHelper = async ({
 */
 const setIntegrationAuthAccessHelper = async ({
    integrationAuthId,
-    accessId,
    accessToken,
    accessExpiresAt
 }: {
    integrationAuthId: string;
-    accessId: string | null;
    accessToken: string;
    accessExpiresAt: Date | undefined;
 }) => {
@ -331,28 +323,17 @@ const setIntegrationAuthAccessHelper = async ({
        
        if (!integrationAuth) throw new Error('Failed to find integration auth');
        
-        const encryptedAccessTokenObj = await BotService.encryptSymmetric({
+        const obj = await BotService.encryptSymmetric({
            workspaceId: integrationAuth.workspace.toString(),
            plaintext: accessToken
        });
        
-        let encryptedAccessIdObj;
-        if (accessId) {
-            encryptedAccessIdObj = await BotService.encryptSymmetric({
-                workspaceId: integrationAuth.workspace.toString(),
-                plaintext: accessId
-            }); 
-        }
-        
        integrationAuth = await IntegrationAuth.findOneAndUpdate({
            _id: integrationAuthId
        }, {
-            accessIdCiphertext: encryptedAccessIdObj?.ciphertext ?? undefined,
-            accessIdIV: encryptedAccessIdObj?.iv ?? undefined,
-            accessIdTag: encryptedAccessIdObj?.tag ?? undefined,
-            accessCiphertext: encryptedAccessTokenObj.ciphertext,
-            accessIV: encryptedAccessTokenObj.iv,
-            accessTag: encryptedAccessTokenObj.tag,
+            accessCiphertext: obj.ciphertext,
+            accessIV: obj.iv,
+            accessTag: obj.tag,
            accessExpiresAt
        }, {
            new: true
--- a/backend/src/helpers/organization.ts
+++ b/backend/src/helpers/organization.ts
@ -3,7 +3,6 @@ import Stripe from 'stripe';
 import {
 	STRIPE_SECRET_KEY,
 	STRIPE_PRODUCT_STARTER,
-	STRIPE_PRODUCT_TEAM,
 	STRIPE_PRODUCT_PRO
 } from '../config';
 const stripe = new Stripe(STRIPE_SECRET_KEY, {
@ -15,7 +14,6 @@ import { Organization, MembershipOrg } from '../models';

 const productToPriceMap = {
 	starter: STRIPE_PRODUCT_STARTER,
-	team: STRIPE_PRODUCT_TEAM,
 	pro: STRIPE_PRODUCT_PRO
 };

@ -57,7 +55,7 @@ const createOrganization = async ({
 	} catch (err) {
 		Sentry.setUser({ email });
 		Sentry.captureException(err);
-		throw new Error(`Failed to create organization [err=${err}]`);
+		throw new Error('Failed to create organization');
 	}

 	return organization;
--- a/backend/src/helpers/secret.ts
+++ b/backend/src/helpers/secret.ts
@ -406,10 +406,10 @@ const v2PushSecrets = async ({
 				secretIds: toDelete
 			});

-			const deleteAction = await EELogService.createAction({
+			const deleteAction = await EELogService.createActionSecret({
 				name: ACTION_DELETE_SECRETS,
-				userId: new Types.ObjectId(userId),
-				workspaceId: new Types.ObjectId(userId),
+				userId,
+				workspaceId,
 				secretIds: toDelete
 			});

@ -499,10 +499,10 @@ const v2PushSecrets = async ({
 				})
 			});

-			const updateAction = await EELogService.createAction({
+			const updateAction = await EELogService.createActionSecret({
 				name: ACTION_UPDATE_SECRETS,
-				userId: new Types.ObjectId(userId),
-				workspaceId: new Types.ObjectId(workspaceId),
+				userId,
+				workspaceId,
 				secretIds: toUpdate.map((u) => u._id)
 			});

@ -536,10 +536,10 @@ const v2PushSecrets = async ({
 				})
 			});

-			const addAction = await EELogService.createAction({
+			const addAction = await EELogService.createActionSecret({
 				name: ACTION_ADD_SECRETS,
-				userId: new Types.ObjectId(userId),
-				workspaceId: new Types.ObjectId(workspaceId),
+				userId,
+				workspaceId,
 				secretIds: newSecrets.map((n) => n._id)
 			});
 			addAction && actions.push(addAction);
@ -553,8 +553,8 @@ const v2PushSecrets = async ({
 		// (EE) create (audit) log
 		if (actions.length > 0) {
 			await EELogService.createLog({
-				userId: new Types.ObjectId(userId),
-				workspaceId: new Types.ObjectId(workspaceId),
+				userId,
+				workspaceId,
 				actions,
 				channel,
 				ipAddress
@ -645,16 +645,16 @@ const pullSecrets = async ({
 			environment
 		})

-		const readAction = await EELogService.createAction({
+		const readAction = await EELogService.createActionSecret({
 			name: ACTION_READ_SECRETS,
-			userId: new Types.ObjectId(userId),
-			workspaceId: new Types.ObjectId(workspaceId),
+			userId,
+			workspaceId,
 			secretIds: secrets.map((n: any) => n._id)
 		});

 		readAction && await EELogService.createLog({
-			userId: new Types.ObjectId(userId),
-			workspaceId: new Types.ObjectId(workspaceId),
+			userId,
+			workspaceId,
 			actions: [readAction],
 			channel,
 			ipAddress
--- a/backend/src/helpers/signup.ts
+++ b/backend/src/helpers/signup.ts
@ -1,11 +1,12 @@
 import * as Sentry from '@sentry/node';
-import { IUser } from '../models';
+import crypto from 'crypto';
+import { Token, IToken, IUser } from '../models';
 import { createOrganization } from './organization';
 import { addMembershipsOrg } from './membershipOrg';
-import { OWNER, ACCEPTED } from '../variables';
+import { createWorkspace } from './workspace';
+import { addMemberships } from './membership';
+import { OWNER, ADMIN, ACCEPTED } from '../variables';
 import { sendMail } from '../helpers/nodemailer';
-import { TokenService } from '../services';
-import { TOKEN_EMAIL_CONFIRMATION } from '../variables';

 /**
 * Send magic link to verify email to [email]
@ -13,13 +14,21 @@ import { TOKEN_EMAIL_CONFIRMATION } from '../variables';
 * @param {Object} obj
 * @param {String} obj.email - email
 * @returns {Boolean} success - whether or not operation was successful
+ *
 */
 const sendEmailVerification = async ({ email }: { email: string }) => {
 	try {
-		const token = await TokenService.createToken({
-			type: TOKEN_EMAIL_CONFIRMATION,
-			email
-		});
+		const token = String(crypto.randomInt(Math.pow(10, 5), Math.pow(10, 6) - 1));
+
+		await Token.findOneAndUpdate(
+			{ email },
+			{
+				email,
+				token,
+				createdAt: new Date()
+			},
+			{ upsert: true, new: true }
+		);

 		// send mail
 		await sendMail({
@ -53,11 +62,12 @@ const checkEmailVerification = async ({
 	code: string;
 }) => {
 	try {
-		await TokenService.validateToken({
-			type: TOKEN_EMAIL_CONFIRMATION,
+		const token = await Token.findOneAndDelete({
 			email,
 			token: code
 		});
+	
+		if (!token) throw new Error('Failed to find email verification token');
 	} catch (err) {
 		Sentry.setUser(null);
 		Sentry.captureException(err);
@ -93,8 +103,20 @@ const initializeDefaultOrg = async ({
 			roles: [OWNER],
 			statuses: [ACCEPTED]
 		});
+
+		// initialize a default workspace inside the new organization
+		const workspace = await createWorkspace({
+			name: `Example Project`,
+			organizationId: organization._id.toString()
+		});
+
+		await addMemberships({
+			userIds: [user._id.toString()],
+			workspaceId: workspace._id.toString(),
+			roles: [ADMIN]
+		});
 	} catch (err) {
-		throw new Error(`Failed to initialize default organization and workspace [err=${err}]`);
+		throw new Error('Failed to initialize default organization and workspace');
 	}
 };

--- a/backend/src/helpers/token.ts
+++ b/backend/src/helpers/token.ts
@ -1,217 +0,0 @@
-import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
-import { TokenData } from '../models';
-import crypto from 'crypto';
-import bcrypt from 'bcrypt';
-import {
-    TOKEN_EMAIL_CONFIRMATION,
-    TOKEN_EMAIL_MFA,
-    TOKEN_EMAIL_ORG_INVITATION,
-    TOKEN_EMAIL_PASSWORD_RESET
-} from '../variables';
-import {
-    SALT_ROUNDS
-} from '../config';
-import { UnauthorizedRequestError } from '../utils/errors';
-
-/**
- * Create and store a token in the database for purpose [type]
- * @param {Object} obj
- * @param {String} obj.type
- * @param {String} obj.email
- * @param {String} obj.phoneNumber
- * @param {Types.ObjectId} obj.organizationId
- * @returns {String} token - the created token
- */
-const createTokenHelper = async ({
-    type,
-    email,
-    phoneNumber,
-    organizationId
-}: {
-    type: 'emailConfirmation' | 'emailMfa' | 'organizationInvitation' | 'passwordReset';
-    email?: string;
-    phoneNumber?: string;
-    organizationId?: Types.ObjectId
-}) => {
-    let token, expiresAt, triesLeft;
-    try {
-        // generate random token based on specified token use-case
-        // type [type]
-        switch (type) {
-            case TOKEN_EMAIL_CONFIRMATION:
-                // generate random 6-digit code
-                token = String(crypto.randomInt(Math.pow(10, 5), Math.pow(10, 6) - 1));
-                expiresAt = new Date((new Date()).getTime() + 86400000);
-                break;
-            case TOKEN_EMAIL_MFA:
-                // generate random 6-digit code
-                token = String(crypto.randomInt(Math.pow(10, 5), Math.pow(10, 6) - 1));
-                triesLeft = 5;
-                expiresAt = new Date((new Date()).getTime() + 300000);
-                break;
-            case TOKEN_EMAIL_ORG_INVITATION:
-                // generate random hex
-                token = crypto.randomBytes(16).toString('hex');
-                expiresAt = new Date((new Date()).getTime() + 259200000);
-                break;
-            case TOKEN_EMAIL_PASSWORD_RESET:
-                // generate random hex
-                token = crypto.randomBytes(16).toString('hex');
-                expiresAt = new Date((new Date()).getTime() + 86400000); 
-                break;
-            default:
-                token = crypto.randomBytes(16).toString('hex');
-                expiresAt = new Date();
-                break;
-        }
-        
-       interface TokenDataQuery {
-            type: string;
-            email?: string;
-            phoneNumber?: string;
-            organization?: Types.ObjectId;
-        }
-        
-        interface TokenDataUpdate {
-            type: string;
-            email?: string;
-            phoneNumber?: string;
-            organization?: Types.ObjectId;
-            tokenHash: string;
-            triesLeft?: number;
-            expiresAt: Date;
-        }
-
-        const query: TokenDataQuery = { type };
-        const update: TokenDataUpdate = {
-            type,
-            tokenHash: await bcrypt.hash(token, SALT_ROUNDS),
-            expiresAt
-        }
-
-        if (email) {
-            query.email = email; 
-            update.email = email; 
-        }
-        if (phoneNumber) { 
-            query.phoneNumber = phoneNumber; 
-            update.phoneNumber = phoneNumber; 
-        }
-        if (organizationId) { 
-            query.organization = organizationId 
-            update.organization = organizationId 
-        } 
-        
-        if (triesLeft) {
-            update.triesLeft = triesLeft;
-        }
-       
-        await TokenData.findOneAndUpdate(
-            query,
-            update,
-            {
-                new: true,
-                upsert: true
-            }
-        );
-    } catch (err) {
-        Sentry.setUser(null);
-        Sentry.captureException(err);
-        throw new Error(
-            "Failed to create token"
-        ); 
-    }
-    
-    return token;
-}
-
-/**
- * 
- * @param {Object} obj
- * @param {String} obj.email - email associated with the token
- * @param {String} obj.token - value of the token
- */
-const validateTokenHelper = async ({
-    type,
-    email,
-    phoneNumber,
-    organizationId,
-    token
-}: {
-    type: 'emailConfirmation' | 'emailMfa' | 'organizationInvitation' | 'passwordReset';
-    email?: string;
-    phoneNumber?: string;
-    organizationId?: Types.ObjectId;
-    token: string;
-}) => {
-    interface Query {
-        type: string;
-        email?: string;
-        phoneNumber?: string;
-        organization?: Types.ObjectId;
-    }
-
-    const query: Query = { type };
-
-    if (email) { query.email = email; }
-    if (phoneNumber) { query.phoneNumber = phoneNumber; }
-    if (organizationId) { query.organization = organizationId; }
-
-    const tokenData = await TokenData.findOne(query).select('+tokenHash');
-    
-    if (!tokenData) throw new Error('Failed to find token to validate');
-    
-    if (tokenData.expiresAt < new Date()) {
-        // case: token expired
-        await TokenData.findByIdAndDelete(tokenData._id);
-        throw UnauthorizedRequestError({
-            message: 'MFA session expired. Please log in again',
-            context: {
-                code: 'mfa_expired'
-            }
-        });
-    }
-
-    const isValid = await bcrypt.compare(token, tokenData.tokenHash);
-    if (!isValid) {
-        // case: token is not valid
-        if (tokenData?.triesLeft !== undefined) {
-            // case: token has a try-limit
-            if (tokenData.triesLeft === 1) {
-                // case: token is out of tries
-                await TokenData.findByIdAndDelete(tokenData._id);
-            } else {
-                // case: token has more than 1 try left
-                await TokenData.findByIdAndUpdate(tokenData._id, {
-                    triesLeft: tokenData.triesLeft - 1
-                }, {
-                    new: true
-                });
-            }
-
-            throw UnauthorizedRequestError({
-                message: 'MFA code is invalid',
-                context: {
-                    code: 'mfa_invalid',
-                    triesLeft: tokenData.triesLeft - 1
-                }
-            });
-        }
-
-        throw UnauthorizedRequestError({
-            message: 'MFA code is invalid',
-            context: {
-                code: 'mfa_invalid'
-            }
-        });
-    }
-
-    // case: token is valid
-    await TokenData.findByIdAndDelete(tokenData._id);
-}
-
-export {
-    createTokenHelper,
-    validateTokenHelper
-}
--- a/backend/src/helpers/user.ts
+++ b/backend/src/helpers/user.ts
@ -1,6 +1,5 @@
 import * as Sentry from '@sentry/node';
-import { IUser, User } from '../models';
-import { sendMail } from './nodemailer';
+import { User, IUser } from '../models';

 /**
 * Initialize a user under email [email]
@ -29,14 +28,10 @@ const setupAccount = async ({ email }: { email: string }) => {
 * @param {String} obj.userId - id of user to finish setting up
 * @param {String} obj.firstName - first name of user
 * @param {String} obj.lastName - last name of user
- * @param {Number} obj.encryptionVersion - version of auth encryption scheme used
- * @param {String} obj.protectedKey - protected key in encryption version 2
- * @param {String} obj.protectedKeyIV - IV of protected key in encryption version 2
- * @param {String} obj.protectedKeyTag - tag of protected key in encryption version 2
 * @param {String} obj.publicKey - publickey of user
 * @param {String} obj.encryptedPrivateKey - (encrypted) private key of user
- * @param {String} obj.encryptedPrivateKeyIV - iv for (encrypted) private key of user
- * @param {String} obj.encryptedPrivateKeyTag - tag for (encrypted) private key of user
+ * @param {String} obj.iv - iv for (encrypted) private key of user
+ * @param {String} obj.tag - tag for (encrypted) private key of user
 * @param {String} obj.salt - salt for auth SRP
 * @param {String} obj.verifier - verifier for auth SRP
 * @returns {Object} user - the completed user
@ -45,28 +40,20 @@ const completeAccount = async ({
 	userId,
 	firstName,
 	lastName,
-	encryptionVersion,
-	protectedKey,
-	protectedKeyIV,
-	protectedKeyTag,
 	publicKey,
 	encryptedPrivateKey,
-	encryptedPrivateKeyIV,
-	encryptedPrivateKeyTag,
+	iv,
+	tag,
 	salt,
 	verifier
 }: {
 	userId: string;
 	firstName: string;
 	lastName: string;
-	encryptionVersion: number;
-	protectedKey: string;
-	protectedKeyIV: string;
-	protectedKeyTag: string;
 	publicKey: string;
 	encryptedPrivateKey: string;
-	encryptedPrivateKeyIV: string;
-	encryptedPrivateKeyTag: string;
+	iv: string;
+	tag: string;
 	salt: string;
 	verifier: string;
 }) => {
@ -80,14 +67,10 @@ const completeAccount = async ({
 			{
 				firstName,
 				lastName,
-				encryptionVersion,
-				protectedKey,
-				protectedKeyIV,
-				protectedKeyTag,
 				publicKey,
 				encryptedPrivateKey,
-				iv: encryptedPrivateKeyIV,
-				tag: encryptedPrivateKeyTag,
+				iv,
+				tag,
 				salt,
 				verifier
 			},
@ -102,48 +85,4 @@ const completeAccount = async ({
 	return user;
 };

-/**
- * Check if device with ip [ip] and user-agent [userAgent] has been seen for user [user].
- * If the device is unseen, then notify the user of the new device
- * @param {Object} obj
- * @param {String} obj.ip - login ip address
- * @param {String} obj.userAgent - login user-agent
- */
-const checkUserDevice = async ({
-	user,
-	ip,
-	userAgent
-}: {
-	user: IUser;
-	ip: string;
-	userAgent: string;
-}) => {
-	const isDeviceSeen = user.devices.some((device) => device.ip === ip && device.userAgent === userAgent);
-		
-	if (!isDeviceSeen) {
-		// case: unseen login ip detected for user
-		// -> notify user about the sign-in from new ip 
-		
-		user.devices = user.devices.concat([{
-			ip: String(ip),
-			userAgent
-		}]);
-		
-		await user.save();
-
-		// send MFA code [code] to [email]
-		await sendMail({
-			template: 'newDevice.handlebars',
-			subjectLine: `Successful login from new device`,
-			recipients: [user.email],
-			substitutions: {
-				email: user.email,
-				timestamp: new Date().toString(),
-				ip,
-				userAgent
-			}
-		}); 
-	}
-}
-
-export { setupAccount, completeAccount, checkUserDevice };
+export { setupAccount, completeAccount };
--- a/backend/src/integrations/apps.ts
+++ b/backend/src/integrations/apps.ts
@ -1,25 +1,20 @@
-import axios from "axios";
-import * as Sentry from "@sentry/node";
-import { Octokit } from "@octokit/rest";
-import { IIntegrationAuth } from "../models";
+import axios from 'axios';
+import * as Sentry from '@sentry/node';
+import { Octokit } from '@octokit/rest';
+import { IIntegrationAuth } from '../models';
 import {
-  INTEGRATION_AZURE_KEY_VAULT,
-  INTEGRATION_AWS_PARAMETER_STORE,
-  INTEGRATION_AWS_SECRET_MANAGER,
  INTEGRATION_HEROKU,
  INTEGRATION_VERCEL,
  INTEGRATION_NETLIFY,
  INTEGRATION_GITHUB,
  INTEGRATION_RENDER,
  INTEGRATION_FLYIO,
-  INTEGRATION_CIRCLECI,
  INTEGRATION_HEROKU_API_URL,
  INTEGRATION_VERCEL_API_URL,
  INTEGRATION_NETLIFY_API_URL,
  INTEGRATION_RENDER_API_URL,
-  INTEGRATION_FLYIO_API_URL,
-  INTEGRATION_CIRCLECI_API_URL,
-} from "../variables";
+  INTEGRATION_FLYIO_API_URL
+} from '../variables';

 /**
 * Return list of names of apps for integration named [integration]
@ -31,7 +26,7 @@ import {
 */
 const getApps = async ({
  integrationAuth,
-  accessToken,
+  accessToken
 }: {
  integrationAuth: IIntegrationAuth;
  accessToken: string;
@ -45,56 +40,42 @@ const getApps = async ({
  let apps: App[];
  try {
    switch (integrationAuth.integration) {
-      case INTEGRATION_AZURE_KEY_VAULT:
-        apps = [];
-        break;
-      case INTEGRATION_AWS_PARAMETER_STORE:
-        apps = [];
-        break;
-      case INTEGRATION_AWS_SECRET_MANAGER:
-        apps = [];
-        break;
      case INTEGRATION_HEROKU:
        apps = await getAppsHeroku({
-          accessToken,
+          accessToken
        });
        break;
      case INTEGRATION_VERCEL:
        apps = await getAppsVercel({
          integrationAuth,
-          accessToken,
+          accessToken
        });
        break;
      case INTEGRATION_NETLIFY:
        apps = await getAppsNetlify({
-          accessToken,
+          accessToken
        });
        break;
      case INTEGRATION_GITHUB:
        apps = await getAppsGithub({
-          accessToken,
+          accessToken
        });
        break;
      case INTEGRATION_RENDER:
        apps = await getAppsRender({
-          accessToken,
+          accessToken
        });
        break;
      case INTEGRATION_FLYIO:
        apps = await getAppsFlyio({
-          accessToken,
-        });
-        break;
-      case INTEGRATION_CIRCLECI:
-        apps = await getAppsCircleCI({
-          accessToken,
+          accessToken
        });
        break;
    }
  } catch (err) {
    Sentry.setUser(null);
    Sentry.captureException(err);
-    throw new Error("Failed to get integration apps");
+    throw new Error('Failed to get integration apps');
  }

  return apps;
@ -113,19 +94,19 @@ const getAppsHeroku = async ({ accessToken }: { accessToken: string }) => {
    const res = (
      await axios.get(`${INTEGRATION_HEROKU_API_URL}/apps`, {
        headers: {
-          Accept: "application/vnd.heroku+json; version=3",
-          Authorization: `Bearer ${accessToken}`,
-        },
+          Accept: 'application/vnd.heroku+json; version=3',
+          Authorization: `Bearer ${accessToken}`
+        }
      })
    ).data;

    apps = res.map((a: any) => ({
-      name: a.name,
+      name: a.name
    }));
  } catch (err) {
    Sentry.setUser(null);
    Sentry.captureException(err);
-    throw new Error("Failed to get Heroku integration apps");
+    throw new Error('Failed to get Heroku integration apps');
  }

  return apps;
@ -138,10 +119,10 @@ const getAppsHeroku = async ({ accessToken }: { accessToken: string }) => {
 * @returns {Object[]} apps - names of Vercel apps
 * @returns {String} apps.name - name of Vercel app
 */
-const getAppsVercel = async ({
+const getAppsVercel = async ({ 
  integrationAuth,
-  accessToken,
-}: {
+  accessToken 
+}: { 
  integrationAuth: IIntegrationAuth;
  accessToken: string;
 }) => {
@ -150,26 +131,23 @@ const getAppsVercel = async ({
    const res = (
      await axios.get(`${INTEGRATION_VERCEL_API_URL}/v9/projects`, {
        headers: {
-          Authorization: `Bearer ${accessToken}`,
-          'Accept-Encoding': 'application/json'
+          Authorization: `Bearer ${accessToken}`
        },
-        ...(integrationAuth?.teamId
-          ? {
-              params: {
-                teamId: integrationAuth.teamId,
-              },
-            }
-          : {}),
+       ...( integrationAuth?.teamId ? { 
+        params: {
+          teamId: integrationAuth.teamId
+        }
+      } : {}) 
      })
    ).data;
-
+    
    apps = res.projects.map((a: any) => ({
-      name: a.name,
+      name: a.name
    }));
  } catch (err) {
    Sentry.setUser(null);
    Sentry.captureException(err);
-    throw new Error("Failed to get Vercel integration apps");
+    throw new Error('Failed to get Vercel integration apps');
  }

  return apps;
@ -182,26 +160,29 @@ const getAppsVercel = async ({
 * @returns {Object[]} apps - names of Netlify sites
 * @returns {String} apps.name - name of Netlify site
 */
-const getAppsNetlify = async ({ accessToken }: { accessToken: string }) => {
+const getAppsNetlify = async ({
+  accessToken
+}: {
+  accessToken: string;
+}) => {
  let apps;
  try {
    const res = (
      await axios.get(`${INTEGRATION_NETLIFY_API_URL}/api/v1/sites`, {
        headers: {
-          Authorization: `Bearer ${accessToken}`,
-          'Accept-Encoding': 'application/json'
+          Authorization: `Bearer ${accessToken}`
        }
      })
    ).data;

    apps = res.map((a: any) => ({
      name: a.name,
-      appId: a.site_id,
+      appId: a.site_id
    }));
  } catch (err) {
    Sentry.setUser(null);
    Sentry.captureException(err);
-    throw new Error("Failed to get Netlify integration apps");
+    throw new Error('Failed to get Netlify integration apps');
  }

  return apps;
@ -214,32 +195,35 @@ const getAppsNetlify = async ({ accessToken }: { accessToken: string }) => {
 * @returns {Object[]} apps - names of Netlify sites
 * @returns {String} apps.name - name of Netlify site
 */
-const getAppsGithub = async ({ accessToken }: { accessToken: string }) => {
+const getAppsGithub = async ({
+  accessToken
+}: {
+  accessToken: string;
+}) => {
  let apps;
  try {
    const octokit = new Octokit({
-      auth: accessToken,
+      auth: accessToken
    });

-    const repos = (
-      await octokit.request(
-        "GET /user/repos{?visibility,affiliation,type,sort,direction,per_page,page,since,before}",
-        {
-          per_page: 100,
-        }
-      )
-    ).data;
+    const repos = (await octokit.request(
+      'GET /user/repos{?visibility,affiliation,type,sort,direction,per_page,page,since,before}',
+      {
+        per_page: 100
+      }
+    )).data;

    apps = repos
-      .filter((a: any) => a.permissions.admin === true)
+      .filter((a:any) => a.permissions.admin === true)
      .map((a: any) => ({
-        name: a.name,
-        owner: a.owner.login,
-      }));
+          name: a.name,
+          owner: a.owner.login
+        })
+      );
  } catch (err) {
    Sentry.setUser(null);
    Sentry.captureException(err);
-    throw new Error("Failed to get Github repos");
+    throw new Error('Failed to get Github repos');
  }

  return apps;
@ -253,16 +237,18 @@ const getAppsGithub = async ({ accessToken }: { accessToken: string }) => {
 * @returns {String} apps.name - name of Render service
 * @returns {String} apps.appId - id of Render service
 */
-const getAppsRender = async ({ accessToken }: { accessToken: string }) => {
+const getAppsRender = async ({
+  accessToken
+}: {
+  accessToken: string;
+}) => {
  let apps: any;
  try {
    const res = (
      await axios.get(`${INTEGRATION_RENDER_API_URL}/v1/services`, {
        headers: {
-          Authorization: `Bearer ${accessToken}`,
-          Accept: 'application/json',
-          'Accept-Encoding': 'application/json',
-        },
+          Authorization: `Bearer ${accessToken}`
+        }
      })
    ).data;
    
@ -271,15 +257,14 @@ const getAppsRender = async ({ accessToken }: { accessToken: string }) => {
        name: a.service.name,
        appId: a.service.id
      })); 
-    
  } catch (err) {
    Sentry.setUser(null);
    Sentry.captureException(err);
-    throw new Error("Failed to get Render services");
+    throw new Error('Failed to get Render services');
  }
-
+  
  return apps;
-};
+}

 /**
 * Return list of apps for Fly.io integration
@ -288,7 +273,11 @@ const getAppsRender = async ({ accessToken }: { accessToken: string }) => {
 * @returns {Object[]} apps - names and ids of Fly.io apps
 * @returns {String} apps.name - name of Fly.io apps
 */
-const getAppsFlyio = async ({ accessToken }: { accessToken: string }) => {
+const getAppsFlyio = async ({
+  accessToken
+}: {
+  accessToken: string;
+}) => {
  let apps;
  try {
    const query = `
@ -302,71 +291,32 @@ const getAppsFlyio = async ({ accessToken }: { accessToken: string }) => {
        }
      }
    `;
-
-    const res = (
-      await axios({
-        url: INTEGRATION_FLYIO_API_URL,
-        method: "post",
-        headers: {
-          Authorization: "Bearer " + accessToken,
-        'Accept': 'application/json',
-        'Accept-Encoding': 'application/json',
-        },
-        data: {
-          query,
-          variables: {
-            role: null,
-          },
-        },
-      })
-    ).data.data.apps.nodes;
-
-    apps = res.map((a: any) => ({
-      name: a.name,
-    }));
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error("Failed to get Fly.io apps");
-  }
-
-  return apps;
-};
-
-/**
- * Return list of projects for CircleCI integration
- * @param {Object} obj
- * @param {String} obj.accessToken - access token for CircleCI API
- * @returns {Object[]} apps -
- * @returns {String} apps.name - name of CircleCI apps
- */
-const getAppsCircleCI = async ({ accessToken }: { accessToken: string }) => {
-  let apps: any;
-  try {    
-    const res = (
-      await axios.get(
-        `${INTEGRATION_CIRCLECI_API_URL}/v1.1/projects`,
-        {
-          headers: {
-            "Circle-Token": accessToken,
-            "Accept-Encoding": "application/json",
-          },
+    
+    const res = (await axios({
+      url: INTEGRATION_FLYIO_API_URL,
+      method: 'post',
+      headers: {
+        'Authorization': 'Bearer ' + accessToken
+      },
+      data: {
+        query,
+        variables: {
+          role: null
        }
-      )
-    ).data
-
-    apps = res?.map((a: any) => {
-      return {
-        name: a?.reponame
      }
-    });
+    })).data.data.apps.nodes;
+    
+    apps = res
+      .map((a: any) => ({
+        name: a.name
+      })); 
  } catch (err) {
    Sentry.setUser(null);
    Sentry.captureException(err);
-    throw new Error("Failed to get CircleCI projects");
+    throw new Error('Failed to get Fly.io apps');
  }
  
  return apps;
-};
+}

 export { getApps };
--- a/backend/src/integrations/exchange.ts
+++ b/backend/src/integrations/exchange.ts
@ -1,12 +1,10 @@
 import axios from 'axios';
 import * as Sentry from '@sentry/node';
 import {
-  INTEGRATION_AZURE_KEY_VAULT,
  INTEGRATION_HEROKU,
  INTEGRATION_VERCEL,
  INTEGRATION_NETLIFY,
  INTEGRATION_GITHUB,
-  INTEGRATION_AZURE_TOKEN_URL,
  INTEGRATION_HEROKU_TOKEN_URL,
  INTEGRATION_VERCEL_TOKEN_URL,
  INTEGRATION_NETLIFY_TOKEN_URL,
@ -14,27 +12,15 @@ import {
 } from '../variables';
 import {
  SITE_URL,
-  CLIENT_ID_AZURE,
  CLIENT_ID_VERCEL,
  CLIENT_ID_NETLIFY,
  CLIENT_ID_GITHUB,
-  CLIENT_SECRET_AZURE,
  CLIENT_SECRET_HEROKU,
  CLIENT_SECRET_VERCEL,
  CLIENT_SECRET_NETLIFY,
  CLIENT_SECRET_GITHUB
 } from '../config';

-interface ExchangeCodeAzureResponse {
-  token_type: string;
-  scope: string;
-  expires_in: number;
-  ext_expires_in: number;
-  access_token: string;
-  refresh_token: string;
-  id_token: string;
-}
-
 interface ExchangeCodeHerokuResponse {
  token_type: string;
  access_token: string;
@ -89,11 +75,6 @@ const exchangeCode = async ({

  try {
    switch (integration) {
-      case INTEGRATION_AZURE_KEY_VAULT:
-        obj = await exchangeCodeAzure({
-          code
-        });
-        break;
      case INTEGRATION_HEROKU:
        obj = await exchangeCodeHeroku({
          code
@ -124,46 +105,6 @@ const exchangeCode = async ({
  return obj;
 };

-/**
- * Return [accessToken] for Azure OAuth2 code-token exchange
- * @param param0 
- */
-const exchangeCodeAzure = async ({
-  code
-}: {
-  code: string;
-}) => {
-  const accessExpiresAt = new Date();
-  let res: ExchangeCodeAzureResponse;
-  try {
-    res = (await axios.post(
-      INTEGRATION_AZURE_TOKEN_URL,
-      new URLSearchParams({
-        grant_type: 'authorization_code',
-        code: code,
-        scope: 'https://vault.azure.net/.default openid offline_access',
-        client_id: CLIENT_ID_AZURE,
-        client_secret: CLIENT_SECRET_AZURE,
-        redirect_uri: `${SITE_URL}/integrations/azure-key-vault/oauth2/callback`
-      } as any)
-    )).data;
-
-    accessExpiresAt.setSeconds(
-      accessExpiresAt.getSeconds() + res.expires_in
-    );
-  } catch (err: any) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error('Failed OAuth2 code-token exchange with Azure');
-  }
-
-  return ({
-    accessToken: res.access_token,
-    refreshToken: res.refresh_token,
-    accessExpiresAt
-  });
-}
-
 /**
 * Return [accessToken], [accessExpiresAt], and [refreshToken] for Heroku
 * OAuth2 code-token exchange
@ -175,36 +116,36 @@ const exchangeCodeAzure = async ({
 * @returns {Date} obj2.accessExpiresAt - date of expiration for access token
 */
 const exchangeCodeHeroku = async ({
-  code
+    code
 }: {
-  code: string;
+    code: string;
 }) => {
-  let res: ExchangeCodeHerokuResponse;
-  const accessExpiresAt = new Date();
-  try {
-    res = (await axios.post(
-      INTEGRATION_HEROKU_TOKEN_URL,
-      new URLSearchParams({
-        grant_type: 'authorization_code',
-        code: code,
-        client_secret: CLIENT_SECRET_HEROKU
-      } as any)
-    )).data;
-
-    accessExpiresAt.setSeconds(
-      accessExpiresAt.getSeconds() + res.expires_in
-    );
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error('Failed OAuth2 code-token exchange with Heroku');
-  }
-
-  return ({
-    accessToken: res.access_token,
-    refreshToken: res.refresh_token,
-    accessExpiresAt
-  });
+    let res: ExchangeCodeHerokuResponse;
+    const accessExpiresAt = new Date();
+    try {
+        res = (await axios.post(
+            INTEGRATION_HEROKU_TOKEN_URL,
+            new URLSearchParams({
+				grant_type: 'authorization_code',
+				code: code,
+				client_secret: CLIENT_SECRET_HEROKU
+			} as any)
+        )).data;
+        
+        accessExpiresAt.setSeconds(
+            accessExpiresAt.getSeconds() + res.expires_in
+        );
+    } catch (err) {
+        Sentry.setUser(null);
+        Sentry.captureException(err);
+        throw new Error('Failed OAuth2 code-token exchange with Heroku');
+    }
+    
+    return ({
+        accessToken: res.access_token,
+        refreshToken: res.refresh_token,
+        accessExpiresAt
+    });
 }

 /**
@ -227,14 +168,14 @@ const exchangeCodeVercel = async ({ code }: { code: string }) => {
          code: code,
          client_id: CLIENT_ID_VERCEL,
          client_secret: CLIENT_SECRET_VERCEL,
-          redirect_uri: `${SITE_URL}/integrations/vercel/oauth2/callback`
+          redirect_uri: `${SITE_URL}/vercel`
        } as any)
      )
    ).data;
  } catch (err) {
    Sentry.setUser(null);
    Sentry.captureException(err);
-    throw new Error(`Failed OAuth2 code-token exchange with Vercel [err=${err}]`);
+    throw new Error('Failed OAuth2 code-token exchange with Vercel');
  }

  return {
@ -267,7 +208,7 @@ const exchangeCodeNetlify = async ({ code }: { code: string }) => {
          code: code,
          client_id: CLIENT_ID_NETLIFY,
          client_secret: CLIENT_SECRET_NETLIFY,
-          redirect_uri: `${SITE_URL}/integrations/netlify/oauth2/callback`
+          redirect_uri: `${SITE_URL}/netlify`
        } as any)
      )
    ).data;
@ -319,11 +260,10 @@ const exchangeCodeGithub = async ({ code }: { code: string }) => {
          client_id: CLIENT_ID_GITHUB,
          client_secret: CLIENT_SECRET_GITHUB,
          code: code,
-          redirect_uri: `${SITE_URL}/integrations/github/oauth2/callback`
+          redirect_uri: `${SITE_URL}/github`
        },
        headers: {
-          'Accept': 'application/json',
-          'Accept-Encoding': 'application/json'
+          Accept: 'application/json'
        }
      })
    ).data;
--- a/backend/src/integrations/refresh.ts
+++ b/backend/src/integrations/refresh.ts
@ -1,26 +1,13 @@
 import axios from 'axios';
 import * as Sentry from '@sentry/node';
-import { INTEGRATION_AZURE_KEY_VAULT, INTEGRATION_HEROKU } from '../variables';
+import { INTEGRATION_HEROKU } from '../variables';
 import {
-  SITE_URL,
-  CLIENT_ID_AZURE,
-  CLIENT_SECRET_AZURE,
-  CLIENT_SECRET_HEROKU
+    CLIENT_SECRET_HEROKU
 } from '../config';
 import {
-  INTEGRATION_AZURE_TOKEN_URL,
-  INTEGRATION_HEROKU_TOKEN_URL
+    INTEGRATION_HEROKU_TOKEN_URL
 } from '../variables';

-interface RefreshTokenAzureResponse {
-  token_type: string;
-  scope: string;
-  expires_in: number;
-  ext_expires_in: 4871;
-  access_token: string;
-  refresh_token: string;
-}
-
 /**
 * Return new access token by exchanging refresh token [refreshToken] for integration
 * named [integration]
@ -38,11 +25,6 @@ const exchangeRefresh = async ({
  let accessToken;
  try {
    switch (integration) {
-      case INTEGRATION_AZURE_KEY_VAULT:
-        accessToken = await exchangeRefreshAzure({
-          refreshToken
-        });
-        break;
      case INTEGRATION_HEROKU:
        accessToken = await exchangeRefreshHeroku({
          refreshToken
@ -58,38 +40,6 @@ const exchangeRefresh = async ({
  return accessToken;
 };

-/**
- * Return new access token by exchanging refresh token [refreshToken] for the
- * Azure integration
- * @param {Object} obj
- * @param {String} obj.refreshToken - refresh token to use to get new access token for Azure
- * @returns
- */
-const exchangeRefreshAzure = async ({
-  refreshToken
-}: {
-  refreshToken: string;
-}) => {
-  try {
-    const res: RefreshTokenAzureResponse = (await axios.post(
-      INTEGRATION_AZURE_TOKEN_URL,
-       new URLSearchParams({
-        client_id: CLIENT_ID_AZURE,
-        scope: 'openid offline_access',
-        refresh_token: refreshToken,
-        grant_type: 'refresh_token',
-        client_secret: CLIENT_SECRET_AZURE
-      } as any)
-    )).data;
-    
-    return res.access_token;
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error('Failed to get refresh OAuth2 access token for Azure'); 
-  }
-}
-
 /**
 * Return new access token by exchanging refresh token [refreshToken] for the
 * Heroku integration
@ -102,23 +52,23 @@ const exchangeRefreshHeroku = async ({
 }: {
  refreshToken: string;
 }) => {
-  
-  let accessToken;
-  try {
-    const res = await axios.post(
-        INTEGRATION_HEROKU_TOKEN_URL,
-        new URLSearchParams({
-            grant_type: 'refresh_token',
-            refresh_token: refreshToken,
-            client_secret: CLIENT_SECRET_HEROKU
-        } as any)
-    );
+    let accessToken;
+	//TODO: Refactor code to take advantage of using RequestError. It's possible to create new types of errors for more detailed errors
+    try {
+        const res = await axios.post(
+            INTEGRATION_HEROKU_TOKEN_URL,
+            new URLSearchParams({
+                grant_type: 'refresh_token',
+                refresh_token: refreshToken,
+                client_secret: CLIENT_SECRET_HEROKU
+            } as any)
+        );

    accessToken = res.data.access_token;
  } catch (err) {
    Sentry.setUser(null);
    Sentry.captureException(err);
-    throw new Error('Failed to refresh OAuth2 access token for Heroku');
+    throw new Error('Failed to get new OAuth2 access token for Heroku');
  }

  return accessToken;
--- a/backend/src/integrations/sync.ts
+++ b/backend/src/integrations/sync.ts
--- a/backend/src/middleware/index.ts
+++ b/backend/src/middleware/index.ts
@ -1,5 +1,4 @@
 import requireAuth from './requireAuth';
-import requireMfaAuth from './requireMfaAuth';
 import requireBotAuth from './requireBotAuth';
 import requireSignupAuth from './requireSignupAuth';
 import requireWorkspaceAuth from './requireWorkspaceAuth';
@ -16,7 +15,6 @@ import validateRequest from './validateRequest';

 export {
 	requireAuth,
-	requireMfaAuth,
 	requireBotAuth,
 	requireSignupAuth,
 	requireWorkspaceAuth,
--- a/backend/src/middleware/requestErrorHandler.ts
+++ b/backend/src/middleware/requestErrorHandler.ts
@ -1,12 +1,11 @@
 import { ErrorRequestHandler } from "express";

 import * as Sentry from '@sentry/node';
-import { InternalServerError, UnauthorizedRequestError } from "../utils/errors";
+import { InternalServerError } from "../utils/errors";
 import { getLogger } from "../utils/logger";
 import RequestError, { LogLevel } from "../utils/requestError";
 import { NODE_ENV } from "../config";

-import { TokenExpiredError } from 'jsonwebtoken';

 export const requestErrorHandler: ErrorRequestHandler = (error: RequestError | Error, req, res, next) => {
    if (res.headersSent) return next();
--- a/backend/src/middleware/requireIntegrationAuthorizationAuth.ts
+++ b/backend/src/middleware/requireIntegrationAuthorizationAuth.ts
@ -45,10 +45,9 @@ const requireIntegrationAuthorizationAuth = ({

 		req.integrationAuth = integrationAuth;
 		if (attachAccessToken) {
-			const access = await IntegrationService.getIntegrationAuthAccess({
+			req.accessToken = await IntegrationService.getIntegrationAuthAccess({
 				integrationAuthId: integrationAuth._id.toString()
 			});
-			req.accessToken = access.accessToken;
 		}
 		
 		return next();
--- a/backend/src/middleware/requireMfaAuth.ts
+++ b/backend/src/middleware/requireMfaAuth.ts
@ -1,43 +0,0 @@
-import jwt from 'jsonwebtoken';
-import { Request, Response, NextFunction } from 'express';
-import { User } from '../models';
-import { JWT_MFA_SECRET } from '../config';
-import { BadRequestError, UnauthorizedRequestError } from '../utils/errors';
-
-declare module 'jsonwebtoken' {
-	export interface UserIDJwtPayload extends jwt.JwtPayload {
-		userId: string;
-	}
-}
-
-/**
- * Validate if (MFA) JWT temporary token on request is valid (e.g. not expired)
- * and if there is an associated user.
- */
-const requireMfaAuth = async (
-	req: Request,
-	res: Response,
-	next: NextFunction
-) => {
-	// JWT (temporary) authentication middleware for complete signup
-	const [ AUTH_TOKEN_TYPE, AUTH_TOKEN_VALUE ] = <[string, string]>req.headers['authorization']?.split(' ', 2) ?? [null, null]
-	if(AUTH_TOKEN_TYPE === null) return next(BadRequestError({message: `Missing Authorization Header in the request header.`}))
-	if(AUTH_TOKEN_TYPE.toLowerCase() !== 'bearer') return next(BadRequestError({message: `The provided authentication type '${AUTH_TOKEN_TYPE}' is not supported.`}))
-	if(AUTH_TOKEN_VALUE === null) return next(BadRequestError({message: 'Missing Authorization Body in the request header'}))
-	
-	const decodedToken = <jwt.UserIDJwtPayload>(
-		jwt.verify(AUTH_TOKEN_VALUE, JWT_MFA_SECRET)
-	);
-
-	const user = await User.findOne({
-		_id: decodedToken.userId
-	}).select('+publicKey');
-
-	if (!user)
-		return next(UnauthorizedRequestError({message: 'Unable to authenticate for User account completion. Try logging in again'}))
-
-	req.user = user;
-	return next();
-};
-
-export default requireMfaAuth;
--- a/backend/src/models/index.ts
+++ b/backend/src/models/index.ts
@ -10,13 +10,12 @@ import MembershipOrg, { IMembershipOrg } from './membershipOrg';
 import Organization, { IOrganization } from './organization';
 import Secret, { ISecret } from './secret';
 import ServiceToken, { IServiceToken } from './serviceToken';
-import TokenData, { ITokenData } from './tokenData';
+import Token, { IToken } from './token';
 import User, { IUser } from './user';
 import UserAction, { IUserAction } from './userAction';
 import Workspace, { IWorkspace } from './workspace';
 import ServiceTokenData, { IServiceTokenData } from './serviceTokenData';
 import APIKeyData, { IAPIKeyData } from './apiKeyData';
-import LoginSRPDetail, { ILoginSRPDetail } from './loginSRPDetail';

 export {
 	BackupPrivateKey,
@ -43,8 +42,8 @@ export {
 	ISecret,
 	ServiceToken,
 	IServiceToken,
-	TokenData,
-	ITokenData,
+	Token,
+	IToken,
 	User,
 	IUser,
 	UserAction,
@ -54,7 +53,5 @@ export {
 	ServiceTokenData,
 	IServiceTokenData,
 	APIKeyData,
-	IAPIKeyData,
-	LoginSRPDetail,
-	ILoginSRPDetail
+	IAPIKeyData
 };
--- a/backend/src/models/integration.ts
+++ b/backend/src/models/integration.ts
@ -1,16 +1,12 @@
-import { Schema, model, Types } from "mongoose";
+import { Schema, model, Types } from 'mongoose';
 import {
-  INTEGRATION_AZURE_KEY_VAULT,
-  INTEGRATION_AWS_PARAMETER_STORE,
-  INTEGRATION_AWS_SECRET_MANAGER,
  INTEGRATION_HEROKU,
  INTEGRATION_VERCEL,
  INTEGRATION_NETLIFY,
  INTEGRATION_GITHUB,
  INTEGRATION_RENDER,
-  INTEGRATION_FLYIO,
-  INTEGRATION_CIRCLECI,
-} from "../variables";
+  INTEGRATION_FLYIO
+} from '../variables';

 export interface IIntegration {
  _id: Types.ObjectId;
@ -21,96 +17,68 @@ export interface IIntegration {
  owner: string;
  targetEnvironment: string;
  appId: string;
-  path: string;
-  region: string;
-  integration:
-    | 'azure-key-vault' 
-    | 'aws-parameter-store'
-    | 'aws-secret-manager'
-    | 'heroku' 
-    | 'vercel' 
-    | 'netlify' 
-    | 'github' 
-    | 'render' 
-    | 'flyio'
-    | 'circleci';
+  integration: 'heroku' | 'vercel' | 'netlify' | 'github' | 'render' | 'flyio';
  integrationAuth: Types.ObjectId;
 }

 const integrationSchema = new Schema<IIntegration>(
  {
    workspace: {
-      type: Schema.Types.ObjectId,
-      ref: "Workspace",
-      required: true,
+        type: Schema.Types.ObjectId,
+        ref: 'Workspace',
+        required: true
    },
    environment: {
      type: String,
-      required: true,
+      required: true
    },
    isActive: {
      type: Boolean,
-      required: true,
+      required: true
    },
    app: {
      // name of app in provider
      type: String,
-      default: null,
+      default: null
    },
-    appId: {
-      // (new)
+    appId: { // (new)
      // id of app in provider
      type: String,
-      default: null,
-    },
-    targetEnvironment: {
-      // (new)
-      // target environment
-      type: String,
-      default: null,
-    },
-    owner: {
-      // github-specific repo owner-login
-      type: String,
-      default: null,
-    },
-    path: {
-      // aws-parameter-store-specific path
-      type: String,
      default: null
    },
-    region: {
-      // aws-parameter-store-specific path
+    targetEnvironment: { // (new)
+      // target environment 
+      type: String,
+      default: null
+    },
+    owner: {
+      // github-specific repo owner-login
      type: String,
      default: null
    },
    integration: {
      type: String,
      enum: [
-        INTEGRATION_AZURE_KEY_VAULT,
-        INTEGRATION_AWS_PARAMETER_STORE,
-        INTEGRATION_AWS_SECRET_MANAGER,
        INTEGRATION_HEROKU,
        INTEGRATION_VERCEL,
        INTEGRATION_NETLIFY,
        INTEGRATION_GITHUB,
        INTEGRATION_RENDER,
-        INTEGRATION_FLYIO,
-        INTEGRATION_CIRCLECI,
+        INTEGRATION_FLYIO
      ],
-      required: true,
+      required: true
    },
    integrationAuth: {
      type: Schema.Types.ObjectId,
-      ref: "IntegrationAuth",
-      required: true,
-    },
+      ref: 'IntegrationAuth',
+      required: true
+    }
  },
  {
-    timestamps: true,
+    timestamps: true
  }
 );

-const Integration = model<IIntegration>("Integration", integrationSchema);
+const Integration = model<IIntegration>('Integration', integrationSchema);

 export default Integration;
--- a/backend/src/models/integrationAuth.ts
+++ b/backend/src/models/integrationAuth.ts
@ -1,29 +1,20 @@
-import { Schema, model, Types } from "mongoose";
+import { Schema, model, Types } from 'mongoose';
 import {
-  INTEGRATION_AZURE_KEY_VAULT,
-  INTEGRATION_AWS_PARAMETER_STORE,
-  INTEGRATION_AWS_SECRET_MANAGER,
  INTEGRATION_HEROKU,
  INTEGRATION_VERCEL,
  INTEGRATION_NETLIFY,
-  INTEGRATION_GITHUB,
-  INTEGRATION_RENDER,
-  INTEGRATION_FLYIO,
-  INTEGRATION_CIRCLECI,
-} from "../variables";
+  INTEGRATION_GITHUB
+} from '../variables';

 export interface IIntegrationAuth {
  _id: Types.ObjectId;
  workspace: Types.ObjectId;
-  integration: 'heroku' | 'vercel' | 'netlify' | 'github' | 'render' | 'flyio' | 'azure-key-vault' | 'circleci' | 'aws-parameter-store' | 'aws-secret-manager';
+  integration: 'heroku' | 'vercel' | 'netlify' | 'github' | 'render' | 'flyio';
  teamId: string;
  accountId: string;
  refreshCiphertext?: string;
  refreshIV?: string;
  refreshTag?: string;
-  accessIdCiphertext?: string; // new
-  accessIdIV?: string; // new
-  accessIdTag?: string; // new
  accessCiphertext?: string;
  accessIV?: string;
  accessTag?: string;
@ -33,82 +24,64 @@ export interface IIntegrationAuth {
 const integrationAuthSchema = new Schema<IIntegrationAuth>(
  {
    workspace: {
-      type: Schema.Types.ObjectId,
-      ref: "Workspace",
-      required: true,
+        type: Schema.Types.ObjectId,
+        ref: 'Workspace',
+        required: true
    },
    integration: {
      type: String,
      enum: [
-        INTEGRATION_AZURE_KEY_VAULT,
-        INTEGRATION_AWS_PARAMETER_STORE,
-        INTEGRATION_AWS_SECRET_MANAGER,
        INTEGRATION_HEROKU,
        INTEGRATION_VERCEL,
        INTEGRATION_NETLIFY,
-        INTEGRATION_GITHUB,
-        INTEGRATION_RENDER,
-        INTEGRATION_FLYIO,
-        INTEGRATION_CIRCLECI,
+        INTEGRATION_GITHUB
      ],
-      required: true,
+      required: true
    },
    teamId: {
      // vercel-specific integration param
-      type: String,
+      type: String
    },
    accountId: {
      // netlify-specific integration param
-      type: String,
+      type: String
    },
    refreshCiphertext: {
      type: String,
-      select: false,
+      select: false
    },
    refreshIV: {
      type: String,
-      select: false,
+      select: false
    },
    refreshTag: {
-      type: String,
-      select: false,
-    },
-    accessIdCiphertext: {
-      type: String,
-      select: false
-    },
-    accessIdIV: {
-      type: String,
-      select: false
-    },
-    accessIdTag: {
      type: String,
      select: false
    },
    accessCiphertext: {
      type: String,
-      select: false,
+      select: false
    },
    accessIV: {
      type: String,
-      select: false,
+      select: false
    },
    accessTag: {
      type: String,
-      select: false,
+      select: false
    },
    accessExpiresAt: {
      type: Date,
-      select: false,
-    },
+      select: false
+    }
  },
  {
-    timestamps: true,
+    timestamps: true
  }
 );

 const IntegrationAuth = model<IIntegrationAuth>(
-  "IntegrationAuth",
+  'IntegrationAuth',
  integrationAuthSchema
 );

--- a/backend/src/models/loginSRPDetail.ts
+++ b/backend/src/models/loginSRPDetail.ts
@ -1,29 +0,0 @@
-import mongoose, { Schema, model, Types } from 'mongoose';
-
-export interface ILoginSRPDetail {
-	_id: Types.ObjectId;
-	clientPublicKey: string;
-	email: string;
-	serverBInt: mongoose.Schema.Types.Buffer;
-	expireAt: Date;
-}
-
-const loginSRPDetailSchema = new Schema<ILoginSRPDetail>(
-	{
-		clientPublicKey: {
-			type: String,
-			required: true
-		},
-		email: {
-			type: String,
-			required: true,
-			unique: true
-		},
-		serverBInt: { type: mongoose.Schema.Types.Buffer },
-		expireAt: { type: Date }
-	}
-);
-
-const LoginSRPDetail = model('LoginSRPDetail', loginSRPDetailSchema);
-
-export default LoginSRPDetail;
--- a/backend/src/models/secret.ts
+++ b/backend/src/models/secret.ts
@ -23,7 +23,6 @@ export interface ISecret {
 	secretCommentIV?: string;
 	secretCommentTag?: string;
 	secretCommentHash?: string;
-	tags?: string[];
 }

 const secretSchema = new Schema<ISecret>(
@ -48,11 +47,6 @@ const secretSchema = new Schema<ISecret>(
 			type: Schema.Types.ObjectId,
 			ref: 'User'
 		},
-		tags: {
-			ref: 'Tag',
-			type: [Schema.Types.ObjectId],
-			default: []
-		},
 		environment: {
 			type: String,
 			required: true
@ -109,9 +103,6 @@ const secretSchema = new Schema<ISecret>(
 	}
 );

-
-secretSchema.index({ tags: 1 }, { background: true })
-
 const Secret = model<ISecret>('Secret', secretSchema);

 export default Secret;
--- a/backend/src/models/secretApprovalRequest.ts
+++ b/backend/src/models/secretApprovalRequest.ts
@ -1,83 +0,0 @@
-import mongoose, { Schema, model } from 'mongoose';
-import Secret, { ISecret } from './secret';
-
-interface ISecretApprovalRequest {
-	secret: mongoose.Types.ObjectId;
-	requestedChanges: ISecret;
-	requestedBy: mongoose.Types.ObjectId;
-	approvers: IApprover[];
-	status: ApprovalStatus;
-	timestamp: Date;
-	requestType: RequestType;
-	requestId: string;
-}
-
-interface IApprover {
-	userId: mongoose.Types.ObjectId;
-	status: ApprovalStatus;
-}
-
-export enum ApprovalStatus {
-	PENDING = 'pending',
-	APPROVED = 'approved',
-	REJECTED = 'rejected'
-}
-
-export enum RequestType {
-	UPDATE = 'update',
-	DELETE = 'delete',
-	CREATE = 'create'
-}
-
-const approverSchema = new mongoose.Schema({
-	user: {
-		type: mongoose.Schema.Types.ObjectId,
-		ref: 'User',
-		required: true
-	},
-	status: {
-		type: String,
-		enum: [ApprovalStatus],
-		default: ApprovalStatus.PENDING
-	}
-});
-
-const secretApprovalRequestSchema = new Schema<ISecretApprovalRequest>(
-	{
-		secret: {
-			type: mongoose.Schema.Types.ObjectId,
-			ref: 'Secret'
-		},
-		requestedChanges: Secret,
-		requestedBy: {
-			type: mongoose.Schema.Types.ObjectId,
-			ref: 'User'
-		},
-		approvers: [approverSchema],
-		status: {
-			type: String,
-			enum: ApprovalStatus,
-			default: ApprovalStatus.PENDING
-		},
-		timestamp: {
-			type: Date,
-			default: Date.now
-		},
-		requestType: {
-			type: String,
-			enum: RequestType,
-			required: true
-		},
-		requestId: {
-			type: String,
-			required: false
-		}
-	},
-	{
-		timestamps: true
-	}
-);
-
-const SecretApprovalRequest = model<ISecretApprovalRequest>('SecretApprovalRequest', secretApprovalRequestSchema);
-
-export default SecretApprovalRequest;
--- a/backend/src/models/tag.ts
+++ b/backend/src/models/tag.ts
@ -1,49 +0,0 @@
-import { Schema, model, Types } from 'mongoose';
-
-export interface ITag {
-	_id: Types.ObjectId;
-	name: string;
-	slug: string;
-	user: Types.ObjectId;
-	workspace: Types.ObjectId;
-}
-
-const tagSchema = new Schema<ITag>(
-	{
-		name: {
-			type: String,
-			required: true,
-			trim: true,
-		},
-		slug: {
-			type: String,
-			required: true,
-			trim: true,
-			lowercase: true,
-			validate: [
-				function (value: any) {
-					return value.indexOf(' ') === -1;
-				},
-				'slug cannot contain spaces'
-			]
-		},
-		user: {
-			type: Schema.Types.ObjectId,
-			ref: 'User'
-		},
-		workspace: {
-			type: Schema.Types.ObjectId,
-			ref: 'Workspace'
-		},
-	},
-	{
-		timestamps: true
-	}
-);
-
-tagSchema.index({ slug: 1, workspace: 1 }, { unique: true })
-tagSchema.index({ workspace: 1 })
-
-const Tag = model<ITag>('Tag', tagSchema);
-
-export default Tag;
--- a/backend/src/models/token.ts
+++ b/backend/src/models/token.ts
@ -5,7 +5,6 @@ export interface IToken {
  email: string;
  token: string;
  createdAt: Date;
-  ttl: number;
 }

 const tokenSchema = new Schema<IToken>({
@ -20,13 +19,14 @@ const tokenSchema = new Schema<IToken>({
  createdAt: {
    type: Date,
    default: Date.now
-  },
-  ttl: {
-    type: Number,
  }
 });

-tokenSchema.index({ email: 1 });
+tokenSchema.index({ 
+  createdAt: 1 
+}, { 
+  expireAfterSeconds: parseInt(EMAIL_TOKEN_LIFETIME) 
+});

 const Token = model<IToken>('Token', tokenSchema);

--- a/backend/src/models/tokenData.ts
+++ b/backend/src/models/tokenData.ts
@ -1,61 +0,0 @@
-import { Schema, Types, model } from 'mongoose';
-
-export interface ITokenData {
-  type: string;
-  email?: string;
-  phoneNumber?: string;
-  organization?: Types.ObjectId;
-  tokenHash: string;
-  triesLeft?: number;
-  expiresAt: Date;
-  createdAt: Date;
-  updatedAt: Date;
-}
-
-const tokenDataSchema = new Schema<ITokenData>({
-  type: {
-    type: String,
-    enum: [
-      'emailConfirmation', 
-      'emailMfa', 
-      'organizationInvitation', 
-      'passwordReset'
-    ],
-    required: true
-  },
-  email: {
-    type: String
-  },
-  phoneNumber: {
-    type: String
-  },
-  organization: { // organizationInvitation-specific field
-    type: Schema.Types.ObjectId,
-    ref: 'Organization'
-  },
-  tokenHash: {
-    type: String,
-    select: false,
-    required: true
-  },
-  triesLeft: {
-    type: Number
-  },
-  expiresAt: {
-    type: Date,
-    expires: 0,
-    required: true
-  }
-}, {
-  timestamps: true
-});
-
-tokenDataSchema.index({
-  expiresAt: 1
-}, {
-  expireAfterSeconds: 0
-});
-
-const TokenData = model<ITokenData>('TokenData', tokenDataSchema);
-
-export default TokenData;
--- a/backend/src/models/user.ts
+++ b/backend/src/models/user.ts
@ -1,14 +1,10 @@
-import { Schema, model, Types, Document } from 'mongoose';
+import { Schema, model, Types } from 'mongoose';

-export interface IUser extends Document {
+export interface IUser {
 	_id: Types.ObjectId;
 	email: string;
 	firstName?: string;
 	lastName?: string;
-	encryptionVersion: number;
-	protectedKey: string;
-	protectedKeyIV: string;
-	protectedKeyTag: string;
 	publicKey?: string;
 	encryptedPrivateKey?: string;
 	iv?: string;
@ -16,12 +12,6 @@ export interface IUser extends Document {
 	salt?: string;
 	verifier?: string;
 	refreshVersion?: number;
-	isMfaEnabled: boolean;
-	mfaMethods: boolean;
-	devices: {
-		ip: string;
-		userAgent: string;
-	}[];
 }

 const userSchema = new Schema<IUser>(
@ -36,23 +26,6 @@ const userSchema = new Schema<IUser>(
 		lastName: {
 			type: String
 		},
-		encryptionVersion: {
-			type: Number,
-			select: false,
-			default: 1 // to resolve backward-compatibility issues
-		},
-		protectedKey: { // introduced as part of encryption version 2
-			type: String,
-			select: false
-		},
-		protectedKeyIV: { // introduced as part of encryption version 2
-			type: String,
-			select: false
-		},
-		protectedKeyTag: { // introduced as part of encryption version 2
-			type: String,
-			select: false
-		},
 		publicKey: {
 			type: String,
 			select: false
@ -61,11 +34,11 @@ const userSchema = new Schema<IUser>(
 			type: String,
 			select: false
 		},
-		iv: { // iv of [encryptedPrivateKey]
+		iv: {
 			type: String,
 			select: false
 		},
-		tag: { // tag of [encryptedPrivateKey]
+		tag: {
 			type: String,
 			select: false
 		},
@ -81,22 +54,8 @@ const userSchema = new Schema<IUser>(
 			type: Number,
 			default: 0,
 			select: false
-		},
-		isMfaEnabled: {
-			type: Boolean,
-			default: false
-		},
-		mfaMethods: [{
-			type: String
-		}],
-		devices: {
-			type: [{
-				ip: String,
-				userAgent: String
-			}],
-			default: []
 		}
-	}, 
+	},
 	{
 		timestamps: true
 	}
--- a/backend/src/models/workspace.ts
+++ b/backend/src/models/workspace.ts
@ -8,7 +8,6 @@ export interface IWorkspace {
 		name: string;
 		slug: string;
 	}>;
-	autoCapitalization: boolean;
 }

 const workspaceSchema = new Schema<IWorkspace>({
@ -16,10 +15,6 @@ const workspaceSchema = new Schema<IWorkspace>({
 		type: String,
 		required: true
 	},
-	autoCapitalization: {
-		type: Boolean,
-		default: true,
-	},
 	organization: {
 		type: Schema.Types.ObjectId,
 		ref: 'Organization',
--- a/backend/src/routes/v1/auth.ts
+++ b/backend/src/routes/v1/auth.ts
@ -7,7 +7,7 @@ import { authLimiter } from '../../helpers/rateLimiter';

 router.post('/token', validateRequest, authController.getNewToken);

-router.post( // deprecated (moved to api/v2/auth/login1)
+router.post(
  '/login1',
  authLimiter,
  body('email').exists().trim().notEmpty(),
@ -16,7 +16,7 @@ router.post( // deprecated (moved to api/v2/auth/login1)
  authController.login1
 );

-router.post( // deprecated (moved to api/v2/auth/login2)
+router.post(
  '/login2',
  authLimiter,
  body('email').exists().trim().notEmpty(),
--- a/backend/src/routes/v1/bot.ts
+++ b/backend/src/routes/v1/bot.ts
@ -31,7 +31,7 @@ router.patch(
    requireBotAuth({
 		acceptedRoles: [ADMIN, MEMBER]
    }),
-    body('isActive').exists().isBoolean(),
+    body('isActive').isBoolean(),
    body('botKey'),
    validateRequest,
    botController.setBotActiveState
--- a/backend/src/routes/v1/integration.ts
+++ b/backend/src/routes/v1/integration.ts
@ -10,7 +10,7 @@ import { ADMIN, MEMBER } from '../../variables';
 import { body, param } from 'express-validator';
 import { integrationController } from '../../controllers/v1';

-router.post( // new: add new integration for integration auth
+router.post( // new: add new integration
 	'/',
 	requireAuth({
        acceptedAuthModes: ['jwt', 'apiKey']
@ -19,15 +19,7 @@ router.post( // new: add new integration for integration auth
 		acceptedRoles: [ADMIN, MEMBER],
 		location: 'body'
 	}),
-	body('integrationAuthId').exists().isString().trim(),
-	body('app').trim(),
-	body('isActive').exists().isBoolean(),
-	body('appId').trim(),
-	body('sourceEnvironment').trim(),
-	body('targetEnvironment').trim(),
-	body('owner').trim(),
-	body('path').trim(),
-	body('region').trim(),
+	body('integrationAuthId').exists().trim(),
 	validateRequest,
 	integrationController.createIntegration
 );
--- a/backend/src/routes/v1/integrationAuth.ts
+++ b/backend/src/routes/v1/integrationAuth.ts
@ -18,19 +18,6 @@ router.get(
 	integrationAuthController.getIntegrationOptions
 );

-router.get(
-	'/:integrationAuthId',
-	requireAuth({
-        acceptedAuthModes: ['jwt']
-    }),
-	requireIntegrationAuthorizationAuth({
-		acceptedRoles: [ADMIN, MEMBER]
-	}),
-	param('integrationAuthId'),
-	validateRequest,
-	integrationAuthController.getIntegrationAuth	
-);
-
 router.post(
 	'/oauth-token',
 	requireAuth({
@ -57,7 +44,6 @@ router.post(
 		location: 'body'
 	}),
 	body('workspaceId').exists().trim().notEmpty(),
-	body('accessId').trim(),
 	body('accessToken').exists().trim().notEmpty(),
 	body('integration').exists().trim().notEmpty(),
 	validateRequest,
--- a/backend/src/routes/v1/organization.ts
+++ b/backend/src/routes/v1/organization.ts
@ -156,19 +156,4 @@ router.get(
 	organizationController.getOrganizationSubscriptions
 );

-router.get(
-	'/:organizationId/workspace-memberships',
-	requireAuth({
-		acceptedAuthModes: ['jwt']
-	}),
-	requireOrganizationAuth({
-		acceptedRoles: [OWNER, ADMIN, MEMBER],
-		acceptedStatuses: [ACCEPTED]
-	}),
-	param('organizationId').exists().trim(),
-	validateRequest,
-	organizationController.getOrganizationMembersAndTheirWorkspaces
-);
-
-
 export default router;
--- a/backend/src/routes/v1/password.ts
+++ b/backend/src/routes/v1/password.ts
@ -10,7 +10,7 @@ router.post(
 	requireAuth({
 		acceptedAuthModes: ['jwt']
 	}),
-	body('clientPublicKey').exists().isString().trim().notEmpty(),
+	body('clientPublicKey').exists().trim().notEmpty(),
 	validateRequest,
 	passwordController.srp1
 );
@ -22,14 +22,11 @@ router.post(
 		acceptedAuthModes: ['jwt']
 	}),
 	body('clientProof').exists().trim().notEmpty(),
-	body('protectedKey').exists().isString().trim().notEmpty(),
-	body('protectedKeyIV').exists().isString().trim().notEmpty(),
-	body('protectedKeyTag').exists().isString().trim().notEmpty(),
-	body('encryptedPrivateKey').exists().isString().trim().notEmpty(), // private key encrypted under new pwd
-	body('encryptedPrivateKeyIV').exists().isString().trim().notEmpty(), // new iv for private key
-	body('encryptedPrivateKeyTag').exists().isString().trim().notEmpty(), // new tag for private key
-	body('salt').exists().isString().trim().notEmpty(), // part of new pwd
-	body('verifier').exists().isString().trim().notEmpty(), // part of new pwd
+	body('encryptedPrivateKey').exists().trim().notEmpty().notEmpty(), // private key encrypted under new pwd
+	body('iv').exists().trim().notEmpty(), // new iv for private key
+	body('tag').exists().trim().notEmpty(), // new tag for private key
+	body('salt').exists().trim().notEmpty(), // part of new pwd
+	body('verifier').exists().trim().notEmpty(), // part of new pwd
 	validateRequest,
 	passwordController.changePassword
 );
@ -37,7 +34,7 @@ router.post(
 router.post(
 	'/email/password-reset',
 	passwordLimiter,
-	body('email').exists().isString().trim().notEmpty().isEmail(),
+	body('email').exists().trim().notEmpty(),
 	validateRequest,
 	passwordController.emailPasswordReset
 );
@ -45,8 +42,8 @@ router.post(
 router.post(
 	'/email/password-reset-verify',
 	passwordLimiter,
-	body('email').exists().isString().trim().notEmpty().isEmail(),
-	body('code').exists().isString().trim().notEmpty(),
+	body('email').exists().trim().notEmpty().isEmail(),
+	body('code').exists().trim().notEmpty(),
 	validateRequest,
 	passwordController.emailPasswordResetVerify
 );
@ -64,12 +61,12 @@ router.post(
 	requireAuth({
 		acceptedAuthModes: ['jwt']
 	}),
-	body('clientProof').exists().isString().trim().notEmpty(),
-	body('encryptedPrivateKey').exists().isString().trim().notEmpty(), // (backup) private key encrypted under a strong key
-	body('iv').exists().isString().trim().notEmpty(), // new iv for (backup) private key
-	body('tag').exists().isString().trim().notEmpty(), // new tag for (backup) private key
-	body('salt').exists().isString().trim().notEmpty(), // salt generated from strong key
-	body('verifier').exists().isString().trim().notEmpty(), // salt generated from strong key
+	body('clientProof').exists().trim().notEmpty(),
+	body('encryptedPrivateKey').exists().trim().notEmpty(), // (backup) private key encrypted under a strong key
+	body('iv').exists().trim().notEmpty(), // new iv for (backup) private key
+	body('tag').exists().trim().notEmpty(), // new tag for (backup) private key
+	body('salt').exists().trim().notEmpty(), // salt generated from strong key
+	body('verifier').exists().trim().notEmpty(), // salt generated from strong key
 	validateRequest,
 	passwordController.createBackupPrivateKey
 );
@ -77,14 +74,11 @@ router.post(
 router.post(
 	'/password-reset',
 	requireSignupAuth,
-	body('protectedKey').exists().isString().trim().notEmpty(),
-	body('protectedKeyIV').exists().isString().trim().notEmpty(),
-	body('protectedKeyTag').exists().isString().trim().notEmpty(),
-	body('encryptedPrivateKey').exists().isString().trim().notEmpty(), // private key encrypted under new pwd
-	body('encryptedPrivateKeyIV').exists().isString().trim().notEmpty(), // new iv for private key
-	body('encryptedPrivateKeyTag').exists().isString().trim().notEmpty(), // new tag for private key 
-	body('salt').exists().isString().trim().notEmpty(), // part of new pwd
-	body('verifier').exists().isString().trim().notEmpty(), // part of new pwd
+	body('encryptedPrivateKey').exists().trim().notEmpty(), // private key encrypted under new pwd
+	body('iv').exists().trim().notEmpty(), // new iv for private key
+	body('tag').exists().trim().notEmpty(), // new tag for private key 
+	body('salt').exists().trim().notEmpty(), // part of new pwd
+	body('verifier').exists().trim().notEmpty(), // part of new pwd
 	validateRequest,
 	passwordController.resetPassword
 );
--- a/backend/src/routes/v1/signup.ts
+++ b/backend/src/routes/v1/signup.ts
@ -1,7 +1,7 @@
 import express from 'express';
 const router = express.Router();
 import { body } from 'express-validator';
-import { validateRequest } from '../../middleware';
+import { requireSignupAuth, validateRequest } from '../../middleware';
 import { signupController } from '../../controllers/v1';
 import { authLimiter } from '../../helpers/rateLimiter';

@ -22,4 +22,39 @@ router.post(
 	signupController.verifyEmailSignup
 );

+router.post(
+	'/complete-account/signup',
+	authLimiter,
+	requireSignupAuth,
+	body('email').exists().trim().notEmpty().isEmail(),
+	body('firstName').exists().trim().notEmpty(),
+	body('lastName').exists().trim().notEmpty(),
+	body('publicKey').exists().trim().notEmpty(),
+	body('encryptedPrivateKey').exists().trim().notEmpty(),
+	body('iv').exists().trim().notEmpty(),
+	body('tag').exists().trim().notEmpty(),
+	body('salt').exists().trim().notEmpty(),
+	body('verifier').exists().trim().notEmpty(),
+	body('organizationName').exists().trim().notEmpty(),
+	validateRequest,
+	signupController.completeAccountSignup
+);
+
+router.post(
+	'/complete-account/invite',
+	authLimiter,
+	requireSignupAuth,
+	body('email').exists().trim().notEmpty().isEmail(),
+	body('firstName').exists().trim().notEmpty(),
+	body('lastName').exists().trim().notEmpty(),
+	body('publicKey').exists().trim().notEmpty(),
+	body('encryptedPrivateKey').exists().trim().notEmpty(),
+	body('iv').exists().trim().notEmpty(),
+	body('tag').exists().trim().notEmpty(),
+	body('salt').exists().trim().notEmpty(),
+	body('verifier').exists().trim().notEmpty(),
+	validateRequest,
+	signupController.completeAccountInvite
+);
+
 export default router;
--- a/backend/src/routes/v2/auth.ts
+++ b/backend/src/routes/v2/auth.ts
@ -1,44 +0,0 @@
-import express from 'express';
-const router = express.Router();
-import { body } from 'express-validator';
-import { requireMfaAuth, validateRequest } from '../../middleware';
-import { authController } from '../../controllers/v2';
-import { authLimiter } from '../../helpers/rateLimiter';
-
-router.post(
-  '/login1',
-  authLimiter,
-  body('email').isString().trim().notEmpty(),
-  body('clientPublicKey').isString().trim().notEmpty(),
-  validateRequest,
-  authController.login1
-);
-
-router.post(
-  '/login2',
-  authLimiter,
-  body('email').isString().trim().notEmpty(),
-  body('clientProof').isString().trim().notEmpty(),
-  validateRequest,
-  authController.login2
-);
-
-router.post(
-  '/mfa/send',
-  authLimiter,
-  body('email').isString().trim().notEmpty(),
-  validateRequest,
-  authController.sendMfaToken
-);
-
-router.post(
-  '/mfa/verify',
-  authLimiter,
-  requireMfaAuth,
-  body('email').isString().trim().notEmpty(),
-  body('mfaToken').isString().trim().notEmpty(),
-  validateRequest,
-  authController.verifyMfaToken
-);
-
-export default router;
--- a/backend/src/routes/v2/index.ts
+++ b/backend/src/routes/v2/index.ts
@ -1,5 +1,3 @@
-import auth from './auth';
-import signup from './signup';
 import users from './users';
 import organizations from './organizations';
 import workspace from './workspace';
@ -8,11 +6,8 @@ import secrets from './secrets';
 import serviceTokenData from './serviceTokenData';
 import apiKeyData from './apiKeyData';
 import environment from "./environment"
-import tags from "./tags"

 export {
-    auth,
-    signup,
    users,
    organizations,
    workspace,
@ -20,6 +15,5 @@ export {
    secrets,
    serviceTokenData,
    apiKeyData,
-    environment,
-    tags
+    environment
 }
--- a/backend/src/routes/v2/organizations.ts
+++ b/backend/src/routes/v2/organizations.ts
@ -30,7 +30,7 @@ router.patch(
    '/:organizationId/memberships/:membershipId',
    param('organizationId').exists().trim(),
    param('membershipId').exists().trim(),
-    body('role').exists().isString().trim().isIn([OWNER, ADMIN, MEMBER]),
+    body('role').exists().isString().trim().isIn([ADMIN, MEMBER]),
    validateRequest,
    requireAuth({
        acceptedAuthModes: ['jwt', 'apiKey']
--- a/backend/src/routes/v2/secrets.ts
+++ b/backend/src/routes/v2/secrets.ts
@ -6,52 +6,14 @@ import {
    requireSecretsAuth,
    validateRequest
 } from '../../middleware';
-import { query, body } from 'express-validator';
+import { query, check, body } from 'express-validator';
 import { secretsController } from '../../controllers/v2';
-import { validateSecrets } from '../../helpers/secret';
 import {
    ADMIN,
    MEMBER,
    SECRET_PERSONAL,
    SECRET_SHARED
 } from '../../variables';
-import {
-    BatchSecretRequest
-} from '../../types/secret';
-
-router.post(
-    '/batch',
-    requireAuth({
-        acceptedAuthModes: ['jwt', 'apiKey']
-    }),
-    requireWorkspaceAuth({
-        acceptedRoles: [ADMIN, MEMBER],
-        location: 'body'
-    }),
-    body('workspaceId').exists().isString().trim(),
-    body('environment').exists().isString().trim(),
-    body('requests')
-        .exists()
-        .custom(async (requests: BatchSecretRequest[], { req }) => {
-            if (Array.isArray(requests)) {
-                const secretIds = requests
-                    .map((request) => request.secret._id)
-                    .filter((secretId) => secretId !== undefined)
-                
-                if (secretIds.length > 0) {
-                    const relevantSecrets = await validateSecrets({
-                        userId: req.user._id.toString(),
-                        secretIds
-                    });
-                    
-                    req.secrets = relevantSecrets;
-                }
-            }
-        return true;
-    }),
-    validateRequest,
-    secretsController.batchSecrets
-);

 router.post(
    '/',
@ -70,7 +32,7 @@ router.post(
                        !secret.secretKeyCiphertext ||
                        !secret.secretKeyIV ||
                        !secret.secretKeyTag ||
-                        (typeof secret.secretValueCiphertext !== 'string') ||
+                        !secret.secretValueCiphertext ||
                        !secret.secretValueIV ||
                        !secret.secretValueTag
                    ) {
@ -112,7 +74,6 @@ router.get(
    '/',
    query('workspaceId').exists().trim(),
    query('environment').exists().trim(),
-    query('tagSlugs'),
    validateRequest,
    requireAuth({
        acceptedAuthModes: ['jwt', 'apiKey', 'serviceToken']
--- a/backend/src/routes/v2/signup.ts
+++ b/backend/src/routes/v2/signup.ts
@ -1,49 +0,0 @@
-import express from 'express';
-const router = express.Router();
-import { body } from 'express-validator';
-import { requireSignupAuth, validateRequest } from '../../middleware';
-import { signupController } from '../../controllers/v2';
-import { authLimiter } from '../../helpers/rateLimiter';
-
-router.post(
-    '/complete-account/signup',
-    authLimiter,
-    requireSignupAuth,
-    body('email').exists().isString().trim().notEmpty().isEmail(),
-	body('firstName').exists().isString().trim().notEmpty(),
-	body('lastName').exists().isString().trim().notEmpty(),
-	body('protectedKey').exists().isString().trim().notEmpty(),
-	body('protectedKeyIV').exists().isString().trim().notEmpty(),
-	body('protectedKeyTag').exists().isString().trim().notEmpty(),
-	body('publicKey').exists().isString().trim().notEmpty(),
-	body('encryptedPrivateKey').exists().isString().trim().notEmpty(),
-	body('encryptedPrivateKeyIV').exists().isString().trim().notEmpty(),
-	body('encryptedPrivateKeyTag').exists().isString().trim().notEmpty(),
-	body('salt').exists().isString().trim().notEmpty(),
-	body('verifier').exists().isString().trim().notEmpty(),
-	body('organizationName').exists().isString().trim().notEmpty(),
-    validateRequest,
-    signupController.completeAccountSignup
-);
-
-router.post(
-	'/complete-account/invite',
-	authLimiter,
-	requireSignupAuth,
-	body('email').exists().isString().trim().notEmpty().isEmail(),
-	body('firstName').exists().isString().trim().notEmpty(),
-	body('lastName').exists().isString().trim().notEmpty(),
-	body('protectedKey').exists().isString().trim().notEmpty(),
-	body('protectedKeyIV').exists().isString().trim().notEmpty(),
-	body('protectedKeyTag').exists().isString().trim().notEmpty(),
-	body('publicKey').exists().trim().notEmpty(),
-	body('encryptedPrivateKey').exists().isString().trim().notEmpty(),
-	body('encryptedPrivateKeyIV').exists().isString().trim().notEmpty(),
-	body('encryptedPrivateKeyTag').exists().isString().trim().notEmpty(),
-	body('salt').exists().isString().trim().notEmpty(),
-	body('verifier').exists().isString().trim().notEmpty(),
-	validateRequest,
-	signupController.completeAccountInvite
-);
-
-export default router;
--- a/backend/src/routes/v2/tags.ts
+++ b/backend/src/routes/v2/tags.ts
@ -1,50 +0,0 @@
-import express, { Response, Request } from 'express';
-const router = express.Router();
-import { body, param } from 'express-validator';
-import { tagController } from '../../controllers/v2';
-import {
-  requireAuth,
-  requireWorkspaceAuth,
-  validateRequest,
-} from '../../middleware';
-import { ADMIN, MEMBER } from '../../variables';
-
-router.get(
-  '/:workspaceId/tags',
-  requireAuth({
-    acceptedAuthModes: ['jwt'],
-  }),
-  requireWorkspaceAuth({
-    acceptedRoles: [MEMBER, ADMIN],
-  }),
-  param('workspaceId').exists().trim(),
-  validateRequest,
-  tagController.getWorkspaceTags
-);
-
-router.delete(
-  '/tags/:tagId',
-  requireAuth({
-    acceptedAuthModes: ['jwt'],
-  }),
-  param('tagId').exists().trim(),
-  validateRequest,
-  tagController.deleteWorkspaceTag
-);
-
-router.post(
-  '/:workspaceId/tags',
-  requireAuth({
-    acceptedAuthModes: ['jwt'],
-  }),
-  requireWorkspaceAuth({
-    acceptedRoles: [MEMBER, ADMIN],
-  }),
-  param('workspaceId').exists().trim(),
-  body('name').exists().trim(),
-  body('slug').exists().trim(),
-  validateRequest,
-  tagController.createWorkspaceTag
-);
-
-export default router;
--- a/backend/src/routes/v2/users.ts
+++ b/backend/src/routes/v2/users.ts
@ -1,10 +1,8 @@
 import express from 'express';
 const router = express.Router();
 import {
-    requireAuth,
-    validateRequest
+    requireAuth
 } from '../../middleware';
-import { body } from 'express-validator';
 import { usersController } from '../../controllers/v2';

 router.get(
@ -15,16 +13,6 @@ router.get(
    usersController.getMe
 );

-router.patch(
-    '/me/mfa',
-    requireAuth({
-        acceptedAuthModes: ['jwt', 'apiKey']
-    }),
-    body('isMfaEnabled').exists().isBoolean(),
-    validateRequest,
-    usersController.updateMyMfaEnabled
-);
-
 router.get(
    '/me/organizations',
    requireAuth({
--- a/backend/src/routes/v2/workspace.ts
+++ b/backend/src/routes/v2/workspace.ts
@ -118,19 +118,4 @@ router.delete( // TODO - rewire dashboard to this route
 	workspaceController.deleteWorkspaceMembership
 );

-
-router.patch(
-	'/:workspaceId/auto-capitalization',
-	requireAuth({
-		acceptedAuthModes: ['jwt']
-	}),
-	requireWorkspaceAuth({
-		acceptedRoles: [ADMIN, MEMBER]
-	}),
-	param('workspaceId').exists().trim(),
-	body('autoCapitalization').exists().trim().notEmpty(),
-	validateRequest,
-	workspaceController.toggleAutoCapitalization
-);
-
 export default router;
--- a/backend/src/services/IntegrationService.ts
+++ b/backend/src/services/IntegrationService.ts
@ -1,3 +1,7 @@
+import * as Sentry from '@sentry/node';
+import {
+    Integration
+} from '../models';
 import { 
    handleOAuthExchangeHelper,
    syncIntegrationsHelper,
@ -6,6 +10,7 @@ import {
    setIntegrationAuthRefreshHelper,
    setIntegrationAuthAccessHelper,
 } from '../helpers/integration';
+import { exchangeCode } from '../integrations';

 // should sync stuff be here too? Probably.
 // TODO: move bot functions to IntegrationService.
@ -21,12 +26,11 @@ class IntegrationService {
     * - Store integration access and refresh tokens returned from the OAuth2 code-token exchange
     * - Add placeholder inactive integration
     * - Create bot sequence for integration
-     * @param {Object} obj1
-     * @param {String} obj1.workspaceId - id of workspace
-     * @param {String} obj1.environment - workspace environment
-     * @param {String} obj1.integration - name of integration 
-     * @param {String} obj1.code - code
-     * @returns {IntegrationAuth} integrationAuth - integration authorization after OAuth2 code-token exchange
+     * @param {Object} obj
+     * @param {String} obj.workspaceId - id of workspace
+     * @param {String} obj.environment - workspace environment
+     * @param {String} obj.integration - name of integration 
+     * @param {String} obj.code - code
     */
    static async handleOAuthExchange({ 
        workspaceId,
@ -39,7 +43,7 @@ class IntegrationService {
        code: string;
        environment: string;
    }) {
-        return await handleOAuthExchangeHelper({
+        await handleOAuthExchangeHelper({
            workspaceId,
            integration,
            code,
@ -112,30 +116,26 @@ class IntegrationService {
    }

    /**
-     * Encrypt access token [accessToken] and (optionally) access id using the 
-     * bot's copy of the workspace key for workspace belonging to integration auth
+     * Encrypt access token [accessToken] using the bot's copy
+     * of the workspace key for workspace belonging to integration auth
     * with id [integrationAuthId]
     * @param {Object} obj
     * @param {String} obj.integrationAuthId - id of integration auth
-     * @param {String} obj.accessId - access id
     * @param {String} obj.accessToken - access token
     * @param {Date} obj.accessExpiresAt - expiration date of access token
     * @returns {IntegrationAuth} - updated integration auth
     */
    static async setIntegrationAuthAccess({ 
        integrationAuthId,
-        accessId,
        accessToken,
        accessExpiresAt
    }: { 
        integrationAuthId: string;
-        accessId: string | null;
        accessToken: string;
        accessExpiresAt: Date | undefined;
    }) {
        return await setIntegrationAuthAccessHelper({
            integrationAuthId,
-            accessId,
            accessToken,
            accessExpiresAt
        });
--- a/backend/src/services/TokenService.ts
+++ b/backend/src/services/TokenService.ts
@ -1,69 +0,0 @@
-import { Types } from 'mongoose';
-import { createTokenHelper, validateTokenHelper } from '../helpers/token';
-
-/**
- * Class to handle token actions
- * TODO: elaborate more on this class
- */
-class TokenService {
-    /**
-     * Create a token [token] for type [type] with associated details
-     * @param {Object} obj
-     * @param {String} obj.type - type or context of token (e.g. emailConfirmation)
-     * @param {String} obj.email - email associated with the token
-     * @param {String} obj.phoneNumber - phone number associated with the token
-     * @param {Types.ObjectId} obj.organizationId - id of organization associated with the token
-     * @returns {String} token - the token to create
-     */
-    static async createToken({
-        type,
-        email,
-        phoneNumber,
-        organizationId
-    }: {
-        type: 'emailConfirmation' | 'emailMfa' | 'organizationInvitation' | 'passwordReset';
-        email?: string;
-        phoneNumber?: string;
-        organizationId?: Types.ObjectId;
-    }) {
-        return await createTokenHelper({
-            type,
-            email,
-            phoneNumber,
-            organizationId
-        });
-    }
-    
-    /**
-     * Validate whether or not token [token] and its associated details match a token in the DB
-     * @param {Object} obj
-     * @param {String} obj.type - type or context of token (e.g. emailConfirmation)
-     * @param {String} obj.email - email associated with the token
-     * @param {String} obj.phoneNumber - phone number associated with the token
-     * @param {Types.ObjectId} obj.organizationId - id of organization associated with the token
-     * @param {String} obj.token - the token to validate
-     */
-    static async validateToken({
-        type,
-        email,
-        phoneNumber,
-        organizationId,
-        token
-    }: {
-        type: 'emailConfirmation' | 'emailMfa' | 'organizationInvitation' | 'passwordReset';
-        email?: string;
-        phoneNumber?: string;
-        organizationId?: Types.ObjectId;
-        token: string;
-    }) {
-        return await validateTokenHelper({
-            type,
-            email,
-            phoneNumber,
-            organizationId,
-            token
-        });
-    }
-}
-
-export default TokenService;
--- a/backend/src/services/index.ts
+++ b/backend/src/services/index.ts
@ -3,13 +3,11 @@ import postHogClient from './PostHogClient';
 import BotService from './BotService';
 import EventService from './EventService';
 import IntegrationService from './IntegrationService';
-import TokenService from './TokenService';

 export {
    DatabaseService,
    postHogClient,
    BotService,
    EventService,
-    IntegrationService,
-    TokenService
+    IntegrationService
 }
--- a/backend/src/services/smtp.ts
+++ b/backend/src/services/smtp.ts
@ -1,10 +1,6 @@
 import nodemailer from 'nodemailer';
 import { SMTP_HOST, SMTP_PORT, SMTP_USERNAME, SMTP_PASSWORD, SMTP_SECURE } from '../config';
-import {
-  SMTP_HOST_SENDGRID, 
-  SMTP_HOST_MAILGUN,
-  SMTP_HOST_SOCKETLABS
-} from '../variables';
+import { SMTP_HOST_SENDGRID, SMTP_HOST_MAILGUN } from '../variables';
 import SMTPConnection from 'nodemailer/lib/smtp-connection';
 import * as Sentry from '@sentry/node';

@ -31,12 +27,6 @@ if (SMTP_SECURE) {
        ciphers: 'TLSv1.2'
      }
      break;
-    case SMTP_HOST_SOCKETLABS:
-      mailOpts.requireTLS = true; 
-      mailOpts.tls = {
-        ciphers: 'TLSv1.2'
-      }
-      break;
    default:
      if (SMTP_HOST.includes('amazonaws.com')) {
        mailOpts.tls = {
--- a/backend/src/templates/emailMfa.handlebars
+++ b/backend/src/templates/emailMfa.handlebars
@ -1,19 +0,0 @@
-<!DOCTYPE html>
-<html>
-
-<head>
-    <meta charset="utf-8">
-    <meta http-equiv="x-ua-compatible" content="ie=edge">
-    <title>MFA Code</title>
-</head>
-
-<body>
-    <h2>Infisical</h2>
-    <h2>Sign in attempt requires further verification</h2>
-    <p>Your MFA code is below — enter it where you started signing in to Infisical.</p>
-    <h2>{{code}}</h2>
-    <p>The MFA code will be valid for 2 minutes.</p>
-    <p>Not you? Contact Infisical or your administrator immediately.</p>
-</body>
-
-</html>
--- a/backend/src/templates/emailVerification.handlebars
+++ b/backend/src/templates/emailVerification.handlebars
@ -1,17 +1,15 @@
 <!DOCTYPE html>
 <html>
-
 <head>
    <meta charset="utf-8">
    <meta http-equiv="x-ua-compatible" content="ie=edge">
-    <title>Code</title>
+    <title>Email Verification</title>
 </head>
-
 <body>
+    <h2>Infisical</h2>
    <h2>Confirm your email address</h2>
    <p>Your confirmation code is below — enter it in the browser window where you've started signing up for Infisical.</p>
-    <h1>{{code}}</h1>
+    <h2>{{code}}</h2>
    <p>Questions about setting up Infisical? Email us at support@infisical.com</p>
 </body>
-
 </html>
--- a/backend/src/templates/newDevice.handlebars
+++ b/backend/src/templates/newDevice.handlebars
@ -1,19 +0,0 @@
-<!DOCTYPE html>
-<html>
-
-<head>
-    <meta charset="utf-8">
-    <meta http-equiv="x-ua-compatible" content="ie=edge">
-    <title>Successful login for {{email}} from new device</title>
-</head>
-
-<body>
-    <h2>Infisical</h2>
-    <p>We're verifying a recent login for {{email}}:</p>
-    <p><strong>Timestamp</strong>: {{timestamp}}</p>
-    <p><strong>IP address</strong>: {{ip}}</p>
-    <p><strong>User agent</strong>: {{userAgent}}</p>
-    <p>If you believe that this login is suspicious, please contact Infisical or reset your password immediately.</p>
-</body>
-
-</html>
--- a/backend/src/templates/organizationInvitation.handlebars
+++ b/backend/src/templates/organizationInvitation.handlebars
@ -7,10 +7,12 @@
    <title>Organization Invitation</title>
 </head>
 <body>
-    <h2>Join your organization on Infisical</h2>
-    <p>{{inviterFirstName}} ({{inviterEmail}}) has invited you to their Infisical organization — {{organizationName}}</p>
+    <h2>Infisical</h2>
+    <h2>Join your team on Infisical</h2>
+    <p>{{inviterFirstName}}({{inviterEmail}}) has invited you to their Infisical organization — {{organizationName}}</p>
    <a href="{{callback_url}}?token={{token}}&to={{email}}">Join now</a>
    <h3>What is Infisical?</h3>
-    <p>Infisical is an easy-to-use end-to-end encrypted tool that enables developers to sync and manage their secrets and configs.</p>
+    <p>Infisical is a simple end-to-end encrypted solution that enables teams to sync and manage their environment
+        variables.</p>
 </body>
 </html>
--- a/backend/src/templates/passwordReset.handlebars
+++ b/backend/src/templates/passwordReset.handlebars
@ -6,6 +6,7 @@
    <title>Account Recovery</title>
 </head>
 <body>
+    <h2>Infisical</h2>
    <h2>Reset your password</h2>
    <p>Someone requested a password reset.</p>
    <a href="{{callback_url}}?token={{token}}&to={{email}}">Reset password</a>
--- a/backend/src/templates/workspaceInvitation.handlebars
+++ b/backend/src/templates/workspaceInvitation.handlebars
@ -6,10 +6,11 @@
    <title>Project Invitation</title>
 </head>
 <body>
+    <h2>Infisical</h2>
    <h2>Join your team on Infisical</h2>
-    <p>{{inviterFirstName}} ({{inviterEmail}}) has invited you to their Infisical project — {{workspaceName}}</p>
+    <p>{{inviterFirstName}}({{inviterEmail}}) has invited you to their Infisical workspace — {{workspaceName}}</p>
    <a href="{{callback_url}}">Join now</a>
    <h3>What is Infisical?</h3>
-    <p>Infisical is an easy-to-use end-to-end encrypted tool that enables developers to sync and manage their secrets and configs.</p>
+    <p>Infisical is a simple end-to-end encrypted solution that enables teams to sync and manage their environment variables.</p>
 </body>
 </html>
--- a/backend/src/types/secret/index.d.ts
+++ b/backend/src/types/secret/index.d.ts
@ -1,7 +1,5 @@
-import { Types } from 'mongoose';
 import { Assign, Omit } from 'utility-types';
 import { ISecret } from '../../models';
-import { mongo } from 'mongoose';

 // Everything is required, except the omitted types
 export type CreateSecretRequestBody = Omit<ISecret, "user" | "version" | "environment" | "workspace">;
@ -14,39 +12,3 @@ export type SanitizedSecretModify = Partial<Omit<ISecret, "user" | "version" | "

 // Everything is required, except the omitted types
 export type SanitizedSecretForCreate = Omit<ISecret, "version" | "_id">;
-
-export interface BatchSecretRequest {
-    id: string;
-    method: 'POST' | 'PATCH' | 'DELETE';
-    secret: Secret;
-}
-
-export interface BatchSecret {
-    _id: string;
-    type: 'shared' | 'personal',
-    secretKeyCiphertext: string;
-    secretKeyIV: string;
-    secretKeyTag: string;
-    secretValueCiphertext: string;
-    secretValueIV: string;
-    secretValueTag: string;
-    secretCommentCiphertext: string;
-    secretCommentIV: string;
-    secretCommentTag: string;
-    tags: string[];
-}
-
-export interface BatchSecret {
-    _id: string;
-    type: 'shared' | 'personal',
-    secretKeyCiphertext: string;
-    secretKeyIV: string;
-    secretKeyTag: string;
-    secretValueCiphertext: string;
-    secretValueIV: string;
-    secretValueTag: string;
-    secretCommentCiphertext: string;
-    secretCommentIV: string;
-    secretCommentTag: string;
-    tags: string[];
-}
--- a/backend/src/variables/action.ts
+++ b/backend/src/variables/action.ts
@ -1,13 +1,9 @@
-const ACTION_LOGIN = 'login';
-const ACTION_LOGOUT = 'logout';
 const ACTION_ADD_SECRETS = 'addSecrets';
 const ACTION_DELETE_SECRETS = 'deleteSecrets';
 const ACTION_UPDATE_SECRETS = 'updateSecrets';
 const ACTION_READ_SECRETS = 'readSecrets';

 export {
-    ACTION_LOGIN,
-    ACTION_LOGOUT,
    ACTION_ADD_SECRETS,
    ACTION_DELETE_SECRETS,
    ACTION_UPDATE_SECRETS,
--- a/backend/src/variables/index.ts
+++ b/backend/src/variables/index.ts
@ -3,22 +3,17 @@ import {
  ENV_TESTING,
  ENV_STAGING,
  ENV_PROD,
-  ENV_SET,
-} from "./environment";
+  ENV_SET
+} from './environment';
 import {
-  INTEGRATION_AZURE_KEY_VAULT,
-  INTEGRATION_AWS_PARAMETER_STORE,
-  INTEGRATION_AWS_SECRET_MANAGER,
  INTEGRATION_HEROKU,
  INTEGRATION_VERCEL,
  INTEGRATION_NETLIFY,
  INTEGRATION_GITHUB,
  INTEGRATION_RENDER,
  INTEGRATION_FLYIO,
-  INTEGRATION_CIRCLECI,
  INTEGRATION_SET,
  INTEGRATION_OAUTH2,
-  INTEGRATION_AZURE_TOKEN_URL,
  INTEGRATION_HEROKU_TOKEN_URL,
  INTEGRATION_VERCEL_TOKEN_URL,
  INTEGRATION_NETLIFY_TOKEN_URL,
@ -28,35 +23,25 @@ import {
  INTEGRATION_NETLIFY_API_URL,
  INTEGRATION_RENDER_API_URL,
  INTEGRATION_FLYIO_API_URL,
-  INTEGRATION_CIRCLECI_API_URL,
-  INTEGRATION_OPTIONS,
-} from "./integration";
-import { OWNER, ADMIN, MEMBER, INVITED, ACCEPTED } from "./organization";
-import { SECRET_SHARED, SECRET_PERSONAL } from "./secret";
-import { EVENT_PUSH_SECRETS, EVENT_PULL_SECRETS } from "./event";
+  INTEGRATION_OPTIONS
+} from './integration';
+import {
+  OWNER,
+  ADMIN,
+  MEMBER,
+  INVITED,
+  ACCEPTED,
+} from './organization';
+import { SECRET_SHARED, SECRET_PERSONAL } from './secret';
+import { EVENT_PUSH_SECRETS, EVENT_PULL_SECRETS } from './event';
 import {
-  ACTION_LOGIN,
-  ACTION_LOGOUT,
  ACTION_ADD_SECRETS,
  ACTION_UPDATE_SECRETS,
  ACTION_DELETE_SECRETS,
  ACTION_READ_SECRETS
 } from './action';
-import { 
-  SMTP_HOST_SENDGRID, 
-  SMTP_HOST_MAILGUN,
-  SMTP_HOST_SOCKETLABS
-} from './smtp';
+import { SMTP_HOST_SENDGRID, SMTP_HOST_MAILGUN } from './smtp';
 import { PLAN_STARTER, PLAN_PRO } from './stripe';
-import {
-  MFA_METHOD_EMAIL
-} from './user';
-import {
-  TOKEN_EMAIL_CONFIRMATION,
-  TOKEN_EMAIL_MFA,
-  TOKEN_EMAIL_ORG_INVITATION,
-  TOKEN_EMAIL_PASSWORD_RESET
-} from './token';

 export {
  OWNER,
@ -71,19 +56,14 @@ export {
  ENV_STAGING,
  ENV_PROD,
  ENV_SET,
-  INTEGRATION_AZURE_KEY_VAULT,
-  INTEGRATION_AWS_PARAMETER_STORE,
-  INTEGRATION_AWS_SECRET_MANAGER,
  INTEGRATION_HEROKU,
  INTEGRATION_VERCEL,
  INTEGRATION_NETLIFY,
  INTEGRATION_GITHUB,
  INTEGRATION_RENDER,
  INTEGRATION_FLYIO,
-  INTEGRATION_CIRCLECI,
  INTEGRATION_SET,
  INTEGRATION_OAUTH2,
-  INTEGRATION_AZURE_TOKEN_URL,
  INTEGRATION_HEROKU_TOKEN_URL,
  INTEGRATION_VERCEL_TOKEN_URL,
  INTEGRATION_NETLIFY_TOKEN_URL,
@ -93,11 +73,8 @@ export {
  INTEGRATION_NETLIFY_API_URL,
  INTEGRATION_RENDER_API_URL,
  INTEGRATION_FLYIO_API_URL,
-  INTEGRATION_CIRCLECI_API_URL,
  EVENT_PUSH_SECRETS,
  EVENT_PULL_SECRETS,
-  ACTION_LOGIN,
-  ACTION_LOGOUT,
  ACTION_ADD_SECRETS,
  ACTION_UPDATE_SECRETS,
  ACTION_DELETE_SECRETS,
@ -105,12 +82,6 @@ export {
  INTEGRATION_OPTIONS,
  SMTP_HOST_SENDGRID,
  SMTP_HOST_MAILGUN,
-  SMTP_HOST_SOCKETLABS,
  PLAN_STARTER,
  PLAN_PRO,
-  MFA_METHOD_EMAIL,
-  TOKEN_EMAIL_CONFIRMATION,
-  TOKEN_EMAIL_MFA,
-  TOKEN_EMAIL_ORG_INVITATION,
-  TOKEN_EMAIL_PASSWORD_RESET
 };
--- a/backend/src/variables/integration.ts
+++ b/backend/src/variables/integration.ts
@ -1,55 +1,43 @@
 import {
-    CLIENT_ID_AZURE,
-    TENANT_ID_AZURE
+    CLIENT_ID_HEROKU,
+    CLIENT_ID_NETLIFY,
+    CLIENT_ID_GITHUB,
+    CLIENT_SLUG_VERCEL
 } from '../config';
-import {
-  CLIENT_ID_HEROKU,
-  CLIENT_ID_NETLIFY,
-  CLIENT_ID_GITHUB,
-  CLIENT_SLUG_VERCEL,
-} from "../config";

 // integrations
-const INTEGRATION_AZURE_KEY_VAULT = 'azure-key-vault';
-const INTEGRATION_AWS_PARAMETER_STORE = 'aws-parameter-store';
-const INTEGRATION_AWS_SECRET_MANAGER = 'aws-secret-manager';
-const INTEGRATION_HEROKU = "heroku";
-const INTEGRATION_VERCEL = "vercel";
-const INTEGRATION_NETLIFY = "netlify";
-const INTEGRATION_GITHUB = "github";
-const INTEGRATION_RENDER = "render";
-const INTEGRATION_FLYIO = "flyio";
-const INTEGRATION_CIRCLECI = "circleci";
+const INTEGRATION_HEROKU = 'heroku';
+const INTEGRATION_VERCEL = 'vercel';
+const INTEGRATION_NETLIFY = 'netlify';
+const INTEGRATION_GITHUB = 'github';
+const INTEGRATION_RENDER = 'render';
+const INTEGRATION_FLYIO = 'flyio';
 const INTEGRATION_SET = new Set([
-    INTEGRATION_AZURE_KEY_VAULT,
-  INTEGRATION_HEROKU,
-  INTEGRATION_VERCEL,
-  INTEGRATION_NETLIFY,
-  INTEGRATION_GITHUB,
-  INTEGRATION_RENDER,
-  INTEGRATION_FLYIO,
-  INTEGRATION_CIRCLECI,
+    INTEGRATION_HEROKU,
+    INTEGRATION_VERCEL,
+    INTEGRATION_NETLIFY,
+    INTEGRATION_GITHUB,
+    INTEGRATION_RENDER,
+    INTEGRATION_FLYIO
 ]);

 // integration types
-const INTEGRATION_OAUTH2 = "oauth2";
+const INTEGRATION_OAUTH2 = 'oauth2';

 // integration oauth endpoints
-const INTEGRATION_AZURE_TOKEN_URL = `https://login.microsoftonline.com/${TENANT_ID_AZURE}/oauth2/v2.0/token`;
 const INTEGRATION_HEROKU_TOKEN_URL = 'https://id.heroku.com/oauth/token';
 const INTEGRATION_VERCEL_TOKEN_URL =
-  "https://api.vercel.com/v2/oauth/access_token";
-const INTEGRATION_NETLIFY_TOKEN_URL = "https://api.netlify.com/oauth/token";
+    'https://api.vercel.com/v2/oauth/access_token';
+const INTEGRATION_NETLIFY_TOKEN_URL = 'https://api.netlify.com/oauth/token';
 const INTEGRATION_GITHUB_TOKEN_URL =
-  "https://github.com/login/oauth/access_token";
+    'https://github.com/login/oauth/access_token';

 // integration apps endpoints
-const INTEGRATION_HEROKU_API_URL = "https://api.heroku.com";
-const INTEGRATION_VERCEL_API_URL = "https://api.vercel.com";
-const INTEGRATION_NETLIFY_API_URL = "https://api.netlify.com";
-const INTEGRATION_RENDER_API_URL = "https://api.render.com";
-const INTEGRATION_FLYIO_API_URL = "https://api.fly.io/graphql";
-const INTEGRATION_CIRCLECI_API_URL = "https://circleci.com/api";
+const INTEGRATION_HEROKU_API_URL = 'https://api.heroku.com';
+const INTEGRATION_VERCEL_API_URL = 'https://api.vercel.com';
+const INTEGRATION_NETLIFY_API_URL = 'https://api.netlify.com';
+const INTEGRATION_RENDER_API_URL = 'https://api.render.com';
+const INTEGRATION_FLYIO_API_URL = 'https://api.fly.io/graphql';

 const INTEGRATION_OPTIONS = [
    {
@ -102,46 +90,9 @@ const INTEGRATION_OPTIONS = [
        name: 'Fly.io',
        slug: 'flyio',
        image: 'Flyio.svg',
-        isAvailable: true,
-        type: 'pat',
-        clientId: '',
-        docsLink: ''
-    },
-    {
-        name: 'AWS Parameter Store',
-        slug: 'aws-parameter-store',
-        image: 'Amazon Web Services.png',
-        isAvailable: true,
-        type: 'custom',
-        clientId: '',
-        docsLink: ''
-    },
-    {
-        name: 'AWS Secret Manager',
-        slug: 'aws-secret-manager',
-        image: 'Amazon Web Services.png',
-        isAvailable: true,
-        type: 'custom',
-        clientId: '',
-        docsLink: ''
-    },
-    {
-        name: 'Circle CI',
-        slug: 'circleci',
-        image: 'Circle CI.png',
-        isAvailable: true,
-        type: 'pat',
-        clientId: '',
-        docsLink: ''
-    },
-    {
-        name: 'Azure Key Vault',
-        slug: 'azure-key-vault',
-        image: 'Microsoft Azure.png',
        isAvailable: false,
-        type: 'oauth',
-        clientId: CLIENT_ID_AZURE,
-        tenantId: TENANT_ID_AZURE,
+        type: 'pat',
+        clientId: '',
        docsLink: ''
    },
    {
@ -153,6 +104,24 @@ const INTEGRATION_OPTIONS = [
        clientId: '',
        docsLink: ''
    },
+    {
+        name: 'Amazon Web Services',
+        slug: 'aws',
+        image: 'Amazon Web Services.png',
+        isAvailable: false,
+        type: '',
+        clientId: '',
+        docsLink: ''
+    },
+    {
+        name: 'Microsoft Azure',
+        slug: 'azure',
+        image: 'Microsoft Azure.png',
+        isAvailable: false,
+        type: '',
+        clientId: '',
+        docsLink: ''
+    },
    {
        name: 'Travis CI',
        slug: 'travisci',
@ -161,32 +130,35 @@ const INTEGRATION_OPTIONS = [
        type: '',
        clientId: '',
        docsLink: ''
+    },
+    {
+        name: 'Circle CI',
+        slug: 'circleci',
+        image: 'Circle CI.png',
+        isAvailable: false,
+        type: '',
+        clientId: '',
+        docsLink: ''
    }
 ]

 export {
-    INTEGRATION_AZURE_KEY_VAULT,
-    INTEGRATION_AWS_PARAMETER_STORE,
-    INTEGRATION_AWS_SECRET_MANAGER,
-  INTEGRATION_HEROKU,
-  INTEGRATION_VERCEL,
-  INTEGRATION_NETLIFY,
-  INTEGRATION_GITHUB,
-  INTEGRATION_RENDER,
-  INTEGRATION_FLYIO,
-  INTEGRATION_CIRCLECI,
-  INTEGRATION_SET,
-  INTEGRATION_OAUTH2,
-    INTEGRATION_AZURE_TOKEN_URL,
-  INTEGRATION_HEROKU_TOKEN_URL,
-  INTEGRATION_VERCEL_TOKEN_URL,
-  INTEGRATION_NETLIFY_TOKEN_URL,
-  INTEGRATION_GITHUB_TOKEN_URL,
-  INTEGRATION_HEROKU_API_URL,
-  INTEGRATION_VERCEL_API_URL,
-  INTEGRATION_NETLIFY_API_URL,
-  INTEGRATION_RENDER_API_URL,
-  INTEGRATION_FLYIO_API_URL,
-  INTEGRATION_CIRCLECI_API_URL,
-  INTEGRATION_OPTIONS,
+    INTEGRATION_HEROKU,
+    INTEGRATION_VERCEL,
+    INTEGRATION_NETLIFY,
+    INTEGRATION_GITHUB,
+    INTEGRATION_RENDER,
+    INTEGRATION_FLYIO,
+    INTEGRATION_SET,
+    INTEGRATION_OAUTH2,
+    INTEGRATION_HEROKU_TOKEN_URL,
+    INTEGRATION_VERCEL_TOKEN_URL,
+    INTEGRATION_NETLIFY_TOKEN_URL,
+    INTEGRATION_GITHUB_TOKEN_URL,
+    INTEGRATION_HEROKU_API_URL,
+    INTEGRATION_VERCEL_API_URL,
+    INTEGRATION_NETLIFY_API_URL,
+    INTEGRATION_RENDER_API_URL,
+    INTEGRATION_FLYIO_API_URL,
+    INTEGRATION_OPTIONS
 };
--- a/backend/src/variables/organization.ts
+++ b/backend/src/variables/organization.ts
@ -1,16 +1,24 @@
 // membership roles
-const OWNER = "owner";
-const ADMIN = "admin";
-const MEMBER = "member";
+const OWNER = 'owner';
+const ADMIN = 'admin';
+const MEMBER = 'member';

 // membership statuses
-const INVITED = "invited";
+const INVITED = 'invited';

 // membership permissions ability
-const ABILITY_READ = "read";
-const ABILITY_WRITE = "write";
+const ABILITY_READ = 'read';
+const ABILITY_WRITE = 'write';

 // -- organization
-const ACCEPTED = "accepted";
+const ACCEPTED = 'accepted';

-export { OWNER, ADMIN, MEMBER, INVITED, ACCEPTED, ABILITY_READ, ABILITY_WRITE };
+export {
+    OWNER,
+    ADMIN,
+    MEMBER,
+    INVITED,
+    ACCEPTED,
+    ABILITY_READ,
+    ABILITY_WRITE
+}
--- a/backend/src/variables/smtp.ts
+++ b/backend/src/variables/smtp.ts
@ -1,9 +1,7 @@
 const SMTP_HOST_SENDGRID = 'smtp.sendgrid.net';
 const SMTP_HOST_MAILGUN = 'smtp.mailgun.org';
-const SMTP_HOST_SOCKETLABS = 'smtp.socketlabs.com';

 export {
    SMTP_HOST_SENDGRID,
-    SMTP_HOST_MAILGUN,
-    SMTP_HOST_SOCKETLABS
+    SMTP_HOST_MAILGUN
 }
--- a/backend/src/variables/token.ts
+++ b/backend/src/variables/token.ts
@ -1,11 +0,0 @@
-const TOKEN_EMAIL_CONFIRMATION = 'emailConfirmation';
-const TOKEN_EMAIL_MFA = 'emailMfa';
-const TOKEN_EMAIL_ORG_INVITATION = 'organizationInvitation';
-const TOKEN_EMAIL_PASSWORD_RESET = 'passwordReset';
-
-export {
-    TOKEN_EMAIL_CONFIRMATION,
-    TOKEN_EMAIL_MFA,
-    TOKEN_EMAIL_ORG_INVITATION,
-    TOKEN_EMAIL_PASSWORD_RESET
-}
--- a/backend/src/variables/user.ts
+++ b/backend/src/variables/user.ts
@ -1,5 +0,0 @@
-const MFA_METHOD_EMAIL = 'email';
-
-export {
-    MFA_METHOD_EMAIL
-}
--- a/cli/docker/Dockerfile
+++ b/cli/docker/Dockerfile
@ -1,4 +0,0 @@
-FROM alpine
-RUN apk add --no-cache tini
-COPY infisical /bin/infisical
-ENTRYPOINT ["/sbin/tini", "--", "/bin/infisical"]
--- a/cli/go.mod
+++ b/cli/go.mod
@ -7,8 +7,8 @@ require (
 	github.com/muesli/mango-cobra v1.2.0
 	github.com/muesli/roff v0.1.0
 	github.com/spf13/cobra v1.6.1
-	golang.org/x/crypto v0.6.0
-	golang.org/x/term v0.5.0
+	golang.org/x/crypto v0.3.0
+	golang.org/x/term v0.3.0
 )

 require (
@ -31,8 +31,8 @@ require (
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
 	go.mongodb.org/mongo-driver v1.10.0 // indirect
-	golang.org/x/net v0.6.0 // indirect
-	golang.org/x/sys v0.5.0 // indirect
+	golang.org/x/net v0.2.0 // indirect
+	golang.org/x/sys v0.3.0 // indirect
 )

 require (
--- a/cli/go.sum
+++ b/cli/go.sum
@ -106,14 +106,10 @@ go.mongodb.org/mongo-driver v1.10.0/go.mod h1:wsihk0Kdgv8Kqu1Anit4sfK+22vSFbUrAV
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.3.0 h1:a06MkbcxBrEFc0w0QIZWXrH/9cCX6KJyWbBOIwAn+7A=
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/crypto v0.6.0 h1:qfktjS5LUO+fFKeJXZ+ikTRijMmljikvG68fpMMruSc=
-golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/net v0.0.0-20211029224645-99673261e6eb/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.2.0 h1:sZfSu1wtKLGlWI4ZZayP0ck9Y73K1ynO6gqzTdBVdPU=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
-golang.org/x/net v0.6.0 h1:L4ZwwTvKW9gr0ZMS1yrHD9GZhIuVjOBBnaKH+SPQK0Q=
-golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@ -127,13 +123,9 @@ golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ=
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.3.0 h1:qoo4akIqOcDME5bhc/NgxUdovd6BSS2uMsVjB56q1xI=
 golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
-golang.org/x/term v0.5.0 h1:n2a8QNdAb0sZNpU9R1ALUXBbY+w51fCQDN+7EdxNBsY=
-golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
--- a/cli/main.go
+++ b/cli/main.go
@ -1,5 +1,5 @@
 /*
-Copyright (c) 2023 Infisical Inc.
+Copyright © 2022 NAME HERE <EMAIL ADDRESS>
 */
 package main

--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Maidul Islam	e8213799c8	Add deny api/get envs api	2023-01-29 21:04:47 -08:00
Maidul Islam	967df7282e	add basic auth model for Organization	2023-01-24 23:16:08 -08:00