bring back tags to secret version

feat(folders): resolved auth issues and added the env dropdown change…

.dockerignore

@@ -0,0 +1,2 @@
+backend/node_modules
+frontend/node_modules

.env.example

@@ -1,5 +1,6 @@
 # Keys
 # Required key for platform encryption/decryption ops
+# THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NOT BE USED FOR PRODUCTION
 ENCRYPTION_KEY=6c1fe4e407b8911c104518103505b218
 
 # JWT
@@ -8,6 +9,7 @@ JWT_SIGNUP_SECRET=3679e04ca949f914c03332aaaeba805a
 JWT_REFRESH_SECRET=5f2f3c8f0159068dc2bbb3a652a716ff
 JWT_AUTH_SECRET=4be6ba5602e0fa0ac6ac05c3cd4d247f
 JWT_SERVICE_SECRET=f32f716d70a42c5703f4656015e76200
+JWT_PROVIDER_AUTH_SECRET=f32f716d70a42c5703f4656015e76201
 
 # JWT lifetime
 # Optional lifetimes for JWT tokens expressed in seconds or a string 
@@ -15,9 +17,7 @@ JWT_SERVICE_SECRET=f32f716d70a42c5703f4656015e76200
 JWT_AUTH_LIFETIME=
 JWT_REFRESH_LIFETIME=
 JWT_SIGNUP_LIFETIME=
-
-# Optional lifetimes for OTP expressed in seconds
-EMAIL_TOKEN_LIFETIME=
+JWT_PROVIDER_AUTH_LIFETIME=
 
 # MongoDB
 # Backend will connect to the MongoDB instance at connection string MONGO_URL which can either be a ref
@@ -33,14 +33,12 @@ MONGO_PASSWORD=example
 # Required
 SITE_URL=http://localhost:8080
 
-# Mail/SMTP
-SMTP_HOST= # required
-SMTP_USERNAME= # required
-SMTP_PASSWORD= # required
-SMTP_PORT=587
-SMTP_SECURE=false
-SMTP_FROM_ADDRESS= # required
-SMTP_FROM_NAME=Infisical
+# Mail/SMTP 
+SMTP_HOST=
+SMTP_PORT=
+SMTP_NAME=
+SMTP_USERNAME=
+SMTP_PASSWORD=
 
 # Integration
 # Optional only if integration is used
@@ -48,10 +46,12 @@ CLIENT_ID_HEROKU=
 CLIENT_ID_VERCEL=
 CLIENT_ID_NETLIFY=
 CLIENT_ID_GITHUB=
+CLIENT_ID_GITLAB=
 CLIENT_SECRET_HEROKU=
 CLIENT_SECRET_VERCEL=
 CLIENT_SECRET_NETLIFY=
 CLIENT_SECRET_GITHUB=
+CLIENT_SECRET_GITLAB=
 CLIENT_SLUG_VERCEL=
 
 # Sentry (optional) for monitoring errors
@@ -67,4 +67,7 @@ STRIPE_WEBHOOK_SECRET=
 STRIPE_PRODUCT_STARTER=
 STRIPE_PRODUCT_TEAM=
 STRIPE_PRODUCT_PRO=
-NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=
+NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=
+
+CLIENT_ID_GOOGLE=
+CLIENT_SECRET_GOOGLE=

.github/pull_request_template.md

@@ -1,6 +1,6 @@
 # Description 📣
 
-*Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.*
+<!-- Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change. -->
 
 ## Type ✨
 
@@ -11,7 +11,7 @@
 
 # Tests 🛠️
 
-*Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration. You may want to add screenshots when relevant and possible*
+<!-- Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration. You may want to add screenshots when relevant and possible -->
 
 ```sh
 # Here's some code block to paste some code snippets

.github/resources/docker-compose.be-test.yml

@@ -13,6 +13,7 @@ services:
       - MONGO_URL=mongodb://test:example@mongo:27017/?authSource=admin
       - MONGO_USERNAME=test
       - MONGO_PASSWORD=example
+      - ENCRYPTION_KEY=a984ecdf82ec779e55dbcc21303a900f
     networks:
       - infisical-test
 

.github/workflows/check-be-pull-request.yml

@@ -13,6 +13,7 @@ jobs:
   check-be-pr:
     name: Check
     runs-on: ubuntu-latest
+    timeout-minutes: 15
 
     steps:
       - name: ☁️ Checkout source
@@ -26,17 +27,17 @@ jobs:
       - name: 📦 Install dependencies
         run: npm ci --only-production
         working-directory: backend
-      - name: 🧪 Run tests
-        run: npm run test:ci
-        working-directory: backend
-      - name: 📁 Upload test results
-        uses: actions/upload-artifact@v3
-        if: always()
-        with:
-          name: be-test-results
-          path: |
-            ./backend/reports
-            ./backend/coverage
+      # - name: 🧪 Run tests
+      #   run: npm run test:ci
+      #   working-directory: backend
+      # - name: 📁 Upload test results
+      #   uses: actions/upload-artifact@v3
+      #   if: always()
+      #   with:
+      #     name: be-test-results
+      #     path: |
+      #       ./backend/reports
+      #       ./backend/coverage
       - name: 🏗️ Run build
         run: npm run build
         working-directory: backend

.github/workflows/check-fe-pull-request.yml

@@ -2,40 +2,35 @@ name: Check Frontend Pull Request
 
 on:
   pull_request:
-    types: [ opened, synchronize ]
+    types: [opened, synchronize]
     paths:
-      - 'frontend/**'
-      - '!frontend/README.md'
-      - '!frontend/.*'
-      - 'frontend/.eslintrc.js'
-
+      - "frontend/**"
+      - "!frontend/README.md"
+      - "!frontend/.*"
+      - "frontend/.eslintrc.js"
 
 jobs:
-
   check-fe-pr:
     name: Check
     runs-on: ubuntu-latest
+    timeout-minutes: 15
 
     steps:
-      -
-        name: ☁️ Checkout source
+      - name: ☁️ Checkout source
         uses: actions/checkout@v3
-      -
-        name: 🔧 Setup Node 16
+      - name: 🔧 Setup Node 16
         uses: actions/setup-node@v3
         with:
-          node-version: '16'
-          cache: 'npm'
+          node-version: "16"
+          cache: "npm"
           cache-dependency-path: frontend/package-lock.json
-      -
-        name: 📦 Install dependencies
+      - name: 📦 Install dependencies
         run: npm ci --only-production --ignore-scripts
         working-directory: frontend
       # -
       #   name: 🧪 Run tests
       #   run: npm run test:ci
       #   working-directory: frontend
-      -
-        name: 🏗️ Run build
+      - name: 🏗️ Run build
         run: npm run build
         working-directory: frontend

.github/workflows/docker-image.yml

@@ -1,14 +1,25 @@
 name: Build, Publish and Deploy to Gamma
-on: [workflow_dispatch]
+on:
+  push:
+    tags:
+      - "infisical/v*.*.*"
 
 jobs:
   backend-image:
     name: Build backend image
     runs-on: ubuntu-latest
-
     steps:
+      - name: Extract version from tag
+        id: extract_version
+        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
       - name: ☁️ Checkout source
         uses: actions/checkout@v3
+      - name: 📦 Install dependencies to test all dependencies
+        run: npm ci --only-production
+        working-directory: backend
+      - name: 🧪 Run tests
+        run: npm run test:ci
+        working-directory: backend
       - name: Save commit hashes for tag
         id: commit
         uses: pr-mpt/actions-commit-hash@v2
@@ -45,15 +56,19 @@ jobs:
           token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
           push: true
           context: backend
-          tags: infisical/backend:${{ steps.commit.outputs.short }}, 
-                infisical/backend:latest
+          tags: |
+            infisical/backend:${{ steps.commit.outputs.short }}
+            infisical/backend:latest
+            infisical/backend:${{ steps.extract_version.outputs.version }}
           platforms: linux/amd64,linux/arm64
 
   frontend-image:
     name: Build frontend image
     runs-on: ubuntu-latest
-
     steps:
+      - name: Extract version from tag
+        id: extract_version
+        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
       - name: ☁️ Checkout source
         uses: actions/checkout@v3
       - name: Save commit hashes for tag
@@ -94,8 +109,10 @@ jobs:
           push: true
           token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
           context: frontend
-          tags: infisical/frontend:${{ steps.commit.outputs.short }}, 
-                infisical/frontend:latest
+          tags: |
+            infisical/frontend:${{ steps.commit.outputs.short }}
+            infisical/frontend:latest
+            infisical/frontend:${{ steps.extract_version.outputs.version }}
           platforms: linux/amd64,linux/arm64
           build-args: |
             POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
@@ -122,7 +139,7 @@ jobs:
           token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
       - name: Save DigitalOcean kubeconfig with short-lived credentials
         run: doctl kubernetes cluster kubeconfig save --expiry-seconds 600 k8s-1-25-4-do-0-nyc1-1670645170179
-      - name: switch to gamma namespace 
+      - name: switch to gamma namespace
         run: kubectl config set-context --current --namespace=gamma
       - name: test kubectl
         run: kubectl get ingress
@@ -135,4 +152,4 @@ jobs:
             exit 1
           else
             echo "Helm upgrade was successful"
-          fi
+          fi

.github/workflows/release-standalone-docker-img.yml

@@ -0,0 +1,68 @@
+name: Release standalone docker image
+on: [workflow_dispatch]
+
+jobs:
+  infisical-standalone:
+    name: Build infisical standalone image
+    runs-on: ubuntu-latest
+    steps:
+      - name: ☁️ Checkout source
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: 📦 Install dependencies to test all dependencies
+        run: npm ci --only-production
+        working-directory: backend
+      - uses: paulhatch/semantic-version@v5.0.2
+        id: version
+        with:
+          # The prefix to use to identify tags
+          tag_prefix: "infisical-standalone/v"
+          # A string which, if present in a git commit, indicates that a change represents a
+          # major (breaking) change, supports regular expressions wrapped with '/'
+          major_pattern: "(MAJOR)"
+          # Same as above except indicating a minor change, supports regular expressions wrapped with '/'
+          minor_pattern: "(MINOR)"
+          # A string to determine the format of the version output
+          version_format: "${major}.${minor}.${patch}-prerelease${increment}"
+          # Optional path to check for changes. If any changes are detected in the path the
+          # 'changed' output will true. Enter multiple paths separated by spaces.
+          change_path: "backend,frontend"
+          # Prevents pre-v1.0.0 version from automatically incrementing the major version.
+          # If enabled, when the major version is 0, major releases will be treated as minor and minor as patch. Note that the version_type output is unchanged.
+          enable_prerelease_mode: true
+      # - name: 🧪 Run tests
+      #   run: npm run test:ci
+      #   working-directory: backend
+      - name: version output
+        run: |
+          echo "Output Value: ${{ steps.version.outputs.major }}"
+          echo "Output Value: ${{ steps.version.outputs.minor }}"
+          echo "Output Value: ${{ steps.version.outputs.patch }}"
+          echo "Output Value: ${{ steps.version.outputs.version }}"
+          echo "Output Value: ${{ steps.version.outputs.version_type }}"
+          echo "Output Value: ${{ steps.version.outputs.increment }}"
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Set up Depot CLI
+        uses: depot/setup-action@v1
+      - name: 📦 Build backend and export to Docker
+        uses: depot/build-push-action@v1
+        with:
+          project: 64mmf0n610
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          push: true
+          context: .
+          tags: |
+            infisical/infisical:latest
+            infisical/infisical:${{ steps.commit.outputs.short }}
+          platforms: linux/amd64,linux/arm64
+          file: Dockerfile.standalone-infisical

.github/workflows/release_build.yml

@@ -4,7 +4,7 @@ on:
   push:
     # run only against tags
     tags:
-      - "v*"
+      - "infisical-cli/v*.*.*"
 
 permissions:
   contents: write
@@ -41,13 +41,15 @@ jobs:
           git clone https://github.com/plentico/osxcross-target.git ../../osxcross/target
       - uses: goreleaser/goreleaser-action@v4
         with:
-          distribution: goreleaser
+          distribution: goreleaser-pro
           version: latest
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
+          POSTHOG_API_KEY_FOR_CLI: ${{ secrets.POSTHOG_API_KEY_FOR_CLI }}
           FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}
           AUR_KEY: ${{ secrets.AUR_KEY }}
+          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
       - uses: actions/setup-python@v4
       - run: pip install --upgrade cloudsmith-cli
       - name: Publish to CloudSmith

.goreleaser.yaml

@@ -11,10 +11,16 @@ before:
     - ./cli/scripts/completions.sh
     - ./cli/scripts/manpages.sh
 
+monorepo:
+  tag_prefix: infisical-cli/
+  dir: cli
+
 builds:
   - id: darwin-build
     binary: infisical
-    ldflags: -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
+    ldflags:
+      - -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
+      - -X github.com/Infisical/infisical-merge/packages/telemetry.POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
     flags:
       - -trimpath
     env:
@@ -32,7 +38,9 @@ builds:
     env:
       - CGO_ENABLED=0
     binary: infisical
-    ldflags: -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
+    ldflags:
+      - -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
+      - -X github.com/Infisical/infisical-merge/packages/telemetry.POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
     flags:
       - -trimpath
     goos:
@@ -61,10 +69,10 @@ archives:
       - goos: windows
         format: zip
     files:
-      - README*
-      - LICENSE*
-      - manpages/*
-      - completions/*
+      - ../README*
+      - ../LICENSE*
+      - ../manpages/*
+      - ../completions/*
 
 release:
   replace_existing_draft: true
@@ -74,14 +82,7 @@ checksum:
   name_template: "checksums.txt"
 
 snapshot:
-  name_template: "{{ incpatch .Version }}-devel"
-
-changelog:
-  sort: asc
-  filters:
-    exclude:
-      - "^docs:"
-      - "^test:"
+  name_template: "{{ .Version }}-devel"
 
 # publishers:
 #   - name: fury.io
@@ -164,7 +165,7 @@ aurs:
       mkdir -p "${pkgdir}/usr/share/zsh/site-functions/"
       mkdir -p "${pkgdir}/usr/share/fish/vendor_completions.d/"
       install -Dm644 "./completions/infisical.bash" "${pkgdir}/usr/share/bash-completion/completions/infisical"
-      install -Dm644 "./completions/infisical.zsh" "${pkgdir}/usr/share/zsh/site-functions/infisical"
+      install -Dm644 "./completions/infisical.zsh" "${pkgdir}/usr/share/zsh/site-functions/_infisical"
       install -Dm644 "./completions/infisical.fish" "${pkgdir}/usr/share/fish/vendor_completions.d/infisical.fish"
       # man pages
       install -Dm644 "./manpages/infisical.1.gz" "${pkgdir}/usr/share/man/man1/infisical.1.gz"

.husky/pre-commit

@@ -3,3 +3,5 @@
 . "$(dirname -- "$0")/_/husky.sh"
 
 npx lint-staged
+
+infisical scan git-changes --staged -v

.infisicalignore

@@ -0,0 +1 @@
+.github/resources/docker-compose.be-test.yml:generic-api-key:16

Dockerfile.standalone-infisical

@@ -0,0 +1,102 @@
+ARG POSTHOG_HOST=https://app.posthog.com
+ARG POSTHOG_API_KEY=posthog-api-key
+
+FROM node:16-alpine AS frontend-dependencies
+
+WORKDIR /app
+
+COPY frontend/package.json frontend/package-lock.json frontend/next.config.js ./
+
+# Install dependencies
+RUN npm ci --only-production --ignore-scripts
+
+# Rebuild the source code only when needed
+FROM node:16-alpine AS frontend-builder
+WORKDIR /app
+
+# Copy dependencies
+COPY --from=frontend-dependencies /app/node_modules ./node_modules
+# Copy all files 
+COPY /frontend .
+
+ENV NODE_ENV production
+ENV NEXT_PUBLIC_ENV production
+ARG POSTHOG_HOST
+ENV NEXT_PUBLIC_POSTHOG_HOST $POSTHOG_HOST
+ARG POSTHOG_API_KEY
+ENV NEXT_PUBLIC_POSTHOG_API_KEY $POSTHOG_API_KEY
+
+# Build
+RUN npm run build
+
+# Production image
+FROM node:16-alpine AS frontend-runner
+WORKDIR /app
+
+RUN addgroup --system --gid 1001 nodejs
+RUN adduser --system --uid 1001 nextjs
+
+RUN mkdir -p /app/.next/cache/images && chown nextjs:nodejs /app/.next/cache/images
+VOLUME /app/.next/cache/images
+
+ARG POSTHOG_API_KEY
+ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
+  BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY
+
+COPY --chown=nextjs:nodejs --chmod=555 frontend/scripts ./scripts
+COPY --from=frontend-builder /app/public ./public
+RUN chown nextjs:nodejs ./public/data
+COPY --from=frontend-builder --chown=nextjs:nodejs /app/.next/standalone ./
+COPY --from=frontend-builder --chown=nextjs:nodejs /app/.next/static ./.next/static
+
+USER nextjs
+
+ENV NEXT_TELEMETRY_DISABLED 1
+
+##
+## BACKEND
+##
+FROM node:16-alpine AS backend-build
+
+WORKDIR /app
+
+COPY backend/package*.json ./
+RUN npm ci --only-production
+
+COPY /backend .
+RUN npm run build
+
+# Production stage
+FROM node:16-alpine AS backend-runner
+
+WORKDIR /app
+
+COPY backend/package*.json ./
+RUN npm ci --only-production
+
+COPY --from=backend-build /app .
+
+# Production stage
+FROM node:16-alpine AS production
+
+WORKDIR / 
+
+# Install PM2
+RUN npm install -g pm2
+# Copy ecosystem.config.js
+COPY ecosystem.config.js .
+
+RUN apk add --no-cache nginx
+
+COPY nginx/default-stand-alone-docker.conf /etc/nginx/nginx.conf
+
+COPY --from=backend-runner /app /backend
+
+COPY --from=frontend-runner /app/ /app/
+
+EXPOSE 80
+ENV HTTPS_ENABLED false 
+
+CMD ["pm2-runtime", "start", "ecosystem.config.js"]
+
+

SECURITY.md

@@ -1,9 +1,13 @@
 # Security Policy
 
-## Supported Versions
+## Supported versions
 
 We always recommend using the latest version of Infisical to ensure you get all security updates.
 
-## Reporting a Vulnerability
+## Reporting vulnerabilities
 
-Please report security vulnerabilities or concerns to team@infisical.com.
+Please do not file GitHub issues or post on our public forum for security vulnerabilities, as they are public!
+
+Infisical takes security issues very seriously. If you have any concerns about Infisical or believe you have uncovered a vulnerability, please get in touch via the e-mail address security@infisical.com. In the message, try to provide a description of the issue and ideally a way of reproducing it. The security team will get back to you as soon as possible.
+
+Note that this security address should be used only for undisclosed vulnerabilities. Please report any security problems to us before disclosing it publicly.

backend/Dockerfile

@@ -1,18 +1,27 @@
-FROM node:16-bullseye-slim
+# Build stage
+FROM node:16-alpine AS build
 
 WORKDIR /app
 
-COPY package.json package-lock.json ./
-
-# RUN npm ci --only-production --ignore-scripts
-# "prepare": "cd .. && npm install"
-
+COPY package*.json ./
 RUN npm ci --only-production
 
 COPY . .
+RUN npm run build
+
+# Production stage
+FROM node:16-alpine
+
+WORKDIR /app
+
+COPY package*.json ./
+RUN npm ci --only-production
+
+COPY --from=build /app .
 
 HEALTHCHECK --interval=10s --timeout=3s --start-period=10s \  
   CMD node healthcheck.js
 
+EXPOSE 4000
 
-CMD ["npm", "run", "start"]
+CMD ["npm", "run", "start"]

backend/__tests__/healthcheck.test.ts

@@ -1,19 +0,0 @@
-import { server } from '../src/app';
-import { describe, expect, it, beforeAll, afterAll } from '@jest/globals';
-import supertest from 'supertest';
-import { setUpHealthEndpoint } from '../src/services/health';
-
-const requestWithSupertest = supertest(server);
-describe('Healthcheck endpoint', () => {
-  beforeAll(async () => {
-    setUpHealthEndpoint(server);
-  });
-  afterAll(async () => {
-    server.close();
-  });
-
-  it('GET /healthcheck should return OK', async () => {
-    const res = await requestWithSupertest.get('/healthcheck');
-    expect(res.status).toEqual(200);
-  });
-});

backend/environment.d.ts

@@ -4,7 +4,6 @@ declare global {
   namespace NodeJS {
     interface ProcessEnv {
       PORT: string;
-      EMAIL_TOKEN_LIFETIME: string;
       ENCRYPTION_KEY: string;
       SALT_ROUNDS: string;
       JWT_AUTH_LIFETIME: string;
@@ -22,10 +21,12 @@ declare global {
       CLIENT_ID_VERCEL: string;
       CLIENT_ID_NETLIFY: string;
       CLIENT_ID_GITHUB: string;
+      CLIENT_ID_GITLAB: string;
       CLIENT_SECRET_HEROKU: string;
       CLIENT_SECRET_VERCEL: string;
       CLIENT_SECRET_NETLIFY: string;
       CLIENT_SECRET_GITHUB: string;
+      CLIENT_SECRET_GITLAB: string;
       CLIENT_SLUG_VERCEL: string;
 			POSTHOG_HOST: string;
 			POSTHOG_PROJECT_API_KEY: string;

backend/jest.config.ts

@@ -0,0 +1,9 @@
+export default {
+  preset: 'ts-jest',
+  testEnvironment: 'node',
+  collectCoverageFrom: ['src/*.{js,ts}', '!**/node_modules/**'],
+  modulePaths: ['<rootDir>/src'],
+  testMatch: ['<rootDir>/tests/**/*.test.ts'],
+  setupFiles: ['<rootDir>/test-resources/env-vars.js'],
+  setupFilesAfterEnv: ['<rootDir>/tests/setupTests.ts']
+};

backend/package.json

@@ -1,17 +1,19 @@
 {
   "dependencies": {
-    "@aws-sdk/client-secrets-manager": "^3.267.0",
-    "@godaddy/terminus": "^4.11.2",
+    "@aws-sdk/client-secrets-manager": "^3.319.0",
+    "@godaddy/terminus": "^4.12.0",
     "@octokit/rest": "^19.0.5",
-    "@sentry/node": "^7.14.0",
-    "@sentry/tracing": "^7.19.0",
+    "@sentry/node": "^7.49.0",
+    "@sentry/tracing": "^7.48.0",
     "@types/crypto-js": "^4.1.1",
     "@types/libsodium-wrappers": "^0.7.10",
+    "argon2": "^0.30.3",
     "await-to-js": "^3.0.0",
-    "aws-sdk": "^2.1311.0",
-    "axios": "^1.1.3",
+    "aws-sdk": "^2.1364.0",
+    "axios": "^1.3.5",
+    "axios-retry": "^3.4.0",
     "bcrypt": "^5.1.0",
-    "bigint-conversion": "^2.2.2",
+    "bigint-conversion": "^2.4.0",
     "builder-pattern": "^2.2.0",
     "cookie-parser": "^1.4.6",
     "cors": "^2.8.5",
@@ -22,20 +24,26 @@
     "express-validator": "^6.14.2",
     "handlebars": "^4.7.7",
     "helmet": "^5.1.1",
+    "infisical-node": "^1.2.1",
     "js-yaml": "^4.1.0",
     "jsonwebtoken": "^9.0.0",
     "jsrp": "^0.2.4",
     "libsodium-wrappers": "^0.7.10",
     "lodash": "^4.17.21",
-    "mongoose": "^6.7.2",
+    "mongoose": "^6.10.5",
+    "node-cache": "^5.1.2",
+    "nanoid": "^3.3.6",
     "nodemailer": "^6.8.0",
-    "posthog-node": "^2.2.2",
+    "passport": "^0.6.0",
+    "passport-google-oauth20": "^2.0.0",
+    "posthog-node": "^2.6.0",
     "query-string": "^7.1.3",
+    "rate-limit-mongo": "^2.3.2",
     "request-ip": "^3.3.0",
     "rimraf": "^3.0.2",
     "stripe": "^10.7.0",
     "swagger-autogen": "^2.22.0",
-    "swagger-ui-express": "^4.6.0",
+    "swagger-ui-express": "^4.6.2",
     "tweetnacl": "^1.0.3",
     "tweetnacl-util": "^0.15.1",
     "typescript": "^4.9.3",
@@ -47,7 +55,7 @@
   "version": "1.0.0",
   "main": "src/index.js",
   "scripts": {
-    "start": "npm run build && node build/index.js",
+    "start": "node build/index.js",
     "dev": "nodemon",
     "swagger-autogen": "node ./swagger/index.ts",
     "build": "rimraf ./build && tsc && cp -R ./src/templates ./build",
@@ -55,7 +63,7 @@
     "lint-and-fix": "eslint . --ext .ts --fix",
     "lint-staged": "lint-staged",
     "pretest": "docker compose -f test-resources/docker-compose.test.yml up -d",
-    "test": "cross-env NODE_ENV=test jest --testTimeout=10000 --detectOpenHandles",
+    "test": "cross-env NODE_ENV=test jest --verbose --testTimeout=10000 --detectOpenHandles; npm run posttest",
     "test:ci": "npm test -- --watchAll=false --ci --reporters=default --reporters=jest-junit --reporters=github-actions --coverage --testLocationInResults --json --outputFile=coverage/report.json",
     "posttest": "docker compose -f test-resources/docker-compose.test.yml down"
   },
@@ -78,15 +86,16 @@
     "@types/cookie-parser": "^1.4.3",
     "@types/cors": "^2.8.12",
     "@types/express": "^4.17.14",
-    "@types/jest": "^29.2.4",
+    "@types/jest": "^29.5.0",
     "@types/jsonwebtoken": "^8.5.9",
     "@types/lodash": "^4.14.191",
     "@types/node": "^18.11.3",
     "@types/nodemailer": "^6.4.6",
+    "@types/passport": "^1.0.12",
     "@types/supertest": "^2.0.12",
     "@types/swagger-jsdoc": "^6.0.1",
     "@types/swagger-ui-express": "^4.1.3",
-    "@typescript-eslint/eslint-plugin": "^5.40.1",
+    "@typescript-eslint/eslint-plugin": "^5.54.0",
     "@typescript-eslint/parser": "^5.40.1",
     "cross-env": "^7.0.3",
     "eslint": "^8.26.0",
@@ -99,17 +108,6 @@
     "ts-jest": "^29.0.3",
     "ts-node": "^10.9.1"
   },
-  "jest": {
-    "preset": "ts-jest",
-    "testEnvironment": "node",
-    "collectCoverageFrom": [
-      "src/*.{js,ts}",
-      "!**/node_modules/**"
-    ],
-    "setupFiles": [
-      "<rootDir>/test-resources/env-vars.js"
-    ]
-  },
   "jest-junit": {
     "outputDirectory": "reports",
     "outputName": "jest-junit.xml",

backend/src/app.ts

@@ -1,144 +0,0 @@
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const { patchRouterParam } = require('./utils/patchAsyncRoutes');
-
-import express from 'express';
-import helmet from 'helmet';
-import cors from 'cors';
-import cookieParser from 'cookie-parser';
-import dotenv from 'dotenv';
-import swaggerUi = require('swagger-ui-express');
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const swaggerFile = require('../spec.json');
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const requestIp = require('request-ip');
-
-dotenv.config();
-import { PORT, NODE_ENV, SITE_URL } from './config';
-import { apiLimiter } from './helpers/rateLimiter';
-
-import {
-  workspace as eeWorkspaceRouter,
-  secret as eeSecretRouter,
-  secretSnapshot as eeSecretSnapshotRouter,
-  action as eeActionRouter
-} from './ee/routes/v1';
-import {
-  signup as v1SignupRouter,
-  auth as v1AuthRouter,
-  bot as v1BotRouter,
-  organization as v1OrganizationRouter,
-  workspace as v1WorkspaceRouter,
-  membershipOrg as v1MembershipOrgRouter,
-  membership as v1MembershipRouter,
-  key as v1KeyRouter,
-  inviteOrg as v1InviteOrgRouter,
-  user as v1UserRouter,
-  userAction as v1UserActionRouter,
-  secret as v1SecretRouter,
-  serviceToken as v1ServiceTokenRouter,
-  password as v1PasswordRouter,
-  stripe as v1StripeRouter,
-  integration as v1IntegrationRouter,
-  integrationAuth as v1IntegrationAuthRouter
-} from './routes/v1';
-import {
-  signup as v2SignupRouter,
-  auth as v2AuthRouter,
-  users as v2UsersRouter,
-  organizations as v2OrganizationsRouter,
-  workspace as v2WorkspaceRouter,
-  secret as v2SecretRouter, // begin to phase out
-  secrets as v2SecretsRouter,
-  serviceTokenData as v2ServiceTokenDataRouter,
-  apiKeyData as v2APIKeyDataRouter,
-  environment as v2EnvironmentRouter,
-  tags as v2TagsRouter,
-} from './routes/v2';
-
-import { healthCheck } from './routes/status';
-
-import { getLogger } from './utils/logger';
-import { RouteNotFoundError } from './utils/errors';
-import { requestErrorHandler } from './middleware/requestErrorHandler';
-
-// patch async route params to handle Promise Rejections
-patchRouterParam();
-
-export const app = express();
-
-app.enable('trust proxy');
-app.use(express.json());
-app.use(cookieParser());
-app.use(
-  cors({
-    credentials: true,
-    origin: SITE_URL
-  })
-);
-
-app.use(requestIp.mw())
-
-if (NODE_ENV === 'production') {
-  // enable app-wide rate-limiting + helmet security
-  // in production
-  app.disable('x-powered-by');
-  app.use(apiLimiter);
-  app.use(helmet());
-}
-
-// (EE) routes
-app.use('/api/v1/secret', eeSecretRouter);
-app.use('/api/v1/secret-snapshot', eeSecretSnapshotRouter);
-app.use('/api/v1/workspace', eeWorkspaceRouter);
-app.use('/api/v1/action', eeActionRouter);
-
-// v1 routes
-app.use('/api/v1/signup', v1SignupRouter);
-app.use('/api/v1/auth', v1AuthRouter);
-app.use('/api/v1/bot', v1BotRouter);
-app.use('/api/v1/user', v1UserRouter);
-app.use('/api/v1/user-action', v1UserActionRouter);
-app.use('/api/v1/organization', v1OrganizationRouter);
-app.use('/api/v1/workspace', v1WorkspaceRouter);
-app.use('/api/v1/membership-org', v1MembershipOrgRouter);
-app.use('/api/v1/membership', v1MembershipRouter);
-app.use('/api/v1/key', v1KeyRouter);
-app.use('/api/v1/invite-org', v1InviteOrgRouter);
-app.use('/api/v1/secret', v1SecretRouter);
-app.use('/api/v1/service-token', v1ServiceTokenRouter); // deprecated
-app.use('/api/v1/password', v1PasswordRouter);
-app.use('/api/v1/stripe', v1StripeRouter);
-app.use('/api/v1/integration', v1IntegrationRouter);
-app.use('/api/v1/integration-auth', v1IntegrationAuthRouter);
-
-// v2 routes
-app.use('/api/v2/signup', v2SignupRouter);
-app.use('/api/v2/auth', v2AuthRouter);
-app.use('/api/v2/users', v2UsersRouter);
-app.use('/api/v2/organizations', v2OrganizationsRouter);
-app.use('/api/v2/workspace', v2EnvironmentRouter);
-app.use('/api/v2/workspace', v2TagsRouter);
-app.use('/api/v2/workspace', v2WorkspaceRouter);
-app.use('/api/v2/secret', v2SecretRouter); // deprecated
-app.use('/api/v2/secrets', v2SecretsRouter);
-app.use('/api/v2/service-token', v2ServiceTokenDataRouter); // TODO: turn into plural route
-app.use('/api/v2/api-key', v2APIKeyDataRouter);
-
-// api docs 
-app.use('/api-docs', swaggerUi.serve, swaggerUi.setup(swaggerFile))
-
-// Server status
-app.use('/api', healthCheck)
-
-//* Handle unrouted requests and respond with proper error message as well as status code
-app.use((req, res, next) => {
-  if (res.headersSent) return next();
-  next(RouteNotFoundError({ message: `The requested source '(${req.method})${req.url}' was not found` }))
-})
-
-//* Error Handling Middleware (must be after all routing logic)
-app.use(requestErrorHandler)
-
-export const server = app.listen(PORT, () => {
-  getLogger("backend-main").info(`Server started listening at port ${PORT}`)
-});

backend/src/config/index.ts

@@ -1,103 +1,93 @@
-const PORT = process.env.PORT || 4000;
-const EMAIL_TOKEN_LIFETIME = parseInt(process.env.EMAIL_TOKEN_LIFETIME! || '86400');
-const INVITE_ONLY_SIGNUP = process.env.INVITE_ONLY_SIGNUP == undefined ? false : process.env.INVITE_ONLY_SIGNUP
-const ENCRYPTION_KEY = process.env.ENCRYPTION_KEY!;
-const SALT_ROUNDS = parseInt(process.env.SALT_ROUNDS!) || 10;
-const JWT_AUTH_LIFETIME = process.env.JWT_AUTH_LIFETIME! || '10d';
-const JWT_AUTH_SECRET = process.env.JWT_AUTH_SECRET!;
-const JWT_MFA_LIFETIME = process.env.JWT_MFA_LIFETIME! || '5m';
-const JWT_MFA_SECRET = process.env.JWT_MFA_SECRET!;
-const JWT_REFRESH_LIFETIME = process.env.JWT_REFRESH_LIFETIME! || '90d';
-const JWT_REFRESH_SECRET = process.env.JWT_REFRESH_SECRET!;
-const JWT_SERVICE_SECRET = process.env.JWT_SERVICE_SECRET!;
-const JWT_SIGNUP_LIFETIME = process.env.JWT_SIGNUP_LIFETIME! || '15m';
-const JWT_SIGNUP_SECRET = process.env.JWT_SIGNUP_SECRET!;
-const MONGO_URL = process.env.MONGO_URL!;
-const NODE_ENV = process.env.NODE_ENV! || 'production';
-const VERBOSE_ERROR_OUTPUT = process.env.VERBOSE_ERROR_OUTPUT! === 'true' && true;
-const LOKI_HOST = process.env.LOKI_HOST || undefined;
-const CLIENT_ID_AZURE = process.env.CLIENT_ID_AZURE!;
-const TENANT_ID_AZURE = process.env.TENANT_ID_AZURE!;
-const CLIENT_ID_HEROKU = process.env.CLIENT_ID_HEROKU!;
-const CLIENT_ID_VERCEL = process.env.CLIENT_ID_VERCEL!;
-const CLIENT_ID_NETLIFY = process.env.CLIENT_ID_NETLIFY!;
-const CLIENT_ID_GITHUB = process.env.CLIENT_ID_GITHUB!;
-const CLIENT_SECRET_AZURE = process.env.CLIENT_SECRET_AZURE!;
-const CLIENT_SECRET_HEROKU = process.env.CLIENT_SECRET_HEROKU!;
-const CLIENT_SECRET_VERCEL = process.env.CLIENT_SECRET_VERCEL!;
-const CLIENT_SECRET_NETLIFY = process.env.CLIENT_SECRET_NETLIFY!;
-const CLIENT_SECRET_GITHUB = process.env.CLIENT_SECRET_GITHUB!;
-const CLIENT_SLUG_VERCEL = process.env.CLIENT_SLUG_VERCEL!;
-const POSTHOG_HOST = process.env.POSTHOG_HOST! || 'https://app.posthog.com';
-const POSTHOG_PROJECT_API_KEY =
-  process.env.POSTHOG_PROJECT_API_KEY! ||
-  'phc_nSin8j5q2zdhpFDI1ETmFNUIuTG4DwKVyIigrY10XiE';
-const SENTRY_DSN = process.env.SENTRY_DSN!;
-const SITE_URL = process.env.SITE_URL!;
-const SMTP_HOST = process.env.SMTP_HOST!;
-const SMTP_SECURE = process.env.SMTP_SECURE! === 'true' || false;
-const SMTP_PORT = parseInt(process.env.SMTP_PORT!) || 587;
-const SMTP_USERNAME = process.env.SMTP_USERNAME!;
-const SMTP_PASSWORD = process.env.SMTP_PASSWORD!;
-const SMTP_FROM_ADDRESS = process.env.SMTP_FROM_ADDRESS!;
-const SMTP_FROM_NAME = process.env.SMTP_FROM_NAME! || 'Infisical';
-const STRIPE_PRODUCT_STARTER = process.env.STRIPE_PRODUCT_STARTER!;
-const STRIPE_PRODUCT_PRO = process.env.STRIPE_PRODUCT_PRO!;
-const STRIPE_PRODUCT_TEAM = process.env.STRIPE_PRODUCT_TEAM!;
-const STRIPE_PUBLISHABLE_KEY = process.env.STRIPE_PUBLISHABLE_KEY!;
-const STRIPE_SECRET_KEY = process.env.STRIPE_SECRET_KEY!;
-const STRIPE_WEBHOOK_SECRET = process.env.STRIPE_WEBHOOK_SECRET!;
-const TELEMETRY_ENABLED = process.env.TELEMETRY_ENABLED! !== 'false' && true;
-const LICENSE_KEY = process.env.LICENSE_KEY!;
+import InfisicalClient from 'infisical-node';
 
-export {
-  PORT,
-  EMAIL_TOKEN_LIFETIME,
-  INVITE_ONLY_SIGNUP,
-  ENCRYPTION_KEY,
-  SALT_ROUNDS,
-  JWT_AUTH_LIFETIME,
-  JWT_AUTH_SECRET,
-  JWT_MFA_LIFETIME,
-  JWT_MFA_SECRET,
-  JWT_REFRESH_LIFETIME,
-  JWT_REFRESH_SECRET,
-  JWT_SERVICE_SECRET,
-  JWT_SIGNUP_LIFETIME,
-  JWT_SIGNUP_SECRET,
-  MONGO_URL,
-  NODE_ENV,
-  VERBOSE_ERROR_OUTPUT,
-  LOKI_HOST,
-  CLIENT_ID_AZURE,
-  TENANT_ID_AZURE,
-  CLIENT_ID_HEROKU,
-  CLIENT_ID_VERCEL,
-  CLIENT_ID_NETLIFY,
-  CLIENT_ID_GITHUB,
-  CLIENT_SECRET_AZURE,
-  CLIENT_SECRET_HEROKU,
-  CLIENT_SECRET_VERCEL,
-  CLIENT_SECRET_NETLIFY,
-  CLIENT_SECRET_GITHUB,
-  CLIENT_SLUG_VERCEL,
-  POSTHOG_HOST,
-  POSTHOG_PROJECT_API_KEY,
-  SENTRY_DSN,
-  SITE_URL,
-  SMTP_HOST,
-  SMTP_PORT,
-  SMTP_SECURE,
-  SMTP_USERNAME,
-  SMTP_PASSWORD,
-  SMTP_FROM_ADDRESS,
-  SMTP_FROM_NAME,
-  STRIPE_PRODUCT_STARTER,
-  STRIPE_PRODUCT_TEAM,
-  STRIPE_PRODUCT_PRO,
-  STRIPE_PUBLISHABLE_KEY,
-  STRIPE_SECRET_KEY,
-  STRIPE_WEBHOOK_SECRET,
-  TELEMETRY_ENABLED,
-  LICENSE_KEY
-};
+export const client = new InfisicalClient({
+  token: process.env.INFISICAL_TOKEN!
+});
+
+export const getPort = async () => (await client.getSecret('PORT')).secretValue || 4000;
+export const getEncryptionKey = async () => {
+  const secretValue = (await client.getSecret('ENCRYPTION_KEY')).secretValue;
+  return secretValue === '' ? undefined : secretValue;
+}
+export const getRootEncryptionKey = async () => {
+  const secretValue = (await client.getSecret('ROOT_ENCRYPTION_KEY')).secretValue; 
+  return secretValue === '' ? undefined : secretValue;
+}
+export const getInviteOnlySignup = async () => (await client.getSecret('INVITE_ONLY_SIGNUP')).secretValue === 'true'
+export const getSaltRounds = async () => parseInt((await client.getSecret('SALT_ROUNDS')).secretValue) || 10;
+export const getJwtAuthLifetime = async () => (await client.getSecret('JWT_AUTH_LIFETIME')).secretValue || '10d';
+export const getJwtAuthSecret = async () => (await client.getSecret('JWT_AUTH_SECRET')).secretValue;
+export const getJwtMfaLifetime = async () => (await client.getSecret('JWT_MFA_LIFETIME')).secretValue || '5m';
+export const getJwtMfaSecret = async () => (await client.getSecret('JWT_MFA_LIFETIME')).secretValue || '5m';
+export const getJwtRefreshLifetime = async () => (await client.getSecret('JWT_REFRESH_LIFETIME')).secretValue || '90d';
+export const getJwtRefreshSecret = async () => (await client.getSecret('JWT_REFRESH_SECRET')).secretValue;
+export const getJwtServiceSecret = async () => (await client.getSecret('JWT_SERVICE_SECRET')).secretValue;
+export const getJwtSignupLifetime = async () => (await client.getSecret('JWT_SIGNUP_LIFETIME')).secretValue || '15m';
+export const getJwtProviderAuthSecret = async () => (await client.getSecret('JWT_PROVIDER_AUTH_SECRET')).secretValue;
+export const getJwtProviderAuthLifetime = async () => (await client.getSecret('JWT_PROVIDER_AUTH_LIFETIME')).secretValue || '15m';
+export const getJwtSignupSecret = async () => (await client.getSecret('JWT_SIGNUP_SECRET')).secretValue;
+export const getMongoURL = async () => (await client.getSecret('MONGO_URL')).secretValue;
+export const getNodeEnv = async () => (await client.getSecret('NODE_ENV')).secretValue || 'production';
+export const getVerboseErrorOutput = async () => (await client.getSecret('VERBOSE_ERROR_OUTPUT')).secretValue === 'true' && true;
+export const getLokiHost = async () => (await client.getSecret('LOKI_HOST')).secretValue;
+export const getClientIdAzure = async () => (await client.getSecret('CLIENT_ID_AZURE')).secretValue;
+export const getClientIdHeroku = async () => (await client.getSecret('CLIENT_ID_HEROKU')).secretValue;
+export const getClientIdVercel = async () => (await client.getSecret('CLIENT_ID_VERCEL')).secretValue;
+export const getClientIdNetlify = async () => (await client.getSecret('CLIENT_ID_NETLIFY')).secretValue;
+export const getClientIdGitHub = async () => (await client.getSecret('CLIENT_ID_GITHUB')).secretValue;
+export const getClientIdGitLab = async () => (await client.getSecret('CLIENT_ID_GITLAB')).secretValue;
+export const getClientIdGoogle = async () => (await client.getSecret('CLIENT_ID_GOOGLE')).secretValue;
+export const getClientSecretAzure = async () => (await client.getSecret('CLIENT_SECRET_AZURE')).secretValue;
+export const getClientSecretHeroku = async () => (await client.getSecret('CLIENT_SECRET_HEROKU')).secretValue;
+export const getClientSecretVercel = async () => (await client.getSecret('CLIENT_SECRET_VERCEL')).secretValue;
+export const getClientSecretNetlify = async () => (await client.getSecret('CLIENT_SECRET_NETLIFY')).secretValue;
+export const getClientSecretGitHub = async () => (await client.getSecret('CLIENT_SECRET_GITHUB')).secretValue;
+export const getClientSecretGitLab = async () => (await client.getSecret('CLIENT_SECRET_GITLAB')).secretValue;
+export const getClientSecretGoogle = async () => (await client.getSecret('CLIENT_SECRET_GOOGLE')).secretValue;
+export const getClientSlugVercel = async () => (await client.getSecret('CLIENT_SLUG_VERCEL')).secretValue;
+export const getPostHogHost = async () => (await client.getSecret('POSTHOG_HOST')).secretValue || 'https://app.posthog.com';
+export const getPostHogProjectApiKey = async () => (await client.getSecret('POSTHOG_PROJECT_API_KEY')).secretValue || 'phc_nSin8j5q2zdhpFDI1ETmFNUIuTG4DwKVyIigrY10XiE';
+export const getSentryDSN = async () => (await client.getSecret('SENTRY_DSN')).secretValue;
+export const getSiteURL = async () => (await client.getSecret('SITE_URL')).secretValue;
+export const getSmtpHost = async () => (await client.getSecret('SMTP_HOST')).secretValue;
+export const getSmtpSecure = async () => (await client.getSecret('SMTP_SECURE')).secretValue === 'true' || false;
+export const getSmtpPort = async () => parseInt((await client.getSecret('SMTP_PORT')).secretValue) || 587;
+export const getSmtpUsername = async () => (await client.getSecret('SMTP_USERNAME')).secretValue;
+export const getSmtpPassword = async () => (await client.getSecret('SMTP_PASSWORD')).secretValue;
+export const getSmtpFromAddress = async () => (await client.getSecret('SMTP_FROM_ADDRESS')).secretValue;
+export const getSmtpFromName = async () => (await client.getSecret('SMTP_FROM_NAME')).secretValue || 'Infisical';
+
+export const getLicenseKey = async () => {
+  const secretValue = (await client.getSecret('LICENSE_KEY')).secretValue;
+  return secretValue === '' ? undefined : secretValue;
+}
+export const getLicenseServerKey = async () => {
+  const secretValue = (await client.getSecret('LICENSE_SERVER_KEY')).secretValue;
+  return secretValue === '' ? undefined : secretValue;
+}
+export const getLicenseServerUrl = async () => (await client.getSecret('LICENSE_SERVER_URL')).secretValue || 'https://portal.infisical.com';
+
+// TODO: deprecate from here
+export const getStripeProductStarter = async () => (await client.getSecret('STRIPE_PRODUCT_STARTER')).secretValue;
+export const getStripeProductPro = async () => (await client.getSecret('STRIPE_PRODUCT_PRO')).secretValue;
+export const getStripeProductTeam = async () => (await client.getSecret('STRIPE_PRODUCT_TEAM')).secretValue;
+export const getStripePublishableKey = async () => (await client.getSecret('STRIPE_PUBLISHABLE_KEY')).secretValue;
+export const getStripeSecretKey = async () => (await client.getSecret('STRIPE_SECRET_KEY')).secretValue;
+export const getStripeWebhookSecret = async () => (await client.getSecret('STRIPE_WEBHOOK_SECRET')).secretValue;
+
+export const getTelemetryEnabled = async () => (await client.getSecret('TELEMETRY_ENABLED')).secretValue !== 'false' && true;
+export const getLoopsApiKey = async () => (await client.getSecret('LOOPS_API_KEY')).secretValue;
+export const getSmtpConfigured = async () => (await client.getSecret('SMTP_HOST')).secretValue == '' || (await client.getSecret('SMTP_HOST')).secretValue == undefined ? false : true
+export const getHttpsEnabled = async () => {
+  if ((await getNodeEnv()) != "production") {
+    // no https for anything other than prod
+    return false
+  }
+
+  if ((await client.getSecret('HTTPS_ENABLED')).secretValue == undefined || (await client.getSecret('HTTPS_ENABLED')).secretValue == "") {
+    // default when no value present
+    return true
+  }
+
+  return (await client.getSecret('HTTPS_ENABLED')).secretValue === 'true' && true
+}

backend/src/config/request.ts

@@ -0,0 +1,124 @@
+import axios from 'axios';
+import axiosRetry from 'axios-retry';
+import {
+  getLicenseServerKeyAuthToken,
+  setLicenseServerKeyAuthToken,
+  getLicenseKeyAuthToken,
+  setLicenseKeyAuthToken
+} from './storage';
+import {
+  getLicenseKey,
+  getLicenseServerKey, 
+  getLicenseServerUrl
+} from './index';
+
+// should have JWT to interact with the license server
+export const licenseServerKeyRequest = axios.create();
+export const licenseKeyRequest = axios.create();
+export const standardRequest = axios.create();
+
+// add retry functionality to the axios instance
+axiosRetry(standardRequest, {
+  retries: 3,
+  retryDelay: axiosRetry.exponentialDelay, // exponential back-off delay between retries
+  retryCondition: (error) => {
+    // only retry if the error is a network error or a 5xx server error
+    return axiosRetry.isNetworkError(error) || axiosRetry.isRetryableError(error);
+  },
+});
+
+export const refreshLicenseServerKeyToken = async () => {
+  const licenseServerKey = await getLicenseServerKey();
+  const licenseServerUrl = await getLicenseServerUrl();
+
+  const { data: { token } } = await standardRequest.post(
+    `${licenseServerUrl}/api/auth/v1/license-server-login`, {},
+    {
+      headers: {
+        'X-API-KEY': licenseServerKey
+      }
+    }
+  );
+
+  setLicenseServerKeyAuthToken(token);
+
+  return token;
+}
+
+export const refreshLicenseKeyToken = async () => {
+  const licenseKey = await getLicenseKey();
+  const licenseServerUrl = await getLicenseServerUrl();
+
+  const { data: { token } } = await standardRequest.post(
+    `${licenseServerUrl}/api/auth/v1/license-login`, {},
+    {
+      headers: {
+        'X-API-KEY': licenseKey
+      }
+    }
+  );
+
+  setLicenseKeyAuthToken(token);
+
+  return token;
+}
+
+licenseServerKeyRequest.interceptors.request.use((config) => {
+  const token = getLicenseServerKeyAuthToken();
+
+  if (token && config.headers) {
+      // eslint-disable-next-line no-param-reassign
+      config.headers.Authorization = `Bearer ${token}`;
+  }
+  return config;
+}, (err) => {
+  return Promise.reject(err);
+});
+
+licenseServerKeyRequest.interceptors.response.use((response) => {
+  return response
+}, async function (err) {
+  const originalRequest = err.config;
+  
+  if (err.response.status === 401 && !originalRequest._retry) {
+    originalRequest._retry = true;
+    
+    // refresh
+    const token = await refreshLicenseServerKeyToken();            
+    
+    axios.defaults.headers.common['Authorization'] = 'Bearer ' + token;
+    return licenseServerKeyRequest(originalRequest);
+  }
+
+  return Promise.reject(err);
+});
+
+licenseKeyRequest.interceptors.request.use((config) => {
+  const token = getLicenseKeyAuthToken();
+
+  if (token && config.headers) {
+      // eslint-disable-next-line no-param-reassign
+      config.headers.Authorization = `Bearer ${token}`;
+  }
+  return config;
+}, (err) => {
+  return Promise.reject(err);
+});
+
+licenseKeyRequest.interceptors.response.use((response) => {
+  return response
+}, async function (err) {
+  const originalRequest = err.config;
+  
+  if (err.response.status === 401 && !originalRequest._retry) {
+    originalRequest._retry = true;
+    
+    // refresh
+    const token = await refreshLicenseKeyToken();            
+    
+    axios.defaults.headers.common['Authorization'] = 'Bearer ' + token;
+    return licenseKeyRequest(originalRequest);
+  }
+
+  return Promise.reject(err);
+});

backend/src/config/storage.ts

@@ -0,0 +1,30 @@
+const MemoryLicenseServerKeyTokenStorage = () => {
+    let authToken: string;
+  
+    return {
+      setToken: (token: string) => {
+        authToken = token;
+      },
+      getToken: () => authToken
+    };
+};
+
+const MemoryLicenseKeyTokenStorage = () => {
+    let authToken: string;
+  
+    return {
+      setToken: (token: string) => {
+        authToken = token;
+      },
+      getToken: () => authToken
+    };
+};
+
+const licenseServerTokenStorage = MemoryLicenseServerKeyTokenStorage();
+const licenseTokenStorage = MemoryLicenseKeyTokenStorage();
+
+export const getLicenseServerKeyAuthToken = licenseServerTokenStorage.getToken;
+export const setLicenseServerKeyAuthToken = licenseServerTokenStorage.setToken;
+
+export const getLicenseKeyAuthToken = licenseTokenStorage.getToken;
+export const setLicenseKeyAuthToken = licenseTokenStorage.setToken;

backend/src/controllers/v1/authController.ts

@@ -1,8 +1,8 @@
-/* eslint-disable @typescript-eslint/no-var-requires */
+import * as Sentry from '@sentry/node';
 import { Request, Response } from 'express';
 import jwt from 'jsonwebtoken';
-import * as Sentry from '@sentry/node';
 import * as bigintConversion from 'bigint-conversion';
+// eslint-disable-next-line @typescript-eslint/no-var-requires
 const jsrp = require('jsrp');
 import { User, LoginSRPDetail } from '../../models';
 import { createToken, issueAuthTokens, clearTokens } from '../../helpers/auth';
@@ -11,15 +11,15 @@ import {
   ACTION_LOGIN,
   ACTION_LOGOUT
 } from '../../variables';
-import {
-  NODE_ENV,
-  JWT_AUTH_LIFETIME,
-  JWT_AUTH_SECRET,
-  JWT_REFRESH_SECRET
-} from '../../config';
 import { BadRequestError } from '../../utils/errors';
 import { EELogService } from '../../ee/services';
 import { getChannelFromUserAgent } from '../../utils/posthog'; // TODO: move this
+import {
+  getJwtRefreshSecret,
+  getJwtAuthLifetime,
+  getJwtAuthSecret,
+  getHttpsEnabled
+} from '../../config';
 
 declare module 'jsonwebtoken' {
   export interface UserIDJwtPayload extends jwt.JwtPayload {
@@ -126,21 +126,21 @@ export const login2 = async (req: Request, res: Response) => {
             httpOnly: true,
             path: '/',
             sameSite: 'strict',
-            secure: NODE_ENV === 'production' ? true : false
+            secure: await getHttpsEnabled()
           });
 
           const loginAction = await EELogService.createAction({
             name: ACTION_LOGIN,
             userId: user._id
           });
-          
+
           loginAction && await EELogService.createLog({
             userId: user._id,
             actions: [loginAction],
             channel: getChannelFromUserAgent(req.headers['user-agent']),
             ipAddress: req.ip
           });
-          
+
           // return (access) token in response
           return res.status(200).send({
             token: tokens.token,
@@ -182,14 +182,14 @@ export const logout = async (req: Request, res: Response) => {
       httpOnly: true,
       path: '/',
       sameSite: 'strict',
-      secure: NODE_ENV === 'production' ? true : false
+      secure: (await getHttpsEnabled()) as boolean
     });
 
     const logoutAction = await EELogService.createAction({
       name: ACTION_LOGOUT,
       userId: req.user._id
     });
-    
+
     logoutAction && await EELogService.createLog({
       userId: req.user._id,
       actions: [logoutAction],
@@ -237,7 +237,7 @@ export const getNewToken = async (req: Request, res: Response) => {
     }
 
     const decodedToken = <jwt.UserIDJwtPayload>(
-      jwt.verify(refreshToken, JWT_REFRESH_SECRET)
+      jwt.verify(refreshToken, await getJwtRefreshSecret())
     );
 
     const user = await User.findOne({
@@ -252,8 +252,8 @@ export const getNewToken = async (req: Request, res: Response) => {
       payload: {
         userId: decodedToken.userId
       },
-      expiresIn: JWT_AUTH_LIFETIME,
-      secret: JWT_AUTH_SECRET
+      expiresIn: await getJwtAuthLifetime(),
+      secret: await getJwtAuthSecret()
     });
 
     return res.status(200).send({
@@ -267,3 +267,7 @@ export const getNewToken = async (req: Request, res: Response) => {
     });
   }
 };
+
+export const handleAuthProviderCallback = (req: Request, res: Response) => {
+  res.redirect(`/login/provider/success?token=${encodeURIComponent(req.providerAuthToken)}`);
+}

backend/src/controllers/v1/botController.ts

@@ -1,4 +1,5 @@
 import { Request, Response } from 'express';
+import { Types } from 'mongoose';
 import * as Sentry from '@sentry/node';
 import { Bot, BotKey } from '../../models';
 import { createBot } from '../../helpers/bot';
@@ -29,7 +30,7 @@ export const getBotByWorkspaceId = async (req: Request, res: Response) => {
             // -> create a new bot and return it
             bot = await createBot({
                 name: 'Infisical Bot',
-                workspaceId
+                workspaceId: new Types.ObjectId(workspaceId)
             });
         }
 	} catch (err) {

backend/src/controllers/v1/integrationAuthController.ts

@@ -2,13 +2,21 @@ import { Request, Response } from 'express';
 import { Types } from 'mongoose';
 import * as Sentry from '@sentry/node';
 import {
-	Integration, 
 	IntegrationAuth,
 	Bot 
 } from '../../models';
-import { INTEGRATION_SET, INTEGRATION_OPTIONS } from '../../variables';
+import { ALGORITHM_AES_256_GCM, ENCODING_SCHEME_UTF8, INTEGRATION_SET, getIntegrationOptions as getIntegrationOptionsFunc } from '../../variables';
 import { IntegrationService } from '../../services';
-import { getApps, revokeAccess } from '../../integrations';
+import {
+	getApps, 
+	getTeams,
+	revokeAccess 
+} from '../../integrations';
+import {
+	INTEGRATION_VERCEL_API_URL,
+	INTEGRATION_RAILWAY_API_URL
+} from '../../variables';
+import { standardRequest } from '../../config/request';
 
 /***
  * Return integration authorization with id [integrationAuthId]
@@ -36,9 +44,11 @@ export const getIntegrationAuth = async (req: Request, res: Response) => {
 }
 
 export const getIntegrationOptions = async (req: Request, res: Response) => {
-  return res.status(200).send({
-    integrationOptions: INTEGRATION_OPTIONS,
-  });
+	const INTEGRATION_OPTIONS = await getIntegrationOptionsFunc();
+
+	return res.status(200).send({
+		integrationOptions: INTEGRATION_OPTIONS,
+	});
 };
 
 /**
@@ -119,7 +129,9 @@ export const saveIntegrationAccessToken = async (
             integration
         }, {
             workspace: new Types.ObjectId(workspaceId),
-            integration
+            integration,
+			algorithm: ALGORITHM_AES_256_GCM,
+			keyEncoding: ENCODING_SCHEME_UTF8
 		}, {
             new: true,
             upsert: true
@@ -154,25 +166,235 @@ export const saveIntegrationAccessToken = async (
  * @returns
  */
 export const getIntegrationAuthApps = async (req: Request, res: Response) => {
-  let apps;
-  try {
-    apps = await getApps({
-      integrationAuth: req.integrationAuth,
-      accessToken: req.accessToken,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get integration authorization applications",
-    });
-  }
+	let apps;
+	try {
+		const teamId = req.query.teamId as string;
+		
+		apps = await getApps({
+			integrationAuth: req.integrationAuth,
+			accessToken: req.accessToken,
+			...teamId && { teamId }
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: "Failed to get integration authorization applications",
+		});
+	}
 
-  return res.status(200).send({
-    apps,
-  });
+	return res.status(200).send({
+		apps
+	});
 };
 
+/**
+ * Return list of teams allowed for integration with integration authorization id [integrationAuthId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getIntegrationAuthTeams = async (req: Request, res: Response) => {
+	const teams = await getTeams({
+		integrationAuth: req.integrationAuth,
+		accessToken: req.accessToken
+	});
+	
+	return res.status(200).send({
+		teams
+	});
+}
+
+/**
+ * Return list of available Vercel (preview) branches for Vercel project with
+ * id [appId]
+ * @param req 
+ * @param res 
+ */
+export const getIntegrationAuthVercelBranches = async (req: Request, res: Response) => {
+	const { integrationAuthId } = req.params;
+	const appId = req.query.appId as string;
+	
+	interface VercelBranch {
+		ref: string;
+		lastCommit: string;
+		isProtected: boolean;
+	}
+
+	const params = new URLSearchParams({
+		projectId: appId,
+		...(req.integrationAuth.teamId ? {
+			teamId: req.integrationAuth.teamId
+		} : {})
+	});
+
+	let branches: string[] = [];
+	
+	if (appId && appId !== '') {
+		const { data }: { data: VercelBranch[] } = await standardRequest.get(
+			`${INTEGRATION_VERCEL_API_URL}/v1/integrations/git-branches`,
+			{
+				params,
+				headers: {
+					Authorization: `Bearer ${req.accessToken}`,
+					'Accept-Encoding': 'application/json'
+				}
+			}
+		);
+		
+		branches = data.map((b) => b.ref);
+	}
+
+	return res.status(200).send({
+		branches
+	});
+}
+
+/**
+ * Return list of Railway environments for Railway project with
+ * id [appId]
+ * @param req 
+ * @param res 
+ */
+export const getIntegrationAuthRailwayEnvironments = async (req: Request, res: Response) => {
+	const { integrationAuthId } = req.params;
+	const appId = req.query.appId as string;
+	
+	interface RailwayEnvironment {
+		node: {
+			id: string;
+			name: string;
+			isEphemeral: boolean;
+		}
+	}
+	
+	interface Environment {
+		environmentId: string;
+		name: string;
+	}
+	
+	let environments: Environment[] = [];
+
+	if (appId && appId !== '') {
+		const query = `
+			query GetEnvironments($projectId: String!, $after: String, $before: String, $first: Int, $isEphemeral: Boolean, $last: Int) {
+				environments(projectId: $projectId, after: $after, before: $before, first: $first, isEphemeral: $isEphemeral, last: $last) {
+				edges {
+					node {
+					id
+					name
+					isEphemeral
+					}
+				}
+				}
+			}
+			`;
+		
+		const variables = {
+			projectId: appId
+		}
+		
+		const { data: { data: { environments: { edges } } } } = await standardRequest.post(INTEGRATION_RAILWAY_API_URL, {
+			query,
+			variables,
+		}, {
+			headers: {
+				'Authorization': `Bearer ${req.accessToken}`,
+				'Content-Type': 'application/json',
+			},
+		});
+		
+		environments = edges.map((e: RailwayEnvironment) => {
+			return ({
+				name: e.node.name,
+				environmentId: e.node.id
+			});
+		});
+	}
+	
+	return res.status(200).send({
+		environments
+	});
+}
+
+/**
+ * Return list of Railway services for Railway project with id
+ * [appId]
+ * @param req 
+ * @param res 
+ */
+export const getIntegrationAuthRailwayServices = async (req: Request, res: Response) => {
+	const { integrationAuthId } = req.params;
+	const appId = req.query.appId as string;
+	
+	interface RailwayService {
+		node: {
+			id: string;
+			name: string;
+		}
+	}
+	
+	interface Service {
+		name: string;
+		serviceId: string;
+	}
+	
+	let services: Service[] = [];
+	
+	const query = `
+      query project($id: String!) {
+        project(id: $id) {
+          createdAt
+          deletedAt
+          id
+          description
+          expiredAt
+          isPublic
+          isTempProject
+          isUpdatable
+          name
+          prDeploys
+          teamId
+          updatedAt
+          upstreamUrl
+		  services {
+			edges {
+				node {
+					id
+					name
+				}
+			}
+		  }
+        }
+      }
+    `;
+
+	if (appId && appId !== '') {
+		const variables = {
+			id: appId
+		}
+		
+		const { data: { data: { project: { services: { edges } } } } } = await standardRequest.post(INTEGRATION_RAILWAY_API_URL, {
+			query,
+			variables
+		}, {
+			headers: {
+				'Authorization': `Bearer ${req.accessToken}`,
+				'Content-Type': 'application/json',
+			},
+		});
+		
+		services = edges.map((e: RailwayService) => ({
+			name: e.node.name,
+			serviceId: e.node.id
+		}));
+	}
+	
+	return res.status(200).send({
+		services
+	});
+}
+
 /**
  * Delete integration authorization with id [integrationAuthId]
  * @param req

backend/src/controllers/v1/integrationController.ts

@@ -2,10 +2,7 @@ import { Request, Response } from 'express';
 import { Types } from 'mongoose';
 import * as Sentry from '@sentry/node';
 import { 
-	Integration, 
-	Workspace,
-	Bot, 
-	BotKey 
+	Integration
 } from '../../models';
 import { EventService } from '../../services';
 import { eventPushSecrets } from '../../events';
@@ -18,6 +15,7 @@ import { eventPushSecrets } from '../../events';
  */
 export const createIntegration = async (req: Request, res: Response) => {
 	let integration;
+
 	try {
 		const {
 			integrationAuthId,
@@ -26,6 +24,9 @@ export const createIntegration = async (req: Request, res: Response) => {
 			isActive,
 			sourceEnvironment,
 			targetEnvironment,
+			targetEnvironmentId,
+      targetService,
+      targetServiceId,
 			owner,
 			path,
 			region
@@ -34,25 +35,29 @@ export const createIntegration = async (req: Request, res: Response) => {
 		// TODO: validate [sourceEnvironment] and [targetEnvironment]
 
 		// initialize new integration after saving integration access token
-        integration = await new Integration({
-            workspace: req.integrationAuth.workspace._id,
-            environment: sourceEnvironment,
-            isActive,
-            app,
+    integration = await new Integration({
+      workspace: req.integrationAuth.workspace._id,
+      environment: sourceEnvironment,
+      isActive,
+      app,
 			appId,
 			targetEnvironment,
+			targetEnvironmentId,
+      targetService,
+      targetServiceId,
 			owner,
 			path,
 			region,
-            integration: req.integrationAuth.integration,
-            integrationAuth: new Types.ObjectId(integrationAuthId)
-        }).save();
+      integration: req.integrationAuth.integration,
+      integrationAuth: new Types.ObjectId(integrationAuthId)
+    }).save();
 		
 		if (integration) {
 			// trigger event - push secrets
 			EventService.handleEvent({
 				event: eventPushSecrets({
-					workspaceId: integration.workspace.toString()
+					workspaceId: integration.workspace,
+          environment: sourceEnvironment
 				})
 			});
 		}
@@ -113,7 +118,8 @@ export const updateIntegration = async (req: Request, res: Response) => {
       // trigger event - push secrets
       EventService.handleEvent({
         event: eventPushSecrets({
-          workspaceId: integration.workspace.toString(),
+          workspaceId: integration.workspace,
+          environment
         }),
       });
     }

backend/src/controllers/v1/membershipController.ts

@@ -1,13 +1,13 @@
-import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import { Membership, MembershipOrg, User, Key, IMembership, Workspace } from '../../models';
+import { Request, Response } from 'express';
+import { Membership, MembershipOrg, User, Key } from '../../models';
 import {
 	findMembership,
 	deleteMembership as deleteMember
 } from '../../helpers/membership';
 import { sendMail } from '../../helpers/nodemailer';
-import { SITE_URL } from '../../config';
 import { ADMIN, MEMBER, ACCEPTED } from '../../variables';
+import { getSiteURL } from '../../config';
 
 /**
  * Check that user is a member of workspace with id [workspaceId]
@@ -215,7 +215,7 @@ export const inviteUserToWorkspace = async (req: Request, res: Response) => {
 				inviterFirstName: req.user.firstName,
 				inviterEmail: req.user.email,
 				workspaceName: req.membership.workspace.name,
-				callback_url: SITE_URL + '/login'
+				callback_url: (await getSiteURL()) + '/login'
 			}
 		});
 	} catch (err) {

backend/src/controllers/v1/membershipOrgController.ts

@@ -1,6 +1,6 @@
+import { Types } from 'mongoose';
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import { SITE_URL, JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET } from '../../config';
 import { MembershipOrg, Organization, User } from '../../models';
 import { deleteMembershipOrg as deleteMemberFromOrg } from '../../helpers/membershipOrg';
 import { createToken } from '../../helpers/auth';
@@ -8,6 +8,7 @@ import { updateSubscriptionOrgQuantity } from '../../helpers/organization';
 import { sendMail } from '../../helpers/nodemailer';
 import { TokenService } from '../../services';
 import { OWNER, ADMIN, MEMBER, ACCEPTED, INVITED, TOKEN_EMAIL_ORG_INVITATION } from '../../variables';
+import { getSiteURL, getJwtSignupLifetime, getJwtSignupSecret, getSmtpConfigured } from '../../config';
 
 /**
  * Delete organization membership with id [membershipOrgId] from organization
@@ -99,9 +100,11 @@ export const changeMembershipOrgRole = async (req: Request, res: Response) => {
  * @returns
  */
 export const inviteUserToOrganization = async (req: Request, res: Response) => {
-	let invitee, inviteeMembershipOrg;
+	let invitee, inviteeMembershipOrg, completeInviteLink;
 	try {
 		const { organizationId, inviteeEmail } = req.body;
+		const host = req.headers.host;
+		const siteUrl = `${req.protocol}://${host}`;
 
 		// validate membership
 		const membershipOrg = await MembershipOrg.findOne({
@@ -132,12 +135,13 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 			}
 
 			if (!inviteeMembershipOrg) {
+				
 				await new MembershipOrg({
 					user: invitee,
 					inviteEmail: inviteeEmail,
 					organization: organizationId,
 					role: MEMBER,
-					status: invitee?.publicKey ? ACCEPTED : INVITED
+					status: INVITED
 				}).save();
 			}
 		} else {
@@ -162,6 +166,7 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 		const organization = await Organization.findOne({ _id: organizationId });
 
 		if (organization) {
+
 			const token = await TokenService.createToken({
 				type: TOKEN_EMAIL_ORG_INVITATION,
 				email: inviteeEmail,
@@ -177,10 +182,15 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 					inviterEmail: req.user.email,
 					organizationName: organization.name,
 					email: inviteeEmail,
+					organizationId: organization._id.toString(),
 					token,
-					callback_url: SITE_URL + '/signupinvite'
+					callback_url: (await getSiteURL()) + '/signupinvite'
 				}
 			});
+
+			if (!(await getSmtpConfigured())) {
+				completeInviteLink = `${siteUrl + '/signupinvite'}?token=${token}&to=${inviteeEmail}&organization_id=${organization._id}`
+			}
 		}
 
 		await updateSubscriptionOrgQuantity({ organizationId });
@@ -193,7 +203,8 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 	}
 
 	return res.status(200).send({
-		message: `Sent an invite link to ${req.body.inviteeEmail}`
+		message: `Sent an invite link to ${req.body.inviteeEmail}`,
+		completeInviteLink
 	});
 };
 
@@ -207,18 +218,23 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 export const verifyUserToOrganization = async (req: Request, res: Response) => {
 	let user, token;
 	try {
-		const { email, code } = req.body;
+		const {
+			email,
+			organizationId,
+			code
+		} = req.body;
 
 		user = await User.findOne({ email }).select('+publicKey');
 
 		const membershipOrg = await MembershipOrg.findOne({
 			inviteEmail: email,
-			status: INVITED
+			status: INVITED,
+			organization: new Types.ObjectId(organizationId)
 		});
 
 		if (!membershipOrg)
 			throw new Error('Failed to find any invitations for email');
-		
+
 		await TokenService.validateToken({
 			type: TOKEN_EMAIL_ORG_INVITATION,
 			email,
@@ -231,6 +247,10 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => {
 			// membership can be approved and redirected to login/dashboard
 			membershipOrg.status = ACCEPTED;
 			await membershipOrg.save();
+			
+			await updateSubscriptionOrgQuantity({
+				organizationId
+			});
 
 			return res.status(200).send({
 				message: 'Successfully verified email',
@@ -250,8 +270,8 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => {
 			payload: {
 				userId: user._id.toString()
 			},
-			expiresIn: JWT_SIGNUP_LIFETIME,
-			secret: JWT_SIGNUP_SECRET
+			expiresIn: await getJwtSignupLifetime(),
+			secret: await getJwtSignupSecret()
 		});
 	} catch (err) {
 		Sentry.setUser(null);

backend/src/controllers/v1/organizationController.ts

@@ -1,33 +1,26 @@
-import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import {
-	SITE_URL,
-	STRIPE_SECRET_KEY
-} from '../../config';
+import { Request, Response } from 'express';
 import Stripe from 'stripe';
-
-const stripe = new Stripe(STRIPE_SECRET_KEY, {
-	apiVersion: '2022-08-01'
-});
 import {
 	Membership,
 	MembershipOrg,
 	Organization,
 	Workspace,
-	IncidentContactOrg,
-	IMembershipOrg
+	IncidentContactOrg
 } from '../../models';
 import { createOrganization as create } from '../../helpers/organization';
 import { addMembershipsOrg } from '../../helpers/membershipOrg';
 import { OWNER, ACCEPTED } from '../../variables';
 import _ from 'lodash';
+import { getStripeSecretKey, getSiteURL } from '../../config';
 
 export const getOrganizations = async (req: Request, res: Response) => {
 	let organizations;
 	try {
 		organizations = (
 			await MembershipOrg.find({
-				user: req.user._id
+				user: req.user._id,
+				status: ACCEPTED
 			}).populate('organization')
 		).map((m) => m.organization);
 	} catch (err) {
@@ -93,7 +86,7 @@ export const createOrganization = async (req: Request, res: Response) => {
 export const getOrganization = async (req: Request, res: Response) => {
 	let organization;
 	try {
-		organization = req.membershipOrg.organization;
+		organization = req.organization
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);
@@ -325,25 +318,29 @@ export const createOrganizationPortalSession = async (
 ) => {
 	let session;
 	try {
-		// check if there is a payment method on file
-		const paymentMethods = await stripe.paymentMethods.list({
-			customer: req.membershipOrg.organization.customerId,
-			type: 'card'
+		const stripe = new Stripe(await getStripeSecretKey(), {
+			apiVersion: '2022-08-01'
 		});
 
+		// check if there is a payment method on file
+		const paymentMethods = await stripe.paymentMethods.list({
+			customer: req.organization.customerId,
+			type: 'card'
+		});
+		
 		if (paymentMethods.data.length < 1) {
 			// case: no payment method on file
 			session = await stripe.checkout.sessions.create({
-				customer: req.membershipOrg.organization.customerId,
+				customer: req.organization.customerId,
 				mode: 'setup',
 				payment_method_types: ['card'],
-				success_url: SITE_URL + '/dashboard',
-				cancel_url: SITE_URL + '/dashboard'
+				success_url: (await getSiteURL()) + '/dashboard',
+				cancel_url: (await getSiteURL()) + '/dashboard'
 			});
 		} else {
 			session = await stripe.billingPortal.sessions.create({
-				customer: req.membershipOrg.organization.customerId,
-				return_url: SITE_URL + '/dashboard'
+				customer: req.organization.customerId,
+				return_url: (await getSiteURL()) + '/dashboard'
 			});
 		}
 
@@ -369,8 +366,12 @@ export const getOrganizationSubscriptions = async (
 ) => {
 	let subscriptions;
 	try {
+		const stripe = new Stripe(await getStripeSecretKey(), {
+			apiVersion: '2022-08-01'
+		});
+		
 		subscriptions = await stripe.subscriptions.list({
-			customer: req.membershipOrg.organization.customerId
+			customer: req.organization.customerId
 		});
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });

backend/src/controllers/v1/passwordController.ts

@@ -7,9 +7,9 @@ import { User, BackupPrivateKey, LoginSRPDetail } from '../../models';
 import { createToken } from '../../helpers/auth';
 import { sendMail } from '../../helpers/nodemailer';
 import { TokenService } from '../../services';
-import { JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET, SITE_URL } from '../../config';
 import { TOKEN_EMAIL_PASSWORD_RESET } from '../../variables';
 import { BadRequestError } from '../../utils/errors';
+import { getSiteURL, getJwtSignupLifetime, getJwtSignupSecret } from '../../config';
 
 /**
  * Password reset step 1: Send email verification link to email [email] 
@@ -44,7 +44,7 @@ export const emailPasswordReset = async (req: Request, res: Response) => {
 			substitutions: {
 				email,
 				token,
-				callback_url: SITE_URL + '/password-reset'
+				callback_url: (await getSiteURL()) + '/password-reset'
 			}
 		});
 	} catch (err) {
@@ -91,8 +91,8 @@ export const emailPasswordResetVerify = async (req: Request, res: Response) => {
 			payload: {
 				userId: user._id.toString()
 			},
-			expiresIn: JWT_SIGNUP_LIFETIME,
-			secret: JWT_SIGNUP_SECRET
+			expiresIn: await getJwtSignupLifetime(),
+			secret: await getJwtSignupSecret()
 		});
 	} catch (err) {
 		Sentry.setUser(null);

backend/src/controllers/v1/secretController.ts

@@ -1,5 +1,6 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
 import { Key, Secret } from '../../models';
 import {
 	v1PushSecrets as push,
@@ -9,7 +10,7 @@ import {
 import { pushKeys } from '../../helpers/key';
 import { eventPushSecrets } from '../../events';
 import { EventService } from '../../services';
-import { postHogClient } from '../../services';
+import { TelemetryService } from '../../services';
 
 interface PushSecret {
 	ciphertextKey: string;
@@ -38,6 +39,7 @@ export const pushSecrets = async (req: Request, res: Response) => {
 	// upload (encrypted) secrets to workspace with id [workspaceId]
 
 	try {
+		const postHogClient = await TelemetryService.getPostHogClient();
 		let { secrets }: { secrets: PushSecret[] } = req.body;
 		const { keys, environment, channel } = req.body;
 		const { workspaceId } = req.params;
@@ -83,7 +85,8 @@ export const pushSecrets = async (req: Request, res: Response) => {
 		// trigger event - push secrets
 		EventService.handleEvent({
 			event: eventPushSecrets({
-				workspaceId
+				workspaceId: new Types.ObjectId(workspaceId),
+				environment
 			})
 		});
 
@@ -111,6 +114,7 @@ export const pullSecrets = async (req: Request, res: Response) => {
 	let secrets;
 	let key;
 	try {
+		const postHogClient = await TelemetryService.getPostHogClient();
 		const environment: string = req.query.environment as string;
 		const channel: string = req.query.channel as string;
 		const { workspaceId } = req.params;
@@ -179,6 +183,7 @@ export const pullSecretsServiceToken = async (req: Request, res: Response) => {
 	let secrets;
 	let key;
 	try {
+		const postHogClient = await TelemetryService.getPostHogClient();
 		const environment: string = req.query.environment as string;
 		const channel: string = req.query.channel as string;
 		const { workspaceId } = req.params;

backend/src/controllers/v1/secretsFolderController.ts

@@ -0,0 +1,218 @@
+import { Request, Response } from "express";
+import { Secret } from "../../models";
+import Folder from "../../models/folder";
+import { BadRequestError } from "../../utils/errors";
+import {
+  appendFolder,
+  deleteFolderById,
+  getAllFolderIds,
+  searchByFolderIdWithDir,
+  searchByFolderId,
+  validateFolderName,
+  generateFolderId,
+  getParentFromFolderId,
+} from "../../services/FolderService";
+import { ADMIN, MEMBER } from "../../variables";
+import { validateMembership } from "../../helpers/membership";
+import { FolderVersion } from "../../ee/models";
+import { EESecretService } from "../../ee/services";
+
+// TODO
+// verify workspace id/environment
+export const createFolder = async (req: Request, res: Response) => {
+  const { workspaceId, environment, folderName, parentFolderId } = req.body;
+  if (!validateFolderName(folderName)) {
+    throw BadRequestError({
+      message: "Folder name cannot contain spaces. Only underscore and dashes",
+    });
+  }
+
+  const folders = await Folder.findOne({
+    workspace: workspaceId,
+    environment,
+  }).lean();
+  // space has no folders initialized
+  if (!folders) {
+    const id = generateFolderId();
+    const folder = new Folder({
+      workspace: workspaceId,
+      environment,
+      nodes: {
+        id: "root",
+        name: "root",
+        version: 1,
+        children: [{ id, name: folderName, children: [], version: 1 }],
+      },
+    });
+    await folder.save();
+    const folderVersion = new FolderVersion({
+      workspace: workspaceId,
+      environment,
+      nodes: folder.nodes,
+    });
+    await folderVersion.save();
+    await EESecretService.takeSecretSnapshot({
+      workspaceId,
+      environment,
+    });
+    return res.json({ folder: { id, name: folderName } });
+  }
+
+  const folder = appendFolder(folders.nodes, { folderName, parentFolderId });
+  await Folder.findByIdAndUpdate(folders._id, folders);
+
+  const parentFolder = searchByFolderId(folders.nodes, parentFolderId);
+  const folderVersion = new FolderVersion({
+    workspace: workspaceId,
+    environment,
+    nodes: parentFolder,
+  });
+  await folderVersion.save();
+
+  await EESecretService.takeSecretSnapshot({
+    workspaceId,
+    environment,
+    folderId: parentFolderId,
+  });
+
+  return res.json({ folder });
+};
+
+export const updateFolderById = async (req: Request, res: Response) => {
+  const { folderId } = req.params;
+  const { name, workspaceId, environment } = req.body;
+
+  const folders = await Folder.findOne({ workspace: workspaceId, environment });
+  if (!folders) {
+    throw BadRequestError({ message: "The folder doesn't exist" });
+  }
+
+  // check that user is a member of the workspace
+  await validateMembership({
+    userId: req.user._id.toString(),
+    workspaceId,
+    acceptedRoles: [ADMIN, MEMBER],
+  });
+
+  const parentFolder = getParentFromFolderId(folders.nodes, folderId);
+  if (!parentFolder) {
+    throw BadRequestError({ message: "The folder doesn't exist" });
+  }
+  const folder = parentFolder.children.find(({ id }) => id === folderId);
+  if (!folder) {
+    throw BadRequestError({ message: "The folder doesn't exist" });
+  }
+
+  parentFolder.version += 1;
+  folder.name = name;
+
+  await Folder.findByIdAndUpdate(folders._id, folders);
+  const folderVersion = new FolderVersion({
+    workspace: workspaceId,
+    environment,
+    nodes: parentFolder,
+  });
+  await folderVersion.save();
+
+  await EESecretService.takeSecretSnapshot({
+    workspaceId,
+    environment,
+    folderId: parentFolder.id,
+  });
+
+  return res.json({
+    message: "Successfully updated folder",
+    folder: { name: folder.name, id: folder.id },
+  });
+};
+
+export const deleteFolder = async (req: Request, res: Response) => {
+  const { folderId } = req.params;
+  const { workspaceId, environment } = req.body;
+
+  const folders = await Folder.findOne({ workspace: workspaceId, environment });
+  if (!folders) {
+    throw BadRequestError({ message: "The folder doesn't exist" });
+  }
+
+  // check that user is a member of the workspace
+  await validateMembership({
+    userId: req.user._id.toString(),
+    workspaceId,
+    acceptedRoles: [ADMIN, MEMBER],
+  });
+
+  const delOp = deleteFolderById(folders.nodes, folderId);
+  if (!delOp) {
+    throw BadRequestError({ message: "The folder doesn't exist" });
+  }
+  const { deletedNode: delFolder, parent: parentFolder } = delOp;
+
+  parentFolder.version += 1;
+  const delFolderIds = getAllFolderIds(delFolder);
+
+  await Folder.findByIdAndUpdate(folders._id, folders);
+  const folderVersion = new FolderVersion({
+    workspace: workspaceId,
+    environment,
+    nodes: parentFolder,
+  });
+  await folderVersion.save();
+  if (delFolderIds.length) {
+    await Secret.deleteMany({
+      folder: { $in: delFolderIds.map(({ id }) => id) },
+      workspace: workspaceId,
+      environment,
+    });
+  }
+
+  await EESecretService.takeSecretSnapshot({
+    workspaceId,
+    environment,
+    folderId: parentFolder.id,
+  });
+
+  res.send({ message: "successfully deleted folders", folders: delFolderIds });
+};
+
+// TODO: validate workspace
+export const getFolders = async (req: Request, res: Response) => {
+  const { workspaceId, environment, parentFolderId } = req.query as {
+    workspaceId: string;
+    environment: string;
+    parentFolderId?: string;
+  };
+
+  const folders = await Folder.findOne({ workspace: workspaceId, environment });
+  if (!folders) {
+    res.send({ folders: [], dir: [] });
+    return;
+  }
+
+  // check that user is a member of the workspace
+  await validateMembership({
+    userId: req.user._id.toString(),
+    workspaceId,
+    acceptedRoles: [ADMIN, MEMBER],
+  });
+
+  if (!parentFolderId) {
+    const rootFolders = folders.nodes.children.map(({ id, name }) => ({
+      id,
+      name,
+    }));
+    res.send({ folders: rootFolders });
+    return;
+  }
+
+  const folderBySearch = searchByFolderIdWithDir(folders.nodes, parentFolderId);
+  if (!folderBySearch) {
+    throw BadRequestError({ message: "The folder doesn't exist" });
+  }
+  const { folder, dir } = folderBySearch;
+
+  res.send({
+    folders: folder.children.map(({ id, name }) => ({ id, name })),
+    dir,
+  });
+};

backend/src/controllers/v1/serviceTokenController.ts

@@ -1,7 +1,7 @@
 import { Request, Response } from 'express';
 import { ServiceToken } from '../../models';
 import { createToken } from '../../helpers/auth';
-import { JWT_SERVICE_SECRET } from '../../config';
+import { getJwtServiceSecret } from '../../config';
 
 /**
  * Return service token on request
@@ -61,7 +61,7 @@ export const createServiceToken = async (req: Request, res: Response) => {
 				workspaceId
 			},
 			expiresIn: expiresIn,
-			secret: JWT_SERVICE_SECRET
+			secret: await getJwtServiceSecret()
 		});
 	} catch (err) {
 		return res.status(400).send({

backend/src/controllers/v1/signupController.ts

@@ -1,13 +1,13 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
 import { User } from '../../models';
-import { JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET, INVITE_ONLY_SIGNUP } from '../../config';
 import {
 	sendEmailVerification,
 	checkEmailVerification,
 } from '../../helpers/signup';
 import { createToken } from '../../helpers/auth';
 import { BadRequestError } from '../../utils/errors';
+import { getInviteOnlySignup, getJwtSignupLifetime, getJwtSignupSecret, getSmtpConfigured } from '../../config';
 
 /**
  * Signup step 1: Initialize account for user under email [email] and send a verification code
@@ -21,14 +21,6 @@ export const beginEmailSignup = async (req: Request, res: Response) => {
 	try {
 		email = req.body.email;
 
-		if (INVITE_ONLY_SIGNUP) {
-			// Only one user can create an account without being invited. The rest need to be invited in order to make an account
-			const userCount = await User.countDocuments({})
-			if (userCount != 0) {
-				throw BadRequestError({ message: "New user sign ups are not allowed at this time. You must be invited to sign up." })
-			}
-		}
-
 		const user = await User.findOne({ email }).select('+publicKey');
 		if (user && user?.publicKey) {
 			// case: user has already completed account
@@ -47,7 +39,7 @@ export const beginEmailSignup = async (req: Request, res: Response) => {
 			error: 'Failed to send email verification code'
 		});
 	}
-
+	
 	return res.status(200).send({
 		message: `Sent an email verification code to ${email}`
 	});
@@ -66,7 +58,7 @@ export const verifyEmailSignup = async (req: Request, res: Response) => {
 		const { email, code } = req.body;
 
 		// initialize user account
-		user = await User.findOne({ email });
+		user = await User.findOne({ email }).select('+publicKey');
 		if (user && user?.publicKey) {
 			// case: user has already completed account
 			return res.status(403).send({
@@ -74,11 +66,21 @@ export const verifyEmailSignup = async (req: Request, res: Response) => {
 			});
 		}
 
+		if (await getInviteOnlySignup()) {
+			// Only one user can create an account without being invited. The rest need to be invited in order to make an account
+			const userCount = await User.countDocuments({})
+			if (userCount != 0) {
+				throw BadRequestError({ message: "New user sign ups are not allowed at this time. You must be invited to sign up." })
+			}
+		}
+
 		// verify email
-		await checkEmailVerification({
-			email,
-			code
-		});
+		if (await getSmtpConfigured()) {
+			await checkEmailVerification({
+				email,
+				code
+			});
+		}
 
 		if (!user) {
 			user = await new User({
@@ -91,8 +93,8 @@ export const verifyEmailSignup = async (req: Request, res: Response) => {
 			payload: {
 				userId: user._id.toString()
 			},
-			expiresIn: JWT_SIGNUP_LIFETIME,
-			secret: JWT_SIGNUP_SECRET
+			expiresIn: await getJwtSignupLifetime(),
+			secret: await getJwtSignupSecret()
 		});
 	} catch (err) {
 		Sentry.setUser(null);

backend/src/controllers/v1/stripeController.ts

@@ -1,10 +1,7 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
 import Stripe from 'stripe';
-import { STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET } from '../../config';
-const stripe = new Stripe(STRIPE_SECRET_KEY, {
-	apiVersion: '2022-08-01'
-});
+import { getStripeSecretKey, getStripeWebhookSecret } from '../../config';
 
 /**
  * Handle service provisioning/un-provisioning via Stripe
@@ -16,11 +13,15 @@ export const handleWebhook = async (req: Request, res: Response) => {
 	let event;
 	try {
 		// check request for valid stripe signature
+		const stripe = new Stripe(await getStripeSecretKey(), {
+			apiVersion: '2022-08-01'
+		});
+
 		const sig = req.headers['stripe-signature'] as string;
 		event = stripe.webhooks.constructEvent(
 			req.body,
 			sig,
-			STRIPE_WEBHOOK_SECRET // ?
+			await getStripeWebhookSecret()
 		);
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });

backend/src/controllers/v2/apiKeyDataController.ts

@@ -1,13 +1,11 @@
-import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
+import { Request, Response } from 'express';
 import crypto from 'crypto';
 import bcrypt from 'bcrypt';
 import {
     APIKeyData
 } from '../../models';
-import {
-    SALT_ROUNDS
-} from '../../config';
+import { getSaltRounds } from '../../config';
 
 /**
  * Return API key data for user with id [req.user_id]
@@ -45,13 +43,14 @@ export const createAPIKeyData = async (req: Request, res: Response) => {
         const { name, expiresIn } = req.body;
         
         const secret = crypto.randomBytes(16).toString('hex');
-        const secretHash = await bcrypt.hash(secret, SALT_ROUNDS);
+        const secretHash = await bcrypt.hash(secret, await getSaltRounds());
         
 		const expiresAt = new Date();
 		expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
         
         apiKeyData = await new APIKeyData({
             name,
+            lastUsed: new Date(),
             expiresAt,
             user: req.user._id,
             secretHash

backend/src/controllers/v2/authController.ts

@@ -10,17 +10,17 @@ import { checkUserDevice } from '../../helpers/user';
 import { sendMail } from '../../helpers/nodemailer';
 import { TokenService } from '../../services';
 import { EELogService } from '../../ee/services';
-import {
-  NODE_ENV,
-  JWT_MFA_LIFETIME,
-  JWT_MFA_SECRET
-} from '../../config';
 import { BadRequestError, InternalServerError } from '../../utils/errors';
 import {
   TOKEN_EMAIL_MFA,
   ACTION_LOGIN
 } from '../../variables';
 import { getChannelFromUserAgent } from '../../utils/posthog'; // TODO: move this
+import {
+  getJwtMfaLifetime,
+  getJwtMfaSecret,
+  getHttpsEnabled
+} from '../../config';
 
 declare module 'jsonwebtoken' {
   export interface UserIDJwtPayload extends jwt.JwtPayload {
@@ -28,8 +28,6 @@ declare module 'jsonwebtoken' {
   }
 }
 
-const clientPublicKeys: any = {};
-
 /**
  * Log in user step 1: Return [salt] and [serverPublicKey] as part of step 1 of SRP protocol
  * @param req
@@ -89,7 +87,7 @@ export const login1 = async (req: Request, res: Response) => {
  */
 export const login2 = async (req: Request, res: Response) => {
   try {
-    
+
     if (!req.headers['user-agent']) throw InternalServerError({ message: 'User-Agent header is required' });
 
     const { email, clientProof } = req.body;
@@ -126,15 +124,15 @@ export const login2 = async (req: Request, res: Response) => {
               payload: {
                 userId: user._id.toString()
               },
-              expiresIn: JWT_MFA_LIFETIME,
-              secret: JWT_MFA_SECRET
+              expiresIn: await getJwtMfaLifetime(),
+              secret: await getJwtMfaSecret()
             });
-          
+
             const code = await TokenService.createToken({
               type: TOKEN_EMAIL_MFA,
               email
             });
-            
+
             // send MFA code [code] to [email]
             await sendMail({
               template: 'emailMfa.handlebars',
@@ -144,13 +142,13 @@ export const login2 = async (req: Request, res: Response) => {
                 code
               }
             });
-            
+
             return res.status(200).send({
               mfaEnabled: true,
               token
             });
           }
-          
+
           await checkUserDevice({
             user,
             ip: req.ip,
@@ -165,7 +163,7 @@ export const login2 = async (req: Request, res: Response) => {
             httpOnly: true,
             path: '/',
             sameSite: 'strict',
-            secure: NODE_ENV === 'production' ? true : false
+            secure: await getHttpsEnabled()
           });
 
           // case: user does not have MFA enablgged
@@ -183,7 +181,7 @@ export const login2 = async (req: Request, res: Response) => {
             iv?: string;
             tag?: string;
           }
-          
+
           const response: ResponseData = {
             mfaEnabled: false,
             encryptionVersion: user.encryptionVersion,
@@ -193,7 +191,7 @@ export const login2 = async (req: Request, res: Response) => {
             iv: user.iv,
             tag: user.tag
           }
-          
+
           if (
             user?.protectedKey &&
             user?.protectedKeyIV &&
@@ -208,14 +206,14 @@ export const login2 = async (req: Request, res: Response) => {
             name: ACTION_LOGIN,
             userId: user._id
           });
-          
+
           loginAction && await EELogService.createLog({
             userId: user._id,
             actions: [loginAction],
             channel: getChannelFromUserAgent(req.headers['user-agent']),
             ipAddress: req.ip
           });
-          
+
           return res.status(200).send(response);
         }
 
@@ -246,7 +244,7 @@ export const sendMfaToken = async (req: Request, res: Response) => {
       type: TOKEN_EMAIL_MFA,
       email
     });
-    
+
     // send MFA code [code] to [email]
     await sendMail({
       template: 'emailMfa.handlebars',
@@ -261,9 +259,9 @@ export const sendMfaToken = async (req: Request, res: Response) => {
     Sentry.captureException(err);
     return res.status(400).send({
       message: 'Failed to send MFA code'
-    }); 
+    });
   }
-  
+
   return res.status(200).send({
     message: 'Successfully sent new MFA code'
   });
@@ -276,76 +274,89 @@ export const sendMfaToken = async (req: Request, res: Response) => {
  * @param res 
  */
 export const verifyMfaToken = async (req: Request, res: Response) => {
-    const { email, mfaToken } = req.body;
+  const { email, mfaToken } = req.body;
 
-    await TokenService.validateToken({
-      type: TOKEN_EMAIL_MFA,
-      email,
-      token: mfaToken
-    });
+  await TokenService.validateToken({
+    type: TOKEN_EMAIL_MFA,
+    email,
+    token: mfaToken
+  });
 
-    const user = await User.findOne({
-      email
-    }).select('+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag');
+  const user = await User.findOne({
+    email
+  }).select('+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag');
 
-    if (!user) throw new Error('Failed to find user'); 
+  if (!user) throw new Error('Failed to find user');
 
-     await checkUserDevice({
-      user,
-      ip: req.ip,
-      userAgent: req.headers['user-agent'] ?? ''
-    });
+  await LoginSRPDetail.deleteOne({ userId: user.id })
 
-    // issue tokens
-    const tokens = await issueAuthTokens({ userId: user._id.toString() });
+  await checkUserDevice({
+    user,
+    ip: req.ip,
+    userAgent: req.headers['user-agent'] ?? ''
+  });
 
-    // store (refresh) token in httpOnly cookie
-    res.cookie('jid', tokens.refreshToken, {
-      httpOnly: true,
-      path: '/',
-      sameSite: 'strict',
-      secure: NODE_ENV === 'production' ? true : false
-    });
-    
-    interface VerifyMfaTokenRes {
-      encryptionVersion: number;
-      protectedKey?: string;
-      protectedKeyIV?: string;
-      protectedKeyTag?: string;
-      token: string;
-      publicKey: string;
-      encryptedPrivateKey: string;
-      iv: string;
-      tag: string;
-    }
+  // issue tokens
+  const tokens = await issueAuthTokens({ userId: user._id.toString() });
 
-    const resObj: VerifyMfaTokenRes = {
-      encryptionVersion: user.encryptionVersion,
-      token: tokens.token,
-      publicKey: user.publicKey as string,
-      encryptedPrivateKey: user.encryptedPrivateKey as string,
-      iv: user.iv as string,
-      tag: user.tag as string
-    }
-    
-    if (user?.protectedKey && user?.protectedKeyIV && user?.protectedKeyTag) {
-      resObj.protectedKey = user.protectedKey;
-      resObj.protectedKeyIV = user.protectedKeyIV;
-      resObj.protectedKeyTag = user.protectedKeyTag;
-    }
+  // store (refresh) token in httpOnly cookie
+  res.cookie('jid', tokens.refreshToken, {
+    httpOnly: true,
+    path: '/',
+    sameSite: 'strict',
+    secure: await getHttpsEnabled()
+  });
 
-    const loginAction = await EELogService.createAction({
-      name: ACTION_LOGIN,
-      userId: user._id
-    });
-    
-    loginAction && await EELogService.createLog({
-      userId: user._id,
-      actions: [loginAction],
-      channel: getChannelFromUserAgent(req.headers['user-agent']),
-      ipAddress: req.ip
-    });
+  interface VerifyMfaTokenRes {
+    encryptionVersion: number;
+    protectedKey?: string;
+    protectedKeyIV?: string;
+    protectedKeyTag?: string;
+    token: string;
+    publicKey: string;
+    encryptedPrivateKey: string;
+    iv: string;
+    tag: string;
+  }
 
-    return res.status(200).send(resObj); 
+  interface VerifyMfaTokenRes {
+    encryptionVersion: number;
+    protectedKey?: string;
+    protectedKeyIV?: string;
+    protectedKeyTag?: string;
+    token: string;
+    publicKey: string;
+    encryptedPrivateKey: string;
+    iv: string;
+    tag: string;
+  }
+
+  const resObj: VerifyMfaTokenRes = {
+    encryptionVersion: user.encryptionVersion,
+    token: tokens.token,
+    publicKey: user.publicKey as string,
+    encryptedPrivateKey: user.encryptedPrivateKey as string,
+    iv: user.iv as string,
+    tag: user.tag as string
+  }
+
+  if (user?.protectedKey && user?.protectedKeyIV && user?.protectedKeyTag) {
+    resObj.protectedKey = user.protectedKey;
+    resObj.protectedKeyIV = user.protectedKeyIV;
+    resObj.protectedKeyTag = user.protectedKeyTag;
+  }
+
+  const loginAction = await EELogService.createAction({
+    name: ACTION_LOGIN,
+    userId: user._id
+  });
+
+  loginAction && await EELogService.createLog({
+    userId: user._id,
+    actions: [loginAction],
+    channel: getChannelFromUserAgent(req.headers['user-agent']),
+    ipAddress: req.ip
+  });
+
+  return res.status(200).send(resObj);
 }
-

backend/src/controllers/v2/environmentController.ts

@@ -11,7 +11,7 @@ import {
 import { SecretVersion } from '../../ee/models';
 import { BadRequestError } from '../../utils/errors';
 import _ from 'lodash';
-import { ABILITY_READ, ABILITY_WRITE } from '../../variables/organization';
+import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from '../../variables';
 
 /**
  * Create new workspace environment named [environmentName] under workspace with id
@@ -244,8 +244,8 @@ export const getAllAccessibleEnvironmentsOfWorkspace = async (
     throw BadRequestError()
   }
   relatedWorkspace.environments.forEach(environment => {
-    const isReadBlocked = _.some(deniedPermission, { environmentSlug: environment.slug, ability: ABILITY_READ })
-    const isWriteBlocked = _.some(deniedPermission, { environmentSlug: environment.slug, ability: ABILITY_WRITE })
+    const isReadBlocked = _.some(deniedPermission, { environmentSlug: environment.slug, ability: PERMISSION_READ_SECRETS })
+    const isWriteBlocked = _.some(deniedPermission, { environmentSlug: environment.slug, ability: PERMISSION_WRITE_SECRETS })
     if (isReadBlocked && isWriteBlocked) {
       return
     } else {

backend/src/controllers/v2/index.ts

@@ -7,6 +7,7 @@ import * as serviceTokenDataController from './serviceTokenDataController';
 import * as apiKeyDataController from './apiKeyDataController';
 import * as secretController from './secretController';
 import * as secretsController from './secretsController';
+import * as serviceAccountsController from './serviceAccountsController';
 import * as environmentController from './environmentController';
 import * as tagController from './tagController';
 
@@ -20,6 +21,7 @@ export {
     apiKeyDataController,
     secretController,
     secretsController,
+    serviceAccountsController,
     environmentController,
     tagController
 }

backend/src/controllers/v2/organizationsController.ts

@@ -1,9 +1,11 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
 import { 
     MembershipOrg,
     Membership,
-    Workspace
+    Workspace,
+    ServiceAccount
 } from '../../models';
 import { deleteMembershipOrg } from '../../helpers/membershipOrg';
 import { updateSubscriptionOrgQuantity } from '../../helpers/organization';
@@ -260,37 +262,45 @@ export const getOrganizationWorkspaces = async (req: Request, res: Response) =>
         }
     }   
     */
-    let workspaces;
-    try {
-        const { organizationId } = req.params;
+    const { organizationId } = req.params;
 
-		const workspacesSet = new Set(
-			(
-				await Workspace.find(
-					{
-						organization: organizationId
-					},
-					'_id'
-				)
-			).map((w) => w._id.toString())
-		);
+    const workspacesSet = new Set(
+        (
+            await Workspace.find(
+                {
+                    organization: organizationId
+                },
+                '_id'
+            )
+        ).map((w) => w._id.toString())
+    );
 
-		workspaces = (
-			await Membership.find({
-				user: req.user._id
-			}).populate('workspace')
-		)
-			.filter((m) => workspacesSet.has(m.workspace._id.toString()))
-			.map((m) => m.workspace);
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get organization workspaces'
-		});	
-    }
-    
-    return res.status(200).send({
+    const workspaces = (
+        await Membership.find({
+            user: req.user._id
+        }).populate('workspace')
+    )
+    .filter((m) => workspacesSet.has(m.workspace._id.toString()))
+    .map((m) => m.workspace);
+
+return res.status(200).send({
         workspaces
     });
+}
+
+/**
+ * Return service accounts for organization with id [organizationId]
+ * @param req 
+ * @param res 
+ */
+export const getOrganizationServiceAccounts = async (req: Request, res: Response) => {
+    const { organizationId } = req.params;
+    
+    const serviceAccounts = await ServiceAccount.find({
+        organization: new Types.ObjectId(organizationId)
+    });
+    
+    return res.status(200).send({
+        serviceAccounts
+    });
 }

backend/src/controllers/v2/secretController.ts

@@ -6,8 +6,10 @@ import { CreateSecretRequestBody, ModifySecretRequestBody, SanitizedSecretForCre
 const { ValidationError } = mongoose.Error;
 import { BadRequestError, InternalServerError, UnauthorizedRequestError, ValidationError as RouteValidationError } from '../../utils/errors';
 import { AnyBulkWriteOperation } from 'mongodb';
-import { SECRET_PERSONAL, SECRET_SHARED } from "../../variables";
-import { postHogClient } from '../../services';
+import { ALGORITHM_AES_256_GCM, ENCODING_SCHEME_UTF8, SECRET_PERSONAL, SECRET_SHARED } from "../../variables";
+import { TelemetryService } from '../../services';
+import { User } from "../../models";
+import { AccountNotFoundError } from '../../utils/errors';
 
 /**
  * Create secret for workspace with id [workspaceId] and environment [environment]
@@ -15,6 +17,7 @@ import { postHogClient } from '../../services';
  * @param res 
  */
 export const createSecret = async (req: Request, res: Response) => {
+  const postHogClient = await TelemetryService.getPostHogClient();
   const secretToCreate: CreateSecretRequestBody = req.body.secret;
   const { workspaceId, environment } = req.params
   const sanitizedSecret: SanitizedSecretForCreate = {
@@ -33,7 +36,9 @@ export const createSecret = async (req: Request, res: Response) => {
     workspace: new Types.ObjectId(workspaceId),
     environment,
     type: secretToCreate.type,
-    user: new Types.ObjectId(req.user._id)
+    user: new Types.ObjectId(req.user._id),
+    algorithm: ALGORITHM_AES_256_GCM,
+    keyEncoding: ENCODING_SCHEME_UTF8
   }
 
 
@@ -67,6 +72,7 @@ export const createSecret = async (req: Request, res: Response) => {
  * @param res 
  */
 export const createSecrets = async (req: Request, res: Response) => {
+  const postHogClient = await TelemetryService.getPostHogClient();
   const secretsToCreate: CreateSecretRequestBody[] = req.body.secrets;
   const { workspaceId, environment } = req.params
   const sanitizedSecretesToCreate: SanitizedSecretForCreate[] = []
@@ -88,7 +94,9 @@ export const createSecrets = async (req: Request, res: Response) => {
       workspace: new Types.ObjectId(workspaceId),
       environment,
       type: rawSecret.type,
-      user: new Types.ObjectId(req.user._id)
+      user: new Types.ObjectId(req.user._id),
+      algorithm: ALGORITHM_AES_256_GCM,
+      keyEncoding: ENCODING_SCHEME_UTF8
     }
 
     sanitizedSecretesToCreate.push(safeUpdateFields)
@@ -128,6 +136,7 @@ export const createSecrets = async (req: Request, res: Response) => {
  * @param res 
  */
 export const deleteSecrets = async (req: Request, res: Response) => {
+  const postHogClient = await TelemetryService.getPostHogClient();
   const { workspaceId, environmentName } = req.params
   const secretIdsToDelete: string[] = req.body.secretIds
 
@@ -181,6 +190,7 @@ export const deleteSecrets = async (req: Request, res: Response) => {
  * @param res
  */
 export const deleteSecret = async (req: Request, res: Response) => {
+  const postHogClient = await TelemetryService.getPostHogClient();
   await Secret.findByIdAndDelete(req._secret._id)
 
   if (postHogClient) {
@@ -209,6 +219,7 @@ export const deleteSecret = async (req: Request, res: Response) => {
  * @returns 
  */
 export const updateSecrets = async (req: Request, res: Response) => {
+  const postHogClient = await TelemetryService.getPostHogClient();
   const { workspaceId, environmentName } = req.params
   const secretsModificationsRequested: ModifySecretRequestBody[] = req.body.secrets;
   const [secretIdsUserCanModifyError, secretIdsUserCanModify] = await to(Secret.find({ workspace: workspaceId, environment: environmentName }, { _id: 1 }).then())
@@ -276,6 +287,7 @@ export const updateSecrets = async (req: Request, res: Response) => {
  * @returns 
  */
 export const updateSecret = async (req: Request, res: Response) => {
+  const postHogClient = await TelemetryService.getPostHogClient();
   const { workspaceId, environmentName } = req.params
   const secretModificationsRequested: ModifySecretRequestBody = req.body.secret;
 
@@ -329,19 +341,23 @@ export const updateSecret = async (req: Request, res: Response) => {
  * @returns 
  */
 export const getSecrets = async (req: Request, res: Response) => {
+  const postHogClient = await TelemetryService.getPostHogClient();
   const { environment } = req.query;
   const { workspaceId } = req.params;
 
   let userId: Types.ObjectId | undefined = undefined // used for getting personal secrets for user
-  let userEmail: Types.ObjectId | undefined = undefined // used for posthog 
+  let userEmail: string | undefined = undefined // used for posthog 
   if (req.user) {
     userId = req.user._id;
     userEmail = req.user.email;
   }
 
   if (req.serviceTokenData) {
-    userId = req.serviceTokenData.user._id
-    userEmail = req.serviceTokenData.user.email;
+    userId = req.serviceTokenData.user;
+    
+    const user = await User.findById(req.serviceTokenData.user, 'email');
+    if (!user) throw AccountNotFoundError();
+    userEmail = user.email;
   }
 
   const [err, secrets] = await to(Secret.find(

backend/src/controllers/v2/serviceAccountsController.ts

@@ -0,0 +1,306 @@
+import { Request, Response } from 'express';
+import { Types } from 'mongoose';
+import crypto from 'crypto';
+import bcrypt from 'bcrypt';
+import { 
+    ServiceAccount,
+    ServiceAccountKey,
+    ServiceAccountOrganizationPermission,
+    ServiceAccountWorkspacePermission
+} from '../../models';
+import {
+    CreateServiceAccountDto
+} from '../../interfaces/serviceAccounts/dto';
+import { BadRequestError, ServiceAccountNotFoundError } from '../../utils/errors';
+import { getSaltRounds } from '../../config';
+
+/**
+ * Return service account tied to the request (service account) client
+ * @param req
+ * @param res
+ */
+export const getCurrentServiceAccount = async (req: Request, res: Response) => {
+    const serviceAccount = await ServiceAccount.findById(req.serviceAccount._id);
+    
+    if (!serviceAccount) {
+        throw ServiceAccountNotFoundError({ message: 'Failed to find service account' });
+    }
+    
+    return res.status(200).send({
+        serviceAccount
+    });
+}
+
+/**
+ * Return service account with id [serviceAccountId]
+ * @param req 
+ * @param res 
+ */
+export const getServiceAccountById = async (req: Request, res: Response) => {
+    const { serviceAccountId } = req.params;
+    
+    const serviceAccount = await ServiceAccount.findById(serviceAccountId);
+    
+    if (!serviceAccount) {
+        throw ServiceAccountNotFoundError({ message: 'Failed to find service account' });
+    }
+    
+    return res.status(200).send({
+        serviceAccount
+    });
+}
+
+/**
+ * Create a new service account under organization with id [organizationId]
+ * that has access to workspaces [workspaces]
+ * @param req 
+ * @param res 
+ * @returns
+ */
+export const createServiceAccount = async (req: Request, res: Response) => {
+    const {
+        name,
+        organizationId,
+        publicKey,
+        expiresIn,
+    }: CreateServiceAccountDto = req.body;
+
+    let expiresAt;
+    if (expiresIn) {
+        expiresAt = new Date();
+        expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
+    }
+
+    const secret = crypto.randomBytes(16).toString('base64');
+    const secretHash = await bcrypt.hash(secret, await getSaltRounds());
+    
+    // create service account
+    const serviceAccount = await new ServiceAccount({
+        name,
+        organization: new Types.ObjectId(organizationId),
+        user: req.user,
+        publicKey,
+        lastUsed: new Date(),
+        expiresAt,
+        secretHash
+    }).save();
+    
+    const serviceAccountObj = serviceAccount.toObject();
+    
+    delete serviceAccountObj.secretHash;
+
+    // provision default org-level permission for service account
+    await new ServiceAccountOrganizationPermission({
+        serviceAccount: serviceAccount._id
+    }).save();
+    
+    const secretId = Buffer.from(serviceAccount._id.toString(), 'hex').toString('base64');
+
+    return res.status(200).send({
+        serviceAccountAccessKey: `sa.${secretId}.${secret}`,
+        serviceAccount: serviceAccountObj
+    });
+}
+
+/**
+ * Change name of service account with id [serviceAccountId] to [name]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const changeServiceAccountName = async (req: Request, res: Response) => {
+    const { serviceAccountId } = req.params;
+    const { name } = req.body;
+    
+    const serviceAccount = await ServiceAccount.findOneAndUpdate(
+        {
+            _id: new Types.ObjectId(serviceAccountId)
+        },
+        {
+            name
+        },
+        {
+            new: true
+        }
+    );
+    
+    return res.status(200).send({
+        serviceAccount
+    });
+}
+
+/**
+ * Add a service account key to service account with id [serviceAccountId]
+ * for workspace with id [workspaceId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const addServiceAccountKey = async (req: Request, res: Response) => {
+    const {
+        workspaceId,
+        encryptedKey,
+        nonce
+    } = req.body;
+    
+    const serviceAccountKey = await new ServiceAccountKey({
+        encryptedKey,
+        nonce,
+        sender: req.user._id,
+        serviceAccount: req.serviceAccount._d,
+        workspace: new Types.ObjectId(workspaceId)
+    }).save();
+
+    return serviceAccountKey;
+}
+
+/**
+ * Return workspace-level permission for service account with id [serviceAccountId]
+ * @param req 
+ * @param res 
+ */
+export const getServiceAccountWorkspacePermissions = async (req: Request, res: Response) => {
+    const serviceAccountWorkspacePermissions = await ServiceAccountWorkspacePermission.find({
+        serviceAccount: req.serviceAccount._id
+    }).populate('workspace');
+    
+    return res.status(200).send({
+        serviceAccountWorkspacePermissions
+    });
+}
+
+/**
+ * Add a workspace permission to service account with id [serviceAccountId]
+ * @param req 
+ * @param res 
+ */
+export const addServiceAccountWorkspacePermission = async (req: Request, res: Response) => {
+    const { serviceAccountId } = req.params;
+    const {
+        environment,
+        workspaceId,
+        read = false,
+        write = false,
+        encryptedKey,
+        nonce
+    } = req.body;
+    
+    if (!req.membership.workspace.environments.some((e: { name: string; slug: string }) => e.slug === environment)) {
+        return res.status(400).send({
+            message: 'Failed to validate workspace environment'
+        });
+    }
+    
+    const existingPermission = await ServiceAccountWorkspacePermission.findOne({
+        serviceAccount: new Types.ObjectId(serviceAccountId),
+        workspace: new Types.ObjectId(workspaceId),
+        environment
+    });
+    
+    if (existingPermission) throw BadRequestError({ message: 'Failed to add workspace permission to service account due to already-existing ' });
+
+    const serviceAccountWorkspacePermission = await new ServiceAccountWorkspacePermission({
+        serviceAccount: new Types.ObjectId(serviceAccountId),
+        workspace: new Types.ObjectId(workspaceId),
+        environment,
+        read,
+        write
+    }).save();
+    
+    const existingServiceAccountKey = await ServiceAccountKey.findOne({
+        serviceAccount: new Types.ObjectId(serviceAccountId),
+        workspace: new Types.ObjectId(workspaceId) 
+    });
+    
+    if (!existingServiceAccountKey) {
+        await new ServiceAccountKey({
+            encryptedKey,
+            nonce,
+            sender: req.user._id,
+            serviceAccount: new Types.ObjectId(serviceAccountId),
+            workspace: new Types.ObjectId(workspaceId)
+        }).save();
+    }
+
+    return res.status(200).send({
+        serviceAccountWorkspacePermission
+    });
+}
+
+/**
+ * Delete workspace permission from service account with id [serviceAccountId]
+ * @param req 
+ * @param res 
+ */
+export const deleteServiceAccountWorkspacePermission = async (req: Request, res: Response) => {
+    const { serviceAccountWorkspacePermissionId } = req.params;
+    const serviceAccountWorkspacePermission = await ServiceAccountWorkspacePermission.findByIdAndDelete(serviceAccountWorkspacePermissionId);
+
+    if (serviceAccountWorkspacePermission) {
+        const { serviceAccount, workspace } = serviceAccountWorkspacePermission;
+        const count = await ServiceAccountWorkspacePermission.countDocuments({
+            serviceAccount,
+            workspace
+        });
+        
+        if (count === 0) {
+            await ServiceAccountKey.findOneAndDelete({
+                serviceAccount,
+                workspace
+            });
+        }
+    }
+
+    return res.status(200).send({
+        serviceAccountWorkspacePermission
+    });
+}
+
+/**
+ * Delete service account with id [serviceAccountId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const deleteServiceAccount = async (req: Request, res: Response) => {
+    const { serviceAccountId } = req.params;
+
+    const serviceAccount = await ServiceAccount.findByIdAndDelete(serviceAccountId);
+
+    if (serviceAccount) {
+        await ServiceAccountKey.deleteMany({
+            serviceAccount: serviceAccount._id
+        });
+
+        await ServiceAccountOrganizationPermission.deleteMany({
+            serviceAccount: new Types.ObjectId(serviceAccountId)
+        });
+
+        await ServiceAccountWorkspacePermission.deleteMany({
+            serviceAccount: new Types.ObjectId(serviceAccountId)
+        });
+    }
+
+    return res.status(200).send({
+        serviceAccount
+    });
+}
+
+/**
+ * Return service account keys for service account with id [serviceAccountId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getServiceAccountKeys = async (req: Request, res: Response) => {
+    const workspaceId = req.query.workspaceId as string;
+    
+    const serviceAccountKeys = await ServiceAccountKey.find({
+        serviceAccount: req.serviceAccount._id,
+        ...(workspaceId ? { workspace: new Types.ObjectId(workspaceId) } : {})
+    });
+    
+    return res.status(200).send({
+        serviceAccountKeys
+    });
+}

backend/src/controllers/v2/serviceTokenDataController.ts

@@ -1,15 +1,21 @@
-import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
+import { Request, Response } from 'express';
 import crypto from 'crypto';
 import bcrypt from 'bcrypt';
 import {
+    User,
+    ServiceAccount,
     ServiceTokenData
 } from '../../models';
-import {
-    SALT_ROUNDS
-} from '../../config';
 import { userHasWorkspaceAccess } from '../../ee/helpers/checkMembershipPermissions';
-import { ABILITY_READ } from '../../variables/organization';
+import { 
+    PERMISSION_READ_SECRETS,
+    AUTH_MODE_JWT,
+    AUTH_MODE_SERVICE_ACCOUNT,
+    AUTH_MODE_SERVICE_TOKEN
+} from '../../variables';
+import { getSaltRounds } from '../../config';
+import { BadRequestError } from '../../utils/errors';
 
 /**
  * Return service token data associated with service token on request
@@ -17,7 +23,44 @@ import { ABILITY_READ } from '../../variables/organization';
  * @param res 
  * @returns 
  */
-export const getServiceTokenData = async (req: Request, res: Response) => res.status(200).json(req.serviceTokenData);
+export const getServiceTokenData = async (req: Request, res: Response) => {
+    /* 
+    #swagger.summary = 'Return Infisical Token data'
+    #swagger.description = 'Return Infisical Token data'
+    
+    #swagger.security = [{
+        "bearerAuth": []
+    }]
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+                    "type": "object",
+					"properties": {
+                        "serviceTokenData": {
+                            "type": "object",
+                            $ref: "#/components/schemas/ServiceTokenData",
+                            "description": "Details of service token"
+                        }
+					}
+                }
+            }           
+        }
+    }   
+    */
+
+    if (!(req.authData.authPayload instanceof ServiceTokenData)) throw BadRequestError({
+        message: 'Failed accepted client validation for service token data'
+    });
+
+    const serviceTokenData = await ServiceTokenData
+        .findById(req.authData.authPayload._id)
+        .select('+encryptedKey +iv +tag')
+        .populate('user');
+
+    return res.status(200).json(serviceTokenData);
+}
 
 /**
  * Create new service token data for workspace with id [workspaceId] and
@@ -27,56 +70,60 @@ export const getServiceTokenData = async (req: Request, res: Response) => res.st
  * @returns 
  */
 export const createServiceTokenData = async (req: Request, res: Response) => {
-    let serviceToken, serviceTokenData;
-    try {
-        const {
-            name,
-            workspaceId,
-            environment,
-            encryptedKey,
-            iv,
-            tag,
-            expiresIn
-        } = req.body;
+    let serviceTokenData;
 
-        const hasAccess = await userHasWorkspaceAccess(req.user, workspaceId, environment, ABILITY_READ)
-        if (!hasAccess) {
-            throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
-        }
+    const {
+        name,
+        workspaceId,
+        environment,
+        encryptedKey,
+        iv,
+        tag,
+        expiresIn,
+        permissions
+    } = req.body;
 
-        const secret = crypto.randomBytes(16).toString('hex');
-        const secretHash = await bcrypt.hash(secret, SALT_ROUNDS);
+    const secret = crypto.randomBytes(16).toString('hex');
+    const secretHash = await bcrypt.hash(secret, await getSaltRounds());
 
-        const expiresAt = new Date();
+    let expiresAt; 
+    if (expiresIn) {
+        expiresAt = new Date()
         expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
-
-        serviceTokenData = await new ServiceTokenData({
-            name,
-            workspace: workspaceId,
-            environment,
-            user: req.user._id,
-            expiresAt,
-            secretHash,
-            encryptedKey,
-            iv,
-            tag
-        }).save();
-
-        // return service token data without sensitive data
-        serviceTokenData = await ServiceTokenData.findById(serviceTokenData._id);
-
-        if (!serviceTokenData) throw new Error('Failed to find service token data');
-
-        serviceToken = `st.${serviceTokenData._id.toString()}.${secret}`;
-
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-        Sentry.captureException(err);
-        return res.status(400).send({
-            message: 'Failed to create service token data'
-        });
     }
 
+    let user, serviceAccount;
+    
+    if (req.authData.authMode === AUTH_MODE_JWT && req.authData.authPayload instanceof User) {
+        user = req.authData.authPayload._id;
+    }
+
+    if (req.authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && req.authData.authPayload instanceof ServiceAccount) {
+        serviceAccount = req.authData.authPayload._id;
+    }
+        
+    serviceTokenData = await new ServiceTokenData({
+        name,
+        workspace: workspaceId,
+        environment,
+        user,
+        serviceAccount,
+        lastUsed: new Date(),
+        expiresAt,
+        secretHash,
+        encryptedKey,
+        iv,
+        tag,
+        permissions
+    }).save();
+
+    // return service token data without sensitive data
+    serviceTokenData = await ServiceTokenData.findById(serviceTokenData._id);
+
+    if (!serviceTokenData) throw new Error('Failed to find service token data');
+
+    const serviceToken = `st.${serviceTokenData._id.toString()}.${secret}`;
+
     return res.status(200).send({
         serviceToken,
         serviceTokenData
@@ -90,25 +137,11 @@ export const createServiceTokenData = async (req: Request, res: Response) => {
  * @returns 
  */
 export const deleteServiceTokenData = async (req: Request, res: Response) => {
-    let serviceTokenData;
-    try {
-        const { serviceTokenDataId } = req.params;
+    const { serviceTokenDataId } = req.params;
 
-        serviceTokenData = await ServiceTokenData.findByIdAndDelete(serviceTokenDataId);
-
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-        Sentry.captureException(err);
-        return res.status(400).send({
-            message: 'Failed to delete service token data'
-        });
-    }
+    const serviceTokenData = await ServiceTokenData.findByIdAndDelete(serviceTokenDataId);
 
     return res.status(200).send({
         serviceTokenData
     });
-}
-
-function UnauthorizedRequestError(arg0: { message: string; }) {
-    throw new Error('Function not implemented.');
-}
+}

backend/src/controllers/v2/signupController.ts

@@ -7,8 +7,9 @@ import {
 } from '../../helpers/signup';
 import { issueAuthTokens } from '../../helpers/auth';
 import { INVITED, ACCEPTED } from '../../variables';
-import { NODE_ENV } from '../../config';
-import axios from 'axios';
+import { standardRequest } from '../../config/request';
+import { getLoopsApiKey, getHttpsEnabled } from '../../config';
+import { updateSubscriptionOrgQuantity } from '../../helpers/organization';
 
 /**
  * Complete setting up user by adding their personal and auth information as part of the
@@ -24,9 +25,9 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 			email,
 			firstName,
 			lastName,
-            protectedKey,
-            protectedKeyIV,
-            protectedKeyTag,
+			protectedKey,
+			protectedKeyIV,
+			protectedKeyTag,
 			publicKey,
 			encryptedPrivateKey,
 			encryptedPrivateKeyIV,
@@ -38,9 +39,9 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 			email: string;
 			firstName: string;
 			lastName: string;
-            protectedKey: string;
-            protectedKeyIV: string;
-            protectedKeyTag: string;
+			protectedKey: string;
+			protectedKeyIV: string;
+			protectedKeyTag: string;
 			publicKey: string;
 			encryptedPrivateKey: string;
 			encryptedPrivateKeyIV: string;
@@ -48,11 +49,11 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 			salt: string;
 			verifier: string;
 			organizationName: string;
-        } = req.body;
+		} = req.body;
 
 		// get user
 		user = await User.findOne({ email });
-		
+
 		if (!user || (user && user?.publicKey)) {
 			// case 1: user doesn't exist.
 			// case 2: user has already completed account
@@ -66,10 +67,10 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 			userId: user._id.toString(),
 			firstName,
 			lastName,
-            encryptionVersion: 2,
-            protectedKey,
-            protectedKeyIV,
-            protectedKeyTag,
+			encryptionVersion: 2,
+			protectedKey,
+			protectedKeyIV,
+			protectedKeyTag,
 			publicKey,
 			encryptedPrivateKey,
 			encryptedPrivateKeyIV,
@@ -87,6 +88,19 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 			user
 		});
 
+		// update organization membership statuses that are
+		// invited to completed with user attached
+		const membershipsToUpdate = await MembershipOrg.find({
+			inviteEmail: email,
+			status: INVITED
+		});
+		
+		membershipsToUpdate.forEach(async (membership) => {
+			await updateSubscriptionOrgQuantity({
+				organizationId: membership.organization.toString()
+			});
+		});
+
 		// update organization membership statuses that are
 		// invited to completed with user attached
 		await MembershipOrg.updateMany(
@@ -108,8 +122,8 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 		token = tokens.token;
 
 		// sending a welcome email to new users
-		if (process.env.LOOPS_API_KEY) {
-			await axios.post("https://app.loops.so/api/v1/events/send", {
+		if (await getLoopsApiKey()) {
+			await standardRequest.post("https://app.loops.so/api/v1/events/send", {
 				"email": email,
 				"eventName": "Sign Up",
 				"firstName": firstName,
@@ -117,7 +131,7 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 			}, {
 				headers: {
 					"Accept": "application/json",
-					"Authorization": "Bearer " + process.env.LOOPS_API_KEY
+					"Authorization": "Bearer " + (await getLoopsApiKey())
 				},
 			});
 		}
@@ -127,7 +141,7 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 			httpOnly: true,
 			path: '/',
 			sameSite: 'strict',
-			secure: NODE_ENV === 'production' ? true : false
+			secure: await getHttpsEnabled()
 		});
 	} catch (err) {
 		Sentry.setUser(null);
@@ -158,9 +172,9 @@ export const completeAccountInvite = async (req: Request, res: Response) => {
 			email,
 			firstName,
 			lastName,
-            protectedKey,
-            protectedKeyIV,
-            protectedKeyTag,
+			protectedKey,
+			protectedKeyIV,
+			protectedKeyTag,
 			publicKey,
 			encryptedPrivateKey,
 			encryptedPrivateKeyIV,
@@ -192,10 +206,10 @@ export const completeAccountInvite = async (req: Request, res: Response) => {
 			userId: user._id.toString(),
 			firstName,
 			lastName,
-            encryptionVersion: 2,
-            protectedKey,
-            protectedKeyIV,
-            protectedKeyTag,
+			encryptionVersion: 2,
+			protectedKey,
+			protectedKeyIV,
+			protectedKeyTag,
 			publicKey,
 			encryptedPrivateKey,
 			encryptedPrivateKeyIV,
@@ -206,9 +220,20 @@ export const completeAccountInvite = async (req: Request, res: Response) => {
 
 		if (!user)
 			throw new Error('Failed to complete account for non-existent user');
-
+		
 		// update organization membership statuses that are
 		// invited to completed with user attached
+		const membershipsToUpdate = await MembershipOrg.find({
+			inviteEmail: email,
+			status: INVITED
+		});
+		
+		membershipsToUpdate.forEach(async (membership) => {
+			await updateSubscriptionOrgQuantity({
+				organizationId: membership.organization.toString()
+			});
+		});
+
 		await MembershipOrg.updateMany(
 			{
 				inviteEmail: email,
@@ -232,7 +257,7 @@ export const completeAccountInvite = async (req: Request, res: Response) => {
 			httpOnly: true,
 			path: '/',
 			sameSite: 'strict',
-			secure: NODE_ENV === 'production' ? true : false
+			secure: await getHttpsEnabled()
 		});
 	} catch (err) {
 		Sentry.setUser(null);
@@ -241,7 +266,7 @@ export const completeAccountInvite = async (req: Request, res: Response) => {
 			message: 'Failed to complete account setup'
 		});
 	}
-	
+
 	return res.status(200).send({
 		message: 'Successfully set up account',
 		user,

backend/src/controllers/v2/usersController.ts

@@ -41,7 +41,7 @@ export const getMe = async (req: Request, res: Response) => {
     try {
         user = await User
             .findById(req.user._id)
-            .select('+publicKey +encryptedPrivateKey +iv +tag');
+            .select('+salt +publicKey +encryptedPrivateKey +iv +tag +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag');
     } catch (err) {
         Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);

backend/src/controllers/v2/workspaceController.ts

@@ -19,7 +19,7 @@ import {
 	reformatPullSecrets
 } from '../../helpers/secret';
 import { pushKeys } from '../../helpers/key';
-import { postHogClient, EventService } from '../../services';
+import { TelemetryService, EventService } from '../../services';
 import { eventPushSecrets } from '../../events';
 
 interface V2PushSecret {
@@ -48,6 +48,7 @@ interface V2PushSecret {
 export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
 	// upload (encrypted) secrets to workspace with id [workspaceId]
 	try {
+		const postHogClient = await TelemetryService.getPostHogClient();
 		let { secrets }: { secrets: V2PushSecret[] } = req.body;
 		const { keys, environment, channel } = req.body;
 		const { workspaceId } = req.params;
@@ -94,7 +95,8 @@ export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
 		// trigger event - push secrets
 		EventService.handleEvent({
 			event: eventPushSecrets({
-				workspaceId
+				workspaceId: new Types.ObjectId(workspaceId),
+				environment
 			})
 		});
 
@@ -121,6 +123,7 @@ export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
 export const pullSecrets = async (req: Request, res: Response) => {
 	let secrets;
 	try {
+		const postHogClient = await TelemetryService.getPostHogClient();
 		const environment: string = req.query.environment as string;
 		const channel: string = req.query.channel as string;
 		const { workspaceId } = req.params;
@@ -129,7 +132,7 @@ export const pullSecrets = async (req: Request, res: Response) => {
 		if (req.user) {
 			userId = req.user._id.toString();
 		} else if (req.serviceTokenData) {
-			userId = req.serviceTokenData.user._id
+			userId = req.serviceTokenData.user.toString();
 		}
 		// validate environment
 		const workspaceEnvs = req.membership.workspace.environments;
@@ -504,5 +507,4 @@ export const toggleAutoCapitalization = async (req: Request, res: Response) => {
 		message: 'Successfully changed autoCapitalization setting',
 		workspace
 	});
-};
-
+};

backend/src/controllers/v3/authController.ts

@@ -0,0 +1,260 @@
+/* eslint-disable @typescript-eslint/no-var-requires */
+import { Request, Response } from 'express';
+import jwt from 'jsonwebtoken';
+import * as Sentry from '@sentry/node';
+import * as bigintConversion from 'bigint-conversion';
+const jsrp = require('jsrp');
+import { User, LoginSRPDetail } from '../../models';
+import { issueAuthTokens, createToken, validateProviderAuthToken } from '../../helpers/auth';
+import { checkUserDevice } from '../../helpers/user';
+import { sendMail } from '../../helpers/nodemailer';
+import { TokenService } from '../../services';
+import { EELogService } from '../../ee/services';
+import { BadRequestError, InternalServerError } from '../../utils/errors';
+import {
+    TOKEN_EMAIL_MFA,
+    ACTION_LOGIN
+} from '../../variables';
+import { getChannelFromUserAgent } from '../../utils/posthog'; // TODO: move this
+import {
+    getJwtMfaLifetime,
+    getJwtMfaSecret,
+    getHttpsEnabled,
+} from '../../config';
+import { AuthProvider } from '../../models/user';
+
+declare module 'jsonwebtoken' {
+    export interface ProviderAuthJwtPayload extends jwt.JwtPayload {
+        userId: string;
+        email: string;
+        authProvider: AuthProvider;
+        isUserCompleted: boolean,
+    }
+}
+
+/**
+ * Log in user step 1: Return [salt] and [serverPublicKey] as part of step 1 of SRP protocol
+ * @param req
+ * @param res
+ * @returns
+ */
+export const login1 = async (req: Request, res: Response) => {
+    try {
+        const {
+            email,
+            providerAuthToken,
+            clientPublicKey
+        }: {
+            email: string;
+            clientPublicKey: string,
+            providerAuthToken?: string;
+        } = req.body;
+
+        const user = await User.findOne({
+            email,
+        }).select('+salt +verifier');
+
+        if (!user) throw new Error('Failed to find user');
+
+        if (user.authProvider) {
+            await validateProviderAuthToken({
+                email,
+                user,
+                providerAuthToken,
+            })
+        }
+
+        const server = new jsrp.server();
+        server.init(
+            {
+                salt: user.salt,
+                verifier: user.verifier
+            },
+            async () => {
+                // generate server-side public key
+                const serverPublicKey = server.getPublicKey();
+                await LoginSRPDetail.findOneAndReplace({
+                    email: email
+                }, {
+                    email,
+                    userId: user.id,
+                    clientPublicKey: clientPublicKey,
+                    serverBInt: bigintConversion.bigintToBuf(server.bInt),
+                }, { upsert: true, returnNewDocument: false });
+
+                return res.status(200).send({
+                    serverPublicKey,
+                    salt: user.salt
+                });
+            }
+        );
+    } catch (err) {
+        Sentry.setUser(null);
+        Sentry.captureException(err);
+        return res.status(400).send({
+            message: 'Failed to start authentication process'
+        });
+    }
+};
+
+/**
+ * Log in user step 2: complete step 2 of SRP protocol and return token and their (encrypted)
+ * private key
+ * @param req
+ * @param res
+ * @returns
+ */
+export const login2 = async (req: Request, res: Response) => {
+    try {
+
+        if (!req.headers['user-agent']) throw InternalServerError({ message: 'User-Agent header is required' });
+
+        const { email, clientProof, providerAuthToken } = req.body;
+
+        const user = await User.findOne({
+            email,
+        }).select('+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag');
+
+        if (!user) throw new Error('Failed to find user');
+
+        if (user.authProvider) {
+            await validateProviderAuthToken({
+                email,
+                user,
+                providerAuthToken,
+            })
+        }
+
+        const loginSRPDetail = await LoginSRPDetail.findOneAndDelete({ email: email })
+
+        if (!loginSRPDetail) {
+            return BadRequestError(Error("Failed to find login details for SRP"))
+        }
+
+        const server = new jsrp.server();
+        server.init(
+            {
+                salt: user.salt,
+                verifier: user.verifier,
+                b: loginSRPDetail.serverBInt
+            },
+            async () => {
+                server.setClientPublicKey(loginSRPDetail.clientPublicKey);
+
+                // compare server and client shared keys
+                if (server.checkClientProof(clientProof)) {
+
+                    if (user.isMfaEnabled) {
+                        // case: user has MFA enabled
+
+                        // generate temporary MFA token
+                        const token = createToken({
+                            payload: {
+                                userId: user._id.toString()
+                            },
+                            expiresIn: await getJwtMfaLifetime(),
+                            secret: await getJwtMfaSecret()
+                        });
+
+                        const code = await TokenService.createToken({
+                            type: TOKEN_EMAIL_MFA,
+                            email
+                        });
+
+                        // send MFA code [code] to [email]
+                        await sendMail({
+                            template: 'emailMfa.handlebars',
+                            subjectLine: 'Infisical MFA code',
+                            recipients: [user.email],
+                            substitutions: {
+                                code
+                            }
+                        });
+
+                        return res.status(200).send({
+                            mfaEnabled: true,
+                            token
+                        });
+                    }
+
+                    await checkUserDevice({
+                        user,
+                        ip: req.ip,
+                        userAgent: req.headers['user-agent'] ?? ''
+                    });
+
+                    // issue tokens
+                    const tokens = await issueAuthTokens({ userId: user._id.toString() });
+
+                    // store (refresh) token in httpOnly cookie
+                    res.cookie('jid', tokens.refreshToken, {
+                        httpOnly: true,
+                        path: '/',
+                        sameSite: 'strict',
+                        secure: await getHttpsEnabled()
+                    });
+
+                    // case: user does not have MFA enablgged
+                    // return (access) token in response
+
+                    interface ResponseData {
+                        mfaEnabled: boolean;
+                        encryptionVersion: any;
+                        protectedKey?: string;
+                        protectedKeyIV?: string;
+                        protectedKeyTag?: string;
+                        token: string;
+                        publicKey?: string;
+                        encryptedPrivateKey?: string;
+                        iv?: string;
+                        tag?: string;
+                    }
+
+                    const response: ResponseData = {
+                        mfaEnabled: false,
+                        encryptionVersion: user.encryptionVersion,
+                        token: tokens.token,
+                        publicKey: user.publicKey,
+                        encryptedPrivateKey: user.encryptedPrivateKey,
+                        iv: user.iv,
+                        tag: user.tag
+                    }
+
+                    if (
+                        user?.protectedKey &&
+                        user?.protectedKeyIV &&
+                        user?.protectedKeyTag
+                    ) {
+                        response.protectedKey = user.protectedKey;
+                        response.protectedKeyIV = user.protectedKeyIV
+                        response.protectedKeyTag = user.protectedKeyTag;
+                    }
+
+                    const loginAction = await EELogService.createAction({
+                        name: ACTION_LOGIN,
+                        userId: user._id
+                    });
+
+                    loginAction && await EELogService.createLog({
+                        userId: user._id,
+                        actions: [loginAction],
+                        channel: getChannelFromUserAgent(req.headers['user-agent']),
+                        ipAddress: req.ip
+                    });
+
+                    return res.status(200).send(response);
+                }
+
+                return res.status(400).send({
+                    message: 'Failed to authenticate. Try again?'
+                });
+            }
+        );
+    } catch (err) {
+        Sentry.setUser(null);
+        Sentry.captureException(err);
+        return res.status(400).send({
+            message: 'Failed to authenticate. Try again?'
+        });
+    }
+};

backend/src/controllers/v3/index.ts

@@ -0,0 +1,11 @@
+import * as secretsController from './secretsController';
+import * as workspacesController from './workspacesController';
+import * as authController from './authController';
+import * as signupController from './signupController';
+
+export {
+    authController,
+    secretsController,
+    signupController,
+    workspacesController,
+}

backend/src/controllers/v3/secretsController.ts

@@ -0,0 +1,183 @@
+import { Request, Response } from 'express';
+import { Types } from 'mongoose';
+import { 
+    SecretService, 
+    TelemetryService,
+    EventService
+} from '../../services';
+import { eventPushSecrets } from '../../events';
+import { getAuthDataPayloadIdObj } from '../../utils/auth';
+import { BadRequestError } from '../../utils/errors';
+
+/**
+ * Get secrets for workspace with id [workspaceId] and environment
+ * [environment]
+ * @param req 
+ * @param res 
+ */
+export const getSecrets = async (req: Request, res: Response) => {
+    const workspaceId = req.query.workspaceId as string;
+    const environment = req.query.environment as string;
+
+    const secrets = await SecretService.getSecrets({
+        workspaceId: new Types.ObjectId(workspaceId),
+        environment,
+        authData: req.authData
+    });
+
+    return res.status(200).send({
+        secrets
+    });
+}
+
+/**
+ * Get secret with name [secretName]
+ * @param req 
+ * @param res 
+ */
+export const getSecretByName = async (req: Request, res: Response) => {
+    const { secretName } = req.params;
+    const workspaceId = req.query.workspaceId as string;
+    const environment = req.query.environment as string;
+    const type = req.query.type as 'shared' | 'personal' | undefined;
+
+    const secret = await SecretService.getSecret({
+        secretName,
+        workspaceId: new Types.ObjectId(workspaceId),
+        environment,
+        type,
+        authData: req.authData
+    });
+    
+    return res.status(200).send({
+        secret
+    });
+}
+
+/**
+ * Create secret with name [secretName]
+ * @param req 
+ * @param res 
+ */
+export const createSecret = async (req: Request, res: Response) => {
+    const { secretName } = req.params;
+    const { 
+        workspaceId,
+        environment,
+        type,
+        secretKeyCiphertext,
+        secretKeyIV,
+        secretKeyTag,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag,
+        secretCommentCiphertext,
+        secretCommentIV,
+        secretCommentTag
+    } = req.body;
+    
+    const secret = await SecretService.createSecret({
+        secretName,
+        workspaceId: new Types.ObjectId(workspaceId),
+        environment,
+        type,
+        authData: req.authData,
+        secretKeyCiphertext,
+        secretKeyIV,
+        secretKeyTag,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag,
+        ...((secretCommentCiphertext && secretCommentIV && secretCommentTag) ? {
+            secretCommentCiphertext,
+            secretCommentIV,
+            secretCommentTag
+        } : {})
+    });
+
+    await EventService.handleEvent({
+        event: eventPushSecrets({
+            workspaceId: new Types.ObjectId(workspaceId),
+            environment
+        })
+    });
+
+    const secretWithoutBlindIndex = secret.toObject();
+    delete secretWithoutBlindIndex.secretBlindIndex;
+    
+    return res.status(200).send({
+        secret: secretWithoutBlindIndex
+    });
+}
+
+/**
+ * Update secret with name [secretName]
+ * @param req
+ * @param res 
+ */
+export const updateSecretByName = async (req: Request, res: Response) => {
+    const { secretName } = req.params;
+    const {
+        workspaceId,
+        environment,
+        type,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag
+    } = req.body;
+
+    const secret = await SecretService.updateSecret({
+        secretName,
+        workspaceId,
+        environment,
+        type,
+        authData: req.authData,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag
+    });
+    
+    await EventService.handleEvent({
+        event: eventPushSecrets({
+            workspaceId: new Types.ObjectId(workspaceId),
+            environment
+        })
+    });
+
+    return res.status(200).send({
+        secret
+    });
+}
+
+/**
+ * Delete secret with name [secretName]
+ * @param req 
+ * @param res 
+ */
+export const deleteSecretByName = async (req: Request, res: Response) => {
+    const { secretName } = req.params;
+    const {
+        workspaceId,
+        environment,
+        type
+    } = req.body;
+    
+    const { secret, secrets } = await SecretService.deleteSecret({
+        secretName,
+        workspaceId,
+        environment,
+        type,
+        authData: req.authData
+    });
+
+    await EventService.handleEvent({
+        event: eventPushSecrets({
+            workspaceId: new Types.ObjectId(workspaceId),
+            environment
+        })
+    });
+
+    return res.status(200).send({
+        secret
+    });
+}

backend/src/controllers/v3/signupController.ts

@@ -0,0 +1,192 @@
+import jwt from 'jsonwebtoken';
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { User, MembershipOrg } from '../../models';
+import { completeAccount } from '../../helpers/user';
+import {
+	initializeDefaultOrg
+} from '../../helpers/signup';
+import { issueAuthTokens, validateProviderAuthToken } from '../../helpers/auth';
+import { INVITED, ACCEPTED } from '../../variables';
+import { standardRequest } from '../../config/request';
+import { getLoopsApiKey, getHttpsEnabled, getJwtSignupSecret } from '../../config';
+import { BadRequestError } from '../../utils/errors';
+import { TelemetryService } from '../../services';
+
+/**
+ * Complete setting up user by adding their personal and auth information as part of the
+ * signup flow
+ * @param req
+ * @param res
+ * @returns
+ */
+export const completeAccountSignup = async (req: Request, res: Response) => {
+	let user, token, refreshToken;
+	try {
+		const {
+			email,
+			firstName,
+			lastName,
+			protectedKey,
+			protectedKeyIV,
+			protectedKeyTag,
+			publicKey,
+			encryptedPrivateKey,
+			encryptedPrivateKeyIV,
+			encryptedPrivateKeyTag,
+			salt,
+			verifier,
+			organizationName,
+			providerAuthToken,
+			attributionSource,
+		}: {
+			email: string;
+			firstName: string;
+			lastName: string;
+			protectedKey: string;
+			protectedKeyIV: string;
+			protectedKeyTag: string;
+			publicKey: string;
+			encryptedPrivateKey: string;
+			encryptedPrivateKeyIV: string;
+			encryptedPrivateKeyTag: string;
+			salt: string;
+			verifier: string;
+			organizationName: string;
+			providerAuthToken?: string;
+			attributionSource?: string;
+		} = req.body;
+
+		user = await User.findOne({ email });
+
+		if (!user || (user && user?.publicKey)) {
+			// case 1: user doesn't exist.
+			// case 2: user has already completed account
+			return res.status(403).send({
+				error: 'Failed to complete account for complete user'
+			});
+		}
+
+		if (providerAuthToken) {
+			await validateProviderAuthToken({
+				email,
+				providerAuthToken,
+				user,
+			});
+		} else {
+			const [AUTH_TOKEN_TYPE, AUTH_TOKEN_VALUE] = <[string, string]>req.headers['authorization']?.split(' ', 2) ?? [null, null]
+			if (AUTH_TOKEN_TYPE === null) {
+				throw BadRequestError({ message: `Missing Authorization Header in the request header.` });
+			}
+			if (AUTH_TOKEN_TYPE.toLowerCase() !== 'bearer') {
+				throw BadRequestError({ message: `The provided authentication type '${AUTH_TOKEN_TYPE}' is not supported.` })
+			}
+			if (AUTH_TOKEN_VALUE === null) {
+				throw BadRequestError({
+					message: 'Missing Authorization Body in the request header',
+				})
+			}
+
+			const decodedToken = <jwt.UserIDJwtPayload>(
+				jwt.verify(AUTH_TOKEN_VALUE, await getJwtSignupSecret())
+			);
+
+			if (decodedToken.userId !== user.id) {
+				throw BadRequestError();
+			}
+		}
+
+		// complete setting up user's account
+		user = await completeAccount({
+			userId: user._id.toString(),
+			firstName,
+			lastName,
+			encryptionVersion: 2,
+			protectedKey,
+			protectedKeyIV,
+			protectedKeyTag,
+			publicKey,
+			encryptedPrivateKey,
+			encryptedPrivateKeyIV,
+			encryptedPrivateKeyTag,
+			salt,
+			verifier
+		});
+
+		if (!user)
+			throw new Error('Failed to complete account for non-existent user'); // ensure user is non-null
+
+		// initialize default organization and workspace
+		await initializeDefaultOrg({
+			organizationName,
+			user
+		});
+
+		// update organization membership statuses that are
+		// invited to completed with user attached
+		await MembershipOrg.updateMany(
+			{
+				inviteEmail: email,
+				status: INVITED
+			},
+			{
+				user,
+				status: ACCEPTED
+			}
+		);
+
+		// issue tokens
+		const tokens = await issueAuthTokens({
+			userId: user._id.toString()
+		});
+
+		token = tokens.token;
+
+		// sending a welcome email to new users
+		if (await getLoopsApiKey()) {
+			await standardRequest.post("https://app.loops.so/api/v1/events/send", {
+				"email": email,
+				"eventName": "Sign Up",
+				"firstName": firstName,
+				"lastName": lastName
+			}, {
+				headers: {
+					"Accept": "application/json",
+					"Authorization": "Bearer " + (await getLoopsApiKey())
+				},
+			});
+		}
+
+		// store (refresh) token in httpOnly cookie
+		res.cookie('jid', tokens.refreshToken, {
+			httpOnly: true,
+			path: '/',
+			sameSite: 'strict',
+			secure: await getHttpsEnabled()
+		});
+
+		const postHogClient = await TelemetryService.getPostHogClient();
+		if (postHogClient) {
+			postHogClient.capture({
+				event: 'User Signed Up',
+				distinctId: email,
+				properties: {
+					email,
+					attributionSource
+				}
+			});
+		}
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to complete account setup'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Successfully set up account',
+		user,
+		token
+	});
+};

backend/src/controllers/v3/workspacesController.ts

@@ -0,0 +1,90 @@
+import { Request, Response } from 'express';
+import { Types } from 'mongoose';
+import { Secret } from '../../models';
+import { SecretService } from'../../services';
+
+/**
+ * Return whether or not all secrets in workspace with id [workspaceId]
+ * are blind-indexed
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getWorkspaceBlindIndexStatus = async (req: Request, res: Response) => {
+    const { workspaceId } = req.params;
+
+    const secretsWithoutBlindIndex = await Secret.countDocuments({
+        workspace: new Types.ObjectId(workspaceId),
+        secretBlindIndex: {
+            $exists: false
+        }
+    });
+
+    return res.status(200).send(secretsWithoutBlindIndex === 0);
+}
+
+/**
+ * Get all secrets for workspace with id [workspaceId]
+ */
+export const getWorkspaceSecrets = async (req: Request, res: Response) => {
+    const { workspaceId } = req.params;
+
+    const secrets = await Secret.find({
+        workspace: new Types.ObjectId (workspaceId)
+    });
+    
+    return res.status(200).send({
+        secrets
+    });
+}
+
+/**
+ * Update blind indices for secrets in workspace with id [workspaceId]
+ * @param req 
+ * @param res 
+ */
+export const nameWorkspaceSecrets = async (req: Request, res: Response) => {
+    interface SecretToUpdate {
+        secretName: string;
+        _id: string;
+    }
+
+    const { workspaceId } = req.params;
+    const { 
+        secretsToUpdate 
+    }: {
+        secretsToUpdate: SecretToUpdate[];
+    } = req.body;
+
+    // get secret blind index salt
+    const salt = await SecretService.getSecretBlindIndexSalt({
+        workspaceId: new Types.ObjectId(workspaceId)
+    });
+
+    // update secret blind indices
+    const operations = await Promise.all(
+        secretsToUpdate.map(async (secretToUpdate: SecretToUpdate) => {
+            const secretBlindIndex = await SecretService.generateSecretBlindIndexWithSalt({
+                secretName: secretToUpdate.secretName,
+                salt
+            });
+    
+            return ({
+                updateOne: {
+                    filter: {
+                        _id: new Types.ObjectId(secretToUpdate._id)
+                    },
+                    update: {
+                        secretBlindIndex
+                    }
+                }
+            });
+        })
+    );
+
+    await Secret.bulkWrite(operations);
+
+    return res.status(200).send({
+        message: 'Successfully named workspace secrets'
+    });
+}

backend/src/ee/controllers/v1/cloudProductsController.ts

@@ -0,0 +1,34 @@
+import * as Sentry from '@sentry/node';
+import { Request, Response } from 'express';
+import { EELicenseService } from '../../services';
+import { getLicenseServerUrl } from '../../../config';
+import { licenseServerKeyRequest } from '../../../config/request';
+
+/**
+ * Return available cloud product information.
+ * Note: Nicely formatted to easily construct a table from
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getCloudProducts = async (req: Request, res: Response) => {
+    try {
+        const billingCycle = req.query['billing-cycle'] as string;
+
+        if (EELicenseService.instanceType === 'cloud') {
+            const { data } = await licenseServerKeyRequest.get(
+                `${await getLicenseServerUrl()}/api/license-server/v1/cloud-products?billing-cycle=${billingCycle}`
+            ); 
+
+            return res.status(200).send(data);
+        }
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+        Sentry.captureException(err);
+    }
+    
+    return res.status(200).send({
+        head: [],
+        rows: []
+    });
+}

backend/src/ee/controllers/v1/index.ts

@@ -1,15 +1,19 @@
 import * as stripeController from './stripeController';
 import * as secretController from './secretController';
 import * as secretSnapshotController from './secretSnapshotController';
+import * as organizationsController from './organizationsController';
 import * as workspaceController from './workspaceController';
 import * as actionController from './actionController';
 import * as membershipController from './membershipController';
+import * as cloudProductsController from './cloudProductsController';
 
 export {
     stripeController,
     secretController,
     secretSnapshotController,
+    organizationsController,
     workspaceController,
     actionController,
-    membershipController
+    membershipController,
+    cloudProductsController
 }

backend/src/ee/controllers/v1/membershipController.ts

@@ -2,7 +2,8 @@ import { Request, Response } from "express";
 import { Membership, Workspace } from "../../../models";
 import { IMembershipPermission } from "../../../models/membership";
 import { BadRequestError, UnauthorizedRequestError } from "../../../utils/errors";
-import { ABILITY_READ, ABILITY_WRITE, ADMIN, MEMBER } from "../../../variables/organization";
+import { ADMIN, MEMBER } from "../../../variables/organization";
+import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from '../../../variables';
 import { Builder } from "builder-pattern"
 import _ from "lodash";
 
@@ -10,7 +11,7 @@ export const denyMembershipPermissions = async (req: Request, res: Response) =>
   const { membershipId } = req.params;
   const { permissions } = req.body;
   const sanitizedMembershipPermissions: IMembershipPermission[] = permissions.map((permission: IMembershipPermission) => {
-    if (!permission.ability || !permission.environmentSlug || ![ABILITY_READ, ABILITY_WRITE].includes(permission.ability)) {
+    if (!permission.ability || !permission.environmentSlug || ![PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS].includes(permission.ability)) {
       throw BadRequestError({ message: "One or more required fields are missing from the request or have incorrect type" })
     }
 

backend/src/ee/controllers/v1/organizationsController.ts

@@ -0,0 +1,83 @@
+import { Request, Response } from 'express';
+import { getLicenseServerUrl } from '../../../config';
+import { licenseServerKeyRequest } from '../../../config/request';
+import { EELicenseService } from '../../services';
+
+/**
+ * Return the organization's current plan and allowed feature set
+ */
+export const getOrganizationPlan = async (req: Request, res: Response) => {
+    const { organizationId } = req.params;
+
+    const plan = await EELicenseService.getOrganizationPlan(organizationId);
+
+    return res.status(200).send({
+        plan,
+    });
+}
+
+/**
+ * Update the organization plan to product with id [productId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const updateOrganizationPlan = async (req: Request, res: Response) => {
+    const {
+        productId
+    } = req.body;
+
+    const { data  } = await licenseServerKeyRequest.patch(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/cloud-plan`,
+        {
+            productId
+        }
+    ); 
+    
+    return res.status(200).send(data);
+}
+
+/**
+ * Return the organization's payment methods on file
+ */
+export const getOrganizationPmtMethods = async (req: Request, res: Response) => {
+    const { data: { pmtMethods } } = await licenseServerKeyRequest.get(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/payment-methods`
+    );
+
+    return res.status(200).send({
+        pmtMethods
+    }); 
+}
+
+/**
+ * Return a Stripe session URL to add payment method for organization
+ */
+export const addOrganizationPmtMethod = async (req: Request, res: Response) => {
+    const {
+        success_url,
+        cancel_url
+    } = req.body;
+    
+    const { data: { url } } = await licenseServerKeyRequest.post(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/payment-methods`,
+        {
+            success_url,
+            cancel_url
+        }
+    );
+    
+    return res.status(200).send({
+        url
+    }); 
+}
+
+export const deleteOrganizationPmtMethod = async (req: Request, res: Response) => {
+    const { pmtMethodId } = req.params;
+
+    const { data } = await licenseServerKeyRequest.delete(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/payment-methods/${pmtMethodId}`,
+    );
+        
+    return res.status(200).send(data);
+}

backend/src/ee/controllers/v1/secretController.ts

@@ -1,16 +1,16 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { Secret } from '../../../models';
-import { SecretVersion } from '../../models';
-import { EESecretService } from '../../services';
+import { Request, Response } from "express";
+import * as Sentry from "@sentry/node";
+import { Secret } from "../../../models";
+import { SecretVersion } from "../../models";
+import { EESecretService } from "../../services";
 
 /**
  * Return secret versions for secret with id [secretId]
- * @param req 
- * @param res 
+ * @param req
+ * @param res
  */
- export const getSecretVersions = async (req: Request, res: Response) => {
-	/* 
+export const getSecretVersions = async (req: Request, res: Response) => {
+  /* 
     #swagger.summary = 'Return secret versions'
     #swagger.description = 'Return secret versions'
     
@@ -55,41 +55,43 @@ import { EESecretService } from '../../services';
         }
     }   
     */
-	let secretVersions;
-	try {
-		const { secretId } = req.params;
+  let secretVersions;
+  try {
+    const { secretId, workspaceId, environment, folderId } = req.params;
 
-		const offset: number = parseInt(req.query.offset as string);
-		const limit: number = parseInt(req.query.limit as string);
-		
-		secretVersions = await SecretVersion.find({
-			secret: secretId
-		})
-		.sort({ createdAt: -1 })
-		.skip(offset)
-		.limit(limit);
+    const offset: number = parseInt(req.query.offset as string);
+    const limit: number = parseInt(req.query.limit as string);
 
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get secret versions'
-		});
-	}
-	
-	return res.status(200).send({
-		secretVersions
-	});
-}
+    secretVersions = await SecretVersion.find({
+      secret: secretId,
+      workspace: workspaceId,
+      environment,
+      folder: folderId,
+    })
+      .sort({ createdAt: -1 })
+      .skip(offset)
+      .limit(limit);
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get secret versions",
+    });
+  }
+
+  return res.status(200).send({
+    secretVersions,
+  });
+};
 
 /**
  * Roll back secret with id [secretId] to version [version]
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
  */
 export const rollbackSecretVersion = async (req: Request, res: Response) => {
-	/* 
+  /* 
     #swagger.summary = 'Roll back secret to a version.'
     #swagger.description = 'Roll back secret to a version.'
     
@@ -137,88 +139,101 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
         }
     }   
     */
-	let secret;
-	try {
-		const { secretId } = req.params;
-		const { version } = req.body;
-		
-		// validate secret version
-		const oldSecretVersion = await SecretVersion.findOne({
-			secret: secretId,
-			version
-		});
-		
-		if (!oldSecretVersion) throw new Error('Failed to find secret version');
-		
-		const {
-			workspace,
-			type,
-			user,
-			environment,
-			secretKeyCiphertext,
-			secretKeyIV,
-			secretKeyTag,
-			secretValueCiphertext,
-			secretValueIV,
-			secretValueTag,
-		} = oldSecretVersion;
-		
-		// update secret
-		secret = await Secret.findByIdAndUpdate(
-			secretId,
-			{
-				$inc: {
-					version: 1
-				},
-				workspace,
-				type,
-				user,
-				environment,
-				secretKeyCiphertext,
-				secretKeyIV,
-				secretKeyTag,
-				secretValueCiphertext,
-				secretValueIV,
-				secretValueTag,
-			},
-			{
-				new: true
-			}
-		);
-		
-		if (!secret) throw new Error('Failed to find and update secret');
+  let secret;
+  try {
+    const { secretId } = req.params;
+    const { version } = req.body;
 
-		// add new secret version
-		await new SecretVersion({
-			secret: secretId,
-			version: secret.version,
-			workspace,
-			type,
-			user,
-			environment,
-			isDeleted: false,
-			secretKeyCiphertext,
-			secretKeyIV,
-			secretKeyTag,
-			secretValueCiphertext,
-			secretValueIV,
-			secretValueTag
-		}).save();
-		
-		// take secret snapshot
-		await EESecretService.takeSecretSnapshot({
-			workspaceId: secret.workspace.toString()
-		});
-		
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to roll back secret version'
-		});
-	}
-	
-	return res.status(200).send({
-		secret
-	});
-}
+    // validate secret version
+    const oldSecretVersion = await SecretVersion.findOne({
+      secret: secretId,
+      version,
+    }).select("+secretBlindIndex");
+
+    if (!oldSecretVersion) throw new Error("Failed to find secret version");
+
+    const {
+      workspace,
+      type,
+      user,
+      environment,
+      secretBlindIndex,
+      secretKeyCiphertext,
+      secretKeyIV,
+      secretKeyTag,
+      secretValueCiphertext,
+      secretValueIV,
+      secretValueTag,
+      folder,
+      algorithm,
+      keyEncoding,
+    } = oldSecretVersion;
+
+    // update secret
+    secret = await Secret.findByIdAndUpdate(
+      secretId,
+      {
+        $inc: {
+          version: 1,
+        },
+        workspace,
+        type,
+        user,
+        environment,
+        ...(secretBlindIndex ? { secretBlindIndex } : {}),
+        secretKeyCiphertext,
+        secretKeyIV,
+        secretKeyTag,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag,
+        folderId: folder,
+        algorithm,
+        keyEncoding,
+      },
+      {
+        new: true,
+      }
+    );
+
+    if (!secret) throw new Error("Failed to find and update secret");
+
+    // add new secret version
+    await new SecretVersion({
+      secret: secretId,
+      version: secret.version,
+      workspace,
+      type,
+      user,
+      environment,
+      isDeleted: false,
+      ...(secretBlindIndex ? { secretBlindIndex } : {}),
+      secretKeyCiphertext,
+      secretKeyIV,
+      secretKeyTag,
+      secretValueCiphertext,
+      secretValueIV,
+      secretValueTag,
+      folder,
+      algorithm,
+      keyEncoding,
+    }).save();
+
+    // take secret snapshot
+    await EESecretService.takeSecretSnapshot({
+      workspaceId: secret.workspace,
+      environment,
+      folderId: folder,
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to roll back secret version",
+    });
+  }
+
+  return res.status(200).send({
+    secret,
+  });
+};

backend/src/ee/controllers/v1/secretSnapshotController.ts

@@ -1,39 +1,54 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { SecretSnapshot } from '../../models';
+import { Request, Response } from "express";
+import * as Sentry from "@sentry/node";
+import {
+  ISecretVersion,
+  SecretSnapshot,
+  TFolderRootVersionSchema,
+} from "../../models";
 
 /**
  * Return secret snapshot with id [secretSnapshotId]
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
  */
 export const getSecretSnapshot = async (req: Request, res: Response) => {
-    let secretSnapshot;
-    try {
-        const { secretSnapshotId } = req.params;
+  let secretSnapshot;
+  try {
+    const { secretSnapshotId } = req.params;
 
-        secretSnapshot = await SecretSnapshot
-            .findById(secretSnapshotId)
-            .populate({
-                path: 'secretVersions',
-                populate: {
-                    path: 'tags',
-                    model: 'Tag',
-                }
-            });
-        
-        if (!secretSnapshot) throw new Error('Failed to find secret snapshot');
-        
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get secret snapshot'
-		});
-    }
-    
-    return res.status(200).send({
-        secretSnapshot
+    secretSnapshot = await SecretSnapshot.findById(secretSnapshotId)
+      .lean()
+      .populate<{ secretVersions: ISecretVersion[] }>({
+        path: 'secretVersions',
+        populate: {
+          path: 'tags',
+          model: 'Tag'
+        }
+      })
+      .populate<{ folderVersion: TFolderRootVersionSchema }>("folderVersion");
+
+    if (!secretSnapshot) throw new Error("Failed to find secret snapshot");
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get secret snapshot",
     });
-}
+  }
+  const folderId = secretSnapshot.folderId;
+  // to show only the folder required secrets
+  secretSnapshot.secretVersions = secretSnapshot.secretVersions.filter(
+    ({ folder }) => folder === folderId
+  );
+
+  secretSnapshot.folderVersion =
+    secretSnapshot?.folderVersion?.nodes?.children?.map(({ id, name }) => ({
+      id,
+      name,
+    })) as any;
+
+  return res.status(200).send({
+    secretSnapshot,
+  });
+};

backend/src/ee/controllers/v1/stripeController.ts

@@ -1,10 +1,7 @@
-import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
+import { Request, Response } from 'express';
 import Stripe from 'stripe';
-import { STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET } from '../../../config';
-const stripe = new Stripe(STRIPE_SECRET_KEY, {
-	apiVersion: '2022-08-01'
-});
+import { getStripeSecretKey, getStripeWebhookSecret } from '../../../config';
 
 /**
  * Handle service provisioning/un-provisioning via Stripe
@@ -15,12 +12,16 @@ const stripe = new Stripe(STRIPE_SECRET_KEY, {
 export const handleWebhook = async (req: Request, res: Response) => {
 	let event;
 	try {
+		const stripe = new Stripe(await getStripeSecretKey(), {
+			apiVersion: '2022-08-01'
+		});
+
 		// check request for valid stripe signature
 		const sig = req.headers['stripe-signature'] as string;
 		event = stripe.webhooks.constructEvent(
 			req.body,
 			sig,
-			STRIPE_WEBHOOK_SECRET // ?
+			await getStripeWebhookSecret()
 		);
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });

backend/src/ee/controllers/v1/workspaceController.ts

@@ -1,25 +1,30 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
+import { Request, Response } from "express";
+import * as Sentry from "@sentry/node";
+import { PipelineStage, Types } from "mongoose";
+import { Secret } from "../../../models";
 import {
-	Secret
-} from '../../../models';
-import { 
-	SecretSnapshot,
-	Log,
-	SecretVersion,
-	ISecretVersion
-} from '../../models';
-import { EESecretService } from '../../services';
-import { getLatestSecretVersionIds } from '../../helpers/secretVersion';
+  SecretSnapshot,
+  Log,
+  SecretVersion,
+  ISecretVersion,
+  FolderVersion,
+  TFolderRootVersionSchema,
+} from "../../models";
+import { EESecretService } from "../../services";
+import { getLatestSecretVersionIds } from "../../helpers/secretVersion";
+import Folder, { TFolderSchema } from "../../../models/folder";
+import { searchByFolderId } from "../../../services/FolderService";
 
 /**
  * Return secret snapshots for workspace with id [workspaceId]
- * @param req 
- * @param res 
+ * @param req
+ * @param res
  */
- export const getWorkspaceSecretSnapshots = async (req: Request, res: Response) => {
-	/* 
+export const getWorkspaceSecretSnapshots = async (
+  req: Request,
+  res: Response
+) => {
+  /* 
     #swagger.summary = 'Return project secret snapshot ids'
     #swagger.description = 'Return project secret snapshots ids'
     
@@ -64,66 +69,78 @@ import { getLatestSecretVersionIds } from '../../helpers/secretVersion';
         }
     }
     */
-	let secretSnapshots;
-	try {
-		const { workspaceId } = req.params;
+  let secretSnapshots;
+  try {
+    const { workspaceId } = req.params;
+    const { environment, folderId } = req.query;
 
-		const offset: number = parseInt(req.query.offset as string);
-		const limit: number = parseInt(req.query.limit as string);
-		
-		secretSnapshots = await SecretSnapshot.find({
-			workspace: workspaceId
-		})
-		.sort({ createdAt: -1 })
-		.skip(offset)
-		.limit(limit);
+    const offset: number = parseInt(req.query.offset as string);
+    const limit: number = parseInt(req.query.limit as string);
 
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get secret snapshots'
-		});
-	}
-	
-	return res.status(200).send({
-		secretSnapshots
-	});
-}
+    secretSnapshots = await SecretSnapshot.find({
+      workspace: workspaceId,
+      environment,
+      folderId: folderId || "root",
+    })
+      .sort({ createdAt: -1 })
+      .skip(offset)
+      .limit(limit);
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get secret snapshots",
+    });
+  }
+
+  return res.status(200).send({
+    secretSnapshots,
+  });
+};
 
 /**
  * Return count of secret snapshots for workspace with id [workspaceId]
- * @param req 
- * @param res 
+ * @param req
+ * @param res
  */
-export const getWorkspaceSecretSnapshotsCount = async (req: Request, res: Response) => {
-	let count;
-	try {
-		const { workspaceId } = req.params;
-		count = await SecretSnapshot.countDocuments({
-			workspace: workspaceId
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to count number of secret snapshots'
-		});
-	}
-	
-	return res.status(200).send({
-		count
-	});
-}
+export const getWorkspaceSecretSnapshotsCount = async (
+  req: Request,
+  res: Response
+) => {
+  let count;
+  try {
+    const { workspaceId } = req.params;
+    const { environment, folderId } = req.query;
+
+    count = await SecretSnapshot.countDocuments({
+      workspace: workspaceId,
+      environment,
+      folderId: folderId || "root",
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to count number of secret snapshots",
+    });
+  }
+
+  return res.status(200).send({
+    count,
+  });
+};
 
 /**
  * Rollback secret snapshot with id [secretSnapshotId] to version [version]
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
  */
-export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Response) => {
-	/* 
+export const rollbackWorkspaceSecretSnapshot = async (
+  req: Request,
+  res: Response
+) => {
+  /* 
     #swagger.summary = 'Roll back project secrets to those captured in a secret snapshot version.'
     #swagger.description = 'Roll back project secrets to those captured in a secret snapshot version.'
     
@@ -173,160 +190,338 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
         }
     }   
     */
-	let secrets;
-    try {	
-        const { workspaceId } = req.params;
-        const { version } = req.body;
-        
-		// validate secret snapshot
-		const secretSnapshot = await SecretSnapshot.findOne({
-			workspace: workspaceId,
-			version
-		}).populate<{ secretVersions: ISecretVersion[]}>('secretVersions');
-        
-        if (!secretSnapshot) throw new Error('Failed to find secret snapshot');
 
-		// TODO: fix any
-		const oldSecretVersionsObj: any = secretSnapshot.secretVersions
-			.reduce((accumulator, s) => ({ 
-				...accumulator, 
-				[`${s.secret.toString()}`]: s 
-			}), {});	
-		
-		const latestSecretVersionIds = await getLatestSecretVersionIds({
-			secretIds: secretSnapshot.secretVersions.map((sv) => sv.secret)
-		});
-		
-		// TODO: fix any
-		const latestSecretVersions: any = (await SecretVersion.find({
-			_id: {
-				$in: latestSecretVersionIds.map((s) => s.versionId)
-			}
-		}, 'secret version'))
-		.reduce((accumulator, s) => ({ 
-			...accumulator, 
-			[`${s.secret.toString()}`]: s 
-		}), {});
-		
-		// delete existing secrets
-		await Secret.deleteMany({
-			workspace: workspaceId
-		});
+  let secrets;
+  try {
+    const { workspaceId } = req.params;
+    const { version, environment, folderId = "root" } = req.body;
 
-		// add secrets
-        secrets = await Secret.insertMany(
-			secretSnapshot.secretVersions.map((sv) => {
-				const secretId = sv.secret;
-				const {
-					workspace,
-					type,
-					user,
-					environment,
-					secretKeyCiphertext,
-					secretKeyIV,
-					secretKeyTag,
-					secretKeyHash,
-					secretValueCiphertext,
-					secretValueIV,
-					secretValueTag,
-					secretValueHash,
-					createdAt
-				} = oldSecretVersionsObj[secretId.toString()];
-				
-				return ({
-					_id: secretId,
-					version: latestSecretVersions[secretId.toString()].version + 1,
-					workspace,
-					type,
-					user,
-					environment,
-					secretKeyCiphertext,
-					secretKeyIV,
-					secretKeyTag,
-					secretKeyHash,
-					secretValueCiphertext,
-					secretValueIV,
-					secretValueTag,
-					secretValueHash,
-					secretCommentCiphertext: '',
-					secretCommentIV: '',
-					secretCommentTag: '',
-					createdAt
-				});
-			})
-		);
-		
-		// add secret versions
-		await SecretVersion.insertMany(
-			secrets.map(({
-				_id,
-				version,
-				workspace,
-				type,
-				user,
-				environment,
-				secretKeyCiphertext,
-				secretKeyIV,
-				secretKeyTag,
-				secretKeyHash,
-				secretValueCiphertext,
-				secretValueIV,
-				secretValueTag,
-				secretValueHash
-			}) => ({
-				_id: new Types.ObjectId(),
-				secret: _id,
-				version,
-				workspace,
-				type,
-				user,
-				environment,
-				isDeleted: false,
-				secretKeyCiphertext,
-				secretKeyIV,
-				secretKeyTag,
-				secretKeyHash,
-				secretValueCiphertext,
-				secretValueIV,
-				secretValueTag,
-				secretValueHash
-			}))
-		);
-		
-		// update secret versions of restored secrets as not deleted
-		await SecretVersion.updateMany({
-			secret: {
-				$in: secretSnapshot.secretVersions.map((sv) => sv.secret)
-			}
-		}, {
-			isDeleted: false
-		});
-		
-        // take secret snapshot
-		await EESecretService.takeSecretSnapshot({
-			workspaceId
-		});
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to roll back secret snapshot'
-		}); 
+    // validate secret snapshot
+    const secretSnapshot = await SecretSnapshot.findOne({
+      workspace: workspaceId,
+      version,
+      environment,
+      folderId: folderId,
+    })
+      .populate<{ secretVersions: ISecretVersion[] }>({
+        path: "secretVersions",
+        select: "+secretBlindIndex",
+      })
+      .populate<{ folderVersion: TFolderRootVersionSchema }>("folderVersion");
+
+    if (!secretSnapshot) throw new Error("Failed to find secret snapshot");
+
+    const snapshotFolderTree = secretSnapshot.folderVersion;
+    const latestFolderTree = await Folder.findOne({
+      workspace: workspaceId,
+      environment,
+    });
+
+    const latestFolderVersion = await FolderVersion.findOne({
+      environment,
+      workspace: workspaceId,
+      "nodes.id": folderId,
+    }).sort({ "nodes.version": -1 });
+
+    const oldSecretVersionsObj: Record<string, ISecretVersion> = {};
+    const secretIds: Types.ObjectId[] = [];
+    const folderIds: string[] = [folderId];
+
+    secretSnapshot.secretVersions.forEach((snapSecVer) => {
+      oldSecretVersionsObj[snapSecVer.secret.toString()] = snapSecVer;
+      secretIds.push(snapSecVer.secret);
+    });
+
+    // the parent node from current latest one
+    // this will be modified according to the snapshot and latest snapshots
+    const newFolderTree =
+      latestFolderTree && searchByFolderId(latestFolderTree.nodes, folderId);
+
+    if (newFolderTree) {
+      newFolderTree.children = snapshotFolderTree?.nodes?.children || [];
+      const queue = [newFolderTree];
+      // a bfs algorithm in which we take the latest snapshots of all the folders in a level
+      while (queue.length) {
+        const groupByFolderId: Record<string, TFolderSchema> = {};
+        // the original queue is popped out completely to get what ever in a level
+        // subqueue is filled with all the children thus next level folders
+        // subQueue will then be transfered to the oriinal queue
+        const subQueue: TFolderSchema[] = [];
+        // get everything inside a level
+        while (queue.length) {
+          const folder = queue.pop() as TFolderSchema;
+          folder.children.forEach((el) => {
+            folderIds.push(el.id); // push ids and data into queu
+            subQueue.push(el);
+            // to modify the original tree very fast we keep a reference object
+            // key with folder id and pointing to the various nodes
+            groupByFolderId[el.id] = el;
+          });
+        }
+        // get latest snapshots of all the folder
+        const matchWsFoldersPipeline = {
+          $match: {
+            workspace: new Types.ObjectId(workspaceId),
+            environment,
+            folderId: {
+              $in: Object.keys(groupByFolderId),
+            },
+          },
+        };
+        const sortByFolderIdAndVersion: PipelineStage = {
+          $sort: { folderId: 1, version: -1 },
+        };
+        const pickLatestVersionOfEachFolder = {
+          $group: {
+            _id: "$folderId",
+            latestVersion: { $first: "$version" },
+            doc: {
+              $first: "$$ROOT",
+            },
+          },
+        };
+        const populateSecVersion = {
+          $lookup: {
+            from: SecretVersion.collection.name,
+            localField: "doc.secretVersions",
+            foreignField: "_id",
+            as: "doc.secretVersions",
+          },
+        };
+        const populateFolderVersion = {
+          $lookup: {
+            from: FolderVersion.collection.name,
+            localField: "doc.folderVersion",
+            foreignField: "_id",
+            as: "doc.folderVersion",
+          },
+        };
+        const unwindFolderVerField = {
+          $unwind: {
+            path: "$doc.folderVersion",
+            preserveNullAndEmptyArrays: true,
+          },
+        };
+        const latestSnapshotsByFolders: Array<{ doc: typeof secretSnapshot }> =
+          await SecretSnapshot.aggregate([
+            matchWsFoldersPipeline,
+            sortByFolderIdAndVersion,
+            pickLatestVersionOfEachFolder,
+            populateSecVersion,
+            populateFolderVersion,
+            unwindFolderVerField,
+          ]);
+
+        // recursive snapshotting each level
+        latestSnapshotsByFolders.forEach((snap) => {
+          // mutate the folder tree to update the nodes to the latest version tree
+          // we are reconstructing the folder tree by latest snapshots here
+          if (groupByFolderId[snap.doc.folderId]) {
+            groupByFolderId[snap.doc.folderId].children =
+              snap.doc?.folderVersion?.nodes?.children || [];
+          }
+
+          // push all children of next level snapshots
+          if (snap.doc.folderVersion?.nodes?.children) {
+            queue.push(...snap.doc.folderVersion.nodes.children);
+          }
+
+          snap.doc.secretVersions.forEach((snapSecVer) => {
+            // record all the secrets
+            oldSecretVersionsObj[snapSecVer.secret.toString()] = snapSecVer;
+            secretIds.push(snapSecVer.secret);
+          });
+        });
+
+        queue.push(...subQueue);
+      }
     }
-    
-	return res.status(200).send({
-		secrets
-	});
-}
+
+    // TODO: fix any
+    const latestSecretVersionIds = await getLatestSecretVersionIds({
+      secretIds,
+    });
+
+    // TODO: fix any
+    const latestSecretVersions: any = (
+      await SecretVersion.find(
+        {
+          _id: {
+            $in: latestSecretVersionIds.map((s) => s.versionId),
+          },
+        },
+        "secret version"
+      )
+    ).reduce(
+      (accumulator, s) => ({
+        ...accumulator,
+        [`${s.secret.toString()}`]: s,
+      }),
+      {}
+    );
+
+    const secDelQuery: Record<string, unknown> = {
+      workspace: workspaceId,
+      environment,
+      // undefined means root thus collect all secrets
+    };
+    if (folderId !== "root" && folderIds.length)
+      secDelQuery.folder = { $in: folderIds };
+
+    // delete existing secrets
+    await Secret.deleteMany(secDelQuery);
+    await Folder.deleteOne({
+      workspace: workspaceId,
+      environment,
+    });
+
+    // add secrets
+    secrets = await Secret.insertMany(
+      Object.keys(oldSecretVersionsObj).map((sv) => {
+        const {
+          secret: secretId,
+          workspace,
+          type,
+          user,
+          environment,
+          secretBlindIndex,
+          secretKeyCiphertext,
+          secretKeyIV,
+          secretKeyTag,
+          secretValueCiphertext,
+          secretValueIV,
+          secretValueTag,
+          createdAt,
+          algorithm,
+          keyEncoding,
+          folder: secFolderId,
+        } = oldSecretVersionsObj[sv];
+
+        return {
+          _id: secretId,
+          version: latestSecretVersions[secretId.toString()].version + 1,
+          workspace,
+          type,
+          user,
+          environment,
+          secretBlindIndex: secretBlindIndex ?? undefined,
+          secretKeyCiphertext,
+          secretKeyIV,
+          secretKeyTag,
+          secretValueCiphertext,
+          secretValueIV,
+          secretValueTag,
+          secretCommentCiphertext: "",
+          secretCommentIV: "",
+          secretCommentTag: "",
+          createdAt,
+          algorithm,
+          keyEncoding,
+          folder: secFolderId,
+        };
+      })
+    );
+
+    // add secret versions
+    const secretV = await SecretVersion.insertMany(
+      secrets.map(
+        ({
+          _id,
+          version,
+          workspace,
+          type,
+          user,
+          environment,
+          secretBlindIndex,
+          secretKeyCiphertext,
+          secretKeyIV,
+          secretKeyTag,
+          secretValueCiphertext,
+          secretValueIV,
+          secretValueTag,
+          algorithm,
+          keyEncoding,
+          folder: secFolderId,
+        }) => ({
+          _id: new Types.ObjectId(),
+          secret: _id,
+          version,
+          workspace,
+          type,
+          user,
+          environment,
+          isDeleted: false,
+          secretBlindIndex: secretBlindIndex ?? undefined,
+          secretKeyCiphertext,
+          secretKeyIV,
+          secretKeyTag,
+          secretValueCiphertext,
+          secretValueIV,
+          secretValueTag,
+          algorithm,
+          keyEncoding,
+          folder: secFolderId,
+        })
+      )
+    );
+
+    if (newFolderTree && latestFolderTree) {
+      // save the updated folder tree to the present one
+      newFolderTree.version = (latestFolderVersion?.nodes?.version || 0) + 1;
+      latestFolderTree._id = new Types.ObjectId();
+      latestFolderTree.isNew = true;
+      await latestFolderTree.save();
+
+      // create new folder version
+      const newFolderVersion = new FolderVersion({
+        workspace: workspaceId,
+        environment,
+        nodes: newFolderTree,
+      });
+      await newFolderVersion.save();
+    }
+
+    // update secret versions of restored secrets as not deleted
+    await SecretVersion.updateMany(
+      {
+        secret: {
+          $in: Object.keys(oldSecretVersionsObj).map(
+            (sv) => oldSecretVersionsObj[sv].secret
+          ),
+        },
+      },
+      {
+        isDeleted: false,
+      }
+    );
+
+    // take secret snapshot
+    await EESecretService.takeSecretSnapshot({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+      folderId,
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to roll back secret snapshot",
+    });
+  }
+
+  return res.status(200).send({
+    secrets,
+  });
+};
 
 /**
  * Return (audit) logs for workspace with id [workspaceId]
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
  */
 export const getWorkspaceLogs = async (req: Request, res: Response) => {
-	/* 
+  /* 
     #swagger.summary = 'Return project (audit) logs'
     #swagger.description = 'Return project (audit) logs'
     
@@ -392,43 +587,41 @@ export const getWorkspaceLogs = async (req: Request, res: Response) => {
         }
     }   
     */
-	let logs
-	try {
-		const { workspaceId } = req.params;
+  let logs;
+  try {
+    const { workspaceId } = req.params;
 
-		const offset: number = parseInt(req.query.offset as string);
-		const limit: number = parseInt(req.query.limit as string);
-		const sortBy: string = req.query.sortBy as string;
-		const userId: string = req.query.userId as string;
-		const actionNames: string = req.query.actionNames as string;
-		
-		logs = await Log.find({
-			workspace: workspaceId,
-			...( userId ? { user: userId } : {}),
-			...( 
-				actionNames 
-				? { 
-					actionNames: {
-						$in: actionNames.split(',')
-					}
-				} : {}
-			)
-		})
-		.sort({ createdAt: sortBy === 'recent' ? -1 : 1 })
-		.skip(offset)
-		.limit(limit)
-		.populate('actions')
-		.populate('user');
+    const offset: number = parseInt(req.query.offset as string);
+    const limit: number = parseInt(req.query.limit as string);
+    const sortBy: string = req.query.sortBy as string;
+    const userId: string = req.query.userId as string;
+    const actionNames: string = req.query.actionNames as string;
 
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get workspace logs'
-		});
-	}
-	
-	return res.status(200).send({
-		logs
-	});
-}
+    logs = await Log.find({
+      workspace: workspaceId,
+      ...(userId ? { user: userId } : {}),
+      ...(actionNames
+        ? {
+            actionNames: {
+              $in: actionNames.split(","),
+            },
+          }
+        : {}),
+    })
+      .sort({ createdAt: sortBy === "recent" ? -1 : 1 })
+      .skip(offset)
+      .limit(limit)
+      .populate("actions")
+      .populate("user serviceAccount serviceTokenData");
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get workspace logs",
+    });
+  }
+
+  return res.status(200).send({
+    logs,
+  });
+};

backend/src/ee/helpers/action.ts

@@ -1,4 +1,3 @@
-import * as Sentry from '@sentry/node';
 import { Types } from 'mongoose';
 import { Action } from '../models';
 import { 
@@ -24,39 +23,37 @@ import {
 const createActionUpdateSecret = async ({
     name,
     userId,
+    serviceAccountId,
+    serviceTokenDataId,
     workspaceId,
     secretIds
 }: {
     name: string;
-    userId: Types.ObjectId;
+    userId?: Types.ObjectId;
+    serviceAccountId?: Types.ObjectId;
+    serviceTokenDataId?: Types.ObjectId;
     workspaceId: Types.ObjectId;
     secretIds: Types.ObjectId[];
 }) => {
-    let action;
-    try {
-        const latestSecretVersions = (await getLatestNSecretSecretVersionIds({
-                secretIds,
-                n: 2
-            }))
-            .map((s) => ({
-                oldSecretVersion: s.versions[0]._id,
-                newSecretVersion: s.versions[1]._id
-            }));
-        
-        action = await new Action({
-            name,
-            user: userId,
-            workspace: workspaceId,
-            payload: {
-                secretVersions: latestSecretVersions
-            }
-        }).save();
-
-    } catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-        throw new Error('Failed to create update secret action');
-    }
+    const latestSecretVersions = (await getLatestNSecretSecretVersionIds({
+            secretIds,
+            n: 2
+        }))
+        .map((s) => ({
+            oldSecretVersion: s.versions[0]._id,
+            newSecretVersion: s.versions[1]._id
+        }));
+    
+    const action = await new Action({
+        name,
+        user: userId,
+        serviceAccount: serviceAccountId,
+        serviceTokenData: serviceTokenDataId,
+        workspace: workspaceId,
+        payload: {
+            secretVersions: latestSecretVersions
+        }
+    }).save();
     
     return action;
 }
@@ -72,68 +69,66 @@ const createActionUpdateSecret = async ({
 const createActionSecret = async ({
     name,
     userId,
+    serviceAccountId,
+    serviceTokenDataId,
     workspaceId,
     secretIds
 }: {
     name: string;
-    userId: Types.ObjectId;
+    userId?: Types.ObjectId;
+    serviceAccountId?: Types.ObjectId;
+    serviceTokenDataId?: Types.ObjectId;
     workspaceId: Types.ObjectId;
     secretIds: Types.ObjectId[];
 }) => {
-    let action;
-    try {
-        // case: action is adding, deleting, or reading secrets
-        // -> add new secret versions
-        const latestSecretVersions = (await getLatestSecretVersionIds({
-            secretIds
-        }))
-        .map((s) => ({
-            newSecretVersion: s.versionId
-        }));
-        
-       action = await new Action({
-            name,
-            user: userId,
-            workspace: workspaceId,
-            payload: {
-                secretVersions: latestSecretVersions
-            }
-        }).save(); 
-
-    } catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-        throw new Error('Failed to create action create/read/delete secret action');
-    }
+    // case: action is adding, deleting, or reading secrets
+    // -> add new secret versions
+    const latestSecretVersions = (await getLatestSecretVersionIds({
+        secretIds
+    }))
+    .map((s) => ({
+        newSecretVersion: s.versionId
+    }));
+    
+   const action = await new Action({
+        name,
+        user: userId,
+        serviceAccount: serviceAccountId,
+        serviceTokenData: serviceTokenDataId,
+        workspace: workspaceId,
+        payload: {
+            secretVersions: latestSecretVersions
+        }
+    }).save(); 
     
     return action;
 }
 
 /**
- * Create an (audit) action for user with id [userId]
+ * Create an (audit) action for client with id [userId],
+ * [serviceAccountId], or [serviceTokenDataId]
  * @param {Object} obj 
  * @param {String} obj.name - name of action
  * @param {String} obj.userId - id of user associated with action
  * @returns 
  */
-const createActionUser = ({
+const createActionClient = ({
     name,
-    userId
+    userId,
+    serviceAccountId,
+    serviceTokenDataId
 }: {
     name: string;
-    userId: Types.ObjectId;
+    userId?: Types.ObjectId;
+    serviceAccountId?: Types.ObjectId;
+    serviceTokenDataId?: Types.ObjectId;
 }) => {
-    let action;
-    try {
-        action = new Action({
-            name,
-            user: userId
-        }).save();
-    } catch (err) {
-        Sentry.setUser(null);
-        Sentry.captureException(err);
-        throw new Error('Failed to create user action');
-    }
+    const action = new Action({
+        name,
+        user: userId,
+        serviceAccount: serviceAccountId,
+        serviceTokenData: serviceTokenDataId
+    }).save();
 
     return action; 
 }
@@ -149,49 +144,47 @@ const createActionUser = ({
 const createActionHelper = async ({
     name,
     userId,
+    serviceAccountId,
+    serviceTokenDataId,
     workspaceId,
     secretIds,
 }: {
     name: string;
-    userId: Types.ObjectId;
+    userId?: Types.ObjectId;
+    serviceAccountId?: Types.ObjectId;
+    serviceTokenDataId?: Types.ObjectId;
     workspaceId?: Types.ObjectId;
     secretIds?: Types.ObjectId[];
 }) => {
     let action;
-    try {
-        switch (name) {
-            case ACTION_LOGIN:
-            case ACTION_LOGOUT:
-                action = await createActionUser({
-                    name,
-                    userId
-                });
-                break;
-            case ACTION_ADD_SECRETS:
-            case ACTION_READ_SECRETS:
-            case ACTION_DELETE_SECRETS:
-                if (!workspaceId || !secretIds) throw new Error('Missing required params workspace id or secret ids to create action secret');
-                action = await createActionSecret({
-                    name,
-                    userId,
-                    workspaceId,
-                    secretIds
-                });
-                break;
-            case ACTION_UPDATE_SECRETS:
-                if (!workspaceId || !secretIds) throw new Error('Missing required params workspace id or secret ids to create action secret');
-                action = await createActionUpdateSecret({
-                    name,
-                    userId,
-                    workspaceId,
-                    secretIds
-                });
-                break;
-        }
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-        throw new Error('Failed to create action');
+    switch (name) {
+        case ACTION_LOGIN:
+        case ACTION_LOGOUT:
+            action = await createActionClient({
+                name,
+                userId
+            });
+            break;
+        case ACTION_ADD_SECRETS:
+        case ACTION_READ_SECRETS:
+        case ACTION_DELETE_SECRETS:
+            if (!workspaceId || !secretIds) throw new Error('Missing required params workspace id or secret ids to create action secret');
+            action = await createActionSecret({
+                name,
+                userId,
+                workspaceId,
+                secretIds
+            });
+            break;
+        case ACTION_UPDATE_SECRETS:
+            if (!workspaceId || !secretIds) throw new Error('Missing required params workspace id or secret ids to create action secret');
+            action = await createActionUpdateSecret({
+                name,
+                userId,
+                workspaceId,
+                secretIds
+            });
+            break;
     }
     
     return action;
@@ -199,4 +192,4 @@ const createActionHelper = async ({
 
 export { 
     createActionHelper
-};
+};

backend/src/ee/helpers/checkMembershipPermissions.ts

@@ -1,8 +1,9 @@
+import { Types } from 'mongoose';
 import _ from "lodash";
 import { Membership } from "../../models";
-import { ABILITY_READ, ABILITY_WRITE } from "../../variables/organization";
+import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from '../../variables';
 
-export const userHasWorkspaceAccess = async (userId: any, workspaceId: any, environment: any, action: any) => {
+export const userHasWorkspaceAccess = async (userId: Types.ObjectId, workspaceId: Types.ObjectId, environment: string, action: any) => {
   const membershipForWorkspace = await Membership.findOne({ workspace: workspaceId, user: userId })
   if (!membershipForWorkspace) {
     return false
@@ -18,15 +19,15 @@ export const userHasWorkspaceAccess = async (userId: any, workspaceId: any, envi
   return true
 }
 
-export const userHasWriteOnlyAbility = async (userId: any, workspaceId: any, environment: any) => {
+export const userHasWriteOnlyAbility = async (userId: Types.ObjectId, workspaceId: Types.ObjectId, environment: string) => {
   const membershipForWorkspace = await Membership.findOne({ workspace: workspaceId, user: userId })
   if (!membershipForWorkspace) {
     return false
   }
 
   const deniedMembershipPermissions = membershipForWorkspace.deniedPermissions;
-  const isWriteDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: ABILITY_WRITE });
-  const isReadDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: ABILITY_READ });
+  const isWriteDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: PERMISSION_WRITE_SECRETS });
+  const isReadDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: PERMISSION_READ_SECRETS });
 
   // case: you have write only if read is blocked and write is not
   if (isReadDisallowed && !isWriteDisallowed) {
@@ -36,15 +37,15 @@ export const userHasWriteOnlyAbility = async (userId: any, workspaceId: any, env
   return false
 }
 
-export const userHasNoAbility = async (userId: any, workspaceId: any, environment: any) => {
+export const userHasNoAbility = async (userId: Types.ObjectId, workspaceId: Types.ObjectId, environment: string) => {
   const membershipForWorkspace = await Membership.findOne({ workspace: workspaceId, user: userId })
   if (!membershipForWorkspace) {
     return true
   }
 
   const deniedMembershipPermissions = membershipForWorkspace.deniedPermissions;
-  const isWriteDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: ABILITY_WRITE });
-  const isReadBlocked = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: ABILITY_READ });
+  const isWriteDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: PERMISSION_WRITE_SECRETS });
+  const isReadBlocked = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: PERMISSION_READ_SECRETS });
 
   if (isReadBlocked && isWriteDisallowed) {
     return true

backend/src/ee/helpers/log.ts

@@ -1,9 +1,9 @@
-import * as Sentry from '@sentry/node';
 import { Types } from 'mongoose';
 import { 
     Log,
     IAction
 } from '../models';
+
 /**
  * Create an (audit) log
  * @param {Object} obj
@@ -16,36 +16,35 @@ import {
  */
 const createLogHelper = async ({
     userId,
+    serviceAccountId,
+    serviceTokenDataId,
     workspaceId,
     actions,
     channel,
     ipAddress
 }: {
-    userId: Types.ObjectId;
+    userId?: Types.ObjectId;
+    serviceAccountId?: Types.ObjectId;
+    serviceTokenDataId?: Types.ObjectId;
     workspaceId?: Types.ObjectId;
     actions: IAction[];
     channel: string;
     ipAddress: string;
 }) => {
-    let log;
-    try {
-        log = await new Log({
-            user: userId,
-            workspace: workspaceId ?? undefined,
-            actionNames: actions.map((a) => a.name),
-            actions,
-            channel,
-            ipAddress
-        }).save();
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to create log');
-    }
+    const log = await new Log({
+        user: userId,
+        serviceAccount: serviceAccountId,
+        serviceTokenData: serviceTokenDataId,
+        workspace: workspaceId ?? undefined,
+        actionNames: actions.map((a) => a.name),
+        actions,
+        channel,
+        ipAddress
+    }).save();
 
     return log;
 }
 
 export {
     createLogHelper
-}
+}

backend/src/ee/helpers/secret.ts

@@ -1,14 +1,11 @@
-import { Types } from 'mongoose';
-import * as Sentry from '@sentry/node';
+import { Types } from "mongoose";
+import { Secret, ISecret } from "../../models";
 import {
-	Secret,
-	ISecret
-} from '../../models';
-import {
-	SecretSnapshot,
-	SecretVersion,
-	ISecretVersion
-} from '../models';
+  SecretSnapshot,
+  SecretVersion,
+  ISecretVersion,
+  FolderVersion,
+} from "../models";
 
 /**
  * Save a secret snapshot that is a copy of the current state of secrets in workspace with id
@@ -19,56 +16,70 @@ import {
  * @returns {SecretSnapshot} secretSnapshot - new secret snapshot
  */
 const takeSecretSnapshotHelper = async ({
-	workspaceId
+  workspaceId,
+  environment,
+  folderId = "root",
 }: {
-	workspaceId: string;
+  workspaceId: Types.ObjectId;
+  environment: string;
+  folderId?: string;
 }) => {
+  // get all folder ids
+  const secretIds = (
+    await Secret.find(
+      {
+        workspace: workspaceId,
+        environment,
+        folder: folderId,
+      },
+      "_id"
+    ).lean()
+  ).map((s) => s._id);
 
-	let secretSnapshot;
-	try {
-		const secretIds = (await Secret.find({
-			workspace: workspaceId
-		}, '_id')).map((s) => s._id);
+  const latestSecretVersions = (
+    await SecretVersion.aggregate([
+      {
+        $match: {
+          environment,
+          workspace: new Types.ObjectId(workspaceId),
+          secret: {
+            $in: secretIds,
+          },
+        },
+      },
+      {
+        $group: {
+          _id: "$secret",
+          version: { $max: "$version" },
+          versionId: { $max: "$_id" }, // secret version id
+        },
+      },
+      {
+        $sort: { version: -1 },
+      },
+    ]).exec()
+  ).map((s) => s.versionId);
+  const latestFolderVersion = await FolderVersion.findOne({
+    environment,
+    workspace: workspaceId,
+    "nodes.id": folderId,
+  }).sort({ "nodes.version": -1 });
 
-		const latestSecretVersions = (await SecretVersion.aggregate([
-			{
-				$match: {
-					secret: {
-						$in: secretIds
-					}
-				}
-			},
-			{
-				$group: {
-					_id: '$secret',
-					version: { $max: '$version' },
-					versionId: { $max: '$_id' } // secret version id
-				}
-			},
-			{
-				$sort: { version: -1 }
-			}
-		])
-			.exec())
-			.map((s) => s.versionId);
+  const latestSecretSnapshot = await SecretSnapshot.findOne({
+    workspace: workspaceId,
+  }).sort({ version: -1 });
 
-		const latestSecretSnapshot = await SecretSnapshot.findOne({
-			workspace: workspaceId
-		}).sort({ version: -1 });
+  const secretSnapshot = await new SecretSnapshot({
+    workspace: workspaceId,
+    environment,
+    version: latestSecretSnapshot ? latestSecretSnapshot.version + 1 : 1,
+    secretVersions: latestSecretVersions,
+    folderId,
+    folderVersion: latestFolderVersion,
+  }).save();
 
-		secretSnapshot = await new SecretSnapshot({
-			workspace: workspaceId,
-			version: latestSecretSnapshot ? latestSecretSnapshot.version + 1 : 1,
-			secretVersions: latestSecretVersions
-		}).save();
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to take a secret snapshot');
-	}
-
-	return secretSnapshot;
-}
+  return secretSnapshot;
+};
 
 /**
  * Add secret versions [secretVersions] to the SecretVersion collection.
@@ -77,93 +88,35 @@ const takeSecretSnapshotHelper = async ({
  * @returns {SecretVersion[]} newSecretVersions - new secret versions
  */
 const addSecretVersionsHelper = async ({
-	secretVersions
+  secretVersions,
 }: {
-	secretVersions: ISecretVersion[]
+  secretVersions: ISecretVersion[];
 }) => {
-	let newSecretVersions;
-	try {
-		newSecretVersions = await SecretVersion.insertMany(secretVersions);
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error(`Failed to add secret versions [err=${err}]`);
-	}
+  const newSecretVersions = await SecretVersion.insertMany(secretVersions);
 
-	return newSecretVersions;
-}
+  return newSecretVersions;
+};
 
 const markDeletedSecretVersionsHelper = async ({
-	secretIds
+  secretIds,
 }: {
-	secretIds: Types.ObjectId[];
+  secretIds: Types.ObjectId[];
 }) => {
-	try {
-		await SecretVersion.updateMany({
-			secret: { $in: secretIds }
-		}, {
-			isDeleted: true
-		}, {
-			new: true
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to mark secret versions as deleted');
-	}
-}
-
-/**
- * Initialize secret versioning by setting previously unversioned
- * secrets to version 1 and begin populating secret versions.
- */
-const initSecretVersioningHelper = async () => {
-	try {
-
-		await Secret.updateMany(
-			{ version: { $exists: false } },
-			{ $set: { version: 1 } }
-		);
-
-		const unversionedSecrets: ISecret[] = await Secret.aggregate([
-			{
-				$lookup: {
-					from: 'secretversions',
-					localField: '_id',
-					foreignField: 'secret',
-					as: 'versions',
-				},
-			},
-			{
-				$match: {
-					versions: { $size: 0 },
-				},
-			},
-		]);
-
-		if (unversionedSecrets.length > 0) {
-			await addSecretVersionsHelper({
-				secretVersions: unversionedSecrets.map((s, idx) => ({
-					...s,
-					secret: s._id,
-					version: s.version ? s.version : 1,
-					isDeleted: false,
-					workspace: s.workspace,
-					environment: s.environment
-				}))
-			});
-		}
-
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to ensure that secrets are versioned');
-	}
-}
+  await SecretVersion.updateMany(
+    {
+      secret: { $in: secretIds },
+    },
+    {
+      isDeleted: true,
+    },
+    {
+      new: true,
+    }
+  );
+};
 
 export {
-	takeSecretSnapshotHelper,
-	addSecretVersionsHelper,
-	markDeletedSecretVersionsHelper,
-	initSecretVersioningHelper
-}
+  takeSecretSnapshotHelper,
+  addSecretVersionsHelper,
+  markDeletedSecretVersionsHelper,
+};

backend/src/ee/helpers/secretVersion.ts

@@ -1,110 +1,82 @@
-import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
-import { SecretVersion } from '../models';
+import { Types } from "mongoose";
+import { SecretVersion } from "../models";
 
 /**
  * Return latest secret versions for secrets with ids [secretIds]
  * @param {Object} obj
  * @param {Object} obj.secretIds = ids of secrets to get latest versions for
- * @returns 
+ * @returns
  */
 const getLatestSecretVersionIds = async ({
-    secretIds
+  secretIds,
 }: {
-    secretIds: Types.ObjectId[];
+  secretIds: Types.ObjectId[];
 }) => {
-    
-    interface LatestSecretVersionId {
-        _id: Types.ObjectId;
-        version: number;
-        versionId: Types.ObjectId;
-    }
-    
-    let latestSecretVersionIds: LatestSecretVersionId[];
-    try {
-        latestSecretVersionIds = (await SecretVersion.aggregate([
-            {
-                $match: { 
-                    secret: { 
-                        $in: secretIds 
-                    } 
-                }
-            },
-            {
-                $group: {
-                    _id: '$secret',
-                    version: { $max: '$version' },
-                    versionId: { $max: '$_id' } // id of latest secret version
-                }
-            },
-            {
-                $sort: { version: -1 }
-            }
-            ])
-            .exec());
-            
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-        throw new Error('Failed to get latest secret versions');
-    }
-    
-    return latestSecretVersionIds;
-}
+  const latestSecretVersionIds = await SecretVersion.aggregate([
+    {
+      $match: {
+        secret: {
+          $in: secretIds,
+        },
+      },
+    },
+    {
+      $group: {
+        _id: "$secret",
+        version: { $max: "$version" },
+        versionId: { $max: "$_id" }, // id of latest secret version
+      },
+    },
+    {
+      $sort: { version: -1 },
+    },
+  ]).exec();
+
+  return latestSecretVersionIds;
+};
 
 /**
  * Return latest [n] secret versions for secrets with ids [secretIds]
  * @param {Object} obj
  * @param {Object} obj.secretIds = ids of secrets to get latest versions for
  * @param {Number} obj.n - number of latest secret versions to return for each secret
- * @returns 
+ * @returns
  */
 const getLatestNSecretSecretVersionIds = async ({
-    secretIds,
-    n
+  secretIds,
+  n,
 }: {
-    secretIds: Types.ObjectId[];
-    n: number;
+  secretIds: Types.ObjectId[];
+  n: number;
 }) => {
-    
-    // TODO: optimize query
-    let latestNSecretVersions;
-    try {
-        latestNSecretVersions = (await SecretVersion.aggregate([
-            {
-                $match: {
-                secret: {
-                    $in: secretIds,
-                },
-                },
-            },
-            {
-                $sort: { version: -1 },
-            },
-            {
-                $group: {
-                _id: "$secret",
-                versions: { $push: "$$ROOT" },
-                },
-            },
-            {
-                $project: {
-                _id: 0,
-                secret: "$_id",
-                versions: { $slice: ["$versions", n] },
-                },
-            }
-        ]));
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-        throw new Error('Failed to get latest n secret versions');
-    }
-    
-    return latestNSecretVersions;
-}
+  // TODO: optimize query
+  const latestNSecretVersions = await SecretVersion.aggregate([
+    {
+      $match: {
+        secret: {
+          $in: secretIds,
+        },
+      },
+    },
+    {
+      $sort: { version: -1 },
+    },
+    {
+      $group: {
+        _id: "$secret",
+        versions: { $push: "$$ROOT" },
+      },
+    },
+    {
+      $project: {
+        _id: 0,
+        secret: "$_id",
+        versions: { $slice: ["$versions", n] },
+      },
+    },
+  ]);
 
-export {
-    getLatestSecretVersionIds,
-    getLatestNSecretSecretVersionIds
-}
+  return latestNSecretVersions;
+};
+
+export { getLatestSecretVersionIds, getLatestNSecretSecretVersionIds };

backend/src/ee/middleware/requireSecretSnapshotAuth.ts

@@ -15,32 +15,28 @@ import {
 const requireSecretSnapshotAuth = ({
     acceptedRoles,
 }: {
-    acceptedRoles: string[];
+    acceptedRoles: Array<'admin' | 'member'>;
 }) => {
     return async (req: Request, res: Response, next: NextFunction) => {
-        try {
-            const { secretSnapshotId } = req.params;
-            
-            const secretSnapshot = await SecretSnapshot.findById(secretSnapshotId);
-            
-            if (!secretSnapshot) {
-                return next(SecretSnapshotNotFoundError({
-                    message: 'Failed to find secret snapshot'
-                }));
-            }
-            
-            await validateMembership({
-                userId: req.user._id.toString(),
-                workspaceId: secretSnapshot.workspace.toString(),
-                acceptedRoles
-            });
-            
-            req.secretSnapshot = secretSnapshot as any;
-
-            next();
-        } catch (err) {
-            return next(UnauthorizedRequestError({ message: 'Unable to authenticate secret snapshot' }));
+        const { secretSnapshotId } = req.params;
+        
+        const secretSnapshot = await SecretSnapshot.findById(secretSnapshotId);
+        
+        if (!secretSnapshot) {
+            return next(SecretSnapshotNotFoundError({
+                message: 'Failed to find secret snapshot'
+            }));
         }
+        
+        await validateMembership({
+            userId: req.user._id,
+            workspaceId: secretSnapshot.workspace,
+            acceptedRoles
+        });
+        
+        req.secretSnapshot = secretSnapshot as any;
+
+        next();
     }
 }
 

backend/src/ee/models/action.ts

@@ -11,6 +11,8 @@ import {
 export interface IAction {
     name: string;
     user?: Types.ObjectId,
+    serviceAccount?: Types.ObjectId,
+    serviceTokenData?: Types.ObjectId,
     workspace?: Types.ObjectId,
     payload?: {
         secretVersions?: Types.ObjectId[]
@@ -33,8 +35,15 @@ const actionSchema = new Schema<IAction>(
         },
         user: {
             type: Schema.Types.ObjectId,
-            ref: 'User',
-            required: true
+            ref: 'User'
+        },
+        serviceAccount: {
+            type: Schema.Types.ObjectId,
+            ref: 'ServiceAccount'
+        },
+        serviceTokenData: {
+            type: Schema.Types.ObjectId,
+            ref: 'ServiceTokenData'
         },
         workspace: {
             type: Schema.Types.ObjectId,

backend/src/ee/models/folderVersion.ts

@@ -0,0 +1,60 @@
+import { model, Schema, Types } from "mongoose";
+
+export type TFolderRootVersionSchema = {
+  _id: Types.ObjectId;
+  workspace: Types.ObjectId;
+  environment: string;
+  nodes: TFolderVersionSchema;
+};
+
+export type TFolderVersionSchema = {
+  id: string;
+  name: string;
+  version: number;
+  children: TFolderVersionSchema[];
+};
+
+const folderVersionSchema = new Schema<TFolderVersionSchema>({
+  id: {
+    required: true,
+    type: String,
+    default: "root",
+  },
+  name: {
+    required: true,
+    type: String,
+    default: "root",
+  },
+  version: {
+    required: true,
+    type: Number,
+    default: 1,
+  },
+});
+
+folderVersionSchema.add({ children: [folderVersionSchema] });
+
+const folderRootVersionSchema = new Schema<TFolderRootVersionSchema>(
+  {
+    workspace: {
+      type: Schema.Types.ObjectId,
+      ref: "Workspace",
+      required: true,
+    },
+    environment: {
+      type: String,
+      required: true,
+    },
+    nodes: folderVersionSchema,
+  },
+  {
+    timestamps: true,
+  }
+);
+
+const FolderVersion = model<TFolderRootVersionSchema>(
+  "FolderVersion",
+  folderRootVersionSchema
+);
+
+export default FolderVersion;

backend/src/ee/models/index.ts

@@ -1,15 +1,18 @@
-import SecretSnapshot, { ISecretSnapshot } from './secretSnapshot';
-import SecretVersion, { ISecretVersion } from './secretVersion';
-import Log, { ILog } from './log';
-import Action, { IAction } from './action';
+import SecretSnapshot, { ISecretSnapshot } from "./secretSnapshot";
+import SecretVersion, { ISecretVersion } from "./secretVersion";
+import FolderVersion, { TFolderRootVersionSchema } from "./folderVersion";
+import Log, { ILog } from "./log";
+import Action, { IAction } from "./action";
 
 export {
-    SecretSnapshot,
-    ISecretSnapshot,
-    SecretVersion,
-    ISecretVersion,
-    Log,
-    ILog,
-    Action,
-    IAction
-}
+  SecretSnapshot,
+  ISecretSnapshot,
+  SecretVersion,
+  ISecretVersion,
+  FolderVersion,
+  TFolderRootVersionSchema,
+  Log,
+  ILog,
+  Action,
+  IAction,
+};

backend/src/ee/models/log.ts

@@ -11,6 +11,8 @@ import {
 export interface ILog {
     _id: Types.ObjectId;
     user?: Types.ObjectId;
+    serviceAccount?: Types.ObjectId;
+    serviceTokenData?: Types.ObjectId;
     workspace?: Types.ObjectId;
     actionNames: string[];
     actions: Types.ObjectId[];
@@ -24,6 +26,14 @@ const logSchema = new Schema<ILog>(
             type: Schema.Types.ObjectId,
             ref: 'User'
         },
+        serviceAccount: {
+            type: Schema.Types.ObjectId,
+            ref: 'ServiceAccount'
+        },
+        serviceTokenData: {
+            type: Schema.Types.ObjectId,
+            ref: 'ServiceTokenData'
+        },
         workspace: {
             type: Schema.Types.ObjectId,
             ref: 'Workspace'

backend/src/ee/models/secretSnapshot.ts

@@ -1,33 +1,54 @@
-import { Schema, model, Types } from 'mongoose';
+import { Schema, model, Types } from "mongoose";
 
 export interface ISecretSnapshot {
-    workspace: Types.ObjectId;
-    version: number;
-    secretVersions: Types.ObjectId[];
+  workspace: Types.ObjectId;
+  environment: string;
+  folderId: string | "root";
+  version: number;
+  secretVersions: Types.ObjectId[];
+  folderVersion: Types.ObjectId;
 }
 
 const secretSnapshotSchema = new Schema<ISecretSnapshot>(
-    {
-        workspace: {
-            type: Schema.Types.ObjectId,
-            ref: 'Workspace',
-            required: true
-        },
-        version: {
-            type: Number,
-            required: true
-        },
-        secretVersions: [{
-            type: Schema.Types.ObjectId,
-            ref: 'SecretVersion',
-            required: true
-        }]
+  {
+    workspace: {
+      type: Schema.Types.ObjectId,
+      ref: "Workspace",
+      required: true,
     },
-    {
-        timestamps: true
-    }
+    environment: {
+      type: String,
+      required: true,
+    },
+    folderId: {
+      type: String,
+      default: "root",
+    },
+    version: {
+      type: Number,
+      default: 1,
+      required: true,
+    },
+    secretVersions: [
+      {
+        type: Schema.Types.ObjectId,
+        ref: "SecretVersion",
+        required: true,
+      },
+    ],
+    folderVersion: {
+      type: Schema.Types.ObjectId,
+      ref: "FolderVersion",
+    },
+  },
+  {
+    timestamps: true,
+  }
 );
 
-const SecretSnapshot = model<ISecretSnapshot>('SecretSnapshot', secretSnapshotSchema);
+const SecretSnapshot = model<ISecretSnapshot>(
+  "SecretSnapshot",
+  secretSnapshotSchema
+);
 
-export default SecretSnapshot;
+export default SecretSnapshot;

backend/src/ee/models/secretVersion.ts

@@ -1,97 +1,132 @@
-import { Schema, model, Types } from 'mongoose';
+import { Schema, model, Types } from "mongoose";
 import {
-	SECRET_SHARED,
-	SECRET_PERSONAL,
-} from '../../variables';
+  SECRET_SHARED,
+  SECRET_PERSONAL,
+  ALGORITHM_AES_256_GCM,
+  ENCODING_SCHEME_UTF8,
+  ENCODING_SCHEME_BASE64,
+} from "../../variables";
 
 export interface ISecretVersion {
-	secret: Types.ObjectId;
-	version: number;
-	workspace: Types.ObjectId; // new
-	type: string; // new
-	user?: Types.ObjectId; // new
-	environment: string; // new
-	isDeleted: boolean;
-	secretKeyCiphertext: string;
-	secretKeyIV: string;
-	secretKeyTag: string;
-	secretValueCiphertext: string;
-	secretValueIV: string;
-	secretValueTag: string;
-	tags?: string[];
+  _id: Types.ObjectId;
+  secret: Types.ObjectId;
+  version: number;
+  workspace: Types.ObjectId; // new
+  type: string; // new
+  user?: Types.ObjectId; // new
+  environment: string; // new
+  isDeleted: boolean;
+  secretBlindIndex?: string;
+  secretKeyCiphertext: string;
+  secretKeyIV: string;
+  secretKeyTag: string;
+  secretValueCiphertext: string;
+  secretValueIV: string;
+  secretValueTag: string;
+  algorithm: "aes-256-gcm";
+  keyEncoding: "utf8" | "base64";
+  createdAt: string;
+  folder?: string;
+  tags?: string[];
 }
 
 const secretVersionSchema = new Schema<ISecretVersion>(
-	{
-		secret: { // could be deleted
-			type: Schema.Types.ObjectId,
-			ref: 'Secret',
-			required: true
-		},
-		version: {
-			type: Number,
-			default: 1,
-			required: true
-		},
-		workspace: {
-			type: Schema.Types.ObjectId,
-			ref: 'Workspace',
-			required: true
-		},
-		type: {
-			type: String,
-			enum: [SECRET_SHARED, SECRET_PERSONAL],
-			required: true
-		},
-		user: {
-			// user associated with the personal secret
-			type: Schema.Types.ObjectId,
-			ref: 'User'
-		},
-		environment: {
-			type: String,
-			required: true
-		},
-		isDeleted: { // consider removing field
-			type: Boolean,
-			default: false,
-			required: true
-		},
-		secretKeyCiphertext: {
-			type: String,
-			required: true
-		},
-		secretKeyIV: {
-			type: String, // symmetric
-			required: true
-		},
-		secretKeyTag: {
-			type: String, // symmetric
-			required: true
-		},
-		secretValueCiphertext: {
-			type: String,
-			required: true
-		},
-		secretValueIV: {
-			type: String, // symmetric
-			required: true
-		},
-		secretValueTag: {
-			type: String, // symmetric
-			required: true
-		},
-		tags: {
-			ref: 'Tag',
-			type: [Schema.Types.ObjectId],
-			default: []
-		},
-	},
-	{
-		timestamps: true
-	}
+  {
+    secret: {
+      // could be deleted
+      type: Schema.Types.ObjectId,
+      ref: "Secret",
+      required: true,
+    },
+    version: {
+      type: Number,
+      default: 1,
+      required: true,
+    },
+    workspace: {
+      type: Schema.Types.ObjectId,
+      ref: "Workspace",
+      required: true,
+    },
+    type: {
+      type: String,
+      enum: [SECRET_SHARED, SECRET_PERSONAL],
+      required: true,
+    },
+    user: {
+      // user associated with the personal secret
+      type: Schema.Types.ObjectId,
+      ref: "User",
+    },
+    environment: {
+      type: String,
+      required: true,
+    },
+    isDeleted: {
+      // consider removing field
+      type: Boolean,
+      default: false,
+      required: true,
+    },
+    secretBlindIndex: {
+      type: String,
+      select: false,
+    },
+    secretKeyCiphertext: {
+      type: String,
+      required: true,
+    },
+    secretKeyIV: {
+      type: String, // symmetric
+      required: true,
+    },
+    secretKeyTag: {
+      type: String, // symmetric
+      required: true,
+    },
+    secretValueCiphertext: {
+      type: String,
+      required: true,
+    },
+    secretValueIV: {
+      type: String, // symmetric
+      required: true,
+    },
+    secretValueTag: {
+      type: String, // symmetric
+      required: true,
+    },
+    algorithm: {
+      // the encryption algorithm used
+      type: String,
+      enum: [ALGORITHM_AES_256_GCM],
+      required: true,
+      default: ALGORITHM_AES_256_GCM,
+    },
+    keyEncoding: {
+      type: String,
+      enum: [ENCODING_SCHEME_UTF8, ENCODING_SCHEME_BASE64],
+      required: true,
+      default: ENCODING_SCHEME_UTF8,
+    },
+    folder: {
+      type: String,
+      required: true,
+    },
+    tags: {
+      ref: 'Tag',
+      type: [Schema.Types.ObjectId],
+      default: []
+    },
+  },
+  {
+    timestamps: true,
+  }
 );
 
-const SecretVersion = model<ISecretVersion>('SecretVersion', secretVersionSchema);
+const SecretVersion = model<ISecretVersion>(
+  "SecretVersion",
+  secretVersionSchema
+);
 
-export default SecretVersion;
+export default SecretVersion;

backend/src/ee/routes/v1/cloudProducts.ts

@@ -0,0 +1,20 @@
+import express from 'express';
+const router = express.Router();
+import {
+    requireAuth,
+    validateRequest
+} from '../../../middleware';
+import { query } from 'express-validator';
+import { cloudProductsController } from '../../controllers/v1';
+
+router.get(
+    '/',
+    requireAuth({
+		acceptedAuthModes: ['jwt', 'apiKey']
+	}),
+    query('billing-cycle').exists().isIn(['monthly', 'yearly']),
+    validateRequest,
+    cloudProductsController.getCloudProducts 
+);
+
+export default router;

backend/src/ee/routes/v1/index.ts

@@ -1,11 +1,15 @@
 import secret from './secret';
 import secretSnapshot from './secretSnapshot';
+import organizations from './organizations';
 import workspace from './workspace';
 import action from './action';
+import cloudProducts from './cloudProducts';
 
 export {
     secret,
     secretSnapshot,
+    organizations,
     workspace,
-    action
+    action,
+    cloudProducts
 }

backend/src/ee/routes/v1/organizations.ts

@@ -0,0 +1,87 @@
+import express from 'express';
+const router = express.Router();
+import {
+    requireAuth,
+    requireOrganizationAuth,
+    validateRequest
+} from '../../../middleware';
+import { param, body } from 'express-validator';
+import { organizationsController } from '../../controllers/v1';
+import {
+    OWNER, ADMIN, MEMBER, ACCEPTED
+} from '../../../variables';
+
+router.get(
+    '/:organizationId/plan',
+    requireAuth({
+		acceptedAuthModes: ['jwt', 'apiKey']
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED]
+    }),
+    param('organizationId').exists().trim(),
+    validateRequest,
+    organizationsController.getOrganizationPlan
+);
+
+router.patch(
+    '/:organizationId/plan',
+    requireAuth({
+		acceptedAuthModes: ['jwt', 'apiKey']
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED]
+    }),
+    param('organizationId').exists().trim(),
+    body('productId').exists().isString(),
+    validateRequest,
+    organizationsController.updateOrganizationPlan
+);
+
+router.get(
+    '/:organizationId/billing-details/payment-methods',
+    requireAuth({
+		acceptedAuthModes: ['jwt', 'apiKey']
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED]
+    }),
+    param('organizationId').exists().trim(),
+    validateRequest,
+    organizationsController.getOrganizationPmtMethods
+);
+
+router.post(
+    '/:organizationId/billing-details/payment-methods',
+    requireAuth({
+		acceptedAuthModes: ['jwt', 'apiKey']
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED]
+    }),
+    param('organizationId').exists().trim(),
+    body('success_url').exists().isString(),
+    body('cancel_url').exists().isString(),
+    validateRequest,
+    organizationsController.addOrganizationPmtMethod
+);
+
+router.delete(
+    '/:organizationId/billing-details/payment-methods/:pmtMethodId',
+    requireAuth({
+		acceptedAuthModes: ['jwt', 'apiKey']
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED]
+    }),
+    param('organizationId').exists().trim(),
+    validateRequest,
+    organizationsController.deleteOrganizationPmtMethod
+);
+
+export default router;

backend/src/ee/routes/v1/secret.ts

@@ -7,7 +7,12 @@ import {
 } from '../../../middleware';
 import { query, param, body } from 'express-validator';
 import { secretController } from '../../controllers/v1';
-import { ADMIN, MEMBER } from '../../../variables';
+import {
+	ADMIN, 
+	MEMBER,
+	PERMISSION_READ_SECRETS,
+	PERMISSION_WRITE_SECRETS
+} from '../../../variables';
 
 router.get(
 	'/:secretId/secret-versions',
@@ -15,7 +20,8 @@ router.get(
 		acceptedAuthModes: ['jwt', 'apiKey']
 	}),
 	requireSecretAuth({
-		acceptedRoles: [ADMIN, MEMBER]
+		acceptedRoles: [ADMIN, MEMBER],
+		requiredPermissions: [PERMISSION_READ_SECRETS]
 	}),
 	param('secretId').exists().trim(),
 	query('offset').exists().isInt(),
@@ -30,7 +36,8 @@ router.post(
 		acceptedAuthModes: ['jwt', 'apiKey']
 	}),
 	requireSecretAuth({
-		acceptedRoles: [ADMIN, MEMBER]
+		acceptedRoles: [ADMIN, MEMBER],
+		requiredPermissions: [PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS]
 	}),
 	param('secretId').exists().trim(),
 	body('version').exists().isInt(),

backend/src/ee/routes/v1/secretSnapshot.ts

@@ -7,7 +7,7 @@ import {
     requireAuth,
     validateRequest
 } from '../../../middleware';
-import { param, body } from 'express-validator';
+import { param } from 'express-validator';
 import { ADMIN, MEMBER } from '../../../variables';
 import { secretSnapshotController } from '../../controllers/v1';
 

backend/src/ee/routes/v1/workspace.ts

@@ -1,72 +1,82 @@
-import express from 'express';
+import express from "express";
 const router = express.Router();
 import {
-	requireAuth,
-	requireWorkspaceAuth,
-	validateRequest
-} from '../../../middleware';
-import { param, query, body } from 'express-validator';
-import { ADMIN, MEMBER } from '../../../variables';
-import { workspaceController } from '../../controllers/v1';
+  requireAuth,
+  requireWorkspaceAuth,
+  validateRequest,
+} from "../../../middleware";
+import { param, query, body } from "express-validator";
+import { ADMIN, MEMBER } from "../../../variables";
+import { workspaceController } from "../../controllers/v1";
 
 router.get(
-	'/:workspaceId/secret-snapshots',
-	requireAuth({
-		acceptedAuthModes: ['jwt', 'apiKey']
-	}),
-	requireWorkspaceAuth({
-		acceptedRoles: [ADMIN, MEMBER]
-	}),
-	param('workspaceId').exists().trim(),
-	query('offset').exists().isInt(),
-	query('limit').exists().isInt(),
-	validateRequest,
-	workspaceController.getWorkspaceSecretSnapshots
+  "/:workspaceId/secret-snapshots",
+  requireAuth({
+    acceptedAuthModes: ["jwt", "apiKey"],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    locationWorkspaceId: "params",
+  }),
+  param("workspaceId").exists().trim(),
+  query("environment").isString().exists().trim(),
+  query("folderId").default("root").isString().trim(),
+  query("offset").exists().isInt(),
+  query("limit").exists().isInt(),
+  validateRequest,
+  workspaceController.getWorkspaceSecretSnapshots
 );
 
 router.get(
-	'/:workspaceId/secret-snapshots/count',
-	requireAuth({
-		acceptedAuthModes: ['jwt']
-	}),
-	requireWorkspaceAuth({
-		acceptedRoles: [ADMIN, MEMBER]
-	}),
-	param('workspaceId').exists().trim(),
-	validateRequest,
-	workspaceController.getWorkspaceSecretSnapshotsCount
+  "/:workspaceId/secret-snapshots/count",
+  requireAuth({
+    acceptedAuthModes: ["jwt"],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    locationWorkspaceId: "params",
+  }),
+  param("workspaceId").exists().trim(),
+  query("environment").isString().exists().trim(),
+  query("folderId").default("root").isString().trim(),
+  validateRequest,
+  workspaceController.getWorkspaceSecretSnapshotsCount
 );
 
 router.post(
-	'/:workspaceId/secret-snapshots/rollback',
-	requireAuth({
-		acceptedAuthModes: ['jwt', 'apiKey']
-	}),
-	requireWorkspaceAuth({
-		acceptedRoles: [ADMIN, MEMBER]
-	}),
-	param('workspaceId').exists().trim(),
-	body('version').exists().isInt(),
-	validateRequest,
-	workspaceController.rollbackWorkspaceSecretSnapshot
+  "/:workspaceId/secret-snapshots/rollback",
+  requireAuth({
+    acceptedAuthModes: ["jwt", "apiKey"],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    locationWorkspaceId: "params",
+  }),
+  param("workspaceId").exists().trim(),
+  body("environment").isString().exists().trim(),
+  query("folderId").default("root").isString().exists().trim(),
+  body("version").exists().isInt(),
+  validateRequest,
+  workspaceController.rollbackWorkspaceSecretSnapshot
 );
 
 router.get(
-	'/:workspaceId/logs',
-	requireAuth({
-		acceptedAuthModes: ['jwt', 'apiKey']
-	}),
-	requireWorkspaceAuth({
-		acceptedRoles: [ADMIN, MEMBER]
-	}),
-	param('workspaceId').exists().trim(),
-	query('offset').exists().isInt(),
-	query('limit').exists().isInt(),
-	query('sortBy'),
-	query('userId'),
-	query('actionNames'),
-	validateRequest,
-	workspaceController.getWorkspaceLogs
+  "/:workspaceId/logs",
+  requireAuth({
+    acceptedAuthModes: ["jwt", "apiKey"],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    locationWorkspaceId: "params",
+  }),
+  param("workspaceId").exists().trim(),
+  query("offset").exists().isInt(),
+  query("limit").exists().isInt(),
+  query("sortBy"),
+  query("userId"),
+  query("actionNames"),
+  validateRequest,
+  workspaceController.getWorkspaceLogs
 );
 
-export default router;
+export default router;

backend/src/ee/services/EELicenseService.ts

@@ -1,14 +1,133 @@
-import { LICENSE_KEY } from '../../config';
+import NodeCache from 'node-cache';
+import * as Sentry from '@sentry/node';
+import { 
+    getLicenseKey,
+    getLicenseServerKey,
+    getLicenseServerUrl
+} from '../../config';
+import { 
+    licenseKeyRequest,
+    licenseServerKeyRequest,
+    refreshLicenseServerKeyToken,
+    refreshLicenseKeyToken
+} from '../../config/request';
+import { Organization } from '../../models';
+import { OrganizationNotFoundError } from '../../utils/errors';
+
+interface FeatureSet {
+    _id: string | null;
+    slug: 'starter' | 'team' | 'pro' | 'enterprise' | null;
+    tier: number;
+    workspaceLimit: number | null;
+    workspacesUsed: number;
+    memberLimit: number | null;
+    membersUsed: number;
+    secretVersioning: boolean;
+    pitRecovery: boolean;
+    rbac: boolean;
+    customRateLimits: boolean;
+    customAlerts: boolean;
+    auditLogs: boolean;
+}
 
 /**
- * Class to handle Enterprise Edition license actions
+ * Class to handle license/plan configurations:
+ * - Infisical Cloud: Fetch and cache customer plans in [localFeatureSet]
+ * - Self-hosted regular: Use default global feature set
+ * - Self-hosted enterprise: Fetch and update global feature set
  */
 class EELicenseService {
     
-    private readonly _isLicenseValid: boolean;
+    private readonly _isLicenseValid: boolean; // TODO: deprecate
+
+    public instanceType: 'self-hosted' | 'enterprise-self-hosted' | 'cloud' = 'self-hosted';
+
+    public globalFeatureSet: FeatureSet = {
+        _id: null,
+        slug: null,
+        tier: -1,
+        workspaceLimit: null,
+        workspacesUsed: 0,
+        memberLimit: null,
+        membersUsed: 0,
+        secretVersioning: true,
+        pitRecovery: true,
+        rbac: true,
+        customRateLimits: true,
+        customAlerts: true,
+        auditLogs: false
+    }
+
+    public localFeatureSet: NodeCache;
     
-    constructor(licenseKey: string) {
+    constructor() {
         this._isLicenseValid = true;
+        this.localFeatureSet = new NodeCache({
+            stdTTL: 300
+        });
+    }
+    
+    public async getOrganizationPlan(organizationId: string): Promise<FeatureSet> {
+        try {
+            if (this.instanceType === 'cloud') {
+                const cachedPlan = this.localFeatureSet.get<FeatureSet>(organizationId);
+                if (cachedPlan) {
+                    return cachedPlan;
+                }
+
+                const organization = await Organization.findById(organizationId);
+                if (!organization) throw OrganizationNotFoundError();
+
+                const { data: { currentPlan } } = await licenseServerKeyRequest.get(
+                    `${await getLicenseServerUrl()}/api/license-server/v1/customers/${organization.customerId}/cloud-plan`
+                );
+
+                // cache fetched plan for organization
+                this.localFeatureSet.set(organizationId, currentPlan);
+
+                return currentPlan;
+            }
+        } catch (err) {
+            return this.globalFeatureSet;
+        }
+
+        return this.globalFeatureSet;
+    }
+
+    public async initGlobalFeatureSet() {
+        const licenseServerKey = await getLicenseServerKey();
+        const licenseKey = await getLicenseKey();
+
+        try {
+            if (licenseServerKey) {
+                // license server key is present -> validate it
+                const token = await refreshLicenseServerKeyToken()
+                    
+                if (token) {
+                    this.instanceType = 'cloud';
+                }
+                
+                return;
+            }
+            
+            if (licenseKey) {
+                // license key is present -> validate it
+                const token = await refreshLicenseKeyToken();
+                    
+                if (token) {
+                    const { data: { currentPlan } } = await licenseKeyRequest.get(
+                        `${await getLicenseServerUrl()}/api/license/v1/plan`
+                    );
+                    
+                    this.globalFeatureSet = currentPlan;
+                    this.instanceType = 'enterprise-self-hosted';
+                }
+            }
+        } catch (err) {
+            // case: self-hosted free
+            Sentry.setUser(null);
+            Sentry.captureException(err);
+        }
     }
 
     public get isLicenseValid(): boolean {
@@ -16,4 +135,4 @@ class EELicenseService {
     }
 }
 
-export default new EELicenseService(LICENSE_KEY);
+export default new EELicenseService();

backend/src/ee/services/EELogService.ts

@@ -26,12 +26,16 @@ class EELogService {
      */
     static async createLog({
         userId,
+        serviceAccountId,
+        serviceTokenDataId,
         workspaceId,
         actions,
         channel,
         ipAddress
     }: {
-        userId: Types.ObjectId;
+        userId?: Types.ObjectId;
+        serviceAccountId?: Types.ObjectId;
+        serviceTokenDataId?: Types.ObjectId;
         workspaceId?: Types.ObjectId;
         actions: IAction[];
         channel: string;
@@ -40,6 +44,8 @@ class EELogService {
         if (!EELicenseService.isLicenseValid) return null;
         return await createLogHelper({
             userId,
+            serviceAccountId,
+            serviceTokenDataId,
             workspaceId,
             actions,
             channel,
@@ -59,17 +65,23 @@ class EELogService {
     static async createAction({
         name,
         userId,
+        serviceAccountId,
+        serviceTokenDataId,
         workspaceId,
         secretIds
     }: {
         name: string;
-        userId: Types.ObjectId;
+        userId?: Types.ObjectId;
+        serviceAccountId?: Types.ObjectId;
+        serviceTokenDataId?: Types.ObjectId;
         workspaceId?: Types.ObjectId;
         secretIds?: Types.ObjectId[];
     }) {
         return await createActionHelper({
             name,
             userId,
+            serviceAccountId,
+            serviceTokenDataId,
             workspaceId,
             secretIds
         });

backend/src/ee/services/EESecretService.ts

@@ -1,10 +1,9 @@
 import { Types } from 'mongoose';
 import { ISecretVersion } from '../models';
-import { 
-    takeSecretSnapshotHelper,
-    addSecretVersionsHelper,
-    markDeletedSecretVersionsHelper,
-    initSecretVersioningHelper
+import {
+  takeSecretSnapshotHelper,
+  addSecretVersionsHelper,
+  markDeletedSecretVersionsHelper,
 } from '../helpers/secret';
 import EELicenseService from './EELicenseService';
 
@@ -12,67 +11,65 @@ import EELicenseService from './EELicenseService';
  * Class to handle Enterprise Edition secret actions
  */
 class EESecretService {
-    
-    /**
-     * Save a secret snapshot that is a copy of the current state of secrets in workspace with id
-     * [workspaceId] under a new snapshot with incremented version under the
-     * SecretSnapshot collection.
-     * Requires a valid license key [licenseKey]
-     * @param {Object} obj
-     * @param {String} obj.workspaceId
-     * @returns {SecretSnapshot} secretSnapshot - new secret snpashot
-     */
-    static async takeSecretSnapshot({
-        workspaceId
-    }: {
-        workspaceId: string;
-    }) {
-        if (!EELicenseService.isLicenseValid) return;
-        return await takeSecretSnapshotHelper({ workspaceId });
-    }
-    
-    /**
-     * Add secret versions [secretVersions] to the SecretVersion collection.
-     * @param {Object} obj
-     * @param {Object[]} obj.secretVersions
-     * @returns {SecretVersion[]} newSecretVersions - new secret versions
-     */
-    static async addSecretVersions({
-        secretVersions
-    }: {
-        secretVersions: ISecretVersion[];
-    }) {
-        if (!EELicenseService.isLicenseValid) return;
-        return await addSecretVersionsHelper({
-            secretVersions
-        });
-    }
+  /**
+   * Save a secret snapshot that is a copy of the current state of secrets in workspace with id
+   * [workspaceId] under a new snapshot with incremented version under the
+   * SecretSnapshot collection.
+   * Requires a valid license key [licenseKey]
+   * @param {Object} obj
+   * @param {String} obj.workspaceId
+   * @returns {SecretSnapshot} secretSnapshot - new secret snpashot
+   */
+  static async takeSecretSnapshot({
+    workspaceId,
+    environment,
+    folderId,
+  }: {
+    workspaceId: Types.ObjectId;
+    environment: string;
+    folderId?: string;
+  }) {
+    if (!EELicenseService.isLicenseValid) return;
+    return await takeSecretSnapshotHelper({
+      workspaceId,
+      environment,
+      folderId,
+    });
+  }
 
-    /**
-     * Mark secret versions associated with secrets with ids [secretIds]
-     * as deleted.
-     * @param {Object} obj
-     * @param {ObjectId[]} obj.secretIds - secret ids
-     */
-    static async markDeletedSecretVersions({
-        secretIds
-    }: {
-        secretIds: Types.ObjectId[];
-    }) {
-        if (!EELicenseService.isLicenseValid) return;
-        await markDeletedSecretVersionsHelper({
-            secretIds
-        });
-    }
-    
-    /**
-     * Initialize secret versioning by setting previously unversioned
-     * secrets to version 1 and begin populating secret versions.
-     */
-    static async initSecretVersioning() {
-        if (!EELicenseService.isLicenseValid) return; 
-        await initSecretVersioningHelper();
-    }
+  /**
+   * Add secret versions [secretVersions] to the SecretVersion collection.
+   * @param {Object} obj
+   * @param {Object[]} obj.secretVersions
+   * @returns {SecretVersion[]} newSecretVersions - new secret versions
+   */
+  static async addSecretVersions({
+    secretVersions,
+  }: {
+    secretVersions: ISecretVersion[];
+  }) {
+    if (!EELicenseService.isLicenseValid) return;
+    return await addSecretVersionsHelper({
+      secretVersions,
+    });
+  }
+
+  /**
+   * Mark secret versions associated with secrets with ids [secretIds]
+   * as deleted.
+   * @param {Object} obj
+   * @param {ObjectId[]} obj.secretIds - secret ids
+   */
+  static async markDeletedSecretVersions({
+    secretIds,
+  }: {
+    secretIds: Types.ObjectId[];
+  }) {
+    if (!EELicenseService.isLicenseValid) return;
+    await markDeletedSecretVersionsHelper({
+      secretIds,
+    });
+  }
 }
 
-export default EESecretService;
+export default EESecretService;

backend/src/events/secret.ts

@@ -1,3 +1,4 @@
+import { Types } from 'mongoose';
 import { 
     EVENT_PUSH_SECRETS, 
     EVENT_PULL_SECRETS 
@@ -22,13 +23,16 @@ interface PushSecret {
  * @returns 
  */
 const eventPushSecrets = ({
-    workspaceId
+    workspaceId,
+    environment
 }: {
-    workspaceId: string;
+    workspaceId: Types.ObjectId;
+    environment?: string;
 }) => {
     return ({
         name: EVENT_PUSH_SECRETS,
         workspaceId,
+        environment,
         payload: {
 
         }

backend/src/helpers/auth.ts

@@ -1,24 +1,34 @@
+import { Types } from 'mongoose';
 import jwt from 'jsonwebtoken';
-import * as Sentry from '@sentry/node';
 import bcrypt from 'bcrypt';
 import {
+	IUser,
 	User,
 	ServiceTokenData,
+	ServiceAccount,
 	APIKeyData
 } from '../models';
-import {
-	JWT_AUTH_LIFETIME,
-	JWT_AUTH_SECRET,
-	JWT_REFRESH_LIFETIME,
-	JWT_REFRESH_SECRET
-} from '../config';
 import {
 	AccountNotFoundError,
 	ServiceTokenDataNotFoundError,
+	ServiceAccountNotFoundError,
 	APIKeyDataNotFoundError,
 	UnauthorizedRequestError,
 	BadRequestError
 } from '../utils/errors';
+import {
+	getJwtAuthLifetime,
+	getJwtAuthSecret,
+	getJwtProviderAuthSecret,
+	getJwtRefreshLifetime,
+	getJwtRefreshSecret
+} from '../config';
+import {
+	AUTH_MODE_JWT,
+	AUTH_MODE_SERVICE_ACCOUNT,
+	AUTH_MODE_SERVICE_TOKEN,
+	AUTH_MODE_API_KEY
+} from '../variables';
 
 /**
  * 
@@ -32,11 +42,10 @@ const validateAuthMode = ({
 	headers: { [key: string]: string | string[] | undefined },
 	acceptedAuthModes: string[]
 }) => {
-	// TODO: refactor middleware
 	const apiKey = headers['x-api-key'];
 	const authHeader = headers['authorization'];
 
-	let authTokenType, authTokenValue;
+	let authMode, authTokenValue;
 	if (apiKey === undefined && authHeader === undefined) {
 		// case: no auth or X-API-KEY header present
 		throw BadRequestError({ message: 'Missing Authorization or X-API-KEY in request header.' });
@@ -44,7 +53,7 @@ const validateAuthMode = ({
 
 	if (typeof apiKey === 'string') {
 		// case: treat request authentication type as via X-API-KEY (i.e. API Key)
-		authTokenType = 'apiKey';
+		authMode = AUTH_MODE_API_KEY;
 		authTokenValue = apiKey;
 	}
 
@@ -60,20 +69,24 @@ const validateAuthMode = ({
 
 		switch (tokenValue.split('.', 1)[0]) {
 			case 'st':
-				authTokenType = 'serviceToken';
+				authMode = AUTH_MODE_SERVICE_TOKEN;
+				break;
+			case 'sa':
+				authMode = AUTH_MODE_SERVICE_ACCOUNT;
 				break;
 			default:
-				authTokenType = 'jwt';
+				authMode = AUTH_MODE_JWT;
 		}
+
 		authTokenValue = tokenValue;
 	}
 
-	if (!authTokenType || !authTokenValue) throw BadRequestError({ message: 'Missing valid Authorization or X-API-KEY in request header.' });
+	if (!authMode || !authTokenValue) throw BadRequestError({ message: 'Missing valid Authorization or X-API-KEY in request header.' });
 
-	if (!acceptedAuthModes.includes(authTokenType)) throw BadRequestError({ message: 'The provided authentication type is not supported.' });
+	if (!acceptedAuthModes.includes(authMode)) throw BadRequestError({ message: 'The provided authentication type is not supported.' });
 
 	return ({
-		authTokenType,
+		authMode,
 		authTokenValue
 	});
 }
@@ -89,25 +102,17 @@ const getAuthUserPayload = async ({
 }: {
 	authTokenValue: string;
 }) => {
-	let user;
-	try {
-		const decodedToken = <jwt.UserIDJwtPayload>(
-			jwt.verify(authTokenValue, JWT_AUTH_SECRET)
-		);
+	const decodedToken = <jwt.UserIDJwtPayload>(
+		jwt.verify(authTokenValue, await getJwtAuthSecret())
+	);
 
-		user = await User.findOne({
-			_id: decodedToken.userId
-		}).select('+publicKey');
+	const user = await User.findOne({
+		_id: decodedToken.userId
+	}).select('+publicKey');
 
-		if (!user) throw AccountNotFoundError({ message: 'Failed to find User' });
+	if (!user) throw AccountNotFoundError({ message: 'Failed to find User' });
 
-		if (!user?.publicKey) throw UnauthorizedRequestError({ message: 'Failed to authenticate User with partially set up account' });
-
-	} catch (err) {
-		throw UnauthorizedRequestError({
-			message: 'Failed to authenticate JWT token'
-		});
-	}
+	if (!user?.publicKey) throw UnauthorizedRequestError({ message: 'Failed to authenticate User with partially set up account' });
 
 	return user;
 }
@@ -123,42 +128,70 @@ const getAuthSTDPayload = async ({
 }: {
 	authTokenValue: string;
 }) => {
-	let serviceTokenData;
-	try {
-		const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split('.', 3);
+	const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split('.', 3);
 
-		// TODO: optimize double query
-		serviceTokenData = await ServiceTokenData
-			.findById(TOKEN_IDENTIFIER, '+secretHash +expiresAt');
+	let serviceTokenData = await ServiceTokenData
+		.findById(TOKEN_IDENTIFIER, '+secretHash +expiresAt');
 
-		if (!serviceTokenData) {
-			throw ServiceTokenDataNotFoundError({ message: 'Failed to find service token data' });
-		} else if (serviceTokenData?.expiresAt && new Date(serviceTokenData.expiresAt) < new Date()) {
-			// case: service token expired
-			await ServiceTokenData.findByIdAndDelete(serviceTokenData._id);
-			throw UnauthorizedRequestError({
-				message: 'Failed to authenticate expired service token'
-			});
-		}
-
-		const isMatch = await bcrypt.compare(TOKEN_SECRET, serviceTokenData.secretHash);
-		if (!isMatch) throw UnauthorizedRequestError({
-			message: 'Failed to authenticate service token'
-		});
-
-		serviceTokenData = await ServiceTokenData
-			.findById(TOKEN_IDENTIFIER)
-			.select('+encryptedKey +iv +tag').populate('user');
-
-	} catch (err) {
+	if (!serviceTokenData) {
+		throw ServiceTokenDataNotFoundError({ message: 'Failed to find service token data' });
+	} else if (serviceTokenData?.expiresAt && new Date(serviceTokenData.expiresAt) < new Date()) {
+		// case: service token expired
+		await ServiceTokenData.findByIdAndDelete(serviceTokenData._id);
 		throw UnauthorizedRequestError({
-			message: 'Failed to authenticate service token'
+			message: 'Failed to authenticate expired service token'
 		});
 	}
 
+	const isMatch = await bcrypt.compare(TOKEN_SECRET, serviceTokenData.secretHash);
+	if (!isMatch) throw UnauthorizedRequestError({
+		message: 'Failed to authenticate service token'
+	});
+
+	serviceTokenData = await ServiceTokenData
+		.findOneAndUpdate({
+			_id: new Types.ObjectId(TOKEN_IDENTIFIER)
+		}, {
+			lastUsed: new Date()
+		}, {
+			new: true
+		})
+		.select('+encryptedKey +iv +tag');
+
+	if (!serviceTokenData) throw ServiceTokenDataNotFoundError({ message: 'Failed to find service token data' });
+
 	return serviceTokenData;
 }
 
+/**
+ * Return service account access key payload
+ * @param {Object} obj
+ * @param {String} obj.authTokenValue - service account access token value
+ * @returns {ServiceAccount} serviceAccount
+ */
+const getAuthSAAKPayload = async ({
+	authTokenValue
+}: {
+	authTokenValue: string;
+}) => {
+	const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split('.', 3);
+
+	const serviceAccount = await ServiceAccount.findById(
+		Buffer.from(TOKEN_IDENTIFIER, 'base64').toString('hex')
+	).select('+secretHash');
+
+	if (!serviceAccount) {
+		throw ServiceAccountNotFoundError({ message: 'Failed to find service account' });
+	}
+
+	const result = await bcrypt.compare(TOKEN_SECRET, serviceAccount.secretHash);
+	if (!result) throw UnauthorizedRequestError({
+		message: 'Failed to authenticate service account access key'
+	});
+
+	return serviceAccount;
+}
+
 /**
  * Return API key data payload corresponding to API key [authTokenValue]
  * @param {Object} obj
@@ -170,33 +203,44 @@ const getAuthAPIKeyPayload = async ({
 }: {
 	authTokenValue: string;
 }) => {
-	let user;
-	try {
-		const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split('.', 3);
+	const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split('.', 3);
 
-		const apiKeyData = await APIKeyData
-			.findById(TOKEN_IDENTIFIER, '+secretHash +expiresAt')
-			.populate('user', '+publicKey');
+	let apiKeyData = await APIKeyData
+		.findById(TOKEN_IDENTIFIER, '+secretHash +expiresAt')
+		.populate<{ user: IUser }>('user', '+publicKey');
 
-		if (!apiKeyData) {
-			throw APIKeyDataNotFoundError({ message: 'Failed to find API key data' });
-		} else if (apiKeyData?.expiresAt && new Date(apiKeyData.expiresAt) < new Date()) {
-			// case: API key expired
-			await APIKeyData.findByIdAndDelete(apiKeyData._id);
-			throw UnauthorizedRequestError({
-				message: 'Failed to authenticate expired API key'
-			});
-		}
-
-		const isMatch = await bcrypt.compare(TOKEN_SECRET, apiKeyData.secretHash);
-		if (!isMatch) throw UnauthorizedRequestError({
-			message: 'Failed to authenticate API key'
-		});
-
-		user = apiKeyData.user;
-	} catch (err) {
+	if (!apiKeyData) {
+		throw APIKeyDataNotFoundError({ message: 'Failed to find API key data' });
+	} else if (apiKeyData?.expiresAt && new Date(apiKeyData.expiresAt) < new Date()) {
+		// case: API key expired
+		await APIKeyData.findByIdAndDelete(apiKeyData._id);
 		throw UnauthorizedRequestError({
-			message: 'Failed to authenticate API key'
+			message: 'Failed to authenticate expired API key'
+		});
+	}
+
+	const isMatch = await bcrypt.compare(TOKEN_SECRET, apiKeyData.secretHash);
+	if (!isMatch) throw UnauthorizedRequestError({
+		message: 'Failed to authenticate API key'
+	});
+
+	apiKeyData = await APIKeyData.findOneAndUpdate({
+		_id: new Types.ObjectId(TOKEN_IDENTIFIER)
+	}, {
+		lastUsed: new Date()
+	}, {
+		new: true
+	});
+
+	if (!apiKeyData) {
+		throw APIKeyDataNotFoundError({ message: 'Failed to find API key data' });
+	}
+
+	const user = await User.findById(apiKeyData.user).select('+publicKey');
+
+	if (!user) {
+		throw AccountNotFoundError({
+			message: 'Failed to find user'
 		});
 	}
 
@@ -212,30 +256,23 @@ const getAuthAPIKeyPayload = async ({
  * @return {String} obj.refreshToken - issued refresh token
  */
 const issueAuthTokens = async ({ userId }: { userId: string }) => {
-	let token: string;
-	let refreshToken: string;
-	try {
-		// issue tokens
-		token = createToken({
-			payload: {
-				userId
-			},
-			expiresIn: JWT_AUTH_LIFETIME,
-			secret: JWT_AUTH_SECRET
-		});
 
-		refreshToken = createToken({
-			payload: {
-				userId
-			},
-			expiresIn: JWT_REFRESH_LIFETIME,
-			secret: JWT_REFRESH_SECRET
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to issue tokens');
-	}
+	// issue tokens
+	const token = createToken({
+		payload: {
+			userId
+		},
+		expiresIn: await getJwtAuthLifetime(),
+		secret: await getJwtAuthSecret()
+	});
+
+	const refreshToken = createToken({
+		payload: {
+			userId
+		},
+		expiresIn: await getJwtRefreshLifetime(),
+		secret: await getJwtRefreshSecret()
+	});
 
 	return {
 		token,
@@ -249,19 +286,14 @@ const issueAuthTokens = async ({ userId }: { userId: string }) => {
  * @param {String} obj.userId - id of user whose tokens are cleared.
  */
 const clearTokens = async ({ userId }: { userId: string }): Promise<void> => {
-	try {
-		// increment refreshVersion on user by 1
-		User.findOneAndUpdate({
-			_id: userId
-		}, {
-			$inc: {
-				refreshVersion: 1
-			}
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-	}
+	// increment refreshVersion on user by 1
+	User.findOneAndUpdate({
+		_id: userId
+	}, {
+		$inc: {
+			refreshVersion: 1
+		}
+	});
 };
 
 /**
@@ -281,21 +313,42 @@ const createToken = ({
 	expiresIn: string | number;
 	secret: string;
 }) => {
-	try {
-		return jwt.sign(payload, secret, {
-			expiresIn
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to create a token');
-	}
+	return jwt.sign(payload, secret, {
+		expiresIn
+	});
 };
 
+const validateProviderAuthToken = async ({
+	email,
+	user,
+	providerAuthToken,
+}: {
+	email: string;
+	user: IUser,
+	providerAuthToken?: string;
+}) => {
+	if (!providerAuthToken) {
+		throw new Error('Invalid authentication request.');
+	}
+
+	const decodedToken = <jwt.ProviderAuthJwtPayload>(
+		jwt.verify(providerAuthToken, await getJwtProviderAuthSecret())
+	);
+	
+	if (
+		decodedToken.authProvider !== user.authProvider ||
+		decodedToken.email !== email
+	) {
+		throw new Error('Invalid authentication credentials.')
+	}
+}
+
 export {
 	validateAuthMode,
+	validateProviderAuthToken,
 	getAuthUserPayload,
 	getAuthSTDPayload,
+	getAuthSAAKPayload,
 	getAuthAPIKeyPayload,
 	createToken,
 	issueAuthTokens,

backend/src/helpers/bot.ts

@@ -1,58 +1,90 @@
-import * as Sentry from '@sentry/node';
+import { Types } from "mongoose";
 import {
-    Bot,
-    BotKey,
-    Secret,
-    ISecret,
-    IUser
-} from '../models';
-import { 
-    generateKeyPair, 
-    encryptSymmetric,
-    decryptSymmetric,
-    decryptAsymmetric
+  Bot,
+  BotKey,
+  Secret,
+  ISecret,
+  IUser
+} from "../models";
+import {
+  generateKeyPair,
+  encryptSymmetric128BitHexKeyUTF8,
+  decryptSymmetric128BitHexKeyUTF8,
+  decryptAsymmetric
 } from '../utils/crypto';
-import { ENCRYPTION_KEY } from '../config';
-import { SECRET_SHARED } from '../variables';
+import {
+  SECRET_SHARED,
+  ALGORITHM_AES_256_GCM,
+  ENCODING_SCHEME_UTF8,
+  ENCODING_SCHEME_BASE64
+} from "../variables";
+import { 
+  getEncryptionKey, 
+  getRootEncryptionKey,
+  client
+} from "../config";
+import { InternalServerError } from "../utils/errors";
 
 /**
  * Create an inactive bot with name [name] for workspace with id [workspaceId]
- * @param {Object} obj 
+ * @param {Object} obj
  * @param {String} obj.name - name of bot
  * @param {String} obj.workspaceId - id of workspace that bot belongs to
  */
 const createBot = async ({
-    name,
-    workspaceId,
+  name,
+  workspaceId,
 }: {
-    name: string;
-    workspaceId: string;
+  name: string;
+  workspaceId: Types.ObjectId;
 }) => {
-    let bot;
-    try {
-        const { publicKey, privateKey } = generateKeyPair();
-        const { ciphertext, iv, tag } = encryptSymmetric({
-            plaintext: privateKey,
-            key: ENCRYPTION_KEY
-        });
+  const encryptionKey = await getEncryptionKey();
+  const rootEncryptionKey = await getRootEncryptionKey();
+  
+  const { publicKey, privateKey } = generateKeyPair();
+  
+  if (rootEncryptionKey) {
+    const { 
+      ciphertext, 
+      iv, 
+      tag 
+    } = client.encryptSymmetric(privateKey, rootEncryptionKey);
 
-        bot = await new Bot({
-            name,
-            workspace: workspaceId,
-            isActive: false,
-            publicKey,
-            encryptedPrivateKey: ciphertext,
-            iv,
-            tag
-        }).save();
-    } catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to create bot');
-    }
-    
-    return bot;
-}
+    return await new Bot({
+      name,
+      workspace: workspaceId,
+      isActive: false,
+      publicKey,
+      encryptedPrivateKey: ciphertext,
+      iv,
+      tag,
+      algorithm: ALGORITHM_AES_256_GCM,
+      keyEncoding: ENCODING_SCHEME_BASE64
+    }).save();
+  
+  } else if (encryptionKey) {
+    const { ciphertext, iv, tag } = encryptSymmetric128BitHexKeyUTF8({
+      plaintext: privateKey,
+      key: await getEncryptionKey(),
+    });
+
+    return await new Bot({
+      name,
+      workspace: workspaceId,
+      isActive: false,
+      publicKey,
+      encryptedPrivateKey: ciphertext,
+      iv,
+      tag,
+      algorithm: ALGORITHM_AES_256_GCM,
+      keyEncoding: ENCODING_SCHEME_UTF8
+    }).save();
+  }
+
+  throw InternalServerError({
+    message: 'Failed to create new bot due to missing encryption key'
+  });
+};
 
 /**
  * Return decrypted secrets for workspace with id [workspaceId]
@@ -62,125 +94,125 @@ const createBot = async ({
  * @param {String} obj.environment - environment
  */
 const getSecretsHelper = async ({
-    workspaceId,
-    environment
+  workspaceId,
+  environment,
 }: {
-    workspaceId: string;
-    environment: string;
+  workspaceId: Types.ObjectId;
+  environment: string;
 }) => {
-    const content = {} as any;
-    try {
-        const key = await getKey({ workspaceId });
-        const secrets = await Secret.find({
-            workspace: workspaceId,
-            environment,
-            type: SECRET_SHARED
-        });
-        
-        secrets.forEach((secret: ISecret) => {
-            const secretKey = decryptSymmetric({
-                ciphertext: secret.secretKeyCiphertext,
-                iv: secret.secretKeyIV,
-                tag: secret.secretKeyTag,
-                key
-            });
+  const content = {} as any;
+  const key = await getKey({ workspaceId: workspaceId.toString() });
+  const secrets = await Secret.find({
+    workspace: workspaceId,
+    environment,
+    type: SECRET_SHARED,
+  });
 
-            const secretValue = decryptSymmetric({
-                ciphertext: secret.secretValueCiphertext,
-                iv: secret.secretValueIV,
-                tag: secret.secretValueTag,
-                key
-            });
+  secrets.forEach((secret: ISecret) => {
+    const secretKey = decryptSymmetric128BitHexKeyUTF8({
+      ciphertext: secret.secretKeyCiphertext,
+      iv: secret.secretKeyIV,
+      tag: secret.secretKeyTag,
+      key,
+    });
 
-            content[secretKey] = secretValue;
-        });
-    } catch (err) {
-        Sentry.setUser(null);
-        Sentry.captureException(err);
-        throw new Error('Failed to get secrets');
-    }
+    const secretValue = decryptSymmetric128BitHexKeyUTF8({
+      ciphertext: secret.secretValueCiphertext,
+      iv: secret.secretValueIV,
+      tag: secret.secretValueTag,
+      key,
+    });
 
-    return content;
-}
+    content[secretKey] = secretValue;
+  });
+
+  return content;
+};
 
 /**
- * Return bot's copy of the workspace key for workspace 
+ * Return bot's copy of the workspace key for workspace
  * with id [workspaceId]
  * @param {Object} obj
  * @param {String} obj.workspaceId - id of workspace
  * @returns {String} key - decrypted workspace key
  */
 const getKey = async ({ workspaceId }: { workspaceId: string }) => {
-    let key;
-    try {
-        const botKey = await BotKey.findOne({
-            workspace: workspaceId
-        }).populate<{ sender: IUser }>('sender', 'publicKey');
-        
-        if (!botKey) throw new Error('Failed to find bot key');
-        
-        const bot = await Bot.findOne({
-            workspace: workspaceId
-        }).select('+encryptedPrivateKey +iv +tag');
-        
-        if (!bot) throw new Error('Failed to find bot');
-        if (!bot.isActive) throw new Error('Bot is not active');
-        
-        const privateKeyBot = decryptSymmetric({
-            ciphertext: bot.encryptedPrivateKey,
-            iv: bot.iv,
-            tag: bot.tag,
-            key: ENCRYPTION_KEY
-        });
-        
-        key = decryptAsymmetric({
-            ciphertext: botKey.encryptedKey,
-            nonce: botKey.nonce,
-            publicKey: botKey.sender.publicKey as string,
-            privateKey: privateKeyBot
-        });
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to get workspace key');
-    }
+  const encryptionKey = await getEncryptionKey();
+  const rootEncryptionKey = await getRootEncryptionKey();
+
+  const botKey = await BotKey.findOne({
+    workspace: workspaceId,
+  })
+  .populate<{ sender: IUser }>("sender", "publicKey");
+
+  if (!botKey) throw new Error("Failed to find bot key");
+
+  const bot = await Bot.findOne({
+    workspace: workspaceId,
+  }).select("+encryptedPrivateKey +iv +tag +algorithm +keyEncoding");
+
+  if (!bot) throw new Error("Failed to find bot");
+  if (!bot.isActive) throw new Error("Bot is not active");
+
+  if (rootEncryptionKey && bot.keyEncoding === ENCODING_SCHEME_BASE64) {
+    // case: encoding scheme is base64
+    const privateKeyBot = client.decryptSymmetric(bot.encryptedPrivateKey, rootEncryptionKey, bot.iv, bot.tag);
+
+    return decryptAsymmetric({
+      ciphertext: botKey.encryptedKey,
+      nonce: botKey.nonce,
+      publicKey: botKey.sender.publicKey as string,
+      privateKey: privateKeyBot,
+    });
+  } else if (encryptionKey && bot.keyEncoding === ENCODING_SCHEME_UTF8) {
     
-    return key;
-}
+    // case: encoding scheme is utf8
+    const privateKeyBot = decryptSymmetric128BitHexKeyUTF8({
+      ciphertext: bot.encryptedPrivateKey,
+      iv: bot.iv,
+      tag: bot.tag,
+      key: encryptionKey
+    });
+    
+    return decryptAsymmetric({
+      ciphertext: botKey.encryptedKey,
+      nonce: botKey.nonce,
+      publicKey: botKey.sender.publicKey as string,
+      privateKey: privateKeyBot,
+    });
+  }
+
+  throw InternalServerError({
+    message: "Failed to obtain bot's copy of workspace key needed for bot operations"
+  });
+};
 
 /**
  * Return symmetrically encrypted [plaintext] using the
- * key for workspace with id [workspaceId] 
+ * key for workspace with id [workspaceId]
  * @param {Object} obj1
  * @param {String} obj1.workspaceId - id of workspace
  * @param {String} obj1.plaintext - plaintext to encrypt
  */
 const encryptSymmetricHelper = async ({
-    workspaceId,
-    plaintext
+  workspaceId,
+  plaintext,
 }: {
-    workspaceId: string;
-    plaintext: string;
+  workspaceId: Types.ObjectId;
+  plaintext: string;
 }) => {
-    
-    try {
-        const key = await getKey({ workspaceId });
-        const { ciphertext, iv, tag } = encryptSymmetric({
-            plaintext,
-            key
-        });
-        
-        return ({
-            ciphertext,
-            iv,
-            tag
-        });
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to perform symmetric encryption with bot');
-    }
-}
+  const key = await getKey({ workspaceId: workspaceId.toString() });
+  const { ciphertext, iv, tag } = encryptSymmetric128BitHexKeyUTF8({
+    plaintext,
+    key,
+  });
+
+  return {
+    ciphertext,
+    iv,
+    tag,
+  };
+};
 /**
  * Return symmetrically decrypted [ciphertext] using the
  * key for workspace with id [workspaceId]
@@ -191,39 +223,30 @@ const encryptSymmetricHelper = async ({
  * @param {String} obj.tag - tag
  */
 const decryptSymmetricHelper = async ({
-    workspaceId,
+  workspaceId,
+  ciphertext,
+  iv,
+  tag,
+}: {
+  workspaceId: Types.ObjectId;
+  ciphertext: string;
+  iv: string;
+  tag: string;
+}) => {
+  const key = await getKey({ workspaceId: workspaceId.toString() });
+  const plaintext = decryptSymmetric128BitHexKeyUTF8({
     ciphertext,
     iv,
-    tag
-}: {
-    workspaceId: string;
-    ciphertext: string;
-    iv: string;
-    tag: string;
-}) => {
-    let plaintext;
-    try {
-        const key = await getKey({ workspaceId });
-        const plaintext = decryptSymmetric({
-            ciphertext,
-            iv,
-            tag,
-            key
-        });
-        
-        return plaintext;
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to perform symmetric decryption with bot');
-    }
-    
-    return plaintext;
-}
+    tag,
+    key,
+  });
+
+  return plaintext;
+};
 
 export {
-    createBot,
-    getSecretsHelper,
-    encryptSymmetricHelper,
-    decryptSymmetricHelper
-}
+  createBot,
+  getSecretsHelper,
+  encryptSymmetricHelper,
+  decryptSymmetricHelper
+};

backend/src/helpers/database.ts

@@ -1,5 +1,4 @@
 import mongoose from 'mongoose';
-import { EESecretService } from '../ee/services';
 import { getLogger } from '../utils/logger';
 
 /**
@@ -19,16 +18,32 @@ const initDatabaseHelper = async ({
         // allow empty strings to pass the required validator
         mongoose.Schema.Types.String.checkRequired(v => typeof v === 'string');
 
-        getLogger("database").info("Database connection established");
-        
-        await EESecretService.initSecretVersioning();
+        (await getLogger("database")).info("Database connection established");
+
     } catch (err) {
-        getLogger("database").error(`Unable to establish Database connection due to the error.\n${err}`);
+        (await getLogger("database")).error(`Unable to establish Database connection due to the error.\n${err}`);
     }
 
     return mongoose.connection;
 }
 
+/**
+ * Close database conection
+ */
+const closeDatabaseHelper = async () => {
+    return Promise.all([
+        new Promise((resolve) => {
+            if (mongoose.connection && mongoose.connection.readyState == 1) {
+            mongoose.connection.close()
+                .then(() => resolve('Database connection closed'));
+            } else {
+            resolve('Database connection already closed');
+            }
+        })
+    ]);
+}
+
 export {
-    initDatabaseHelper
+    initDatabaseHelper,
+    closeDatabaseHelper
 }

backend/src/helpers/event.ts

@@ -1,12 +1,13 @@
-import { Bot, IBot } from '../models';
-import * as Sentry from '@sentry/node';
-import { EVENT_PUSH_SECRETS } from '../variables';
-import { IntegrationService } from '../services';
+import { Types } from "mongoose";
+import { Bot, IBot } from "../models";
+import { EVENT_PUSH_SECRETS } from "../variables";
+import { IntegrationService } from "../services";
 
 interface Event {
-    name: string;
-    workspaceId: string;
-    payload: any;
+  name: string;
+  workspaceId: Types.ObjectId;
+  environment?: string;
+  payload: any;
 }
 
 /**
@@ -17,35 +18,25 @@ interface Event {
  * @param {String} obj.event.workspaceId - id of workspace that event is part of
  * @param {Object} obj.event.payload - payload of event (depends on event)
  */
-const handleEventHelper = async ({
-    event
-}: {
-    event: Event;
-}) => {
-    const { workspaceId } = event;
-    
-    // TODO: moduralize bot check into separate function
-    const bot = await Bot.findOne({
-        workspace: workspaceId,
-        isActive: true
-    });
-    
-    if (!bot) return;
-    
-    try {
-        switch (event.name) {
-            case EVENT_PUSH_SECRETS:
-                IntegrationService.syncIntegrations({
-                    workspaceId
-                });
-                break;
-        }
-    } catch (err) {
-        Sentry.setUser(null);
-        Sentry.captureException(err);
-    }
-}
+const handleEventHelper = async ({ event }: { event: Event }) => {
+  const { workspaceId, environment } = event;
 
-export {
-    handleEventHelper
-}
+  // TODO: moduralize bot check into separate function
+  const bot = await Bot.findOne({
+    workspace: workspaceId,
+    isActive: true,
+  });
+
+  if (!bot) return;
+
+  switch (event.name) {
+    case EVENT_PUSH_SECRETS:
+      IntegrationService.syncIntegrations({
+        workspaceId,
+        environment,
+      });
+      break;
+  }
+};
+
+export { handleEventHelper };

backend/src/helpers/integration.ts

@@ -1,16 +1,21 @@
 import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
 import {
     Bot,
     Integration,
-    IntegrationAuth,
+    IntegrationAuth
 } from '../models';
 import { exchangeCode, exchangeRefresh, syncSecrets } from '../integrations';
 import { BotService } from '../services';
 import {
     INTEGRATION_VERCEL,
-    INTEGRATION_NETLIFY
+    INTEGRATION_NETLIFY,
+    ALGORITHM_AES_256_GCM,
+    ENCODING_SCHEME_UTF8
 } from '../variables';
-import { UnauthorizedRequestError } from '../utils/errors';
+import { 
+    UnauthorizedRequestError,
+} from '../utils/errors';
 import RequestError from '../utils/requestError';
 
 interface Update {
@@ -114,14 +119,19 @@ const handleOAuthExchangeHelper = async ({
  * @param {Object} obj.workspaceId - id of workspace
  */
 const syncIntegrationsHelper = async ({
-    workspaceId
+    workspaceId,
+    environment
 }: {
-    workspaceId: string;
+    workspaceId: Types.ObjectId;
+    environment?: string;
 }) => {
     let integrations;
     try {
         integrations = await Integration.find({
             workspace: workspaceId,
+            ...(environment ? {
+                environment
+            } : {}),
             isActive: true,
             app: { $ne: null }
         });
@@ -131,7 +141,7 @@ const syncIntegrationsHelper = async ({
         for await (const integration of integrations) {
             // get workspace, environment (shared) secrets
             const secrets = await BotService.getSecrets({ // issue here?
-                workspaceId: integration.workspace.toString(),
+                workspaceId: integration.workspace,
                 environment: integration.environment
             });
 
@@ -140,7 +150,7 @@ const syncIntegrationsHelper = async ({
             
             // get integration auth access token
             const access = await getIntegrationAuthAccessHelper({
-                integrationAuthId: integration.integrationAuth.toString()
+                integrationAuthId: integration.integrationAuth
             });
 
             // sync secrets to integration
@@ -148,7 +158,7 @@ const syncIntegrationsHelper = async ({
                 integration,
                 integrationAuth,
                 secrets,
-                accessId: access.accessId,
+                accessId: access.accessId === undefined ? null : access.accessId,
                 accessToken: access.accessToken
             });
         }
@@ -167,7 +177,7 @@ const syncIntegrationsHelper = async ({
  * @param {String} obj.integrationAuthId - id of integration auth
  * @param {String} refreshToken - decrypted refresh token
  */
- const getIntegrationAuthRefreshHelper = async ({ integrationAuthId }: { integrationAuthId: string }) => {
+ const getIntegrationAuthRefreshHelper = async ({ integrationAuthId }: { integrationAuthId: Types.ObjectId }) => {
     let refreshToken;
 	
     try {
@@ -178,7 +188,7 @@ const syncIntegrationsHelper = async ({
         if (!integrationAuth) throw UnauthorizedRequestError({message: 'Failed to locate Integration Authentication credentials'});
 
         refreshToken = await BotService.decryptSymmetric({
-            workspaceId: integrationAuth.workspace.toString(),
+            workspaceId: integrationAuth.workspace,
             ciphertext: integrationAuth.refreshCiphertext as string,
             iv: integrationAuth.refreshIV as string,
             tag: integrationAuth.refreshTag as string
@@ -204,7 +214,7 @@ const syncIntegrationsHelper = async ({
  * @param {String} obj.integrationAuthId - id of integration auth
  * @returns {String} accessToken - decrypted access token
  */
-const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrationAuthId: string }) => {
+const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrationAuthId: Types.ObjectId }) => {
     let accessId;
     let accessToken;
     try {
@@ -215,7 +225,7 @@ const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrati
         if (!integrationAuth) throw UnauthorizedRequestError({message: 'Failed to locate Integration Authentication credentials'});
 
         accessToken = await BotService.decryptSymmetric({
-            workspaceId: integrationAuth.workspace.toString(),
+            workspaceId: integrationAuth.workspace,
             ciphertext: integrationAuth.accessCiphertext as string,
             iv: integrationAuth.accessIV as string,
             tag: integrationAuth.accessTag as string
@@ -229,7 +239,7 @@ const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrati
                 // access token is expired
                 const refreshToken = await getIntegrationAuthRefreshHelper({ integrationAuthId });
                 accessToken = await exchangeRefresh({
-                    integration: integrationAuth.integration,
+                    integrationAuth,
                     refreshToken
                 });
             }
@@ -237,7 +247,7 @@ const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrati
         
         if (integrationAuth?.accessIdCiphertext && integrationAuth?.accessIdIV && integrationAuth?.accessIdTag) {
             accessId = await BotService.decryptSymmetric({
-                workspaceId: integrationAuth.workspace.toString(),
+                workspaceId: integrationAuth.workspace,
                 ciphertext: integrationAuth.accessIdCiphertext as string,
                 iv: integrationAuth.accessIdIV as string,
                 tag: integrationAuth.accessIdTag as string
@@ -283,7 +293,7 @@ const setIntegrationAuthRefreshHelper = async ({
         if (!integrationAuth) throw new Error('Failed to find integration auth');
         
         const obj = await BotService.encryptSymmetric({
-            workspaceId: integrationAuth.workspace.toString(),
+            workspaceId: integrationAuth.workspace,
             plaintext: refreshToken
         });
         
@@ -292,7 +302,9 @@ const setIntegrationAuthRefreshHelper = async ({
         }, {
             refreshCiphertext: obj.ciphertext,
             refreshIV: obj.iv,
-            refreshTag: obj.tag
+            refreshTag: obj.tag,
+            algorithm: ALGORITHM_AES_256_GCM,
+            keyEncoding: ENCODING_SCHEME_UTF8
         }, {
             new: true
         });
@@ -332,14 +344,14 @@ const setIntegrationAuthAccessHelper = async ({
         if (!integrationAuth) throw new Error('Failed to find integration auth');
         
         const encryptedAccessTokenObj = await BotService.encryptSymmetric({
-            workspaceId: integrationAuth.workspace.toString(),
+            workspaceId: integrationAuth.workspace,
             plaintext: accessToken
         });
         
         let encryptedAccessIdObj;
         if (accessId) {
             encryptedAccessIdObj = await BotService.encryptSymmetric({
-                workspaceId: integrationAuth.workspace.toString(),
+                workspaceId: integrationAuth.workspace,
                 plaintext: accessId
             }); 
         }
@@ -353,7 +365,9 @@ const setIntegrationAuthAccessHelper = async ({
             accessCiphertext: encryptedAccessTokenObj.ciphertext,
             accessIV: encryptedAccessTokenObj.iv,
             accessTag: encryptedAccessTokenObj.tag,
-            accessExpiresAt
+            accessExpiresAt,
+            algorithm: ALGORITHM_AES_256_GCM,
+            keyEncoding: ENCODING_SCHEME_UTF8
         }, {
             new: true
         });
@@ -373,4 +387,4 @@ export {
     getIntegrationAuthAccessHelper,
     setIntegrationAuthRefreshHelper,
     setIntegrationAuthAccessHelper
-}
+}

backend/src/helpers/key.ts

@@ -1,4 +1,3 @@
-import * as Sentry from '@sentry/node';
 import { Key, IKey } from '../models';
 
 interface Key {
@@ -27,36 +26,30 @@ const pushKeys = async ({
 	workspaceId: string;
 	keys: Key[];
 }): Promise<void> => {
-	try {
-		// filter out already-inserted keys
-		const keysSet = new Set(
-			(
-				await Key.find(
-					{
-						workspace: workspaceId
-					},
-					'receiver'
-				)
-			).map((k: IKey) => k.receiver.toString())
-		);
+  // filter out already-inserted keys
+  const keysSet = new Set(
+    (
+      await Key.find(
+        {
+          workspace: workspaceId
+        },
+        'receiver'
+      )
+    ).map((k: IKey) => k.receiver.toString())
+  );
 
-		keys = keys.filter((key) => !keysSet.has(key.userId));
+  keys = keys.filter((key) => !keysSet.has(key.userId));
 
-		// add new shared keys only
-		await Key.insertMany(
-			keys.map((k) => ({
-				encryptedKey: k.encryptedKey,
-				nonce: k.nonce,
-				sender: userId,
-				receiver: k.userId,
-				workspace: workspaceId
-			}))
-		);
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to push access keys');
-	}
+  // add new shared keys only
+  await Key.insertMany(
+    keys.map((k) => ({
+      encryptedKey: k.encryptedKey,
+      nonce: k.nonce,
+      sender: userId,
+      receiver: k.userId,
+      workspace: workspaceId
+    }))
+  );
 };
 
 export { pushKeys };

backend/src/helpers/membership.ts

@@ -1,5 +1,7 @@
 import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
 import { Membership, Key } from '../models';
+import { MembershipNotFoundError, BadRequestError } from '../utils/errors';
 
 /**
  * Validate that user with id [userId] is a member of workspace with id [workspaceId]
@@ -10,36 +12,35 @@ import { Membership, Key } from '../models';
  * @returns {Membership} membership - membership of user with id [userId] for workspace with id [workspaceId]
  */
 const validateMembership = async ({
-	userId,
-	workspaceId,
-	acceptedRoles,
+  userId,
+  workspaceId,
+  acceptedRoles,
 }: {
-	userId: string;
-	workspaceId: string;
-	acceptedRoles: string[];
+  userId: Types.ObjectId | string;
+  workspaceId: Types.ObjectId | string;
+  acceptedRoles?: Array<'admin' | 'member'>;
 }) => {
-	
-	let membership;
-	//TODO: Refactor code to take advantage of using RequestError. It's possible to create new types of errors for more detailed errors
-	try {
-		membership = await Membership.findOne({
-			user: userId,
-			workspace: workspaceId
-		}).populate("workspace");
-		
-		if (!membership) throw new Error('Failed to find membership');
-		
-		if (!acceptedRoles.includes(membership.role)) {
-			throw new Error('Failed to validate membership role');
-		}
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to validate membership');
-	}
-	
-	return membership;
-}
+  const membership = await Membership.findOne({
+    user: userId,
+    workspace: workspaceId,
+  }).populate('workspace');
+
+  if (!membership) {
+    throw MembershipNotFoundError({
+      message: 'Failed to find workspace membership',
+    });
+  }
+
+  if (acceptedRoles) {
+    if (!acceptedRoles.includes(membership.role)) {
+      throw BadRequestError({
+        message: 'Failed authorization for membership role',
+      });
+    }
+  }
+
+  return membership;
+};
 
 /**
  * Return membership matching criteria specified in query [queryObj]
@@ -47,16 +48,16 @@ const validateMembership = async ({
  * @return {Object} membership - membership
  */
 const findMembership = async (queryObj: any) => {
-	let membership;
-	try {
-		membership = await Membership.findOne(queryObj);
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to find membership');
-	}
+  let membership;
+  try {
+    membership = await Membership.findOne(queryObj);
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed to find membership');
+  }
 
-	return membership;
+  return membership;
 };
 
 /**
@@ -68,39 +69,39 @@ const findMembership = async (queryObj: any) => {
  * @param {String[]} obj.roles - roles of users.
  */
 const addMemberships = async ({
-	userIds,
-	workspaceId,
-	roles
+  userIds,
+  workspaceId,
+  roles,
 }: {
-	userIds: string[];
-	workspaceId: string;
-	roles: string[];
+  userIds: string[];
+  workspaceId: string;
+  roles: string[];
 }): Promise<void> => {
-	try {
-		const operations = userIds.map((userId, idx) => {
-			return {
-				updateOne: {
-					filter: {
-						user: userId,
-						workspace: workspaceId,
-						role: roles[idx]
-					},
-					update: {
-						user: userId,
-						workspace: workspaceId,
-						role: roles[idx]
-					},
-					upsert: true
-				}
-			};
-		});
+  try {
+    const operations = userIds.map((userId, idx) => {
+      return {
+        updateOne: {
+          filter: {
+            user: userId,
+            workspace: workspaceId,
+            role: roles[idx],
+          },
+          update: {
+            user: userId,
+            workspace: workspaceId,
+            role: roles[idx],
+          },
+          upsert: true,
+        },
+      };
+    });
 
-		await Membership.bulkWrite(operations as any);
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to add users to workspace');
-	}
+    await Membership.bulkWrite(operations as any);
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed to add users to workspace');
+  }
 };
 
 /**
@@ -109,32 +110,27 @@ const addMemberships = async ({
  * @param {String} obj.membershipId - id of membership to delete
  */
 const deleteMembership = async ({ membershipId }: { membershipId: string }) => {
-	let deletedMembership;
-	try {
-		deletedMembership = await Membership.findOneAndDelete({
-			_id: membershipId
-		});
+  let deletedMembership;
+  try {
+    deletedMembership = await Membership.findOneAndDelete({
+      _id: membershipId,
+    });
 
-		// delete keys associated with the membership
-		if (deletedMembership?.user) {
-			// case: membership had a registered user
-			await Key.deleteMany({
-				receiver: deletedMembership.user,
-				workspace: deletedMembership.workspace
-			});
-		}
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to delete membership');
-	}
+    // delete keys associated with the membership
+    if (deletedMembership?.user) {
+      // case: membership had a registered user
+      await Key.deleteMany({
+        receiver: deletedMembership.user,
+        workspace: deletedMembership.workspace,
+      });
+    }
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed to delete membership');
+  }
 
-	return deletedMembership;
+  return deletedMembership;
 };
 
-export { 
-	validateMembership,
-	addMemberships, 
-	findMembership, 
-	deleteMembership 
-};
+export { validateMembership, addMemberships, findMembership, deleteMembership };

backend/src/helpers/membershipOrg.ts

@@ -1,40 +1,56 @@
-import * as Sentry from '@sentry/node';
 import { Types } from 'mongoose';
-import { MembershipOrg, Workspace, Membership, Key } from '../models';
+import { 
+	MembershipOrg, 
+	Workspace, 
+	Membership, 
+	Key
+} from '../models';
+import {
+	MembershipOrgNotFoundError,
+	UnauthorizedRequestError
+} from '../utils/errors';
 
 /**
  * Validate that user with id [userId] is a member of organization with id [organizationId]
  * and has at least one of the roles in [acceptedRoles]
- *
+ * @param {Object} obj
+ * @param {Types.ObjectId} obj.userId
+ * @param {Types.ObjectId} obj.organizationId
+ * @param {String[]} obj.acceptedRoles
  */
-const validateMembership = async ({
+const validateMembershipOrg = async ({
 	userId,
 	organizationId,
-	acceptedRoles
+	acceptedRoles,
+	acceptedStatuses
 }: {
-	userId: string;
-	organizationId: string;
-	acceptedRoles: string[];
+	userId: Types.ObjectId;
+	organizationId: Types.ObjectId;
+	acceptedRoles?: Array<'owner' | 'admin' | 'member'>;
+	acceptedStatuses?: Array<'invited' | 'accepted'>;
 }) => {
-	let membership;
-	try {
-		membership = await MembershipOrg.findOne({
-			user: new Types.ObjectId(userId),
-			organization: new Types.ObjectId(organizationId)
-		});
-		
-		if (!membership) throw new Error('Failed to find organization membership');
-		
-		if (!acceptedRoles.includes(membership.role)) {
-			throw new Error('Failed to validate organization membership role');
-		}
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to validate organization membership');
+	const membershipOrg = await MembershipOrg.findOne({
+		user: userId,
+		organization: organizationId
+	});
+	
+	if (!membershipOrg) {
+		throw MembershipOrgNotFoundError({ message: 'Failed to find organization membership' });
 	}
 	
-	return membership;
+	if (acceptedRoles) {
+		if (!acceptedRoles.includes(membershipOrg.role)) {
+			throw UnauthorizedRequestError({ message: 'Failed to validate organization membership role' });
+		}
+	}
+	
+	if (acceptedStatuses) {
+		if (!acceptedStatuses.includes(membershipOrg.status)) {
+			throw UnauthorizedRequestError({ message: 'Failed to validate organization membership status' });
+		}
+	}
+	
+	return membershipOrg;
 }
 
 /**
@@ -44,15 +60,7 @@ const validateMembership = async ({
  * @return {Object} membershipOrg - membership
  */
 const findMembershipOrg = (queryObj: any) => {
-	let membershipOrg;
-	try {
-		membershipOrg = MembershipOrg.findOne(queryObj);
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to find organization membership');
-	}
-
+	const membershipOrg = MembershipOrg.findOne(queryObj);
 	return membershipOrg;
 };
 
@@ -75,33 +83,27 @@ const addMembershipsOrg = async ({
 	roles: string[];
 	statuses: string[];
 }) => {
-	try {
-		const operations = userIds.map((userId, idx) => {
-			return {
-				updateOne: {
-					filter: {
-						user: userId,
-						organization: organizationId,
-						role: roles[idx],
-						status: statuses[idx]
-					},
-					update: {
-						user: userId,
-						organization: organizationId,
-						role: roles[idx],
-						status: statuses[idx]
-					},
-					upsert: true
-				}
-			};
-		});
+  const operations = userIds.map((userId, idx) => {
+    return {
+      updateOne: {
+        filter: {
+          user: userId,
+          organization: organizationId,
+          role: roles[idx],
+          status: statuses[idx]
+        },
+        update: {
+          user: userId,
+          organization: organizationId,
+          role: roles[idx],
+          status: statuses[idx]
+        },
+        upsert: true
+      }
+    };
+  });
 
-		await MembershipOrg.bulkWrite(operations as any);
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to add users to organization');
-	}
+  await MembershipOrg.bulkWrite(operations as any);
 };
 
 /**
@@ -114,49 +116,42 @@ const deleteMembershipOrg = async ({
 }: {
 	membershipOrgId: string;
 }) => {
-	let deletedMembershipOrg;
-	try {
-		deletedMembershipOrg = await MembershipOrg.findOneAndDelete({
-			_id: membershipOrgId
-		});
+  const deletedMembershipOrg = await MembershipOrg.findOneAndDelete({
+    _id: membershipOrgId
+  });
 
-		if (!deletedMembershipOrg) throw new Error('Failed to delete organization membership');
+  if (!deletedMembershipOrg) throw new Error('Failed to delete organization membership');
 
-		// delete keys associated with organization membership
-		if (deletedMembershipOrg?.user) {
-			// case: organization membership had a registered user
+  // delete keys associated with organization membership
+  if (deletedMembershipOrg?.user) {
+    // case: organization membership had a registered user
 
-			const workspaces = (
-				await Workspace.find({
-					organization: deletedMembershipOrg.organization
-				})
-			).map((w) => w._id.toString());
+    const workspaces = (
+      await Workspace.find({
+        organization: deletedMembershipOrg.organization
+      })
+    ).map((w) => w._id.toString());
 
-			await Membership.deleteMany({
-				user: deletedMembershipOrg.user,
-				workspace: {
-					$in: workspaces
-				}
-			});
+    await Membership.deleteMany({
+      user: deletedMembershipOrg.user,
+      workspace: {
+        $in: workspaces
+      }
+    });
 
-			await Key.deleteMany({
-				receiver: deletedMembershipOrg.user,
-				workspace: {
-					$in: workspaces
-				}
-			});
-		}
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to delete organization membership');
-	}
+    await Key.deleteMany({
+      receiver: deletedMembershipOrg.user,
+      workspace: {
+        $in: workspaces
+      }
+    });
+  }
 
 	return deletedMembershipOrg;
 };
 
 export {
-	validateMembership,
+	validateMembershipOrg,
 	findMembershipOrg,
 	addMembershipsOrg, 
 	deleteMembershipOrg 

backend/src/helpers/nodemailer.ts

@@ -1,9 +1,9 @@
+import * as Sentry from '@sentry/node';
 import fs from 'fs';
 import path from 'path';
 import handlebars from 'handlebars';
 import nodemailer from 'nodemailer';
-import { SMTP_FROM_NAME, SMTP_FROM_ADDRESS } from '../config';
-import * as Sentry from '@sentry/node';
+import { getSmtpFromName, getSmtpFromAddress, getSmtpConfigured } from '../config';
 
 let smtpTransporter: nodemailer.Transporter;
 
@@ -25,23 +25,25 @@ const sendMail = async ({
   recipients: string[];
   substitutions: any;
 }) => {
-  try {
-    const html = fs.readFileSync(
-      path.resolve(__dirname, '../templates/' + template),
-      'utf8'
-    );
-    const temp = handlebars.compile(html);
-    const htmlToSend = temp(substitutions);
+  if (await getSmtpConfigured()) {
+    try {
+      const html = fs.readFileSync(
+        path.resolve(__dirname, '../templates/' + template),
+        'utf8'
+      );
+      const temp = handlebars.compile(html);
+      const htmlToSend = temp(substitutions);
 
-    await smtpTransporter.sendMail({
-      from: `"${SMTP_FROM_NAME}" <${SMTP_FROM_ADDRESS}>`,
-      to: recipients.join(', '),
-      subject: subjectLine,
-      html: htmlToSend
-    });
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
+      await smtpTransporter.sendMail({
+        from: `"${await getSmtpFromName()}" <${await getSmtpFromAddress()}>`,
+        to: recipients.join(', '),
+        subject: subjectLine,
+        html: htmlToSend
+      });
+    } catch (err) {
+      Sentry.setUser(null);
+      Sentry.captureException(err);
+    }
   }
 };
 

backend/src/helpers/organization.ts

@@ -1,23 +1,25 @@
-import * as Sentry from '@sentry/node';
-import Stripe from 'stripe';
+import Stripe from "stripe";
+import { Types } from "mongoose";
+import { Organization, MembershipOrg } from "../models";
 import {
-	STRIPE_SECRET_KEY,
-	STRIPE_PRODUCT_STARTER,
-	STRIPE_PRODUCT_TEAM,
-	STRIPE_PRODUCT_PRO
+  ACCEPTED
+} from "../variables";
+import {
+  getStripeSecretKey,
+  getStripeProductPro,
+  getStripeProductTeam,
+  getStripeProductStarter,
+} from "../config";
+import {
+  EELicenseService
+} from '../ee/services';
+import {
+  getLicenseServerUrl
 } from '../config';
-const stripe = new Stripe(STRIPE_SECRET_KEY, {
-	apiVersion: '2022-08-01'
-});
-import { Types } from 'mongoose';
-import { ACCEPTED } from '../variables';
-import { Organization, MembershipOrg } from '../models';
-
-const productToPriceMap = {
-	starter: STRIPE_PRODUCT_STARTER,
-	team: STRIPE_PRODUCT_TEAM,
-	pro: STRIPE_PRODUCT_PRO
-};
+import {
+  licenseServerKeyRequest,
+  licenseKeyRequest
+} from '../config/request';
 
 /**
  * Create an organization with name [name]
@@ -27,40 +29,37 @@ const productToPriceMap = {
  * @param {Object} organization - new organization
  */
 const createOrganization = async ({
-	name,
-	email
+  name,
+  email,
 }: {
-	name: string;
-	email: string;
+  name: string;
+  email: string;
 }) => {
-	let organization;
-	try {
-		// register stripe account
+  let organization;
+  // register stripe account
+  const stripe = new Stripe(await getStripeSecretKey(), {
+    apiVersion: "2022-08-01",
+  });
 
-		if (STRIPE_SECRET_KEY) {
-			const customer = await stripe.customers.create({
-				email,
-				description: name
-			});
+  if (await getStripeSecretKey()) {
+    const customer = await stripe.customers.create({
+      email,
+      description: name,
+    });
 
-			organization = await new Organization({
-				name,
-				customerId: customer.id
-			}).save();
-		} else {
-			organization = await new Organization({
-				name
-			}).save();
-		}
+    organization = await new Organization({
+      name,
+      customerId: customer.id,
+    }).save();
+  } else {
+    organization = await new Organization({
+      name,
+    }).save();
+  }
 
-		await initSubscriptionOrg({ organizationId: organization._id });
-	} catch (err) {
-		Sentry.setUser({ email });
-		Sentry.captureException(err);
-		throw new Error(`Failed to create organization [err=${err}]`);
-	}
+  await initSubscriptionOrg({ organizationId: organization._id });
 
-	return organization;
+  return organization;
 };
 
 /**
@@ -72,47 +71,52 @@ const createOrganization = async ({
  * @return {Subscription} obj.subscription - new subscription
  */
 const initSubscriptionOrg = async ({
-	organizationId
+  organizationId,
 }: {
-	organizationId: Types.ObjectId;
+  organizationId: Types.ObjectId;
 }) => {
-	let stripeSubscription;
-	let subscription;
-	try {
-		// find organization
-		const organization = await Organization.findOne({
-			_id: organizationId
-		});
+  let stripeSubscription;
+  let subscription;
 
-		if (organization) {
-			if (organization.customerId) {
-				// initialize starter subscription with quantity of 0
-				stripeSubscription = await stripe.subscriptions.create({
-					customer: organization.customerId,
-					items: [
-						{
-							price: productToPriceMap['starter'],
-							quantity: 1
-						}
-					],
-					payment_behavior: 'default_incomplete',
-					proration_behavior: 'none',
-					expand: ['latest_invoice.payment_intent']
-				});
-			}
-		} else {
-			throw new Error('Failed to initialize free organization subscription');
-		}
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to initialize free organization subscription');
-	}
+  // find organization
+  const organization = await Organization.findOne({
+    _id: organizationId,
+  });
 
-	return {
-		stripeSubscription,
-		subscription
-	};
+  if (organization) {
+    if (organization.customerId) {
+      // initialize starter subscription with quantity of 0
+      const stripe = new Stripe(await getStripeSecretKey(), {
+        apiVersion: "2022-08-01",
+      });
+
+      const productToPriceMap = {
+        starter: await getStripeProductStarter(),
+        team: await getStripeProductTeam(),
+        pro: await getStripeProductPro(),
+      };
+
+      stripeSubscription = await stripe.subscriptions.create({
+        customer: organization.customerId,
+        items: [
+          {
+            price: productToPriceMap["starter"],
+            quantity: 1,
+          },
+        ],
+        payment_behavior: "default_incomplete",
+        proration_behavior: "none",
+        expand: ["latest_invoice.payment_intent"],
+      });
+    }
+  } else {
+    throw new Error("Failed to initialize free organization subscription");
+  }
+
+  return {
+    stripeSubscription,
+    subscription,
+  };
 };
 
 /**
@@ -122,49 +126,55 @@ const initSubscriptionOrg = async ({
  * @param {Number} obj.organizationId - id of subscription's organization
  */
 const updateSubscriptionOrgQuantity = async ({
-	organizationId
+  organizationId,
 }: {
-	organizationId: string;
+  organizationId: string;
 }) => {
-	let stripeSubscription;
-	try {
-		// find organization
-		const organization = await Organization.findOne({
-			_id: organizationId
-		});
+  let stripeSubscription;
+  // find organization
+  const organization = await Organization.findOne({
+    _id: organizationId,
+  });
 
-		if (organization && organization.customerId) {
-			const quantity = await MembershipOrg.countDocuments({
-				organization: organizationId,
-				status: ACCEPTED
-			});
+  if (organization && organization.customerId) {
+    if (EELicenseService.instanceType === 'cloud') {
+      // instance of Infisical is a cloud instance
+      const quantity = await MembershipOrg.countDocuments({
+        organization: new Types.ObjectId(organizationId),
+        status: ACCEPTED,
+      });
+      
+      await licenseServerKeyRequest.patch(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${organization.customerId}/cloud-plan`,
+        {
+          quantity
+        }
+      );
 
-			const subscription = (
-				await stripe.subscriptions.list({
-					customer: organization.customerId
-				})
-			).data[0];
+      EELicenseService.localFeatureSet.del(organizationId);
+    }
+    
+    if (EELicenseService.instanceType === 'enterprise-self-hosted') {
+      // instance of Infisical is an enterprise self-hosted instance
+      
+      const usedSeats = await MembershipOrg.countDocuments({
+        status: ACCEPTED
+      });
 
-			stripeSubscription = await stripe.subscriptions.update(subscription.id, {
-				items: [
-					{
-						id: subscription.items.data[0].id,
-						price: subscription.items.data[0].price.id,
-						quantity
-					}
-				]
-			});
-		}
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-	}
+      await licenseKeyRequest.patch(
+        `${await getLicenseServerUrl()}/api/license/v1/license`,
+        {
+          usedSeats
+        }
+      );
+    }
+  }
 
-	return stripeSubscription;
+  return stripeSubscription;
 };
 
 export {
-	createOrganization,
-	initSubscriptionOrg,
-	updateSubscriptionOrgQuantity
+  createOrganization,
+  initSubscriptionOrg,
+  updateSubscriptionOrgQuantity
 };

backend/src/helpers/rateLimiter.ts

@@ -1,9 +1,16 @@
 import rateLimit from 'express-rate-limit';
+const MongoStore = require('rate-limit-mongo');
 
-// 120 requests per minute
+// 200 per minute
 const apiLimiter = rateLimit({
-  windowMs: 60 * 1000,
-  max: 240,
+  store: new MongoStore({
+    uri: process.env.MONGO_URL,
+    expireTimeMs: 1000 * 60,
+    collectionName: "expressRateRecords-apiLimiter",
+    errorHandler: console.error.bind(null, 'rate-limit-mongo')
+  }),
+  windowMs: 1000 * 60,
+  max: 200,
   standardHeaders: true,
   legacyHeaders: false,
   skip: (request) => {
@@ -14,10 +21,16 @@ const apiLimiter = rateLimit({
   }
 });
 
-// 10 requests per minute
-const authLimiter = rateLimit({
-  windowMs: 60 * 1000,
-  max: 10,
+// 50 requests per 1 hours
+const authLimit = rateLimit({
+  store: new MongoStore({
+    uri: process.env.MONGO_URL,
+    expireTimeMs: 1000 * 60 * 60,
+    errorHandler: console.error.bind(null, 'rate-limit-mongo'),
+    collectionName: "expressRateRecords-authLimit",
+  }),
+  windowMs: 1000 * 60 * 60,
+  max: 50,
   standardHeaders: true,
   legacyHeaders: false,
   keyGenerator: (req, res) => {
@@ -25,10 +38,16 @@ const authLimiter = rateLimit({
   }
 });
 
-// 10 requests per hour
+// 50 requests per 1 hour
 const passwordLimiter = rateLimit({
-  windowMs: 60 * 60 * 1000,
-  max: 10,
+  store: new MongoStore({
+    uri: process.env.MONGO_URL,
+    expireTimeMs: 1000 * 60 * 60,
+    errorHandler: console.error.bind(null, 'rate-limit-mongo'),
+    collectionName: "expressRateRecords-passwordLimiter",
+  }),
+  windowMs: 1000 * 60 * 60,
+  max: 50,
   standardHeaders: true,
   legacyHeaders: false,
   keyGenerator: (req, res) => {
@@ -36,8 +55,16 @@ const passwordLimiter = rateLimit({
   }
 });
 
-export { 
-  apiLimiter, 
-  authLimiter,
-  passwordLimiter 
+const authLimiter = (req: any, res: any, next: any) => {
+  if (process.env.NODE_ENV === 'production') {
+    authLimit(req, res, next);
+  } else {
+    next();
+  }
+};
+
+export {
+  apiLimiter,
+  authLimiter,
+  passwordLimiter
 };