update go releaser distribution

Only trigger CLI builds for tags with prefix infisical-cli/v*.*.*

.env.example

@@ -16,9 +16,6 @@ JWT_AUTH_LIFETIME=
 JWT_REFRESH_LIFETIME=
 JWT_SIGNUP_LIFETIME=
 
-# Optional lifetimes for OTP expressed in seconds
-EMAIL_TOKEN_LIFETIME=
-
 # MongoDB
 # Backend will connect to the MongoDB instance at connection string MONGO_URL which can either be a ref
 # to the MongoDB container instance or Mongo Cloud
@@ -34,12 +31,12 @@ MONGO_PASSWORD=example
 SITE_URL=http://localhost:8080
 
 # Mail/SMTP
-SMTP_HOST= # required
-SMTP_USERNAME= # required
-SMTP_PASSWORD= # required
+SMTP_HOST= 
+SMTP_USERNAME= 
+SMTP_PASSWORD= 
 SMTP_PORT=587
 SMTP_SECURE=false
-SMTP_FROM_ADDRESS= # required
+SMTP_FROM_ADDRESS= 
 SMTP_FROM_NAME=Infisical
 
 # Integration
@@ -48,10 +45,12 @@ CLIENT_ID_HEROKU=
 CLIENT_ID_VERCEL=
 CLIENT_ID_NETLIFY=
 CLIENT_ID_GITHUB=
+CLIENT_ID_GITLAB=
 CLIENT_SECRET_HEROKU=
 CLIENT_SECRET_VERCEL=
 CLIENT_SECRET_NETLIFY=
 CLIENT_SECRET_GITHUB=
+CLIENT_SECRET_GITLAB=
 CLIENT_SLUG_VERCEL=
 
 # Sentry (optional) for monitoring errors
@@ -67,4 +66,4 @@ STRIPE_WEBHOOK_SECRET=
 STRIPE_PRODUCT_STARTER=
 STRIPE_PRODUCT_TEAM=
 STRIPE_PRODUCT_PRO=
-NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=
+NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=

.github/pull_request_template.md

@@ -1,6 +1,6 @@
 # Description 📣
 
-*Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.*
+<!-- Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change. -->
 
 ## Type ✨
 
@@ -11,7 +11,7 @@
 
 # Tests 🛠️
 
-*Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration. You may want to add screenshots when relevant and possible*
+<!-- Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration. You may want to add screenshots when relevant and possible -->
 
 ```sh
 # Here's some code block to paste some code snippets

.github/workflows/docker-image.yml

@@ -9,6 +9,12 @@ jobs:
     steps:
       - name: ☁️ Checkout source
         uses: actions/checkout@v3
+      - name: 📦 Install dependencies to test all dependencies
+        run: npm ci --only-production
+        working-directory: backend
+      - name: 🧪 Run tests
+        run: npm run test:ci
+        working-directory: backend
       - name: Save commit hashes for tag
         id: commit
         uses: pr-mpt/actions-commit-hash@v2
@@ -45,8 +51,8 @@ jobs:
           token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
           push: true
           context: backend
-          tags: infisical/backend:${{ steps.commit.outputs.short }}, 
-                infisical/backend:latest
+          tags: infisical/backend:${{ steps.commit.outputs.short }},
+            infisical/backend:latest
           platforms: linux/amd64,linux/arm64
 
   frontend-image:
@@ -94,8 +100,8 @@ jobs:
           push: true
           token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
           context: frontend
-          tags: infisical/frontend:${{ steps.commit.outputs.short }}, 
-                infisical/frontend:latest
+          tags: infisical/frontend:${{ steps.commit.outputs.short }},
+            infisical/frontend:latest
           platforms: linux/amd64,linux/arm64
           build-args: |
             POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
@@ -122,7 +128,7 @@ jobs:
           token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
       - name: Save DigitalOcean kubeconfig with short-lived credentials
         run: doctl kubernetes cluster kubeconfig save --expiry-seconds 600 k8s-1-25-4-do-0-nyc1-1670645170179
-      - name: switch to gamma namespace 
+      - name: switch to gamma namespace
         run: kubectl config set-context --current --namespace=gamma
       - name: test kubectl
         run: kubectl get ingress
@@ -135,4 +141,4 @@ jobs:
             exit 1
           else
             echo "Helm upgrade was successful"
-          fi
+          fi

.github/workflows/release_build.yml

@@ -4,7 +4,7 @@ on:
   push:
     # run only against tags
     tags:
-      - "v*"
+      - "infisical-cli/v*.*.*"
 
 permissions:
   contents: write
@@ -41,13 +41,14 @@ jobs:
           git clone https://github.com/plentico/osxcross-target.git ../../osxcross/target
       - uses: goreleaser/goreleaser-action@v4
         with:
-          distribution: goreleaser
+          distribution: goreleaser-pro
           version: latest
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
           FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}
           AUR_KEY: ${{ secrets.AUR_KEY }}
+          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
       - uses: actions/setup-python@v4
       - run: pip install --upgrade cloudsmith-cli
       - name: Publish to CloudSmith

.goreleaser.yaml

@@ -11,6 +11,10 @@ before:
     - ./cli/scripts/completions.sh
     - ./cli/scripts/manpages.sh
 
+monorepo:
+  tag_prefix: infisical-cli/
+  dir: cli
+
 builds:
   - id: darwin-build
     binary: infisical
@@ -74,14 +78,7 @@ checksum:
   name_template: "checksums.txt"
 
 snapshot:
-  name_template: "{{ incpatch .Version }}-devel"
-
-changelog:
-  sort: asc
-  filters:
-    exclude:
-      - "^docs:"
-      - "^test:"
+  name_template: "{{ .Version }}-devel"
 
 # publishers:
 #   - name: fury.io

SECURITY.md

@@ -1,9 +1,13 @@
 # Security Policy
 
-## Supported Versions
+## Supported versions
 
 We always recommend using the latest version of Infisical to ensure you get all security updates.
 
-## Reporting a Vulnerability
+## Reporting vulnerabilities
 
-Please report security vulnerabilities or concerns to team@infisical.com.
+Please do not file GitHub issues or post on our public forum for security vulnerabilities, as they are public!
+
+Infisical takes security issues very seriously. If you have any concerns about Infisical or believe you have uncovered a vulnerability, please get in touch via the e-mail address security@infisical.com. In the message, try to provide a description of the issue and ideally a way of reproducing it. The security team will get back to you as soon as possible.
+
+Note that this security address should be used only for undisclosed vulnerabilities. Please report any security problems to us before disclosing it publicly.

backend/Dockerfile

@@ -1,18 +1,27 @@
-FROM node:16-bullseye-slim
+# Build stage
+FROM node:16-alpine AS build
 
 WORKDIR /app
 
-COPY package.json package-lock.json ./
-
-# RUN npm ci --only-production --ignore-scripts
-# "prepare": "cd .. && npm install"
-
+COPY package*.json ./
 RUN npm ci --only-production
 
 COPY . .
+RUN npm run build
+
+# Production stage
+FROM node:16-alpine
+
+WORKDIR /app
+
+COPY package*.json ./
+RUN npm ci --only-production
+
+COPY --from=build /app .
 
 HEALTHCHECK --interval=10s --timeout=3s --start-period=10s \  
   CMD node healthcheck.js
 
+EXPOSE 4000
 
-CMD ["npm", "run", "start"]
+CMD ["npm", "run", "start"]

backend/__tests__/healthcheck.test.ts

@@ -1,19 +0,0 @@
-import { server } from '../src/app';
-import { describe, expect, it, beforeAll, afterAll } from '@jest/globals';
-import supertest from 'supertest';
-import { setUpHealthEndpoint } from '../src/services/health';
-
-const requestWithSupertest = supertest(server);
-describe('Healthcheck endpoint', () => {
-  beforeAll(async () => {
-    setUpHealthEndpoint(server);
-  });
-  afterAll(async () => {
-    server.close();
-  });
-
-  it('GET /healthcheck should return OK', async () => {
-    const res = await requestWithSupertest.get('/healthcheck');
-    expect(res.status).toEqual(200);
-  });
-});

backend/environment.d.ts

@@ -4,7 +4,6 @@ declare global {
   namespace NodeJS {
     interface ProcessEnv {
       PORT: string;
-      EMAIL_TOKEN_LIFETIME: string;
       ENCRYPTION_KEY: string;
       SALT_ROUNDS: string;
       JWT_AUTH_LIFETIME: string;
@@ -22,10 +21,12 @@ declare global {
       CLIENT_ID_VERCEL: string;
       CLIENT_ID_NETLIFY: string;
       CLIENT_ID_GITHUB: string;
+      CLIENT_ID_GITLAB: string;
       CLIENT_SECRET_HEROKU: string;
       CLIENT_SECRET_VERCEL: string;
       CLIENT_SECRET_NETLIFY: string;
       CLIENT_SECRET_GITHUB: string;
+      CLIENT_SECRET_GITLAB: string;
       CLIENT_SLUG_VERCEL: string;
 			POSTHOG_HOST: string;
 			POSTHOG_PROJECT_API_KEY: string;

backend/jest.config.ts

@@ -0,0 +1,9 @@
+export default {
+  preset: 'ts-jest',
+  testEnvironment: 'node',
+  collectCoverageFrom: ['src/*.{js,ts}', '!**/node_modules/**'],
+  modulePaths: ['<rootDir>/src'],
+  testMatch: ['<rootDir>/tests/**/*.test.ts'],
+  setupFiles: ['<rootDir>/test-resources/env-vars.js'],
+  setupFilesAfterEnv: ['<rootDir>/tests/setupTests.ts']
+};

backend/package.json

@@ -1,15 +1,17 @@
 {
   "dependencies": {
-    "@aws-sdk/client-secrets-manager": "^3.267.0",
+    "@aws-sdk/client-secrets-manager": "^3.309.0",
     "@godaddy/terminus": "^4.11.2",
     "@octokit/rest": "^19.0.5",
-    "@sentry/node": "^7.14.0",
-    "@sentry/tracing": "^7.19.0",
+    "@sentry/node": "^7.41.0",
+    "@sentry/tracing": "^7.47.0",
     "@types/crypto-js": "^4.1.1",
     "@types/libsodium-wrappers": "^0.7.10",
+    "argon2": "^0.30.3",
     "await-to-js": "^3.0.0",
-    "aws-sdk": "^2.1311.0",
-    "axios": "^1.1.3",
+    "aws-sdk": "^2.1338.0",
+    "axios": "^1.3.5",
+    "axios-retry": "^3.4.0",
     "bcrypt": "^5.1.0",
     "bigint-conversion": "^2.2.2",
     "builder-pattern": "^2.2.0",
@@ -22,20 +24,21 @@
     "express-validator": "^6.14.2",
     "handlebars": "^4.7.7",
     "helmet": "^5.1.1",
+    "infisical-node": "^1.1.3",
     "js-yaml": "^4.1.0",
     "jsonwebtoken": "^9.0.0",
     "jsrp": "^0.2.4",
     "libsodium-wrappers": "^0.7.10",
     "lodash": "^4.17.21",
-    "mongoose": "^6.7.2",
+    "mongoose": "^6.10.4",
     "nodemailer": "^6.8.0",
-    "posthog-node": "^2.2.2",
+    "posthog-node": "^2.6.0",
     "query-string": "^7.1.3",
     "request-ip": "^3.3.0",
     "rimraf": "^3.0.2",
     "stripe": "^10.7.0",
     "swagger-autogen": "^2.22.0",
-    "swagger-ui-express": "^4.6.0",
+    "swagger-ui-express": "^4.6.2",
     "tweetnacl": "^1.0.3",
     "tweetnacl-util": "^0.15.1",
     "typescript": "^4.9.3",
@@ -47,7 +50,7 @@
   "version": "1.0.0",
   "main": "src/index.js",
   "scripts": {
-    "start": "npm run build && node build/index.js",
+    "start": "node build/index.js",
     "dev": "nodemon",
     "swagger-autogen": "node ./swagger/index.ts",
     "build": "rimraf ./build && tsc && cp -R ./src/templates ./build",
@@ -55,7 +58,7 @@
     "lint-and-fix": "eslint . --ext .ts --fix",
     "lint-staged": "lint-staged",
     "pretest": "docker compose -f test-resources/docker-compose.test.yml up -d",
-    "test": "cross-env NODE_ENV=test jest --testTimeout=10000 --detectOpenHandles",
+    "test": "cross-env NODE_ENV=test jest --verbose --testTimeout=10000 --detectOpenHandles; npm run posttest",
     "test:ci": "npm test -- --watchAll=false --ci --reporters=default --reporters=jest-junit --reporters=github-actions --coverage --testLocationInResults --json --outputFile=coverage/report.json",
     "posttest": "docker compose -f test-resources/docker-compose.test.yml down"
   },
@@ -78,7 +81,7 @@
     "@types/cookie-parser": "^1.4.3",
     "@types/cors": "^2.8.12",
     "@types/express": "^4.17.14",
-    "@types/jest": "^29.2.4",
+    "@types/jest": "^29.5.0",
     "@types/jsonwebtoken": "^8.5.9",
     "@types/lodash": "^4.14.191",
     "@types/node": "^18.11.3",
@@ -86,7 +89,7 @@
     "@types/supertest": "^2.0.12",
     "@types/swagger-jsdoc": "^6.0.1",
     "@types/swagger-ui-express": "^4.1.3",
-    "@typescript-eslint/eslint-plugin": "^5.40.1",
+    "@typescript-eslint/eslint-plugin": "^5.54.0",
     "@typescript-eslint/parser": "^5.40.1",
     "cross-env": "^7.0.3",
     "eslint": "^8.26.0",
@@ -99,17 +102,6 @@
     "ts-jest": "^29.0.3",
     "ts-node": "^10.9.1"
   },
-  "jest": {
-    "preset": "ts-jest",
-    "testEnvironment": "node",
-    "collectCoverageFrom": [
-      "src/*.{js,ts}",
-      "!**/node_modules/**"
-    ],
-    "setupFiles": [
-      "<rootDir>/test-resources/env-vars.js"
-    ]
-  },
   "jest-junit": {
     "outputDirectory": "reports",
     "outputName": "jest-junit.xml",

backend/src/app.ts

@@ -1,144 +0,0 @@
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const { patchRouterParam } = require('./utils/patchAsyncRoutes');
-
-import express from 'express';
-import helmet from 'helmet';
-import cors from 'cors';
-import cookieParser from 'cookie-parser';
-import dotenv from 'dotenv';
-import swaggerUi = require('swagger-ui-express');
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const swaggerFile = require('../spec.json');
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const requestIp = require('request-ip');
-
-dotenv.config();
-import { PORT, NODE_ENV, SITE_URL } from './config';
-import { apiLimiter } from './helpers/rateLimiter';
-
-import {
-  workspace as eeWorkspaceRouter,
-  secret as eeSecretRouter,
-  secretSnapshot as eeSecretSnapshotRouter,
-  action as eeActionRouter
-} from './ee/routes/v1';
-import {
-  signup as v1SignupRouter,
-  auth as v1AuthRouter,
-  bot as v1BotRouter,
-  organization as v1OrganizationRouter,
-  workspace as v1WorkspaceRouter,
-  membershipOrg as v1MembershipOrgRouter,
-  membership as v1MembershipRouter,
-  key as v1KeyRouter,
-  inviteOrg as v1InviteOrgRouter,
-  user as v1UserRouter,
-  userAction as v1UserActionRouter,
-  secret as v1SecretRouter,
-  serviceToken as v1ServiceTokenRouter,
-  password as v1PasswordRouter,
-  stripe as v1StripeRouter,
-  integration as v1IntegrationRouter,
-  integrationAuth as v1IntegrationAuthRouter
-} from './routes/v1';
-import {
-  signup as v2SignupRouter,
-  auth as v2AuthRouter,
-  users as v2UsersRouter,
-  organizations as v2OrganizationsRouter,
-  workspace as v2WorkspaceRouter,
-  secret as v2SecretRouter, // begin to phase out
-  secrets as v2SecretsRouter,
-  serviceTokenData as v2ServiceTokenDataRouter,
-  apiKeyData as v2APIKeyDataRouter,
-  environment as v2EnvironmentRouter,
-  tags as v2TagsRouter,
-} from './routes/v2';
-
-import { healthCheck } from './routes/status';
-
-import { getLogger } from './utils/logger';
-import { RouteNotFoundError } from './utils/errors';
-import { requestErrorHandler } from './middleware/requestErrorHandler';
-
-// patch async route params to handle Promise Rejections
-patchRouterParam();
-
-export const app = express();
-
-app.enable('trust proxy');
-app.use(express.json());
-app.use(cookieParser());
-app.use(
-  cors({
-    credentials: true,
-    origin: SITE_URL
-  })
-);
-
-app.use(requestIp.mw())
-
-if (NODE_ENV === 'production') {
-  // enable app-wide rate-limiting + helmet security
-  // in production
-  app.disable('x-powered-by');
-  app.use(apiLimiter);
-  app.use(helmet());
-}
-
-// (EE) routes
-app.use('/api/v1/secret', eeSecretRouter);
-app.use('/api/v1/secret-snapshot', eeSecretSnapshotRouter);
-app.use('/api/v1/workspace', eeWorkspaceRouter);
-app.use('/api/v1/action', eeActionRouter);
-
-// v1 routes
-app.use('/api/v1/signup', v1SignupRouter);
-app.use('/api/v1/auth', v1AuthRouter);
-app.use('/api/v1/bot', v1BotRouter);
-app.use('/api/v1/user', v1UserRouter);
-app.use('/api/v1/user-action', v1UserActionRouter);
-app.use('/api/v1/organization', v1OrganizationRouter);
-app.use('/api/v1/workspace', v1WorkspaceRouter);
-app.use('/api/v1/membership-org', v1MembershipOrgRouter);
-app.use('/api/v1/membership', v1MembershipRouter);
-app.use('/api/v1/key', v1KeyRouter);
-app.use('/api/v1/invite-org', v1InviteOrgRouter);
-app.use('/api/v1/secret', v1SecretRouter);
-app.use('/api/v1/service-token', v1ServiceTokenRouter); // deprecated
-app.use('/api/v1/password', v1PasswordRouter);
-app.use('/api/v1/stripe', v1StripeRouter);
-app.use('/api/v1/integration', v1IntegrationRouter);
-app.use('/api/v1/integration-auth', v1IntegrationAuthRouter);
-
-// v2 routes
-app.use('/api/v2/signup', v2SignupRouter);
-app.use('/api/v2/auth', v2AuthRouter);
-app.use('/api/v2/users', v2UsersRouter);
-app.use('/api/v2/organizations', v2OrganizationsRouter);
-app.use('/api/v2/workspace', v2EnvironmentRouter);
-app.use('/api/v2/workspace', v2TagsRouter);
-app.use('/api/v2/workspace', v2WorkspaceRouter);
-app.use('/api/v2/secret', v2SecretRouter); // deprecated
-app.use('/api/v2/secrets', v2SecretsRouter);
-app.use('/api/v2/service-token', v2ServiceTokenDataRouter); // TODO: turn into plural route
-app.use('/api/v2/api-key', v2APIKeyDataRouter);
-
-// api docs 
-app.use('/api-docs', swaggerUi.serve, swaggerUi.setup(swaggerFile))
-
-// Server status
-app.use('/api', healthCheck)
-
-//* Handle unrouted requests and respond with proper error message as well as status code
-app.use((req, res, next) => {
-  if (res.headersSent) return next();
-  next(RouteNotFoundError({ message: `The requested source '(${req.method})${req.url}' was not found` }))
-})
-
-//* Error Handling Middleware (must be after all routing logic)
-app.use(requestErrorHandler)
-
-export const server = app.listen(PORT, () => {
-  getLogger("backend-main").info(`Server started listening at port ${PORT}`)
-});

backend/src/config/index.ts

@@ -1,103 +1,69 @@
-const PORT = process.env.PORT || 4000;
-const EMAIL_TOKEN_LIFETIME = parseInt(process.env.EMAIL_TOKEN_LIFETIME! || '86400');
-const INVITE_ONLY_SIGNUP = process.env.INVITE_ONLY_SIGNUP == undefined ? false : process.env.INVITE_ONLY_SIGNUP
-const ENCRYPTION_KEY = process.env.ENCRYPTION_KEY!;
-const SALT_ROUNDS = parseInt(process.env.SALT_ROUNDS!) || 10;
-const JWT_AUTH_LIFETIME = process.env.JWT_AUTH_LIFETIME! || '10d';
-const JWT_AUTH_SECRET = process.env.JWT_AUTH_SECRET!;
-const JWT_MFA_LIFETIME = process.env.JWT_MFA_LIFETIME! || '5m';
-const JWT_MFA_SECRET = process.env.JWT_MFA_SECRET!;
-const JWT_REFRESH_LIFETIME = process.env.JWT_REFRESH_LIFETIME! || '90d';
-const JWT_REFRESH_SECRET = process.env.JWT_REFRESH_SECRET!;
-const JWT_SERVICE_SECRET = process.env.JWT_SERVICE_SECRET!;
-const JWT_SIGNUP_LIFETIME = process.env.JWT_SIGNUP_LIFETIME! || '15m';
-const JWT_SIGNUP_SECRET = process.env.JWT_SIGNUP_SECRET!;
-const MONGO_URL = process.env.MONGO_URL!;
-const NODE_ENV = process.env.NODE_ENV! || 'production';
-const VERBOSE_ERROR_OUTPUT = process.env.VERBOSE_ERROR_OUTPUT! === 'true' && true;
-const LOKI_HOST = process.env.LOKI_HOST || undefined;
-const CLIENT_ID_AZURE = process.env.CLIENT_ID_AZURE!;
-const TENANT_ID_AZURE = process.env.TENANT_ID_AZURE!;
-const CLIENT_ID_HEROKU = process.env.CLIENT_ID_HEROKU!;
-const CLIENT_ID_VERCEL = process.env.CLIENT_ID_VERCEL!;
-const CLIENT_ID_NETLIFY = process.env.CLIENT_ID_NETLIFY!;
-const CLIENT_ID_GITHUB = process.env.CLIENT_ID_GITHUB!;
-const CLIENT_SECRET_AZURE = process.env.CLIENT_SECRET_AZURE!;
-const CLIENT_SECRET_HEROKU = process.env.CLIENT_SECRET_HEROKU!;
-const CLIENT_SECRET_VERCEL = process.env.CLIENT_SECRET_VERCEL!;
-const CLIENT_SECRET_NETLIFY = process.env.CLIENT_SECRET_NETLIFY!;
-const CLIENT_SECRET_GITHUB = process.env.CLIENT_SECRET_GITHUB!;
-const CLIENT_SLUG_VERCEL = process.env.CLIENT_SLUG_VERCEL!;
-const POSTHOG_HOST = process.env.POSTHOG_HOST! || 'https://app.posthog.com';
-const POSTHOG_PROJECT_API_KEY =
-  process.env.POSTHOG_PROJECT_API_KEY! ||
-  'phc_nSin8j5q2zdhpFDI1ETmFNUIuTG4DwKVyIigrY10XiE';
-const SENTRY_DSN = process.env.SENTRY_DSN!;
-const SITE_URL = process.env.SITE_URL!;
-const SMTP_HOST = process.env.SMTP_HOST!;
-const SMTP_SECURE = process.env.SMTP_SECURE! === 'true' || false;
-const SMTP_PORT = parseInt(process.env.SMTP_PORT!) || 587;
-const SMTP_USERNAME = process.env.SMTP_USERNAME!;
-const SMTP_PASSWORD = process.env.SMTP_PASSWORD!;
-const SMTP_FROM_ADDRESS = process.env.SMTP_FROM_ADDRESS!;
-const SMTP_FROM_NAME = process.env.SMTP_FROM_NAME! || 'Infisical';
-const STRIPE_PRODUCT_STARTER = process.env.STRIPE_PRODUCT_STARTER!;
-const STRIPE_PRODUCT_PRO = process.env.STRIPE_PRODUCT_PRO!;
-const STRIPE_PRODUCT_TEAM = process.env.STRIPE_PRODUCT_TEAM!;
-const STRIPE_PUBLISHABLE_KEY = process.env.STRIPE_PUBLISHABLE_KEY!;
-const STRIPE_SECRET_KEY = process.env.STRIPE_SECRET_KEY!;
-const STRIPE_WEBHOOK_SECRET = process.env.STRIPE_WEBHOOK_SECRET!;
-const TELEMETRY_ENABLED = process.env.TELEMETRY_ENABLED! !== 'false' && true;
-const LICENSE_KEY = process.env.LICENSE_KEY!;
+import InfisicalClient from 'infisical-node';
 
-export {
-  PORT,
-  EMAIL_TOKEN_LIFETIME,
-  INVITE_ONLY_SIGNUP,
-  ENCRYPTION_KEY,
-  SALT_ROUNDS,
-  JWT_AUTH_LIFETIME,
-  JWT_AUTH_SECRET,
-  JWT_MFA_LIFETIME,
-  JWT_MFA_SECRET,
-  JWT_REFRESH_LIFETIME,
-  JWT_REFRESH_SECRET,
-  JWT_SERVICE_SECRET,
-  JWT_SIGNUP_LIFETIME,
-  JWT_SIGNUP_SECRET,
-  MONGO_URL,
-  NODE_ENV,
-  VERBOSE_ERROR_OUTPUT,
-  LOKI_HOST,
-  CLIENT_ID_AZURE,
-  TENANT_ID_AZURE,
-  CLIENT_ID_HEROKU,
-  CLIENT_ID_VERCEL,
-  CLIENT_ID_NETLIFY,
-  CLIENT_ID_GITHUB,
-  CLIENT_SECRET_AZURE,
-  CLIENT_SECRET_HEROKU,
-  CLIENT_SECRET_VERCEL,
-  CLIENT_SECRET_NETLIFY,
-  CLIENT_SECRET_GITHUB,
-  CLIENT_SLUG_VERCEL,
-  POSTHOG_HOST,
-  POSTHOG_PROJECT_API_KEY,
-  SENTRY_DSN,
-  SITE_URL,
-  SMTP_HOST,
-  SMTP_PORT,
-  SMTP_SECURE,
-  SMTP_USERNAME,
-  SMTP_PASSWORD,
-  SMTP_FROM_ADDRESS,
-  SMTP_FROM_NAME,
-  STRIPE_PRODUCT_STARTER,
-  STRIPE_PRODUCT_TEAM,
-  STRIPE_PRODUCT_PRO,
-  STRIPE_PUBLISHABLE_KEY,
-  STRIPE_SECRET_KEY,
-  STRIPE_WEBHOOK_SECRET,
-  TELEMETRY_ENABLED,
-  LICENSE_KEY
-};
+const client = new InfisicalClient({
+  token: process.env.INFISICAL_TOKEN!
+});
+
+export const getPort = async () => (await client.getSecret('PORT')).secretValue || 4000;
+export const getInviteOnlySignup = async () => (await client.getSecret('INVITE_ONLY_SIGNUP')).secretValue == undefined ? false : (await client.getSecret('INVITE_ONLY_SIGNUP')).secretValue;
+export const getEncryptionKey = async () => (await client.getSecret('ENCRYPTION_KEY')).secretValue;
+export const getSaltRounds = async () => parseInt((await client.getSecret('SALT_ROUNDS')).secretValue) || 10;
+export const getJwtAuthLifetime = async () => (await client.getSecret('JWT_AUTH_LIFETIME')).secretValue || '10d';
+export const getJwtAuthSecret = async () => (await client.getSecret('JWT_AUTH_SECRET')).secretValue;
+export const getJwtMfaLifetime = async () => (await client.getSecret('JWT_MFA_LIFETIME')).secretValue || '5m';
+export const getJwtMfaSecret = async () => (await client.getSecret('JWT_MFA_LIFETIME')).secretValue || '5m';
+export const getJwtRefreshLifetime = async () => (await client.getSecret('JWT_REFRESH_LIFETIME')).secretValue || '90d';
+export const getJwtRefreshSecret = async () => (await client.getSecret('JWT_REFRESH_SECRET')).secretValue;
+export const getJwtServiceSecret = async () => (await client.getSecret('JWT_SERVICE_SECRET')).secretValue;
+export const getJwtSignupLifetime = async () => (await client.getSecret('JWT_SIGNUP_LIFETIME')).secretValue || '15m';
+export const getJwtSignupSecret = async () => (await client.getSecret('JWT_SIGNUP_SECRET')).secretValue;
+export const getMongoURL = async () => (await client.getSecret('MONGO_URL')).secretValue;
+export const getNodeEnv = async () => (await client.getSecret('NODE_ENV')).secretValue || 'production';
+export const getVerboseErrorOutput = async () => (await client.getSecret('VERBOSE_ERROR_OUTPUT')).secretValue === 'true' && true;
+export const getLokiHost = async () => (await client.getSecret('LOKI_HOST')).secretValue;
+export const getClientIdAzure = async () => (await client.getSecret('CLIENT_ID_AZURE')).secretValue;
+export const getClientIdHeroku = async () => (await client.getSecret('CLIENT_ID_HEROKU')).secretValue;
+export const getClientIdVercel = async () => (await client.getSecret('CLIENT_ID_VERCEL')).secretValue;
+export const getClientIdNetlify = async () => (await client.getSecret('CLIENT_ID_NETLIFY')).secretValue;
+export const getClientIdGitHub = async () => (await client.getSecret('CLIENT_ID_GITHUB')).secretValue;
+export const getClientIdGitLab = async () => (await client.getSecret('CLIENT_ID_GITLAB')).secretValue;
+export const getClientSecretAzure = async () => (await client.getSecret('CLIENT_SECRET_AZURE')).secretValue;
+export const getClientSecretHeroku = async () => (await client.getSecret('CLIENT_SECRET_HEROKU')).secretValue;
+export const getClientSecretVercel = async () => (await client.getSecret('CLIENT_SECRET_VERCEL')).secretValue;
+export const getClientSecretNetlify = async () => (await client.getSecret('CLIENT_SECRET_NETLIFY')).secretValue;
+export const getClientSecretGitHub = async () => (await client.getSecret('CLIENT_SECRET_GITHUB')).secretValue;
+export const getClientSecretGitLab = async () => (await client.getSecret('CLIENT_SECRET_GITLAB')).secretValue;
+export const getClientSlugVercel = async () => (await client.getSecret('CLIENT_SLUG_VERCEL')).secretValue;
+export const getPostHogHost = async () => (await client.getSecret('POSTHOG_HOST')).secretValue || 'https://app.posthog.com';
+export const getPostHogProjectApiKey = async () => (await client.getSecret('POSTHOG_PROJECT_API_KEY')).secretValue || 'phc_nSin8j5q2zdhpFDI1ETmFNUIuTG4DwKVyIigrY10XiE';
+export const getSentryDSN = async () => (await client.getSecret('SENTRY_DSN')).secretValue;
+export const getSiteURL = async () => (await client.getSecret('SITE_URL')).secretValue;
+export const getSmtpHost = async () => (await client.getSecret('SMTP_HOST')).secretValue;
+export const getSmtpSecure = async () => (await client.getSecret('SMTP_SECURE')).secretValue === 'true' || false;
+export const getSmtpPort = async () => parseInt((await client.getSecret('SMTP_PORT')).secretValue) || 587;
+export const getSmtpUsername = async () => (await client.getSecret('SMTP_USERNAME')).secretValue;
+export const getSmtpPassword = async () => (await client.getSecret('SMTP_PASSWORD')).secretValue;
+export const getSmtpFromAddress = async () => (await client.getSecret('SMTP_FROM_ADDRESS')).secretValue;
+export const getSmtpFromName = async () => (await client.getSecret('SMTP_FROM_NAME')).secretValue || 'Infisical';
+export const getStripeProductStarter = async () => (await client.getSecret('STRIPE_PRODUCT_STARTER')).secretValue;
+export const getStripeProductPro = async () => (await client.getSecret('STRIPE_PRODUCT_PRO')).secretValue;
+export const getStripeProductTeam = async () => (await client.getSecret('STRIPE_PRODUCT_TEAM')).secretValue;
+export const getStripePublishableKey = async () => (await client.getSecret('STRIPE_PUBLISHABLE_KEY')).secretValue;
+export const getStripeSecretKey = async () => (await client.getSecret('STRIPE_SECRET_KEY')).secretValue;
+export const getStripeWebhookSecret = async () => (await client.getSecret('STRIPE_WEBHOOK_SECRET')).secretValue;
+export const getTelemetryEnabled = async () => (await client.getSecret('TELEMETRY_ENABLED')).secretValue !== 'false' && true;
+export const getLoopsApiKey = async () => (await client.getSecret('LOOPS_API_KEY')).secretValue;
+export const getSmtpConfigured = async () => (await client.getSecret('SMTP_HOST')).secretValue == '' || (await client.getSecret('SMTP_HOST')).secretValue == undefined ? false : true
+export const getHttpsEnabled = async () => {
+  if ((await getNodeEnv()) != "production") {
+    // no https for anything other than prod
+    return false
+  }
+
+  if ((await client.getSecret('HTTPS_ENABLED')).secretValue == undefined || (await client.getSecret('HTTPS_ENABLED')).secretValue == "") {
+    // default when no value present
+    return true
+  }
+
+  return (await client.getSecret('HTTPS_ENABLED')).secretValue === 'true' && true
+}

backend/src/config/request.ts

@@ -0,0 +1,16 @@
+import axios from 'axios';
+import axiosRetry from 'axios-retry';
+
+const axiosInstance = axios.create();
+
+// add retry functionality to the axios instance
+axiosRetry(axiosInstance, {
+  retries: 3,
+  retryDelay: axiosRetry.exponentialDelay, // exponential back-off delay between retries
+  retryCondition: (error) => {
+    // only retry if the error is a network error or a 5xx server error
+    return axiosRetry.isNetworkError(error) || axiosRetry.isRetryableError(error);
+  },
+});
+
+export default axiosInstance;

backend/src/controllers/v1/authController.ts

@@ -1,8 +1,8 @@
-/* eslint-disable @typescript-eslint/no-var-requires */
+import * as Sentry from '@sentry/node';
 import { Request, Response } from 'express';
 import jwt from 'jsonwebtoken';
-import * as Sentry from '@sentry/node';
 import * as bigintConversion from 'bigint-conversion';
+// eslint-disable-next-line @typescript-eslint/no-var-requires
 const jsrp = require('jsrp');
 import { User, LoginSRPDetail } from '../../models';
 import { createToken, issueAuthTokens, clearTokens } from '../../helpers/auth';
@@ -11,15 +11,15 @@ import {
   ACTION_LOGIN,
   ACTION_LOGOUT
 } from '../../variables';
-import {
-  NODE_ENV,
-  JWT_AUTH_LIFETIME,
-  JWT_AUTH_SECRET,
-  JWT_REFRESH_SECRET
-} from '../../config';
 import { BadRequestError } from '../../utils/errors';
 import { EELogService } from '../../ee/services';
 import { getChannelFromUserAgent } from '../../utils/posthog'; // TODO: move this
+import {
+  getJwtRefreshSecret,
+  getJwtAuthLifetime,
+  getJwtAuthSecret,
+  getHttpsEnabled
+} from '../../config';
 
 declare module 'jsonwebtoken' {
   export interface UserIDJwtPayload extends jwt.JwtPayload {
@@ -126,21 +126,21 @@ export const login2 = async (req: Request, res: Response) => {
             httpOnly: true,
             path: '/',
             sameSite: 'strict',
-            secure: NODE_ENV === 'production' ? true : false
+            secure: await getHttpsEnabled()
           });
 
           const loginAction = await EELogService.createAction({
             name: ACTION_LOGIN,
             userId: user._id
           });
-          
+
           loginAction && await EELogService.createLog({
             userId: user._id,
             actions: [loginAction],
             channel: getChannelFromUserAgent(req.headers['user-agent']),
             ipAddress: req.ip
           });
-          
+
           // return (access) token in response
           return res.status(200).send({
             token: tokens.token,
@@ -182,14 +182,14 @@ export const logout = async (req: Request, res: Response) => {
       httpOnly: true,
       path: '/',
       sameSite: 'strict',
-      secure: NODE_ENV === 'production' ? true : false
+      secure: (await getHttpsEnabled()) as boolean
     });
 
     const logoutAction = await EELogService.createAction({
       name: ACTION_LOGOUT,
       userId: req.user._id
     });
-    
+
     logoutAction && await EELogService.createLog({
       userId: req.user._id,
       actions: [logoutAction],
@@ -237,7 +237,7 @@ export const getNewToken = async (req: Request, res: Response) => {
     }
 
     const decodedToken = <jwt.UserIDJwtPayload>(
-      jwt.verify(refreshToken, JWT_REFRESH_SECRET)
+      jwt.verify(refreshToken, await getJwtRefreshSecret())
     );
 
     const user = await User.findOne({
@@ -252,8 +252,8 @@ export const getNewToken = async (req: Request, res: Response) => {
       payload: {
         userId: decodedToken.userId
       },
-      expiresIn: JWT_AUTH_LIFETIME,
-      secret: JWT_AUTH_SECRET
+      expiresIn: await getJwtAuthLifetime(),
+      secret: await getJwtAuthSecret()
     });
 
     return res.status(200).send({

backend/src/controllers/v1/botController.ts

@@ -1,4 +1,5 @@
 import { Request, Response } from 'express';
+import { Types } from 'mongoose';
 import * as Sentry from '@sentry/node';
 import { Bot, BotKey } from '../../models';
 import { createBot } from '../../helpers/bot';
@@ -29,7 +30,7 @@ export const getBotByWorkspaceId = async (req: Request, res: Response) => {
             // -> create a new bot and return it
             bot = await createBot({
                 name: 'Infisical Bot',
-                workspaceId
+                workspaceId: new Types.ObjectId(workspaceId)
             });
         }
 	} catch (err) {

backend/src/controllers/v1/integrationAuthController.ts

@@ -2,13 +2,21 @@ import { Request, Response } from 'express';
 import { Types } from 'mongoose';
 import * as Sentry from '@sentry/node';
 import {
-	Integration, 
 	IntegrationAuth,
 	Bot 
 } from '../../models';
-import { INTEGRATION_SET, INTEGRATION_OPTIONS } from '../../variables';
+import { INTEGRATION_SET, getIntegrationOptions as getIntegrationOptionsFunc } from '../../variables';
 import { IntegrationService } from '../../services';
-import { getApps, revokeAccess } from '../../integrations';
+import {
+	getApps, 
+	getTeams,
+	revokeAccess 
+} from '../../integrations';
+import {
+	INTEGRATION_VERCEL_API_URL,
+	INTEGRATION_RAILWAY_API_URL
+} from '../../variables';
+import request from '../../config/request';
 
 /***
  * Return integration authorization with id [integrationAuthId]
@@ -36,9 +44,11 @@ export const getIntegrationAuth = async (req: Request, res: Response) => {
 }
 
 export const getIntegrationOptions = async (req: Request, res: Response) => {
-  return res.status(200).send({
-    integrationOptions: INTEGRATION_OPTIONS,
-  });
+	const INTEGRATION_OPTIONS = await getIntegrationOptionsFunc();
+
+	return res.status(200).send({
+		integrationOptions: INTEGRATION_OPTIONS,
+	});
 };
 
 /**
@@ -154,25 +164,235 @@ export const saveIntegrationAccessToken = async (
  * @returns
  */
 export const getIntegrationAuthApps = async (req: Request, res: Response) => {
-  let apps;
-  try {
-    apps = await getApps({
-      integrationAuth: req.integrationAuth,
-      accessToken: req.accessToken,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get integration authorization applications",
-    });
-  }
+	let apps;
+	try {
+		const teamId = req.query.teamId as string;
+		
+		apps = await getApps({
+			integrationAuth: req.integrationAuth,
+			accessToken: req.accessToken,
+			...teamId && { teamId }
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: "Failed to get integration authorization applications",
+		});
+	}
 
-  return res.status(200).send({
-    apps,
-  });
+	return res.status(200).send({
+		apps
+	});
 };
 
+/**
+ * Return list of teams allowed for integration with integration authorization id [integrationAuthId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getIntegrationAuthTeams = async (req: Request, res: Response) => {
+	const teams = await getTeams({
+		integrationAuth: req.integrationAuth,
+		accessToken: req.accessToken
+	});
+	
+	return res.status(200).send({
+		teams
+	});
+}
+
+/**
+ * Return list of available Vercel (preview) branches for Vercel project with
+ * id [appId]
+ * @param req 
+ * @param res 
+ */
+export const getIntegrationAuthVercelBranches = async (req: Request, res: Response) => {
+	const { integrationAuthId } = req.params;
+	const appId = req.query.appId as string;
+	
+	interface VercelBranch {
+		ref: string;
+		lastCommit: string;
+		isProtected: boolean;
+	}
+
+	const params = new URLSearchParams({
+		projectId: appId,
+		...(req.integrationAuth.teamId ? {
+			teamId: req.integrationAuth.teamId
+		} : {})
+	});
+
+	let branches: string[] = [];
+	
+	if (appId && appId !== '') {
+		const { data }: { data: VercelBranch[] } = await request.get(
+			`${INTEGRATION_VERCEL_API_URL}/v1/integrations/git-branches`,
+			{
+				params,
+				headers: {
+					Authorization: `Bearer ${req.accessToken}`,
+					'Accept-Encoding': 'application/json'
+				}
+			}
+		);
+		
+		branches = data.map((b) => b.ref);
+	}
+
+	return res.status(200).send({
+		branches
+	});
+}
+
+/**
+ * Return list of Railway environments for Railway project with
+ * id [appId]
+ * @param req 
+ * @param res 
+ */
+export const getIntegrationAuthRailwayEnvironments = async (req: Request, res: Response) => {
+	const { integrationAuthId } = req.params;
+	const appId = req.query.appId as string;
+	
+	interface RailwayEnvironment {
+		node: {
+			id: string;
+			name: string;
+			isEphemeral: boolean;
+		}
+	}
+	
+	interface Environment {
+		environmentId: string;
+		name: string;
+	}
+	
+	let environments: Environment[] = [];
+
+	if (appId && appId !== '') {
+		const query = `
+			query GetEnvironments($projectId: String!, $after: String, $before: String, $first: Int, $isEphemeral: Boolean, $last: Int) {
+				environments(projectId: $projectId, after: $after, before: $before, first: $first, isEphemeral: $isEphemeral, last: $last) {
+				edges {
+					node {
+					id
+					name
+					isEphemeral
+					}
+				}
+				}
+			}
+			`;
+		
+		const variables = {
+			projectId: appId
+		}
+		
+		const { data: { data: { environments: { edges } } } } = await request.post(INTEGRATION_RAILWAY_API_URL, {
+			query,
+			variables,
+		}, {
+			headers: {
+				'Authorization': `Bearer ${req.accessToken}`,
+				'Content-Type': 'application/json',
+			},
+		});
+		
+		environments = edges.map((e: RailwayEnvironment) => {
+			return ({
+				name: e.node.name,
+				environmentId: e.node.id
+			});
+		});
+	}
+	
+	return res.status(200).send({
+		environments
+	});
+}
+
+/**
+ * Return list of Railway services for Railway project with id
+ * [appId]
+ * @param req 
+ * @param res 
+ */
+export const getIntegrationAuthRailwayServices = async (req: Request, res: Response) => {
+	const { integrationAuthId } = req.params;
+	const appId = req.query.appId as string;
+	
+	interface RailwayService {
+		node: {
+			id: string;
+			name: string;
+		}
+	}
+	
+	interface Service {
+		name: string;
+		serviceId: string;
+	}
+	
+	let services: Service[] = [];
+	
+	const query = `
+      query project($id: String!) {
+        project(id: $id) {
+          createdAt
+          deletedAt
+          id
+          description
+          expiredAt
+          isPublic
+          isTempProject
+          isUpdatable
+          name
+          prDeploys
+          teamId
+          updatedAt
+          upstreamUrl
+		  services {
+			edges {
+				node {
+					id
+					name
+				}
+			}
+		  }
+        }
+      }
+    `;
+
+	if (appId && appId !== '') {
+		const variables = {
+			id: appId
+		}
+		
+		const { data: { data: { project: { services: { edges } } } } } = await request.post(INTEGRATION_RAILWAY_API_URL, {
+			query,
+			variables
+		}, {
+			headers: {
+				'Authorization': `Bearer ${req.accessToken}`,
+				'Content-Type': 'application/json',
+			},
+		});
+		
+		services = edges.map((e: RailwayService) => ({
+			name: e.node.name,
+			serviceId: e.node.id
+		}));
+	}
+	
+	return res.status(200).send({
+		services
+	});
+}
+
 /**
  * Delete integration authorization with id [integrationAuthId]
  * @param req

backend/src/controllers/v1/integrationController.ts

@@ -2,10 +2,7 @@ import { Request, Response } from 'express';
 import { Types } from 'mongoose';
 import * as Sentry from '@sentry/node';
 import { 
-	Integration, 
-	Workspace,
-	Bot, 
-	BotKey 
+	Integration
 } from '../../models';
 import { EventService } from '../../services';
 import { eventPushSecrets } from '../../events';
@@ -18,6 +15,7 @@ import { eventPushSecrets } from '../../events';
  */
 export const createIntegration = async (req: Request, res: Response) => {
 	let integration;
+
 	try {
 		const {
 			integrationAuthId,
@@ -26,6 +24,9 @@ export const createIntegration = async (req: Request, res: Response) => {
 			isActive,
 			sourceEnvironment,
 			targetEnvironment,
+			targetEnvironmentId,
+      targetService,
+      targetServiceId,
 			owner,
 			path,
 			region
@@ -34,25 +35,29 @@ export const createIntegration = async (req: Request, res: Response) => {
 		// TODO: validate [sourceEnvironment] and [targetEnvironment]
 
 		// initialize new integration after saving integration access token
-        integration = await new Integration({
-            workspace: req.integrationAuth.workspace._id,
-            environment: sourceEnvironment,
-            isActive,
-            app,
+    integration = await new Integration({
+      workspace: req.integrationAuth.workspace._id,
+      environment: sourceEnvironment,
+      isActive,
+      app,
 			appId,
 			targetEnvironment,
+			targetEnvironmentId,
+      targetService,
+      targetServiceId,
 			owner,
 			path,
 			region,
-            integration: req.integrationAuth.integration,
-            integrationAuth: new Types.ObjectId(integrationAuthId)
-        }).save();
+      integration: req.integrationAuth.integration,
+      integrationAuth: new Types.ObjectId(integrationAuthId)
+    }).save();
 		
 		if (integration) {
 			// trigger event - push secrets
 			EventService.handleEvent({
 				event: eventPushSecrets({
-					workspaceId: integration.workspace.toString()
+					workspaceId: integration.workspace,
+          environment: sourceEnvironment
 				})
 			});
 		}
@@ -113,7 +118,8 @@ export const updateIntegration = async (req: Request, res: Response) => {
       // trigger event - push secrets
       EventService.handleEvent({
         event: eventPushSecrets({
-          workspaceId: integration.workspace.toString(),
+          workspaceId: integration.workspace,
+          environment
         }),
       });
     }

backend/src/controllers/v1/membershipController.ts

@@ -1,13 +1,13 @@
-import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import { Membership, MembershipOrg, User, Key, IMembership, Workspace } from '../../models';
+import { Request, Response } from 'express';
+import { Membership, MembershipOrg, User, Key } from '../../models';
 import {
 	findMembership,
 	deleteMembership as deleteMember
 } from '../../helpers/membership';
 import { sendMail } from '../../helpers/nodemailer';
-import { SITE_URL } from '../../config';
 import { ADMIN, MEMBER, ACCEPTED } from '../../variables';
+import { getSiteURL } from '../../config';
 
 /**
  * Check that user is a member of workspace with id [workspaceId]
@@ -215,7 +215,7 @@ export const inviteUserToWorkspace = async (req: Request, res: Response) => {
 				inviterFirstName: req.user.firstName,
 				inviterEmail: req.user.email,
 				workspaceName: req.membership.workspace.name,
-				callback_url: SITE_URL + '/login'
+				callback_url: (await getSiteURL()) + '/login'
 			}
 		});
 	} catch (err) {

backend/src/controllers/v1/membershipOrgController.ts

@@ -1,6 +1,6 @@
+import { Types } from 'mongoose';
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import { SITE_URL, JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET } from '../../config';
 import { MembershipOrg, Organization, User } from '../../models';
 import { deleteMembershipOrg as deleteMemberFromOrg } from '../../helpers/membershipOrg';
 import { createToken } from '../../helpers/auth';
@@ -8,6 +8,7 @@ import { updateSubscriptionOrgQuantity } from '../../helpers/organization';
 import { sendMail } from '../../helpers/nodemailer';
 import { TokenService } from '../../services';
 import { OWNER, ADMIN, MEMBER, ACCEPTED, INVITED, TOKEN_EMAIL_ORG_INVITATION } from '../../variables';
+import { getSiteURL, getJwtSignupLifetime, getJwtSignupSecret, getSmtpConfigured } from '../../config';
 
 /**
  * Delete organization membership with id [membershipOrgId] from organization
@@ -99,9 +100,11 @@ export const changeMembershipOrgRole = async (req: Request, res: Response) => {
  * @returns
  */
 export const inviteUserToOrganization = async (req: Request, res: Response) => {
-	let invitee, inviteeMembershipOrg;
+	let invitee, inviteeMembershipOrg, completeInviteLink;
 	try {
 		const { organizationId, inviteeEmail } = req.body;
+		const host = req.headers.host;
+		const siteUrl = `${req.protocol}://${host}`;
 
 		// validate membership
 		const membershipOrg = await MembershipOrg.findOne({
@@ -137,7 +140,7 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 					inviteEmail: inviteeEmail,
 					organization: organizationId,
 					role: MEMBER,
-					status: invitee?.publicKey ? ACCEPTED : INVITED
+					status: INVITED
 				}).save();
 			}
 		} else {
@@ -162,6 +165,7 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 		const organization = await Organization.findOne({ _id: organizationId });
 
 		if (organization) {
+
 			const token = await TokenService.createToken({
 				type: TOKEN_EMAIL_ORG_INVITATION,
 				email: inviteeEmail,
@@ -177,10 +181,15 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 					inviterEmail: req.user.email,
 					organizationName: organization.name,
 					email: inviteeEmail,
+					organizationId: organization._id.toString(),
 					token,
-					callback_url: SITE_URL + '/signupinvite'
+					callback_url: (await getSiteURL()) + '/signupinvite'
 				}
 			});
+
+			if (!(await getSmtpConfigured())) {
+				completeInviteLink = `${siteUrl + '/signupinvite'}?token=${token}&to=${inviteeEmail}`
+			}
 		}
 
 		await updateSubscriptionOrgQuantity({ organizationId });
@@ -193,7 +202,8 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 	}
 
 	return res.status(200).send({
-		message: `Sent an invite link to ${req.body.inviteeEmail}`
+		message: `Sent an invite link to ${req.body.inviteeEmail}`,
+		completeInviteLink
 	});
 };
 
@@ -207,18 +217,23 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 export const verifyUserToOrganization = async (req: Request, res: Response) => {
 	let user, token;
 	try {
-		const { email, code } = req.body;
+		const { 
+			email, 
+			organizationId,
+			code 
+		} = req.body;
 
 		user = await User.findOne({ email }).select('+publicKey');
 
 		const membershipOrg = await MembershipOrg.findOne({
 			inviteEmail: email,
-			status: INVITED
+			status: INVITED,
+			organization: new Types.ObjectId(organizationId)
 		});
 
 		if (!membershipOrg)
 			throw new Error('Failed to find any invitations for email');
-		
+
 		await TokenService.validateToken({
 			type: TOKEN_EMAIL_ORG_INVITATION,
 			email,
@@ -250,8 +265,8 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => {
 			payload: {
 				userId: user._id.toString()
 			},
-			expiresIn: JWT_SIGNUP_LIFETIME,
-			secret: JWT_SIGNUP_SECRET
+			expiresIn: await getJwtSignupLifetime(),
+			secret: await getJwtSignupSecret()
 		});
 	} catch (err) {
 		Sentry.setUser(null);

backend/src/controllers/v1/organizationController.ts

@@ -1,26 +1,18 @@
-import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import {
-	SITE_URL,
-	STRIPE_SECRET_KEY
-} from '../../config';
+import { Request, Response } from 'express';
 import Stripe from 'stripe';
-
-const stripe = new Stripe(STRIPE_SECRET_KEY, {
-	apiVersion: '2022-08-01'
-});
 import {
 	Membership,
 	MembershipOrg,
 	Organization,
 	Workspace,
-	IncidentContactOrg,
-	IMembershipOrg
+	IncidentContactOrg
 } from '../../models';
 import { createOrganization as create } from '../../helpers/organization';
 import { addMembershipsOrg } from '../../helpers/membershipOrg';
 import { OWNER, ACCEPTED } from '../../variables';
 import _ from 'lodash';
+import { getStripeSecretKey, getSiteURL } from '../../config';
 
 export const getOrganizations = async (req: Request, res: Response) => {
 	let organizations;
@@ -93,7 +85,7 @@ export const createOrganization = async (req: Request, res: Response) => {
 export const getOrganization = async (req: Request, res: Response) => {
 	let organization;
 	try {
-		organization = req.membershipOrg.organization;
+		organization = req.organization
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);
@@ -325,25 +317,29 @@ export const createOrganizationPortalSession = async (
 ) => {
 	let session;
 	try {
-		// check if there is a payment method on file
-		const paymentMethods = await stripe.paymentMethods.list({
-			customer: req.membershipOrg.organization.customerId,
-			type: 'card'
+		const stripe = new Stripe(await getStripeSecretKey(), {
+			apiVersion: '2022-08-01'
 		});
 
+		// check if there is a payment method on file
+		const paymentMethods = await stripe.paymentMethods.list({
+			customer: req.organization.customerId,
+			type: 'card'
+		});
+		
 		if (paymentMethods.data.length < 1) {
 			// case: no payment method on file
 			session = await stripe.checkout.sessions.create({
-				customer: req.membershipOrg.organization.customerId,
+				customer: req.organization.customerId,
 				mode: 'setup',
 				payment_method_types: ['card'],
-				success_url: SITE_URL + '/dashboard',
-				cancel_url: SITE_URL + '/dashboard'
+				success_url: (await getSiteURL()) + '/dashboard',
+				cancel_url: (await getSiteURL()) + '/dashboard'
 			});
 		} else {
 			session = await stripe.billingPortal.sessions.create({
-				customer: req.membershipOrg.organization.customerId,
-				return_url: SITE_URL + '/dashboard'
+				customer: req.organization.customerId,
+				return_url: (await getSiteURL()) + '/dashboard'
 			});
 		}
 
@@ -369,8 +365,12 @@ export const getOrganizationSubscriptions = async (
 ) => {
 	let subscriptions;
 	try {
+		const stripe = new Stripe(await getStripeSecretKey(), {
+			apiVersion: '2022-08-01'
+		});
+		
 		subscriptions = await stripe.subscriptions.list({
-			customer: req.membershipOrg.organization.customerId
+			customer: req.organization.customerId
 		});
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });

backend/src/controllers/v1/passwordController.ts

@@ -7,9 +7,9 @@ import { User, BackupPrivateKey, LoginSRPDetail } from '../../models';
 import { createToken } from '../../helpers/auth';
 import { sendMail } from '../../helpers/nodemailer';
 import { TokenService } from '../../services';
-import { JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET, SITE_URL } from '../../config';
 import { TOKEN_EMAIL_PASSWORD_RESET } from '../../variables';
 import { BadRequestError } from '../../utils/errors';
+import { getSiteURL, getJwtSignupLifetime, getJwtSignupSecret } from '../../config';
 
 /**
  * Password reset step 1: Send email verification link to email [email] 
@@ -44,7 +44,7 @@ export const emailPasswordReset = async (req: Request, res: Response) => {
 			substitutions: {
 				email,
 				token,
-				callback_url: SITE_URL + '/password-reset'
+				callback_url: (await getSiteURL()) + '/password-reset'
 			}
 		});
 	} catch (err) {
@@ -91,8 +91,8 @@ export const emailPasswordResetVerify = async (req: Request, res: Response) => {
 			payload: {
 				userId: user._id.toString()
 			},
-			expiresIn: JWT_SIGNUP_LIFETIME,
-			secret: JWT_SIGNUP_SECRET
+			expiresIn: await getJwtSignupLifetime(),
+			secret: await getJwtSignupSecret()
 		});
 	} catch (err) {
 		Sentry.setUser(null);

backend/src/controllers/v1/secretController.ts

@@ -1,5 +1,6 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
 import { Key, Secret } from '../../models';
 import {
 	v1PushSecrets as push,
@@ -9,7 +10,7 @@ import {
 import { pushKeys } from '../../helpers/key';
 import { eventPushSecrets } from '../../events';
 import { EventService } from '../../services';
-import { postHogClient } from '../../services';
+import { TelemetryService } from '../../services';
 
 interface PushSecret {
 	ciphertextKey: string;
@@ -38,6 +39,7 @@ export const pushSecrets = async (req: Request, res: Response) => {
 	// upload (encrypted) secrets to workspace with id [workspaceId]
 
 	try {
+		const postHogClient = await TelemetryService.getPostHogClient();
 		let { secrets }: { secrets: PushSecret[] } = req.body;
 		const { keys, environment, channel } = req.body;
 		const { workspaceId } = req.params;
@@ -83,7 +85,8 @@ export const pushSecrets = async (req: Request, res: Response) => {
 		// trigger event - push secrets
 		EventService.handleEvent({
 			event: eventPushSecrets({
-				workspaceId
+				workspaceId: new Types.ObjectId(workspaceId),
+				environment
 			})
 		});
 
@@ -111,6 +114,7 @@ export const pullSecrets = async (req: Request, res: Response) => {
 	let secrets;
 	let key;
 	try {
+		const postHogClient = await TelemetryService.getPostHogClient();
 		const environment: string = req.query.environment as string;
 		const channel: string = req.query.channel as string;
 		const { workspaceId } = req.params;
@@ -179,6 +183,7 @@ export const pullSecretsServiceToken = async (req: Request, res: Response) => {
 	let secrets;
 	let key;
 	try {
+		const postHogClient = await TelemetryService.getPostHogClient();
 		const environment: string = req.query.environment as string;
 		const channel: string = req.query.channel as string;
 		const { workspaceId } = req.params;

backend/src/controllers/v1/secretsFolderController.ts

@@ -0,0 +1,89 @@
+import { Request, Response } from 'express';
+import { Secret } from '../../models';
+import Folder from '../../models/folder';
+import { BadRequestError } from '../../utils/errors';
+import { ROOT_FOLDER_PATH, getFolderPath, getParentPath, normalizePath, validateFolderName } from '../../utils/folder';
+import { ADMIN, MEMBER } from '../../variables';
+import { validateMembership } from '../../helpers/membership';
+
+// TODO
+// verify workspace id/environment
+export const createFolder = async (req: Request, res: Response) => {
+  const { workspaceId, environment, folderName, parentFolderId } = req.body
+  if (!validateFolderName(folderName)) {
+    throw BadRequestError({ message: "Folder name cannot contain spaces. Only underscore and dashes" })
+  }
+
+  if (parentFolderId) {
+    const parentFolder = await Folder.find({ environment: environment, workspace: workspaceId, id: parentFolderId });
+    if (!parentFolder) {
+      throw BadRequestError({ message: "The parent folder doesn't exist" })
+    }
+  }
+
+  let completePath = await getFolderPath(parentFolderId)
+  if (completePath == ROOT_FOLDER_PATH) {
+    completePath = ""
+  }
+
+  const currentFolderPath = completePath + "/" + folderName // construct new path with current folder to be created
+  const normalizedCurrentPath = normalizePath(currentFolderPath)
+  const normalizedParentPath = getParentPath(normalizedCurrentPath)
+
+  const existingFolder = await Folder.findOne({
+    name: folderName,
+    workspace: workspaceId,
+    environment: environment,
+    parent: parentFolderId,
+    path: normalizedCurrentPath
+  });
+
+  if (existingFolder) {
+    return res.json(existingFolder)
+  }
+
+  const newFolder = new Folder({
+    name: folderName,
+    workspace: workspaceId,
+    environment: environment,
+    parent: parentFolderId,
+    path: normalizedCurrentPath,
+    parentPath: normalizedParentPath
+  });
+
+  await newFolder.save();
+
+  return res.json(newFolder)
+}
+
+export const deleteFolder = async (req: Request, res: Response) => {
+  const { folderId } = req.params
+  const queue: any[] = [folderId];
+
+  const folder = await Folder.findById(folderId);
+  if (!folder) {
+    throw BadRequestError({ message: "The folder doesn't exist" })
+  }
+
+  // check that user is a member of the workspace
+  await validateMembership({
+    userId: req.user._id.toString(),
+    workspaceId: folder.workspace as any,
+    acceptedRoles: [ADMIN, MEMBER]
+  });
+
+  while (queue.length > 0) {
+    const currentFolderId = queue.shift();
+
+    const childFolders = await Folder.find({ parent: currentFolderId });
+    for (const childFolder of childFolders) {
+      queue.push(childFolder._id);
+    }
+
+    await Secret.deleteMany({ folder: currentFolderId });
+
+    await Folder.deleteOne({ _id: currentFolderId });
+  }
+
+  res.send()
+}

backend/src/controllers/v1/serviceTokenController.ts

@@ -1,7 +1,7 @@
 import { Request, Response } from 'express';
 import { ServiceToken } from '../../models';
 import { createToken } from '../../helpers/auth';
-import { JWT_SERVICE_SECRET } from '../../config';
+import { getJwtServiceSecret } from '../../config';
 
 /**
  * Return service token on request
@@ -61,7 +61,7 @@ export const createServiceToken = async (req: Request, res: Response) => {
 				workspaceId
 			},
 			expiresIn: expiresIn,
-			secret: JWT_SERVICE_SECRET
+			secret: await getJwtServiceSecret()
 		});
 	} catch (err) {
 		return res.status(400).send({

backend/src/controllers/v1/signupController.ts

@@ -1,13 +1,13 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
 import { User } from '../../models';
-import { JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET, INVITE_ONLY_SIGNUP } from '../../config';
 import {
 	sendEmailVerification,
 	checkEmailVerification,
 } from '../../helpers/signup';
 import { createToken } from '../../helpers/auth';
 import { BadRequestError } from '../../utils/errors';
+import { getInviteOnlySignup, getJwtSignupLifetime, getJwtSignupSecret, getSmtpConfigured } from '../../config';
 
 /**
  * Signup step 1: Initialize account for user under email [email] and send a verification code
@@ -21,7 +21,7 @@ export const beginEmailSignup = async (req: Request, res: Response) => {
 	try {
 		email = req.body.email;
 
-		if (INVITE_ONLY_SIGNUP) {
+		if (await getInviteOnlySignup()) {
 			// Only one user can create an account without being invited. The rest need to be invited in order to make an account
 			const userCount = await User.countDocuments({})
 			if (userCount != 0) {
@@ -66,7 +66,7 @@ export const verifyEmailSignup = async (req: Request, res: Response) => {
 		const { email, code } = req.body;
 
 		// initialize user account
-		user = await User.findOne({ email });
+		user = await User.findOne({ email }).select('+publicKey');
 		if (user && user?.publicKey) {
 			// case: user has already completed account
 			return res.status(403).send({
@@ -75,10 +75,12 @@ export const verifyEmailSignup = async (req: Request, res: Response) => {
 		}
 
 		// verify email
-		await checkEmailVerification({
-			email,
-			code
-		});
+		if (await getSmtpConfigured()) {
+			await checkEmailVerification({
+				email,
+				code
+			});
+		}
 
 		if (!user) {
 			user = await new User({
@@ -91,8 +93,8 @@ export const verifyEmailSignup = async (req: Request, res: Response) => {
 			payload: {
 				userId: user._id.toString()
 			},
-			expiresIn: JWT_SIGNUP_LIFETIME,
-			secret: JWT_SIGNUP_SECRET
+			expiresIn: await getJwtSignupLifetime(),
+			secret: await getJwtSignupSecret()
 		});
 	} catch (err) {
 		Sentry.setUser(null);

backend/src/controllers/v1/stripeController.ts

@@ -1,10 +1,7 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
 import Stripe from 'stripe';
-import { STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET } from '../../config';
-const stripe = new Stripe(STRIPE_SECRET_KEY, {
-	apiVersion: '2022-08-01'
-});
+import { getStripeSecretKey, getStripeWebhookSecret } from '../../config';
 
 /**
  * Handle service provisioning/un-provisioning via Stripe
@@ -16,11 +13,15 @@ export const handleWebhook = async (req: Request, res: Response) => {
 	let event;
 	try {
 		// check request for valid stripe signature
+		const stripe = new Stripe(await getStripeSecretKey(), {
+			apiVersion: '2022-08-01'
+		});
+
 		const sig = req.headers['stripe-signature'] as string;
 		event = stripe.webhooks.constructEvent(
 			req.body,
 			sig,
-			STRIPE_WEBHOOK_SECRET // ?
+			await getStripeWebhookSecret()
 		);
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });

backend/src/controllers/v2/apiKeyDataController.ts

@@ -1,13 +1,11 @@
-import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
+import { Request, Response } from 'express';
 import crypto from 'crypto';
 import bcrypt from 'bcrypt';
 import {
     APIKeyData
 } from '../../models';
-import {
-    SALT_ROUNDS
-} from '../../config';
+import { getSaltRounds } from '../../config';
 
 /**
  * Return API key data for user with id [req.user_id]
@@ -45,13 +43,14 @@ export const createAPIKeyData = async (req: Request, res: Response) => {
         const { name, expiresIn } = req.body;
         
         const secret = crypto.randomBytes(16).toString('hex');
-        const secretHash = await bcrypt.hash(secret, SALT_ROUNDS);
+        const secretHash = await bcrypt.hash(secret, await getSaltRounds());
         
 		const expiresAt = new Date();
 		expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
         
         apiKeyData = await new APIKeyData({
             name,
+            lastUsed: new Date(),
             expiresAt,
             user: req.user._id,
             secretHash

backend/src/controllers/v2/authController.ts

@@ -10,17 +10,17 @@ import { checkUserDevice } from '../../helpers/user';
 import { sendMail } from '../../helpers/nodemailer';
 import { TokenService } from '../../services';
 import { EELogService } from '../../ee/services';
-import {
-  NODE_ENV,
-  JWT_MFA_LIFETIME,
-  JWT_MFA_SECRET
-} from '../../config';
 import { BadRequestError, InternalServerError } from '../../utils/errors';
 import {
   TOKEN_EMAIL_MFA,
   ACTION_LOGIN
 } from '../../variables';
 import { getChannelFromUserAgent } from '../../utils/posthog'; // TODO: move this
+import {
+  getJwtMfaLifetime,
+  getJwtMfaSecret,
+  getHttpsEnabled
+} from '../../config';
 
 declare module 'jsonwebtoken' {
   export interface UserIDJwtPayload extends jwt.JwtPayload {
@@ -28,8 +28,6 @@ declare module 'jsonwebtoken' {
   }
 }
 
-const clientPublicKeys: any = {};
-
 /**
  * Log in user step 1: Return [salt] and [serverPublicKey] as part of step 1 of SRP protocol
  * @param req
@@ -89,7 +87,7 @@ export const login1 = async (req: Request, res: Response) => {
  */
 export const login2 = async (req: Request, res: Response) => {
   try {
-    
+
     if (!req.headers['user-agent']) throw InternalServerError({ message: 'User-Agent header is required' });
 
     const { email, clientProof } = req.body;
@@ -126,15 +124,15 @@ export const login2 = async (req: Request, res: Response) => {
               payload: {
                 userId: user._id.toString()
               },
-              expiresIn: JWT_MFA_LIFETIME,
-              secret: JWT_MFA_SECRET
+              expiresIn: await getJwtMfaLifetime(),
+              secret: await getJwtMfaSecret()
             });
-          
+
             const code = await TokenService.createToken({
               type: TOKEN_EMAIL_MFA,
               email
             });
-            
+
             // send MFA code [code] to [email]
             await sendMail({
               template: 'emailMfa.handlebars',
@@ -144,13 +142,13 @@ export const login2 = async (req: Request, res: Response) => {
                 code
               }
             });
-            
+
             return res.status(200).send({
               mfaEnabled: true,
               token
             });
           }
-          
+
           await checkUserDevice({
             user,
             ip: req.ip,
@@ -165,7 +163,7 @@ export const login2 = async (req: Request, res: Response) => {
             httpOnly: true,
             path: '/',
             sameSite: 'strict',
-            secure: NODE_ENV === 'production' ? true : false
+            secure: await getHttpsEnabled()
           });
 
           // case: user does not have MFA enablgged
@@ -183,7 +181,7 @@ export const login2 = async (req: Request, res: Response) => {
             iv?: string;
             tag?: string;
           }
-          
+
           const response: ResponseData = {
             mfaEnabled: false,
             encryptionVersion: user.encryptionVersion,
@@ -193,7 +191,7 @@ export const login2 = async (req: Request, res: Response) => {
             iv: user.iv,
             tag: user.tag
           }
-          
+
           if (
             user?.protectedKey &&
             user?.protectedKeyIV &&
@@ -208,14 +206,14 @@ export const login2 = async (req: Request, res: Response) => {
             name: ACTION_LOGIN,
             userId: user._id
           });
-          
+
           loginAction && await EELogService.createLog({
             userId: user._id,
             actions: [loginAction],
             channel: getChannelFromUserAgent(req.headers['user-agent']),
             ipAddress: req.ip
           });
-          
+
           return res.status(200).send(response);
         }
 
@@ -246,7 +244,7 @@ export const sendMfaToken = async (req: Request, res: Response) => {
       type: TOKEN_EMAIL_MFA,
       email
     });
-    
+
     // send MFA code [code] to [email]
     await sendMail({
       template: 'emailMfa.handlebars',
@@ -261,9 +259,9 @@ export const sendMfaToken = async (req: Request, res: Response) => {
     Sentry.captureException(err);
     return res.status(400).send({
       message: 'Failed to send MFA code'
-    }); 
+    });
   }
-  
+
   return res.status(200).send({
     message: 'Successfully sent new MFA code'
   });
@@ -276,76 +274,87 @@ export const sendMfaToken = async (req: Request, res: Response) => {
  * @param res 
  */
 export const verifyMfaToken = async (req: Request, res: Response) => {
-    const { email, mfaToken } = req.body;
+  const { email, mfaToken } = req.body;
 
-    await TokenService.validateToken({
-      type: TOKEN_EMAIL_MFA,
-      email,
-      token: mfaToken
-    });
+  await TokenService.validateToken({
+    type: TOKEN_EMAIL_MFA,
+    email,
+    token: mfaToken
+  });
 
-    const user = await User.findOne({
-      email
-    }).select('+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag');
+  const user = await User.findOne({
+    email
+  }).select('+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag');
 
-    if (!user) throw new Error('Failed to find user'); 
+  if (!user) throw new Error('Failed to find user');
 
-     await checkUserDevice({
-      user,
-      ip: req.ip,
-      userAgent: req.headers['user-agent'] ?? ''
-    });
+  await checkUserDevice({
+    user,
+    ip: req.ip,
+    userAgent: req.headers['user-agent'] ?? ''
+  });
 
-    // issue tokens
-    const tokens = await issueAuthTokens({ userId: user._id.toString() });
+  // issue tokens
+  const tokens = await issueAuthTokens({ userId: user._id.toString() });
 
-    // store (refresh) token in httpOnly cookie
-    res.cookie('jid', tokens.refreshToken, {
-      httpOnly: true,
-      path: '/',
-      sameSite: 'strict',
-      secure: NODE_ENV === 'production' ? true : false
-    });
-    
-    interface VerifyMfaTokenRes {
-      encryptionVersion: number;
-      protectedKey?: string;
-      protectedKeyIV?: string;
-      protectedKeyTag?: string;
-      token: string;
-      publicKey: string;
-      encryptedPrivateKey: string;
-      iv: string;
-      tag: string;
-    }
+  // store (refresh) token in httpOnly cookie
+  res.cookie('jid', tokens.refreshToken, {
+    httpOnly: true,
+    path: '/',
+    sameSite: 'strict',
+    secure: await getHttpsEnabled()
+  });
 
-    const resObj: VerifyMfaTokenRes = {
-      encryptionVersion: user.encryptionVersion,
-      token: tokens.token,
-      publicKey: user.publicKey as string,
-      encryptedPrivateKey: user.encryptedPrivateKey as string,
-      iv: user.iv as string,
-      tag: user.tag as string
-    }
-    
-    if (user?.protectedKey && user?.protectedKeyIV && user?.protectedKeyTag) {
-      resObj.protectedKey = user.protectedKey;
-      resObj.protectedKeyIV = user.protectedKeyIV;
-      resObj.protectedKeyTag = user.protectedKeyTag;
-    }
+  interface VerifyMfaTokenRes {
+    encryptionVersion: number;
+    protectedKey?: string;
+    protectedKeyIV?: string;
+    protectedKeyTag?: string;
+    token: string;
+    publicKey: string;
+    encryptedPrivateKey: string;
+    iv: string;
+    tag: string;
+  }
 
-    const loginAction = await EELogService.createAction({
-      name: ACTION_LOGIN,
-      userId: user._id
-    });
-    
-    loginAction && await EELogService.createLog({
-      userId: user._id,
-      actions: [loginAction],
-      channel: getChannelFromUserAgent(req.headers['user-agent']),
-      ipAddress: req.ip
-    });
+  interface VerifyMfaTokenRes {
+    encryptionVersion: number;
+    protectedKey?: string;
+    protectedKeyIV?: string;
+    protectedKeyTag?: string;
+    token: string;
+    publicKey: string;
+    encryptedPrivateKey: string;
+    iv: string;
+    tag: string;
+  }
 
-    return res.status(200).send(resObj); 
+  const resObj: VerifyMfaTokenRes = {
+    encryptionVersion: user.encryptionVersion,
+    token: tokens.token,
+    publicKey: user.publicKey as string,
+    encryptedPrivateKey: user.encryptedPrivateKey as string,
+    iv: user.iv as string,
+    tag: user.tag as string
+  }
+
+  if (user?.protectedKey && user?.protectedKeyIV && user?.protectedKeyTag) {
+    resObj.protectedKey = user.protectedKey;
+    resObj.protectedKeyIV = user.protectedKeyIV;
+    resObj.protectedKeyTag = user.protectedKeyTag;
+  }
+
+  const loginAction = await EELogService.createAction({
+    name: ACTION_LOGIN,
+    userId: user._id
+  });
+
+  loginAction && await EELogService.createLog({
+    userId: user._id,
+    actions: [loginAction],
+    channel: getChannelFromUserAgent(req.headers['user-agent']),
+    ipAddress: req.ip
+  });
+
+  return res.status(200).send(resObj);
 }
-

backend/src/controllers/v2/environmentController.ts

@@ -11,7 +11,7 @@ import {
 import { SecretVersion } from '../../ee/models';
 import { BadRequestError } from '../../utils/errors';
 import _ from 'lodash';
-import { ABILITY_READ, ABILITY_WRITE } from '../../variables/organization';
+import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from '../../variables';
 
 /**
  * Create new workspace environment named [environmentName] under workspace with id
@@ -244,8 +244,8 @@ export const getAllAccessibleEnvironmentsOfWorkspace = async (
     throw BadRequestError()
   }
   relatedWorkspace.environments.forEach(environment => {
-    const isReadBlocked = _.some(deniedPermission, { environmentSlug: environment.slug, ability: ABILITY_READ })
-    const isWriteBlocked = _.some(deniedPermission, { environmentSlug: environment.slug, ability: ABILITY_WRITE })
+    const isReadBlocked = _.some(deniedPermission, { environmentSlug: environment.slug, ability: PERMISSION_READ_SECRETS })
+    const isWriteBlocked = _.some(deniedPermission, { environmentSlug: environment.slug, ability: PERMISSION_WRITE_SECRETS })
     if (isReadBlocked && isWriteBlocked) {
       return
     } else {

backend/src/controllers/v2/index.ts

@@ -7,6 +7,7 @@ import * as serviceTokenDataController from './serviceTokenDataController';
 import * as apiKeyDataController from './apiKeyDataController';
 import * as secretController from './secretController';
 import * as secretsController from './secretsController';
+import * as serviceAccountsController from './serviceAccountsController';
 import * as environmentController from './environmentController';
 import * as tagController from './tagController';
 
@@ -20,6 +21,7 @@ export {
     apiKeyDataController,
     secretController,
     secretsController,
+    serviceAccountsController,
     environmentController,
     tagController
 }

backend/src/controllers/v2/organizationsController.ts

@@ -1,9 +1,11 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
 import { 
     MembershipOrg,
     Membership,
-    Workspace
+    Workspace,
+    ServiceAccount
 } from '../../models';
 import { deleteMembershipOrg } from '../../helpers/membershipOrg';
 import { updateSubscriptionOrgQuantity } from '../../helpers/organization';
@@ -260,37 +262,45 @@ export const getOrganizationWorkspaces = async (req: Request, res: Response) =>
         }
     }   
     */
-    let workspaces;
-    try {
-        const { organizationId } = req.params;
+    const { organizationId } = req.params;
 
-		const workspacesSet = new Set(
-			(
-				await Workspace.find(
-					{
-						organization: organizationId
-					},
-					'_id'
-				)
-			).map((w) => w._id.toString())
-		);
+    const workspacesSet = new Set(
+        (
+            await Workspace.find(
+                {
+                    organization: organizationId
+                },
+                '_id'
+            )
+        ).map((w) => w._id.toString())
+    );
 
-		workspaces = (
-			await Membership.find({
-				user: req.user._id
-			}).populate('workspace')
-		)
-			.filter((m) => workspacesSet.has(m.workspace._id.toString()))
-			.map((m) => m.workspace);
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get organization workspaces'
-		});	
-    }
-    
-    return res.status(200).send({
+    const workspaces = (
+        await Membership.find({
+            user: req.user._id
+        }).populate('workspace')
+    )
+    .filter((m) => workspacesSet.has(m.workspace._id.toString()))
+    .map((m) => m.workspace);
+
+return res.status(200).send({
         workspaces
     });
+}
+
+/**
+ * Return service accounts for organization with id [organizationId]
+ * @param req 
+ * @param res 
+ */
+export const getOrganizationServiceAccounts = async (req: Request, res: Response) => {
+    const { organizationId } = req.params;
+    
+    const serviceAccounts = await ServiceAccount.find({
+        organization: new Types.ObjectId(organizationId)
+    });
+    
+    return res.status(200).send({
+        serviceAccounts
+    });
 }

backend/src/controllers/v2/secretController.ts

@@ -7,7 +7,9 @@ const { ValidationError } = mongoose.Error;
 import { BadRequestError, InternalServerError, UnauthorizedRequestError, ValidationError as RouteValidationError } from '../../utils/errors';
 import { AnyBulkWriteOperation } from 'mongodb';
 import { SECRET_PERSONAL, SECRET_SHARED } from "../../variables";
-import { postHogClient } from '../../services';
+import { TelemetryService } from '../../services';
+import { User } from "../../models";
+import { AccountNotFoundError } from '../../utils/errors';
 
 /**
  * Create secret for workspace with id [workspaceId] and environment [environment]
@@ -15,6 +17,7 @@ import { postHogClient } from '../../services';
  * @param res 
  */
 export const createSecret = async (req: Request, res: Response) => {
+  const postHogClient = await TelemetryService.getPostHogClient();
   const secretToCreate: CreateSecretRequestBody = req.body.secret;
   const { workspaceId, environment } = req.params
   const sanitizedSecret: SanitizedSecretForCreate = {
@@ -67,6 +70,7 @@ export const createSecret = async (req: Request, res: Response) => {
  * @param res 
  */
 export const createSecrets = async (req: Request, res: Response) => {
+  const postHogClient = await TelemetryService.getPostHogClient();
   const secretsToCreate: CreateSecretRequestBody[] = req.body.secrets;
   const { workspaceId, environment } = req.params
   const sanitizedSecretesToCreate: SanitizedSecretForCreate[] = []
@@ -128,6 +132,7 @@ export const createSecrets = async (req: Request, res: Response) => {
  * @param res 
  */
 export const deleteSecrets = async (req: Request, res: Response) => {
+  const postHogClient = await TelemetryService.getPostHogClient();
   const { workspaceId, environmentName } = req.params
   const secretIdsToDelete: string[] = req.body.secretIds
 
@@ -181,6 +186,7 @@ export const deleteSecrets = async (req: Request, res: Response) => {
  * @param res
  */
 export const deleteSecret = async (req: Request, res: Response) => {
+  const postHogClient = await TelemetryService.getPostHogClient();
   await Secret.findByIdAndDelete(req._secret._id)
 
   if (postHogClient) {
@@ -209,6 +215,7 @@ export const deleteSecret = async (req: Request, res: Response) => {
  * @returns 
  */
 export const updateSecrets = async (req: Request, res: Response) => {
+  const postHogClient = await TelemetryService.getPostHogClient();
   const { workspaceId, environmentName } = req.params
   const secretsModificationsRequested: ModifySecretRequestBody[] = req.body.secrets;
   const [secretIdsUserCanModifyError, secretIdsUserCanModify] = await to(Secret.find({ workspace: workspaceId, environment: environmentName }, { _id: 1 }).then())
@@ -276,6 +283,7 @@ export const updateSecrets = async (req: Request, res: Response) => {
  * @returns 
  */
 export const updateSecret = async (req: Request, res: Response) => {
+  const postHogClient = await TelemetryService.getPostHogClient();
   const { workspaceId, environmentName } = req.params
   const secretModificationsRequested: ModifySecretRequestBody = req.body.secret;
 
@@ -329,19 +337,23 @@ export const updateSecret = async (req: Request, res: Response) => {
  * @returns 
  */
 export const getSecrets = async (req: Request, res: Response) => {
+  const postHogClient = await TelemetryService.getPostHogClient();
   const { environment } = req.query;
   const { workspaceId } = req.params;
 
   let userId: Types.ObjectId | undefined = undefined // used for getting personal secrets for user
-  let userEmail: Types.ObjectId | undefined = undefined // used for posthog 
+  let userEmail: string | undefined = undefined // used for posthog 
   if (req.user) {
     userId = req.user._id;
     userEmail = req.user.email;
   }
 
   if (req.serviceTokenData) {
-    userId = req.serviceTokenData.user._id
-    userEmail = req.serviceTokenData.user.email;
+    userId = req.serviceTokenData.user;
+    
+    const user = await User.findById(req.serviceTokenData.user, 'email');
+    if (!user) throw AccountNotFoundError();
+    userEmail = user.email;
   }
 
   const [err, secrets] = await to(Secret.find(

backend/src/controllers/v2/secretsController.ts

@@ -2,7 +2,7 @@ import to from 'await-to-js';
 import { Types } from 'mongoose';
 import { Request, Response } from 'express';
 import { ISecret, Secret } from '../../models';
-import { IAction } from '../../ee/models';
+import { IAction, SecretVersion } from '../../ee/models';
 import {
     SECRET_PERSONAL,
     SECRET_SHARED,
@@ -15,24 +15,30 @@ import { UnauthorizedRequestError, ValidationError } from '../../utils/errors';
 import { EventService } from '../../services';
 import { eventPushSecrets } from '../../events';
 import { EESecretService, EELogService } from '../../ee/services';
-import { postHogClient } from '../../services';
+import { TelemetryService, SecretService } from '../../services';
 import { getChannelFromUserAgent } from '../../utils/posthog';
-import { ABILITY_READ, ABILITY_WRITE } from '../../variables/organization';
+import { PERMISSION_WRITE_SECRETS } from '../../variables';
 import { userHasNoAbility, userHasWorkspaceAccess, userHasWriteOnlyAbility } from '../../ee/helpers/checkMembershipPermissions';
 import Tag from '../../models/tag';
-import _ from 'lodash';
+import _, { eq } from 'lodash';
 import {
-    BatchSecretRequest, 
+    BatchSecretRequest,
     BatchSecret
 } from '../../types/secret';
+import { getFolderPath, getFoldersInDirectory, normalizePath } from '../../utils/folder';
+import { ROOT_FOLDER_PATH } from '../../utils/folder';
 
 /**
  * Peform a batch of any specified CUD secret operations
+ * (used by dashboard)
  * @param req 
  * @param res 
  */
 export const batchSecrets = async (req: Request, res: Response) => {
+
     const channel = getChannelFromUserAgent(req.headers['user-agent']);
+    const postHogClient = await TelemetryService.getPostHogClient();
+
     const {
         workspaceId,
         environment,
@@ -41,36 +47,63 @@ export const batchSecrets = async (req: Request, res: Response) => {
         workspaceId: string;
         environment: string;
         requests: BatchSecretRequest[];
-    }= req.body;
-    
+    } = req.body;
+
     const createSecrets: BatchSecret[] = [];
     const updateSecrets: BatchSecret[] = [];
     const deleteSecrets: Types.ObjectId[] = [];
     const actions: IAction[] = [];
-    
-    requests.forEach((request) => {
+
+    // get secret blind index salt
+    const salt = await SecretService.getSecretBlindIndexSalt({
+        workspaceId: new Types.ObjectId(workspaceId)
+    });
+
+    for await (const request of requests) {
+        const folderId = request.secret.folderId
+
+        // TODO: need to auth folder
+        const fullFolderPath = await getFolderPath(folderId)
+
+        let secretBlindIndex = '';
         switch (request.method) {
             case 'POST':
+                secretBlindIndex = await SecretService.generateSecretBlindIndexWithSalt({
+                    secretName: request.secret.secretName,
+                    salt
+                });
+
                 createSecrets.push({
                     ...request.secret,
                     version: 1,
                     user: request.secret.type === SECRET_PERSONAL ? req.user : undefined,
                     environment,
-                    workspace: new Types.ObjectId(workspaceId)
+                    workspace: new Types.ObjectId(workspaceId),
+                    path: fullFolderPath,
+                    folder: folderId,
+                    secretBlindIndex
                 });
                 break;
             case 'PATCH':
+                secretBlindIndex = await SecretService.generateSecretBlindIndexWithSalt({
+                    secretName: request.secret.secretName,
+                    salt,
+                });
+
                 updateSecrets.push({
                     ...request.secret,
-                    _id: new Types.ObjectId(request.secret._id)
+                    _id: new Types.ObjectId(request.secret._id),
+                    secretBlindIndex,
+                    folder: folderId,
+                    path: fullFolderPath,
                 });
                 break;
             case 'DELETE':
                 deleteSecrets.push(new Types.ObjectId(request.secret._id));
                 break;
         }
-    });
-    
+    }
+
     // handle create secrets
     let createdSecrets: ISecret[] = [];
     if (createSecrets.length > 0) {
@@ -89,7 +122,9 @@ export const batchSecrets = async (req: Request, res: Response) => {
 
         const addAction = await EELogService.createAction({
             name: ACTION_ADD_SECRETS,
-            userId: req.user._id,
+            userId: req.user?._id,
+            serviceAccountId: req.serviceAccount?._id,
+            serviceTokenDataId: req.serviceTokenData?._id,
             workspaceId: new Types.ObjectId(workspaceId),
             secretIds: createdSecrets.map((n) => n._id)
         }) as IAction;
@@ -109,18 +144,18 @@ export const batchSecrets = async (req: Request, res: Response) => {
             });
         }
     }
-    
+
     // handle update secrets
     let updatedSecrets: ISecret[] = [];
     if (updateSecrets.length > 0 && req.secrets) {
         // construct object containing all secrets
         let listedSecretsObj: {
-            [key: string]: { 
+            [key: string]: {
                 version: number;
                 type: string;
             }
         } = {};
-        
+
         listedSecretsObj = req.secrets.reduce((obj: any, secret: ISecret) => ({
             ...obj,
             [secret._id.toString()]: secret
@@ -128,7 +163,10 @@ export const batchSecrets = async (req: Request, res: Response) => {
 
         const updateOperations = updateSecrets.map((u) => ({
             updateOne: {
-                filter: { _id: new Types.ObjectId(u._id) },
+                filter: {
+                    _id: new Types.ObjectId(u._id),
+                    workspace: new Types.ObjectId(workspaceId)
+                },
                 update: {
                     $inc: {
                         version: 1
@@ -140,14 +178,15 @@ export const batchSecrets = async (req: Request, res: Response) => {
         }));
 
         await Secret.bulkWrite(updateOperations);
-        
-        const secretVersions = updateSecrets.map((u) => ({
+
+        const secretVersions = updateSecrets.map((u) => new SecretVersion({
             secret: new Types.ObjectId(u._id),
             version: listedSecretsObj[u._id.toString()].version,
             workspace: new Types.ObjectId(workspaceId),
             type: listedSecretsObj[u._id.toString()].type,
             environment,
             isDeleted: false,
+            secretBlindIndex: u.secretBlindIndex,
             secretKeyCiphertext: u.secretKeyCiphertext,
             secretKeyIV: u.secretKeyIV,
             secretKeyTag: u.secretKeyTag,
@@ -227,7 +266,7 @@ export const batchSecrets = async (req: Request, res: Response) => {
             });
         }
     }
-    
+
     if (actions.length > 0) {
         // (EE) create (audit) log
         await EELogService.createLog({
@@ -242,15 +281,15 @@ export const batchSecrets = async (req: Request, res: Response) => {
     // // trigger event - push secrets
     await EventService.handleEvent({
         event: eventPushSecrets({
-            workspaceId
+            workspaceId: new Types.ObjectId(workspaceId)
         })
     });
 
     // (EE) take a secret snapshot
     await EESecretService.takeSecretSnapshot({
-        workspaceId
+        workspaceId: new Types.ObjectId(workspaceId)
     });
-    
+
     const resObj: { [key: string]: ISecret[] | string[] } = {}
 
     if (createSecrets.length > 0) {
@@ -260,11 +299,11 @@ export const batchSecrets = async (req: Request, res: Response) => {
     if (updateSecrets.length > 0) {
         resObj['updatedSecrets'] = updatedSecrets;
     }
-    
+
     if (deleteSecrets.length > 0) {
         resObj['deletedSecrets'] = deleteSecrets.map((d) => d.toString());
     }
-    
+
     return res.status(200).send(resObj);
 }
 
@@ -330,9 +369,11 @@ export const createSecrets = async (req: Request, res: Response) => {
     const channel = getChannelFromUserAgent(req.headers['user-agent'])
     const { workspaceId, environment }: { workspaceId: string, environment: string } = req.body;
 
-    const hasAccess = await userHasWorkspaceAccess(req.user, workspaceId, environment, ABILITY_WRITE)
-    if (!hasAccess) {
-        throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
+    if (req.user) {
+        const hasAccess = await userHasWorkspaceAccess(req.user, new Types.ObjectId(workspaceId), environment, PERMISSION_WRITE_SECRETS)
+        if (!hasAccess) {
+            throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
+        }
     }
 
     let listOfSecretsToCreate;
@@ -344,8 +385,14 @@ export const createSecrets = async (req: Request, res: Response) => {
         listOfSecretsToCreate = [req.body.secrets];
     }
 
+    // get secret blind index salt
+    const salt = await SecretService.getSecretBlindIndexSalt({
+        workspaceId: new Types.ObjectId(workspaceId)
+    });
+
     type secretsToCreateType = {
         type: string;
+        secretName?: string;
         secretKeyCiphertext: string;
         secretKeyIV: string;
         secretKeyTag: string;
@@ -358,9 +405,10 @@ export const createSecrets = async (req: Request, res: Response) => {
         tags: string[]
     }
 
-    const newlyCreatedSecrets = await Secret.insertMany(
-        listOfSecretsToCreate.map(({
+    const secretsToInsert: ISecret[] = await Promise.all(
+        listOfSecretsToCreate.map(async ({
             type,
+            secretName,
             secretKeyCiphertext,
             secretKeyIV,
             secretKeyTag,
@@ -372,11 +420,20 @@ export const createSecrets = async (req: Request, res: Response) => {
             secretCommentTag,
             tags
         }: secretsToCreateType) => {
+            let secretBlindIndex;
+            if (secretName) {
+                secretBlindIndex = await SecretService.generateSecretBlindIndexWithSalt({
+                    secretName,
+                    salt
+                });
+            }
+
             return ({
                 version: 1,
                 workspace: new Types.ObjectId(workspaceId),
                 type,
-                user: type === SECRET_PERSONAL ? req.user : undefined,
+                ...(secretBlindIndex ? { secretBlindIndex } : {}),
+                user: (req.user && type === SECRET_PERSONAL) ? req.user : undefined,
                 environment,
                 secretKeyCiphertext,
                 secretKeyIV,
@@ -392,11 +449,13 @@ export const createSecrets = async (req: Request, res: Response) => {
         })
     );
 
+    const newlyCreatedSecrets: ISecret[] = (await Secret.insertMany(secretsToInsert)).map((insertedSecret) => insertedSecret.toObject());
+
     setTimeout(async () => {
         // trigger event - push secrets
         await EventService.handleEvent({
             event: eventPushSecrets({
-                workspaceId
+                workspaceId: new Types.ObjectId(workspaceId)
             })
         });
     }, 5000);
@@ -410,48 +469,45 @@ export const createSecrets = async (req: Request, res: Response) => {
             type,
             user,
             environment,
+            secretBlindIndex,
             secretKeyCiphertext,
             secretKeyIV,
             secretKeyTag,
             secretValueCiphertext,
             secretValueIV,
-            secretValueTag,
-            secretCommentCiphertext,
-            secretCommentIV,
-            secretCommentTag,
-            tags
-        }) => ({
-            _id: new Types.ObjectId(),
+            secretValueTag
+        }) => new SecretVersion({
             secret: _id,
             version,
             workspace,
             type,
             user,
             environment,
+            secretBlindIndex,
             isDeleted: false,
             secretKeyCiphertext,
             secretKeyIV,
             secretKeyTag,
             secretValueCiphertext,
             secretValueIV,
-            secretValueTag,
-            secretCommentCiphertext,
-            secretCommentIV,
-            secretCommentTag,
-            tags
+            secretValueTag
         }))
     });
 
     const addAction = await EELogService.createAction({
         name: ACTION_ADD_SECRETS,
-        userId: req.user._id,
+        userId: req.user?._id,
+        serviceAccountId: req.serviceAccount?._id,
+        serviceTokenDataId: req.serviceTokenData?._id,
         workspaceId: new Types.ObjectId(workspaceId),
         secretIds: newlyCreatedSecrets.map((n) => n._id)
     });
 
     // (EE) create (audit) log
     addAction && await EELogService.createLog({
-        userId: req.user._id.toString(),
+        userId: req.user?._id,
+        serviceAccountId: req.serviceAccount?._id,
+        serviceTokenDataId: req.serviceTokenData?._id,
         workspaceId: new Types.ObjectId(workspaceId),
         actions: [addAction],
         channel,
@@ -460,13 +516,16 @@ export const createSecrets = async (req: Request, res: Response) => {
 
     // (EE) take a secret snapshot
     await EESecretService.takeSecretSnapshot({
-        workspaceId
+        workspaceId: new Types.ObjectId(workspaceId)
     });
 
+    const postHogClient = await TelemetryService.getPostHogClient();
     if (postHogClient) {
         postHogClient.capture({
             event: 'secrets added',
-            distinctId: req.user.email,
+            distinctId: await TelemetryService.getDistinctId({
+                authData: req.authData
+            }),
             properties: {
                 numberOfSecrets: listOfSecretsToCreate.length,
                 environment,
@@ -530,90 +589,139 @@ export const getSecrets = async (req: Request, res: Response) => {
     }   
     */
 
+    const { tagSlugs, secretsPath } = req.query;
+    const workspaceId = req.query.workspaceId as string;
+    const environment = req.query.environment as string;
+    const normalizedPath = normalizePath(secretsPath as string)
+    const folders = await getFoldersInDirectory(workspaceId as string, environment as string, normalizedPath)
 
-    const { workspaceId, environment, tagSlugs } = req.query;
+    // secrets to return 
+    let secrets: ISecret[] = [];
+
+    // query tags table to get all tags ids for the tag names for the given workspace
+    let tagIds = [];
     const tagNamesList = typeof tagSlugs === 'string' && tagSlugs !== '' ? tagSlugs.split(',') : [];
-    let userId = "" // used for getting personal secrets for user
-    let userEmail = "" // used for posthog 
-    if (req.user) {
-        userId = req.user._id;
-        userEmail = req.user.email;
-    }
-
-    if (req.serviceTokenData) {
-        userId = req.serviceTokenData.user._id
-        userEmail = req.serviceTokenData.user.email;
-    }
-
-    // none service token case as service tokens are already scoped to env and project
-    let hasWriteOnlyAccess
-    if (!req.serviceTokenData) {
-        hasWriteOnlyAccess = await userHasWriteOnlyAbility(userId, workspaceId, environment)
-        const hasNoAccess = await userHasNoAbility(userId, workspaceId, environment)
-        if (hasNoAccess) {
-            throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
-        }
-    }
-    let secrets: any
-    let secretQuery: any
-
     if (tagNamesList != undefined && tagNamesList.length != 0) {
-        const workspaceFromDB = await Tag.find({ workspace: workspaceId })
-
-        const tagIds = _.map(tagNamesList, (tagName) => {
+        const workspaceFromDB = await Tag.find({ workspace: workspaceId });
+        tagIds = _.map(tagNamesList, (tagName) => {
             const tag = _.find(workspaceFromDB, { slug: tagName });
             return tag ? tag.id : null;
         });
+    }
 
-        secretQuery = {
-            workspace: workspaceId,
-            environment,
-            $or: [
-                { user: userId },
-                { user: { $exists: false } }
-            ],
-            tags: { $in: tagIds },
-            type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
+    if (req.user) {
+        // case: client authorization is via JWT
+        const hasWriteOnlyAccess = await userHasWriteOnlyAbility(req.user._id, new Types.ObjectId(workspaceId), environment)
+        const hasNoAccess = await userHasNoAbility(req.user._id, new Types.ObjectId(workspaceId), environment)
+        if (hasNoAccess) {
+            throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
         }
-    } else {
-        secretQuery = {
+
+        const secretQuery: any = {
             workspace: workspaceId,
             environment,
             $or: [
-                { user: userId },
-                { user: { $exists: false } }
-            ],
-            type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
+                { user: req.user._id }, // personal secrets for this user
+                { user: { $exists: false } } // shared secrets from workspace
+            ]
+        }
+
+        if (normalizedPath == ROOT_FOLDER_PATH) {
+            secretQuery.path = { $in: [ROOT_FOLDER_PATH, null, undefined] }
+        } else if (normalizedPath) {
+            secretQuery.path = normalizedPath
+        }
+
+        if (tagIds.length > 0) {
+            secretQuery.tags = { $in: tagIds };
+        }
+
+        if (hasWriteOnlyAccess) {
+            // only return the secret keys and not the values since user does not have right to see values
+            secrets = await Secret.find(secretQuery).select("secretKeyCiphertext secretKeyIV secretKeyTag").populate("tags")
+        } else {
+            secrets = await Secret.find(secretQuery).populate("tags")
         }
     }
 
-    if (hasWriteOnlyAccess) {
-        secrets = await Secret.find(secretQuery).select("secretKeyCiphertext secretKeyIV secretKeyTag")
-    } else {
-        secrets = await Secret.find(secretQuery).populate("tags")
+    // case: client authorization is via service token
+    if (req.serviceTokenData) {
+        const userId = req.serviceTokenData.user;
+
+        const secretQuery: any = {
+            workspace: workspaceId,
+            environment,
+            $or: [
+                { user: userId }, // personal secrets for this user
+                { user: { $exists: false } } // shared secrets from workspace
+            ]
+        }
+
+        // TODO: check if user can query for given path
+        if (normalizedPath == ROOT_FOLDER_PATH) {
+            secretQuery.path = { $in: [ROOT_FOLDER_PATH, null, undefined] }
+        } else if (normalizedPath) {
+            secretQuery.path = normalizedPath
+        }
+
+        if (tagIds.length > 0) {
+            secretQuery.tags = { $in: tagIds };
+        }
+
+        // TODO check if service token has write only permission 
+
+        secrets = await Secret.find(secretQuery).populate("tags");
+    }
+
+    // case: client authorization is via service account
+    if (req.serviceAccount) {
+        const secretQuery: any = {
+            workspace: workspaceId,
+            environment,
+            user: { $exists: false } // shared secrets only from workspace
+        }
+
+        if (normalizedPath == ROOT_FOLDER_PATH) {
+            secretQuery.path = { $in: [ROOT_FOLDER_PATH, null, undefined] }
+        } else if (normalizedPath) {
+            secretQuery.path = normalizedPath
+        }
+
+        if (tagIds.length > 0) {
+            secretQuery.tags = { $in: tagIds };
+        }
+
+        secrets = await Secret.find(secretQuery).populate("tags");
     }
 
     const channel = getChannelFromUserAgent(req.headers['user-agent'])
 
     const readAction = await EELogService.createAction({
         name: ACTION_READ_SECRETS,
-        userId: new Types.ObjectId(userId),
+        userId: req.user?._id,
+        serviceAccountId: req.serviceAccount?._id,
+        serviceTokenDataId: req.serviceTokenData?._id,
         workspaceId: new Types.ObjectId(workspaceId as string),
         secretIds: secrets.map((n: any) => n._id)
     });
 
     readAction && await EELogService.createLog({
-        userId: new Types.ObjectId(userId),
+        userId: req.user?._id,
+        serviceAccountId: req.serviceAccount?._id,
+        serviceTokenDataId: req.serviceTokenData?._id,
         workspaceId: new Types.ObjectId(workspaceId as string),
         actions: [readAction],
         channel,
         ipAddress: req.ip
     });
 
+    const postHogClient = await TelemetryService.getPostHogClient();
     if (postHogClient) {
         postHogClient.capture({
             event: 'secrets pulled',
-            distinctId: userEmail,
+            distinctId: await TelemetryService.getDistinctId({
+                authData: req.authData
+            }),
             properties: {
                 numberOfSecrets: secrets.length,
                 environment,
@@ -625,60 +733,8 @@ export const getSecrets = async (req: Request, res: Response) => {
     }
 
     return res.status(200).send({
-        secrets
-    });
-}
-
-
-export const getOnlySecretKeys = async (req: Request, res: Response) => {
-    const { workspaceId, environment } = req.query;
-
-    let userId = "" // used for getting personal secrets for user
-    let userEmail = "" // used for posthog 
-    if (req.user) {
-        userId = req.user._id;
-        userEmail = req.user.email;
-    }
-
-    if (req.serviceTokenData) {
-        userId = req.serviceTokenData.user._id
-        userEmail = req.serviceTokenData.user.email;
-    }
-
-    // none service token case as service tokens are already scoped
-    if (!req.serviceTokenData) {
-        const hasAccess = await userHasWorkspaceAccess(userId, workspaceId, environment, ABILITY_READ)
-        if (!hasAccess) {
-            throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
-        }
-    }
-
-    const [err, secretKeys] = await to(Secret.find(
-        {
-            workspace: workspaceId,
-            environment,
-            $or: [
-                { user: userId },
-                { user: { $exists: false } }
-            ],
-            type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
-        }
-    )
-        .select("secretKeyIV secretKeyTag secretKeyCiphertext")
-        .then())
-
-    if (err) throw ValidationError({ message: 'Failed to get secrets', stack: err.stack });
-
-    // readAction && await EELogService.createLog({
-    //     userId: new Types.ObjectId(userId),
-    //     workspaceId: new Types.ObjectId(workspaceId as string),
-    //     actions: [readAction],
-    //     channel,
-    //     ipAddress: req.ip
-    // });
-
-    return res.status(200).send({
-        secretKeys
+        secrets,
+        folders
     });
 }
 
@@ -734,7 +790,6 @@ export const updateSecrets = async (req: Request, res: Response) => {
     */
     const channel = req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli';
 
-    // TODO: move type
     interface PatchSecret {
         id: string;
         secretKeyCiphertext: string;
@@ -853,21 +908,25 @@ export const updateSecrets = async (req: Request, res: Response) => {
         setTimeout(async () => {
             await EventService.handleEvent({
                 event: eventPushSecrets({
-                    workspaceId: key
+                    workspaceId: new Types.ObjectId(key)
                 })
             });
         }, 10000);
 
         const updateAction = await EELogService.createAction({
             name: ACTION_UPDATE_SECRETS,
-            userId: req.user._id,
+            userId: req.user?._id,
+            serviceAccountId: req.serviceAccount?._id,
+            serviceTokenDataId: req.serviceTokenData?._id,
             workspaceId: new Types.ObjectId(key),
             secretIds: workspaceSecretObj[key].map((secret: ISecret) => secret._id)
         });
 
         // (EE) create (audit) log
         updateAction && await EELogService.createLog({
-            userId: req.user._id.toString(),
+            userId: req.user?._id,
+            serviceAccountId: req.serviceAccount?._id,
+            serviceTokenDataId: req.serviceTokenData?._id,
             workspaceId: new Types.ObjectId(key),
             actions: [updateAction],
             channel,
@@ -876,13 +935,16 @@ export const updateSecrets = async (req: Request, res: Response) => {
 
         // (EE) take a secret snapshot
         await EESecretService.takeSecretSnapshot({
-            workspaceId: key
+            workspaceId: new Types.ObjectId(key)
         })
 
+        const postHogClient = await TelemetryService.getPostHogClient();
         if (postHogClient) {
             postHogClient.capture({
                 event: 'secrets modified',
-                distinctId: req.user.email,
+                distinctId: await TelemetryService.getDistinctId({
+                    authData: req.authData
+                }),
                 properties: {
                     numberOfSecrets: workspaceSecretObj[key].length,
                     environment: workspaceSecretObj[key][0].environment,
@@ -904,7 +966,7 @@ export const updateSecrets = async (req: Request, res: Response) => {
 }
 
 /**
- * Delete secret(s) with id [workspaceId] and environment [environment]
+ * Delete secret(s)
  * @param req 
  * @param res 
  */
@@ -953,6 +1015,7 @@ export const deleteSecrets = async (req: Request, res: Response) => {
         }
     }   
     */
+
     const channel = getChannelFromUserAgent(req.headers['user-agent'])
     const toDelete = req.secrets.map((s: any) => s._id);
 
@@ -981,19 +1044,23 @@ export const deleteSecrets = async (req: Request, res: Response) => {
         // trigger event - push secrets
         await EventService.handleEvent({
             event: eventPushSecrets({
-                workspaceId: key
+                workspaceId: new Types.ObjectId(key)
             })
         });
         const deleteAction = await EELogService.createAction({
             name: ACTION_DELETE_SECRETS,
-            userId: req.user._id,
+            userId: req.user?._id,
+            serviceAccountId: req.serviceAccount?._id,
+            serviceTokenDataId: req.serviceTokenData?._id,
             workspaceId: new Types.ObjectId(key),
             secretIds: workspaceSecretObj[key].map((secret: ISecret) => secret._id)
         });
 
         // (EE) create (audit) log
         deleteAction && await EELogService.createLog({
-            userId: req.user._id.toString(),
+            userId: req.user?._id,
+            serviceAccountId: req.serviceAccount?._id,
+            serviceTokenDataId: req.serviceTokenData?._id,
             workspaceId: new Types.ObjectId(key),
             actions: [deleteAction],
             channel,
@@ -1002,13 +1069,16 @@ export const deleteSecrets = async (req: Request, res: Response) => {
 
         // (EE) take a secret snapshot
         await EESecretService.takeSecretSnapshot({
-            workspaceId: key
-        })
+            workspaceId: new Types.ObjectId(key)
+        });
 
+        const postHogClient = await TelemetryService.getPostHogClient();
         if (postHogClient) {
             postHogClient.capture({
                 event: 'secrets deleted',
-                distinctId: req.user.email,
+                distinctId: await TelemetryService.getDistinctId({
+                    authData: req.authData
+                }),
                 properties: {
                     numberOfSecrets: workspaceSecretObj[key].length,
                     environment: workspaceSecretObj[key][0].environment,

backend/src/controllers/v2/serviceAccountsController.ts

@@ -0,0 +1,306 @@
+import { Request, Response } from 'express';
+import { Types } from 'mongoose';
+import crypto from 'crypto';
+import bcrypt from 'bcrypt';
+import { 
+    ServiceAccount,
+    ServiceAccountKey,
+    ServiceAccountOrganizationPermission,
+    ServiceAccountWorkspacePermission
+} from '../../models';
+import {
+    CreateServiceAccountDto
+} from '../../interfaces/serviceAccounts/dto';
+import { BadRequestError, ServiceAccountNotFoundError } from '../../utils/errors';
+import { getSaltRounds } from '../../config';
+
+/**
+ * Return service account tied to the request (service account) client
+ * @param req
+ * @param res
+ */
+export const getCurrentServiceAccount = async (req: Request, res: Response) => {
+    const serviceAccount = await ServiceAccount.findById(req.serviceAccount._id);
+    
+    if (!serviceAccount) {
+        throw ServiceAccountNotFoundError({ message: 'Failed to find service account' });
+    }
+    
+    return res.status(200).send({
+        serviceAccount
+    });
+}
+
+/**
+ * Return service account with id [serviceAccountId]
+ * @param req 
+ * @param res 
+ */
+export const getServiceAccountById = async (req: Request, res: Response) => {
+    const { serviceAccountId } = req.params;
+    
+    const serviceAccount = await ServiceAccount.findById(serviceAccountId);
+    
+    if (!serviceAccount) {
+        throw ServiceAccountNotFoundError({ message: 'Failed to find service account' });
+    }
+    
+    return res.status(200).send({
+        serviceAccount
+    });
+}
+
+/**
+ * Create a new service account under organization with id [organizationId]
+ * that has access to workspaces [workspaces]
+ * @param req 
+ * @param res 
+ * @returns
+ */
+export const createServiceAccount = async (req: Request, res: Response) => {
+    const {
+        name,
+        organizationId,
+        publicKey,
+        expiresIn,
+    }: CreateServiceAccountDto = req.body;
+
+    let expiresAt;
+    if (expiresIn) {
+        expiresAt = new Date();
+        expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
+    }
+
+    const secret = crypto.randomBytes(16).toString('base64');
+    const secretHash = await bcrypt.hash(secret, await getSaltRounds());
+    
+    // create service account
+    const serviceAccount = await new ServiceAccount({
+        name,
+        organization: new Types.ObjectId(organizationId),
+        user: req.user,
+        publicKey,
+        lastUsed: new Date(),
+        expiresAt,
+        secretHash
+    }).save();
+    
+    const serviceAccountObj = serviceAccount.toObject();
+    
+    delete serviceAccountObj.secretHash;
+
+    // provision default org-level permission for service account
+    await new ServiceAccountOrganizationPermission({
+        serviceAccount: serviceAccount._id
+    }).save();
+    
+    const secretId = Buffer.from(serviceAccount._id.toString(), 'hex').toString('base64');
+
+    return res.status(200).send({
+        serviceAccountAccessKey: `sa.${secretId}.${secret}`,
+        serviceAccount: serviceAccountObj
+    });
+}
+
+/**
+ * Change name of service account with id [serviceAccountId] to [name]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const changeServiceAccountName = async (req: Request, res: Response) => {
+    const { serviceAccountId } = req.params;
+    const { name } = req.body;
+    
+    const serviceAccount = await ServiceAccount.findOneAndUpdate(
+        {
+            _id: new Types.ObjectId(serviceAccountId)
+        },
+        {
+            name
+        },
+        {
+            new: true
+        }
+    );
+    
+    return res.status(200).send({
+        serviceAccount
+    });
+}
+
+/**
+ * Add a service account key to service account with id [serviceAccountId]
+ * for workspace with id [workspaceId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const addServiceAccountKey = async (req: Request, res: Response) => {
+    const {
+        workspaceId,
+        encryptedKey,
+        nonce
+    } = req.body;
+    
+    const serviceAccountKey = await new ServiceAccountKey({
+        encryptedKey,
+        nonce,
+        sender: req.user._id,
+        serviceAccount: req.serviceAccount._d,
+        workspace: new Types.ObjectId(workspaceId)
+    }).save();
+
+    return serviceAccountKey;
+}
+
+/**
+ * Return workspace-level permission for service account with id [serviceAccountId]
+ * @param req 
+ * @param res 
+ */
+export const getServiceAccountWorkspacePermissions = async (req: Request, res: Response) => {
+    const serviceAccountWorkspacePermissions = await ServiceAccountWorkspacePermission.find({
+        serviceAccount: req.serviceAccount._id
+    }).populate('workspace');
+    
+    return res.status(200).send({
+        serviceAccountWorkspacePermissions
+    });
+}
+
+/**
+ * Add a workspace permission to service account with id [serviceAccountId]
+ * @param req 
+ * @param res 
+ */
+export const addServiceAccountWorkspacePermission = async (req: Request, res: Response) => {
+    const { serviceAccountId } = req.params;
+    const {
+        environment,
+        workspaceId,
+        read = false,
+        write = false,
+        encryptedKey,
+        nonce
+    } = req.body;
+    
+    if (!req.membership.workspace.environments.some((e: { name: string; slug: string }) => e.slug === environment)) {
+        return res.status(400).send({
+            message: 'Failed to validate workspace environment'
+        });
+    }
+    
+    const existingPermission = await ServiceAccountWorkspacePermission.findOne({
+        serviceAccount: new Types.ObjectId(serviceAccountId),
+        workspace: new Types.ObjectId(workspaceId),
+        environment
+    });
+    
+    if (existingPermission) throw BadRequestError({ message: 'Failed to add workspace permission to service account due to already-existing ' });
+
+    const serviceAccountWorkspacePermission = await new ServiceAccountWorkspacePermission({
+        serviceAccount: new Types.ObjectId(serviceAccountId),
+        workspace: new Types.ObjectId(workspaceId),
+        environment,
+        read,
+        write
+    }).save();
+    
+    const existingServiceAccountKey = await ServiceAccountKey.findOne({
+        serviceAccount: new Types.ObjectId(serviceAccountId),
+        workspace: new Types.ObjectId(workspaceId) 
+    });
+    
+    if (!existingServiceAccountKey) {
+        await new ServiceAccountKey({
+            encryptedKey,
+            nonce,
+            sender: req.user._id,
+            serviceAccount: new Types.ObjectId(serviceAccountId),
+            workspace: new Types.ObjectId(workspaceId)
+        }).save();
+    }
+
+    return res.status(200).send({
+        serviceAccountWorkspacePermission
+    });
+}
+
+/**
+ * Delete workspace permission from service account with id [serviceAccountId]
+ * @param req 
+ * @param res 
+ */
+export const deleteServiceAccountWorkspacePermission = async (req: Request, res: Response) => {
+    const { serviceAccountWorkspacePermissionId } = req.params;
+    const serviceAccountWorkspacePermission = await ServiceAccountWorkspacePermission.findByIdAndDelete(serviceAccountWorkspacePermissionId);
+
+    if (serviceAccountWorkspacePermission) {
+        const { serviceAccount, workspace } = serviceAccountWorkspacePermission;
+        const count = await ServiceAccountWorkspacePermission.countDocuments({
+            serviceAccount,
+            workspace
+        });
+        
+        if (count === 0) {
+            await ServiceAccountKey.findOneAndDelete({
+                serviceAccount,
+                workspace
+            });
+        }
+    }
+
+    return res.status(200).send({
+        serviceAccountWorkspacePermission
+    });
+}
+
+/**
+ * Delete service account with id [serviceAccountId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const deleteServiceAccount = async (req: Request, res: Response) => {
+    const { serviceAccountId } = req.params;
+
+    const serviceAccount = await ServiceAccount.findByIdAndDelete(serviceAccountId);
+
+    if (serviceAccount) {
+        await ServiceAccountKey.deleteMany({
+            serviceAccount: serviceAccount._id
+        });
+
+        await ServiceAccountOrganizationPermission.deleteMany({
+            serviceAccount: new Types.ObjectId(serviceAccountId)
+        });
+
+        await ServiceAccountWorkspacePermission.deleteMany({
+            serviceAccount: new Types.ObjectId(serviceAccountId)
+        });
+    }
+
+    return res.status(200).send({
+        serviceAccount
+    });
+}
+
+/**
+ * Return service account keys for service account with id [serviceAccountId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getServiceAccountKeys = async (req: Request, res: Response) => {
+    const workspaceId = req.query.workspaceId as string;
+    
+    const serviceAccountKeys = await ServiceAccountKey.find({
+        serviceAccount: req.serviceAccount._id,
+        ...(workspaceId ? { workspace: new Types.ObjectId(workspaceId) } : {})
+    });
+    
+    return res.status(200).send({
+        serviceAccountKeys
+    });
+}

backend/src/controllers/v2/serviceTokenDataController.ts

@@ -1,15 +1,21 @@
-import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
+import { Request, Response } from 'express';
 import crypto from 'crypto';
 import bcrypt from 'bcrypt';
 import {
+    User,
+    ServiceAccount,
     ServiceTokenData
 } from '../../models';
-import {
-    SALT_ROUNDS
-} from '../../config';
 import { userHasWorkspaceAccess } from '../../ee/helpers/checkMembershipPermissions';
-import { ABILITY_READ } from '../../variables/organization';
+import { 
+    PERMISSION_READ_SECRETS,
+    AUTH_MODE_JWT,
+    AUTH_MODE_SERVICE_ACCOUNT,
+    AUTH_MODE_SERVICE_TOKEN
+} from '../../variables';
+import { getSaltRounds } from '../../config';
+import { BadRequestError } from '../../utils/errors';
 
 /**
  * Return service token data associated with service token on request
@@ -17,7 +23,44 @@ import { ABILITY_READ } from '../../variables/organization';
  * @param res 
  * @returns 
  */
-export const getServiceTokenData = async (req: Request, res: Response) => res.status(200).json(req.serviceTokenData);
+export const getServiceTokenData = async (req: Request, res: Response) => {
+    /* 
+    #swagger.summary = 'Return Infisical Token data'
+    #swagger.description = 'Return Infisical Token data'
+    
+    #swagger.security = [{
+        "bearerAuth": []
+    }]
+
+    #swagger.responses[200] = {
+        content: {
+            "application/json": {
+                "schema": { 
+                    "type": "object",
+					"properties": {
+                        "serviceTokenData": {
+                            "type": "object",
+                            $ref: "#/components/schemas/ServiceTokenData",
+                            "description": "Details of service token"
+                        }
+					}
+                }
+            }           
+        }
+    }   
+    */
+
+    if (!(req.authData.authPayload instanceof ServiceTokenData)) throw BadRequestError({
+        message: 'Failed accepted client validation for service token data'
+    });
+
+    const serviceTokenData = await ServiceTokenData
+        .findById(req.authData.authPayload._id)
+        .select('+encryptedKey +iv +tag')
+        .populate('user');
+
+    return res.status(200).json(serviceTokenData);
+}
 
 /**
  * Create new service token data for workspace with id [workspaceId] and
@@ -27,56 +70,60 @@ export const getServiceTokenData = async (req: Request, res: Response) => res.st
  * @returns 
  */
 export const createServiceTokenData = async (req: Request, res: Response) => {
-    let serviceToken, serviceTokenData;
-    try {
-        const {
-            name,
-            workspaceId,
-            environment,
-            encryptedKey,
-            iv,
-            tag,
-            expiresIn
-        } = req.body;
+    let serviceTokenData;
 
-        const hasAccess = await userHasWorkspaceAccess(req.user, workspaceId, environment, ABILITY_READ)
-        if (!hasAccess) {
-            throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
-        }
+    const {
+        name,
+        workspaceId,
+        environment,
+        encryptedKey,
+        iv,
+        tag,
+        expiresIn,
+        permissions
+    } = req.body;
 
-        const secret = crypto.randomBytes(16).toString('hex');
-        const secretHash = await bcrypt.hash(secret, SALT_ROUNDS);
+    const secret = crypto.randomBytes(16).toString('hex');
+    const secretHash = await bcrypt.hash(secret, await getSaltRounds());
 
-        const expiresAt = new Date();
+    let expiresAt; 
+    if (expiresIn) {
+        expiresAt = new Date()
         expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
-
-        serviceTokenData = await new ServiceTokenData({
-            name,
-            workspace: workspaceId,
-            environment,
-            user: req.user._id,
-            expiresAt,
-            secretHash,
-            encryptedKey,
-            iv,
-            tag
-        }).save();
-
-        // return service token data without sensitive data
-        serviceTokenData = await ServiceTokenData.findById(serviceTokenData._id);
-
-        if (!serviceTokenData) throw new Error('Failed to find service token data');
-
-        serviceToken = `st.${serviceTokenData._id.toString()}.${secret}`;
-
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-        Sentry.captureException(err);
-        return res.status(400).send({
-            message: 'Failed to create service token data'
-        });
     }
 
+    let user, serviceAccount;
+    
+    if (req.authData.authMode === AUTH_MODE_JWT && req.authData.authPayload instanceof User) {
+        user = req.authData.authPayload._id;
+    }
+
+    if (req.authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && req.authData.authPayload instanceof ServiceAccount) {
+        serviceAccount = req.authData.authPayload._id;
+    }
+        
+    serviceTokenData = await new ServiceTokenData({
+        name,
+        workspace: workspaceId,
+        environment,
+        user,
+        serviceAccount,
+        lastUsed: new Date(),
+        expiresAt,
+        secretHash,
+        encryptedKey,
+        iv,
+        tag,
+        permissions
+    }).save();
+
+    // return service token data without sensitive data
+    serviceTokenData = await ServiceTokenData.findById(serviceTokenData._id);
+
+    if (!serviceTokenData) throw new Error('Failed to find service token data');
+
+    const serviceToken = `st.${serviceTokenData._id.toString()}.${secret}`;
+
     return res.status(200).send({
         serviceToken,
         serviceTokenData
@@ -90,25 +137,11 @@ export const createServiceTokenData = async (req: Request, res: Response) => {
  * @returns 
  */
 export const deleteServiceTokenData = async (req: Request, res: Response) => {
-    let serviceTokenData;
-    try {
-        const { serviceTokenDataId } = req.params;
+    const { serviceTokenDataId } = req.params;
 
-        serviceTokenData = await ServiceTokenData.findByIdAndDelete(serviceTokenDataId);
-
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-        Sentry.captureException(err);
-        return res.status(400).send({
-            message: 'Failed to delete service token data'
-        });
-    }
+    const serviceTokenData = await ServiceTokenData.findByIdAndDelete(serviceTokenDataId);
 
     return res.status(200).send({
         serviceTokenData
     });
-}
-
-function UnauthorizedRequestError(arg0: { message: string; }) {
-    throw new Error('Function not implemented.');
-}
+}

backend/src/controllers/v2/signupController.ts

@@ -7,8 +7,8 @@ import {
 } from '../../helpers/signup';
 import { issueAuthTokens } from '../../helpers/auth';
 import { INVITED, ACCEPTED } from '../../variables';
-import { NODE_ENV } from '../../config';
-import axios from 'axios';
+import request from '../../config/request';
+import { getLoopsApiKey, getHttpsEnabled } from '../../config';
 
 /**
  * Complete setting up user by adding their personal and auth information as part of the
@@ -24,9 +24,9 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 			email,
 			firstName,
 			lastName,
-            protectedKey,
-            protectedKeyIV,
-            protectedKeyTag,
+			protectedKey,
+			protectedKeyIV,
+			protectedKeyTag,
 			publicKey,
 			encryptedPrivateKey,
 			encryptedPrivateKeyIV,
@@ -38,9 +38,9 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 			email: string;
 			firstName: string;
 			lastName: string;
-            protectedKey: string;
-            protectedKeyIV: string;
-            protectedKeyTag: string;
+			protectedKey: string;
+			protectedKeyIV: string;
+			protectedKeyTag: string;
 			publicKey: string;
 			encryptedPrivateKey: string;
 			encryptedPrivateKeyIV: string;
@@ -48,11 +48,11 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 			salt: string;
 			verifier: string;
 			organizationName: string;
-        } = req.body;
+		} = req.body;
 
 		// get user
 		user = await User.findOne({ email });
-		
+
 		if (!user || (user && user?.publicKey)) {
 			// case 1: user doesn't exist.
 			// case 2: user has already completed account
@@ -66,10 +66,10 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 			userId: user._id.toString(),
 			firstName,
 			lastName,
-            encryptionVersion: 2,
-            protectedKey,
-            protectedKeyIV,
-            protectedKeyTag,
+			encryptionVersion: 2,
+			protectedKey,
+			protectedKeyIV,
+			protectedKeyTag,
 			publicKey,
 			encryptedPrivateKey,
 			encryptedPrivateKeyIV,
@@ -108,8 +108,8 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 		token = tokens.token;
 
 		// sending a welcome email to new users
-		if (process.env.LOOPS_API_KEY) {
-			await axios.post("https://app.loops.so/api/v1/events/send", {
+		if (await getLoopsApiKey()) {
+			await request.post("https://app.loops.so/api/v1/events/send", {
 				"email": email,
 				"eventName": "Sign Up",
 				"firstName": firstName,
@@ -117,7 +117,7 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 			}, {
 				headers: {
 					"Accept": "application/json",
-					"Authorization": "Bearer " + process.env.LOOPS_API_KEY
+					"Authorization": "Bearer " + (await getLoopsApiKey())
 				},
 			});
 		}
@@ -127,7 +127,7 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 			httpOnly: true,
 			path: '/',
 			sameSite: 'strict',
-			secure: NODE_ENV === 'production' ? true : false
+			secure: await getHttpsEnabled()
 		});
 	} catch (err) {
 		Sentry.setUser(null);
@@ -158,9 +158,9 @@ export const completeAccountInvite = async (req: Request, res: Response) => {
 			email,
 			firstName,
 			lastName,
-            protectedKey,
-            protectedKeyIV,
-            protectedKeyTag,
+			protectedKey,
+			protectedKeyIV,
+			protectedKeyTag,
 			publicKey,
 			encryptedPrivateKey,
 			encryptedPrivateKeyIV,
@@ -192,10 +192,10 @@ export const completeAccountInvite = async (req: Request, res: Response) => {
 			userId: user._id.toString(),
 			firstName,
 			lastName,
-            encryptionVersion: 2,
-            protectedKey,
-            protectedKeyIV,
-            protectedKeyTag,
+			encryptionVersion: 2,
+			protectedKey,
+			protectedKeyIV,
+			protectedKeyTag,
 			publicKey,
 			encryptedPrivateKey,
 			encryptedPrivateKeyIV,
@@ -232,7 +232,7 @@ export const completeAccountInvite = async (req: Request, res: Response) => {
 			httpOnly: true,
 			path: '/',
 			sameSite: 'strict',
-			secure: NODE_ENV === 'production' ? true : false
+			secure: await getHttpsEnabled()
 		});
 	} catch (err) {
 		Sentry.setUser(null);
@@ -241,7 +241,7 @@ export const completeAccountInvite = async (req: Request, res: Response) => {
 			message: 'Failed to complete account setup'
 		});
 	}
-	
+
 	return res.status(200).send({
 		message: 'Successfully set up account',
 		user,

backend/src/controllers/v2/usersController.ts

@@ -41,7 +41,7 @@ export const getMe = async (req: Request, res: Response) => {
     try {
         user = await User
             .findById(req.user._id)
-            .select('+publicKey +encryptedPrivateKey +iv +tag');
+            .select('+salt +publicKey +encryptedPrivateKey +iv +tag +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag');
     } catch (err) {
         Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);

backend/src/controllers/v2/workspaceController.ts

@@ -19,7 +19,7 @@ import {
 	reformatPullSecrets
 } from '../../helpers/secret';
 import { pushKeys } from '../../helpers/key';
-import { postHogClient, EventService } from '../../services';
+import { TelemetryService, EventService } from '../../services';
 import { eventPushSecrets } from '../../events';
 
 interface V2PushSecret {
@@ -48,6 +48,7 @@ interface V2PushSecret {
 export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
 	// upload (encrypted) secrets to workspace with id [workspaceId]
 	try {
+		const postHogClient = await TelemetryService.getPostHogClient();
 		let { secrets }: { secrets: V2PushSecret[] } = req.body;
 		const { keys, environment, channel } = req.body;
 		const { workspaceId } = req.params;
@@ -94,7 +95,8 @@ export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
 		// trigger event - push secrets
 		EventService.handleEvent({
 			event: eventPushSecrets({
-				workspaceId
+				workspaceId: new Types.ObjectId(workspaceId),
+				environment
 			})
 		});
 
@@ -121,6 +123,7 @@ export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
 export const pullSecrets = async (req: Request, res: Response) => {
 	let secrets;
 	try {
+		const postHogClient = await TelemetryService.getPostHogClient();
 		const environment: string = req.query.environment as string;
 		const channel: string = req.query.channel as string;
 		const { workspaceId } = req.params;
@@ -129,7 +132,7 @@ export const pullSecrets = async (req: Request, res: Response) => {
 		if (req.user) {
 			userId = req.user._id.toString();
 		} else if (req.serviceTokenData) {
-			userId = req.serviceTokenData.user._id
+			userId = req.serviceTokenData.user.toString();
 		}
 		// validate environment
 		const workspaceEnvs = req.membership.workspace.environments;
@@ -504,5 +507,4 @@ export const toggleAutoCapitalization = async (req: Request, res: Response) => {
 		message: 'Successfully changed autoCapitalization setting',
 		workspace
 	});
-};
-
+};

backend/src/controllers/v3/index.ts

@@ -0,0 +1,7 @@
+import * as secretsController from './secretsController';
+import * as workspacesController from './workspacesController';
+
+export {
+    secretsController,
+    workspacesController
+}

backend/src/controllers/v3/secretsController.ts

@@ -0,0 +1,183 @@
+import { Request, Response } from 'express';
+import { Types } from 'mongoose';
+import { 
+    SecretService, 
+    TelemetryService,
+    EventService
+} from '../../services';
+import { eventPushSecrets } from '../../events';
+import { getAuthDataPayloadIdObj } from '../../utils/auth';
+import { BadRequestError } from '../../utils/errors';
+
+/**
+ * Get secrets for workspace with id [workspaceId] and environment
+ * [environment]
+ * @param req 
+ * @param res 
+ */
+export const getSecrets = async (req: Request, res: Response) => {
+    const workspaceId = req.query.workspaceId as string;
+    const environment = req.query.environment as string;
+
+    const secrets = await SecretService.getSecrets({
+        workspaceId: new Types.ObjectId(workspaceId),
+        environment,
+        authData: req.authData
+    });
+
+    return res.status(200).send({
+        secrets
+    });
+}
+
+/**
+ * Get secret with name [secretName]
+ * @param req 
+ * @param res 
+ */
+export const getSecretByName = async (req: Request, res: Response) => {
+    const { secretName } = req.params;
+    const workspaceId = req.query.workspaceId as string;
+    const environment = req.query.environment as string;
+    const type = req.query.type as 'shared' | 'personal' | undefined;
+
+    const secret = await SecretService.getSecret({
+        secretName,
+        workspaceId: new Types.ObjectId(workspaceId),
+        environment,
+        type,
+        authData: req.authData
+    });
+    
+    return res.status(200).send({
+        secret
+    });
+}
+
+/**
+ * Create secret with name [secretName]
+ * @param req 
+ * @param res 
+ */
+export const createSecret = async (req: Request, res: Response) => {
+    const { secretName } = req.params;
+    const { 
+        workspaceId,
+        environment,
+        type,
+        secretKeyCiphertext,
+        secretKeyIV,
+        secretKeyTag,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag,
+        secretCommentCiphertext,
+        secretCommentIV,
+        secretCommentTag
+    } = req.body;
+    
+    const secret = await SecretService.createSecret({
+        secretName,
+        workspaceId: new Types.ObjectId(workspaceId),
+        environment,
+        type,
+        authData: req.authData,
+        secretKeyCiphertext,
+        secretKeyIV,
+        secretKeyTag,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag,
+        ...((secretCommentCiphertext && secretCommentIV && secretCommentTag) ? {
+            secretCommentCiphertext,
+            secretCommentIV,
+            secretCommentTag
+        } : {})
+    });
+
+    await EventService.handleEvent({
+        event: eventPushSecrets({
+            workspaceId: new Types.ObjectId(workspaceId),
+            environment
+        })
+    });
+
+    const secretWithoutBlindIndex = secret.toObject();
+    delete secretWithoutBlindIndex.secretBlindIndex;
+    
+    return res.status(200).send({
+        secret: secretWithoutBlindIndex
+    });
+}
+
+/**
+ * Update secret with name [secretName]
+ * @param req
+ * @param res 
+ */
+export const updateSecretByName = async (req: Request, res: Response) => {
+    const { secretName } = req.params;
+    const {
+        workspaceId,
+        environment,
+        type,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag
+    } = req.body;
+
+    const secret = await SecretService.updateSecret({
+        secretName,
+        workspaceId,
+        environment,
+        type,
+        authData: req.authData,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag
+    });
+    
+    await EventService.handleEvent({
+        event: eventPushSecrets({
+            workspaceId: new Types.ObjectId(workspaceId),
+            environment
+        })
+    });
+
+    return res.status(200).send({
+        secret
+    });
+}
+
+/**
+ * Delete secret with name [secretName]
+ * @param req 
+ * @param res 
+ */
+export const deleteSecretByName = async (req: Request, res: Response) => {
+    const { secretName } = req.params;
+    const {
+        workspaceId,
+        environment,
+        type
+    } = req.body;
+    
+    const { secret, secrets } = await SecretService.deleteSecret({
+        secretName,
+        workspaceId,
+        environment,
+        type,
+        authData: req.authData
+    });
+
+    await EventService.handleEvent({
+        event: eventPushSecrets({
+            workspaceId: new Types.ObjectId(workspaceId),
+            environment
+        })
+    });
+
+    return res.status(200).send({
+        secret
+    });
+}

backend/src/controllers/v3/workspacesController.ts

@@ -0,0 +1,90 @@
+import { Request, Response } from 'express';
+import { Types } from 'mongoose';
+import { Secret } from '../../models';
+import { SecretService } from'../../services';
+
+/**
+ * Return whether or not all secrets in workspace with id [workspaceId]
+ * are blind-indexed
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getWorkspaceBlindIndexStatus = async (req: Request, res: Response) => {
+    const { workspaceId } = req.params;
+
+    const secretsWithoutBlindIndex = await Secret.countDocuments({
+        workspace: new Types.ObjectId(workspaceId),
+        secretBlindIndex: {
+            $exists: false
+        }
+    });
+
+    return res.status(200).send(secretsWithoutBlindIndex === 0);
+}
+
+/**
+ * Get all secrets for workspace with id [workspaceId]
+ */
+export const getWorkspaceSecrets = async (req: Request, res: Response) => {
+    const { workspaceId } = req.params;
+
+    const secrets = await Secret.find({
+        workspace: new Types.ObjectId (workspaceId)
+    });
+    
+    return res.status(200).send({
+        secrets
+    });
+}
+
+/**
+ * Update blind indices for secrets in workspace with id [workspaceId]
+ * @param req 
+ * @param res 
+ */
+export const nameWorkspaceSecrets = async (req: Request, res: Response) => {
+    interface SecretToUpdate {
+        secretName: string;
+        _id: string;
+    }
+
+    const { workspaceId } = req.params;
+    const { 
+        secretsToUpdate 
+    }: {
+        secretsToUpdate: SecretToUpdate[];
+    } = req.body;
+
+    // get secret blind index salt
+    const salt = await SecretService.getSecretBlindIndexSalt({
+        workspaceId: new Types.ObjectId(workspaceId)
+    });
+
+    // update secret blind indices
+    const operations = await Promise.all(
+        secretsToUpdate.map(async (secretToUpdate: SecretToUpdate) => {
+            const secretBlindIndex = await SecretService.generateSecretBlindIndexWithSalt({
+                secretName: secretToUpdate.secretName,
+                salt
+            });
+    
+            return ({
+                updateOne: {
+                    filter: {
+                        _id: new Types.ObjectId(secretToUpdate._id)
+                    },
+                    update: {
+                        secretBlindIndex
+                    }
+                }
+            });
+        })
+    );
+
+    await Secret.bulkWrite(operations);
+
+    return res.status(200).send({
+        message: 'Successfully named workspace secrets'
+    });
+}

backend/src/ee/controllers/v1/membershipController.ts

@@ -2,7 +2,8 @@ import { Request, Response } from "express";
 import { Membership, Workspace } from "../../../models";
 import { IMembershipPermission } from "../../../models/membership";
 import { BadRequestError, UnauthorizedRequestError } from "../../../utils/errors";
-import { ABILITY_READ, ABILITY_WRITE, ADMIN, MEMBER } from "../../../variables/organization";
+import { ADMIN, MEMBER } from "../../../variables/organization";
+import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from '../../../variables';
 import { Builder } from "builder-pattern"
 import _ from "lodash";
 
@@ -10,7 +11,7 @@ export const denyMembershipPermissions = async (req: Request, res: Response) =>
   const { membershipId } = req.params;
   const { permissions } = req.body;
   const sanitizedMembershipPermissions: IMembershipPermission[] = permissions.map((permission: IMembershipPermission) => {
-    if (!permission.ability || !permission.environmentSlug || ![ABILITY_READ, ABILITY_WRITE].includes(permission.ability)) {
+    if (!permission.ability || !permission.environmentSlug || ![PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS].includes(permission.ability)) {
       throw BadRequestError({ message: "One or more required fields are missing from the request or have incorrect type" })
     }
 

backend/src/ee/controllers/v1/secretController.ts

@@ -146,7 +146,7 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
 		const oldSecretVersion = await SecretVersion.findOne({
 			secret: secretId,
 			version
-		});
+		}).select('+secretBlindIndex')
 		
 		if (!oldSecretVersion) throw new Error('Failed to find secret version');
 		
@@ -155,6 +155,7 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
 			type,
 			user,
 			environment,
+			secretBlindIndex,
 			secretKeyCiphertext,
 			secretKeyIV,
 			secretKeyTag,
@@ -174,6 +175,7 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
 				type,
 				user,
 				environment,
+				...(secretBlindIndex ? { secretBlindIndex } : {}),
 				secretKeyCiphertext,
 				secretKeyIV,
 				secretKeyTag,
@@ -197,6 +199,7 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
 			user,
 			environment,
 			isDeleted: false,
+			...(secretBlindIndex ? { secretBlindIndex } : {}),
 			secretKeyCiphertext,
 			secretKeyIV,
 			secretKeyTag,
@@ -207,7 +210,7 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
 		
 		// take secret snapshot
 		await EESecretService.takeSecretSnapshot({
-			workspaceId: secret.workspace.toString()
+			workspaceId: secret.workspace
 		});
 		
 	} catch (err) {

backend/src/ee/controllers/v1/secretSnapshotController.ts

@@ -15,16 +15,10 @@ export const getSecretSnapshot = async (req: Request, res: Response) => {
 
         secretSnapshot = await SecretSnapshot
             .findById(secretSnapshotId)
-            .populate({
-                path: 'secretVersions',
-                populate: {
-                    path: 'tags',
-                    model: 'Tag',
-                }
-            });
+            .populate('secretVersions');
         
         if (!secretSnapshot) throw new Error('Failed to find secret snapshot');
-        
+
     } catch (err) {
         Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);

backend/src/ee/controllers/v1/stripeController.ts

@@ -1,10 +1,7 @@
-import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
+import { Request, Response } from 'express';
 import Stripe from 'stripe';
-import { STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET } from '../../../config';
-const stripe = new Stripe(STRIPE_SECRET_KEY, {
-	apiVersion: '2022-08-01'
-});
+import { getStripeSecretKey, getStripeWebhookSecret } from '../../../config';
 
 /**
  * Handle service provisioning/un-provisioning via Stripe
@@ -15,12 +12,16 @@ const stripe = new Stripe(STRIPE_SECRET_KEY, {
 export const handleWebhook = async (req: Request, res: Response) => {
 	let event;
 	try {
+		const stripe = new Stripe(await getStripeSecretKey(), {
+			apiVersion: '2022-08-01'
+		});
+
 		// check request for valid stripe signature
 		const sig = req.headers['stripe-signature'] as string;
 		event = stripe.webhooks.constructEvent(
 			req.body,
 			sig,
-			STRIPE_WEBHOOK_SECRET // ?
+			await getStripeWebhookSecret()
 		);
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });

backend/src/ee/controllers/v1/workspaceController.ts

@@ -173,6 +173,7 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
         }
     }   
     */
+	
 	let secrets;
     try {	
         const { workspaceId } = req.params;
@@ -182,7 +183,10 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
 		const secretSnapshot = await SecretSnapshot.findOne({
 			workspace: workspaceId,
 			version
-		}).populate<{ secretVersions: ISecretVersion[]}>('secretVersions');
+		}).populate<{ secretVersions: ISecretVersion[]}>({
+			path: 'secretVersions',
+			select: '+secretBlindIndex'
+		});
         
         if (!secretSnapshot) throw new Error('Failed to find secret snapshot');
 
@@ -222,6 +226,7 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
 					type,
 					user,
 					environment,
+					secretBlindIndex,
 					secretKeyCiphertext,
 					secretKeyIV,
 					secretKeyTag,
@@ -240,6 +245,7 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
 					type,
 					user,
 					environment,
+					secretBlindIndex: secretBlindIndex ?? undefined,
 					secretKeyCiphertext,
 					secretKeyIV,
 					secretKeyTag,
@@ -257,7 +263,7 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
 		);
 		
 		// add secret versions
-		await SecretVersion.insertMany(
+		const secretV = await SecretVersion.insertMany(
 			secrets.map(({
 				_id,
 				version,
@@ -265,6 +271,7 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
 				type,
 				user,
 				environment,
+				secretBlindIndex,
 				secretKeyCiphertext,
 				secretKeyIV,
 				secretKeyTag,
@@ -282,6 +289,7 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
 				user,
 				environment,
 				isDeleted: false,
+				secretBlindIndex: secretBlindIndex ?? undefined,
 				secretKeyCiphertext,
 				secretKeyIV,
 				secretKeyTag,
@@ -304,7 +312,7 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
 		
         // take secret snapshot
 		await EESecretService.takeSecretSnapshot({
-			workspaceId
+			workspaceId: new Types.ObjectId(workspaceId)
 		});
     } catch (err) {
         Sentry.setUser({ email: req.user.email });
@@ -418,7 +426,7 @@ export const getWorkspaceLogs = async (req: Request, res: Response) => {
 		.skip(offset)
 		.limit(limit)
 		.populate('actions')
-		.populate('user');
+		.populate('user serviceAccount serviceTokenData');
 
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });

backend/src/ee/helpers/action.ts

@@ -24,11 +24,15 @@ import {
 const createActionUpdateSecret = async ({
     name,
     userId,
+    serviceAccountId,
+    serviceTokenDataId,
     workspaceId,
     secretIds
 }: {
     name: string;
-    userId: Types.ObjectId;
+    userId?: Types.ObjectId;
+    serviceAccountId?: Types.ObjectId;
+    serviceTokenDataId?: Types.ObjectId;
     workspaceId: Types.ObjectId;
     secretIds: Types.ObjectId[];
 }) => {
@@ -46,6 +50,8 @@ const createActionUpdateSecret = async ({
         action = await new Action({
             name,
             user: userId,
+            serviceAccount: serviceAccountId,
+            serviceTokenData: serviceTokenDataId,
             workspace: workspaceId,
             payload: {
                 secretVersions: latestSecretVersions
@@ -72,11 +78,15 @@ const createActionUpdateSecret = async ({
 const createActionSecret = async ({
     name,
     userId,
+    serviceAccountId,
+    serviceTokenDataId,
     workspaceId,
     secretIds
 }: {
     name: string;
-    userId: Types.ObjectId;
+    userId?: Types.ObjectId;
+    serviceAccountId?: Types.ObjectId;
+    serviceTokenDataId?: Types.ObjectId;
     workspaceId: Types.ObjectId;
     secretIds: Types.ObjectId[];
 }) => {
@@ -94,6 +104,8 @@ const createActionSecret = async ({
        action = await new Action({
             name,
             user: userId,
+            serviceAccount: serviceAccountId,
+            serviceTokenData: serviceTokenDataId,
             workspace: workspaceId,
             payload: {
                 secretVersions: latestSecretVersions
@@ -110,29 +122,36 @@ const createActionSecret = async ({
 }
 
 /**
- * Create an (audit) action for user with id [userId]
+ * Create an (audit) action for client with id [userId],
+ * [serviceAccountId], or [serviceTokenDataId]
  * @param {Object} obj 
  * @param {String} obj.name - name of action
  * @param {String} obj.userId - id of user associated with action
  * @returns 
  */
-const createActionUser = ({
+const createActionClient = ({
     name,
-    userId
+    userId,
+    serviceAccountId,
+    serviceTokenDataId
 }: {
     name: string;
-    userId: Types.ObjectId;
+    userId?: Types.ObjectId;
+    serviceAccountId?: Types.ObjectId;
+    serviceTokenDataId?: Types.ObjectId;
 }) => {
     let action;
     try {
         action = new Action({
             name,
-            user: userId
+            user: userId,
+            serviceAccount: serviceAccountId,
+            serviceTokenData: serviceTokenDataId
         }).save();
     } catch (err) {
         Sentry.setUser(null);
         Sentry.captureException(err);
-        throw new Error('Failed to create user action');
+        throw new Error('Failed to create client action');
     }
 
     return action; 
@@ -149,11 +168,15 @@ const createActionUser = ({
 const createActionHelper = async ({
     name,
     userId,
+    serviceAccountId,
+    serviceTokenDataId,
     workspaceId,
     secretIds,
 }: {
     name: string;
-    userId: Types.ObjectId;
+    userId?: Types.ObjectId;
+    serviceAccountId?: Types.ObjectId;
+    serviceTokenDataId?: Types.ObjectId;
     workspaceId?: Types.ObjectId;
     secretIds?: Types.ObjectId[];
 }) => {
@@ -162,7 +185,7 @@ const createActionHelper = async ({
         switch (name) {
             case ACTION_LOGIN:
             case ACTION_LOGOUT:
-                action = await createActionUser({
+                action = await createActionClient({
                     name,
                     userId
                 });

backend/src/ee/helpers/checkMembershipPermissions.ts

@@ -1,8 +1,9 @@
+import { Types } from 'mongoose';
 import _ from "lodash";
 import { Membership } from "../../models";
-import { ABILITY_READ, ABILITY_WRITE } from "../../variables/organization";
+import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from '../../variables';
 
-export const userHasWorkspaceAccess = async (userId: any, workspaceId: any, environment: any, action: any) => {
+export const userHasWorkspaceAccess = async (userId: Types.ObjectId, workspaceId: Types.ObjectId, environment: string, action: any) => {
   const membershipForWorkspace = await Membership.findOne({ workspace: workspaceId, user: userId })
   if (!membershipForWorkspace) {
     return false
@@ -18,15 +19,15 @@ export const userHasWorkspaceAccess = async (userId: any, workspaceId: any, envi
   return true
 }
 
-export const userHasWriteOnlyAbility = async (userId: any, workspaceId: any, environment: any) => {
+export const userHasWriteOnlyAbility = async (userId: Types.ObjectId, workspaceId: Types.ObjectId, environment: string) => {
   const membershipForWorkspace = await Membership.findOne({ workspace: workspaceId, user: userId })
   if (!membershipForWorkspace) {
     return false
   }
 
   const deniedMembershipPermissions = membershipForWorkspace.deniedPermissions;
-  const isWriteDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: ABILITY_WRITE });
-  const isReadDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: ABILITY_READ });
+  const isWriteDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: PERMISSION_WRITE_SECRETS });
+  const isReadDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: PERMISSION_READ_SECRETS });
 
   // case: you have write only if read is blocked and write is not
   if (isReadDisallowed && !isWriteDisallowed) {
@@ -36,15 +37,15 @@ export const userHasWriteOnlyAbility = async (userId: any, workspaceId: any, env
   return false
 }
 
-export const userHasNoAbility = async (userId: any, workspaceId: any, environment: any) => {
+export const userHasNoAbility = async (userId: Types.ObjectId, workspaceId: Types.ObjectId, environment: string) => {
   const membershipForWorkspace = await Membership.findOne({ workspace: workspaceId, user: userId })
   if (!membershipForWorkspace) {
     return true
   }
 
   const deniedMembershipPermissions = membershipForWorkspace.deniedPermissions;
-  const isWriteDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: ABILITY_WRITE });
-  const isReadBlocked = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: ABILITY_READ });
+  const isWriteDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: PERMISSION_WRITE_SECRETS });
+  const isReadBlocked = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: PERMISSION_READ_SECRETS });
 
   if (isReadBlocked && isWriteDisallowed) {
     return true

backend/src/ee/helpers/log.ts

@@ -4,6 +4,7 @@ import {
     Log,
     IAction
 } from '../models';
+
 /**
  * Create an (audit) log
  * @param {Object} obj
@@ -16,12 +17,16 @@ import {
  */
 const createLogHelper = async ({
     userId,
+    serviceAccountId,
+    serviceTokenDataId,
     workspaceId,
     actions,
     channel,
     ipAddress
 }: {
-    userId: Types.ObjectId;
+    userId?: Types.ObjectId;
+    serviceAccountId?: Types.ObjectId;
+    serviceTokenDataId?: Types.ObjectId;
     workspaceId?: Types.ObjectId;
     actions: IAction[];
     channel: string;
@@ -31,6 +36,8 @@ const createLogHelper = async ({
     try {
         log = await new Log({
             user: userId,
+            serviceAccount: serviceAccountId,
+            serviceTokenData: serviceTokenDataId,
             workspace: workspaceId ?? undefined,
             actionNames: actions.map((a) => a.name),
             actions,

backend/src/ee/helpers/secret.ts

@@ -2,7 +2,7 @@ import { Types } from 'mongoose';
 import * as Sentry from '@sentry/node';
 import {
 	Secret,
-	ISecret
+	ISecret,
 } from '../../models';
 import {
 	SecretSnapshot,
@@ -21,7 +21,7 @@ import {
 const takeSecretSnapshotHelper = async ({
 	workspaceId
 }: {
-	workspaceId: string;
+	workspaceId: Types.ObjectId;
 }) => {
 
 	let secretSnapshot;
@@ -143,7 +143,7 @@ const initSecretVersioningHelper = async () => {
 
 		if (unversionedSecrets.length > 0) {
 			await addSecretVersionsHelper({
-				secretVersions: unversionedSecrets.map((s, idx) => ({
+				secretVersions: unversionedSecrets.map((s, idx) => new SecretVersion({
 					...s,
 					secret: s._id,
 					version: s.version ? s.version : 1,

backend/src/ee/middleware/requireSecretSnapshotAuth.ts

@@ -15,32 +15,28 @@ import {
 const requireSecretSnapshotAuth = ({
     acceptedRoles,
 }: {
-    acceptedRoles: string[];
+    acceptedRoles: Array<'admin' | 'member'>;
 }) => {
     return async (req: Request, res: Response, next: NextFunction) => {
-        try {
-            const { secretSnapshotId } = req.params;
-            
-            const secretSnapshot = await SecretSnapshot.findById(secretSnapshotId);
-            
-            if (!secretSnapshot) {
-                return next(SecretSnapshotNotFoundError({
-                    message: 'Failed to find secret snapshot'
-                }));
-            }
-            
-            await validateMembership({
-                userId: req.user._id.toString(),
-                workspaceId: secretSnapshot.workspace.toString(),
-                acceptedRoles
-            });
-            
-            req.secretSnapshot = secretSnapshot as any;
-
-            next();
-        } catch (err) {
-            return next(UnauthorizedRequestError({ message: 'Unable to authenticate secret snapshot' }));
+        const { secretSnapshotId } = req.params;
+        
+        const secretSnapshot = await SecretSnapshot.findById(secretSnapshotId);
+        
+        if (!secretSnapshot) {
+            return next(SecretSnapshotNotFoundError({
+                message: 'Failed to find secret snapshot'
+            }));
         }
+        
+        await validateMembership({
+            userId: req.user._id,
+            workspaceId: secretSnapshot.workspace,
+            acceptedRoles
+        });
+        
+        req.secretSnapshot = secretSnapshot as any;
+
+        next();
     }
 }
 

backend/src/ee/models/action.ts

@@ -11,6 +11,8 @@ import {
 export interface IAction {
     name: string;
     user?: Types.ObjectId,
+    serviceAccount?: Types.ObjectId,
+    serviceTokenData?: Types.ObjectId,
     workspace?: Types.ObjectId,
     payload?: {
         secretVersions?: Types.ObjectId[]
@@ -33,8 +35,15 @@ const actionSchema = new Schema<IAction>(
         },
         user: {
             type: Schema.Types.ObjectId,
-            ref: 'User',
-            required: true
+            ref: 'User'
+        },
+        serviceAccount: {
+            type: Schema.Types.ObjectId,
+            ref: 'ServiceAccount'
+        },
+        serviceTokenData: {
+            type: Schema.Types.ObjectId,
+            ref: 'ServiceTokenData'
         },
         workspace: {
             type: Schema.Types.ObjectId,

backend/src/ee/models/log.ts

@@ -11,6 +11,8 @@ import {
 export interface ILog {
     _id: Types.ObjectId;
     user?: Types.ObjectId;
+    serviceAccount?: Types.ObjectId;
+    serviceTokenData?: Types.ObjectId;
     workspace?: Types.ObjectId;
     actionNames: string[];
     actions: Types.ObjectId[];
@@ -24,6 +26,14 @@ const logSchema = new Schema<ILog>(
             type: Schema.Types.ObjectId,
             ref: 'User'
         },
+        serviceAccount: {
+            type: Schema.Types.ObjectId,
+            ref: 'ServiceAccount'
+        },
+        serviceTokenData: {
+            type: Schema.Types.ObjectId,
+            ref: 'ServiceTokenData'
+        },
         workspace: {
             type: Schema.Types.ObjectId,
             ref: 'Workspace'

backend/src/ee/models/secretVersion.ts

@@ -5,6 +5,7 @@ import {
 } from '../../variables';
 
 export interface ISecretVersion {
+	_id: Types.ObjectId;
 	secret: Types.ObjectId;
 	version: number;
 	workspace: Types.ObjectId; // new
@@ -12,13 +13,13 @@ export interface ISecretVersion {
 	user?: Types.ObjectId; // new
 	environment: string; // new
 	isDeleted: boolean;
+	secretBlindIndex?: string;
 	secretKeyCiphertext: string;
 	secretKeyIV: string;
 	secretKeyTag: string;
 	secretValueCiphertext: string;
 	secretValueIV: string;
 	secretValueTag: string;
-	tags?: string[];
 }
 
 const secretVersionSchema = new Schema<ISecretVersion>(
@@ -57,6 +58,10 @@ const secretVersionSchema = new Schema<ISecretVersion>(
 			default: false,
 			required: true
 		},
+		secretBlindIndex: {
+			type: String,
+			select: false
+		},
 		secretKeyCiphertext: {
 			type: String,
 			required: true
@@ -80,12 +85,7 @@ const secretVersionSchema = new Schema<ISecretVersion>(
 		secretValueTag: {
 			type: String, // symmetric
 			required: true
-		},
-		tags: {
-			ref: 'Tag',
-			type: [Schema.Types.ObjectId],
-			default: []
-		},
+		}
 	},
 	{
 		timestamps: true

backend/src/ee/routes/v1/secret.ts

@@ -7,7 +7,12 @@ import {
 } from '../../../middleware';
 import { query, param, body } from 'express-validator';
 import { secretController } from '../../controllers/v1';
-import { ADMIN, MEMBER } from '../../../variables';
+import {
+	ADMIN, 
+	MEMBER,
+	PERMISSION_READ_SECRETS,
+	PERMISSION_WRITE_SECRETS
+} from '../../../variables';
 
 router.get(
 	'/:secretId/secret-versions',
@@ -15,7 +20,8 @@ router.get(
 		acceptedAuthModes: ['jwt', 'apiKey']
 	}),
 	requireSecretAuth({
-		acceptedRoles: [ADMIN, MEMBER]
+		acceptedRoles: [ADMIN, MEMBER],
+		requiredPermissions: [PERMISSION_READ_SECRETS]
 	}),
 	param('secretId').exists().trim(),
 	query('offset').exists().isInt(),
@@ -30,7 +36,8 @@ router.post(
 		acceptedAuthModes: ['jwt', 'apiKey']
 	}),
 	requireSecretAuth({
-		acceptedRoles: [ADMIN, MEMBER]
+		acceptedRoles: [ADMIN, MEMBER],
+		requiredPermissions: [PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS]
 	}),
 	param('secretId').exists().trim(),
 	body('version').exists().isInt(),

backend/src/ee/routes/v1/workspace.ts

@@ -15,7 +15,8 @@ router.get(
 		acceptedAuthModes: ['jwt', 'apiKey']
 	}),
 	requireWorkspaceAuth({
-		acceptedRoles: [ADMIN, MEMBER]
+		acceptedRoles: [ADMIN, MEMBER],
+		locationWorkspaceId: 'params'
 	}),
 	param('workspaceId').exists().trim(),
 	query('offset').exists().isInt(),
@@ -30,7 +31,8 @@ router.get(
 		acceptedAuthModes: ['jwt']
 	}),
 	requireWorkspaceAuth({
-		acceptedRoles: [ADMIN, MEMBER]
+		acceptedRoles: [ADMIN, MEMBER],
+		locationWorkspaceId: 'params'
 	}),
 	param('workspaceId').exists().trim(),
 	validateRequest,
@@ -43,7 +45,8 @@ router.post(
 		acceptedAuthModes: ['jwt', 'apiKey']
 	}),
 	requireWorkspaceAuth({
-		acceptedRoles: [ADMIN, MEMBER]
+		acceptedRoles: [ADMIN, MEMBER],
+		locationWorkspaceId: 'params'
 	}),
 	param('workspaceId').exists().trim(),
 	body('version').exists().isInt(),
@@ -57,7 +60,8 @@ router.get(
 		acceptedAuthModes: ['jwt', 'apiKey']
 	}),
 	requireWorkspaceAuth({
-		acceptedRoles: [ADMIN, MEMBER]
+		acceptedRoles: [ADMIN, MEMBER],
+		locationWorkspaceId: 'params'
 	}),
 	param('workspaceId').exists().trim(),
 	query('offset').exists().isInt(),

backend/src/ee/services/EELicenseService.ts

@@ -1,5 +1,3 @@
-import { LICENSE_KEY } from '../../config';
-
 /**
  * Class to handle Enterprise Edition license actions
  */
@@ -16,4 +14,4 @@ class EELicenseService {
     }
 }
 
-export default new EELicenseService(LICENSE_KEY);
+export default new EELicenseService('N/A');

backend/src/ee/services/EELogService.ts

@@ -26,12 +26,16 @@ class EELogService {
      */
     static async createLog({
         userId,
+        serviceAccountId,
+        serviceTokenDataId,
         workspaceId,
         actions,
         channel,
         ipAddress
     }: {
-        userId: Types.ObjectId;
+        userId?: Types.ObjectId;
+        serviceAccountId?: Types.ObjectId;
+        serviceTokenDataId?: Types.ObjectId;
         workspaceId?: Types.ObjectId;
         actions: IAction[];
         channel: string;
@@ -40,6 +44,8 @@ class EELogService {
         if (!EELicenseService.isLicenseValid) return null;
         return await createLogHelper({
             userId,
+            serviceAccountId,
+            serviceTokenDataId,
             workspaceId,
             actions,
             channel,
@@ -59,17 +65,23 @@ class EELogService {
     static async createAction({
         name,
         userId,
+        serviceAccountId,
+        serviceTokenDataId,
         workspaceId,
         secretIds
     }: {
         name: string;
-        userId: Types.ObjectId;
+        userId?: Types.ObjectId;
+        serviceAccountId?: Types.ObjectId;
+        serviceTokenDataId?: Types.ObjectId;
         workspaceId?: Types.ObjectId;
         secretIds?: Types.ObjectId[];
     }) {
         return await createActionHelper({
             name,
             userId,
+            serviceAccountId,
+            serviceTokenDataId,
             workspaceId,
             secretIds
         });

backend/src/ee/services/EESecretService.ts

@@ -25,7 +25,7 @@ class EESecretService {
     static async takeSecretSnapshot({
         workspaceId
     }: {
-        workspaceId: string;
+        workspaceId: Types.ObjectId;
     }) {
         if (!EELicenseService.isLicenseValid) return;
         return await takeSecretSnapshotHelper({ workspaceId });

backend/src/events/secret.ts

@@ -1,3 +1,4 @@
+import { Types } from 'mongoose';
 import { 
     EVENT_PUSH_SECRETS, 
     EVENT_PULL_SECRETS 
@@ -22,13 +23,16 @@ interface PushSecret {
  * @returns 
  */
 const eventPushSecrets = ({
-    workspaceId
+    workspaceId,
+    environment
 }: {
-    workspaceId: string;
+    workspaceId: Types.ObjectId;
+    environment?: string;
 }) => {
     return ({
         name: EVENT_PUSH_SECRETS,
         workspaceId,
+        environment,
         payload: {
 
         }

backend/src/helpers/auth.ts

@@ -1,24 +1,34 @@
-import jwt from 'jsonwebtoken';
 import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
+import jwt from 'jsonwebtoken';
 import bcrypt from 'bcrypt';
 import {
+	IUser,
 	User,
 	ServiceTokenData,
+	ServiceAccount,
 	APIKeyData
 } from '../models';
-import {
-	JWT_AUTH_LIFETIME,
-	JWT_AUTH_SECRET,
-	JWT_REFRESH_LIFETIME,
-	JWT_REFRESH_SECRET
-} from '../config';
 import {
 	AccountNotFoundError,
 	ServiceTokenDataNotFoundError,
+	ServiceAccountNotFoundError,
 	APIKeyDataNotFoundError,
 	UnauthorizedRequestError,
 	BadRequestError
 } from '../utils/errors';
+import {
+	getJwtAuthLifetime,
+	getJwtAuthSecret,
+	getJwtRefreshLifetime,
+	getJwtRefreshSecret
+} from '../config';
+import {
+	AUTH_MODE_JWT,
+	AUTH_MODE_SERVICE_ACCOUNT,
+	AUTH_MODE_SERVICE_TOKEN,
+	AUTH_MODE_API_KEY
+} from '../variables';
 
 /**
  * 
@@ -36,7 +46,7 @@ const validateAuthMode = ({
 	const apiKey = headers['x-api-key'];
 	const authHeader = headers['authorization'];
 
-	let authTokenType, authTokenValue;
+	let authMode, authTokenValue;
 	if (apiKey === undefined && authHeader === undefined) {
 		// case: no auth or X-API-KEY header present
 		throw BadRequestError({ message: 'Missing Authorization or X-API-KEY in request header.' });
@@ -44,7 +54,7 @@ const validateAuthMode = ({
 
 	if (typeof apiKey === 'string') {
 		// case: treat request authentication type as via X-API-KEY (i.e. API Key)
-		authTokenType = 'apiKey';
+		authMode = AUTH_MODE_API_KEY;
 		authTokenValue = apiKey;
 	}
 
@@ -60,20 +70,24 @@ const validateAuthMode = ({
 
 		switch (tokenValue.split('.', 1)[0]) {
 			case 'st':
-				authTokenType = 'serviceToken';
+				authMode = AUTH_MODE_SERVICE_TOKEN;
+				break;
+			case 'sa':
+				authMode = AUTH_MODE_SERVICE_ACCOUNT;
 				break;
 			default:
-				authTokenType = 'jwt';
+				authMode = AUTH_MODE_JWT;
 		}
+
 		authTokenValue = tokenValue;
 	}
 
-	if (!authTokenType || !authTokenValue) throw BadRequestError({ message: 'Missing valid Authorization or X-API-KEY in request header.' });
+	if (!authMode || !authTokenValue) throw BadRequestError({ message: 'Missing valid Authorization or X-API-KEY in request header.' });
 
-	if (!acceptedAuthModes.includes(authTokenType)) throw BadRequestError({ message: 'The provided authentication type is not supported.' });
+	if (!acceptedAuthModes.includes(authMode)) throw BadRequestError({ message: 'The provided authentication type is not supported.' });
 
 	return ({
-		authTokenType,
+		authMode,
 		authTokenValue
 	});
 }
@@ -89,25 +103,17 @@ const getAuthUserPayload = async ({
 }: {
 	authTokenValue: string;
 }) => {
-	let user;
-	try {
-		const decodedToken = <jwt.UserIDJwtPayload>(
-			jwt.verify(authTokenValue, JWT_AUTH_SECRET)
-		);
+	const decodedToken = <jwt.UserIDJwtPayload>(
+		jwt.verify(authTokenValue, await getJwtAuthSecret())
+	);
 
-		user = await User.findOne({
-			_id: decodedToken.userId
-		}).select('+publicKey');
+	const user = await User.findOne({
+		_id: decodedToken.userId
+	}).select('+publicKey');
 
-		if (!user) throw AccountNotFoundError({ message: 'Failed to find User' });
+	if (!user) throw AccountNotFoundError({ message: 'Failed to find User' });
 
-		if (!user?.publicKey) throw UnauthorizedRequestError({ message: 'Failed to authenticate User with partially set up account' });
-
-	} catch (err) {
-		throw UnauthorizedRequestError({
-			message: 'Failed to authenticate JWT token'
-		});
-	}
+	if (!user?.publicKey) throw UnauthorizedRequestError({ message: 'Failed to authenticate User with partially set up account' });
 
 	return user;
 }
@@ -123,42 +129,70 @@ const getAuthSTDPayload = async ({
 }: {
 	authTokenValue: string;
 }) => {
-	let serviceTokenData;
-	try {
-		const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split('.', 3);
+	const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split('.', 3);
 
-		// TODO: optimize double query
-		serviceTokenData = await ServiceTokenData
-			.findById(TOKEN_IDENTIFIER, '+secretHash +expiresAt');
+	let serviceTokenData = await ServiceTokenData
+		.findById(TOKEN_IDENTIFIER, '+secretHash +expiresAt');
 
-		if (!serviceTokenData) {
-			throw ServiceTokenDataNotFoundError({ message: 'Failed to find service token data' });
-		} else if (serviceTokenData?.expiresAt && new Date(serviceTokenData.expiresAt) < new Date()) {
-			// case: service token expired
-			await ServiceTokenData.findByIdAndDelete(serviceTokenData._id);
-			throw UnauthorizedRequestError({
-				message: 'Failed to authenticate expired service token'
-			});
-		}
-
-		const isMatch = await bcrypt.compare(TOKEN_SECRET, serviceTokenData.secretHash);
-		if (!isMatch) throw UnauthorizedRequestError({
-			message: 'Failed to authenticate service token'
-		});
-
-		serviceTokenData = await ServiceTokenData
-			.findById(TOKEN_IDENTIFIER)
-			.select('+encryptedKey +iv +tag').populate('user');
-
-	} catch (err) {
+	if (!serviceTokenData) {
+		throw ServiceTokenDataNotFoundError({ message: 'Failed to find service token data' });
+	} else if (serviceTokenData?.expiresAt && new Date(serviceTokenData.expiresAt) < new Date()) {
+		// case: service token expired
+		await ServiceTokenData.findByIdAndDelete(serviceTokenData._id);
 		throw UnauthorizedRequestError({
-			message: 'Failed to authenticate service token'
+			message: 'Failed to authenticate expired service token'
 		});
 	}
 
+	const isMatch = await bcrypt.compare(TOKEN_SECRET, serviceTokenData.secretHash);
+	if (!isMatch) throw UnauthorizedRequestError({
+		message: 'Failed to authenticate service token'
+	});
+
+	serviceTokenData = await ServiceTokenData
+		.findOneAndUpdate({
+			_id: new Types.ObjectId(TOKEN_IDENTIFIER)
+		}, {
+			lastUsed: new Date()
+		}, {
+			new: true
+		})
+		.select('+encryptedKey +iv +tag');
+
+	if (!serviceTokenData) throw ServiceTokenDataNotFoundError({ message: 'Failed to find service token data' });
+
 	return serviceTokenData;
 }
 
+/**
+ * Return service account access key payload
+ * @param {Object} obj
+ * @param {String} obj.authTokenValue - service account access token value
+ * @returns {ServiceAccount} serviceAccount
+ */
+const getAuthSAAKPayload = async ({
+	authTokenValue
+}: {
+	authTokenValue: string;
+}) => {
+	const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split('.', 3);
+
+	const serviceAccount = await ServiceAccount.findById(
+		Buffer.from(TOKEN_IDENTIFIER, 'base64').toString('hex')
+	).select('+secretHash');
+
+	if (!serviceAccount) {
+		throw ServiceAccountNotFoundError({ message: 'Failed to find service account' });
+	}
+
+	const result = await bcrypt.compare(TOKEN_SECRET, serviceAccount.secretHash);
+	if (!result) throw UnauthorizedRequestError({
+		message: 'Failed to authenticate service account access key'
+	});
+
+	return serviceAccount;
+}
+
 /**
  * Return API key data payload corresponding to API key [authTokenValue]
  * @param {Object} obj
@@ -170,33 +204,44 @@ const getAuthAPIKeyPayload = async ({
 }: {
 	authTokenValue: string;
 }) => {
-	let user;
-	try {
-		const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split('.', 3);
+	const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split('.', 3);
 
-		const apiKeyData = await APIKeyData
-			.findById(TOKEN_IDENTIFIER, '+secretHash +expiresAt')
-			.populate('user', '+publicKey');
+	let apiKeyData = await APIKeyData
+		.findById(TOKEN_IDENTIFIER, '+secretHash +expiresAt')
+		.populate<{ user: IUser }>('user', '+publicKey');
 
-		if (!apiKeyData) {
-			throw APIKeyDataNotFoundError({ message: 'Failed to find API key data' });
-		} else if (apiKeyData?.expiresAt && new Date(apiKeyData.expiresAt) < new Date()) {
-			// case: API key expired
-			await APIKeyData.findByIdAndDelete(apiKeyData._id);
-			throw UnauthorizedRequestError({
-				message: 'Failed to authenticate expired API key'
-			});
-		}
-
-		const isMatch = await bcrypt.compare(TOKEN_SECRET, apiKeyData.secretHash);
-		if (!isMatch) throw UnauthorizedRequestError({
-			message: 'Failed to authenticate API key'
-		});
-
-		user = apiKeyData.user;
-	} catch (err) {
+	if (!apiKeyData) {
+		throw APIKeyDataNotFoundError({ message: 'Failed to find API key data' });
+	} else if (apiKeyData?.expiresAt && new Date(apiKeyData.expiresAt) < new Date()) {
+		// case: API key expired
+		await APIKeyData.findByIdAndDelete(apiKeyData._id);
 		throw UnauthorizedRequestError({
-			message: 'Failed to authenticate API key'
+			message: 'Failed to authenticate expired API key'
+		});
+	}
+
+	const isMatch = await bcrypt.compare(TOKEN_SECRET, apiKeyData.secretHash);
+	if (!isMatch) throw UnauthorizedRequestError({
+		message: 'Failed to authenticate API key'
+	});
+
+	apiKeyData = await APIKeyData.findOneAndUpdate({
+		_id: new Types.ObjectId(TOKEN_IDENTIFIER)
+	}, {
+		lastUsed: new Date()
+	}, {
+		new: true
+	});
+
+	if (!apiKeyData) {
+		throw APIKeyDataNotFoundError({ message: 'Failed to find API key data' });
+	}
+
+	const user = await User.findById(apiKeyData.user).select('+publicKey');
+
+	if (!user) {
+		throw AccountNotFoundError({
+			message: 'Failed to find user'
 		});
 	}
 
@@ -212,30 +257,23 @@ const getAuthAPIKeyPayload = async ({
  * @return {String} obj.refreshToken - issued refresh token
  */
 const issueAuthTokens = async ({ userId }: { userId: string }) => {
-	let token: string;
-	let refreshToken: string;
-	try {
-		// issue tokens
-		token = createToken({
-			payload: {
-				userId
-			},
-			expiresIn: JWT_AUTH_LIFETIME,
-			secret: JWT_AUTH_SECRET
-		});
 
-		refreshToken = createToken({
-			payload: {
-				userId
-			},
-			expiresIn: JWT_REFRESH_LIFETIME,
-			secret: JWT_REFRESH_SECRET
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to issue tokens');
-	}
+	// issue tokens
+	const token = createToken({
+		payload: {
+			userId
+		},
+		expiresIn: await getJwtAuthLifetime(),
+		secret: await getJwtAuthSecret()
+	});
+
+	const refreshToken = createToken({
+		payload: {
+			userId
+		},
+		expiresIn: await getJwtRefreshLifetime(),
+		secret: await getJwtRefreshSecret()
+	});
 
 	return {
 		token,
@@ -249,19 +287,14 @@ const issueAuthTokens = async ({ userId }: { userId: string }) => {
  * @param {String} obj.userId - id of user whose tokens are cleared.
  */
 const clearTokens = async ({ userId }: { userId: string }): Promise<void> => {
-	try {
-		// increment refreshVersion on user by 1
-		User.findOneAndUpdate({
-			_id: userId
-		}, {
-			$inc: {
-				refreshVersion: 1
-			}
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-	}
+	// increment refreshVersion on user by 1
+	User.findOneAndUpdate({
+		_id: userId
+	}, {
+		$inc: {
+			refreshVersion: 1
+		}
+	});
 };
 
 /**
@@ -281,21 +314,16 @@ const createToken = ({
 	expiresIn: string | number;
 	secret: string;
 }) => {
-	try {
-		return jwt.sign(payload, secret, {
-			expiresIn
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to create a token');
-	}
+	return jwt.sign(payload, secret, {
+		expiresIn
+	});
 };
 
 export {
 	validateAuthMode,
 	getAuthUserPayload,
 	getAuthSTDPayload,
+	getAuthSAAKPayload,
 	getAuthAPIKeyPayload,
 	createToken,
 	issueAuthTokens,

backend/src/helpers/bot.ts

@@ -1,10 +1,16 @@
 import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
 import {
     Bot,
     BotKey,
     Secret,
     ISecret,
-    IUser
+    IUser,
+    User,
+    IServiceAccount,
+    ServiceAccount,
+    IServiceTokenData,
+    ServiceTokenData
 } from '../models';
 import { 
     generateKeyPair, 
@@ -12,8 +18,88 @@ import {
     decryptSymmetric,
     decryptAsymmetric
 } from '../utils/crypto';
-import { ENCRYPTION_KEY } from '../config';
-import { SECRET_SHARED } from '../variables';
+import {
+    SECRET_SHARED,
+    AUTH_MODE_JWT,
+    AUTH_MODE_SERVICE_ACCOUNT,
+    AUTH_MODE_SERVICE_TOKEN,
+    AUTH_MODE_API_KEY
+} from '../variables';
+import { getEncryptionKey } from '../config';
+import { BotNotFoundError, UnauthorizedRequestError } from '../utils/errors';
+import {
+    validateMembership
+} from '../helpers/membership';
+import {
+    validateUserClientForWorkspace
+} from '../helpers/user';
+import {
+    validateServiceAccountClientForWorkspace
+} from '../helpers/serviceAccount';
+
+/**
+ * Validate authenticated clients for bot with id [botId] based
+ * on any known permissions.
+ * @param {Object} obj
+ * @param {Object} obj.authData - authenticated client details
+ * @param {Types.ObjectId} obj.botId - id of bot to validate against
+ * @param {Array<'admin' | 'member'>} obj.acceptedRoles - accepted workspace roles
+ */
+const validateClientForBot = async ({
+    authData,
+    botId,
+    acceptedRoles
+}: {
+    authData: {
+		authMode: string;
+		authPayload: IUser | IServiceAccount | IServiceTokenData;
+	};
+    botId: Types.ObjectId;
+    acceptedRoles: Array<'admin' | 'member'>;
+}) => {
+    const bot = await Bot.findById(botId);
+    
+    if (!bot) throw BotNotFoundError();
+    
+    if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
+        await validateUserClientForWorkspace({
+            user: authData.authPayload,
+            workspaceId: bot.workspace,
+            acceptedRoles
+        });
+        
+        return bot;
+    }
+
+    if (authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && authData.authPayload instanceof ServiceAccount) {
+        await validateServiceAccountClientForWorkspace({
+            serviceAccount: authData.authPayload,
+            workspaceId: bot.workspace
+        });
+
+        return bot;
+    }
+
+    if (authData.authMode === AUTH_MODE_SERVICE_TOKEN && authData.authPayload instanceof ServiceTokenData) {
+        throw UnauthorizedRequestError({
+            message: 'Failed service token authorization for bot'
+        });
+    }
+
+    if (authData.authMode === AUTH_MODE_API_KEY && authData.authPayload instanceof User) {
+        await validateUserClientForWorkspace({
+            user: authData.authPayload,
+            workspaceId: bot.workspace,
+            acceptedRoles
+        });
+        
+        return bot;
+    }
+    
+    throw BotNotFoundError({
+        message: 'Failed client authorization for bot'
+    });
+}
 
 /**
  * Create an inactive bot with name [name] for workspace with id [workspaceId]
@@ -26,14 +112,14 @@ const createBot = async ({
     workspaceId,
 }: {
     name: string;
-    workspaceId: string;
+    workspaceId: Types.ObjectId;
 }) => {
     let bot;
     try {
         const { publicKey, privateKey } = generateKeyPair();
         const { ciphertext, iv, tag } = encryptSymmetric({
             plaintext: privateKey,
-            key: ENCRYPTION_KEY
+            key: await getEncryptionKey()
         });
 
         bot = await new Bot({
@@ -65,7 +151,7 @@ const getSecretsHelper = async ({
     workspaceId,
     environment
 }: {
-    workspaceId: string;
+    workspaceId: Types.ObjectId;
     environment: string;
 }) => {
     const content = {} as any;
@@ -110,7 +196,7 @@ const getSecretsHelper = async ({
  * @param {String} obj.workspaceId - id of workspace
  * @returns {String} key - decrypted workspace key
  */
-const getKey = async ({ workspaceId }: { workspaceId: string }) => {
+const getKey = async ({ workspaceId }: { workspaceId: Types.ObjectId }) => {
     let key;
     try {
         const botKey = await BotKey.findOne({
@@ -130,7 +216,7 @@ const getKey = async ({ workspaceId }: { workspaceId: string }) => {
             ciphertext: bot.encryptedPrivateKey,
             iv: bot.iv,
             tag: bot.tag,
-            key: ENCRYPTION_KEY
+            key: await getEncryptionKey()
         });
         
         key = decryptAsymmetric({
@@ -159,7 +245,7 @@ const encryptSymmetricHelper = async ({
     workspaceId,
     plaintext
 }: {
-    workspaceId: string;
+    workspaceId: Types.ObjectId;
     plaintext: string;
 }) => {
     
@@ -196,7 +282,7 @@ const decryptSymmetricHelper = async ({
     iv,
     tag
 }: {
-    workspaceId: string;
+    workspaceId: Types.ObjectId;
     ciphertext: string;
     iv: string;
     tag: string;
@@ -222,6 +308,7 @@ const decryptSymmetricHelper = async ({
 }
 
 export {
+    validateClientForBot,
     createBot,
     getSecretsHelper,
     encryptSymmetricHelper,

backend/src/helpers/database.ts

@@ -1,5 +1,6 @@
 import mongoose from 'mongoose';
 import { EESecretService } from '../ee/services';
+import { SecretService } from '../services';
 import { getLogger } from '../utils/logger';
 
 /**
@@ -19,16 +20,34 @@ const initDatabaseHelper = async ({
         // allow empty strings to pass the required validator
         mongoose.Schema.Types.String.checkRequired(v => typeof v === 'string');
 
-        getLogger("database").info("Database connection established");
+        (await getLogger("database")).info("Database connection established");
         
         await EESecretService.initSecretVersioning();
+        await SecretService.initSecretBlindIndexDataHelper();
     } catch (err) {
-        getLogger("database").error(`Unable to establish Database connection due to the error.\n${err}`);
+        (await getLogger("database")).error(`Unable to establish Database connection due to the error.\n${err}`);
     }
 
     return mongoose.connection;
 }
 
+/**
+ * Close database conection
+ */
+const closeDatabaseHelper = async () => {
+    return Promise.all([
+        new Promise((resolve) => {
+            if (mongoose.connection && mongoose.connection.readyState == 1) {
+            mongoose.connection.close()
+                .then(() => resolve('Database connection closed'));
+            } else {
+            resolve('Database connection already closed');
+            }
+        })
+    ]);
+}
+
 export {
-    initDatabaseHelper
+    initDatabaseHelper,
+    closeDatabaseHelper
 }

backend/src/helpers/event.ts

@@ -1,11 +1,13 @@
-import { Bot, IBot } from '../models';
+import { Types } from 'mongoose';
 import * as Sentry from '@sentry/node';
+import { Bot, IBot } from '../models';
 import { EVENT_PUSH_SECRETS } from '../variables';
 import { IntegrationService } from '../services';
 
 interface Event {
     name: string;
-    workspaceId: string;
+    workspaceId: Types.ObjectId;
+    environment?: string;
     payload: any;
 }
 
@@ -22,7 +24,10 @@ const handleEventHelper = async ({
 }: {
     event: Event;
 }) => {
-    const { workspaceId } = event;
+    const { 
+        workspaceId,
+        environment
+    } = event;
     
     // TODO: moduralize bot check into separate function
     const bot = await Bot.findOne({
@@ -36,7 +41,8 @@ const handleEventHelper = async ({
         switch (event.name) {
             case EVENT_PUSH_SECRETS:
                 IntegrationService.syncIntegrations({
-                    workspaceId
+                    workspaceId,
+                    environment
                 });
                 break;
         }

backend/src/helpers/integration.ts

@@ -1,17 +1,42 @@
 import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
 import {
     Bot,
     Integration,
     IntegrationAuth,
+    IUser,
+    User,
+    IServiceAccount,
+    ServiceAccount,
+    IServiceTokenData,
+    ServiceTokenData
 } from '../models';
 import { exchangeCode, exchangeRefresh, syncSecrets } from '../integrations';
 import { BotService } from '../services';
 import {
+    AUTH_MODE_JWT,
+	AUTH_MODE_SERVICE_ACCOUNT,
+	AUTH_MODE_SERVICE_TOKEN,
+	AUTH_MODE_API_KEY,
     INTEGRATION_VERCEL,
     INTEGRATION_NETLIFY
 } from '../variables';
-import { UnauthorizedRequestError } from '../utils/errors';
+import { 
+    UnauthorizedRequestError,
+    IntegrationAuthNotFoundError,
+    IntegrationNotFoundError
+} from '../utils/errors';
 import RequestError from '../utils/requestError';
+import {
+    validateClientForIntegrationAuth 
+} from '../helpers/integrationAuth';
+import {
+    validateUserClientForWorkspace
+} from '../helpers/user';
+import {
+    validateServiceAccountClientForWorkspace
+} from '../helpers/serviceAccount';
+import { IntegrationService } from '../services';
 
 interface Update {
     workspace: string;
@@ -20,6 +45,84 @@ interface Update {
     accountId?: string;
 }
 
+/**
+ * Validate authenticated clients for integration with id [integrationId] based
+ * on any known permissions.
+ * @param {Object} obj
+ * @param {Object} obj.authData - authenticated client details
+ * @param {Types.ObjectId} obj.integrationId - id of integration to validate against
+ * @param {String} obj.environment - (optional) environment in workspace to validate against
+ * @param {Array<'admin' | 'member'>} obj.acceptedRoles - accepted workspace roles
+ * @param {String[]} obj.requiredPermissions - required permissions as part of the endpoint
+ */
+ const validateClientForIntegration = async ({
+    authData,
+    integrationId,
+    acceptedRoles
+}: {
+    authData: {
+		authMode: string;
+		authPayload: IUser | IServiceAccount | IServiceTokenData;
+	};
+    integrationId: Types.ObjectId;
+    acceptedRoles: Array<'admin' | 'member'>;
+}) => {
+    
+    const integration = await Integration.findById(integrationId);
+    if (!integration) throw IntegrationNotFoundError();
+
+    const integrationAuth = await IntegrationAuth
+        .findById(integration.integrationAuth)
+        .select(
+			'+refreshCiphertext +refreshIV +refreshTag +accessCiphertext +accessIV +accessTag +accessExpiresAt'
+        );
+    
+    if (!integrationAuth) throw IntegrationAuthNotFoundError();
+
+    const accessToken = (await IntegrationService.getIntegrationAuthAccess({
+        integrationAuthId: integrationAuth._id
+    })).accessToken;
+
+    if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
+        await validateUserClientForWorkspace({
+            user: authData.authPayload,
+            workspaceId: integration.workspace,
+            acceptedRoles
+        });
+        
+        return ({ integration, accessToken });
+    }
+    
+    if (authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && authData.authPayload instanceof ServiceAccount) {
+        await validateServiceAccountClientForWorkspace({
+            serviceAccount: authData.authPayload,
+            workspaceId: integration.workspace
+        });
+        
+        return ({ integration, accessToken });
+    }
+
+    if (authData.authMode === AUTH_MODE_SERVICE_TOKEN && authData.authPayload instanceof ServiceTokenData) {
+        throw UnauthorizedRequestError({
+            message: 'Failed service token authorization for integration'
+        });
+    }
+
+    if (authData.authMode === AUTH_MODE_API_KEY && authData.authPayload instanceof User) {
+        await validateUserClientForWorkspace({
+            user: authData.authPayload,
+            workspaceId: integration.workspace,
+            acceptedRoles
+        });
+        
+        return ({ integration, accessToken });
+    }
+    
+    throw UnauthorizedRequestError({
+        message: 'Failed client authorization for integration'
+    });
+}
+
 /**
  * Perform OAuth2 code-token exchange for workspace with id [workspaceId] and integration
  * named [integration]
@@ -114,14 +217,19 @@ const handleOAuthExchangeHelper = async ({
  * @param {Object} obj.workspaceId - id of workspace
  */
 const syncIntegrationsHelper = async ({
-    workspaceId
+    workspaceId,
+    environment
 }: {
-    workspaceId: string;
+    workspaceId: Types.ObjectId;
+    environment?: string;
 }) => {
     let integrations;
     try {
         integrations = await Integration.find({
             workspace: workspaceId,
+            ...(environment ? {
+                environment
+            } : {}),
             isActive: true,
             app: { $ne: null }
         });
@@ -131,7 +239,7 @@ const syncIntegrationsHelper = async ({
         for await (const integration of integrations) {
             // get workspace, environment (shared) secrets
             const secrets = await BotService.getSecrets({ // issue here?
-                workspaceId: integration.workspace.toString(),
+                workspaceId: integration.workspace,
                 environment: integration.environment
             });
 
@@ -140,7 +248,7 @@ const syncIntegrationsHelper = async ({
             
             // get integration auth access token
             const access = await getIntegrationAuthAccessHelper({
-                integrationAuthId: integration.integrationAuth.toString()
+                integrationAuthId: integration.integrationAuth
             });
 
             // sync secrets to integration
@@ -167,7 +275,7 @@ const syncIntegrationsHelper = async ({
  * @param {String} obj.integrationAuthId - id of integration auth
  * @param {String} refreshToken - decrypted refresh token
  */
- const getIntegrationAuthRefreshHelper = async ({ integrationAuthId }: { integrationAuthId: string }) => {
+ const getIntegrationAuthRefreshHelper = async ({ integrationAuthId }: { integrationAuthId: Types.ObjectId }) => {
     let refreshToken;
 	
     try {
@@ -178,7 +286,7 @@ const syncIntegrationsHelper = async ({
         if (!integrationAuth) throw UnauthorizedRequestError({message: 'Failed to locate Integration Authentication credentials'});
 
         refreshToken = await BotService.decryptSymmetric({
-            workspaceId: integrationAuth.workspace.toString(),
+            workspaceId: integrationAuth.workspace,
             ciphertext: integrationAuth.refreshCiphertext as string,
             iv: integrationAuth.refreshIV as string,
             tag: integrationAuth.refreshTag as string
@@ -204,7 +312,7 @@ const syncIntegrationsHelper = async ({
  * @param {String} obj.integrationAuthId - id of integration auth
  * @returns {String} accessToken - decrypted access token
  */
-const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrationAuthId: string }) => {
+const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrationAuthId: Types.ObjectId }) => {
     let accessId;
     let accessToken;
     try {
@@ -215,7 +323,7 @@ const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrati
         if (!integrationAuth) throw UnauthorizedRequestError({message: 'Failed to locate Integration Authentication credentials'});
 
         accessToken = await BotService.decryptSymmetric({
-            workspaceId: integrationAuth.workspace.toString(),
+            workspaceId: integrationAuth.workspace,
             ciphertext: integrationAuth.accessCiphertext as string,
             iv: integrationAuth.accessIV as string,
             tag: integrationAuth.accessTag as string
@@ -229,7 +337,7 @@ const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrati
                 // access token is expired
                 const refreshToken = await getIntegrationAuthRefreshHelper({ integrationAuthId });
                 accessToken = await exchangeRefresh({
-                    integration: integrationAuth.integration,
+                    integrationAuth,
                     refreshToken
                 });
             }
@@ -237,7 +345,7 @@ const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrati
         
         if (integrationAuth?.accessIdCiphertext && integrationAuth?.accessIdIV && integrationAuth?.accessIdTag) {
             accessId = await BotService.decryptSymmetric({
-                workspaceId: integrationAuth.workspace.toString(),
+                workspaceId: integrationAuth.workspace,
                 ciphertext: integrationAuth.accessIdCiphertext as string,
                 iv: integrationAuth.accessIdIV as string,
                 tag: integrationAuth.accessIdTag as string
@@ -283,7 +391,7 @@ const setIntegrationAuthRefreshHelper = async ({
         if (!integrationAuth) throw new Error('Failed to find integration auth');
         
         const obj = await BotService.encryptSymmetric({
-            workspaceId: integrationAuth.workspace.toString(),
+            workspaceId: integrationAuth.workspace,
             plaintext: refreshToken
         });
         
@@ -332,14 +440,14 @@ const setIntegrationAuthAccessHelper = async ({
         if (!integrationAuth) throw new Error('Failed to find integration auth');
         
         const encryptedAccessTokenObj = await BotService.encryptSymmetric({
-            workspaceId: integrationAuth.workspace.toString(),
+            workspaceId: integrationAuth.workspace,
             plaintext: accessToken
         });
         
         let encryptedAccessIdObj;
         if (accessId) {
             encryptedAccessIdObj = await BotService.encryptSymmetric({
-                workspaceId: integrationAuth.workspace.toString(),
+                workspaceId: integrationAuth.workspace,
                 plaintext: accessId
             }); 
         }
@@ -367,6 +475,7 @@ const setIntegrationAuthAccessHelper = async ({
 }
 
 export {
+    validateClientForIntegration,
     handleOAuthExchangeHelper,
     syncIntegrationsHelper,
     getIntegrationAuthRefreshHelper,

backend/src/helpers/integrationAuth.ts

@@ -0,0 +1,108 @@
+import { Types } from 'mongoose';
+import {
+    IntegrationAuth,
+    IUser,
+    User,
+    IServiceAccount,
+    ServiceAccount,
+    IServiceTokenData,
+    ServiceTokenData,
+    IWorkspace
+} from '../models';
+import { 
+    AUTH_MODE_JWT,
+    AUTH_MODE_SERVICE_ACCOUNT,
+    AUTH_MODE_SERVICE_TOKEN,
+    AUTH_MODE_API_KEY
+} from '../variables';
+import {
+    IntegrationAuthNotFoundError,
+    UnauthorizedRequestError
+} from '../utils/errors';
+import { IntegrationService } from '../services';
+import { validateUserClientForWorkspace } from '../helpers/user';
+import { validateServiceAccountClientForWorkspace } from '../helpers/serviceAccount';
+
+/**
+ * Validate authenticated clients for integration authorization with id [integrationAuthId] based
+ * on any known permissions.
+ * @param {Object} obj
+ * @param {Object} obj.authData - authenticated client details
+ * @param {Types.ObjectId} obj.integrationAuthId - id of integration authorization to validate against
+ * @param {Array<'admin' | 'member'>} obj.acceptedRoles - accepted workspace roles
+ * @param {String[]} obj.requiredPermissions - required permissions as part of the endpoint
+ */
+ const validateClientForIntegrationAuth = async ({
+    authData,
+    integrationAuthId,
+    acceptedRoles,
+    attachAccessToken
+}: {
+    authData: {
+		authMode: string;
+		authPayload: IUser | IServiceAccount | IServiceTokenData;
+	};
+    integrationAuthId: Types.ObjectId;
+    acceptedRoles: Array<'admin' | 'member'>;
+    attachAccessToken?: boolean;
+}) => {
+
+    const integrationAuth = await IntegrationAuth
+        .findById(integrationAuthId)
+        .populate<{ workspace: IWorkspace }>('workspace')
+        .select(
+			'+refreshCiphertext +refreshIV +refreshTag +accessCiphertext +accessIV +accessTag +accessExpiresAt'
+        );
+    
+    if (!integrationAuth) throw IntegrationAuthNotFoundError();
+    
+    let accessToken;
+    if (attachAccessToken) {
+        accessToken = (await IntegrationService.getIntegrationAuthAccess({
+            integrationAuthId: integrationAuth._id
+        })).accessToken;
+    }
+    
+    if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
+        await validateUserClientForWorkspace({
+            user: authData.authPayload,
+            workspaceId: integrationAuth.workspace._id,
+            acceptedRoles
+        });
+
+        return ({ integrationAuth, accessToken });
+    }
+    
+    if (authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && authData.authPayload instanceof ServiceAccount) {
+        await validateServiceAccountClientForWorkspace({
+            serviceAccount: authData.authPayload,
+            workspaceId: integrationAuth.workspace._id
+        });
+
+        return ({ integrationAuth, accessToken });
+    }
+
+    if (authData.authMode === AUTH_MODE_SERVICE_TOKEN && authData.authPayload instanceof ServiceTokenData) {
+        throw UnauthorizedRequestError({
+            message: 'Failed service token authorization for integration authorization'
+        });
+    }
+
+    if (authData.authMode === AUTH_MODE_API_KEY && authData.authPayload instanceof User) {
+        await validateUserClientForWorkspace({
+            user: authData.authPayload,
+            workspaceId: integrationAuth.workspace._id,
+            acceptedRoles
+        });
+
+        return ({ integrationAuth, accessToken });
+    }
+    
+    throw UnauthorizedRequestError({
+        message: 'Failed client authorization for integration authorization'
+    });
+}
+
+export {
+    validateClientForIntegrationAuth
+};

backend/src/helpers/membership.ts

@@ -1,5 +1,106 @@
 import * as Sentry from '@sentry/node';
-import { Membership, Key } from '../models';
+import { Types } from 'mongoose';
+import { 
+	Membership, 
+	Key,
+	IUser,
+	User,
+	IServiceAccount,
+	ServiceAccount,
+	IServiceTokenData,
+	ServiceTokenData
+} from '../models';
+import {
+	MembershipNotFoundError,
+	BadRequestError,
+	UnauthorizedRequestError
+} from '../utils/errors';
+import {
+	AUTH_MODE_JWT,
+	AUTH_MODE_SERVICE_ACCOUNT,
+	AUTH_MODE_SERVICE_TOKEN,
+	AUTH_MODE_API_KEY
+} from '../variables';
+import {
+	validateUserClientForWorkspace
+} from '../helpers/user';
+import {
+	validateServiceAccountClientForWorkspace
+} from '../helpers/serviceAccount';
+import {
+	validateServiceTokenDataClientForWorkspace
+} from '../helpers/serviceTokenData';
+
+/**
+ * Validate authenticated clients for membership with id [membershipId] based
+ * on any known permissions.
+ * @param {Object} obj
+ * @param {Object} obj.authData - authenticated client details
+ * @param {Types.ObjectId} obj.membershipId - id of membership to validate against
+ * @param {Array<'admin' | 'member'>} obj.acceptedRoles - accepted workspaceRoles
+ * @returns {Membership} - validated membership
+ */
+const validateClientForMembership = async ({
+	authData,
+	membershipId,
+	acceptedRoles
+}: {
+	authData: {
+		authMode: string;
+		authPayload: IUser | IServiceAccount | IServiceTokenData;
+	};
+	membershipId: Types.ObjectId;
+    acceptedRoles: Array<'admin' | 'member'>;
+}) => {
+	
+	const membership = await Membership.findById(membershipId);
+	
+	if (!membership) throw MembershipNotFoundError({
+		message: 'Failed to find membership'
+	});
+
+	if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
+		await validateUserClientForWorkspace({
+			user: authData.authPayload,
+			workspaceId: membership.workspace,
+			acceptedRoles
+		});
+		
+		return membership;
+	}
+	
+	if (authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && authData.authPayload instanceof ServiceAccount) {
+		await validateServiceAccountClientForWorkspace({
+			serviceAccount: authData.authPayload,
+			workspaceId: membership.workspace
+		});
+
+		return membership;
+	}
+	
+	if (authData.authMode === AUTH_MODE_SERVICE_TOKEN && authData.authPayload instanceof ServiceTokenData) {
+		await validateServiceTokenDataClientForWorkspace({
+			serviceTokenData: authData.authPayload,
+			workspaceId: new Types.ObjectId(membership.workspace)
+		});
+		
+		return membership;
+	}
+
+	if (authData.authMode == AUTH_MODE_API_KEY && authData.authPayload instanceof User) {
+		await validateUserClientForWorkspace({
+			user: authData.authPayload,
+			workspaceId: membership.workspace,
+			acceptedRoles 
+		});
+		
+		return membership;
+	}
+	
+	throw UnauthorizedRequestError({
+		message: 'Failed client authorization for membership'
+	});
+}
 
 /**
  * Validate that user with id [userId] is a member of workspace with id [workspaceId]
@@ -14,28 +115,24 @@ const validateMembership = async ({
 	workspaceId,
 	acceptedRoles,
 }: {
-	userId: string;
-	workspaceId: string;
-	acceptedRoles: string[];
+	userId: Types.ObjectId;
+	workspaceId: Types.ObjectId;
+	acceptedRoles?: Array<'admin' | 'member'>;
 }) => {
 	
-	let membership;
-	//TODO: Refactor code to take advantage of using RequestError. It's possible to create new types of errors for more detailed errors
-	try {
-		membership = await Membership.findOne({
-			user: userId,
-			workspace: workspaceId
-		}).populate("workspace");
-		
-		if (!membership) throw new Error('Failed to find membership');
-		
+	const membership = await Membership.findOne({
+		user: userId,
+		workspace: workspaceId
+	}).populate("workspace");
+	
+	if (!membership) {
+		throw MembershipNotFoundError({ message: 'Failed to find workspace membership' });
+	}
+	
+	if (acceptedRoles) {
 		if (!acceptedRoles.includes(membership.role)) {
-			throw new Error('Failed to validate membership role');
+			throw BadRequestError({ message: 'Failed authorization for membership role' });
 		}
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to validate membership');
 	}
 	
 	return membership;
@@ -133,6 +230,7 @@ const deleteMembership = async ({ membershipId }: { membershipId: string }) => {
 };
 
 export { 
+	validateClientForMembership,
 	validateMembership,
 	addMemberships, 
 	findMembership, 

backend/src/helpers/membershipOrg.ts

@@ -1,40 +1,140 @@
 import * as Sentry from '@sentry/node';
 import { Types } from 'mongoose';
-import { MembershipOrg, Workspace, Membership, Key } from '../models';
+import { 
+	MembershipOrg, 
+	Workspace, 
+	Membership, 
+	Key,
+	IUser,
+	User,
+	IServiceAccount,
+	ServiceAccount,
+	IServiceTokenData,
+	ServiceTokenData
+} from '../models';
+import {
+	MembershipOrgNotFoundError,
+	BadRequestError,
+	UnauthorizedRequestError
+} from '../utils/errors';
+import {
+	AUTH_MODE_JWT,
+	AUTH_MODE_SERVICE_ACCOUNT,
+	AUTH_MODE_SERVICE_TOKEN,
+	AUTH_MODE_API_KEY
+} from '../variables';
+
+/**
+ * Validate authenticated clients for organization membership with id [membershipOrgId] based
+ * on any known permissions.
+ * @param {Object} obj
+ * @param {Object} obj.authData - authenticated client details
+ * @param {Types.ObjectId} obj.membershipOrgId - id of organization membership to validate against
+ * @param {Array<'owner' | 'admin' | 'member'>} obj.acceptedRoles - accepted organization roles
+ * @param {MembershipOrg} - validated organization membership
+ */
+const validateClientForMembershipOrg = async ({
+	authData,
+	membershipOrgId,
+	acceptedRoles,
+	acceptedStatuses
+}: {
+	authData: {
+		authMode: string;
+		authPayload: IUser | IServiceAccount | IServiceTokenData;
+	};
+	membershipOrgId: Types.ObjectId;
+    acceptedRoles: Array<'owner' | 'admin' | 'member'>;
+    acceptedStatuses: Array<'invited' | 'accepted'>;
+}) => {
+	const membershipOrg = await MembershipOrg.findById(membershipOrgId);
+
+	if (!membershipOrg) throw MembershipOrgNotFoundError({
+		message: 'Failed to find organization membership '
+	});
+
+	if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
+		await validateMembershipOrg({
+			userId: authData.authPayload._id,
+			organizationId: membershipOrg.organization,
+			acceptedRoles,
+			acceptedStatuses
+		});
+		
+		return membershipOrg;
+	}
+
+	if (authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && authData.authPayload instanceof ServiceAccount) {
+		if (!authData.authPayload.organization.equals(membershipOrg.organization)) throw UnauthorizedRequestError({
+			message: 'Failed service account client authorization for organization membership'
+		});
+		
+		return membershipOrg;
+	}
+
+	if (authData.authMode === AUTH_MODE_SERVICE_TOKEN && authData.authPayload instanceof ServiceTokenData) {
+		throw UnauthorizedRequestError({
+			message: 'Failed service account client authorization for organization membership'
+		});
+	}
+	
+	if (authData.authMode === AUTH_MODE_API_KEY && authData.authPayload instanceof User) {
+		await validateMembershipOrg({
+			userId: authData.authPayload._id,
+			organizationId: membershipOrg.organization,
+			acceptedRoles,
+			acceptedStatuses
+		});
+		
+		return membershipOrg;
+	}
+	
+	throw UnauthorizedRequestError({
+		message: 'Failed client authorization for organization membership'
+	});
+}
 
 /**
  * Validate that user with id [userId] is a member of organization with id [organizationId]
  * and has at least one of the roles in [acceptedRoles]
- *
+ * @param {Object} obj
+ * @param {Types.ObjectId} obj.userId
+ * @param {Types.ObjectId} obj.organizationId
+ * @param {String[]} obj.acceptedRoles
  */
-const validateMembership = async ({
+const validateMembershipOrg = async ({
 	userId,
 	organizationId,
-	acceptedRoles
+	acceptedRoles,
+	acceptedStatuses
 }: {
-	userId: string;
-	organizationId: string;
-	acceptedRoles: string[];
+	userId: Types.ObjectId;
+	organizationId: Types.ObjectId;
+	acceptedRoles?: Array<'owner' | 'admin' | 'member'>;
+	acceptedStatuses?: Array<'invited' | 'accepted'>;
 }) => {
-	let membership;
-	try {
-		membership = await MembershipOrg.findOne({
-			user: new Types.ObjectId(userId),
-			organization: new Types.ObjectId(organizationId)
-		});
-		
-		if (!membership) throw new Error('Failed to find organization membership');
-		
-		if (!acceptedRoles.includes(membership.role)) {
-			throw new Error('Failed to validate organization membership role');
-		}
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to validate organization membership');
+	const membershipOrg = await MembershipOrg.findOne({
+		user: userId,
+		organization: organizationId
+	});
+	
+	if (!membershipOrg) {
+		throw MembershipOrgNotFoundError({ message: 'Failed to find organization membership' });
 	}
 	
-	return membership;
+	if (acceptedRoles) {
+		if (!acceptedRoles.includes(membershipOrg.role)) {
+			throw UnauthorizedRequestError({ message: 'Failed to validate organization membership role' });
+		}
+	}
+	
+	if (acceptedStatuses) {
+		if (!acceptedStatuses.includes(membershipOrg.status)) {
+			throw UnauthorizedRequestError({ message: 'Failed to validate organization membership status' });
+		}
+	}
+	
+	return membershipOrg;
 }
 
 /**
@@ -156,7 +256,8 @@ const deleteMembershipOrg = async ({
 };
 
 export {
-	validateMembership,
+	validateClientForMembershipOrg,
+	validateMembershipOrg,
 	findMembershipOrg,
 	addMembershipsOrg, 
 	deleteMembershipOrg 

backend/src/helpers/nodemailer.ts

@@ -1,9 +1,9 @@
+import * as Sentry from '@sentry/node';
 import fs from 'fs';
 import path from 'path';
 import handlebars from 'handlebars';
 import nodemailer from 'nodemailer';
-import { SMTP_FROM_NAME, SMTP_FROM_ADDRESS } from '../config';
-import * as Sentry from '@sentry/node';
+import { getSmtpFromName, getSmtpFromAddress, getSmtpConfigured } from '../config';
 
 let smtpTransporter: nodemailer.Transporter;
 
@@ -25,23 +25,25 @@ const sendMail = async ({
   recipients: string[];
   substitutions: any;
 }) => {
-  try {
-    const html = fs.readFileSync(
-      path.resolve(__dirname, '../templates/' + template),
-      'utf8'
-    );
-    const temp = handlebars.compile(html);
-    const htmlToSend = temp(substitutions);
+  if (await getSmtpConfigured()) {
+    try {
+      const html = fs.readFileSync(
+        path.resolve(__dirname, '../templates/' + template),
+        'utf8'
+      );
+      const temp = handlebars.compile(html);
+      const htmlToSend = temp(substitutions);
 
-    await smtpTransporter.sendMail({
-      from: `"${SMTP_FROM_NAME}" <${SMTP_FROM_ADDRESS}>`,
-      to: recipients.join(', '),
-      subject: subjectLine,
-      html: htmlToSend
-    });
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
+      await smtpTransporter.sendMail({
+        from: `"${await getSmtpFromName()}" <${await getSmtpFromAddress()}>`,
+        to: recipients.join(', '),
+        subject: subjectLine,
+        html: htmlToSend
+      });
+    } catch (err) {
+      Sentry.setUser(null);
+      Sentry.captureException(err);
+    }
   }
 };
 

backend/src/helpers/organization.ts

@@ -1,23 +1,110 @@
 import * as Sentry from '@sentry/node';
 import Stripe from 'stripe';
-import {
-	STRIPE_SECRET_KEY,
-	STRIPE_PRODUCT_STARTER,
-	STRIPE_PRODUCT_TEAM,
-	STRIPE_PRODUCT_PRO
-} from '../config';
-const stripe = new Stripe(STRIPE_SECRET_KEY, {
-	apiVersion: '2022-08-01'
-});
 import { Types } from 'mongoose';
-import { ACCEPTED } from '../variables';
+import {
+	IUser,
+	User,
+	IServiceAccount,
+	ServiceAccount,
+	IServiceTokenData,
+	ServiceTokenData
+} from '../models';
 import { Organization, MembershipOrg } from '../models';
+import { 
+	ACCEPTED,
+	AUTH_MODE_JWT,
+	AUTH_MODE_SERVICE_ACCOUNT,
+	AUTH_MODE_SERVICE_TOKEN,
+	AUTH_MODE_API_KEY,
+	OWNER
+} from '../variables';
+import { 
+	getStripeSecretKey,
+	getStripeProductPro,
+	getStripeProductTeam,
+	getStripeProductStarter
+} from '../config';
+import {
+	UnauthorizedRequestError,
+	OrganizationNotFoundError
+} from '../utils/errors';
+import {
+	validateUserClientForOrganization
+} from '../helpers/user';
+import {
+	validateServiceAccountClientForOrganization
+} from '../helpers/serviceAccount';
 
-const productToPriceMap = {
-	starter: STRIPE_PRODUCT_STARTER,
-	team: STRIPE_PRODUCT_TEAM,
-	pro: STRIPE_PRODUCT_PRO
-};
+/**
+ * Validate accepted clients for organization with id [organizationId]
+ * @param {Object} obj
+ * @param {Object} obj.authData - authenticated client details
+ * @param {Types.ObjectId} obj.organizationId - id of organization to validate against
+ */
+const validateClientForOrganization = async ({
+	authData,
+	organizationId,
+	acceptedRoles,
+	acceptedStatuses
+}: {
+	authData: {
+		authMode: string;
+		authPayload: IUser | IServiceAccount | IServiceTokenData;
+	},
+	organizationId: Types.ObjectId;
+	acceptedRoles: Array<'owner' | 'admin' | 'member'>;
+	acceptedStatuses: Array<'invited' | 'accepted'>;
+}) => {
+	
+	const organization = await Organization.findById(organizationId);
+	
+	if (!organization) {
+		throw OrganizationNotFoundError({
+			message: 'Failed to find organization'
+		});
+	}
+	
+	if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
+		const membershipOrg = await validateUserClientForOrganization({
+			user: authData.authPayload,
+			organization,
+			acceptedRoles,
+			acceptedStatuses
+		});
+		
+		return ({ organization, membershipOrg });
+	}
+
+	if (authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && authData.authPayload instanceof ServiceAccount) {
+		await validateServiceAccountClientForOrganization({
+			serviceAccount: authData.authPayload,
+			organization
+		});
+		
+		return ({ organization });
+	}
+
+	if (authData.authMode === AUTH_MODE_SERVICE_TOKEN && authData.authPayload instanceof ServiceTokenData) {
+		throw UnauthorizedRequestError({
+			message: 'Failed service token authorization for organization'
+		});
+	}
+
+	if (authData.authMode === AUTH_MODE_API_KEY && authData.authPayload instanceof User) {
+		const membershipOrg = await validateUserClientForOrganization({
+			user: authData.authPayload,
+			organization,
+			acceptedRoles,
+			acceptedStatuses
+		});
+		
+		return ({ organization, membershipOrg });
+	}
+	
+	throw UnauthorizedRequestError({
+		message: 'Failed client authorization for organization'
+	});
+}
 
 /**
  * Create an organization with name [name]
@@ -36,8 +123,11 @@ const createOrganization = async ({
 	let organization;
 	try {
 		// register stripe account
+		const stripe = new Stripe(await getStripeSecretKey(), {
+			apiVersion: '2022-08-01'
+		});
 
-		if (STRIPE_SECRET_KEY) {
+		if (await getStripeSecretKey()) {
 			const customer = await stripe.customers.create({
 				email,
 				description: name
@@ -87,6 +177,16 @@ const initSubscriptionOrg = async ({
 		if (organization) {
 			if (organization.customerId) {
 				// initialize starter subscription with quantity of 0
+				const stripe = new Stripe(await getStripeSecretKey(), {
+					apiVersion: '2022-08-01'
+				});
+
+				const productToPriceMap = {
+					starter: await getStripeProductStarter(),
+					team: await getStripeProductTeam(),
+					pro: await getStripeProductPro()
+				};
+
 				stripeSubscription = await stripe.subscriptions.create({
 					customer: organization.customerId,
 					items: [
@@ -139,6 +239,10 @@ const updateSubscriptionOrgQuantity = async ({
 				status: ACCEPTED
 			});
 
+			const stripe = new Stripe(await getStripeSecretKey(), {
+				apiVersion: '2022-08-01'
+			});
+
 			const subscription = (
 				await stripe.subscriptions.list({
 					customer: organization.customerId
@@ -164,7 +268,8 @@ const updateSubscriptionOrgQuantity = async ({
 };
 
 export {
+	validateClientForOrganization,
 	createOrganization,
 	initSubscriptionOrg,
 	updateSubscriptionOrgQuantity
-};
+};

backend/src/helpers/rateLimiter.ts

@@ -15,7 +15,7 @@ const apiLimiter = rateLimit({
 });
 
 // 10 requests per minute
-const authLimiter = rateLimit({
+const authLimit = rateLimit({
   windowMs: 60 * 1000,
   max: 10,
   standardHeaders: true,
@@ -36,8 +36,16 @@ const passwordLimiter = rateLimit({
   }
 });
 
-export { 
-  apiLimiter, 
-  authLimiter,
-  passwordLimiter 
+const authLimiter = (req: any, res: any, next: any) => {
+  if (process.env.NODE_ENV === 'production') {
+    authLimit(req, res, next);
+  } else {
+    next();
+  }
+};
+
+export {
+  apiLimiter,
+  authLimiter,
+  passwordLimiter
 };

backend/src/helpers/secret.ts

@@ -10,7 +10,8 @@ import {
 	EELogService
 } from '../ee/services';
 import {
-	IAction
+	IAction,
+	SecretVersion
 } from '../ee/models';
 import {
 	SECRET_SHARED,
@@ -21,60 +22,8 @@ import {
 	ACTION_READ_SECRETS
 } from '../variables';
 import _ from 'lodash';
-import { ABILITY_WRITE } from '../variables/organization';
 import { BadRequestError, UnauthorizedRequestError } from '../utils/errors';
 
-/**
- * Validate that user with id [userId] can modify secrets with ids [secretIds]
- * @param {Object} obj
- * @param {Object} obj.userId - id of user to validate
- * @param {Object} obj.secretIds - secret ids
- * @returns {Secret[]} secrets
- */
-const validateSecrets = async ({
-	userId,
-	secretIds
-}: {
-	userId: string;
-	secretIds: string[];
-}) => {
-	let secrets;
-	try {
-		secrets = await Secret.find({
-			_id: {
-				$in: secretIds.map((secretId: string) => new Types.ObjectId(secretId))
-			}
-		});
-
-		if (secrets.length != secretIds.length) {
-			throw BadRequestError({ message: 'Unable to validate some secrets' })
-		}
-
-		const userMemberships = await Membership.find({ user: userId })
-		const userMembershipById = _.keyBy(userMemberships, 'workspace');
-		const workspaceIdsSet = new Set(userMemberships.map((m) => m.workspace.toString()));
-
-		// for each secret check if the secret belongs to a workspace the user is a member of
-		secrets.forEach((secret: ISecret) => {
-			if (workspaceIdsSet.has(secret.workspace.toString())) {
-				const deniedMembershipPermissions = userMembershipById[secret.workspace.toString()].deniedPermissions;
-				const isDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: secret.environment, ability: ABILITY_WRITE });
-
-				if (isDisallowed) {
-					throw UnauthorizedRequestError({ message: 'You do not have the required permissions to perform this action' });
-				}
-			} else {
-				throw BadRequestError({ message: 'You cannot edit secrets of a workspace you are not a member of' });
-			}
-		});
-
-	} catch (err) {
-		throw BadRequestError({ message: 'Unable to validate secrets' })
-	}
-
-	return secrets;
-}
-
 interface V1PushSecret {
 	ciphertextKey: string;
 	ivKey: string;
@@ -241,8 +190,7 @@ const v1PushSecrets = async ({
 				secretKeyHash,
 			}) => {
 				const newSecret = newSecretsObj[`${type}-${secretKeyHash}`];
-				return ({
-					_id: new Types.ObjectId(),
+				return new SecretVersion({
 					secret: _id,
 					version: version ? version + 1 : 1,
 					workspace: new Types.ObjectId(workspaceId),
@@ -267,7 +215,7 @@ const v1PushSecrets = async ({
 
 		if (toAdd.length > 0) {
 			// add secrets
-			const newSecrets = await Secret.insertMany(
+			const newSecrets: ISecret[] = (await Secret.insertMany(
 				toAdd.map((s, idx) => {
 					const obj: any = {
 						version: 1,
@@ -294,7 +242,7 @@ const v1PushSecrets = async ({
 
 					return obj;
 				})
-			);
+			)).map((insertedSecret) => insertedSecret.toObject());
 
 			// (EE) add secret versions for new secrets
 			EESecretService.addSecretVersions({
@@ -313,8 +261,7 @@ const v1PushSecrets = async ({
 					secretValueIV,
 					secretValueTag,
 					secretValueHash
-				}) => ({
-					_id: new Types.ObjectId(),
+				}) => new SecretVersion({
 					secret: _id,
 					version,
 					workspace,
@@ -336,7 +283,7 @@ const v1PushSecrets = async ({
 
 		// (EE) take a secret snapshot
 		await EESecretService.takeSecretSnapshot({
-			workspaceId
+			workspaceId: new Types.ObjectId(workspaceId)
 		});
 	} catch (err) {
 		Sentry.setUser(null);
@@ -527,12 +474,12 @@ const v2PushSecrets = async ({
 
 			// (EE) add secret versions for new secrets
 			EESecretService.addSecretVersions({
-				secretVersions: newSecrets.map((secretDocument) => {
-					return {
-						...secretDocument.toObject(),
+				secretVersions: newSecrets.map((secretDocument: ISecret) => {
+					return new SecretVersion({
+						...secretDocument,
 						secret: secretDocument._id,
 						isDeleted: false
-					}
+					})
 				})
 			});
 
@@ -547,7 +494,7 @@ const v2PushSecrets = async ({
 
 		// (EE) take a secret snapshot
 		await EESecretService.takeSecretSnapshot({
-			workspaceId
+			workspaceId: new Types.ObjectId(workspaceId)
 		})
 
 		// (EE) create (audit) log
@@ -714,7 +661,6 @@ const reformatPullSecrets = ({ secrets }: { secrets: ISecret[] }) => {
 };
 
 export {
-	validateSecrets,
 	v1PushSecrets,
 	v2PushSecrets,
 	pullSecrets,

backend/src/helpers/secrets.ts

@@ -0,0 +1,947 @@
+import { Types } from 'mongoose';
+import {
+    CreateSecretParams,
+    GetSecretsParams,
+    GetSecretParams,
+    UpdateSecretParams,
+    DeleteSecretParams
+} from '../interfaces/services/SecretService';
+import {
+    AuthData
+} from '../interfaces/middleware';
+import {
+    User,
+    Workspace,
+    ServiceAccount,
+    ServiceTokenData,
+    Secret,
+    ISecret,
+    SecretBlindIndexData,
+} from '../models';
+import { SecretVersion } from '../ee/models';
+import {
+    validateMembership
+} from '../helpers/membership';
+import {
+    validateUserClientForSecret,
+    validateUserClientForSecrets
+} from '../helpers/user';
+import {
+    validateServiceTokenDataClientForSecrets, 
+    validateServiceTokenDataClientForWorkspace
+} from '../helpers/serviceTokenData';
+import {
+    validateServiceAccountClientForSecrets,
+    validateServiceAccountClientForWorkspace
+} from '../helpers/serviceAccount';
+import { 
+    BadRequestError, 
+    UnauthorizedRequestError,
+    SecretNotFoundError,
+    SecretBlindIndexDataNotFoundError
+} from '../utils/errors';
+import {
+    AUTH_MODE_JWT,
+    AUTH_MODE_SERVICE_ACCOUNT,
+    AUTH_MODE_SERVICE_TOKEN,
+    AUTH_MODE_API_KEY,
+    SECRET_PERSONAL,
+    SECRET_SHARED,
+    ACTION_ADD_SECRETS,
+    ACTION_READ_SECRETS,
+    ACTION_UPDATE_SECRETS,
+    ACTION_DELETE_SECRETS
+} from '../variables';
+import crypto from 'crypto';
+import * as argon2 from 'argon2';
+import { 
+    encryptSymmetric,
+    decryptSymmetric
+} from '../utils/crypto';
+import { getEncryptionKey } from '../config';
+import { TelemetryService } from '../services';
+import {
+    EESecretService,
+    EELogService
+} from '../ee/services';
+import {
+    getAuthDataPayloadIdObj,
+    getAuthDataPayloadUserObj
+} from '../utils/auth';
+
+/**
+ * Validate authenticated clients for secrets with id [secretId] based
+ * on any known permissions.
+ * @param {Object} obj
+ * @param {Object} obj.authData - authenticated client details
+ * @param {Types.ObjectId} obj.secretId - id of secret to validate against
+ * @param {Array<'admin' | 'member'>} obj.acceptedRoles - accepted workspace roles
+ * @param {String[]} obj.requiredPermissions - required permissions as part of the endpoint
+ */
+const validateClientForSecret = async ({
+    authData,
+    secretId,
+    acceptedRoles,
+    requiredPermissions
+}: {
+    authData: AuthData;
+    secretId: Types.ObjectId;
+    acceptedRoles: Array<'admin' | 'member'>;
+    requiredPermissions: string[];
+}) => {
+    const secret = await Secret.findById(secretId);
+
+    if (!secret) throw SecretNotFoundError({
+        message: 'Failed to find secret'
+    });
+
+    if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
+        await validateUserClientForSecret({
+            user: authData.authPayload,
+            secret,
+            acceptedRoles,
+            requiredPermissions
+        });
+
+        return secret;
+    }
+
+    if (authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && authData.authPayload instanceof ServiceAccount) {
+        await validateServiceAccountClientForWorkspace({
+            serviceAccount: authData.authPayload,
+            workspaceId: secret.workspace,
+            environment: secret.environment,
+            requiredPermissions
+        });
+        
+        return secret;
+    }
+
+    if (authData.authMode === AUTH_MODE_SERVICE_TOKEN && authData.authPayload instanceof ServiceTokenData) {
+        await validateServiceTokenDataClientForWorkspace({
+            serviceTokenData: authData.authPayload,
+            workspaceId: secret.workspace,
+            environment: secret.environment
+        });
+    
+        return secret;
+    }
+    
+    if (authData.authMode === AUTH_MODE_API_KEY && authData.authPayload instanceof User) {
+        await validateUserClientForSecret({
+            user: authData.authPayload,
+            secret,
+            acceptedRoles,
+            requiredPermissions
+        });
+
+        return secret;
+    }
+    
+    throw UnauthorizedRequestError({
+        message: 'Failed client authorization for secret'
+    });
+}
+
+/**
+ * Validate authenticated clients for secrets with ids [secretIds] based
+ * on any known permissions.
+ * @param {Object} obj
+ * @param {Object} obj.authData - authenticated client details
+ * @param {Types.ObjectId[]} obj.secretIds - id of workspace to validate against
+ * @param {String} obj.environment - (optional) environment in workspace to validate against
+ * @param {Array<'admin' | 'member'>} obj.acceptedRoles - accepted workspace roles
+ * @param {String[]} obj.requiredPermissions - required permissions as part of the endpoint
+ */
+const validateClientForSecrets = async ({
+    authData,
+    secretIds,
+    requiredPermissions
+}: {
+    authData: AuthData;
+    secretIds: Types.ObjectId[];
+    requiredPermissions: string[];
+}) => {
+
+    let secrets: ISecret[] = [];
+    
+    secrets = await Secret.find({
+        _id: {
+            $in: secretIds
+        }
+    });
+
+    if (secrets.length != secretIds.length) {
+        throw BadRequestError({ message: 'Failed to validate non-existent secrets' })
+    }
+
+    if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
+        await validateUserClientForSecrets({
+            user: authData.authPayload,
+            secrets,
+            requiredPermissions
+        });
+        
+        return secrets;
+    }
+    
+    if (authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && authData.authPayload instanceof ServiceAccount) {
+        await validateServiceAccountClientForSecrets({
+            serviceAccount: authData.authPayload,
+            secrets,
+            requiredPermissions
+        });
+        
+        return secrets;
+    }
+        
+    if (authData.authMode === AUTH_MODE_SERVICE_TOKEN && authData.authPayload instanceof ServiceTokenData) {
+        await validateServiceTokenDataClientForSecrets({
+            serviceTokenData: authData.authPayload,
+            secrets,
+            requiredPermissions
+        });
+        
+        return secrets;
+    }
+
+    if (authData.authMode === AUTH_MODE_API_KEY && authData.authPayload instanceof User) {
+        await validateUserClientForSecrets({
+            user: authData.authPayload,
+            secrets,
+            requiredPermissions
+        });
+        
+        return secrets;
+    }
+
+    throw UnauthorizedRequestError({
+        message: 'Failed client authorization for secrets resource'
+    });
+}
+
+/**
+ * Initialize secret blind index data by setting previously
+ * un-initialized projects to have secret blind index data
+ * (Ensures that all projects have associated blind index data)
+ */
+const initSecretBlindIndexDataHelper = async () => {
+    const workspaceIdsBlindIndexed = await SecretBlindIndexData.distinct('workspace');
+    const workspaceIdsToBlindIndex = await Workspace.distinct('_id', {
+        _id: {
+            $nin: workspaceIdsBlindIndexed
+        }
+    });
+    
+    const secretBlindIndexDataToInsert = await Promise.all(
+        workspaceIdsToBlindIndex.map(async (workspaceToBlindIndex) => {
+            const salt = crypto.randomBytes(16).toString('base64');
+
+            const { 
+                ciphertext: encryptedSaltCiphertext,
+                iv: saltIV,
+                tag: saltTag
+            } = encryptSymmetric({
+                plaintext: salt,
+                key: await getEncryptionKey()
+            });
+
+            const secretBlindIndexData = new SecretBlindIndexData({
+                workspace: workspaceToBlindIndex,
+                encryptedSaltCiphertext,
+                saltIV,
+                saltTag
+            })
+            
+            return secretBlindIndexData;
+        })
+    );
+    
+    if (secretBlindIndexDataToInsert.length > 0) {
+        await SecretBlindIndexData.insertMany(secretBlindIndexDataToInsert);
+    }
+}
+
+/**
+ * Create secret blind index data containing encrypted blind index [salt]
+ * for workspace with id [workspaceId]
+ * @param {Object} obj
+ * @param {Types.ObjectId} obj.workspaceId
+ */
+const createSecretBlindIndexDataHelper = async ({
+    workspaceId
+}: {
+    workspaceId: Types.ObjectId;
+}) => {
+    // initialize random blind index salt for workspace
+    const salt = crypto.randomBytes(16).toString('base64');
+    
+    const { 
+        ciphertext: encryptedSaltCiphertext,
+        iv: saltIV,
+        tag: saltTag
+    } = encryptSymmetric({
+        plaintext: salt,
+        key: await getEncryptionKey()
+    });
+    
+    const secretBlindIndexData = await new SecretBlindIndexData({
+        workspace: workspaceId,
+        encryptedSaltCiphertext,
+        saltIV,
+        saltTag
+    }).save();
+    
+    return secretBlindIndexData;
+}
+
+/**
+ * Get secret blind index salt for workspace with id [workspaceId]
+ * @param {Object} obj
+ * @param {Types.ObjectId} obj.workspaceId - id of workspace to get salt for
+ * @returns 
+ */
+const getSecretBlindIndexSaltHelper = async ({
+    workspaceId
+}: {
+    workspaceId: Types.ObjectId;
+}) => {
+    // check if workspace blind index data exists
+    const secretBlindIndexData = await SecretBlindIndexData.findOne({
+        workspace: workspaceId
+    });
+    
+    if (!secretBlindIndexData) throw SecretBlindIndexDataNotFoundError();
+    
+    // decrypt workspace salt
+    const salt = decryptSymmetric({
+        ciphertext: secretBlindIndexData.encryptedSaltCiphertext,
+        iv: secretBlindIndexData.saltIV,
+        tag: secretBlindIndexData.saltTag,
+        key: await getEncryptionKey()
+    });
+    
+    return salt;
+}
+
+/**
+ * Generate blind index for secret with name [secretName]
+ * and salt [salt]
+ * @param {Object} obj
+ * @param {String} obj.secretName - name of secret to generate blind index for
+ * @param {String} obj.salt - base64-salt
+ */
+ const generateSecretBlindIndexWithSaltHelper = async ({
+    secretName,
+    salt
+}: {
+    secretName: string;
+    salt: string;
+}) => {
+
+    // generate secret blind index
+    const secretBlindIndex = (await argon2.hash(secretName, {
+        type: argon2.argon2id,
+        salt: Buffer.from(salt, 'base64'),
+        saltLength: 16, // default 16 bytes
+        memoryCost: 65536, // default pool of 64 MiB per thread.
+        hashLength: 32,
+        parallelism: 1,
+        raw: true
+    })).toString('base64');
+
+    return secretBlindIndex;
+}
+
+/**
+ * Generate blind index for secret with name [secretName] 
+ * for workspace with id [workspaceId]
+ * @param {Object} obj
+ * @param {Stringj} obj.secretName - name of secret to generate blind index for
+ * @param {Types.ObjectId} obj.workspaceId - id of workspace that secret belongs to
+ */
+const generateSecretBlindIndexHelper = async ({
+    secretName,
+    workspaceId
+}: {
+    secretName: string;
+    workspaceId: Types.ObjectId;
+}) => {
+
+    // check if workspace blind index data exists
+    const secretBlindIndexData = await SecretBlindIndexData.findOne({
+        workspace: workspaceId
+    });
+    
+    if (!secretBlindIndexData) throw SecretBlindIndexDataNotFoundError();
+    
+    // decrypt workspace salt
+    const salt = decryptSymmetric({
+        ciphertext: secretBlindIndexData.encryptedSaltCiphertext,
+        iv: secretBlindIndexData.saltIV,
+        tag: secretBlindIndexData.saltTag,
+        key: await getEncryptionKey()
+    });
+
+    const secretBlindIndex = await generateSecretBlindIndexWithSaltHelper({
+        secretName,
+        salt
+    });
+
+    return secretBlindIndex;
+}
+
+/**
+ * Create secret with name [secretName]
+ * @param {Object} obj
+ * @param {String} obj.secretName - name of secret to create
+ * @param {Types.ObjectId} obj.workspaceId - id of workspace to create secret for
+ * @param {String} obj.environment - environment in workspace to create secret for
+ * @param {'shared' | 'personal'} obj.type - type of secret
+ * @param {AuthData} obj.authData - authentication data on request
+ * @returns 
+ */
+const createSecretHelper = async ({
+    secretName,
+    workspaceId,
+    environment,
+    type,
+    authData,
+    secretKeyCiphertext,
+    secretKeyIV,
+    secretKeyTag,
+    secretValueCiphertext,
+    secretValueIV,
+    secretValueTag,
+    secretCommentCiphertext,
+    secretCommentIV,
+    secretCommentTag
+}: CreateSecretParams) => {
+    const secretBlindIndex = await generateSecretBlindIndexHelper({
+        secretName,
+        workspaceId: new Types.ObjectId(workspaceId)
+    });
+
+    const exists = await Secret.exists({
+        secretBlindIndex,
+        workspace: new Types.ObjectId(workspaceId),
+        type,
+        ...(type === SECRET_PERSONAL ? getAuthDataPayloadUserObj(authData) : {})
+    });
+    
+    if (exists) throw BadRequestError({
+        message: 'Failed to create secret that already exists'
+    });
+    
+    if (type === SECRET_PERSONAL) {
+        // case: secret type is personal -> check if a corresponding shared secret 
+        // with the same blind index [secretBlindIndex] exists
+
+        const exists = await Secret.exists({
+            secretBlindIndex,
+            workspace: new Types.ObjectId(workspaceId),
+            type: SECRET_SHARED
+        });
+        
+        if (!exists) throw BadRequestError({
+            message: 'Failed to create personal secret override for no corresponding shared secret'
+        });
+    }
+    
+    // create secret
+    const secret = await new Secret({
+        version: 1,
+        workspace: new Types.ObjectId(workspaceId),
+        environment,
+        type,
+        ...(type === SECRET_PERSONAL ? getAuthDataPayloadUserObj(authData) : {}),
+        secretBlindIndex,
+        secretKeyCiphertext,
+        secretKeyIV,
+        secretKeyTag,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag,
+        secretCommentCiphertext,
+        secretCommentIV,
+        secretCommentTag
+    }).save();
+    
+    const secretVersion = new SecretVersion({
+        secret: secret._id,
+        version: secret.version,
+        workspace: secret.workspace,
+        type,
+        ...(type === SECRET_PERSONAL ? getAuthDataPayloadUserObj(authData) : {}),
+        environment: secret.environment,
+        isDeleted: false,
+        secretBlindIndex,
+        secretKeyCiphertext,
+        secretKeyIV,
+        secretKeyTag,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag
+    });
+
+    // // (EE) add version for new secret
+    await EESecretService.addSecretVersions({
+        secretVersions: [secretVersion]
+    });
+
+    // (EE) create (audit) log
+    const action = await EELogService.createAction({
+        name: ACTION_ADD_SECRETS,
+        ...getAuthDataPayloadIdObj(authData),
+        workspaceId,
+        secretIds: [secret._id]
+    });
+    
+    action && await EELogService.createLog({
+        ...getAuthDataPayloadIdObj(authData),
+        workspaceId,
+        actions: [action],
+        channel: authData.authChannel,
+        ipAddress: authData.authIP
+    });
+    
+    // (EE) take a secret snapshot
+    await EESecretService.takeSecretSnapshot({
+        workspaceId
+    });
+
+    const postHogClient = await TelemetryService.getPostHogClient();
+
+    if (postHogClient) {
+        postHogClient.capture({
+            event: 'secrets added',
+            distinctId: await TelemetryService.getDistinctId({
+                authData
+            }),
+            properties: {
+                numberOfSecrets: 1,
+                environment,
+                workspaceId,
+                channel: authData.authChannel,
+                userAgent: authData.authUserAgent
+            }
+        });
+    }
+    
+    return secret;
+}
+
+/**
+ * Get secrets for workspace with id [workspaceId] and environment [environment]
+ * @param {Object} obj
+ * @param {Types.ObjectId} obj.workspaceId - id of workspace
+ * @param {String} obj.environment - environment in workspace
+ * @param {AuthData} obj.authData - authentication data on request
+ * @returns 
+ */
+const getSecretsHelper = async ({
+    workspaceId,
+    environment,
+    authData
+}: GetSecretsParams) => {
+    let secrets: ISecret[] = [];
+
+    // get personal secrets first
+    secrets = await Secret.find({
+        workspace: new Types.ObjectId(workspaceId),
+        environment,
+        type: SECRET_PERSONAL,
+        ...getAuthDataPayloadUserObj(authData)
+    });
+
+    // concat with shared secrets
+    secrets = secrets.concat(await Secret.find({
+        workspace: new Types.ObjectId(workspaceId),
+        environment,
+        type: SECRET_SHARED,
+        secretBlindIndex: {
+            $nin: secrets.map((secret) => secret.secretBlindIndex)
+        }
+    }));
+
+    // (EE) create (audit) log
+    const action = await EELogService.createAction({
+        name: ACTION_READ_SECRETS,
+        ...getAuthDataPayloadIdObj(authData),
+        workspaceId,
+        secretIds: secrets.map((secret) => secret._id)
+    });
+    
+    action && await EELogService.createLog({
+        ...getAuthDataPayloadIdObj(authData),
+        workspaceId,
+        actions: [action],
+        channel: authData.authChannel,
+        ipAddress: authData.authIP
+    });
+
+    const postHogClient = await TelemetryService.getPostHogClient();
+
+    if (postHogClient) {
+        postHogClient.capture({
+            event: 'secrets pulled',
+            distinctId: await TelemetryService.getDistinctId({
+                authData
+            }),
+            properties: {
+                numberOfSecrets: secrets.length,
+                environment,
+                workspaceId,
+                channel: authData.authChannel,
+                userAgent: authData.authUserAgent
+            }
+        });
+    }
+
+    return secrets;
+}
+
+/**
+ * Get secret with name [secretName]
+ * @param {Object} obj
+ * @param {String} obj.secretName - name of secret to get
+ * @param {Types.ObjectId} obj.workspaceId - id of workspace that secret belongs to
+ * @param {String} obj.environment - environment in workspace that secret belongs to
+ * @param {'shared' | 'personal'} obj.type - type of secret
+ * @param {AuthData} obj.authData - authentication data on request
+ * @returns 
+ */
+const getSecretHelper = async ({
+    secretName,
+    workspaceId,
+    environment,
+    type,
+    authData
+}: GetSecretParams) => {
+    const secretBlindIndex = await generateSecretBlindIndexHelper({
+        secretName,
+        workspaceId: new Types.ObjectId(workspaceId)
+    });
+    let secret: ISecret | null = null;
+    
+    // try getting personal secret first (if exists)
+    secret = await Secret.findOne({
+        secretBlindIndex,
+        workspace: new Types.ObjectId(workspaceId),
+        environment,
+        type: type ?? SECRET_PERSONAL,
+        ...(type === SECRET_PERSONAL ? getAuthDataPayloadUserObj(authData) : {})
+    });
+
+    if (!secret) {
+        // case: failed to find personal secret matching criteria
+        // -> find shared secret matching criteria
+        secret = await Secret.findOne({
+            secretBlindIndex,
+            workspace: new Types.ObjectId(workspaceId),
+            environment,
+            type: SECRET_SHARED
+        });
+    }
+    
+    if (!secret) throw SecretNotFoundError();
+    
+    // (EE) create (audit) log
+    const action = await EELogService.createAction({
+        name: ACTION_READ_SECRETS,
+        ...getAuthDataPayloadIdObj(authData),
+        workspaceId,
+        secretIds: [secret._id]
+    });
+    
+    action && await EELogService.createLog({
+        ...getAuthDataPayloadIdObj(authData),
+        workspaceId,
+        actions: [action],
+        channel: authData.authChannel,
+        ipAddress: authData.authIP
+    });
+
+    const postHogClient = await TelemetryService.getPostHogClient();
+
+    if (postHogClient) {
+        postHogClient.capture({
+            event: 'secrets pull',
+            distinctId: await TelemetryService.getDistinctId({
+                authData
+            }),
+            properties: {
+                numberOfSecrets: 1,
+                environment,
+                workspaceId,
+                channel: authData.authChannel,
+                userAgent: authData.authUserAgent
+            }
+        });
+    }
+
+    return secret;
+}
+
+/**
+ * Update secret with name [secretName]
+ * @param {Object} obj
+ * @param {String} obj.secretName - name of secret to update
+ * @param {Types.ObjectId} obj.workspaceId - id of workspace that secret belongs to
+ * @param {String} obj.environment - environment in workspace that secret belongs to
+ * @param {'shared' | 'personal'} obj.type - type of secret
+ * @param {String} obj.secretValueCiphertext - ciphertext of secret value
+ * @param {String} obj.secretValueIV - IV of secret value
+ * @param {String} obj.secretValueTag - tag of secret value
+ * @param {AuthData} obj.authData - authentication data on request
+ * @returns 
+ */
+const updateSecretHelper = async ({
+    secretName,
+    workspaceId,
+    environment,
+    type,
+    authData,
+    secretValueCiphertext,
+    secretValueIV,
+    secretValueTag
+}: UpdateSecretParams) => {
+    const secretBlindIndex = await generateSecretBlindIndexHelper({
+        secretName,
+        workspaceId: new Types.ObjectId(workspaceId)
+    });
+
+    let secret: ISecret | null = null;
+    
+    if (type === SECRET_SHARED) {
+        // case: update shared secret
+        secret = await Secret.findOneAndUpdate(
+            {
+                secretBlindIndex,
+                workspace: new Types.ObjectId(workspaceId),
+                environment,
+                type
+            },
+            {
+                secretValueCiphertext,
+                secretValueIV,
+                secretValueTag,
+                $inc: { version: 1 }
+            },
+            {
+                new: true
+            }
+        );
+    } else {
+        // case: update personal secret
+        
+        secret = await Secret.findOneAndUpdate(
+            {
+                secretBlindIndex,
+                workspace: new Types.ObjectId(workspaceId),
+                environment,
+                type,
+                ...getAuthDataPayloadUserObj(authData)
+            },
+            {
+                secretValueCiphertext,
+                secretValueIV,
+                secretValueTag,
+                $inc: { version: 1 }
+            },
+            {
+                new: true
+            }
+        );
+    }
+
+    if (!secret) throw SecretNotFoundError();
+
+    const secretVersion = new SecretVersion({
+        secret: secret._id,
+        version: secret.version,
+        workspace: secret.workspace,
+        type,
+        ...(type === SECRET_PERSONAL ? getAuthDataPayloadUserObj(authData) : {}),
+        environment: secret.environment,
+        isDeleted: false,
+        secretBlindIndex,
+        secretKeyCiphertext: secret.secretKeyCiphertext,
+        secretKeyIV: secret.secretKeyIV,
+        secretKeyTag: secret.secretKeyTag,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag
+    });
+
+    // (EE) add version for new secret
+    await EESecretService.addSecretVersions({
+        secretVersions: [secretVersion]
+    });
+
+    // (EE) create (audit) log
+    const action = await EELogService.createAction({
+        name: ACTION_UPDATE_SECRETS,
+        ...getAuthDataPayloadIdObj(authData),
+        workspaceId,
+        secretIds: [secret._id]
+    });
+    
+    action && await EELogService.createLog({
+        ...getAuthDataPayloadIdObj(authData),
+        workspaceId,
+        actions: [action],
+        channel: authData.authChannel,
+        ipAddress: authData.authIP
+    });
+    
+    // (EE) take a secret snapshot
+    await EESecretService.takeSecretSnapshot({
+        workspaceId
+    });
+
+    const postHogClient = await TelemetryService.getPostHogClient();
+
+    if (postHogClient) {
+        postHogClient.capture({
+            event: 'secrets modified',
+            distinctId: await TelemetryService.getDistinctId({
+                authData
+            }),
+            properties: {
+                numberOfSecrets: 1,
+                environment,
+                workspaceId,
+                channel: authData.authChannel,
+                userAgent: authData.authUserAgent
+            }
+        });
+    }
+
+    return secret;
+}
+
+/**
+ * Delete secret with name [secretName]
+ * @param {Object} obj
+ * @param {String} obj.secretName - name of secret to delete
+ * @param {Types.ObjectId} obj.workspaceId - id of workspace that secret belongs to
+ * @param {String} obj.environment - environment in workspace that secret belongs to
+ * @param {'shared' | 'personal'} obj.type - type of secret
+ * @param {AuthData} obj.authData - authentication data on request
+ * @returns 
+ */
+const deleteSecretHelper = async ({
+    secretName,
+    workspaceId,
+    environment,
+    type,
+    authData
+}: DeleteSecretParams) => {
+    const secretBlindIndex = await generateSecretBlindIndexHelper({
+        secretName,
+        workspaceId: new Types.ObjectId(workspaceId)
+    });
+
+    let secrets: ISecret[] = [];
+    let secret: ISecret | null = null;
+    
+    if (type === SECRET_SHARED) {
+        secrets = await Secret.find({
+            secretBlindIndex,
+            workspaceId: new Types.ObjectId(workspaceId),
+            environment
+        });
+        
+        secret = await Secret.findOneAndDelete({
+            secretBlindIndex,
+            workspaceId: new Types.ObjectId(workspaceId),
+            environment,
+            type
+        });
+        
+        await Secret.deleteMany({
+            secretBlindIndex,
+            workspaceId: new Types.ObjectId(workspaceId),
+            environment
+        });
+    } else {
+        secret = await Secret.findOneAndDelete({
+            secretBlindIndex,
+            workspaceId: new Types.ObjectId(workspaceId),
+            environment,
+            type,
+            ...getAuthDataPayloadUserObj(authData)
+        });
+        
+        if (secret) {
+            secrets = [secret];
+        }
+    }
+    
+    if (!secret) throw SecretNotFoundError();
+    
+    await EESecretService.markDeletedSecretVersions({
+        secretIds: secrets.map((secret) => secret._id)
+    });
+
+    // (EE) create (audit) log
+    const action = await EELogService.createAction({
+        name: ACTION_DELETE_SECRETS,
+        ...getAuthDataPayloadIdObj(authData),
+        workspaceId,
+        secretIds: secrets.map((secret) => secret._id)
+    });
+
+    // (EE) take a secret snapshot
+    action && await EELogService.createLog({
+        ...getAuthDataPayloadIdObj(authData),
+        workspaceId,
+        actions: [action],
+        channel: authData.authChannel,
+        ipAddress: authData.authIP
+    });
+
+    // (EE) take a secret snapshot
+    await EESecretService.takeSecretSnapshot({
+        workspaceId
+    });
+
+    const postHogClient = await TelemetryService.getPostHogClient();
+
+    if (postHogClient) {
+        postHogClient.capture({
+            event: 'secrets deleted',
+            distinctId: await TelemetryService.getDistinctId({
+                authData
+            }),
+            properties: {
+                numberOfSecrets: secrets.length,
+                environment,
+                workspaceId,
+                channel: authData.authChannel,
+                userAgent: authData.authUserAgent
+            }
+        });
+    }
+    
+    return ({
+        secrets,
+        secret
+    });
+}
+
+export {
+    validateClientForSecret,
+    validateClientForSecrets,
+    initSecretBlindIndexDataHelper,
+    createSecretBlindIndexDataHelper,
+    getSecretBlindIndexSaltHelper,
+    generateSecretBlindIndexWithSaltHelper,
+    generateSecretBlindIndexHelper,
+    createSecretHelper,
+    getSecretsHelper,
+    getSecretHelper,
+    updateSecretHelper,
+    deleteSecretHelper
+}

backend/src/helpers/serviceAccount.ts

@@ -0,0 +1,271 @@
+import _ from 'lodash';
+import { Types } from 'mongoose';
+import {
+	User,
+	IUser,
+	ServiceAccount,
+    IServiceAccount,
+	ServiceTokenData,
+	IServiceTokenData,
+	ISecret,
+	IOrganization,
+	IServiceAccountWorkspacePermission,
+	ServiceAccountWorkspacePermission
+} from '../models';
+import { 
+	BadRequestError, 
+	UnauthorizedRequestError,
+	ServiceAccountNotFoundError
+} from '../utils/errors';
+import {
+	PERMISSION_READ_SECRETS,
+	PERMISSION_WRITE_SECRETS,
+	AUTH_MODE_JWT,
+	AUTH_MODE_SERVICE_ACCOUNT,
+	AUTH_MODE_SERVICE_TOKEN,
+	AUTH_MODE_API_KEY
+} from '../variables';
+import {
+	validateUserClientForServiceAccount
+} from '../helpers/user';
+
+const validateClientForServiceAccount = async ({
+	authData,
+	serviceAccountId,
+	requiredPermissions
+}: {
+	authData: {
+		authMode: string;
+		authPayload: IUser | IServiceAccount | IServiceTokenData;
+	},
+	serviceAccountId: Types.ObjectId;
+	requiredPermissions?: string[];
+}) => {
+	const serviceAccount = await ServiceAccount.findById(serviceAccountId); 
+	
+	if (!serviceAccount) {
+		throw ServiceAccountNotFoundError({
+			message: 'Failed to find service account'
+		});
+	}
+	
+	if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
+		await validateUserClientForServiceAccount({
+			user: authData.authPayload,
+			serviceAccount,
+			requiredPermissions
+		});
+		
+		return serviceAccount;
+	}
+
+	if (authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && authData.authPayload instanceof ServiceAccount) {
+		await validateServiceAccountClientForServiceAccount({
+			serviceAccount: authData.authPayload,
+			targetServiceAccount: serviceAccount,
+			requiredPermissions
+		});
+
+		return serviceAccount;
+	}
+
+	if (authData.authMode === AUTH_MODE_SERVICE_TOKEN && authData.authPayload instanceof ServiceTokenData) {
+		throw UnauthorizedRequestError({
+			message: 'Failed service token authorization for service account resource'
+		});
+	}
+
+	if (authData.authMode === AUTH_MODE_API_KEY && authData.authPayload instanceof User) {
+		await validateUserClientForServiceAccount({
+			user: authData.authPayload,
+			serviceAccount,
+			requiredPermissions
+		});
+		
+		return serviceAccount;
+	}
+	
+	throw UnauthorizedRequestError({
+		message: 'Failed client authorization for service account resource'
+	});
+}
+
+/**
+ * Validate that service account (client) can access workspace
+ * with id [workspaceId] and its environment [environment] with required permissions
+ * [requiredPermissions]
+ * @param {Object} obj
+ * @param {ServiceAccount} obj.serviceAccount - service account client
+ * @param {Types.ObjectId} obj.workspaceId - id of workspace to validate against
+ * @param {String} environment - (optional) environment in workspace to validate against
+ * @param {String[]} requiredPermissions - required permissions as part of the endpoint
+ */
+ const validateServiceAccountClientForWorkspace = async ({
+    serviceAccount,
+	workspaceId,
+	environment,
+	requiredPermissions
+}: {
+    serviceAccount: IServiceAccount;
+	workspaceId: Types.ObjectId;
+	environment?: string;
+	requiredPermissions?: string[];
+}) => {
+	if (environment) {
+		// case: environment specified ->
+		// evaluate service account authorization for workspace
+		// in the context of a specific environment [environment]
+		const permission = await ServiceAccountWorkspacePermission.findOne({
+			serviceAccount,
+			workspace: new Types.ObjectId(workspaceId),
+			environment
+		});
+	
+		if (!permission) throw UnauthorizedRequestError({
+			message: 'Failed service account authorization for the given workspace environment'
+		});
+
+		let runningIsDisallowed = false;
+		requiredPermissions?.forEach((requiredPermission: string) => {
+			switch (requiredPermission) {
+				case PERMISSION_READ_SECRETS:
+					if (!permission.read) runningIsDisallowed = true;
+					break;
+				case PERMISSION_WRITE_SECRETS:
+					if (!permission.write) runningIsDisallowed = true;
+					break;
+				default:
+					break;
+			}
+			
+			if (runningIsDisallowed) {
+				throw UnauthorizedRequestError({
+					message: `Failed permissions authorization for workspace environment action : ${requiredPermission}`
+				});	
+			}
+		});
+		
+	} else {
+		// case: no environment specified ->
+		// evaluate service account authorization for workspace
+		// without need of environment [environment]
+
+		const permission = await ServiceAccountWorkspacePermission.findOne({
+			serviceAccount,
+			workspace: new Types.ObjectId(workspaceId)
+		});
+		
+		if (!permission) throw UnauthorizedRequestError({
+			message: 'Failed service account authorization for the given workspace'
+		});
+	}
+}
+
+/**
+ * Validate that service account (client) can access secrets
+ * with required permissions [requiredPermissions]
+ * @param {Object} obj
+ * @param {ServiceAccount} obj.serviceAccount - service account client
+ * @param {Secret[]} secrets - secrets to validate against
+ * @param {string[]} requiredPermissions - required permissions as part of the endpoint
+ */
+ const validateServiceAccountClientForSecrets = async ({
+	serviceAccount,
+	secrets,
+	requiredPermissions
+}: {
+	serviceAccount: IServiceAccount;
+	secrets: ISecret[];
+	requiredPermissions?: string[];
+}) => {
+
+	const permissions = await ServiceAccountWorkspacePermission.find({
+		serviceAccount: serviceAccount._id 
+	});
+
+	const permissionsObj = _.keyBy(permissions, (p) => {
+		return `${p.workspace.toString()}-${p.environment}`
+	});
+
+	secrets.forEach((secret: ISecret) => {
+		const permission = permissionsObj[`${secret.workspace.toString()}-${secret.environment}`];
+		
+		if (!permission) throw BadRequestError({
+			message: 'Failed to find any permission for the secret workspace and environment'
+		});
+		
+		requiredPermissions?.forEach((requiredPermission: string) => {
+			let runningIsDisallowed = false;
+			requiredPermissions?.forEach((requiredPermission: string) => {
+				switch (requiredPermission) {
+					case PERMISSION_READ_SECRETS:
+						if (!permission.read) runningIsDisallowed = true;
+						break;
+					case PERMISSION_WRITE_SECRETS:
+						if (!permission.write) runningIsDisallowed = true;
+						break;
+					default:
+						break;
+				}
+				
+				if (runningIsDisallowed) {
+					throw UnauthorizedRequestError({
+						message: `Failed permissions authorization for workspace environment action : ${requiredPermission}`
+					});	
+				}
+			});
+		});
+	});
+}
+
+/**
+ * Validate that service account (client) can access target service
+ * account [serviceAccount] with required permissions [requiredPermissions]
+ * @param {Object} obj
+ * @param {SerivceAccount} obj.serviceAccount - service account client
+ * @param {ServiceAccount} targetServiceAccount - target service account to validate against
+ * @param {string[]} requiredPermissions - required permissions as part of the endpoint
+ */
+const validateServiceAccountClientForServiceAccount = ({
+	serviceAccount,
+	targetServiceAccount,
+	requiredPermissions
+}: {
+	serviceAccount: IServiceAccount;
+	targetServiceAccount: IServiceAccount;
+	requiredPermissions?: string[];
+}) => {
+	if (!serviceAccount.organization.equals(targetServiceAccount.organization)) {
+		throw UnauthorizedRequestError({
+			message: 'Failed service account authorization for the given service account'
+		});
+	}
+}
+
+/**
+ * Validate that service account (client) can access organization [organization]
+ * @param {Object} obj
+ * @param {User} obj.user - service account client
+ * @param {Organization} obj.organization - organization to validate against
+ */
+const validateServiceAccountClientForOrganization = async ({
+	serviceAccount,
+	organization
+}: {
+	serviceAccount: IServiceAccount;
+	organization: IOrganization;
+}) => {
+	if (!serviceAccount.organization.equals(organization._id)) {
+		throw UnauthorizedRequestError({
+			message: 'Failed service account authorization for the given organization'
+		});
+	}
+}
+
+export {
+	validateClientForServiceAccount,
+    validateServiceAccountClientForWorkspace,
+	validateServiceAccountClientForSecrets,
+	validateServiceAccountClientForServiceAccount,
+	validateServiceAccountClientForOrganization
+}

backend/src/helpers/serviceTokenData.ts

@@ -0,0 +1,188 @@
+import { Types } from 'mongoose';
+import {
+    ISecret,
+    IServiceTokenData,
+    ServiceTokenData,
+    IUser,
+    User,
+    IServiceAccount,
+    ServiceAccount,
+} from '../models';
+import { 
+    UnauthorizedRequestError,
+    ServiceTokenDataNotFoundError
+} from '../utils/errors';
+import {
+    AUTH_MODE_JWT,
+	AUTH_MODE_SERVICE_ACCOUNT,
+	AUTH_MODE_SERVICE_TOKEN,
+	AUTH_MODE_API_KEY
+} from '../variables';
+import { validateUserClientForWorkspace } from '../helpers/user';
+import { validateServiceAccountClientForWorkspace } from '../helpers/serviceAccount';
+
+/**
+ * Validate authenticated clients for service token with id [serviceTokenId] based
+ * on any known permissions.
+ * @param {Object} obj
+ * @param {Object} obj.authData - authenticated client details
+ * @param {Types.ObjectId} obj.serviceTokenData - id of service token to validate against
+ * @param {Array<'admin' | 'member'>} obj.acceptedRoles - accepted workspace roles
+ */
+const validateClientForServiceTokenData = async ({
+    authData,
+    serviceTokenDataId,
+    acceptedRoles
+}: {
+    authData: {
+		authMode: string;
+		authPayload: IUser | IServiceAccount | IServiceTokenData;
+	};
+    serviceTokenDataId: Types.ObjectId;
+    acceptedRoles: Array<'admin' | 'member'>;
+}) => {
+    const serviceTokenData = await ServiceTokenData
+            .findById(serviceTokenDataId)
+            .select('+encryptedKey +iv +tag')
+            .populate<{ user: IUser }>('user');
+
+    if (!serviceTokenData) throw ServiceTokenDataNotFoundError({
+        message: 'Failed to find service token data'
+    });
+
+    if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
+        await validateUserClientForWorkspace({
+            user: authData.authPayload,
+            workspaceId: serviceTokenData.workspace,
+            acceptedRoles
+        });
+        
+        return serviceTokenData;
+    }
+
+    if (authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && authData.authPayload instanceof ServiceAccount) {
+        await validateServiceAccountClientForWorkspace({
+            serviceAccount: authData.authPayload,
+            workspaceId: serviceTokenData.workspace
+        });
+        
+        return serviceTokenData;
+    }
+
+    if (authData.authMode === AUTH_MODE_SERVICE_TOKEN && authData.authPayload instanceof ServiceTokenData) {
+        throw UnauthorizedRequestError({
+            message: 'Failed service token authorization for service token data'
+        });
+    }
+
+    if (authData.authMode === AUTH_MODE_API_KEY && authData.authPayload instanceof User) {
+        await validateUserClientForWorkspace({
+            user: authData.authPayload,
+            workspaceId: serviceTokenData.workspace,
+            acceptedRoles
+        });
+        
+        return serviceTokenData;
+    }
+    
+    throw UnauthorizedRequestError({
+        message: 'Failed client authorization for service token data'
+    });
+}
+
+/**
+ * Validate that service token (client) can access workspace
+ * with id [workspaceId] and its environment [environment] with required permissions
+ * [requiredPermissions]
+ * @param {Object} obj
+ * @param {ServiceTokenData} obj.serviceTokenData - service token client
+ * @param {Types.ObjectId} obj.workspaceId - id of workspace to validate against
+ * @param {String} environment - (optional) environment in workspace to validate against
+ * @param {String[]} requiredPermissions - required permissions as part of the endpoint
+ */
+ const validateServiceTokenDataClientForWorkspace = async ({
+    serviceTokenData,
+	workspaceId,
+	environment,
+	requiredPermissions
+}: {
+    serviceTokenData: IServiceTokenData;
+	workspaceId: Types.ObjectId;
+	environment?: string;
+	requiredPermissions?: string[];
+}) => {
+    if (!serviceTokenData.workspace.equals(workspaceId)) {
+        // case: invalid workspaceId passed
+        throw UnauthorizedRequestError({
+            message: 'Failed service token authorization for the given workspace'
+        });
+    }
+
+    if (environment) {
+        // case: environment is specified
+        
+        if (serviceTokenData.environment !== environment) {
+            // case: invalid environment passed
+            throw UnauthorizedRequestError({
+                message: 'Failed service token authorization for the given workspace environment'
+            });
+        }
+
+        requiredPermissions?.forEach((permission) => {
+            if (!serviceTokenData.permissions.includes(permission)) {
+                throw UnauthorizedRequestError({
+                    message: `Failed service token authorization for the given workspace environment action: ${permission}`
+                });
+            }
+        });
+    }
+}
+
+/**
+ * Validate that service token (client) can access secrets
+ * with required permissions [requiredPermissions]
+ * @param {Object} obj
+ * @param {ServiceTokenData} obj.serviceTokenData - service token client
+ * @param {Secret[]} secrets - secrets to validate against
+ * @param {string[]} requiredPermissions - required permissions as part of the endpoint
+ */
+ const validateServiceTokenDataClientForSecrets = async ({
+    serviceTokenData,
+    secrets,
+	requiredPermissions
+}: {
+    serviceTokenData: IServiceTokenData;
+    secrets: ISecret[];
+	requiredPermissions?: string[];
+}) => {
+
+    secrets.forEach((secret: ISecret) => {
+        if (!serviceTokenData.workspace.equals(secret.workspace)) {
+            // case: invalid workspaceId passed
+            throw UnauthorizedRequestError({
+                message: 'Failed service token authorization for the given workspace'
+            });
+        }
+        
+        if (serviceTokenData.environment !== secret.environment) {
+            // case: invalid environment passed
+            throw UnauthorizedRequestError({
+                message: 'Failed service token authorization for the given workspace environment'
+            });
+        }
+        
+        requiredPermissions?.forEach((permission) => {
+            if (!serviceTokenData.permissions.includes(permission)) {
+                throw UnauthorizedRequestError({
+                    message: `Failed service token authorization for the given workspace environment action: ${permission}`
+                });
+            }
+        });
+    });
+}
+
+export {
+    validateClientForServiceTokenData,
+    validateServiceTokenDataClientForWorkspace,
+    validateServiceTokenDataClientForSecrets
+}

backend/src/helpers/token.ts

@@ -9,10 +9,8 @@ import {
     TOKEN_EMAIL_ORG_INVITATION,
     TOKEN_EMAIL_PASSWORD_RESET
 } from '../variables';
-import {
-    SALT_ROUNDS
-} from '../config';
 import { UnauthorizedRequestError } from '../utils/errors';
+import { getSaltRounds } from '../config';
 
 /**
  * Create and store a token in the database for purpose [type]
@@ -86,7 +84,7 @@ const createTokenHelper = async ({
         const query: TokenDataQuery = { type };
         const update: TokenDataUpdate = {
             type,
-            tokenHash: await bcrypt.hash(token, SALT_ROUNDS),
+            tokenHash: await bcrypt.hash(token, await getSaltRounds()),
             expiresAt
         }
 

backend/src/helpers/user.ts

@@ -1,6 +1,25 @@
 import * as Sentry from '@sentry/node';
-import { IUser, User } from '../models';
+import { Types } from 'mongoose';
+import {
+	IUser, 
+	ISecret,
+	IServiceAccount,
+	User,
+	Membership,
+	IOrganization,
+	Organization,
+} from '../models';
 import { sendMail } from './nodemailer';
+import { validateMembership } from './membership';
+import _ from 'lodash';
+import { BadRequestError, UnauthorizedRequestError } from '../utils/errors';
+import {
+	validateMembershipOrg
+} from '../helpers/membershipOrg';
+import {
+	PERMISSION_READ_SECRETS,
+	PERMISSION_WRITE_SECRETS
+} from '../variables';
 
 /**
  * Initialize a user under email [email]
@@ -146,4 +165,204 @@ const checkUserDevice = async ({
 	}
 }
 
-export { setupAccount, completeAccount, checkUserDevice };
+/**
+ * Validate that user (client) can access workspace
+ * with id [workspaceId] and its environment [environment] with required permissions
+ * [requiredPermissions]
+ * @param {Object} obj
+ * @param {User} obj.user - user client
+ * @param {Types.ObjectId} obj.workspaceId - id of workspace to validate against
+ * @param {String} environment - (optional) environment in workspace to validate against
+ * @param {String[]} requiredPermissions - required permissions as part of the endpoint
+ */
+const validateUserClientForWorkspace = async ({
+	user,
+	workspaceId,
+	environment,
+	acceptedRoles,
+	requiredPermissions
+}: {
+	user: IUser;
+	workspaceId: Types.ObjectId;
+	environment?: string;
+	acceptedRoles: Array<'admin' | 'member'>;
+	requiredPermissions?: string[];
+}) => {
+	
+	// validate user membership in workspace
+	const membership = await validateMembership({
+        userId: user._id,
+        workspaceId,
+		acceptedRoles
+    });
+	
+	let runningIsDisallowed = false;
+	requiredPermissions?.forEach((requiredPermission: string) => {
+		switch (requiredPermission) {
+			case PERMISSION_READ_SECRETS:
+				runningIsDisallowed = _.some(membership.deniedPermissions, { environmentSlug: environment, ability: PERMISSION_READ_SECRETS });
+				break;
+			case PERMISSION_WRITE_SECRETS:
+				runningIsDisallowed = _.some(membership.deniedPermissions, { environmentSlug: environment, ability: PERMISSION_WRITE_SECRETS });
+				break;
+			default:
+				break;
+		}
+		
+		if (runningIsDisallowed) {
+			throw UnauthorizedRequestError({
+				message: `Failed permissions authorization for workspace environment action : ${requiredPermission}`
+			});	
+		}
+	});
+	
+	return membership;
+}
+
+/**
+ * Validate that user (client) can access secret [secret]
+ * with required permissions [requiredPermissions]
+ * @param {Object} obj
+ * @param {User} obj.user - user client
+ * @param {Secret[]} obj.secrets - secrets to validate against
+ * @param {String[]} requiredPermissions - required permissions as part of the endpoint
+ */
+const validateUserClientForSecret = async ({
+	user,
+	secret,
+	acceptedRoles,
+	requiredPermissions
+}: {
+	user: IUser;
+	secret: ISecret;
+	acceptedRoles?: Array<'admin' | 'member'>;
+	requiredPermissions?: string[];
+}) => {
+	const membership = await validateMembership({
+		userId: user._id,
+		workspaceId: secret.workspace,
+		acceptedRoles
+	});
+	
+	if (requiredPermissions?.includes(PERMISSION_WRITE_SECRETS)) {
+		const isDisallowed = _.some(membership.deniedPermissions, { environmentSlug: secret.environment, ability: PERMISSION_WRITE_SECRETS });
+
+		if (isDisallowed) {
+			throw UnauthorizedRequestError({
+				message: 'You do not have the required permissions to perform this action' 
+			});
+		}
+	}
+}
+
+/**
+ * Validate that user (client) can access secrets [secrets]
+ * with required permissions [requiredPermissions]
+ * @param {Object} obj
+ * @param {User} obj.user - user client
+ * @param {Secret[]} obj.secrets - secrets to validate against
+ * @param {String[]} requiredPermissions - required permissions as part of the endpoint
+ */
+ const validateUserClientForSecrets = async ({
+	user,
+	secrets,
+	requiredPermissions
+}: {
+	user: IUser;
+	secrets: ISecret[];
+	requiredPermissions?: string[];
+}) => {
+	
+	// TODO: add acceptedRoles?
+
+	const userMemberships = await Membership.find({ user: user._id })
+	const userMembershipById = _.keyBy(userMemberships, 'workspace');
+	const workspaceIdsSet = new Set(userMemberships.map((m) => m.workspace.toString()));
+
+	// for each secret check if the secret belongs to a workspace the user is a member of
+	secrets.forEach((secret: ISecret) => {
+		if (!workspaceIdsSet.has(secret.workspace.toString())) {
+			throw BadRequestError({
+				message: 'Failed authorization for the secret'
+			});
+		}
+
+		if (requiredPermissions?.includes(PERMISSION_WRITE_SECRETS)) {
+			const deniedMembershipPermissions = userMembershipById[secret.workspace.toString()].deniedPermissions;
+			const isDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: secret.environment, ability: PERMISSION_WRITE_SECRETS });
+
+			if (isDisallowed) {
+				throw UnauthorizedRequestError({
+					message: 'You do not have the required permissions to perform this action' 
+				});
+			}
+		}
+	});
+}
+
+/**
+ * Validate that user (client) can access service account [serviceAccount]
+ * with required permissions [requiredPermissions]
+ * @param {Object} obj
+ * @param {User} obj.user - user client
+ * @param {ServiceAccount} obj.serviceAccount - service account to validate against
+ * @param {String[]} requiredPermissions - required permissions as part of the endpoint
+ */
+const validateUserClientForServiceAccount = async ({
+	user,
+	serviceAccount,
+	requiredPermissions
+}: {
+	user: IUser;
+	serviceAccount: IServiceAccount;
+	requiredPermissions?: string[];
+}) => {
+	if (!serviceAccount.user.equals(user._id)) {
+		// case: user who created service account is not the
+		// same user that is on the request
+		await validateMembershipOrg({
+			userId: user._id,
+			organizationId: serviceAccount.organization,
+			acceptedRoles: [],
+			acceptedStatuses: []
+		});
+	}
+}
+
+/**
+ * Validate that user (client) can access organization [organization]
+ * @param {Object} obj
+ * @param {User} obj.user - user client
+ * @param {Organization} obj.organization - organization to validate against
+ */
+ const validateUserClientForOrganization = async ({
+	user,
+	organization,
+	acceptedRoles,
+	acceptedStatuses
+}: {
+	user: IUser;
+	organization: IOrganization;
+	acceptedRoles: Array<'owner' | 'admin' | 'member'>;
+	acceptedStatuses: Array<'invited' | 'accepted'>;
+}) => {
+	const membershipOrg = await validateMembershipOrg({
+		userId: user._id,
+		organizationId: organization._id,
+		acceptedRoles,
+		acceptedStatuses
+	});
+	
+	return membershipOrg;
+}
+
+export { 
+	setupAccount, 
+	completeAccount, 
+	checkUserDevice,
+	validateUserClientForWorkspace,
+	validateUserClientForSecrets,
+	validateUserClientForServiceAccount,
+	validateUserClientForOrganization,
+	validateUserClientForSecret
+};

backend/src/helpers/workspace.ts

@@ -1,12 +1,135 @@
 import * as Sentry from '@sentry/node';
+import crypto from 'crypto';
+import { Types } from 'mongoose';
 import {
 	Workspace,
 	Bot,
 	Membership,
 	Key,
-	Secret
+	Secret,
+	User,
+	IUser,
+	ServiceAccountWorkspacePermission,
+	ServiceAccount,
+	IServiceAccount,
+	ServiceTokenData,
+	IServiceTokenData,
+	SecretBlindIndexData
 } from '../models';
 import { createBot } from '../helpers/bot';
+import { validateUserClientForWorkspace } from '../helpers/user';
+import { validateServiceAccountClientForWorkspace } from '../helpers/serviceAccount';
+import { validateServiceTokenDataClientForWorkspace } from '../helpers/serviceTokenData';
+import { validateMembership } from '../helpers/membership';
+import { UnauthorizedRequestError, WorkspaceNotFoundError } from '../utils/errors';
+import {
+	AUTH_MODE_JWT,
+	AUTH_MODE_SERVICE_ACCOUNT,
+	AUTH_MODE_SERVICE_TOKEN,
+	AUTH_MODE_API_KEY
+} from '../variables';
+import { encryptSymmetric } from '../utils/crypto';
+import { SecretService } from '../services';
+
+/**
+ * Validate authenticated clients for workspace with id [workspaceId] based
+ * on any known permissions.
+ * @param {Object} obj
+ * @param {Object} obj.authData - authenticated client details
+ * @param {Types.ObjectId} obj.workspaceId - id of workspace to validate against
+ * @param {String} obj.environment - (optional) environment in workspace to validate against
+ * @param {Array<'admin' | 'member'>} obj.acceptedRoles - accepted workspace roles
+ * @param {String[]} obj.requiredPermissions - required permissions as part of the endpoint
+ */
+const validateClientForWorkspace = async ({
+	authData,
+	workspaceId,
+	environment,
+	acceptedRoles,
+	requiredPermissions,
+	requireBlindIndicesEnabled
+}: {
+	authData: {
+		authMode: string;
+		authPayload: IUser | IServiceAccount | IServiceTokenData;
+	};
+	workspaceId: Types.ObjectId;
+	environment?: string;
+	acceptedRoles: Array<'admin' | 'member'>;
+	requiredPermissions?: string[];
+	requireBlindIndicesEnabled: boolean;
+}) => {
+	
+	const workspace = await Workspace.findById(workspaceId);
+
+	if (!workspace) throw WorkspaceNotFoundError({
+		message: 'Failed to find workspace'
+	});
+
+	if (requireBlindIndicesEnabled) {
+		// case: blind indices are not enabled for secrets in this workspace
+		// (i.e. workspace was created before blind indices were introduced
+		// and no admin has enabled it)
+		
+		const secretBlindIndexData = await SecretBlindIndexData.exists({
+			workspace: new Types.ObjectId(workspaceId)
+		});
+		
+		if (!secretBlindIndexData) throw UnauthorizedRequestError({
+			message: 'Failed workspace authorization due to blind indices not being enabled'
+		});
+	}
+
+	if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
+		const membership = await validateUserClientForWorkspace({
+			user: authData.authPayload,
+			workspaceId,
+			environment,
+			acceptedRoles,
+			requiredPermissions
+		});
+		
+		return ({ membership });
+	}
+
+	if (authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && authData.authPayload instanceof ServiceAccount) {
+		await validateServiceAccountClientForWorkspace({
+			serviceAccount: authData.authPayload,
+			workspaceId,
+			environment,
+			requiredPermissions
+		});
+		
+		return {};
+	}
+	
+	if (authData.authMode === AUTH_MODE_SERVICE_TOKEN && authData.authPayload instanceof ServiceTokenData) {
+		await validateServiceTokenDataClientForWorkspace({
+			serviceTokenData: authData.authPayload,
+			workspaceId,
+			environment,
+			requiredPermissions
+		});
+
+		return {};
+	}
+
+	if (authData.authMode === AUTH_MODE_API_KEY && authData.authPayload instanceof User) {
+		const membership = await validateUserClientForWorkspace({
+			user: authData.authPayload,
+			workspaceId,
+			environment,
+			acceptedRoles,
+			requiredPermissions
+		});
+		
+		return ({ membership });
+	}
+	
+	throw UnauthorizedRequestError({
+		message: 'Failed client authorization for workspace'
+	});
+}
 
 /**
  * Create a workspace with name [name] in organization with id [organizationId]
@@ -27,13 +150,21 @@ const createWorkspace = async ({
 		// create workspace
 		workspace = await new Workspace({
 			name,
-			organization: organizationId
+			organization: organizationId,
+			autoCapitalization: true
 		}).save();
 		
-		const bot = await createBot({
+		// initialize bot for workspace
+		await createBot({
 			name: 'Infisical Bot',
-			workspaceId: workspace._id.toString()
+			workspaceId: workspace._id
 		});
+		
+		// initialize blind index salt for workspace
+		await SecretService.createSecretBlindIndexData({
+			workspaceId: workspace._id
+		});
+
 	} catch (err) {
 		Sentry.setUser(null);
 		Sentry.captureException(err);
@@ -71,4 +202,8 @@ const deleteWorkspace = async ({ id }: { id: string }) => {
 	}
 };
 
-export { createWorkspace, deleteWorkspace };
+export {
+	validateClientForWorkspace,
+	createWorkspace, 
+	deleteWorkspace 
+};

backend/src/index.ts

@@ -1,28 +1,189 @@
+import mongoose from 'mongoose';
 import dotenv from 'dotenv';
 dotenv.config();
-
+import express from 'express';
+import helmet from 'helmet';
+import cors from 'cors';
 import * as Sentry from '@sentry/node';
-import { SENTRY_DSN, NODE_ENV, MONGO_URL } from './config';
-import { server } from './app';
 import { DatabaseService } from './services';
 import { setUpHealthEndpoint } from './services/health';
 import { initSmtp } from './services/smtp';
+import { TelemetryService } from './services';
 import { setTransporter } from './helpers/nodemailer';
 import { createTestUserForDevelopment } from './utils/addDevelopmentUser';
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const { patchRouterParam } = require('./utils/patchAsyncRoutes');
 
-DatabaseService.initDatabase(MONGO_URL);
+import cookieParser from 'cookie-parser';
+import swaggerUi = require('swagger-ui-express');
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const swaggerFile = require('../spec.json');
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const requestIp = require('request-ip');
+import { apiLimiter } from './helpers/rateLimiter';
+import {
+    workspace as eeWorkspaceRouter,
+    secret as eeSecretRouter,
+    secretSnapshot as eeSecretSnapshotRouter,
+    action as eeActionRouter
+} from './ee/routes/v1';
+import {
+    signup as v1SignupRouter,
+    auth as v1AuthRouter,
+    bot as v1BotRouter,
+    organization as v1OrganizationRouter,
+    workspace as v1WorkspaceRouter,
+    membershipOrg as v1MembershipOrgRouter,
+    membership as v1MembershipRouter,
+    key as v1KeyRouter,
+    inviteOrg as v1InviteOrgRouter,
+    user as v1UserRouter,
+    userAction as v1UserActionRouter,
+    secret as v1SecretRouter,
+    serviceToken as v1ServiceTokenRouter,
+    password as v1PasswordRouter,
+    stripe as v1StripeRouter,
+    integration as v1IntegrationRouter,
+    integrationAuth as v1IntegrationAuthRouter,
+    secretsFolder as v1SecretsFolder
+} from './routes/v1';
+import {
+    signup as v2SignupRouter,
+    auth as v2AuthRouter,
+    users as v2UsersRouter,
+    organizations as v2OrganizationsRouter,
+    workspace as v2WorkspaceRouter,
+    secret as v2SecretRouter, // begin to phase out
+    secrets as v2SecretsRouter,
+    serviceTokenData as v2ServiceTokenDataRouter,
+    serviceAccounts as v2ServiceAccountsRouter,
+    apiKeyData as v2APIKeyDataRouter,
+    environment as v2EnvironmentRouter,
+    tags as v2TagsRouter,
+} from './routes/v2';
+import {
+    secrets as v3SecretsRouter,
+    workspaces as v3WorkspacesRouter
+} from './routes/v3';
+import { healthCheck } from './routes/status';
+import { getLogger } from './utils/logger';
+import { RouteNotFoundError } from './utils/errors';
+import { requestErrorHandler } from './middleware/requestErrorHandler';
+import {
+    getMongoURL,
+    getNodeEnv,
+    getPort,
+    getSentryDSN,
+    getSiteURL,
+    getSmtpHost
+} from './config';
 
-setUpHealthEndpoint(server);
+const main = async () => {
+    TelemetryService.logTelemetryMessage();
+    setTransporter(await initSmtp());
 
-setTransporter(initSmtp());
+    await DatabaseService.initDatabase(await getMongoURL());
+    if ((await getNodeEnv()) !== 'test') {
+        Sentry.init({
+            dsn: await getSentryDSN(),
+            tracesSampleRate: 1.0,
+            debug: await getNodeEnv() === 'production' ? false : true,
+            environment: await getNodeEnv()
+        });
+    }
 
-if (NODE_ENV !== 'test') {
-  Sentry.init({
-    dsn: SENTRY_DSN,
-    tracesSampleRate: 1.0,
-    debug: NODE_ENV === 'production' ? false : true,
-    environment: NODE_ENV
-  });
+    patchRouterParam();
+    const app = express();
+    app.enable('trust proxy');
+    app.use(express.json());
+    app.use(cookieParser());
+    app.use(
+        cors({
+            credentials: true,
+            origin: await getSiteURL()
+        })
+    );
+
+    app.use(requestIp.mw());
+
+    if ((await getNodeEnv()) === 'production') {
+        // enable app-wide rate-limiting + helmet security
+        // in production
+        app.disable('x-powered-by');
+        app.use(apiLimiter);
+        app.use(helmet());
+    }
+
+    // (EE) routes
+    app.use('/api/v1/secret', eeSecretRouter);
+    app.use('/api/v1/secret-snapshot', eeSecretSnapshotRouter);
+    app.use('/api/v1/workspace', eeWorkspaceRouter);
+    app.use('/api/v1/action', eeActionRouter);
+
+    // v1 routes (default)
+    app.use('/api/v1/signup', v1SignupRouter);
+    app.use('/api/v1/auth', v1AuthRouter);
+    app.use('/api/v1/bot', v1BotRouter);
+    app.use('/api/v1/user', v1UserRouter);
+    app.use('/api/v1/user-action', v1UserActionRouter);
+    app.use('/api/v1/organization', v1OrganizationRouter);
+    app.use('/api/v1/workspace', v1WorkspaceRouter);
+    app.use('/api/v1/membership-org', v1MembershipOrgRouter);
+    app.use('/api/v1/membership', v1MembershipRouter);
+    app.use('/api/v1/key', v1KeyRouter);
+    app.use('/api/v1/invite-org', v1InviteOrgRouter);
+    app.use('/api/v1/secret', v1SecretRouter);
+    app.use('/api/v1/service-token', v1ServiceTokenRouter); // deprecated
+    app.use('/api/v1/password', v1PasswordRouter);
+    app.use('/api/v1/stripe', v1StripeRouter);
+    app.use('/api/v1/integration', v1IntegrationRouter);
+    app.use('/api/v1/integration-auth', v1IntegrationAuthRouter);
+    app.use('/api/v1/folder', v1SecretsFolder)
+
+    // v2 routes (improvements)
+    app.use('/api/v2/signup', v2SignupRouter);
+    app.use('/api/v2/auth', v2AuthRouter);
+    app.use('/api/v2/users', v2UsersRouter);
+    app.use('/api/v2/organizations', v2OrganizationsRouter);
+    app.use('/api/v2/workspace', v2EnvironmentRouter);
+    app.use('/api/v2/workspace', v2TagsRouter);
+    app.use('/api/v2/workspace', v2WorkspaceRouter);
+    app.use('/api/v2/secret', v2SecretRouter); // deprecated
+    app.use('/api/v2/secrets', v2SecretsRouter);
+    app.use('/api/v2/service-token', v2ServiceTokenDataRouter); // TODO: turn into plural route
+    app.use('/api/v2/service-accounts', v2ServiceAccountsRouter); // new
+    app.use('/api/v2/api-key', v2APIKeyDataRouter);
+
+    // v3 routes (experimental)
+    app.use('/api/v3/secrets', v3SecretsRouter);
+    app.use('/api/v3/workspaces', v3WorkspacesRouter);
+
+    // api docs 
+    app.use('/api-docs', swaggerUi.serve, swaggerUi.setup(swaggerFile))
+
+    // Server status
+    app.use('/api', healthCheck)
+
+    //* Handle unrouted requests and respond with proper error message as well as status code
+    app.use((req, res, next) => {
+        if (res.headersSent) return next();
+        next(RouteNotFoundError({ message: `The requested source '(${req.method})${req.url}' was not found` }))
+    })
+
+    app.use(requestErrorHandler)
+
+    const server = app.listen(await getPort(), async () => {
+        (await getLogger("backend-main")).info(`Server started listening at port ${await getPort()}`)
+    });
+
+    await createTestUserForDevelopment();
+    setUpHealthEndpoint(server);
+
+    server.on('close', async () => {
+        await DatabaseService.closeDatabase();
+    })
+
+    return server;
 }
 
-createTestUserForDevelopment()
+export default main();

backend/src/integrations/apps.ts

@@ -1,7 +1,7 @@
-import axios from "axios";
 import * as Sentry from "@sentry/node";
 import { Octokit } from "@octokit/rest";
 import { IIntegrationAuth } from "../models";
+import request from '../config/request';
 import {
   INTEGRATION_AZURE_KEY_VAULT,
   INTEGRATION_AWS_PARAMETER_STORE,
@@ -10,39 +10,51 @@ import {
   INTEGRATION_VERCEL,
   INTEGRATION_NETLIFY,
   INTEGRATION_GITHUB,
+  INTEGRATION_GITLAB,
   INTEGRATION_RENDER,
+  INTEGRATION_RAILWAY,
   INTEGRATION_FLYIO,
   INTEGRATION_CIRCLECI,
+  INTEGRATION_TRAVISCI,
+  INTEGRATION_SUPABASE,
   INTEGRATION_HEROKU_API_URL,
+  INTEGRATION_GITLAB_API_URL,
   INTEGRATION_VERCEL_API_URL,
   INTEGRATION_NETLIFY_API_URL,
   INTEGRATION_RENDER_API_URL,
+  INTEGRATION_RAILWAY_API_URL,
   INTEGRATION_FLYIO_API_URL,
   INTEGRATION_CIRCLECI_API_URL,
+  INTEGRATION_TRAVISCI_API_URL,
+  INTEGRATION_SUPABASE_API_URL
 } from "../variables";
 
+interface App {
+  name: string;
+  appId?: string;
+  owner?: string;
+}
+
 /**
  * Return list of names of apps for integration named [integration]
  * @param {Object} obj
  * @param {String} obj.integration - name of integration
  * @param {String} obj.accessToken - access token for integration
+ * @param {String} obj.teamId - (optional) id of team for getting integration apps (used for integrations like GitLab)
  * @returns {Object[]} apps - names of integration apps
  * @returns {String} apps.name - name of integration app
  */
 const getApps = async ({
   integrationAuth,
   accessToken,
+  teamId
 }: {
   integrationAuth: IIntegrationAuth;
   accessToken: string;
+  teamId?: string;
 }) => {
-  interface App {
-    name: string;
-    appId?: string;
-    owner?: string;
-  }
 
-  let apps: App[];
+  let apps: App[] = [];
   try {
     switch (integrationAuth.integration) {
       case INTEGRATION_AZURE_KEY_VAULT:
@@ -75,11 +87,22 @@ const getApps = async ({
           accessToken,
         });
         break;
+      case INTEGRATION_GITLAB:
+        apps = await getAppsGitlab({
+          accessToken,
+          teamId
+        });
+        break;
       case INTEGRATION_RENDER:
         apps = await getAppsRender({
           accessToken,
         });
         break;
+      case INTEGRATION_RAILWAY:
+        apps = await getAppsRailway({
+          accessToken 
+        });
+        break;
       case INTEGRATION_FLYIO:
         apps = await getAppsFlyio({
           accessToken,
@@ -90,6 +113,16 @@ const getApps = async ({
           accessToken,
         });
         break;
+      case INTEGRATION_TRAVISCI:
+        apps = await getAppsTravisCI({
+          accessToken,
+        })
+        break;
+      case INTEGRATION_SUPABASE:
+        apps = await getAppsSupabase({
+            accessToken
+        });
+        break;
     }
   } catch (err) {
     Sentry.setUser(null);
@@ -111,7 +144,7 @@ const getAppsHeroku = async ({ accessToken }: { accessToken: string }) => {
   let apps;
   try {
     const res = (
-      await axios.get(`${INTEGRATION_HEROKU_API_URL}/apps`, {
+      await request.get(`${INTEGRATION_HEROKU_API_URL}/apps`, {
         headers: {
           Accept: "application/vnd.heroku+json; version=3",
           Authorization: `Bearer ${accessToken}`,
@@ -148,7 +181,7 @@ const getAppsVercel = async ({
   let apps;
   try {
     const res = (
-      await axios.get(`${INTEGRATION_VERCEL_API_URL}/v9/projects`, {
+      await request.get(`${INTEGRATION_VERCEL_API_URL}/v9/projects`, {
         headers: {
           Authorization: `Bearer ${accessToken}`,
           'Accept-Encoding': 'application/json'
@@ -165,6 +198,7 @@ const getAppsVercel = async ({
 
     apps = res.projects.map((a: any) => ({
       name: a.name,
+      appId: a.id
     }));
   } catch (err) {
     Sentry.setUser(null);
@@ -183,21 +217,40 @@ const getAppsVercel = async ({
  * @returns {String} apps.name - name of Netlify site
  */
 const getAppsNetlify = async ({ accessToken }: { accessToken: string }) => {
-  let apps;
+  const apps: any = [];
   try {
-    const res = (
-      await axios.get(`${INTEGRATION_NETLIFY_API_URL}/api/v1/sites`, {
+    let page = 1;
+    const perPage = 10;
+    let hasMorePages = true;
+    
+    // paginate through all sites
+    while (hasMorePages) {
+      const params = new URLSearchParams({
+        page: String(page),
+        per_page: String(perPage)
+      });
+
+      const { data } = await request.get(`${INTEGRATION_NETLIFY_API_URL}/api/v1/sites`, {
+        params,
         headers: {
           Authorization: `Bearer ${accessToken}`,
           'Accept-Encoding': 'application/json'
         }
-      })
-    ).data;
+      });
+      
+      data.map((a: any) => {
+        apps.push({
+          name: a.name,
+          appId: a.site_id
+        });
+      });
+      
+      if (data.length < perPage) {
+        hasMorePages = false;
+      }
 
-    apps = res.map((a: any) => ({
-      name: a.name,
-      appId: a.site_id,
-    }));
+      page++;
+    }
   } catch (err) {
     Sentry.setUser(null);
     Sentry.captureException(err);
@@ -210,32 +263,66 @@ const getAppsNetlify = async ({ accessToken }: { accessToken: string }) => {
 /**
  * Return list of repositories for Github integration
  * @param {Object} obj
- * @param {String} obj.accessToken - access token for Netlify API
- * @returns {Object[]} apps - names of Netlify sites
- * @returns {String} apps.name - name of Netlify site
+ * @param {String} obj.accessToken - access token for Github API
+ * @returns {Object[]} apps - names of Github sites
+ * @returns {String} apps.name - name of Github site
  */
 const getAppsGithub = async ({ accessToken }: { accessToken: string }) => {
   let apps;
   try {
+    interface GitHubApp {
+      id: string;
+      name: string;
+      permissions: {
+        admin: boolean;
+      };
+      owner: {
+        login: string;
+      }
+    }
+
     const octokit = new Octokit({
       auth: accessToken,
     });
 
-    const repos = (
-      await octokit.request(
-        "GET /user/repos{?visibility,affiliation,type,sort,direction,per_page,page,since,before}",
-        {
-          per_page: 100,
+    const getAllRepos = async () => {
+      let repos: GitHubApp[] = [];
+      let page = 1;
+      const per_page = 100;
+      let hasMore = true;
+
+      while (hasMore) {
+        const response = await octokit.request(
+          "GET /user/repos{?visibility,affiliation,type,sort,direction,per_page,page,since,before}",
+          {
+            per_page,
+            page,
+          }
+        );
+        
+        if (response.data.length > 0) {
+          repos = repos.concat(response.data);
+          page++;
+        } else {
+          hasMore = false;
         }
-      )
-    ).data;
+      }
+
+      return repos;
+    };
+
+    const repos = await getAllRepos();
 
     apps = repos
-      .filter((a: any) => a.permissions.admin === true)
-      .map((a: any) => ({
-        name: a.name,
-        owner: a.owner.login,
-      }));
+      .filter((a: GitHubApp) => a.permissions.admin === true)
+      .map((a: GitHubApp) => {
+        return {
+          appId: a.id,
+          name: a.name,
+          owner: a.owner.login,
+        };
+      });
+    
   } catch (err) {
     Sentry.setUser(null);
     Sentry.captureException(err);
@@ -257,7 +344,7 @@ const getAppsRender = async ({ accessToken }: { accessToken: string }) => {
   let apps: any;
   try {
     const res = (
-      await axios.get(`${INTEGRATION_RENDER_API_URL}/v1/services`, {
+      await request.get(`${INTEGRATION_RENDER_API_URL}/v1/services`, {
         headers: {
           Authorization: `Bearer ${accessToken}`,
           Accept: 'application/json',
@@ -281,6 +368,58 @@ const getAppsRender = async ({ accessToken }: { accessToken: string }) => {
   return apps;
 };
 
+/**
+ * Return list of projects for Railway integration
+ * @param {Object} obj
+ * @param {String} obj.accessToken - access token for Railway API
+ * @returns {Object[]} apps - names and ids of Railway services
+ * @returns {String} apps.name - name of Railway project
+ * @returns {String} apps.appId - id of Railway project
+ *
+*/
+const getAppsRailway = async ({ accessToken }: { accessToken: string }) => {
+  let apps: any[] = [];
+  try {
+    const query = `
+      query GetProjects($userId: String, $teamId: String) {
+        projects(userId: $userId, teamId: $teamId) {
+          edges {
+            node {
+              id
+              name
+            }
+          }
+        }
+      }
+    `;
+
+    const variables = {};
+
+    const { data: { data: { projects: { edges }}} } = await request.post(INTEGRATION_RAILWAY_API_URL, {
+      query,
+      variables,
+    }, {
+      headers: {
+        'Authorization': `Bearer ${accessToken}`,
+        'Content-Type': 'application/json',
+        'Accept-Encoding': 'application/json'
+      },
+    });
+    
+    apps = edges.map((e: any) => ({
+      name: e.node.name,
+      appId: e.node.id
+    }));
+
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error("Failed to get Railway services");
+  }
+  
+  return apps;
+}
+
 /**
  * Return list of apps for Fly.io integration
  * @param {Object} obj
@@ -303,23 +442,18 @@ const getAppsFlyio = async ({ accessToken }: { accessToken: string }) => {
       }
     `;
 
-    const res = (
-      await axios({
-        url: INTEGRATION_FLYIO_API_URL,
-        method: "post",
-        headers: {
-          Authorization: "Bearer " + accessToken,
+    const res = (await request.post(INTEGRATION_FLYIO_API_URL, {
+      query,
+      variables: {
+        role: null,
+      },
+    }, {
+      headers: {
+        Authorization: "Bearer " + accessToken,
         'Accept': 'application/json',
         'Accept-Encoding': 'application/json',
-        },
-        data: {
-          query,
-          variables: {
-            role: null,
-          },
-        },
-      })
-    ).data.data.apps.nodes;
+      },
+    })).data.data.apps.nodes;
 
     apps = res.map((a: any) => ({
       name: a.name,
@@ -344,7 +478,7 @@ const getAppsCircleCI = async ({ accessToken }: { accessToken: string }) => {
   let apps: any;
   try {    
     const res = (
-      await axios.get(
+      await request.get(
         `${INTEGRATION_CIRCLECI_API_URL}/v1.1/projects`,
         {
           headers: {
@@ -369,4 +503,183 @@ const getAppsCircleCI = async ({ accessToken }: { accessToken: string }) => {
   return apps;
 };
 
+const getAppsTravisCI = async ({ accessToken }: { accessToken: string }) => {
+  let apps: any;
+  try {
+    const res = (
+      await request.get(
+        `${INTEGRATION_TRAVISCI_API_URL}/repos`,
+        {
+          headers: {
+            "Authorization": `token ${accessToken}`,
+            "Accept-Encoding": "application/json",
+          },
+        }
+      )
+    ).data;
+
+    apps = res?.map((a: any) => {
+      return {
+        name: a?.slug?.split("/")[1],
+        appId: a?.id,
+      }
+    });
+  }catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error("Failed to get TravisCI projects");
+  }
+  
+  return apps;
+}
+
+/**
+ * Return list of repositories for GitLab integration
+ * @param {Object} obj
+ * @param {String} obj.accessToken - access token for GitLab API
+ * @returns {Object[]} apps - names of GitLab sites
+ * @returns {String} apps.name - name of GitLab site
+ */
+const getAppsGitlab = async ({ 
+  accessToken,
+  teamId
+}: {
+  accessToken: string;
+  teamId?: string;
+}) => {
+  const apps: App[] = [];
+  
+  let page = 1;
+  const perPage = 10;
+  let hasMorePages = true;
+  try {
+
+    if (teamId) {
+      // case: fetch projects for group with id [teamId] in GitLab
+      
+      while (hasMorePages) {
+        const params = new URLSearchParams({
+          page: String(page),
+          per_page: String(perPage)
+        });
+
+        const { data } = (
+          await request.get(
+            `${INTEGRATION_GITLAB_API_URL}/v4/groups/${teamId}/projects`,
+            {
+              params,
+              headers: {
+                "Authorization": `Bearer ${accessToken}`,
+                "Accept-Encoding": "application/json",
+              },
+            }
+          )
+        );
+
+        data.map((a: any) => {
+          apps.push({
+            name: a.name,
+            appId: a.id
+          });
+        });
+        
+        if (data.length < perPage) {
+          hasMorePages = false;
+        }
+        
+        page++;
+      }
+    } else {
+      // case: fetch projects for individual in GitLab
+      
+      const { id } = (
+        await request.get(
+          `${INTEGRATION_GITLAB_API_URL}/v4/user`,
+          {
+            headers: {
+              "Authorization": `Bearer ${accessToken}`,
+              "Accept-Encoding": "application/json",
+            },
+          }
+        )
+      ).data;
+      
+      while (hasMorePages) {
+        const params = new URLSearchParams({
+          page: String(page),
+          per_page: String(perPage)
+        });
+
+        const { data } = (
+          await request.get(
+            `${INTEGRATION_GITLAB_API_URL}/v4/users/${id}/projects`,
+            {
+              params,
+              headers: {
+                "Authorization": `Bearer ${accessToken}`,
+                "Accept-Encoding": "application/json",
+              },
+            }
+          )
+        );
+
+        data.map((a: any) => {
+          apps.push({
+            name: a.name,
+            appId: a.id
+          });
+        });
+
+        if (data.length < perPage) {
+          hasMorePages = false;
+        }
+        
+        page++;
+      }
+    }
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error("Failed to get GitLab projects");
+  }
+  
+  return apps;
+}
+
+
+/**
+ * Return list of projects for Supabase integration
+ * @param {Object} obj
+ * @param {String} obj.accessToken - access token for Supabase API
+ * @returns {Object[]} apps - names of Supabase apps
+ * @returns {String} apps.name - name of Supabase app
+ */
+const getAppsSupabase = async ({ accessToken }: { accessToken: string }) => {
+  let apps: any;
+  try {
+      const { data } = await request.get(
+        `${INTEGRATION_SUPABASE_API_URL}/v1/projects`,
+        {
+          headers: {
+          Authorization: `Bearer ${accessToken}`,
+          'Accept-Encoding': 'application/json'
+          }
+        }
+      );
+
+      apps = data.map((a: any) => {
+        return {
+            name: a.name,
+            appId: a.id
+        };
+    });
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed to get Supabase projects');
+  }
+  
+  return apps;
+};
+
 export { getApps };

backend/src/integrations/exchange.ts

@@ -1,28 +1,32 @@
-import axios from 'axios';
 import * as Sentry from '@sentry/node';
+import request from '../config/request';
 import {
   INTEGRATION_AZURE_KEY_VAULT,
   INTEGRATION_HEROKU,
   INTEGRATION_VERCEL,
   INTEGRATION_NETLIFY,
   INTEGRATION_GITHUB,
+  INTEGRATION_GITLAB,
   INTEGRATION_AZURE_TOKEN_URL,
   INTEGRATION_HEROKU_TOKEN_URL,
   INTEGRATION_VERCEL_TOKEN_URL,
   INTEGRATION_NETLIFY_TOKEN_URL,
-  INTEGRATION_GITHUB_TOKEN_URL
+  INTEGRATION_GITHUB_TOKEN_URL,
+  INTEGRATION_GITLAB_TOKEN_URL
 } from '../variables';
 import {
-  SITE_URL,
-  CLIENT_ID_AZURE,
-  CLIENT_ID_VERCEL,
-  CLIENT_ID_NETLIFY,
-  CLIENT_ID_GITHUB,
-  CLIENT_SECRET_AZURE,
-  CLIENT_SECRET_HEROKU,
-  CLIENT_SECRET_VERCEL,
-  CLIENT_SECRET_NETLIFY,
-  CLIENT_SECRET_GITHUB
+  getSiteURL,
+  getClientIdAzure,
+  getClientSecretAzure,
+  getClientSecretHeroku,
+  getClientIdVercel,
+  getClientSecretVercel,
+  getClientIdNetlify,
+  getClientSecretNetlify,
+  getClientIdGitHub,
+  getClientSecretGitHub,
+  getClientIdGitLab,
+  getClientSecretGitLab
 } from '../config';
 
 interface ExchangeCodeAzureResponse {
@@ -66,6 +70,15 @@ interface ExchangeCodeGithubResponse {
   token_type: string;
 }
 
+interface ExchangeCodeGitlabResponse {
+  access_token: string;
+  token_type: string;
+  expires_in: number;
+  refresh_token: string;
+  scope: string;
+  created_at: number;
+}
+
 /**
  * Return [accessToken], [accessExpiresAt], and [refreshToken] for OAuth2
  * code-token exchange for integration named [integration]
@@ -114,6 +127,10 @@ const exchangeCode = async ({
           code
         });
         break;
+      case INTEGRATION_GITLAB:
+        obj = await exchangeCodeGitlab({
+          code
+        });
     }
   } catch (err) {
     Sentry.setUser(null);
@@ -136,22 +153,22 @@ const exchangeCodeAzure = async ({
   const accessExpiresAt = new Date();
   let res: ExchangeCodeAzureResponse;
   try {
-    res = (await axios.post(
+    res = (await request.post(
       INTEGRATION_AZURE_TOKEN_URL,
       new URLSearchParams({
         grant_type: 'authorization_code',
         code: code,
         scope: 'https://vault.azure.net/.default openid offline_access',
-        client_id: CLIENT_ID_AZURE,
-        client_secret: CLIENT_SECRET_AZURE,
-        redirect_uri: `${SITE_URL}/integrations/azure-key-vault/oauth2/callback`
+        client_id: await getClientIdAzure(),
+        client_secret: await getClientSecretAzure(),
+        redirect_uri: `${await getSiteURL()}/integrations/azure-key-vault/oauth2/callback`
       } as any)
     )).data;
 
     accessExpiresAt.setSeconds(
       accessExpiresAt.getSeconds() + res.expires_in
     );
-  } catch (err: any) {
+  } catch (err) {
     Sentry.setUser(null);
     Sentry.captureException(err);
     throw new Error('Failed OAuth2 code-token exchange with Azure');
@@ -182,12 +199,12 @@ const exchangeCodeHeroku = async ({
   let res: ExchangeCodeHerokuResponse;
   const accessExpiresAt = new Date();
   try {
-    res = (await axios.post(
+    res = (await request.post(
       INTEGRATION_HEROKU_TOKEN_URL,
       new URLSearchParams({
         grant_type: 'authorization_code',
         code: code,
-        client_secret: CLIENT_SECRET_HEROKU
+        client_secret: await getClientSecretHeroku()
       } as any)
     )).data;
 
@@ -221,13 +238,13 @@ const exchangeCodeVercel = async ({ code }: { code: string }) => {
   let res: ExchangeCodeVercelResponse;
   try {
     res = (
-      await axios.post(
+      await request.post(
         INTEGRATION_VERCEL_TOKEN_URL,
         new URLSearchParams({
           code: code,
-          client_id: CLIENT_ID_VERCEL,
-          client_secret: CLIENT_SECRET_VERCEL,
-          redirect_uri: `${SITE_URL}/integrations/vercel/oauth2/callback`
+          client_id: await getClientIdVercel(),
+          client_secret: await getClientSecretVercel(),
+          redirect_uri: `${await getSiteURL()}/integrations/vercel/oauth2/callback`
         } as any)
       )
     ).data;
@@ -260,26 +277,26 @@ const exchangeCodeNetlify = async ({ code }: { code: string }) => {
   let accountId;
   try {
     res = (
-      await axios.post(
+      await request.post(
         INTEGRATION_NETLIFY_TOKEN_URL,
         new URLSearchParams({
           grant_type: 'authorization_code',
           code: code,
-          client_id: CLIENT_ID_NETLIFY,
-          client_secret: CLIENT_SECRET_NETLIFY,
-          redirect_uri: `${SITE_URL}/integrations/netlify/oauth2/callback`
+          client_id: await getClientIdNetlify(),
+          client_secret: await getClientSecretNetlify(),
+          redirect_uri: `${await getSiteURL()}/integrations/netlify/oauth2/callback`
         } as any)
       )
     ).data;
 
-    const res2 = await axios.get('https://api.netlify.com/api/v1/sites', {
+    const res2 = await request.get('https://api.netlify.com/api/v1/sites', {
       headers: {
         Authorization: `Bearer ${res.access_token}`
       }
     });
 
     const res3 = (
-      await axios.get('https://api.netlify.com/api/v1/accounts', {
+      await request.get('https://api.netlify.com/api/v1/accounts', {
         headers: {
           Authorization: `Bearer ${res.access_token}`
         }
@@ -314,12 +331,12 @@ const exchangeCodeGithub = async ({ code }: { code: string }) => {
   let res: ExchangeCodeGithubResponse;
   try {
     res = (
-      await axios.get(INTEGRATION_GITHUB_TOKEN_URL, {
+      await request.get(INTEGRATION_GITHUB_TOKEN_URL, {
         params: {
-          client_id: CLIENT_ID_GITHUB,
-          client_secret: CLIENT_SECRET_GITHUB,
+          client_id: await getClientIdGitHub(),
+          client_secret: await getClientSecretGitHub(),
           code: code,
-          redirect_uri: `${SITE_URL}/integrations/github/oauth2/callback`
+          redirect_uri: `${await getSiteURL()}/integrations/github/oauth2/callback`
         },
         headers: {
           'Accept': 'application/json',
@@ -341,4 +358,53 @@ const exchangeCodeGithub = async ({ code }: { code: string }) => {
   };
 };
 
+/**
+ * Return [accessToken], [accessExpiresAt], and [refreshToken] for Gitlab
+ * code-token exchange
+ * @param {Object} obj1
+ * @param {Object} obj1.code - code for code-token exchange
+ * @returns {Object} obj2
+ * @returns {String} obj2.accessToken - access token for Gitlab API
+ * @returns {String} obj2.refreshToken - refresh token for Gitlab API
+ * @returns {Date} obj2.accessExpiresAt - date of expiration for access token
+ */
+const exchangeCodeGitlab = async ({ code }: { code: string }) => {
+  let res: ExchangeCodeGitlabResponse; 
+  const accessExpiresAt = new Date();
+  
+  try {
+    res = (
+      await request.post(
+        INTEGRATION_GITLAB_TOKEN_URL,
+        new URLSearchParams({
+          grant_type: 'authorization_code',
+          code: code,
+          client_id: await getClientIdGitLab(),
+          client_secret: await getClientSecretGitLab(),
+          redirect_uri: `${await getSiteURL()}/integrations/gitlab/oauth2/callback`
+        } as any),
+        {
+          headers: {
+            "Accept-Encoding": "application/json",
+          }
+        }
+      )
+    ).data;
+    
+    accessExpiresAt.setSeconds(
+      accessExpiresAt.getSeconds() + res.expires_in
+    );
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed OAuth2 code-token exchange with Gitlab');
+  }
+
+  return {
+    accessToken: res.access_token,
+    refreshToken: res.refresh_token,
+    accessExpiresAt
+  };
+}
+
 export { exchangeCode };

backend/src/integrations/index.ts

@@ -1,6 +1,7 @@
 import { exchangeCode } from './exchange';
 import { exchangeRefresh } from './refresh';
 import { getApps } from './apps';
+import { getTeams } from './teams';
 import { syncSecrets } from './sync';
 import { revokeAccess } from './revoke';
 
@@ -8,6 +9,7 @@ export {
     exchangeCode,
     exchangeRefresh,
     getApps,
+    getTeams,
     syncSecrets,
     revokeAccess
 }

backend/src/integrations/refresh.ts

@@ -1,16 +1,29 @@
-import axios from 'axios';
 import * as Sentry from '@sentry/node';
-import { INTEGRATION_AZURE_KEY_VAULT, INTEGRATION_HEROKU } from '../variables';
+import request from '../config/request';
 import {
-  SITE_URL,
-  CLIENT_ID_AZURE,
-  CLIENT_SECRET_AZURE,
-  CLIENT_SECRET_HEROKU
-} from '../config';
+  IIntegrationAuth
+} from '../models';
+import {
+  INTEGRATION_AZURE_KEY_VAULT, 
+  INTEGRATION_HEROKU,
+  INTEGRATION_GITLAB,
+} from '../variables';
 import {
   INTEGRATION_AZURE_TOKEN_URL,
-  INTEGRATION_HEROKU_TOKEN_URL
+  INTEGRATION_HEROKU_TOKEN_URL,
+  INTEGRATION_GITLAB_TOKEN_URL
 } from '../variables';
+import {
+  IntegrationService
+} from '../services';
+import {
+  getSiteURL,
+  getClientIdAzure,
+  getClientSecretAzure,
+  getClientSecretHeroku,
+  getClientIdGitLab,
+  getClientSecretGitLab
+} from '../config';
 
 interface RefreshTokenAzureResponse {
   token_type: string;
@@ -21,6 +34,23 @@ interface RefreshTokenAzureResponse {
   refresh_token: string;
 }
 
+interface RefreshTokenHerokuResponse {
+  access_token: string;
+  expires_in: number;
+  refresh_token: string;
+  token_type: string;
+  user_id: string;
+}
+
+interface RefreshTokenGitLabResponse {
+  token_type: string;
+  scope: string;
+  expires_in: number;
+  access_token: string;
+  refresh_token: string;
+  created_at: number;
+}
+
 /**
  * Return new access token by exchanging refresh token [refreshToken] for integration
  * named [integration]
@@ -29,33 +59,61 @@ interface RefreshTokenAzureResponse {
  * @param {String} obj.refreshToken - refresh token to use to get new access token for Heroku
  */
 const exchangeRefresh = async ({
-  integration,
+  integrationAuth,
   refreshToken
 }: {
-  integration: string;
+  integrationAuth: IIntegrationAuth;
   refreshToken: string;
 }) => {
-  let accessToken;
+  
+  interface TokenDetails {
+    accessToken: string;
+    refreshToken: string;
+    accessExpiresAt: Date;
+  }
+  
+  let tokenDetails: TokenDetails;
   try {
-    switch (integration) {
+    switch (integrationAuth.integration) {
       case INTEGRATION_AZURE_KEY_VAULT:
-        accessToken = await exchangeRefreshAzure({
+        tokenDetails = await exchangeRefreshAzure({
           refreshToken
         });
         break;
       case INTEGRATION_HEROKU:
-        accessToken = await exchangeRefreshHeroku({
+        tokenDetails = await exchangeRefreshHeroku({
           refreshToken
         });
         break;
+      case INTEGRATION_GITLAB:
+        tokenDetails = await exchangeRefreshGitLab({
+          refreshToken
+        });
+        break;
+      default:
+        throw new Error('Failed to exchange token for incompatible integration');
     }
+
+    if (tokenDetails?.accessToken && tokenDetails?.refreshToken && tokenDetails?.accessExpiresAt) {
+      await IntegrationService.setIntegrationAuthAccess({
+        integrationAuthId: integrationAuth._id.toString(),
+        accessId: null,
+        accessToken: tokenDetails.accessToken,
+        accessExpiresAt: tokenDetails.accessExpiresAt
+      });
+
+      await IntegrationService.setIntegrationAuthRefresh({
+        integrationAuthId: integrationAuth._id.toString(),
+        refreshToken: tokenDetails.refreshToken
+      });
+    }
+
+    return tokenDetails.accessToken;
   } catch (err) {
     Sentry.setUser(null);
     Sentry.captureException(err);
     throw new Error('Failed to get new OAuth2 access token');
   }
-
-  return accessToken;
 };
 
 /**
@@ -71,18 +129,27 @@ const exchangeRefreshAzure = async ({
   refreshToken: string;
 }) => {
   try {
-    const res: RefreshTokenAzureResponse = (await axios.post(
+    const accessExpiresAt = new Date();
+    const { data }: { data: RefreshTokenAzureResponse } = await request.post(
       INTEGRATION_AZURE_TOKEN_URL,
        new URLSearchParams({
-        client_id: CLIENT_ID_AZURE,
+        client_id: await getClientIdAzure(),
         scope: 'openid offline_access',
         refresh_token: refreshToken,
         grant_type: 'refresh_token',
-        client_secret: CLIENT_SECRET_AZURE
+        client_secret: await getClientSecretAzure()
       } as any)
-    )).data;
+    );
     
-    return res.access_token;
+    accessExpiresAt.setSeconds(
+      accessExpiresAt.getSeconds() + data.expires_in
+    );
+
+    return ({
+      accessToken: data.access_token,
+      refreshToken: data.refresh_token,
+      accessExpiresAt
+    });
   } catch (err) {
     Sentry.setUser(null);
     Sentry.captureException(err);
@@ -102,26 +169,84 @@ const exchangeRefreshHeroku = async ({
 }: {
   refreshToken: string;
 }) => {
-  
-  let accessToken;
   try {
-    const res = await axios.post(
+    const accessExpiresAt = new Date();
+    const { 
+      data 
+    }: { 
+      data: RefreshTokenHerokuResponse 
+    } = await request.post(
         INTEGRATION_HEROKU_TOKEN_URL,
         new URLSearchParams({
             grant_type: 'refresh_token',
             refresh_token: refreshToken,
-            client_secret: CLIENT_SECRET_HEROKU
+            client_secret: await getClientSecretHeroku()
         } as any)
     );
 
-    accessToken = res.data.access_token;
+    accessExpiresAt.setSeconds(
+      accessExpiresAt.getSeconds() + data.expires_in
+    );
+
+    return ({
+      accessToken: data.access_token,
+      refreshToken: data.refresh_token,
+      accessExpiresAt
+    });
   } catch (err) {
     Sentry.setUser(null);
     Sentry.captureException(err);
     throw new Error('Failed to refresh OAuth2 access token for Heroku');
   }
+};
 
-  return accessToken;
+/**
+ * Return new access token by exchanging refresh token [refreshToken] for the
+ * GitLab integration
+ * @param {Object} obj
+ * @param {String} obj.refreshToken - refresh token to use to get new access token for GitLab
+ * @returns
+ */
+const exchangeRefreshGitLab = async ({
+  refreshToken
+}: {
+  refreshToken: string;
+}) => {
+  try {
+    const accessExpiresAt = new Date();
+    const { 
+      data
+    }: { 
+      data: RefreshTokenGitLabResponse 
+    } = await request.post(
+      INTEGRATION_GITLAB_TOKEN_URL,
+      new URLSearchParams({
+        grant_type: 'refresh_token',
+        refresh_token: refreshToken,
+        client_id: await getClientIdGitLab,
+        client_secret: await getClientSecretGitLab(),
+        redirect_uri: `${await getSiteURL()}/integrations/gitlab/oauth2/callback`
+      } as any),
+      {
+        headers: {
+          "Accept-Encoding": "application/json",
+        }
+      });
+
+    accessExpiresAt.setSeconds(
+      accessExpiresAt.getSeconds() + data.expires_in
+    );
+
+    return ({
+      accessToken: data.access_token,
+      refreshToken: data.refresh_token,
+      accessExpiresAt
+    });
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed to refresh OAuth2 access token for GitLab');
+  }
 };
 
 export { exchangeRefresh };

backend/src/integrations/revoke.ts

@@ -10,7 +10,8 @@ import {
   INTEGRATION_HEROKU,
   INTEGRATION_VERCEL,
   INTEGRATION_NETLIFY,
-  INTEGRATION_GITHUB
+  INTEGRATION_GITHUB,
+  INTEGRATION_GITLAB,
 } from '../variables';
 
 const revokeAccess = async ({
@@ -32,6 +33,8 @@ const revokeAccess = async ({
         break;
       case INTEGRATION_GITHUB:
         break;
+      case INTEGRATION_GITLAB:
+        break;
     }
 
     deletedIntegrationAuth = await IntegrationAuth.findOneAndDelete({

backend/src/integrations/sync.ts

@@ -1,4 +1,3 @@
-import axios from "axios";
 import * as Sentry from "@sentry/node";
 import _ from 'lodash';
 import AWS from 'aws-sdk';
@@ -20,16 +19,26 @@ import {
   INTEGRATION_VERCEL,
   INTEGRATION_NETLIFY,
   INTEGRATION_GITHUB,
+  INTEGRATION_GITLAB,
   INTEGRATION_RENDER,
+  INTEGRATION_RAILWAY,
   INTEGRATION_FLYIO,
   INTEGRATION_CIRCLECI,
+  INTEGRATION_TRAVISCI,
+  INTEGRATION_SUPABASE,
   INTEGRATION_HEROKU_API_URL,
+  INTEGRATION_GITLAB_API_URL,
   INTEGRATION_VERCEL_API_URL,
   INTEGRATION_NETLIFY_API_URL,
   INTEGRATION_RENDER_API_URL,
+  INTEGRATION_RAILWAY_API_URL,
   INTEGRATION_FLYIO_API_URL,
   INTEGRATION_CIRCLECI_API_URL,
+  INTEGRATION_TRAVISCI_API_URL,
+  INTEGRATION_SUPABASE_API_URL
 } from "../variables";
+import request from '../config/request';
+import axios from "axios";
 
 /**
  * Sync/push [secrets] to [app] in integration named [integration]
@@ -108,6 +117,13 @@ const syncSecrets = async ({
           accessToken,
         });
         break;
+      case INTEGRATION_GITLAB:
+        await syncSecretsGitLab({
+          integration,
+          secrets,
+          accessToken,
+        });
+        break;
       case INTEGRATION_RENDER:
         await syncSecretsRender({
           integration,
@@ -115,6 +131,13 @@ const syncSecrets = async ({
           accessToken,
         });
         break;
+      case INTEGRATION_RAILWAY:
+        await syncSecretsRailway({
+          integration,
+          secrets,
+          accessToken
+        });
+        break;
       case INTEGRATION_FLYIO:
         await syncSecretsFlyio({
           integration,
@@ -128,6 +151,21 @@ const syncSecrets = async ({
           secrets,
           accessToken,
         });
+        break;
+      case INTEGRATION_TRAVISCI:
+        await syncSecretsTravisCI({
+          integration,
+          secrets,
+          accessToken,
+        });
+        break;
+      case INTEGRATION_SUPABASE:
+        await syncSecretsSupabase({
+            integration,
+            secrets,
+            accessToken
+        });
+        break;
     }
   } catch (err) {
     Sentry.setUser(null);
@@ -153,7 +191,6 @@ const syncSecretsAzureKeyVault = async ({
   accessToken: string;
 }) => {
   try {
-
     interface GetAzureKeyVaultSecret {
       id: string; // secret URI
       attributes: {
@@ -176,17 +213,22 @@ const syncSecretsAzureKeyVault = async ({
      */
     const paginateAzureKeyVaultSecrets = async (url: string) => {
       let result: GetAzureKeyVaultSecret[] = [];
-      
-      while (url) {
-        const res = await axios.get(url, {
-          headers: {
-            Authorization: `Bearer ${accessToken}`,
-            'Accept-Encoding': 'application/json'
-          }
-        });
+      try {
+        while (url) {
+          const res = await request.get(url, {
+            headers: {
+              Authorization: `Bearer ${accessToken}`
+            }
+          });
+          
+          result = result.concat(res.data.value);
+          
+          url = res.data.nextLink;
+        }
         
-        result = result.concat(res.data.value);
-        url = res.data.nextLink;
+      } catch (err) {
+        Sentry.setUser(null);
+        Sentry.captureException(err);
       }
       
       return result;
@@ -200,10 +242,9 @@ const syncSecretsAzureKeyVault = async ({
         lastSlashIndex = getAzureKeyVaultSecret.id.lastIndexOf('/');
       }
       
-      const azureKeyVaultSecret = await axios.get(`${getAzureKeyVaultSecret.id}?api-version=7.3`, {
+      const azureKeyVaultSecret = await request.get(`${getAzureKeyVaultSecret.id}?api-version=7.3`, {
         headers: {
-          'Authorization': `Bearer ${accessToken}`,
-          'Accept-Encoding': 'application/json'
+          'Authorization': `Bearer ${accessToken}`
         }
       });
 
@@ -249,33 +290,75 @@ const syncSecretsAzureKeyVault = async ({
         deleteSecrets.push(res[key]);
       }
     });
+
+    const setSecretAzureKeyVault = async ({
+      key,
+      value,
+      integration,
+      accessToken
+    }: {
+      key: string;
+      value: string;
+      integration: IIntegration;
+      accessToken: string;
+    }) => {
+      let isSecretSet = false;
+      let maxTries = 6;
+      
+      while (!isSecretSet && maxTries > 0) {
+        // try to set secret
+        try {
+          await request.put(
+            `${integration.app}/secrets/${key}?api-version=7.3`,
+            {
+              value
+            },
+            {
+              headers: {
+                Authorization: `Bearer ${accessToken}`
+              }
+            }
+          );
+
+          isSecretSet = true;
+        
+        } catch (err) {
+          const error: any = err;
+          if (error?.response?.data?.error?.innererror?.code === 'ObjectIsDeletedButRecoverable') {
+            await request.post(
+              `${integration.app}/deletedsecrets/${key}/recover?api-version=7.3`, {},
+              {
+                headers: {
+                  Authorization: `Bearer ${accessToken}`
+                }
+              }
+            );
+            await new Promise(resolve => setTimeout(resolve, 10000));
+          } else {
+            await new Promise(resolve => setTimeout(resolve, 10000));
+            maxTries--;
+          }
+        }
+      }
+    }
     
     // Sync/push set secrets
-    if (setSecrets.length > 0) {
-      setSecrets.forEach(async ({ key, value }) => {
-        await axios.put(
-          `${integration.app}/secrets/${key}?api-version=7.3`,
-          {
-            value
-          },
-          {
-            headers: {
-              Authorization: `Bearer ${accessToken}`,
-              'Accept-Encoding': 'application/json'
-            }
-          }
-        );
+    for await (const setSecret of setSecrets) {
+      const { key, value } = setSecret;
+      setSecretAzureKeyVault({
+        key,
+        value,
+        integration,
+        accessToken
       });
     }
     
-    if (deleteSecrets.length > 0) {
-      deleteSecrets.forEach(async (secret) => {
-        await axios.delete(`${integration.app}/secrets/${secret.key}?api-version=7.3`, {
-          headers: {
-            'Authorization': `Bearer ${accessToken}`,
-            'Accept-Encoding': 'application/json'
-          }
-        });
+    for await (const deleteSecret of deleteSecrets) {
+      const { key } = deleteSecret;
+      await request.delete(`${integration.app}/secrets/${key}?api-version=7.3`, {
+        headers: {
+          'Authorization': `Bearer ${accessToken}`
+        }
       });
     }
   } catch (err) {
@@ -485,7 +568,7 @@ const syncSecretsHeroku = async ({
 }) => {
   try {
     const herokuSecrets = (
-      await axios.get(
+      await request.get(
         `${INTEGRATION_HEROKU_API_URL}/apps/${integration.app}/config-vars`,
         {
           headers: {
@@ -503,7 +586,7 @@ const syncSecretsHeroku = async ({
       }
     });
 
-    await axios.patch(
+    await request.patch(
       `${INTEGRATION_HEROKU_API_URL}/apps/${integration.app}/config-vars`,
       secrets,
       {
@@ -544,8 +627,9 @@ const syncSecretsVercel = async ({
     key: string;
     value: string;
     target: string[];
+    gitBranch?: string;
   }
-
+  
   try {
     // Get all (decrypted) secrets back from Vercel in
     // decrypted format
@@ -557,41 +641,60 @@ const syncSecretsVercel = async ({
           }
         : {}),
     };
-    
-    const res = (
-      await Promise.all(
-        (
-          await axios.get(
-            `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env`,
+      
+    const vercelSecrets: VercelSecret[] = (await request.get(
+      `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env`,
+      {
+        params,
+        headers: {
+            Authorization: `Bearer ${accessToken}`,
+            'Accept-Encoding': 'application/json'
+        }
+      }
+    ))
+    .data
+    .envs
+    .filter((secret: VercelSecret) => { 
+      if (!secret.target.includes(integration.targetEnvironment)) {
+        // case: secret does not have the same target environment
+        return false;
+      }
+
+      if (integration.targetEnvironment === 'preview' && integration.path && integration.path !== secret.gitBranch) {
+        // case: secret on preview environment does not have same target git branch
+        return false;
+      }
+
+      return true;
+    });
+
+    // return secret.target.includes(integration.targetEnvironment);
+
+    const res: { [key: string]: VercelSecret } = {};
+
+    for await (const vercelSecret of vercelSecrets) {
+      if (vercelSecret.type === 'encrypted') {
+        // case: secret is encrypted -> need to decrypt
+        const decryptedSecret = (await request.get(
+            `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env/${vercelSecret.id}`,
             {
               params,
               headers: {
                   Authorization: `Bearer ${accessToken}`,
                   'Accept-Encoding': 'application/json'
               }
-          }
-      ))
-      .data
-      .envs
-      .filter((secret: VercelSecret) => secret.target.includes(integration.targetEnvironment))
-      .map(async (secret: VercelSecret) => (await axios.get(
-              `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env/${secret.id}`,
-              {
-                params,
-                headers: {
-                    Authorization: `Bearer ${accessToken}`,
-                    'Accept-Encoding': 'application/json'
-                }
-              }
-          )).data)
-      )).reduce((obj: any, secret: any) => ({
-          ...obj,
-          [secret.key]: secret
-      }), {});
+            }
+        )).data;
 
-      const updateSecrets: VercelSecret[] = [];
-      const deleteSecrets: VercelSecret[] = [];
-      const newSecrets: VercelSecret[] = [];
+        res[vercelSecret.key] = decryptedSecret;
+      } else {
+        res[vercelSecret.key] = vercelSecret;
+      }
+    }
+    
+    const updateSecrets: VercelSecret[] = [];
+    const deleteSecrets: VercelSecret[] = [];
+    const newSecrets: VercelSecret[] = [];
 
     // Identify secrets to create
     Object.keys(secrets).map((key) => {
@@ -602,6 +705,9 @@ const syncSecretsVercel = async ({
           value: secrets[key],
           type: "encrypted",
           target: [integration.targetEnvironment],
+          ...(integration.path ? {
+            gitBranch: integration.path
+          } : {})
         });
       }
     });
@@ -615,8 +721,13 @@ const syncSecretsVercel = async ({
             id: res[key].id,
             key: key,
             value: secrets[key],
-            type: "encrypted",
-            target: [integration.targetEnvironment],
+            type: res[key].type,
+            target: res[key].target.includes(integration.targetEnvironment) 
+            ? [...res[key].target] 
+            : [...res[key].target, integration.targetEnvironment],
+            ...(integration.path ? {
+              gitBranch: integration.path
+            } : {})
           });
         }
       } else {
@@ -625,15 +736,18 @@ const syncSecretsVercel = async ({
           id: res[key].id,
           key: key,
           value: res[key].value,
-          type: "encrypted",
+          type: "encrypted", // value doesn't matter
           target: [integration.targetEnvironment],
+          ...(integration.path ? {
+            gitBranch: integration.path
+          } : {})
         });
       }
     });
 
     // Sync/push new secrets
     if (newSecrets.length > 0) {
-      await axios.post(
+      await request.post(
         `${INTEGRATION_VERCEL_API_URL}/v10/projects/${integration.app}/env`,
         newSecrets,
         {
@@ -645,12 +759,11 @@ const syncSecretsVercel = async ({
         }
       );
     }
-
-    // Sync/push updated secrets
-    if (updateSecrets.length > 0) {
-      updateSecrets.forEach(async (secret: VercelSecret) => {
+  
+    for await (const secret of updateSecrets) {
+      if (secret.type !== 'sensitive') {
         const { id, ...updatedSecret } = secret;
-        await axios.patch(
+        await request.patch(
           `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env/${secret.id}`,
           updatedSecret,
           {
@@ -661,23 +774,20 @@ const syncSecretsVercel = async ({
             },
           }
         );
-      });
+      } 
     }
 
-    // Delete secrets
-    if (deleteSecrets.length > 0) {
-      deleteSecrets.forEach(async (secret: VercelSecret) => {
-        await axios.delete(
-          `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env/${secret.id}`,
-          {
-            params,
-            headers: {
-              Authorization: `Bearer ${accessToken}`,
-              'Accept-Encoding': 'application/json'
-            },
-          }
-        );
-      });
+    for await (const secret of deleteSecrets) {
+      await request.delete(
+        `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env/${secret.id}`,
+        {
+          params,
+          headers: {
+            Authorization: `Bearer ${accessToken}`,
+            'Accept-Encoding': 'application/json'
+          },
+        }
+      ); 
     }
   } catch (err) {
     Sentry.setUser(null);
@@ -727,7 +837,7 @@ const syncSecretsNetlify = async ({
     });
 
     const res = (
-      await axios.get(
+      await request.get(
         `${INTEGRATION_NETLIFY_API_URL}/api/v1/accounts/${integrationAuth.accountId}/env`,
         {
           params: getParams,
@@ -841,7 +951,7 @@ const syncSecretsNetlify = async ({
     });
 
     if (newSecrets.length > 0) {
-      await axios.post(
+      await request.post(
         `${INTEGRATION_NETLIFY_API_URL}/api/v1/accounts/${integrationAuth.accountId}/env`,
         newSecrets,
         {
@@ -856,7 +966,7 @@ const syncSecretsNetlify = async ({
 
     if (updateSecrets.length > 0) {
       updateSecrets.forEach(async (secret: NetlifySecret) => {
-        await axios.patch(
+        await request.patch(
           `${INTEGRATION_NETLIFY_API_URL}/api/v1/accounts/${integrationAuth.accountId}/env/${secret.key}`,
           {
             context: secret.values[0].context,
@@ -875,7 +985,7 @@ const syncSecretsNetlify = async ({
 
     if (deleteSecrets.length > 0) {
       deleteSecrets.forEach(async (key: string) => {
-        await axios.delete(
+        await request.delete(
           `${INTEGRATION_NETLIFY_API_URL}/api/v1/accounts/${integrationAuth.accountId}/env/${key}`,
           {
             params: syncParams,
@@ -890,7 +1000,7 @@ const syncSecretsNetlify = async ({
 
     if (deleteSecretValues.length > 0) {
       deleteSecretValues.forEach(async (secret: NetlifySecret) => {
-        await axios.delete(
+        await request.delete(
           `${INTEGRATION_NETLIFY_API_URL}/api/v1/accounts/${integrationAuth.accountId}/env/${secret.key}/value/${secret.values[0].id}`,
           {
             params: syncParams,
@@ -954,7 +1064,7 @@ const syncSecretsGitHub = async ({
         "GET /repos/{owner}/{repo}/actions/secrets/public-key",
         {
           owner: integration.owner,
-          repo: integration.app,
+          repo: integration.app
         }
       )
     ).data;
@@ -1041,7 +1151,7 @@ const syncSecretsRender = async ({
   accessToken: string;
 }) => {
   try {
-    await axios.put(
+    await request.put(
       `${INTEGRATION_RENDER_API_URL}/v1/services/${integration.appId}/env-vars`,
       Object.keys(secrets).map((key) => ({
         key,
@@ -1061,6 +1171,58 @@ const syncSecretsRender = async ({
   }
 };
 
+/**
+ * Sync/push [secrets] to Railway project with id [integration.appId]
+ * @param {Object} obj
+ * @param {IIntegration} obj.integration - integration details
+ * @param {Object} obj.secrets - secrets to push to integration (object where keys are secret keys and values are secret values)
+ * @param {String} obj.accessToken - access token for Railway integration
+ */
+const syncSecretsRailway = async ({
+  integration,
+  secrets,
+  accessToken
+}: {
+  integration: IIntegration;
+  secrets: any;
+  accessToken: string;
+}) => {
+  try {
+
+    const query = `
+      mutation UpsertVariables($input: VariableCollectionUpsertInput!) {
+        variableCollectionUpsert(input: $input)
+      }
+    `;
+
+    const input = {
+      projectId: integration.appId,
+      environmentId: integration.targetEnvironmentId,
+      ...(integration.targetServiceId ? { serviceId: integration.targetServiceId } : {}),
+      replace: true,
+      variables: secrets
+    };
+
+    await request.post(INTEGRATION_RAILWAY_API_URL, {
+      query,
+      variables: {
+        input,
+      },
+    }, {
+      headers: {
+        'Authorization': `Bearer ${accessToken}`,
+        'Content-Type': 'application/json',
+        'Accept-Encoding': 'application/json'
+      },
+    });
+    
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error("Failed to sync secrets to Railway");
+  }
+}
+
 /**
  * Sync/push [secrets] to Fly.io app
  * @param {Object} obj
@@ -1099,24 +1261,21 @@ const syncSecretsFlyio = async ({
       }
     `;
 
-    await axios({
-      url: INTEGRATION_FLYIO_API_URL,
-      method: "post",
+    await request.post(INTEGRATION_FLYIO_API_URL, {
+      query: SetSecrets,
+      variables: {
+        input: {
+          appId: integration.app,
+          secrets: Object.entries(secrets).map(([key, value]) => ({
+            key,
+            value,
+          })),
+        },
+      },
+    }, {
       headers: {
         Authorization: "Bearer " + accessToken,
-        'Accept-Encoding': 'application/json'
-      },
-      data: {
-        query: SetSecrets,
-        variables: {
-          input: {
-            appId: integration.app,
-            secrets: Object.entries(secrets).map(([key, value]) => ({
-              key,
-              value,
-            })),
-          },
-        },
+        'Accept-Encoding': 'application/json',
       },
     });
 
@@ -1137,23 +1296,18 @@ const syncSecretsFlyio = async ({
         }
     }`;
 
-    const getSecretsRes = (
-      await axios({
-        method: "post",
-        url: INTEGRATION_FLYIO_API_URL,
-        headers: {
-          'Authorization': 'Bearer ' + accessToken,
-          'Content-Type': 'application/json',
-          'Accept-Encoding': 'application/json'
-        },
-        data: {
-          query: GetSecrets,
-          variables: {
-            appName: integration.app,
-          },
-        },
-      })
-    ).data.data.app.secrets;
+    const getSecretsRes = (await request.post(INTEGRATION_FLYIO_API_URL, {
+      query: GetSecrets,
+      variables: {
+        appName: integration.app,
+      },
+    }, {
+      headers: {
+        Authorization: "Bearer " + accessToken,
+        'Content-Type': 'application/json',
+        'Accept-Encoding': 'application/json',
+      },
+    })).data.data.app.secrets;
 
     const deleteSecretsKeys = getSecretsRes
       .filter((secret: FlyioSecret) => !(secret.name in secrets))
@@ -1178,24 +1332,22 @@ const syncSecretsFlyio = async ({
         }
     }`;
 
-    await axios({
-      method: "post",
-      url: INTEGRATION_FLYIO_API_URL,
+    await request.post(INTEGRATION_FLYIO_API_URL, {
+      query: DeleteSecrets,
+      variables: {
+        input: {
+          appId: integration.app,
+          keys: deleteSecretsKeys,
+        },
+      },
+    }, {
       headers: {
         Authorization: "Bearer " + accessToken,
         "Content-Type": "application/json",
-        'Accept-Encoding': 'application/json'
-      },
-      data: {
-        query: DeleteSecrets,
-        variables: {
-          input: {
-            appId: integration.app,
-            keys: deleteSecretsKeys,
-          },
-        },
+        'Accept-Encoding': 'application/json',
       },
     });
+
   } catch (err) {
     Sentry.setUser(null);
     Sentry.captureException(err);
@@ -1221,7 +1373,7 @@ const syncSecretsCircleCI = async ({
 }) => {  
   try {
     const circleciOrganizationDetail = (
-      await axios.get(`${INTEGRATION_CIRCLECI_API_URL}/v2/me/collaborations`, {
+      await request.get(`${INTEGRATION_CIRCLECI_API_URL}/v2/me/collaborations`, {
         headers: {
           "Circle-Token": accessToken,
           "Accept-Encoding": "application/json",
@@ -1234,7 +1386,7 @@ const syncSecretsCircleCI = async ({
     // sync secrets to CircleCI
     Object.keys(secrets).forEach(
       async (key) =>
-        await axios.post(
+        await request.post(
           `${INTEGRATION_CIRCLECI_API_URL}/v2/project/${slug}/${integration.app}/envvar`,
           {
             name: key,
@@ -1251,7 +1403,7 @@ const syncSecretsCircleCI = async ({
 
     // get secrets from CircleCI
     const getSecretsRes = (
-      await axios.get(
+      await request.get(
         `${INTEGRATION_CIRCLECI_API_URL}/v2/project/${slug}/${integration.app}/envvar`,
         {
           headers: {
@@ -1265,7 +1417,7 @@ const syncSecretsCircleCI = async ({
     // delete secrets from CircleCI
     getSecretsRes.forEach(async (sec: any) => {
       if (!(sec.name in secrets)) {
-        await axios.delete(
+        await request.delete(
           `${INTEGRATION_CIRCLECI_API_URL}/v2/project/${slug}/${integration.app}/envvar/${sec.name}`,
           {
             headers: {
@@ -1283,4 +1435,271 @@ const syncSecretsCircleCI = async ({
   }
 };
 
+/**
+ * Sync/push [secrets] to TravisCI project 
+ * @param {Object} obj
+ * @param {IIntegration} obj.integration - integration details
+ * @param {Object} obj.secrets - secrets to push to integration (object where keys are secret keys and values are secret values)
+ * @param {String} obj.accessToken - access token for TravisCI integration
+ */
+const syncSecretsTravisCI = async ({
+  integration,
+  secrets,
+  accessToken,
+}: {
+  integration: IIntegration;
+  secrets: any;
+  accessToken: string;
+}) => {
+  try {
+    // get secrets from travis-ci  
+    const getSecretsRes = (
+      await request.get(
+        `${INTEGRATION_TRAVISCI_API_URL}/settings/env_vars?repository_id=${integration.appId}`,
+        {
+          headers: {
+            "Authorization": `token ${accessToken}`,
+            "Accept-Encoding": "application/json",
+          },
+        }
+      )
+    )
+    .data
+    ?.env_vars
+    .reduce((obj: any, secret: any) => ({
+        ...obj,
+        [secret.name]: secret
+    }), {});
+    
+    // add secrets
+    for await (const key of Object.keys(secrets)) {
+      if (!(key in getSecretsRes)) {
+        // case: secret does not exist in travis ci
+        // -> add secret
+        await request.post(
+          `${INTEGRATION_TRAVISCI_API_URL}/settings/env_vars?repository_id=${integration.appId}`,
+          {
+            env_var: {
+              name: key,
+              value: secrets[key]
+            }
+          },
+          {
+            headers: {
+              "Authorization": `token ${accessToken}`,
+              "Content-Type": "application/json",
+              "Accept-Encoding": "application/json",
+            },
+          }
+        );
+      } else {
+        // case: secret exists in travis ci
+        // -> update/set secret
+        await request.patch(
+          `${INTEGRATION_TRAVISCI_API_URL}/settings/env_vars/${getSecretsRes[key].id}?repository_id=${getSecretsRes[key].repository_id}`,
+          {
+            env_var: {
+              name: key,
+              value: secrets[key],
+            }
+          },
+          {
+            headers: {
+              "Authorization": `token ${accessToken}`,
+              "Content-Type": "application/json",
+              "Accept-Encoding": "application/json",
+            },
+          }
+        );
+      }
+    }
+
+    for await (const key of Object.keys(getSecretsRes)) {
+      if (!(key in secrets)){
+        // delete secret
+        await request.delete(
+          `${INTEGRATION_TRAVISCI_API_URL}/settings/env_vars/${getSecretsRes[key].id}?repository_id=${getSecretsRes[key].repository_id}`,
+          {
+            headers: {
+              "Authorization": `token ${accessToken}`,
+              "Content-Type": "application/json",
+              "Accept-Encoding": "application/json",
+            },
+          }
+        );
+      }
+    }
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error("Failed to sync secrets to GitLab");
+  }
+}
+
+/**
+ * Sync/push [secrets] to GitLab repo with name [integration.app]
+ * @param {Object} obj
+ * @param {IIntegration} obj.integration - integration details
+ * @param {IIntegrationAuth} obj.integrationAuth - integration auth details
+ * @param {Object} obj.secrets - secrets to push to integration (object where keys are secret keys and values are secret values)
+ * @param {String} obj.accessToken - access token for GitLab integration
+ */
+const syncSecretsGitLab = async ({
+  integration,
+  secrets,
+  accessToken,
+}: {
+  integration: IIntegration;
+  secrets: any;
+  accessToken: string;
+}) => {
+  try {
+    // get secrets from gitlab
+    const getSecretsRes = (
+      await request.get(
+        `${INTEGRATION_GITLAB_API_URL}/v4/projects/${integration?.appId}/variables`,
+        { 
+          headers: {
+            "Authorization": `Bearer ${accessToken}`,
+            "Accept-Encoding": "application/json",
+          },
+        }
+      )
+    ).data;
+
+    for await (const key of Object.keys(secrets)) {
+      const existingSecret = getSecretsRes.find((s: any) => s.key == key);
+      if (!existingSecret) {
+        await request.post(
+          `${INTEGRATION_GITLAB_API_URL}/v4/projects/${integration?.appId}/variables`,
+          {
+            key: key,
+            value: secrets[key],
+            protected: false,
+            masked: false,
+            raw: false,
+            environment_scope:'*'
+          },
+          {
+            headers: {
+              "Authorization": `Bearer ${accessToken}`,
+              "Content-Type": "application/json",
+              "Accept-Encoding": "application/json",
+            },
+          }
+        )
+      } else {
+        // udpate secret 
+        await request.put(
+          `${INTEGRATION_GITLAB_API_URL}/v4/projects/${integration?.appId}/variables/${existingSecret.key}`,
+          {
+            ...existingSecret,
+            value: secrets[existingSecret.key]
+          },
+          {
+            headers: {
+              "Authorization": `Bearer ${accessToken}`,
+              "Content-Type": "application/json",
+              "Accept-Encoding": "application/json",
+            },
+          }
+        )
+      }
+    }
+
+    // delete secrets 
+    for await (const sec of getSecretsRes) {
+      if (!(sec.key in secrets)) {
+        await request.delete(
+          `${INTEGRATION_GITLAB_API_URL}/v4/projects/${integration?.appId}/variables/${sec.key}`,
+          {
+            headers: {
+              "Authorization": `Bearer ${accessToken}`,
+            },
+          }
+        );
+      }
+    }
+  }catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error("Failed to sync secrets to GitLab");
+  }
+}
+
+/**
+ * Sync/push [secrets] to Supabase with name [integration.app]
+ * @param {Object} obj
+ * @param {IIntegration} obj.integration - integration details
+ * @param {IIntegrationAuth} obj.integrationAuth - integration auth details
+ * @param {Object} obj.secrets - secrets to push to integration (object where keys are secret keys and values are secret values)
+ * @param {String} obj.accessToken - access token for Supabase integration
+ */
+const syncSecretsSupabase = async ({
+  integration,
+  secrets,
+  accessToken
+}: {
+  integration: IIntegration;
+  secrets: any;
+  accessToken: string;
+}) => {
+  try {
+    const { data: getSecretsRes } = await request.get(
+      `${INTEGRATION_SUPABASE_API_URL}/v1/projects/${integration.appId}/secrets`,
+      {
+        headers: {
+            Authorization: `Bearer ${accessToken}`,
+            'Accept-Encoding': 'application/json'
+        }
+      }
+    );
+
+    // convert the secrets to [{}] format
+    const modifiedFormatForSecretInjection = Object.keys(secrets).map(
+      (key) => {
+        return {
+            name: key,
+            value: secrets[key]
+        };
+      }
+    );
+
+    await request.post(
+      `${INTEGRATION_SUPABASE_API_URL}/v1/projects/${integration.appId}/secrets`,
+      modifiedFormatForSecretInjection,
+      {
+        headers: {
+            Authorization: `Bearer ${accessToken}`,
+            'Accept-Encoding': 'application/json'
+        }
+      }
+    );
+
+    const secretsToDelete: any = [];
+    getSecretsRes?.forEach((secretObj: any) => {
+      if (!(secretObj.name in secrets)) {
+          secretsToDelete.push(secretObj.name);
+      }
+    });
+
+    await request.delete(
+      `${INTEGRATION_SUPABASE_API_URL}/v1/projects/${integration.appId}/secrets`,
+      {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          'Content-Type': 'application/json',
+          'Accept-Encoding': 'application/json'
+        },
+        data: secretsToDelete
+      }
+    );
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed to sync secrets to Supabase');
+  }
+};
+
+
 export { syncSecrets };

backend/src/integrations/teams.ts

@@ -0,0 +1,92 @@
+import * as Sentry from "@sentry/node";
+import {
+    IIntegrationAuth
+} from '../models';
+import {
+    INTEGRATION_GITLAB,
+    INTEGRATION_GITLAB_API_URL
+} from '../variables';
+import request from '../config/request';
+
+interface Team {
+    name: string;
+    teamId: string;
+}
+
+/**
+ * Return list of teams for integration authorization [integrationAuth]
+ * @param {Object} obj
+ * @param {String} obj.integrationAuth - integration authorization to get teams for
+ * @param {String} obj.accessToken - access token for integration authorization
+ * @returns {Object[]} teams - teams of integration authorization
+ * @returns {String} teams.name - name of team
+ * @returns {String} teams.teamId - id of team
+*/
+const getTeams = async ({
+    integrationAuth,
+    accessToken
+}: {
+    integrationAuth: IIntegrationAuth;
+    accessToken: string;
+}) => {
+    
+    let teams: Team[] = [];
+    try {
+        switch (integrationAuth.integration) {
+            case INTEGRATION_GITLAB:
+                teams = await getTeamsGitLab({
+                    accessToken
+                });
+                break;
+        }
+    } catch (err) {
+        Sentry.setUser(null);
+        Sentry.captureException(err);
+        throw new Error('Failed to get integration teams');
+    }
+    
+    
+    return teams;
+}
+
+/**
+ * Return list of teams for GitLab integration
+ * @param {Object} obj
+ * @param {String} obj.accessToken - access token for GitLab API
+ * @returns {Object[]} teams - teams that user is part of in GitLab
+ * @returns {String} teams.name - name of team
+ * @returns {String} teams.teamId - id of team
+*/
+const getTeamsGitLab = async ({
+    accessToken
+}: {
+    accessToken: string;
+}) => {
+    let teams: Team[] = [];
+    try {
+        const res = (await request.get(
+            `${INTEGRATION_GITLAB_API_URL}/v4/groups`,
+            {
+                headers: {
+                Authorization: `Bearer ${accessToken}`,
+                "Accept-Encoding": "application/json"
+                }
+            }
+        )).data; 
+    
+      teams = res.map((t: any) => ({
+        name: t.name,
+        teamId: t.id
+      }));
+    } catch (err) {
+        Sentry.setUser(null);
+        Sentry.captureException(err);
+        throw new Error("Failed to get GitLab integration teams");
+    }
+    
+    return teams;
+}
+
+export {
+    getTeams
+}

backend/src/interfaces/middleware/index.ts

@@ -0,0 +1,13 @@
+import {
+    IUser,
+    IServiceAccount,
+    IServiceTokenData
+} from '../../models';
+
+export interface AuthData {
+    authMode: string;
+    authPayload: IUser | IServiceAccount | IServiceTokenData;
+    authChannel: string;
+    authIP: string;
+    authUserAgent: string;
+}

backend/src/interfaces/serviceAccounts/dto/AddServiceAccountPermissionDto.ts

@@ -0,0 +1,7 @@
+interface AddServiceAccountPermissionDto {
+    name: string;
+    workspaceId?: string;
+    environment?: string;
+}
+
+export default AddServiceAccountPermissionDto;

backend/src/interfaces/serviceAccounts/dto/CreateServiceAccountDto.ts

@@ -0,0 +1,8 @@
+interface CreateServiceAccountDto {
+    organizationId: string;
+    name: string;
+    publicKey: string; 
+    expiresIn: number;
+}
+
+export default CreateServiceAccountDto;

backend/src/interfaces/serviceAccounts/dto/index.ts

@@ -0,0 +1,7 @@
+import CreateServiceAccountDto from './CreateServiceAccountDto';
+import AddServiceAccountPermissionDto from './AddServiceAccountPermissionDto';
+
+export {
+    CreateServiceAccountDto,
+    AddServiceAccountPermissionDto
+}

backend/src/interfaces/services/SecretService/index.ts

@@ -0,0 +1,52 @@
+import { Types } from 'mongoose';
+import { AuthData } from '../../middleware';
+
+export interface CreateSecretParams {
+    secretName: string;
+    workspaceId: Types.ObjectId;
+    environment: string;
+    type: 'shared' | 'personal';
+    authData: AuthData;
+    secretKeyCiphertext: string;
+    secretKeyIV: string;
+    secretKeyTag: string;
+    secretValueCiphertext: string;
+    secretValueIV: string;
+    secretValueTag: string;
+    secretCommentCiphertext?: string;
+    secretCommentIV?: string;
+    secretCommentTag?: string;
+}
+
+export interface GetSecretsParams {
+    workspaceId: Types.ObjectId;
+    environment: string;
+    authData: AuthData;
+}
+
+export interface GetSecretParams {
+    secretName: string;
+    workspaceId: Types.ObjectId;
+    environment: string;
+    type?: 'shared' | 'personal';
+    authData: AuthData;
+}
+
+export interface UpdateSecretParams {
+    secretName: string;
+    workspaceId: Types.ObjectId;
+    environment: string;
+    type: 'shared' | 'personal',
+    authData: AuthData
+    secretValueCiphertext: string;
+    secretValueIV: string;
+    secretValueTag: string;
+}
+
+export interface DeleteSecretParams {
+    secretName: string;
+    workspaceId: Types.ObjectId;
+    environment: string;
+    type: 'shared' | 'personal';
+    authData: AuthData;
+}

backend/src/middleware/index.ts

@@ -10,6 +10,8 @@ import requireIntegrationAuth from './requireIntegrationAuth';
 import requireIntegrationAuthorizationAuth from './requireIntegrationAuthorizationAuth';
 import requireServiceTokenAuth from './requireServiceTokenAuth';
 import requireServiceTokenDataAuth from './requireServiceTokenDataAuth';
+import requireServiceAccountAuth from './requireServiceAccountAuth';
+import requireServiceAccountWorkspacePermissionAuth from './requireServiceAccountWorkspacePermissionAuth';
 import requireSecretAuth from './requireSecretAuth';
 import requireSecretsAuth from './requireSecretsAuth';
 import validateRequest from './validateRequest';
@@ -27,6 +29,8 @@ export {
 	requireIntegrationAuthorizationAuth,
 	requireServiceTokenAuth,
 	requireServiceTokenDataAuth,
+	requireServiceAccountAuth,
+	requireServiceAccountWorkspacePermissionAuth,
 	requireSecretAuth,
 	requireSecretsAuth,
 	validateRequest

backend/src/middleware/requestErrorHandler.ts

@@ -1,16 +1,13 @@
-import { ErrorRequestHandler } from "express";
-
 import * as Sentry from '@sentry/node';
-import { InternalServerError, UnauthorizedRequestError } from "../utils/errors";
+import { ErrorRequestHandler } from "express";
+import { InternalServerError } from "../utils/errors";
 import { getLogger } from "../utils/logger";
 import RequestError, { LogLevel } from "../utils/requestError";
-import { NODE_ENV } from "../config";
+import { getNodeEnv } from '../config';
 
-import { TokenExpiredError } from 'jsonwebtoken';
-
-export const requestErrorHandler: ErrorRequestHandler = (error: RequestError | Error, req, res, next) => {
+export const requestErrorHandler: ErrorRequestHandler = async (error: RequestError | Error, req, res, next) => {
     if (res.headersSent) return next();
-    if (NODE_ENV !== "production") {
+    if ((await getNodeEnv()) !== "production") {
         /* eslint-disable no-console */
         console.log(error)
         /* eslint-enable no-console */
@@ -18,8 +15,8 @@ export const requestErrorHandler: ErrorRequestHandler = (error: RequestError | E
 
     //TODO: Find better way to type check for error. In current setting you need to cast type to get the functions and variables from RequestError
     if (!(error instanceof RequestError)) {
-        error = InternalServerError({ context: { exception: error.message }, stack: error.stack })
-        getLogger('backend-main').log((<RequestError>error).levelName.toLowerCase(), (<RequestError>error).message)
+        error = InternalServerError({ context: { exception: error.message }, stack: error.stack });
+        (await getLogger('backend-main')).log((<RequestError>error).levelName.toLowerCase(), (<RequestError>error).message)
     }
 
     //* Set Sentry user identification if req.user is populated

backend/src/middleware/requireAuth.ts

@@ -1,12 +1,27 @@
 import jwt from 'jsonwebtoken';
 import { Request, Response, NextFunction } from 'express';
-import { User, ServiceTokenData } from '../models';
 import {
 	validateAuthMode,
 	getAuthUserPayload,
 	getAuthSTDPayload,
-	getAuthAPIKeyPayload
+	getAuthAPIKeyPayload,
+	getAuthSAAKPayload
 } from '../helpers/auth';
+import { 
+	UnauthorizedRequestError
+} from '../utils/errors';
+import {
+	IUser,
+	IServiceAccount,
+	IServiceTokenData
+} from '../models';
+import {
+	AUTH_MODE_JWT,
+	AUTH_MODE_SERVICE_ACCOUNT,
+	AUTH_MODE_SERVICE_TOKEN,
+	AUTH_MODE_API_KEY
+} from '../variables';
+import { getChannelFromUserAgent } from '../utils/posthog';
 
 declare module 'jsonwebtoken' {
 	export interface UserIDJwtPayload extends jwt.JwtPayload {
@@ -25,37 +40,61 @@ declare module 'jsonwebtoken' {
  * @returns
  */
 const requireAuth = ({
-	acceptedAuthModes = ['jwt']
+	acceptedAuthModes = [AUTH_MODE_JWT],
 }: {
 	acceptedAuthModes: string[];
 }) => {
 	return async (req: Request, res: Response, next: NextFunction) => {
+		
 		// validate auth token against accepted auth modes [acceptedAuthModes]
 		// and return token type [authTokenType] and value [authTokenValue]
-		const { authTokenType, authTokenValue } = validateAuthMode({
+		const { authMode, authTokenValue } = validateAuthMode({
 			headers: req.headers,
 			acceptedAuthModes
 		});
 
-		// attach auth payloads
-		switch (authTokenType) {
-			case 'serviceToken':
-				req.serviceTokenData = await getAuthSTDPayload({
+		let authPayload: IUser | IServiceAccount | IServiceTokenData;
+		switch (authMode) {
+			case AUTH_MODE_SERVICE_ACCOUNT:
+				authPayload = await getAuthSAAKPayload({
 					authTokenValue
 				});
+				req.serviceAccount = authPayload;
 				break;
-			case 'apiKey':
-				req.user = await getAuthAPIKeyPayload({
+			case AUTH_MODE_SERVICE_TOKEN:
+				authPayload = await getAuthSTDPayload({
 					authTokenValue
 				});
+				req.serviceTokenData = authPayload;
+				break;
+			case AUTH_MODE_API_KEY:
+				authPayload = await getAuthAPIKeyPayload({
+					authTokenValue
+				});
+				req.user = authPayload;
 				break;
 			default:
-				req.user = await getAuthUserPayload({
+				authPayload = await getAuthUserPayload({
 					authTokenValue
 				});
+				req.user = authPayload;
 				break;
 		}
-
+		
+		req.requestData = {
+			...req.params,
+			...req.query,
+			...req.body,
+		}
+		
+		req.authData = {
+			authMode,
+			authPayload, // User, ServiceAccount, ServiceTokenData
+			authChannel: getChannelFromUserAgent(req.headers['user-agent']),
+			authIP: req.ip,
+			authUserAgent: req.headers['user-agent'] ?? 'other'
+		}
+		
 		return next();
 	}
 }

backend/src/middleware/requireBotAuth.ts

@@ -1,32 +1,28 @@
 import { Request, Response, NextFunction } from 'express';
+import { Types } from 'mongoose';
 import { Bot } from '../models';
 import { validateMembership } from '../helpers/membership';
+import { validateClientForBot } from '../helpers/bot';
 import { AccountNotFoundError } from '../utils/errors';
 
 type req = 'params' | 'body' | 'query';
 
 const requireBotAuth = ({
     acceptedRoles,
-    location = 'params'
+    locationBotId = 'params'
 }: {
-    acceptedRoles: string[];
-    location?: req;
+    acceptedRoles: Array<'admin' | 'member'>;
+    locationBotId?: req;
 }) => {
     return async (req: Request, res: Response, next: NextFunction) => {
-        const bot = await Bot.findById(req[location].botId);
+        const { botId } = req[locationBotId];
         
-        if (!bot) {
-            return next(AccountNotFoundError({message: 'Failed to locate Bot account'}))
-        }
-        
-        await validateMembership({
-            userId: req.user._id.toString(),
-            workspaceId: bot.workspace.toString(),
+        req.bot = await validateClientForBot({
+            authData: req.authData,
+            botId: new Types.ObjectId(botId),
             acceptedRoles
         });
         
-        req.bot = bot;
-        
         next();
     }
 }