Add deny api/get envs api

add basic auth model for Organization
2025-03-21 15:01:38 +00:00 · 2023-01-29 21:04:47 -08:00 · 2023-01-24 23:16:08 -08:00
830 changed files with 12227 additions and 48882 deletions
--- a/.env.example
+++ b/.env.example
@ -16,6 +16,9 @@ JWT_AUTH_LIFETIME=
 JWT_REFRESH_LIFETIME=
 JWT_SIGNUP_LIFETIME=

+# Optional lifetimes for OTP expressed in seconds
+EMAIL_TOKEN_LIFETIME=
+
 # MongoDB
 # Backend will connect to the MongoDB instance at connection string MONGO_URL which can either be a ref
 # to the MongoDB container instance or Mongo Cloud
@ -31,12 +34,12 @@ MONGO_PASSWORD=example
 SITE_URL=http://localhost:8080

 # Mail/SMTP
-SMTP_HOST= 
-SMTP_USERNAME= 
-SMTP_PASSWORD= 
+SMTP_HOST= # required
+SMTP_USERNAME= # required
+SMTP_PASSWORD= # required
 SMTP_PORT=587
 SMTP_SECURE=false
-SMTP_FROM_ADDRESS= 
+SMTP_FROM_ADDRESS= # required
 SMTP_FROM_NAME=Infisical

 # Integration
@ -45,12 +48,10 @@ CLIENT_ID_HEROKU=
 CLIENT_ID_VERCEL=
 CLIENT_ID_NETLIFY=
 CLIENT_ID_GITHUB=
-CLIENT_ID_GITLAB=
 CLIENT_SECRET_HEROKU=
 CLIENT_SECRET_VERCEL=
 CLIENT_SECRET_NETLIFY=
 CLIENT_SECRET_GITHUB=
-CLIENT_SECRET_GITLAB=
 CLIENT_SLUG_VERCEL=

 # Sentry (optional) for monitoring errors
@ -63,7 +64,7 @@ POSTHOG_PROJECT_API_KEY=
 STRIPE_SECRET_KEY=
 STRIPE_PUBLISHABLE_KEY=
 STRIPE_WEBHOOK_SECRET=
-STRIPE_PRODUCT_STARTER=
-STRIPE_PRODUCT_TEAM=
+STRIPE_PRODUCT_CARD_AUTH=
 STRIPE_PRODUCT_PRO=
-NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=
+STRIPE_PRODUCT_STARTER=
+NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@ -1,22 +0,0 @@
-# Description 📣
-
-<!-- Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change. -->
-
-## Type ✨
-
- [ ] Bug fix
- [ ] New feature
- [ ] Breaking change
- [ ] Documentation
-
-# Tests 🛠️
-
-<!-- Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration. You may want to add screenshots when relevant and possible -->
-
-```sh
-# Here's some code block to paste some code snippets
-```
-
---
-
- [ ] I have read the [contributing guide](https://infisical.com/docs/contributing/overview), agreed and acknowledged the [code of conduct](https://infisical.com/docs/contributing/code-of-conduct). 📝
--- a/.github/values.yaml
+++ b/.github/values.yaml
@ -1,71 +1,36 @@
 frontend:
-  enabled: true
-  name: frontend
-  podAnnotations: {}
-  deploymentAnnotations:
-    secrets.infisical.com/auto-reload: "true"
-  replicaCount: 2
+  replicaCount: 1
  image:
-    repository: infisical/frontend
-    tag: "latest"
+    repository: 
    pullPolicy: Always
+    tag: "latest"
  kubeSecretRef: managed-secret-frontend
-  service:
-    annotations: {}
-    type: ClusterIP
-    nodePort: ""
-
-frontendEnvironmentVariables: null

 backend:
-  enabled: true
-  name: backend
-  podAnnotations: {}
-  deploymentAnnotations:
-    secrets.infisical.com/auto-reload: "true"
-  replicaCount: 2
+  replicaCount: 1
  image:
-    repository: infisical/backend
-    tag: "latest"
+    repository: 
    pullPolicy: Always
+    tag: "latest"
  kubeSecretRef: managed-backend-secret
-  service:
-    annotations: {}
-    type: ClusterIP
-    nodePort: ""
-
-backendEnvironmentVariables: null
-
-## Mongo DB persistence
-mongodb:
-  enabled: true
-  persistence:
-    enabled: false
-
-## By default the backend will be connected to a Mongo instance within the cluster
-## However, it is recommended to add a managed document DB connection string for production-use (DBaaS)
-## Learn about connection string type here https://www.mongodb.com/docs/manual/reference/connection-string/
-## e.g. "mongodb://<user>:<pass>@<host>:<port>/<database-name>"
-mongodbConnection:
-  externalMongoDBConnectionString: ""

 ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: "nginx"
-    # cert-manager.io/issuer: letsencrypt-nginx
-  hostName: gamma.infisical.com ## <- Replace with your own domain
-  frontend:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+  hostName: gamma.infisical.com
+  frontend: 
    path: /
    pathType: Prefix
  backend:
    path: /api
    pathType: Prefix
  tls:
-    []
-    # - secretName: letsencrypt-nginx
-    #   hosts:
-    #     - infisical.local
+    - secretName: echo-tls
+      hosts:
+        - gamma.infisical.com

-mailhog:
-  enabled: false
+backendEnvironmentVariables:
+
+frontendEnvironmentVariables:
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@ -9,12 +9,6 @@ jobs:
    steps:
      - name: ☁️ Checkout source
        uses: actions/checkout@v3
-      - name: 📦 Install dependencies to test all dependencies
-        run: npm ci --only-production
-        working-directory: backend
-      - name: 🧪 Run tests
-        run: npm run test:ci
-        working-directory: backend
      - name: Save commit hashes for tag
        id: commit
        uses: pr-mpt/actions-commit-hash@v2
@ -51,8 +45,8 @@ jobs:
          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
          push: true
          context: backend
-          tags: infisical/backend:${{ steps.commit.outputs.short }},
-            infisical/backend:latest
+          tags: infisical/backend:${{ steps.commit.outputs.short }}, 
+                infisical/backend:latest
          platforms: linux/amd64,linux/arm64

  frontend-image:
@ -100,8 +94,8 @@ jobs:
          push: true
          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
          context: frontend
-          tags: infisical/frontend:${{ steps.commit.outputs.short }},
-            infisical/frontend:latest
+          tags: infisical/frontend:${{ steps.commit.outputs.short }}, 
+                infisical/frontend:latest
          platforms: linux/amd64,linux/arm64
          build-args: |
            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
@ -128,7 +122,7 @@ jobs:
          token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
      - name: Save DigitalOcean kubeconfig with short-lived credentials
        run: doctl kubernetes cluster kubeconfig save --expiry-seconds 600 k8s-1-25-4-do-0-nyc1-1670645170179
-      - name: switch to gamma namespace
+      - name: switch to gamma namespace 
        run: kubectl config set-context --current --namespace=gamma
      - name: test kubectl
        run: kubectl get ingress
@ -141,4 +135,4 @@ jobs:
            exit 1
          else
            echo "Helm upgrade was successful"
-          fi
+          fi
--- a/.github/workflows/release_build.yml
+++ b/.github/workflows/release_build.yml
@ -4,7 +4,7 @@ on:
  push:
    # run only against tags
    tags:
-      - "v*"
+      - 'v*'

 permissions:
  contents: write
@ -18,16 +18,10 @@ jobs:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - run: git fetch --force --tags
-      - run: echo "Ref name ${{github.ref_name}}"
      - uses: actions/setup-go@v3
        with:
-          go-version: ">=1.19.3"
+          go-version: '>=1.19.3'
          cache: true
          cache-dependency-path: cli/go.sum
      - name: libssl1.1 => libssl1.0-dev for OSXCross
@ -39,18 +33,19 @@ jobs:
        run: |
          mkdir ../../osxcross
          git clone https://github.com/plentico/osxcross-target.git ../../osxcross/target
-      - uses: goreleaser/goreleaser-action@v4
+      - uses: goreleaser/goreleaser-action@v2
        with:
          distribution: goreleaser
          version: latest
-          args: release --clean
+          args: release --rm-dist
        env:
          GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
          FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}
          AUR_KEY: ${{ secrets.AUR_KEY }}
      - uses: actions/setup-python@v4
      - run: pip install --upgrade cloudsmith-cli
-      - name: Publish to CloudSmith
+      - name: Publish to CloudSmith 
        run: sh cli/upload_to_cloudsmith.sh
        env:
          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
+      
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@ -14,9 +14,6 @@ before:
 builds:
  - id: darwin-build
    binary: infisical
-    ldflags: -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
-    flags:
-      - -trimpath
    env:
      - CGO_ENABLED=1
      - CC=/home/runner/work/osxcross/target/bin/o64-clang
@ -27,14 +24,10 @@ builds:
      - goos: darwin
        goarch: "386"
    dir: ./cli
-
  - id: all-other-builds
    env:
      - CGO_ENABLED=0
    binary: infisical
-    ldflags: -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
-    flags:
-      - -trimpath
    goos:
      - freebsd
      - linux
@ -68,20 +61,18 @@ archives:

 release:
  replace_existing_draft: true
-  mode: "replace"
+  mode: 'replace'

 checksum:
-  name_template: "checksums.txt"
-
+  name_template: 'checksums.txt'
 snapshot:
-  name_template: "{{ incpatch .Version }}-devel"
-
+  name_template: "{{ incpatch .Version }}"
 changelog:
  sort: asc
  filters:
    exclude:
-      - "^docs:"
-      - "^test:"
+      - '^docs:'
+      - '^test:'

 # publishers:
 #   - name: fury.io
@ -89,7 +80,6 @@ changelog:
 #       - infisical
 #     dir: "{{ dir .ArtifactPath }}"
 #     cmd: curl -F package=@{{ .ArtifactName }} https://{{ .Env.FURY_TOKEN }}@push.fury.io/infisical/
-
 brews:
  - name: infisical
    tap:
@ -101,39 +91,31 @@ brews:
    folder: Formula
    homepage: "https://infisical.com"
    description: "The official Infisical CLI"
-    install: |-
-      bin.install "infisical"
-      bash_completion.install "completions/infisical.bash" => "infisical"
-      zsh_completion.install "completions/infisical.zsh" => "_infisical"
-      fish_completion.install "completions/infisical.fish"
-      man1.install "manpages/infisical.1.gz"
-
 nfpms:
-  - id: infisical
-    package_name: infisical
-    builds:
-      - all-other-builds
-    vendor: Infisical, Inc
-    homepage: https://infisical.com/
-    maintainer: Infisical, Inc
-    description: The offical Infisical CLI
-    license: MIT
-    formats:
-      - rpm
-      - deb
-      - apk
-      - archlinux
-    bindir: /usr/bin
-    contents:
-      - src: ./completions/infisical.bash
-        dst: /etc/bash_completion.d/infisical
-      - src: ./completions/infisical.fish
-        dst: /usr/share/fish/vendor_completions.d/infisical.fish
-      - src: ./completions/infisical.zsh
-        dst: /usr/share/zsh/site-functions/_infisical
-      - src: ./manpages/infisical.1.gz
-        dst: /usr/share/man/man1/infisical.1.gz
-
+- id: infisical
+  package_name: infisical
+  builds:
+    - all-other-builds
+  vendor: Infisical, Inc
+  homepage: https://infisical.com/
+  maintainer: Infisical, Inc
+  description: The offical Infisical CLI
+  license: MIT
+  formats:
+  - rpm
+  - deb
+  - apk
+  - archlinux
+  bindir: /usr/bin
+  contents:
+    - src: ./completions/infisical.bash
+      dst: /etc/bash_completion.d/infisical
+    - src: ./completions/infisical.fish
+      dst: /usr/share/fish/vendor_completions.d/infisical.fish
+    - src: ./completions/infisical.zsh
+      dst: /usr/share/zsh/site-functions/_infisical
+    - src: ./manpages/infisical.1.gz
+      dst: /usr/share/man/man1/infisical.1.gz
 scoop:
  bucket:
    owner: Infisical
@ -144,16 +126,16 @@ scoop:
  homepage: "https://infisical.com"
  description: "The official Infisical CLI"
  license: MIT
-
 aurs:
-  - name: infisical-bin
+  -
+    name: infisical-bin
    homepage: "https://infisical.com"
    description: "The official Infisical CLI"
    maintainers:
      - Infisical, Inc <support@infisical.com>
    license: MIT
-    private_key: "{{ .Env.AUR_KEY }}"
-    git_url: "ssh://aur@aur.archlinux.org/infisical-bin.git"
+    private_key: '{{ .Env.AUR_KEY }}'
+    git_url: 'ssh://aur@aur.archlinux.org/infisical-bin.git'
    package: |-
      # bin
      install -Dm755 "./infisical" "${pkgdir}/usr/bin/infisical"
@ -168,13 +150,19 @@ aurs:
      install -Dm644 "./completions/infisical.fish" "${pkgdir}/usr/share/fish/vendor_completions.d/infisical.fish"
      # man pages
      install -Dm644 "./manpages/infisical.1.gz" "${pkgdir}/usr/share/man/man1/infisical.1.gz"
-
 # dockers:
-#   - dockerfile: cli/docker/Dockerfile
+#   - dockerfile: goreleaser.dockerfile
 #     goos: linux
 #     goarch: amd64
 #     ids:
 #       - infisical
 #     image_templates:
-#       - "infisical/cli:{{ .Version }}"
+#       - "infisical/cli:{{ .Version }}"             
+#       - "infisical/cli:{{ .Major }}.{{ .Minor }}"  
+#       - "infisical/cli:{{ .Major }}"               
 #       - "infisical/cli:latest"
+#     build_flag_templates:
+#       - "--label=org.label-schema.schema-version=1.0"
+#       - "--label=org.label-schema.version={{.Version}}"
+#       - "--label=org.label-schema.name={{.ProjectName}}"
+#       - "--platform=linux/amd64"
--- a/README.md
+++ b/README.md
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@ -1,27 +1,18 @@
-# Build stage
-FROM node:16-alpine AS build
+FROM node:16-bullseye-slim

 WORKDIR /app

-COPY package*.json ./
+COPY package.json package-lock.json ./
+
+# RUN npm ci --only-production --ignore-scripts
+# "prepare": "cd .. && npm install"
+
 RUN npm ci --only-production

 COPY . .
-RUN npm run build
-
-# Production stage
-FROM node:16-alpine
-
-WORKDIR /app
-
-COPY package*.json ./
-RUN npm ci --only-production
-
-COPY --from=build /app .

 HEALTHCHECK --interval=10s --timeout=3s --start-period=10s \  
  CMD node healthcheck.js

-EXPOSE 4000

-CMD ["npm", "run", "start"]
+CMD ["npm", "run", "start"]
--- a/backend/tests/healthcheck.test.ts
+++ b/backend/tests/healthcheck.test.ts
@ -0,0 +1,19 @@
+import { server } from '../src/app';
+import { describe, expect, it, beforeAll, afterAll } from '@jest/globals';
+import supertest from 'supertest';
+import { setUpHealthEndpoint } from '../src/services/health';
+
+const requestWithSupertest = supertest(server);
+describe('Healthcheck endpoint', () => {
+  beforeAll(async () => {
+    setUpHealthEndpoint(server);
+  });
+  afterAll(async () => {
+    server.close();
+  });
+
+  it('GET /healthcheck should return OK', async () => {
+    const res = await requestWithSupertest.get('/healthcheck');
+    expect(res.status).toEqual(200);
+  });
+});
--- a/backend/environment.d.ts
+++ b/backend/environment.d.ts
@ -3,9 +3,8 @@ export {};
 declare global {
  namespace NodeJS {
    interface ProcessEnv {
-      PORT: string;
+      EMAIL_TOKEN_LIFETIME: string;
      ENCRYPTION_KEY: string;
-      SALT_ROUNDS: string;
      JWT_AUTH_LIFETIME: string;
      JWT_AUTH_SECRET: string;
      JWT_REFRESH_LIFETIME: string;
@ -20,33 +19,23 @@ declare global {
      CLIENT_ID_HEROKU: string;
      CLIENT_ID_VERCEL: string;
      CLIENT_ID_NETLIFY: string;
-      CLIENT_ID_GITHUB: string;
-      CLIENT_ID_GITLAB: string;
      CLIENT_SECRET_HEROKU: string;
      CLIENT_SECRET_VERCEL: string;
      CLIENT_SECRET_NETLIFY: string;
-      CLIENT_SECRET_GITHUB: string;
-      CLIENT_SECRET_GITLAB: string;
-      CLIENT_SLUG_VERCEL: string;
 			POSTHOG_HOST: string;
 			POSTHOG_PROJECT_API_KEY: string;
      SENTRY_DSN: string;
      SITE_URL: string;
      SMTP_HOST: string;
-      SMTP_SECURE: string;
-      SMTP_PORT: string;
-      SMTP_USERNAME: string;
+      SMTP_NAME: string;
      SMTP_PASSWORD: string;
-      SMTP_FROM_ADDRESS: string;
-      SMTP_FROM_NAME: string;
-      STRIPE_PRODUCT_STARTER: string;
-      STRIPE_PRODUCT_TEAM: string;
+      SMTP_USERNAME: string;
+      STRIPE_PRODUCT_CARD_AUTH: string;
      STRIPE_PRODUCT_PRO: string;
+      STRIPE_PRODUCT_STARTER: string;
      STRIPE_PUBLISHABLE_KEY: string;
      STRIPE_SECRET_KEY: string;
      STRIPE_WEBHOOK_SECRET: string;
-      TELEMETRY_ENABLED: string;
-      LICENSE_KEY: string;
    }
  }
 }
--- a/backend/jest.config.ts
+++ b/backend/jest.config.ts
@ -1,9 +0,0 @@
-export default {
-  preset: 'ts-jest',
-  testEnvironment: 'node',
-  collectCoverageFrom: ['src/*.{js,ts}', '!**/node_modules/**'],
-  modulePaths: ['<rootDir>/src'],
-  testMatch: ['<rootDir>/tests/**/*.test.ts'],
-  setupFiles: ['<rootDir>/test-resources/env-vars.js'],
-  setupFilesAfterEnv: ['<rootDir>/tests/setupTests.ts']
-};
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
--- a/backend/package.json
+++ b/backend/package.json
@ -1,56 +1,9 @@
 {
-  "dependencies": {
-    "@aws-sdk/client-secrets-manager": "^3.303.0",
-    "@godaddy/terminus": "^4.11.2",
-    "@octokit/rest": "^19.0.5",
-    "@sentry/node": "^7.45.0",
-    "@sentry/tracing": "^7.46.0",
-    "@sentry/node": "^7.41.0",
-    "@types/crypto-js": "^4.1.1",
-    "@types/libsodium-wrappers": "^0.7.10",
-    "await-to-js": "^3.0.0",
-    "aws-sdk": "^2.1338.0",
-    "axios": "^1.1.3",
-    "axios-retry": "^3.4.0",
-    "bcrypt": "^5.1.0",
-    "bigint-conversion": "^2.2.2",
-    "builder-pattern": "^2.2.0",
-    "cookie-parser": "^1.4.6",
-    "cors": "^2.8.5",
-    "crypto-js": "^4.1.1",
-    "dotenv": "^16.0.1",
-    "express": "^4.18.1",
-    "express-rate-limit": "^6.7.0",
-    "express-validator": "^6.14.2",
-    "handlebars": "^4.7.7",
-    "helmet": "^5.1.1",
-    "infisical-node": "^1.0.37",
-    "js-yaml": "^4.1.0",
-    "jsonwebtoken": "^9.0.0",
-    "jsrp": "^0.2.4",
-    "libsodium-wrappers": "^0.7.10",
-    "lodash": "^4.17.21",
-    "mongoose": "^6.10.4",
-    "nodemailer": "^6.8.0",
-    "posthog-node": "^2.6.0",
-    "query-string": "^7.1.3",
-    "request-ip": "^3.3.0",
-    "rimraf": "^3.0.2",
-    "stripe": "^10.7.0",
-    "swagger-autogen": "^2.22.0",
-    "swagger-ui-express": "^4.6.2",
-    "tweetnacl": "^1.0.3",
-    "tweetnacl-util": "^0.15.1",
-    "typescript": "^4.9.3",
-    "utility-types": "^3.10.0",
-    "winston": "^3.8.2",
-    "winston-loki": "^6.0.6"
-  },
  "name": "infisical-api",
  "version": "1.0.0",
  "main": "src/index.js",
  "scripts": {
-    "start": "node build/index.js",
+    "start": "npm run build && node build/index.js",
    "dev": "nodemon",
    "swagger-autogen": "node ./swagger/index.ts",
    "build": "rimraf ./build && tsc && cp -R ./src/templates ./build",
@ -58,7 +11,7 @@
    "lint-and-fix": "eslint . --ext .ts --fix",
    "lint-staged": "lint-staged",
    "pretest": "docker compose -f test-resources/docker-compose.test.yml up -d",
-    "test": "cross-env NODE_ENV=test jest --verbose --testTimeout=10000 --detectOpenHandles; npm run posttest",
+    "test": "cross-env NODE_ENV=test jest --testTimeout=10000 --detectOpenHandles",
    "test:ci": "npm test -- --watchAll=false --ci --reporters=default --reporters=jest-junit --reporters=github-actions --coverage --testLocationInResults --json --outputFile=coverage/report.json",
    "posttest": "docker compose -f test-resources/docker-compose.test.yml down"
  },
@ -81,7 +34,7 @@
    "@types/cookie-parser": "^1.4.3",
    "@types/cors": "^2.8.12",
    "@types/express": "^4.17.14",
-    "@types/jest": "^29.5.0",
+    "@types/jest": "^29.2.4",
    "@types/jsonwebtoken": "^8.5.9",
    "@types/lodash": "^4.14.191",
    "@types/node": "^18.11.3",
@ -89,7 +42,7 @@
    "@types/supertest": "^2.0.12",
    "@types/swagger-jsdoc": "^6.0.1",
    "@types/swagger-ui-express": "^4.1.3",
-    "@typescript-eslint/eslint-plugin": "^5.54.0",
+    "@typescript-eslint/eslint-plugin": "^5.40.1",
    "@typescript-eslint/parser": "^5.40.1",
    "cross-env": "^7.0.3",
    "eslint": "^8.26.0",
@ -102,6 +55,17 @@
    "ts-jest": "^29.0.3",
    "ts-node": "^10.9.1"
  },
+  "jest": {
+    "preset": "ts-jest",
+    "testEnvironment": "node",
+    "collectCoverageFrom": [
+      "src/*.{js,ts}",
+      "!**/node_modules/**"
+    ],
+    "setupFiles": [
+      "<rootDir>/test-resources/env-vars.js"
+    ]
+  },
  "jest-junit": {
    "outputDirectory": "reports",
    "outputName": "jest-junit.xml",
@ -110,5 +74,47 @@
    "suiteNameTemplate": "{filepath}",
    "classNameTemplate": "{classname}",
    "titleTemplate": "{title}"
+  },
+  "dependencies": {
+    "@godaddy/terminus": "^4.11.2",
+    "@octokit/rest": "^19.0.5",
+    "@sentry/node": "^7.14.0",
+    "@sentry/tracing": "^7.19.0",
+    "@types/crypto-js": "^4.1.1",
+    "@types/libsodium-wrappers": "^0.7.10",
+    "await-to-js": "^3.0.0",
+    "axios": "^1.1.3",
+    "bcrypt": "^5.1.0",
+    "bigint-conversion": "^2.2.2",
+    "builder-pattern": "^2.2.0",
+    "cookie-parser": "^1.4.6",
+    "cors": "^2.8.5",
+    "crypto-js": "^4.1.1",
+    "dotenv": "^16.0.1",
+    "express": "^4.18.1",
+    "express-rate-limit": "^6.7.0",
+    "express-validator": "^6.14.2",
+    "handlebars": "^4.7.7",
+    "helmet": "^5.1.1",
+    "js-yaml": "^4.1.0",
+    "jsonwebtoken": "^9.0.0",
+    "jsrp": "^0.2.4",
+    "libsodium-wrappers": "^0.7.10",
+    "lodash": "^4.17.21",
+    "mongoose": "^6.7.2",
+    "nodemailer": "^6.8.0",
+    "posthog-node": "^2.2.2",
+    "query-string": "^7.1.3",
+    "request-ip": "^3.3.0",
+    "rimraf": "^3.0.2",
+    "stripe": "^10.7.0",
+    "swagger-autogen": "^2.22.0",
+    "swagger-ui-express": "^4.6.0",
+    "tweetnacl": "^1.0.3",
+    "tweetnacl-util": "^0.15.1",
+    "typescript": "^4.9.3",
+    "utility-types": "^3.10.0",
+    "winston": "^3.8.2",
+    "winston-loki": "^6.0.6"
  }
 }
--- a/backend/spec.json
+++ b/backend/spec.json
--- a/backend/src/app.ts
+++ b/backend/src/app.ts
@ -0,0 +1,138 @@
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const { patchRouterParam } = require('./utils/patchAsyncRoutes');
+
+import express, { Request, Response } from 'express';
+import helmet from 'helmet';
+import cors from 'cors';
+import cookieParser from 'cookie-parser';
+import dotenv from 'dotenv';
+import swaggerUi = require('swagger-ui-express');
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const swaggerFile = require('../spec.json');
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const requestIp = require('request-ip');
+
+dotenv.config();
+import { PORT, NODE_ENV, SITE_URL } from './config';
+import { apiLimiter } from './helpers/rateLimiter';
+
+import {
+  workspace as eeWorkspaceRouter,
+  secret as eeSecretRouter,
+  secretSnapshot as eeSecretSnapshotRouter,
+  action as eeActionRouter
+} from './ee/routes/v1';
+import {
+  signup as v1SignupRouter,
+  auth as v1AuthRouter,
+  bot as v1BotRouter,
+  organization as v1OrganizationRouter,
+  workspace as v1WorkspaceRouter,
+  membershipOrg as v1MembershipOrgRouter,
+  membership as v1MembershipRouter,
+  key as v1KeyRouter,
+  inviteOrg as v1InviteOrgRouter,
+  user as v1UserRouter,
+  userAction as v1UserActionRouter,
+  secret as v1SecretRouter,
+  serviceToken as v1ServiceTokenRouter,
+  password as v1PasswordRouter,
+  stripe as v1StripeRouter,
+  integration as v1IntegrationRouter,
+  integrationAuth as v1IntegrationAuthRouter
+} from './routes/v1';
+import {
+  users as v2UsersRouter,
+  organizations as v2OrganizationsRouter,
+  workspace as v2WorkspaceRouter,
+  secret as v2SecretRouter, // begin to phase out
+  secrets as v2SecretsRouter,
+  serviceTokenData as v2ServiceTokenDataRouter,
+  apiKeyData as v2APIKeyDataRouter,
+  environment as v2EnvironmentRouter,
+} from './routes/v2';
+
+import { healthCheck } from './routes/status';
+
+import { getLogger } from './utils/logger';
+import { RouteNotFoundError } from './utils/errors';
+import { requestErrorHandler } from './middleware/requestErrorHandler';
+
+// patch async route params to handle Promise Rejections
+patchRouterParam();
+
+export const app = express();
+
+app.enable('trust proxy');
+app.use(express.json());
+app.use(cookieParser());
+app.use(
+  cors({
+    credentials: true,
+    origin: SITE_URL
+  })
+);
+
+app.use(requestIp.mw())
+
+if (NODE_ENV === 'production') {
+  // enable app-wide rate-limiting + helmet security
+  // in production
+  app.disable('x-powered-by');
+  app.use(apiLimiter);
+  app.use(helmet());
+}
+
+// (EE) routes
+app.use('/api/v1/secret', eeSecretRouter);
+app.use('/api/v1/secret-snapshot', eeSecretSnapshotRouter);
+app.use('/api/v1/workspace', eeWorkspaceRouter);
+app.use('/api/v1/action', eeActionRouter);
+
+// v1 routes
+app.use('/api/v1/signup', v1SignupRouter);
+app.use('/api/v1/auth', v1AuthRouter);
+app.use('/api/v1/bot', v1BotRouter);
+app.use('/api/v1/user', v1UserRouter);
+app.use('/api/v1/user-action', v1UserActionRouter);
+app.use('/api/v1/organization', v1OrganizationRouter);
+app.use('/api/v1/workspace', v1WorkspaceRouter);
+app.use('/api/v1/membership-org', v1MembershipOrgRouter);
+app.use('/api/v1/membership', v1MembershipRouter);
+app.use('/api/v1/key', v1KeyRouter);
+app.use('/api/v1/invite-org', v1InviteOrgRouter);
+app.use('/api/v1/secret', v1SecretRouter);
+app.use('/api/v1/service-token', v1ServiceTokenRouter); // deprecated
+app.use('/api/v1/password', v1PasswordRouter);
+app.use('/api/v1/stripe', v1StripeRouter);
+app.use('/api/v1/integration', v1IntegrationRouter);
+app.use('/api/v1/integration-auth', v1IntegrationAuthRouter);
+
+// v2 routes
+app.use('/api/v2/users', v2UsersRouter);
+app.use('/api/v2/organizations', v2OrganizationsRouter);
+app.use('/api/v2/workspace', v2EnvironmentRouter);
+app.use('/api/v2/workspace', v2WorkspaceRouter);
+app.use('/api/v2/secret', v2SecretRouter); // deprecated
+app.use('/api/v2/secrets', v2SecretsRouter);
+app.use('/api/v2/service-token', v2ServiceTokenDataRouter); // TODO: turn into plural route
+app.use('/api/v2/api-key', v2APIKeyDataRouter);
+
+// api docs 
+app.use('/api-docs', swaggerUi.serve, swaggerUi.setup(swaggerFile))
+
+// Server status
+app.use('/api', healthCheck)
+
+//* Handle unrouted requests and respond with proper error message as well as status code
+app.use((req, res, next) => {
+  if (res.headersSent) return next();
+  next(RouteNotFoundError({ message: `The requested source '(${req.method})${req.url}' was not found` }))
+})
+
+//* Error Handling Middleware (must be after all routing logic)
+app.use(requestErrorHandler)
+
+export const server = app.listen(PORT, () => {
+  getLogger("backend-main").info(`Server started listening at port ${PORT}`)
+});
--- a/backend/src/config/index.ts
+++ b/backend/src/config/index.ts
@ -1,64 +1,91 @@
-import infisical from 'infisical-node';
-export const getPort = () => infisical.get('PORT')! || 4000;
-export const getInviteOnlySignup = () => infisical.get('INVITE_ONLY_SIGNUP')! == undefined ? false : infisical.get('INVITE_ONLY_SIGNUP');
-export const getEncryptionKey = () => infisical.get('ENCRYPTION_KEY')!;
-export const getSaltRounds = () => parseInt(infisical.get('SALT_ROUNDS')!) || 10;
-export const getJwtAuthLifetime = () => infisical.get('JWT_AUTH_LIFETIME')! || '10d';
-export const getJwtAuthSecret = () => infisical.get('JWT_AUTH_SECRET')!;
-export const getJwtMfaLifetime = () => infisical.get('JWT_MFA_LIFETIME')! || '5m';
-export const getJwtMfaSecret = () => infisical.get('JWT_MFA_LIFETIME')! || '5m';
-export const getJwtRefreshLifetime = () => infisical.get('JWT_REFRESH_LIFETIME')! || '90d';
-export const getJwtRefreshSecret = () => infisical.get('JWT_REFRESH_SECRET')!;
-export const getJwtServiceSecret = () => infisical.get('JWT_SERVICE_SECRET')!;
-export const getJwtSignupLifetime = () => infisical.get('JWT_SIGNUP_LIFETIME')! || '15m';
-export const getJwtSignupSecret = () => infisical.get('JWT_SIGNUP_SECRET')!;
-export const getMongoURL = () => infisical.get('MONGO_URL')!;
-export const getNodeEnv = () => infisical.get('NODE_ENV')! || 'production';
-export const getVerboseErrorOutput = () => infisical.get('VERBOSE_ERROR_OUTPUT')! === 'true' && true;
-export const getLokiHost = () => infisical.get('LOKI_HOST')!;
-export const getClientIdAzure = () => infisical.get('CLIENT_ID_AZURE')!;
-export const getClientIdHeroku = () => infisical.get('CLIENT_ID_HEROKU')!;
-export const getClientIdVercel = () => infisical.get('CLIENT_ID_VERCEL')!;
-export const getClientIdNetlify = () => infisical.get('CLIENT_ID_NETLIFY')!;
-export const getClientIdGitHub = () => infisical.get('CLIENT_ID_GITHUB')!;
-export const getClientIdGitLab = () => infisical.get('CLIENT_ID_GITLAB')!;
-export const getClientSecretAzure = () => infisical.get('CLIENT_SECRET_AZURE')!;
-export const getClientSecretHeroku = () => infisical.get('CLIENT_SECRET_HEROKU')!;
-export const getClientSecretVercel = () => infisical.get('CLIENT_SECRET_VERCEL')!;
-export const getClientSecretNetlify = () => infisical.get('CLIENT_SECRET_NETLIFY')!;
-export const getClientSecretGitHub = () => infisical.get('CLIENT_SECRET_GITHUB')!;
-export const getClientSecretGitLab = () => infisical.get('CLIENT_SECRET_GITLAB')!;
-export const getClientSlugVercel = () => infisical.get('CLIENT_SLUG_VERCEL')!;
-export const getPostHogHost = () => infisical.get('POSTHOG_HOST')! || 'https://app.posthog.com';
-export const getPostHogProjectApiKey = () => infisical.get('POSTHOG_PROJECT_API_KEY')! || 'phc_nSin8j5q2zdhpFDI1ETmFNUIuTG4DwKVyIigrY10XiE';
-export const getSentryDSN = () => infisical.get('SENTRY_DSN')!;
-export const getSiteURL = () => infisical.get('SITE_URL')!;
-export const getSmtpHost = () => infisical.get('SMTP_HOST')!;
-export const getSmtpSecure = () => infisical.get('SMTP_SECURE')! === 'true' || false;
-export const getSmtpPort = () => parseInt(infisical.get('SMTP_PORT')!) || 587;
-export const getSmtpUsername = () => infisical.get('SMTP_USERNAME')!;
-export const getSmtpPassword = () => infisical.get('SMTP_PASSWORD')!;
-export const getSmtpFromAddress = () => infisical.get('SMTP_FROM_ADDRESS')!;
-export const getSmtpFromName = () => infisical.get('SMTP_FROM_NAME')! || 'Infisical';
-export const getStripeProductStarter = () => infisical.get('STRIPE_PRODUCT_STARTER')!;
-export const getStripeProductPro = () => infisical.get('STRIPE_PRODUCT_PRO')!;
-export const getStripeProductTeam = () => infisical.get('STRIPE_PRODUCT_TEAM')!;
-export const getStripePublishableKey = () => infisical.get('STRIPE_PUBLISHABLE_KEY')!;
-export const getStripeSecretKey = () => infisical.get('STRIPE_SECRET_KEY')!;
-export const getStripeWebhookSecret = () => infisical.get('STRIPE_WEBHOOK_SECRET')!;
-export const getTelemetryEnabled = () => infisical.get('TELEMETRY_ENABLED')! !== 'false' && true;
-export const getLoopsApiKey = () => infisical.get('LOOPS_API_KEY')!;
-export const getSmtpConfigured = () => infisical.get('SMTP_HOST') == '' || infisical.get('SMTP_HOST') == undefined ? false : true
-export const getHttpsEnabled = () => {
-  if (getNodeEnv() != "production") {
-    // no https for anything other than prod
-    return false
-  }
+const PORT = process.env.PORT || 4000;
+const EMAIL_TOKEN_LIFETIME = process.env.EMAIL_TOKEN_LIFETIME! || '86400';
+const ENCRYPTION_KEY = process.env.ENCRYPTION_KEY!;
+const SALT_ROUNDS = parseInt(process.env.SALT_ROUNDS!) || 10;
+const JWT_AUTH_LIFETIME = process.env.JWT_AUTH_LIFETIME! || '10d';
+const JWT_AUTH_SECRET = process.env.JWT_AUTH_SECRET!;
+const JWT_REFRESH_LIFETIME = process.env.JWT_REFRESH_LIFETIME! || '90d';
+const JWT_REFRESH_SECRET = process.env.JWT_REFRESH_SECRET!;
+const JWT_SERVICE_SECRET = process.env.JWT_SERVICE_SECRET!;
+const JWT_SIGNUP_LIFETIME = process.env.JWT_SIGNUP_LIFETIME! || '15m';
+const JWT_SIGNUP_SECRET = process.env.JWT_SIGNUP_SECRET!;
+const MONGO_URL = process.env.MONGO_URL!;
+const NODE_ENV = process.env.NODE_ENV! || 'production';
+const VERBOSE_ERROR_OUTPUT = process.env.VERBOSE_ERROR_OUTPUT! === 'true' && true;
+const LOKI_HOST = process.env.LOKI_HOST || undefined;
+const CLIENT_SECRET_HEROKU = process.env.CLIENT_SECRET_HEROKU!;
+const CLIENT_ID_HEROKU = process.env.CLIENT_ID_HEROKU!;
+const CLIENT_ID_VERCEL = process.env.CLIENT_ID_VERCEL!;
+const CLIENT_ID_NETLIFY = process.env.CLIENT_ID_NETLIFY!;
+const CLIENT_ID_GITHUB = process.env.CLIENT_ID_GITHUB!;
+const CLIENT_SECRET_VERCEL = process.env.CLIENT_SECRET_VERCEL!;
+const CLIENT_SECRET_NETLIFY = process.env.CLIENT_SECRET_NETLIFY!;
+const CLIENT_SECRET_GITHUB = process.env.CLIENT_SECRET_GITHUB!;
+const CLIENT_SLUG_VERCEL= process.env.CLIENT_SLUG_VERCEL!;
+const POSTHOG_HOST = process.env.POSTHOG_HOST! || 'https://app.posthog.com';
+const POSTHOG_PROJECT_API_KEY =
+  process.env.POSTHOG_PROJECT_API_KEY! ||
+  'phc_nSin8j5q2zdhpFDI1ETmFNUIuTG4DwKVyIigrY10XiE';
+const SENTRY_DSN = process.env.SENTRY_DSN!;
+const SITE_URL = process.env.SITE_URL!;
+const SMTP_HOST = process.env.SMTP_HOST!;
+const SMTP_SECURE = process.env.SMTP_SECURE! === 'true' || false;
+const SMTP_PORT = parseInt(process.env.SMTP_PORT!) || 587;
+const SMTP_USERNAME = process.env.SMTP_USERNAME!;
+const SMTP_PASSWORD = process.env.SMTP_PASSWORD!;
+const SMTP_FROM_ADDRESS = process.env.SMTP_FROM_ADDRESS!;
+const SMTP_FROM_NAME = process.env.SMTP_FROM_NAME! || 'Infisical';
+const STRIPE_PRODUCT_CARD_AUTH = process.env.STRIPE_PRODUCT_CARD_AUTH!;
+const STRIPE_PRODUCT_PRO = process.env.STRIPE_PRODUCT_PRO!;
+const STRIPE_PRODUCT_STARTER = process.env.STRIPE_PRODUCT_STARTER!;
+const STRIPE_PUBLISHABLE_KEY = process.env.STRIPE_PUBLISHABLE_KEY!;
+const STRIPE_SECRET_KEY = process.env.STRIPE_SECRET_KEY!;
+const STRIPE_WEBHOOK_SECRET = process.env.STRIPE_WEBHOOK_SECRET!;
+const TELEMETRY_ENABLED = process.env.TELEMETRY_ENABLED! !== 'false' && true;
+const LICENSE_KEY = process.env.LICENSE_KEY!;

-  if (infisical.get('HTTPS_ENABLED') == undefined || infisical.get('HTTPS_ENABLED') == "") {
-    // default when no value present
-    return true
-  }
-
-  return infisical.get('HTTPS_ENABLED') === 'true' && true
-}
+export {
+  PORT,
+  EMAIL_TOKEN_LIFETIME,
+  ENCRYPTION_KEY,
+  SALT_ROUNDS,
+  JWT_AUTH_LIFETIME,
+  JWT_AUTH_SECRET,
+  JWT_REFRESH_LIFETIME,
+  JWT_REFRESH_SECRET,
+  JWT_SERVICE_SECRET,
+  JWT_SIGNUP_LIFETIME,
+  JWT_SIGNUP_SECRET,
+  MONGO_URL,
+  NODE_ENV,
+  VERBOSE_ERROR_OUTPUT,
+  LOKI_HOST,
+  CLIENT_ID_HEROKU,
+  CLIENT_ID_VERCEL,
+  CLIENT_ID_NETLIFY,
+  CLIENT_ID_GITHUB,
+  CLIENT_SECRET_HEROKU,
+  CLIENT_SECRET_VERCEL,
+  CLIENT_SECRET_NETLIFY,
+  CLIENT_SECRET_GITHUB,
+  CLIENT_SLUG_VERCEL,
+  POSTHOG_HOST,
+  POSTHOG_PROJECT_API_KEY,
+  SENTRY_DSN,
+  SITE_URL,
+  SMTP_HOST,
+  SMTP_PORT,
+  SMTP_SECURE,
+  SMTP_USERNAME,
+  SMTP_PASSWORD,
+  SMTP_FROM_ADDRESS,
+  SMTP_FROM_NAME,
+  STRIPE_PRODUCT_CARD_AUTH,
+  STRIPE_PRODUCT_PRO,
+  STRIPE_PRODUCT_STARTER,
+  STRIPE_PUBLISHABLE_KEY,
+  STRIPE_SECRET_KEY,
+  STRIPE_WEBHOOK_SECRET,
+  TELEMETRY_ENABLED,
+  LICENSE_KEY
+};
--- a/backend/src/config/request.ts
+++ b/backend/src/config/request.ts
@ -1,16 +0,0 @@
-import axios from 'axios';
-import axiosRetry from 'axios-retry';
-
-const axiosInstance = axios.create();
-
-// add retry functionality to the axios instance
-axiosRetry(axiosInstance, {
-  retries: 3,
-  retryDelay: axiosRetry.exponentialDelay, // exponential back-off delay between retries
-  retryCondition: (error) => {
-    // only retry if the error is a network error or a 5xx server error
-    return axiosRetry.isNetworkError(error) || axiosRetry.isRetryableError(error);
-  },
-});
-
-export default axiosInstance;
--- a/backend/src/controllers/v1/authController.ts
+++ b/backend/src/controllers/v1/authController.ts
@ -1,24 +1,16 @@
-import * as Sentry from '@sentry/node';
+/* eslint-disable @typescript-eslint/no-var-requires */
 import { Request, Response } from 'express';
 import jwt from 'jsonwebtoken';
+import * as Sentry from '@sentry/node';
 import * as bigintConversion from 'bigint-conversion';
-// eslint-disable-next-line @typescript-eslint/no-var-requires
 const jsrp = require('jsrp');
-import { User, LoginSRPDetail } from '../../models';
-import { createToken, issueAuthTokens, clearTokens } from '../../helpers/auth';
-import { checkUserDevice } from '../../helpers/user';
+import { User } from '../../models';
+import { createToken, issueTokens, clearTokens } from '../../helpers/auth';
 import {
-  ACTION_LOGIN,
-  ACTION_LOGOUT
-} from '../../variables';
-import { BadRequestError } from '../../utils/errors';
-import { EELogService } from '../../ee/services';
-import { getChannelFromUserAgent } from '../../utils/posthog'; // TODO: move this
-import {
-  getJwtRefreshSecret,
-  getJwtAuthLifetime,
-  getJwtAuthSecret,
-  getHttpsEnabled
+  NODE_ENV,
+  JWT_AUTH_LIFETIME,
+  JWT_AUTH_SECRET,
+  JWT_REFRESH_SECRET
 } from '../../config';

 declare module 'jsonwebtoken' {
@ -27,6 +19,8 @@ declare module 'jsonwebtoken' {
  }
 }

+const clientPublicKeys: any = {};
+
 /**
 * Log in user step 1: Return [salt] and [serverPublicKey] as part of step 1 of SRP protocol
 * @param req
@ -52,15 +46,13 @@ export const login1 = async (req: Request, res: Response) => {
        salt: user.salt,
        verifier: user.verifier
      },
-      async () => {
+      () => {
        // generate server-side public key
        const serverPublicKey = server.getPublicKey();
-
-        await LoginSRPDetail.findOneAndReplace({ email: email }, {
-          email: email,
-          clientPublicKey: clientPublicKey,
-          serverBInt: bigintConversion.bigintToBuf(server.bInt),
-        }, { upsert: true, returnNewDocument: false })
+        clientPublicKeys[email] = {
+          clientPublicKey,
+          serverBInt: bigintConversion.bigintToBuf(server.bInt)
+        };

        return res.status(200).send({
          serverPublicKey,
@ -93,52 +85,27 @@ export const login2 = async (req: Request, res: Response) => {

    if (!user) throw new Error('Failed to find user');

-    const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: email })
-
-    if (!loginSRPDetailFromDB) {
-      return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
-    }
-
    const server = new jsrp.server();
    server.init(
      {
        salt: user.salt,
        verifier: user.verifier,
-        b: loginSRPDetailFromDB.serverBInt
+        b: clientPublicKeys[email].serverBInt
      },
      async () => {
-        server.setClientPublicKey(loginSRPDetailFromDB.clientPublicKey);
+        server.setClientPublicKey(clientPublicKeys[email].clientPublicKey);

        // compare server and client shared keys
        if (server.checkClientProof(clientProof)) {
          // issue tokens
-
-          await checkUserDevice({
-            user,
-            ip: req.ip,
-            userAgent: req.headers['user-agent'] ?? ''
-          });
-
-          const tokens = await issueAuthTokens({ userId: user._id.toString() });
+          const tokens = await issueTokens({ userId: user._id.toString() });

          // store (refresh) token in httpOnly cookie
          res.cookie('jid', tokens.refreshToken, {
            httpOnly: true,
            path: '/',
            sameSite: 'strict',
-            secure: getHttpsEnabled()
-          });
-
-          const loginAction = await EELogService.createAction({
-            name: ACTION_LOGIN,
-            userId: user._id
-          });
-
-          loginAction && await EELogService.createLog({
-            userId: user._id,
-            actions: [loginAction],
-            channel: getChannelFromUserAgent(req.headers['user-agent']),
-            ipAddress: req.ip
+            secure: NODE_ENV === 'production' ? true : false
          });

          // return (access) token in response
@ -182,21 +149,8 @@ export const logout = async (req: Request, res: Response) => {
      httpOnly: true,
      path: '/',
      sameSite: 'strict',
-      secure: getHttpsEnabled() as boolean
+      secure: NODE_ENV === 'production' ? true : false
    });
-
-    const logoutAction = await EELogService.createAction({
-      name: ACTION_LOGOUT,
-      userId: req.user._id
-    });
-
-    logoutAction && await EELogService.createLog({
-      userId: req.user._id,
-      actions: [logoutAction],
-      channel: getChannelFromUserAgent(req.headers['user-agent']),
-      ipAddress: req.ip
-    });
-
  } catch (err) {
    Sentry.setUser({ email: req.user.email });
    Sentry.captureException(err);
@ -237,7 +191,7 @@ export const getNewToken = async (req: Request, res: Response) => {
    }

    const decodedToken = <jwt.UserIDJwtPayload>(
-      jwt.verify(refreshToken, getJwtRefreshSecret())
+      jwt.verify(refreshToken, JWT_REFRESH_SECRET)
    );

    const user = await User.findOne({
@ -252,8 +206,8 @@ export const getNewToken = async (req: Request, res: Response) => {
      payload: {
        userId: decodedToken.userId
      },
-      expiresIn: getJwtAuthLifetime(),
-      secret: getJwtAuthSecret()
+      expiresIn: JWT_AUTH_LIFETIME,
+      secret: JWT_AUTH_SECRET
    });

    return res.status(200).send({
--- a/backend/src/controllers/v1/integrationAuthController.ts
+++ b/backend/src/controllers/v1/integrationAuthController.ts
@ -2,55 +2,23 @@ import { Request, Response } from 'express';
 import { Types } from 'mongoose';
 import * as Sentry from '@sentry/node';
 import {
+	Integration, 
 	IntegrationAuth,
 	Bot 
 } from '../../models';
-import { INTEGRATION_SET, getIntegrationOptions as getIntegrationOptionsFunc } from '../../variables';
+import { INTEGRATION_SET, INTEGRATION_OPTIONS } from '../../variables';
 import { IntegrationService } from '../../services';
-import {
-	getApps, 
-	getTeams,
-	revokeAccess 
-} from '../../integrations';
-import {
-	INTEGRATION_VERCEL_API_URL,
-	INTEGRATION_RAILWAY_API_URL
-} from '../../variables';
-import request from '../../config/request';
+import { getApps, revokeAccess } from '../../integrations';

-/***
- * Return integration authorization with id [integrationAuthId]
- */
-export const getIntegrationAuth = async (req: Request, res: Response) => {
-	let integrationAuth;
-	try {
-		const { integrationAuthId } = req.params;
-		integrationAuth = await IntegrationAuth.findById(integrationAuthId);
-		
-		if (!integrationAuth) return res.status(400).send({
-			message: 'Failed to find integration authorization'
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get integration authorization'
-		});	
-	}
-	
+export const getIntegrationOptions = async (
+	req: Request,
+	res: Response
+) => {
 	return res.status(200).send({
-		integrationAuth
+		integrationOptions: INTEGRATION_OPTIONS
 	});
 }

-export const getIntegrationOptions = async (req: Request, res: Response) => {
-	const INTEGRATION_OPTIONS = getIntegrationOptionsFunc();
-
-	return res.status(200).send({
-		integrationOptions: INTEGRATION_OPTIONS,
-	});
-};
-
 /**
 * Perform OAuth2 code-token exchange as part of integration [integration] for workspace with id [workspaceId]
 * @param req
@ -63,6 +31,7 @@ export const oAuthExchange = async (
 ) => {
 	try {
 		const { workspaceId, code, integration } = req.body;
+
 		if (!INTEGRATION_SET.has(integration))
 			throw new Error('Failed to validate integration');
 		
@ -71,16 +40,12 @@ export const oAuthExchange = async (
 			throw new Error("Failed to get environments")
 		}
 	
-		const integrationAuth = await IntegrationService.handleOAuthExchange({
+		await IntegrationService.handleOAuthExchange({
 			workspaceId,
 			integration,
 			code,
 			environment: environments[0].slug,
 		});
-		
-		return res.status(200).send({
-			integrationAuth
-		});
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);
@ -88,42 +53,34 @@ export const oAuthExchange = async (
 			message: 'Failed to get OAuth2 code-token exchange'
 		});
 	}
+
+	return res.status(200).send({
+		message: 'Successfully enabled integration authorization'
+	});
 };

 /**
- * Save integration access token and (optionally) access id as part of integration
- * [integration] for workspace with id [workspaceId]
+ * Save integration access token as part of integration [integration] for workspace with id [workspaceId]
 * @param req 
 * @param res 
 */
 export const saveIntegrationAccessToken = async (
-  req: Request,
-  res: Response
+	req: Request,
+	res: Response
 ) => {
 	// TODO: refactor
-	// TODO: check if access token is valid for each integration
-
 	let integrationAuth;
 	try {
 		const {
 			workspaceId,
-			accessId,
 			accessToken,
 			integration
 		}: {
 			workspaceId: string;
-			accessId: string | null;
 			accessToken: string;
 			integration: string;
 		} = req.body;

-		const bot = await Bot.findOne({
-            workspace: new Types.ObjectId(workspaceId),
-            isActive: true
-        });
-        
-        if (!bot) throw new Error('Bot must be enabled to save integration access token');
-
 		integrationAuth = await IntegrationAuth.findOneAndUpdate({
            workspace: new Types.ObjectId(workspaceId),
            integration
@ -134,11 +91,17 @@ export const saveIntegrationAccessToken = async (
            new: true,
            upsert: true
        });
+
+		const bot = await Bot.findOne({
+            workspace: new Types.ObjectId(workspaceId),
+            isActive: true
+        });
+        
+        if (!bot) throw new Error('Bot must be enabled to save integration access token');
 		
-		// encrypt and save integration access details
+		// encrypt and save integration access token
 		integrationAuth = await IntegrationService.setIntegrationAuthAccess({
 			integrationAuthId: integrationAuth._id.toString(),
-			accessId,
 			accessToken,
 			accessExpiresAt: undefined
 		});
@ -166,18 +129,15 @@ export const saveIntegrationAccessToken = async (
 export const getIntegrationAuthApps = async (req: Request, res: Response) => {
 	let apps;
 	try {
-		const teamId = req.query.teamId as string;
-		
 		apps = await getApps({
 			integrationAuth: req.integrationAuth,
-			accessToken: req.accessToken,
-			...teamId && { teamId }
+			accessToken: req.accessToken
 		});
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
+        Sentry.captureException(err);	
 		return res.status(400).send({
-			message: "Failed to get integration authorization applications",
+			message: 'Failed to get integration authorization applications'
 		});
 	}

@ -186,213 +146,6 @@ export const getIntegrationAuthApps = async (req: Request, res: Response) => {
 	});
 };

-/**
- * Return list of teams allowed for integration with integration authorization id [integrationAuthId]
- * @param req 
- * @param res 
- * @returns 
- */
-export const getIntegrationAuthTeams = async (req: Request, res: Response) => {
-	const teams = await getTeams({
-		integrationAuth: req.integrationAuth,
-		accessToken: req.accessToken
-	});
-	
-	return res.status(200).send({
-		teams
-	});
-}
-
-/**
- * Return list of available Vercel (preview) branches for Vercel project with
- * id [appId]
- * @param req 
- * @param res 
- */
-export const getIntegrationAuthVercelBranches = async (req: Request, res: Response) => {
-	const { integrationAuthId } = req.params;
-	const appId = req.query.appId as string;
-	
-	interface VercelBranch {
-		ref: string;
-		lastCommit: string;
-		isProtected: boolean;
-	}
-
-	const params = new URLSearchParams({
-		projectId: appId,
-		...(req.integrationAuth.teamId ? {
-			teamId: req.integrationAuth.teamId
-		} : {})
-	});
-
-	let branches: string[] = [];
-	
-	if (appId && appId !== '') {
-		const { data }: { data: VercelBranch[] } = await request.get(
-			`${INTEGRATION_VERCEL_API_URL}/v1/integrations/git-branches`,
-			{
-				params,
-				headers: {
-					Authorization: `Bearer ${req.accessToken}`,
-					'Accept-Encoding': 'application/json'
-				}
-			}
-		);
-		
-		branches = data.map((b) => b.ref);
-	}
-
-	return res.status(200).send({
-		branches
-	});
-}
-
-/**
- * Return list of Railway environments for Railway project with
- * id [appId]
- * @param req 
- * @param res 
- */
-export const getIntegrationAuthRailwayEnvironments = async (req: Request, res: Response) => {
-	const { integrationAuthId } = req.params;
-	const appId = req.query.appId as string;
-	
-	interface RailwayEnvironment {
-		node: {
-			id: string;
-			name: string;
-			isEphemeral: boolean;
-		}
-	}
-	
-	interface Environment {
-		environmentId: string;
-		name: string;
-	}
-	
-	let environments: Environment[] = [];
-
-	if (appId && appId !== '') {
-		const query = `
-			query GetEnvironments($projectId: String!, $after: String, $before: String, $first: Int, $isEphemeral: Boolean, $last: Int) {
-				environments(projectId: $projectId, after: $after, before: $before, first: $first, isEphemeral: $isEphemeral, last: $last) {
-				edges {
-					node {
-					id
-					name
-					isEphemeral
-					}
-				}
-				}
-			}
-			`;
-		
-		const variables = {
-			projectId: appId
-		}
-		
-		const { data: { data: { environments: { edges } } } } = await request.post(INTEGRATION_RAILWAY_API_URL, {
-			query,
-			variables,
-		}, {
-			headers: {
-				'Authorization': `Bearer ${req.accessToken}`,
-				'Content-Type': 'application/json',
-			},
-		});
-		
-		environments = edges.map((e: RailwayEnvironment) => {
-			return ({
-				name: e.node.name,
-				environmentId: e.node.id
-			});
-		});
-	}
-	
-	return res.status(200).send({
-		environments
-	});
-}
-
-/**
- * Return list of Railway services for Railway project with id
- * [appId]
- * @param req 
- * @param res 
- */
-export const getIntegrationAuthRailwayServices = async (req: Request, res: Response) => {
-	const { integrationAuthId } = req.params;
-	const appId = req.query.appId as string;
-	
-	interface RailwayService {
-		node: {
-			id: string;
-			name: string;
-		}
-	}
-	
-	interface Service {
-		name: string;
-		serviceId: string;
-	}
-	
-	let services: Service[] = [];
-	
-	const query = `
-      query project($id: String!) {
-        project(id: $id) {
-          createdAt
-          deletedAt
-          id
-          description
-          expiredAt
-          isPublic
-          isTempProject
-          isUpdatable
-          name
-          prDeploys
-          teamId
-          updatedAt
-          upstreamUrl
-		  services {
-			edges {
-				node {
-					id
-					name
-				}
-			}
-		  }
-        }
-      }
-    `;
-
-	if (appId && appId !== '') {
-		const variables = {
-			id: appId
-		}
-		
-		const { data: { data: { project: { services: { edges } } } } } = await request.post(INTEGRATION_RAILWAY_API_URL, {
-			query,
-			variables
-		}, {
-			headers: {
-				'Authorization': `Bearer ${req.accessToken}`,
-				'Content-Type': 'application/json',
-			},
-		});
-		
-		services = edges.map((e: RailwayService) => ({
-			name: e.node.name,
-			serviceId: e.node.id
-		}));
-	}
-	
-	return res.status(200).send({
-		services
-	});
-}
-
 /**
 * Delete integration authorization with id [integrationAuthId]
 * @param req
@ -400,21 +153,21 @@ export const getIntegrationAuthRailwayServices = async (req: Request, res: Respo
 * @returns
 */
 export const deleteIntegrationAuth = async (req: Request, res: Response) => {
-  let integrationAuth;
-  try {
-    integrationAuth = await revokeAccess({
-      integrationAuth: req.integrationAuth,
-      accessToken: req.accessToken,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to delete integration authorization",
-    });
-  }
-
-  return res.status(200).send({
-    integrationAuth,
-  });
-};
+	let integrationAuth;
+	try {
+		integrationAuth = await revokeAccess({
+			integrationAuth: req.integrationAuth,
+			accessToken: req.accessToken
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+        Sentry.captureException(err);	
+		return res.status(400).send({
+			message: 'Failed to delete integration authorization'
+		});
+	}
+	
+	return res.status(200).send({
+		integrationAuth
+	});
+}
--- a/backend/src/controllers/v1/integrationController.ts
+++ b/backend/src/controllers/v1/integrationController.ts
@ -1,56 +1,83 @@
 import { Request, Response } from 'express';
-import { Types } from 'mongoose';
 import * as Sentry from '@sentry/node';
 import { 
-	Integration
+	Integration, 
+	Workspace,
+	Bot, 
+	BotKey 
 } from '../../models';
 import { EventService } from '../../services';
 import { eventPushSecrets } from '../../events';

 /**
 * Create/initialize an (empty) integration for integration authorization
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const createIntegration = async (req: Request, res: Response) => {
+	let integration;
+	try {
+		// initialize new integration after saving integration access token
+        integration = await new Integration({
+            workspace: req.integrationAuth.workspace._id,
+            isActive: false,
+            app: null,
+            environment: req.integrationAuth.workspace?.environments[0].slug,
+            integration: req.integrationAuth.integration,
+            integrationAuth: req.integrationAuth._id
+        }).save();
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to create integration'
+		});
+	}
+
+	return res.status(200).send({
+		integration
+	});
+}
+
+/**
+ * Change environment or name of integration with id [integrationId]
 * @param req
 * @param res
 * @returns
 */
-export const createIntegration = async (req: Request, res: Response) => {
+export const updateIntegration = async (req: Request, res: Response) => {
 	let integration;
-
+	
+	// TODO: add integration-specific validation to ensure that each
+	// integration has the correct fields populated in [Integration]
+	
 	try {
-		const {
-			integrationAuthId,
-			app,
+		const { 
+			environment, 
+			isActive, 
+			app, 
 			appId,
-			isActive,
-			sourceEnvironment,
 			targetEnvironment,
-			targetEnvironmentId,
-      targetService,
-      targetServiceId,
-			owner,
-			path,
-			region
+			owner, // github-specific integration param
 		} = req.body;
 		
-		// TODO: validate [sourceEnvironment] and [targetEnvironment]
-
-		// initialize new integration after saving integration access token
-    integration = await new Integration({
-      workspace: req.integrationAuth.workspace._id,
-      environment: sourceEnvironment,
-      isActive,
-      app,
-			appId,
-			targetEnvironment,
-			targetEnvironmentId,
-      targetService,
-      targetServiceId,
-			owner,
-			path,
-			region,
-      integration: req.integrationAuth.integration,
-      integrationAuth: new Types.ObjectId(integrationAuthId)
-    }).save();
+		integration = await Integration.findOneAndUpdate(
+			{
+				_id: req.integration._id
+			},
+			{
+				environment,
+				isActive,
+				app,
+				appId,
+				targetEnvironment,
+				owner
+			},
+			{
+				new: true
+			}
+		);
 		
 		if (integration) {
 			// trigger event - push secrets
@ -60,78 +87,17 @@ export const createIntegration = async (req: Request, res: Response) => {
 				})
 			});
 		}
-
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);
 		return res.status(400).send({
-			message: 'Failed to create integration'
+			message: 'Failed to update integration'
 		});
 	}

-  return res.status(200).send({
-    integration,
-  });
-};
-
-/**
- * Change environment or name of integration with id [integrationId]
- * @param req
- * @param res
- * @returns
- */
-export const updateIntegration = async (req: Request, res: Response) => {
-  let integration;
-
-  // TODO: add integration-specific validation to ensure that each
-  // integration has the correct fields populated in [Integration]
-
-  try {
-    const {
-      environment,
-      isActive,
-      app,
-      appId,
-      targetEnvironment,
-      owner, // github-specific integration param
-    } = req.body;
-
-    integration = await Integration.findOneAndUpdate(
-      {
-        _id: req.integration._id,
-      },
-      {
-        environment,
-        isActive,
-        app,
-        appId,
-        targetEnvironment,
-        owner,
-      },
-      {
-        new: true,
-      }
-    );
-
-    if (integration) {
-      // trigger event - push secrets
-      EventService.handleEvent({
-        event: eventPushSecrets({
-          workspaceId: integration.workspace.toString(),
-        }),
-      });
-    }
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to update integration",
-    });
-  }
-
-  return res.status(200).send({
-    integration,
-  });
+	return res.status(200).send({
+		integration
+	});
 };

 /**
@ -142,24 +108,24 @@ export const updateIntegration = async (req: Request, res: Response) => {
 * @returns
 */
 export const deleteIntegration = async (req: Request, res: Response) => {
-  let integration;
-  try {
-    const { integrationId } = req.params;
+	let integration;
+	try {
+		const { integrationId } = req.params;

-    integration = await Integration.findOneAndDelete({
-      _id: integrationId,
-    });
-
-    if (!integration) throw new Error("Failed to find integration");
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to delete integration",
-    });
-  }
-
-  return res.status(200).send({
-    integration,
-  });
+		integration = await Integration.findOneAndDelete({
+			_id: integrationId
+		});
+		
+		if (!integration) throw new Error('Failed to find integration');
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to delete integration'
+		});
+	}
+	
+	return res.status(200).send({
+		integration
+	});
 };
--- a/backend/src/controllers/v1/membershipController.ts
+++ b/backend/src/controllers/v1/membershipController.ts
@ -1,13 +1,13 @@
-import * as Sentry from '@sentry/node';
 import { Request, Response } from 'express';
-import { Membership, MembershipOrg, User, Key } from '../../models';
+import * as Sentry from '@sentry/node';
+import { Membership, MembershipOrg, User, Key, IMembership, Workspace } from '../../models';
 import {
 	findMembership,
 	deleteMembership as deleteMember
 } from '../../helpers/membership';
 import { sendMail } from '../../helpers/nodemailer';
+import { SITE_URL } from '../../config';
 import { ADMIN, MEMBER, ACCEPTED } from '../../variables';
-import { getSiteURL } from '../../config';

 /**
 * Check that user is a member of workspace with id [workspaceId]
@ -215,7 +215,7 @@ export const inviteUserToWorkspace = async (req: Request, res: Response) => {
 				inviterFirstName: req.user.firstName,
 				inviterEmail: req.user.email,
 				workspaceName: req.membership.workspace.name,
-				callback_url: getSiteURL() + '/login'
+				callback_url: SITE_URL + '/login'
 			}
 		});
 	} catch (err) {
--- a/backend/src/controllers/v1/membershipOrgController.ts
+++ b/backend/src/controllers/v1/membershipOrgController.ts
@ -1,13 +1,14 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import { MembershipOrg, Organization, User } from '../../models';
+import crypto from 'crypto';
+import { SITE_URL, JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET } from '../../config';
+import { MembershipOrg, Organization, User, Token } from '../../models';
 import { deleteMembershipOrg as deleteMemberFromOrg } from '../../helpers/membershipOrg';
+import { checkEmailVerification } from '../../helpers/signup';
 import { createToken } from '../../helpers/auth';
 import { updateSubscriptionOrgQuantity } from '../../helpers/organization';
 import { sendMail } from '../../helpers/nodemailer';
-import { TokenService } from '../../services';
-import { OWNER, ADMIN, MEMBER, ACCEPTED, INVITED, TOKEN_EMAIL_ORG_INVITATION } from '../../variables';
-import { getSiteURL, getJwtSignupLifetime, getJwtSignupSecret, getSmtpConfigured } from '../../config';
+import { OWNER, ADMIN, MEMBER, ACCEPTED, INVITED } from '../../variables';

 /**
 * Delete organization membership with id [membershipOrgId] from organization
@ -76,6 +77,8 @@ export const changeMembershipOrgRole = async (req: Request, res: Response) => {
 	// change role for (target) organization membership with id
 	// [membershipOrgId]

+	// TODO
+
 	let membershipToChangeRole;
 	// try {
 	// } catch (err) {
@ -99,11 +102,9 @@ export const changeMembershipOrgRole = async (req: Request, res: Response) => {
 * @returns
 */
 export const inviteUserToOrganization = async (req: Request, res: Response) => {
-	let invitee, inviteeMembershipOrg, completeInviteLink;
+	let invitee, inviteeMembershipOrg;
 	try {
 		const { organizationId, inviteeEmail } = req.body;
-		const host = req.headers.host;
-		const siteUrl = `${req.protocol}://${host}`;

 		// validate membership
 		const membershipOrg = await MembershipOrg.findOne({
@ -114,14 +115,14 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 		if (!membershipOrg) {
 			throw new Error('Failed to validate organization membership');
 		}
-
+		
 		invitee = await User.findOne({
 			email: inviteeEmail
 		}).select('+publicKey');

 		if (invitee) {
 			// case: invitee is an existing user
-
+			
 			inviteeMembershipOrg = await MembershipOrg.findOne({
 				user: invitee._id,
 				organization: organizationId
@ -164,11 +165,17 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 		const organization = await Organization.findOne({ _id: organizationId });

 		if (organization) {
-			const token = await TokenService.createToken({
-				type: TOKEN_EMAIL_ORG_INVITATION,
-				email: inviteeEmail,
-				organizationId: organization._id
-			});
+			const token = crypto.randomBytes(16).toString('hex');
+
+			await Token.findOneAndUpdate(
+				{ email: inviteeEmail },
+				{
+					email: inviteeEmail,
+					token,
+					createdAt: new Date()
+				},
+				{ upsert: true, new: true }
+			);

 			await sendMail({
 				template: 'organizationInvitation.handlebars',
@ -180,13 +187,9 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 					organizationName: organization.name,
 					email: inviteeEmail,
 					token,
-					callback_url: getSiteURL() + '/signupinvite'
+					callback_url: SITE_URL + '/signupinvite'
 				}
 			});
-
-			if (!getSmtpConfigured()) {
-				completeInviteLink = `${siteUrl + '/signupinvite'}?token=${token}&to=${inviteeEmail}`
-			}
 		}

 		await updateSubscriptionOrgQuantity({ organizationId });
@ -199,8 +202,7 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 	}

 	return res.status(200).send({
-		message: `Sent an invite link to ${req.body.inviteeEmail}`,
-		completeInviteLink
+		message: `Sent an invite link to ${req.body.inviteeEmail}`
 	});
 };

@ -226,11 +228,9 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => {
 		if (!membershipOrg)
 			throw new Error('Failed to find any invitations for email');

-		await TokenService.validateToken({
-			type: TOKEN_EMAIL_ORG_INVITATION,
+		await checkEmailVerification({
 			email,
-			organizationId: membershipOrg.organization,
-			token: code
+			code
 		});

 		if (user && user?.publicKey) {
@ -243,7 +243,7 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => {
 				message: 'Successfully verified email',
 				user,
 			});
-		}
+        }

 		if (!user) {
 			// initialize user account
@ -257,8 +257,8 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => {
 			payload: {
 				userId: user._id.toString()
 			},
-			expiresIn: getJwtSignupLifetime(),
-			secret: getJwtSignupSecret()
+			expiresIn: JWT_SIGNUP_LIFETIME,
+			secret: JWT_SIGNUP_SECRET
 		});
 	} catch (err) {
 		Sentry.setUser(null);
--- a/backend/src/controllers/v1/organizationController.ts
+++ b/backend/src/controllers/v1/organizationController.ts
@ -1,6 +1,17 @@
-import * as Sentry from '@sentry/node';
 import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import {
+	SITE_URL,
+	STRIPE_SECRET_KEY,
+	STRIPE_PRODUCT_STARTER,
+	STRIPE_PRODUCT_PRO,
+	STRIPE_PRODUCT_CARD_AUTH
+} from '../../config';
 import Stripe from 'stripe';
+
+const stripe = new Stripe(STRIPE_SECRET_KEY, {
+	apiVersion: '2022-08-01'
+});
 import {
 	Membership,
 	MembershipOrg,
@ -11,8 +22,12 @@ import {
 import { createOrganization as create } from '../../helpers/organization';
 import { addMembershipsOrg } from '../../helpers/membershipOrg';
 import { OWNER, ACCEPTED } from '../../variables';
-import _ from 'lodash';
-import { getStripeSecretKey, getSiteURL } from '../../config';
+
+const productToPriceMap = {
+	starter: STRIPE_PRODUCT_STARTER,
+	pro: STRIPE_PRODUCT_PRO,
+	cardAuth: STRIPE_PRODUCT_CARD_AUTH
+};

 export const getOrganizations = async (req: Request, res: Response) => {
 	let organizations;
@ -317,10 +332,6 @@ export const createOrganizationPortalSession = async (
 ) => {
 	let session;
 	try {
-		const stripe = new Stripe(getStripeSecretKey(), {
-			apiVersion: '2022-08-01'
-		});
-
 		// check if there is a payment method on file
 		const paymentMethods = await stripe.paymentMethods.list({
 			customer: req.membershipOrg.organization.customerId,
@ -329,17 +340,18 @@ export const createOrganizationPortalSession = async (

 		if (paymentMethods.data.length < 1) {
 			// case: no payment method on file
+			productToPriceMap['cardAuth'];
 			session = await stripe.checkout.sessions.create({
 				customer: req.membershipOrg.organization.customerId,
 				mode: 'setup',
 				payment_method_types: ['card'],
-				success_url: getSiteURL() + '/dashboard',
-				cancel_url: getSiteURL() + '/dashboard'
+				success_url: SITE_URL + '/dashboard',
+				cancel_url: SITE_URL + '/dashboard'
 			});
 		} else {
 			session = await stripe.billingPortal.sessions.create({
 				customer: req.membershipOrg.organization.customerId,
-				return_url: getSiteURL() + '/dashboard'
+				return_url: SITE_URL + '/dashboard'
 			});
 		}

@ -365,10 +377,6 @@ export const getOrganizationSubscriptions = async (
 ) => {
 	let subscriptions;
 	try {
-		const stripe = new Stripe(getStripeSecretKey(), {
-			apiVersion: '2022-08-01'
-		});
-		
 		subscriptions = await stripe.subscriptions.list({
 			customer: req.membershipOrg.organization.customerId
 		});
@ -384,44 +392,3 @@ export const getOrganizationSubscriptions = async (
 		subscriptions
 	});
 };
-
-
-/**
- * Given a org id, return the projects each member of the org belongs to
- * @param req
- * @param res
- * @returns
- */
-export const getOrganizationMembersAndTheirWorkspaces = async (
-	req: Request,
-	res: Response
-) => {
-	const { organizationId } = req.params;
-
-	const workspacesSet = (
-			await Workspace.find(
-				{
-					organization: organizationId
-				},
-				'_id'
-			)
-		).map((w) => w._id.toString());
-
-	const memberships = (
-		await Membership.find({
-			workspace: { $in: workspacesSet }
-		}).populate('workspace')
-	);
-	const userToWorkspaceIds: any = {};
-
-	memberships.forEach(membership => {
-		const user = membership.user.toString();
-		if (userToWorkspaceIds[user]) {
-			userToWorkspaceIds[user].push(membership.workspace);
-		} else {
-			userToWorkspaceIds[user] = [membership.workspace];
-		}
-	});
-
-	return res.json(userToWorkspaceIds);
-};
--- a/backend/src/controllers/v1/passwordController.ts
+++ b/backend/src/controllers/v1/passwordController.ts
@ -1,15 +1,16 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
+import crypto from 'crypto';
 // eslint-disable-next-line @typescript-eslint/no-var-requires
 const jsrp = require('jsrp');
 import * as bigintConversion from 'bigint-conversion';
-import { User, BackupPrivateKey, LoginSRPDetail } from '../../models';
+import { User, Token, BackupPrivateKey } from '../../models';
+import { checkEmailVerification } from '../../helpers/signup';
 import { createToken } from '../../helpers/auth';
 import { sendMail } from '../../helpers/nodemailer';
-import { TokenService } from '../../services';
-import { TOKEN_EMAIL_PASSWORD_RESET } from '../../variables';
-import { BadRequestError } from '../../utils/errors';
-import { getSiteURL, getJwtSignupLifetime, getJwtSignupSecret } from '../../config';
+import { JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET, SITE_URL } from '../../config';
+
+const clientPublicKeys: any = {};

 /**
 * Password reset step 1: Send email verification link to email [email] 
@ -32,10 +33,17 @@ export const emailPasswordReset = async (req: Request, res: Response) => {
 			});
 		}
 		
-		const token = await TokenService.createToken({
-			type: TOKEN_EMAIL_PASSWORD_RESET,
-			email
-		});
+		const token = crypto.randomBytes(16).toString('hex');
+
+		await Token.findOneAndUpdate(
+			{ email },
+			{
+				email,
+				token,
+				createdAt: new Date()
+			},
+			{ upsert: true, new: true }
+		);
 		
 		await sendMail({
 			template: 'passwordReset.handlebars',
@ -44,17 +52,18 @@ export const emailPasswordReset = async (req: Request, res: Response) => {
 			substitutions: {
 				email,
 				token,
-				callback_url: getSiteURL() + '/password-reset'
+				callback_url: SITE_URL + '/password-reset'
 			}
 		});
+		
 	} catch (err) {
 		Sentry.setUser(null);
 		Sentry.captureException(err);
 		return res.status(400).send({
 			message: 'Failed to send email for account recovery'
-		});
+		});	
 	}
-
+	
 	return res.status(200).send({
 		message: `Sent an email for account recovery to ${email}`
 	});
@ -70,7 +79,7 @@ export const emailPasswordResetVerify = async (req: Request, res: Response) => {
 	let user, token;
 	try {
 		const { email, code } = req.body;
-
+		
 		user = await User.findOne({ email }).select('+publicKey');
 		if (!user || !user?.publicKey) {
 			// case: user doesn't exist with email [email] or 
@ -79,27 +88,26 @@ export const emailPasswordResetVerify = async (req: Request, res: Response) => {
 				error: 'Failed email verification for password reset'
 			});
 		}
-		
-		await TokenService.validateToken({
-			type: TOKEN_EMAIL_PASSWORD_RESET,
-			email,
-			token: code
-		});

+		await checkEmailVerification({
+			email,
+			code
+		});
+		
 		// generate temporary password-reset token
 		token = createToken({
 			payload: {
 				userId: user._id.toString()
 			},
-			expiresIn: getJwtSignupLifetime(),
-			secret: getJwtSignupSecret()
+			expiresIn: JWT_SIGNUP_LIFETIME,
+			secret: JWT_SIGNUP_SECRET
 		});
 	} catch (err) {
 		Sentry.setUser(null);
 		Sentry.captureException(err);
 		return res.status(400).send({
 			message: 'Failed email verification for password reset'
-		});
+		});	
 	}

 	return res.status(200).send({
@ -122,7 +130,7 @@ export const srp1 = async (req: Request, res: Response) => {
 		const user = await User.findOne({
 			email: req.user.email
 		}).select('+salt +verifier');
-
+		
 		if (!user) throw new Error('Failed to find user');

 		const server = new jsrp.server();
@ -131,15 +139,13 @@ export const srp1 = async (req: Request, res: Response) => {
 				salt: user.salt,
 				verifier: user.verifier
 			},
-			async () => {
+			() => {
 				// generate server-side public key
 				const serverPublicKey = server.getPublicKey();
-
-				await LoginSRPDetail.findOneAndReplace({ email: req.user.email }, {
-					email: req.user.email,
-					clientPublicKey: clientPublicKey,
-					serverBInt: bigintConversion.bigintToBuf(server.bInt),
-				}, { upsert: true, returnNewDocument: false })
+				clientPublicKeys[req.user.email] = {
+					clientPublicKey,
+					serverBInt: bigintConversion.bigintToBuf(server.bInt)
+				};

 				return res.status(200).send({
 					serverPublicKey,
@ -166,39 +172,25 @@ export const srp1 = async (req: Request, res: Response) => {
 */
 export const changePassword = async (req: Request, res: Response) => {
 	try {
-		const { 
-			clientProof, 
-			protectedKey,
-			protectedKeyIV,
-			protectedKeyTag,
-			encryptedPrivateKey,
-			encryptedPrivateKeyIV,
-			encryptedPrivateKeyTag,
-			salt,
-			verifier
-		} = req.body;
-
+		const { clientProof, encryptedPrivateKey, iv, tag, salt, verifier } =
+			req.body;
 		const user = await User.findOne({
 			email: req.user.email
 		}).select('+salt +verifier');

 		if (!user) throw new Error('Failed to find user');

-		const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: req.user.email })
-
-		if (!loginSRPDetailFromDB) {
-			return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
-		}
-
 		const server = new jsrp.server();
 		server.init(
 			{
 				salt: user.salt,
 				verifier: user.verifier,
-				b: loginSRPDetailFromDB.serverBInt
+				b: clientPublicKeys[req.user.email].serverBInt
 			},
 			async () => {
-				server.setClientPublicKey(loginSRPDetailFromDB.clientPublicKey);
+				server.setClientPublicKey(
+					clientPublicKeys[req.user.email].clientPublicKey
+				);

 				// compare server and client shared keys
 				if (server.checkClientProof(clientProof)) {
@ -207,13 +199,9 @@ export const changePassword = async (req: Request, res: Response) => {
 					await User.findByIdAndUpdate(
 						req.user._id.toString(),
 						{
-							encryptionVersion: 2,
-							protectedKey,
-							protectedKeyIV,
-							protectedKeyTag,
 							encryptedPrivateKey,
-							iv: encryptedPrivateKeyIV,
-							tag: encryptedPrivateKeyTag,
+							iv,
+							tag,
 							salt,
 							verifier
 						},
@ -261,22 +249,16 @@ export const createBackupPrivateKey = async (req: Request, res: Response) => {

 		if (!user) throw new Error('Failed to find user');

-		const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: req.user.email })
-
-		if (!loginSRPDetailFromDB) {
-			return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
-		}
-
 		const server = new jsrp.server();
 		server.init(
 			{
 				salt: user.salt,
 				verifier: user.verifier,
-				b: loginSRPDetailFromDB.serverBInt
+				b: clientPublicKeys[req.user.email].serverBInt
 			},
 			async () => {
 				server.setClientPublicKey(
-					loginSRPDetailFromDB.clientPublicKey
+					clientPublicKeys[req.user.email].clientPublicKey
 				);

 				// compare server and client shared keys
@ -329,16 +311,16 @@ export const getBackupPrivateKey = async (req: Request, res: Response) => {
 		backupPrivateKey = await BackupPrivateKey.findOne({
 			user: req.user._id
 		}).select('+encryptedPrivateKey +iv +tag');
-
+		
 		if (!backupPrivateKey) throw new Error('Failed to find backup private key');
 	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
+		Sentry.setUser({ email: req.user.email});
 		Sentry.captureException(err);
 		return res.status(400).send({
 			message: 'Failed to get backup private key'
 		});
 	}
-
+	
 	return res.status(200).send({
 		backupPrivateKey
 	});
@ -347,12 +329,9 @@ export const getBackupPrivateKey = async (req: Request, res: Response) => {
 export const resetPassword = async (req: Request, res: Response) => {
 	try {
 		const {
-			protectedKey,
-			protectedKeyIV,
-			protectedKeyTag,
 			encryptedPrivateKey,
-			encryptedPrivateKeyIV,
-			encryptedPrivateKeyTag,
+			iv,
+			tag,
 			salt,
 			verifier,
 		} = req.body;
@ -360,28 +339,24 @@ export const resetPassword = async (req: Request, res: Response) => {
 		await User.findByIdAndUpdate(
 			req.user._id.toString(),
 			{
-				encryptionVersion: 2,
-				protectedKey,
-				protectedKeyIV,
-				protectedKeyTag,	
 				encryptedPrivateKey,
-				iv: encryptedPrivateKeyIV,
-				tag: encryptedPrivateKeyTag,
+				iv,
+				tag,
 				salt,
 				verifier
 			},
 			{
 				new: true
 			}
-		);
+		);	
 	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
+		Sentry.setUser({ email: req.user.email});
 		Sentry.captureException(err);
 		return res.status(400).send({
 			message: 'Failed to get backup private key'
-		});
+		});	
 	}
-
+	
 	return res.status(200).send({
 		message: 'Successfully reset password'
 	});
--- a/backend/src/controllers/v1/secretController.ts
+++ b/backend/src/controllers/v1/secretController.ts
@ -9,7 +9,7 @@ import {
 import { pushKeys } from '../../helpers/key';
 import { eventPushSecrets } from '../../events';
 import { EventService } from '../../services';
-import { TelemetryService } from '../../services';
+import { postHogClient } from '../../services';

 interface PushSecret {
 	ciphertextKey: string;
@ -38,7 +38,6 @@ export const pushSecrets = async (req: Request, res: Response) => {
 	// upload (encrypted) secrets to workspace with id [workspaceId]

 	try {
-		const postHogClient = TelemetryService.getPostHogClient();
 		let { secrets }: { secrets: PushSecret[] } = req.body;
 		const { keys, environment, channel } = req.body;
 		const { workspaceId } = req.params;
@ -112,7 +111,6 @@ export const pullSecrets = async (req: Request, res: Response) => {
 	let secrets;
 	let key;
 	try {
-		const postHogClient = TelemetryService.getPostHogClient();
 		const environment: string = req.query.environment as string;
 		const channel: string = req.query.channel as string;
 		const { workspaceId } = req.params;
@ -181,7 +179,6 @@ export const pullSecretsServiceToken = async (req: Request, res: Response) => {
 	let secrets;
 	let key;
 	try {
-		const postHogClient = TelemetryService.getPostHogClient();
 		const environment: string = req.query.environment as string;
 		const channel: string = req.query.channel as string;
 		const { workspaceId } = req.params;
--- a/backend/src/controllers/v1/serviceTokenController.ts
+++ b/backend/src/controllers/v1/serviceTokenController.ts
@ -1,7 +1,7 @@
 import { Request, Response } from 'express';
 import { ServiceToken } from '../../models';
 import { createToken } from '../../helpers/auth';
-import { getJwtServiceSecret } from '../../config';
+import { JWT_SERVICE_SECRET } from '../../config';

 /**
 * Return service token on request
@ -61,7 +61,7 @@ export const createServiceToken = async (req: Request, res: Response) => {
 				workspaceId
 			},
 			expiresIn: expiresIn,
-			secret: getJwtServiceSecret()
+			secret: JWT_SERVICE_SECRET
 		});
 	} catch (err) {
 		return res.status(400).send({
--- a/backend/src/controllers/v1/signupController.ts
+++ b/backend/src/controllers/v1/signupController.ts
@ -1,13 +1,16 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import { User } from '../../models';
+import { NODE_ENV, JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET } from '../../config';
+import { User, MembershipOrg } from '../../models';
+import { completeAccount } from '../../helpers/user';
 import {
 	sendEmailVerification,
 	checkEmailVerification,
+	initializeDefaultOrg
 } from '../../helpers/signup';
-import { createToken } from '../../helpers/auth';
-import { BadRequestError } from '../../utils/errors';
-import { getInviteOnlySignup, getJwtSignupLifetime, getJwtSignupSecret, getSmtpConfigured } from '../../config';
+import { issueTokens, createToken } from '../../helpers/auth';
+import { INVITED, ACCEPTED } from '../../variables';
+import axios from 'axios';

 /**
 * Signup step 1: Initialize account for user under email [email] and send a verification code
@ -21,14 +24,6 @@ export const beginEmailSignup = async (req: Request, res: Response) => {
 	try {
 		email = req.body.email;

-		if (getInviteOnlySignup()) {
-			// Only one user can create an account without being invited. The rest need to be invited in order to make an account
-			const userCount = await User.countDocuments({})
-			if (userCount != 0) {
-				throw BadRequestError({ message: "New user sign ups are not allowed at this time. You must be invited to sign up." })
-			}
-		}
-
 		const user = await User.findOne({ email }).select('+publicKey');
 		if (user && user?.publicKey) {
 			// case: user has already completed account
@ -66,7 +61,7 @@ export const verifyEmailSignup = async (req: Request, res: Response) => {
 		const { email, code } = req.body;

 		// initialize user account
-		user = await User.findOne({ email }).select('+publicKey');
+		user = await User.findOne({ email });
 		if (user && user?.publicKey) {
 			// case: user has already completed account
 			return res.status(403).send({
@ -75,12 +70,10 @@ export const verifyEmailSignup = async (req: Request, res: Response) => {
 		}

 		// verify email
-		if (getSmtpConfigured()) {
-			await checkEmailVerification({
-				email,
-				code
-			});
-		}
+		await checkEmailVerification({
+			email,
+			code
+		});

 		if (!user) {
 			user = await new User({
@ -93,8 +86,8 @@ export const verifyEmailSignup = async (req: Request, res: Response) => {
 			payload: {
 				userId: user._id.toString()
 			},
-			expiresIn: getJwtSignupLifetime(),
-			secret: getJwtSignupSecret()
+			expiresIn: JWT_SIGNUP_LIFETIME,
+			secret: JWT_SIGNUP_SECRET
 		});
 	} catch (err) {
 		Sentry.setUser(null);
@ -110,3 +103,201 @@ export const verifyEmailSignup = async (req: Request, res: Response) => {
 		token
 	});
 };
+
+/**
+ * Complete setting up user by adding their personal and auth information as part of the
+ * signup flow
+ * @param req
+ * @param res
+ * @returns
+ */
+export const completeAccountSignup = async (req: Request, res: Response) => {
+	let user, token, refreshToken;
+	try {
+		const {
+			email,
+			firstName,
+			lastName,
+			publicKey,
+			encryptedPrivateKey,
+			iv,
+			tag,
+			salt,
+			verifier,
+			organizationName
+		} = req.body;
+
+		// get user
+		user = await User.findOne({ email });
+		
+		if (!user || (user && user?.publicKey)) {
+			// case 1: user doesn't exist.
+			// case 2: user has already completed account
+			return res.status(403).send({
+				error: 'Failed to complete account for complete user'
+			});
+		}
+
+		// complete setting up user's account
+		user = await completeAccount({
+			userId: user._id.toString(),
+			firstName,
+			lastName,
+			publicKey,
+			encryptedPrivateKey,
+			iv,
+			tag,
+			salt,
+			verifier
+		});
+
+		if (!user)
+			throw new Error('Failed to complete account for non-existent user'); // ensure user is non-null
+
+		// initialize default organization and workspace
+		await initializeDefaultOrg({
+			organizationName,
+			user
+		});
+
+		// update organization membership statuses that are
+		// invited to completed with user attached
+		await MembershipOrg.updateMany(
+			{
+				inviteEmail: email,
+				status: INVITED
+			},
+			{
+				user,
+				status: ACCEPTED
+			}
+		);
+
+		// issue tokens
+		const tokens = await issueTokens({
+			userId: user._id.toString()
+		});
+
+		token = tokens.token;
+		refreshToken = tokens.refreshToken;
+
+		// sending a welcome email to new users
+		if (process.env.LOOPS_API_KEY) {
+			await axios.post("https://app.loops.so/api/v1/events/send", {
+				"email": email,
+				"eventName": "Sign Up",
+				"firstName": firstName,
+				"lastName": lastName
+			}, {
+				headers: {
+					"Accept": "application/json",
+					"Authorization": "Bearer " + process.env.LOOPS_API_KEY
+				},
+			});
+		}
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to complete account setup'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Successfully set up account',
+		user,
+		token,
+		refreshToken
+	});
+};
+/**
+ * Complete setting up user by adding their personal and auth information as part of the
+ * invite flow
+ * @param req
+ * @param res
+ * @returns
+ */
+export const completeAccountInvite = async (req: Request, res: Response) => {
+	let user, token, refreshToken;
+	try {
+		const {
+			email,
+			firstName,
+			lastName,
+			publicKey,
+			encryptedPrivateKey,
+			iv,
+			tag,
+			salt,
+			verifier
+		} = req.body;
+
+		// get user
+		user = await User.findOne({ email });
+
+		if (!user || (user && user?.publicKey)) {
+			// case 1: user doesn't exist.
+			// case 2: user has already completed account
+			return res.status(403).send({
+				error: 'Failed to complete account for complete user'
+			});
+		}
+
+		const membershipOrg = await MembershipOrg.findOne({
+			inviteEmail: email,
+			status: INVITED
+		});
+
+		if (!membershipOrg) throw new Error('Failed to find invitations for email');
+
+		// complete setting up user's account
+		user = await completeAccount({
+			userId: user._id.toString(),
+			firstName,
+			lastName,
+			publicKey,
+			encryptedPrivateKey,
+			iv,
+			tag,
+			salt,
+			verifier
+		});
+
+		if (!user)
+			throw new Error('Failed to complete account for non-existent user');
+
+		// update organization membership statuses that are
+		// invited to completed with user attached
+		await MembershipOrg.updateMany(
+			{
+				inviteEmail: email,
+				status: INVITED
+			},
+			{
+				user,
+				status: ACCEPTED
+			}
+		);
+
+		// issue tokens
+		const tokens = await issueTokens({
+			userId: user._id.toString()
+		});
+
+		token = tokens.token;
+		refreshToken = tokens.refreshToken;
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to complete account setup'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Successfully set up account',
+		user,
+		token,
+		refreshToken
+	});
+};
--- a/backend/src/controllers/v1/stripeController.ts
+++ b/backend/src/controllers/v1/stripeController.ts
@ -1,7 +1,10 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
 import Stripe from 'stripe';
-import { getStripeSecretKey, getStripeWebhookSecret } from '../../config';
+import { STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET } from '../../config';
+const stripe = new Stripe(STRIPE_SECRET_KEY, {
+	apiVersion: '2022-08-01'
+});

 /**
 * Handle service provisioning/un-provisioning via Stripe
@ -13,15 +16,11 @@ export const handleWebhook = async (req: Request, res: Response) => {
 	let event;
 	try {
 		// check request for valid stripe signature
-		const stripe = new Stripe(getStripeSecretKey(), {
-			apiVersion: '2022-08-01'
-		});
-
 		const sig = req.headers['stripe-signature'] as string;
 		event = stripe.webhooks.constructEvent(
 			req.body,
 			sig,
-			getStripeWebhookSecret()
+			STRIPE_WEBHOOK_SECRET // ?
 		);
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });
--- a/backend/src/controllers/v1/workspaceController.ts
+++ b/backend/src/controllers/v1/workspaceController.ts
@ -1,21 +1,21 @@
-import { Request, Response } from "express";
-import * as Sentry from "@sentry/node";
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
 import {
-  Workspace,
-  Membership,
-  MembershipOrg,
-  Integration,
-  IntegrationAuth,
-  IUser,
-  ServiceToken,
-  ServiceTokenData,
-} from "../../models";
+	Workspace,
+	Membership,
+	MembershipOrg,
+	Integration,
+	IntegrationAuth,
+	IUser,
+	ServiceToken,
+	ServiceTokenData
+} from '../../models';
 import {
-  createWorkspace as create,
-  deleteWorkspace as deleteWork,
-} from "../../helpers/workspace";
-import { addMemberships } from "../../helpers/membership";
-import { ADMIN } from "../../variables";
+	createWorkspace as create,
+	deleteWorkspace as deleteWork
+} from '../../helpers/workspace';
+import { addMemberships } from '../../helpers/membership';
+import { ADMIN } from '../../variables';

 /**
 * Return public keys of members of workspace with id [workspaceId]
@ -24,31 +24,32 @@ import { ADMIN } from "../../variables";
 * @returns
 */
 export const getWorkspacePublicKeys = async (req: Request, res: Response) => {
-  let publicKeys;
-  try {
-    const { workspaceId } = req.params;
+	let publicKeys;
+	try {
+		const { workspaceId } = req.params;

-    publicKeys = (
-      await Membership.find({
-        workspace: workspaceId,
-      }).populate<{ user: IUser }>("user", "publicKey")
-    ).map((member) => {
-      return {
-        publicKey: member.user.publicKey,
-        userId: member.user._id,
-      };
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace member public keys",
-    });
-  }
+		publicKeys = (
+			await Membership.find({
+				workspace: workspaceId
+			}).populate<{ user: IUser }>('user', 'publicKey')
+		)
+		.map((member) => {
+			return {
+				publicKey: member.user.publicKey,
+				userId: member.user._id
+			};
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace member public keys'
+		});
+	}

-  return res.status(200).send({
-    publicKeys,
-  });
+	return res.status(200).send({
+		publicKeys
+	});
 };

 /**
@ -58,24 +59,24 @@ export const getWorkspacePublicKeys = async (req: Request, res: Response) => {
 * @returns
 */
 export const getWorkspaceMemberships = async (req: Request, res: Response) => {
-  let users;
-  try {
-    const { workspaceId } = req.params;
+	let users;
+	try {
+		const { workspaceId } = req.params;

-    users = await Membership.find({
-      workspace: workspaceId,
-    }).populate("user", "+publicKey");
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace members",
-    });
-  }
+		users = await Membership.find({
+			workspace: workspaceId
+		}).populate('user', '+publicKey');
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace members'
+		});
+	}

-  return res.status(200).send({
-    users,
-  });
+	return res.status(200).send({
+		users
+	});
 };

 /**
@ -85,24 +86,24 @@ export const getWorkspaceMemberships = async (req: Request, res: Response) => {
 * @returns
 */
 export const getWorkspaces = async (req: Request, res: Response) => {
-  let workspaces;
-  try {
-    workspaces = (
-      await Membership.find({
-        user: req.user._id,
-      }).populate("workspace")
-    ).map((m) => m.workspace);
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspaces",
-    });
-  }
+	let workspaces;
+	try {
+		workspaces = (
+			await Membership.find({
+				user: req.user._id
+			}).populate('workspace')
+		).map((m) => m.workspace);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspaces'
+		});
+	}

-  return res.status(200).send({
-    workspaces,
-  });
+	return res.status(200).send({
+		workspaces
+	});
 };

 /**
@ -112,24 +113,24 @@ export const getWorkspaces = async (req: Request, res: Response) => {
 * @returns
 */
 export const getWorkspace = async (req: Request, res: Response) => {
-  let workspace;
-  try {
-    const { workspaceId } = req.params;
+	let workspace;
+	try {
+		const { workspaceId } = req.params;

-    workspace = await Workspace.findOne({
-      _id: workspaceId,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace",
-    });
-  }
+		workspace = await Workspace.findOne({
+			_id: workspaceId
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace'
+		});
+	}

-  return res.status(200).send({
-    workspace,
-  });
+	return res.status(200).send({
+		workspace
+	});
 };

 /**
@ -140,46 +141,46 @@ export const getWorkspace = async (req: Request, res: Response) => {
 * @returns
 */
 export const createWorkspace = async (req: Request, res: Response) => {
-  let workspace;
-  try {
-    const { workspaceName, organizationId } = req.body;
+	let workspace;
+	try {
+		const { workspaceName, organizationId } = req.body;

-    // validate organization membership
-    const membershipOrg = await MembershipOrg.findOne({
-      user: req.user._id,
-      organization: organizationId,
-    });
+		// validate organization membership
+		const membershipOrg = await MembershipOrg.findOne({
+			user: req.user._id,
+			organization: organizationId
+		});

-    if (!membershipOrg) {
-      throw new Error("Failed to validate organization membership");
-    }
+		if (!membershipOrg) {
+			throw new Error('Failed to validate organization membership');
+		}

-    if (workspaceName.length < 1) {
-      throw new Error("Workspace names must be at least 1-character long");
-    }
+		if (workspaceName.length < 1) {
+			throw new Error('Workspace names must be at least 1-character long');
+		}

-    // create workspace and add user as member
-    workspace = await create({
-      name: workspaceName,
-      organizationId,
-    });
+		// create workspace and add user as member
+		workspace = await create({
+			name: workspaceName,
+			organizationId
+		});

-    await addMemberships({
-      userIds: [req.user._id],
-      workspaceId: workspace._id.toString(),
-      roles: [ADMIN],
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to create workspace",
-    });
-  }
+		await addMemberships({
+			userIds: [req.user._id],
+			workspaceId: workspace._id.toString(),
+			roles: [ADMIN]
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to create workspace'
+		});
+	}

-  return res.status(200).send({
-    workspace,
-  });
+	return res.status(200).send({
+		workspace
+	});
 };

 /**
@ -189,24 +190,24 @@ export const createWorkspace = async (req: Request, res: Response) => {
 * @returns
 */
 export const deleteWorkspace = async (req: Request, res: Response) => {
-  try {
-    const { workspaceId } = req.params;
+	try {
+		const { workspaceId } = req.params;

-    // delete workspace
-    await deleteWork({
-      id: workspaceId,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to delete workspace",
-    });
-  }
+		// delete workspace
+		await deleteWork({
+			id: workspaceId
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to delete workspace'
+		});
+	}

-  return res.status(200).send({
-    message: "Successfully deleted workspace",
-  });
+	return res.status(200).send({
+		message: 'Successfully deleted workspace'
+	});
 };

 /**
@ -216,34 +217,34 @@ export const deleteWorkspace = async (req: Request, res: Response) => {
 * @returns
 */
 export const changeWorkspaceName = async (req: Request, res: Response) => {
-  let workspace;
-  try {
-    const { workspaceId } = req.params;
-    const { name } = req.body;
+	let workspace;
+	try {
+		const { workspaceId } = req.params;
+		const { name } = req.body;

-    workspace = await Workspace.findOneAndUpdate(
-      {
-        _id: workspaceId,
-      },
-      {
-        name,
-      },
-      {
-        new: true,
-      }
-    );
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to change workspace name",
-    });
-  }
+		workspace = await Workspace.findOneAndUpdate(
+			{
+				_id: workspaceId
+			},
+			{
+				name
+			},
+			{
+				new: true
+			}
+		);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to change workspace name'
+		});
+	}

-  return res.status(200).send({
-    message: "Successfully changed workspace name",
-    workspace,
-  });
+	return res.status(200).send({
+		message: 'Successfully changed workspace name',
+		workspace
+	});
 };

 /**
@ -253,24 +254,24 @@ export const changeWorkspaceName = async (req: Request, res: Response) => {
 * @returns
 */
 export const getWorkspaceIntegrations = async (req: Request, res: Response) => {
-  let integrations;
-  try {
-    const { workspaceId } = req.params;
+	let integrations;
+	try {
+		const { workspaceId } = req.params;

-    integrations = await Integration.find({
-      workspace: workspaceId,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace integrations",
-    });
-  }
+		integrations = await Integration.find({
+			workspace: workspaceId
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace integrations'
+		});
+	}

-  return res.status(200).send({
-    integrations,
-  });
+	return res.status(200).send({
+		integrations
+	});
 };

 /**
@ -280,56 +281,56 @@ export const getWorkspaceIntegrations = async (req: Request, res: Response) => {
 * @returns
 */
 export const getWorkspaceIntegrationAuthorizations = async (
-  req: Request,
-  res: Response
+	req: Request,
+	res: Response
 ) => {
-  let authorizations;
-  try {
-    const { workspaceId } = req.params;
+	let authorizations;
+	try {
+		const { workspaceId } = req.params;

-    authorizations = await IntegrationAuth.find({
-      workspace: workspaceId,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace integration authorizations",
-    });
-  }
+		authorizations = await IntegrationAuth.find({
+			workspace: workspaceId
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace integration authorizations'
+		});
+	}

-  return res.status(200).send({
-    authorizations,
-  });
+	return res.status(200).send({
+		authorizations
+	});
 };

 /**
 * Return service service tokens for workspace [workspaceId] belonging to user
- * @param req
- * @param res
- * @returns
+ * @param req 
+ * @param res 
+ * @returns 
 */
 export const getWorkspaceServiceTokens = async (
-  req: Request,
-  res: Response
+	req: Request,
+	res: Response
 ) => {
-  let serviceTokens;
-  try {
-    const { workspaceId } = req.params;
-    // ?? FIX.
-    serviceTokens = await ServiceToken.find({
-      user: req.user._id,
-      workspace: workspaceId,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace service tokens",
-    });
-  }
-
-  return res.status(200).send({
-    serviceTokens,
-  });
-};
+	let serviceTokens;
+	try {
+		const { workspaceId } = req.params;
+		// ?? FIX.
+		serviceTokens = await ServiceToken.find({
+			user: req.user._id,
+			workspace: workspaceId
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace service tokens'
+		});
+	}
+	
+	return res.status(200).send({
+		serviceTokens
+	});
+}
--- a/backend/src/controllers/v2/apiKeyDataController.ts
+++ b/backend/src/controllers/v2/apiKeyDataController.ts
@ -1,11 +1,13 @@
-import * as Sentry from '@sentry/node';
 import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
 import crypto from 'crypto';
 import bcrypt from 'bcrypt';
 import {
    APIKeyData
 } from '../../models';
-import { getSaltRounds } from '../../config';
+import {
+    SALT_ROUNDS
+} from '../../config';

 /**
 * Return API key data for user with id [req.user_id]
@ -43,14 +45,13 @@ export const createAPIKeyData = async (req: Request, res: Response) => {
        const { name, expiresIn } = req.body;
        
        const secret = crypto.randomBytes(16).toString('hex');
-        const secretHash = await bcrypt.hash(secret, getSaltRounds());
+        const secretHash = await bcrypt.hash(secret, SALT_ROUNDS);
        
 		const expiresAt = new Date();
 		expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
        
        apiKeyData = await new APIKeyData({
            name,
-            lastUsed: new Date(),
            expiresAt,
            user: req.user._id,
            secretHash
--- a/backend/src/controllers/v2/authController.ts
+++ b/backend/src/controllers/v2/authController.ts
@ -1,360 +0,0 @@
-/* eslint-disable @typescript-eslint/no-var-requires */
-import { Request, Response } from 'express';
-import jwt from 'jsonwebtoken';
-import * as Sentry from '@sentry/node';
-import * as bigintConversion from 'bigint-conversion';
-const jsrp = require('jsrp');
-import { User, LoginSRPDetail } from '../../models';
-import { issueAuthTokens, createToken } from '../../helpers/auth';
-import { checkUserDevice } from '../../helpers/user';
-import { sendMail } from '../../helpers/nodemailer';
-import { TokenService } from '../../services';
-import { EELogService } from '../../ee/services';
-import { BadRequestError, InternalServerError } from '../../utils/errors';
-import {
-  TOKEN_EMAIL_MFA,
-  ACTION_LOGIN
-} from '../../variables';
-import { getChannelFromUserAgent } from '../../utils/posthog'; // TODO: move this
-import {
-  getJwtMfaLifetime,
-  getJwtMfaSecret,
-  getHttpsEnabled
-} from '../../config';
-
-declare module 'jsonwebtoken' {
-  export interface UserIDJwtPayload extends jwt.JwtPayload {
-    userId: string;
-  }
-}
-
-/**
- * Log in user step 1: Return [salt] and [serverPublicKey] as part of step 1 of SRP protocol
- * @param req
- * @param res
- * @returns
- */
-export const login1 = async (req: Request, res: Response) => {
-  try {
-    const {
-      email,
-      clientPublicKey
-    }: { email: string; clientPublicKey: string } = req.body;
-
-    const user = await User.findOne({
-      email
-    }).select('+salt +verifier');
-
-    if (!user) throw new Error('Failed to find user');
-
-    const server = new jsrp.server();
-    server.init(
-      {
-        salt: user.salt,
-        verifier: user.verifier
-      },
-      async () => {
-        // generate server-side public key
-        const serverPublicKey = server.getPublicKey();
-
-        await LoginSRPDetail.findOneAndReplace({ email: email }, {
-          email: email,
-          clientPublicKey: clientPublicKey,
-          serverBInt: bigintConversion.bigintToBuf(server.bInt),
-        }, { upsert: true, returnNewDocument: false });
-
-        return res.status(200).send({
-          serverPublicKey,
-          salt: user.salt
-        });
-      }
-    );
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to start authentication process'
-    });
-  }
-};
-
-/**
- * Log in user step 2: complete step 2 of SRP protocol and return token and their (encrypted)
- * private key
- * @param req
- * @param res
- * @returns
- */
-export const login2 = async (req: Request, res: Response) => {
-  try {
-
-    if (!req.headers['user-agent']) throw InternalServerError({ message: 'User-Agent header is required' });
-
-    const { email, clientProof } = req.body;
-    const user = await User.findOne({
-      email
-    }).select('+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag');
-
-    if (!user) throw new Error('Failed to find user');
-
-    const loginSRPDetail = await LoginSRPDetail.findOneAndDelete({ email: email })
-
-    if (!loginSRPDetail) {
-      return BadRequestError(Error("Failed to find login details for SRP"))
-    }
-
-    const server = new jsrp.server();
-    server.init(
-      {
-        salt: user.salt,
-        verifier: user.verifier,
-        b: loginSRPDetail.serverBInt
-      },
-      async () => {
-        server.setClientPublicKey(loginSRPDetail.clientPublicKey);
-
-        // compare server and client shared keys
-        if (server.checkClientProof(clientProof)) {
-
-          if (user.isMfaEnabled) {
-            // case: user has MFA enabled
-
-            // generate temporary MFA token
-            const token = createToken({
-              payload: {
-                userId: user._id.toString()
-              },
-              expiresIn: getJwtMfaLifetime(),
-              secret: getJwtMfaSecret()
-            });
-
-            const code = await TokenService.createToken({
-              type: TOKEN_EMAIL_MFA,
-              email
-            });
-
-            // send MFA code [code] to [email]
-            await sendMail({
-              template: 'emailMfa.handlebars',
-              subjectLine: 'Infisical MFA code',
-              recipients: [email],
-              substitutions: {
-                code
-              }
-            });
-
-            return res.status(200).send({
-              mfaEnabled: true,
-              token
-            });
-          }
-
-          await checkUserDevice({
-            user,
-            ip: req.ip,
-            userAgent: req.headers['user-agent'] ?? ''
-          });
-
-          // issue tokens
-          const tokens = await issueAuthTokens({ userId: user._id.toString() });
-
-          // store (refresh) token in httpOnly cookie
-          res.cookie('jid', tokens.refreshToken, {
-            httpOnly: true,
-            path: '/',
-            sameSite: 'strict',
-            secure: getHttpsEnabled()
-          });
-
-          // case: user does not have MFA enablgged
-          // return (access) token in response
-
-          interface ResponseData {
-            mfaEnabled: boolean;
-            encryptionVersion: any;
-            protectedKey?: string;
-            protectedKeyIV?: string;
-            protectedKeyTag?: string;
-            token: string;
-            publicKey?: string;
-            encryptedPrivateKey?: string;
-            iv?: string;
-            tag?: string;
-          }
-
-          const response: ResponseData = {
-            mfaEnabled: false,
-            encryptionVersion: user.encryptionVersion,
-            token: tokens.token,
-            publicKey: user.publicKey,
-            encryptedPrivateKey: user.encryptedPrivateKey,
-            iv: user.iv,
-            tag: user.tag
-          }
-
-          if (
-            user?.protectedKey &&
-            user?.protectedKeyIV &&
-            user?.protectedKeyTag
-          ) {
-            response.protectedKey = user.protectedKey;
-            response.protectedKeyIV = user.protectedKeyIV
-            response.protectedKeyTag = user.protectedKeyTag;
-          }
-
-          const loginAction = await EELogService.createAction({
-            name: ACTION_LOGIN,
-            userId: user._id
-          });
-
-          loginAction && await EELogService.createLog({
-            userId: user._id,
-            actions: [loginAction],
-            channel: getChannelFromUserAgent(req.headers['user-agent']),
-            ipAddress: req.ip
-          });
-
-          return res.status(200).send(response);
-        }
-
-        return res.status(400).send({
-          message: 'Failed to authenticate. Try again?'
-        });
-      }
-    );
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to authenticate. Try again?'
-    });
-  }
-};
-
-/**
- * Send MFA token to email [email]
- * @param req 
- * @param res 
- */
-export const sendMfaToken = async (req: Request, res: Response) => {
-  try {
-    const { email } = req.body;
-
-    const code = await TokenService.createToken({
-      type: TOKEN_EMAIL_MFA,
-      email
-    });
-
-    // send MFA code [code] to [email]
-    await sendMail({
-      template: 'emailMfa.handlebars',
-      subjectLine: 'Infisical MFA code',
-      recipients: [email],
-      substitutions: {
-        code
-      }
-    });
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to send MFA code'
-    });
-  }
-
-  return res.status(200).send({
-    message: 'Successfully sent new MFA code'
-  });
-}
-
-/**
- * Verify MFA token [mfaToken] and issue JWT and refresh tokens if the
- * MFA token [mfaToken] is valid
- * @param req 
- * @param res 
- */
-export const verifyMfaToken = async (req: Request, res: Response) => {
-  const { email, mfaToken } = req.body;
-
-  await TokenService.validateToken({
-    type: TOKEN_EMAIL_MFA,
-    email,
-    token: mfaToken
-  });
-
-  const user = await User.findOne({
-    email
-  }).select('+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag');
-
-  if (!user) throw new Error('Failed to find user');
-
-  await checkUserDevice({
-    user,
-    ip: req.ip,
-    userAgent: req.headers['user-agent'] ?? ''
-  });
-
-  // issue tokens
-  const tokens = await issueAuthTokens({ userId: user._id.toString() });
-
-  // store (refresh) token in httpOnly cookie
-  res.cookie('jid', tokens.refreshToken, {
-    httpOnly: true,
-    path: '/',
-    sameSite: 'strict',
-    secure: getHttpsEnabled()
-  });
-
-  interface VerifyMfaTokenRes {
-    encryptionVersion: number;
-    protectedKey?: string;
-    protectedKeyIV?: string;
-    protectedKeyTag?: string;
-    token: string;
-    publicKey: string;
-    encryptedPrivateKey: string;
-    iv: string;
-    tag: string;
-  }
-
-  interface VerifyMfaTokenRes {
-    encryptionVersion: number;
-    protectedKey?: string;
-    protectedKeyIV?: string;
-    protectedKeyTag?: string;
-    token: string;
-    publicKey: string;
-    encryptedPrivateKey: string;
-    iv: string;
-    tag: string;
-  }
-
-  const resObj: VerifyMfaTokenRes = {
-    encryptionVersion: user.encryptionVersion,
-    token: tokens.token,
-    publicKey: user.publicKey as string,
-    encryptedPrivateKey: user.encryptedPrivateKey as string,
-    iv: user.iv as string,
-    tag: user.tag as string
-  }
-
-  if (user?.protectedKey && user?.protectedKeyIV && user?.protectedKeyTag) {
-    resObj.protectedKey = user.protectedKey;
-    resObj.protectedKeyIV = user.protectedKeyIV;
-    resObj.protectedKeyTag = user.protectedKeyTag;
-  }
-
-  const loginAction = await EELogService.createAction({
-    name: ACTION_LOGIN,
-    userId: user._id
-  });
-
-  loginAction && await EELogService.createLog({
-    userId: user._id,
-    actions: [loginAction],
-    channel: getChannelFromUserAgent(req.headers['user-agent']),
-    ipAddress: req.ip
-  });
-
-  return res.status(200).send(resObj);
-}
--- a/backend/src/controllers/v2/environmentController.ts
+++ b/backend/src/controllers/v2/environmentController.ts
@ -11,7 +11,7 @@ import {
 import { SecretVersion } from '../../ee/models';
 import { BadRequestError } from '../../utils/errors';
 import _ from 'lodash';
-import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from '../../variables';
+import { ABILITY_READ } from '../../variables/organization';

 /**
 * Create new workspace environment named [environmentName] under workspace with id
@ -236,7 +236,7 @@ export const getAllAccessibleEnvironmentsOfWorkspace = async (
    throw BadRequestError()
  }

-  const accessibleEnvironments: any = []
+  const accessibleEnvironments: { name: string; slug: string; }[] = []
  const deniedPermission = workspacesUserIsMemberOf.deniedPermissions

  const relatedWorkspace = await Workspace.findById(workspaceId)
@ -244,17 +244,12 @@ export const getAllAccessibleEnvironmentsOfWorkspace = async (
    throw BadRequestError()
  }
  relatedWorkspace.environments.forEach(environment => {
-    const isReadBlocked = _.some(deniedPermission, { environmentSlug: environment.slug, ability: PERMISSION_READ_SECRETS })
-    const isWriteBlocked = _.some(deniedPermission, { environmentSlug: environment.slug, ability: PERMISSION_WRITE_SECRETS })
-    if (isReadBlocked && isWriteBlocked) {
+    const isReadBlocked = _.some(deniedPermission, { environmentSlug: environment.slug, ability: ABILITY_READ })
+    // const isWriteBlocked = _.some(deniedPermission, { environmentSlug: environment.slug, ability: ABILITY_WRITE })
+    if (isReadBlocked) {
      return
    } else {
-      accessibleEnvironments.push({
-        name: environment.name,
-        slug: environment.slug,
-        isWriteDenied: isWriteBlocked,
-        isReadDenied: isReadBlocked
-      })
+      accessibleEnvironments.push(environment)
    }
  })

--- a/backend/src/controllers/v2/index.ts
+++ b/backend/src/controllers/v2/index.ts
@ -1,5 +1,3 @@
-import * as authController from './authController';
-import * as signupController from './signupController';
 import * as usersController from './usersController';
 import * as organizationsController from './organizationsController';
 import * as workspaceController from './workspaceController';
@ -7,13 +5,9 @@ import * as serviceTokenDataController from './serviceTokenDataController';
 import * as apiKeyDataController from './apiKeyDataController';
 import * as secretController from './secretController';
 import * as secretsController from './secretsController';
-import * as serviceAccountsController from './serviceAccountsController';
 import * as environmentController from './environmentController';
-import * as tagController from './tagController';

 export {
-    authController,
-    signupController,
    usersController,
    organizationsController,
    workspaceController,
@ -21,7 +15,5 @@ export {
    apiKeyDataController,
    secretController,
    secretsController,
-    serviceAccountsController,
-    environmentController,
-    tagController
+    environmentController
 }
--- a/backend/src/controllers/v2/organizationsController.ts
+++ b/backend/src/controllers/v2/organizationsController.ts
@ -1,11 +1,9 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
 import { 
    MembershipOrg,
    Membership,
-    Workspace,
-    ServiceAccount
+    Workspace
 } from '../../models';
 import { deleteMembershipOrg } from '../../helpers/membershipOrg';
 import { updateSubscriptionOrgQuantity } from '../../helpers/organization';
@ -262,45 +260,37 @@ export const getOrganizationWorkspaces = async (req: Request, res: Response) =>
        }
    }   
    */
-    const { organizationId } = req.params;
+    let workspaces;
+    try {
+        const { organizationId } = req.params;

-    const workspacesSet = new Set(
-        (
-            await Workspace.find(
-                {
-                    organization: organizationId
-                },
-                '_id'
-            )
-        ).map((w) => w._id.toString())
-    );
+		const workspacesSet = new Set(
+			(
+				await Workspace.find(
+					{
+						organization: organizationId
+					},
+					'_id'
+				)
+			).map((w) => w._id.toString())
+		);

-    const workspaces = (
-        await Membership.find({
-            user: req.user._id
-        }).populate('workspace')
-    )
-    .filter((m) => workspacesSet.has(m.workspace._id.toString()))
-    .map((m) => m.workspace);
-
-return res.status(200).send({
-        workspaces
-    });
-}
-
-/**
- * Return service accounts for organization with id [organizationId]
- * @param req 
- * @param res 
- */
-export const getOrganizationServiceAccounts = async (req: Request, res: Response) => {
-    const { organizationId } = req.params;
-    
-    const serviceAccounts = await ServiceAccount.find({
-        organization: new Types.ObjectId(organizationId)
-    });
+		workspaces = (
+			await Membership.find({
+				user: req.user._id
+			}).populate('workspace')
+		)
+			.filter((m) => workspacesSet.has(m.workspace._id.toString()))
+			.map((m) => m.workspace);
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get organization workspaces'
+		});	
+    }
    
    return res.status(200).send({
-        serviceAccounts
+        workspaces
    });
 }
--- a/backend/src/controllers/v2/secretController.ts
+++ b/backend/src/controllers/v2/secretController.ts
@ -7,7 +7,7 @@ const { ValidationError } = mongoose.Error;
 import { BadRequestError, InternalServerError, UnauthorizedRequestError, ValidationError as RouteValidationError } from '../../utils/errors';
 import { AnyBulkWriteOperation } from 'mongodb';
 import { SECRET_PERSONAL, SECRET_SHARED } from "../../variables";
-import { TelemetryService } from '../../services';
+import { postHogClient } from '../../services';

 /**
 * Create secret for workspace with id [workspaceId] and environment [environment]
@ -15,7 +15,6 @@ import { TelemetryService } from '../../services';
 * @param res 
 */
 export const createSecret = async (req: Request, res: Response) => {
-  const postHogClient = TelemetryService.getPostHogClient();
  const secretToCreate: CreateSecretRequestBody = req.body.secret;
  const { workspaceId, environment } = req.params
  const sanitizedSecret: SanitizedSecretForCreate = {
@ -68,7 +67,6 @@ export const createSecret = async (req: Request, res: Response) => {
 * @param res 
 */
 export const createSecrets = async (req: Request, res: Response) => {
-  const postHogClient = TelemetryService.getPostHogClient();
  const secretsToCreate: CreateSecretRequestBody[] = req.body.secrets;
  const { workspaceId, environment } = req.params
  const sanitizedSecretesToCreate: SanitizedSecretForCreate[] = []
@ -130,7 +128,6 @@ export const createSecrets = async (req: Request, res: Response) => {
 * @param res 
 */
 export const deleteSecrets = async (req: Request, res: Response) => {
-  const postHogClient = TelemetryService.getPostHogClient();
  const { workspaceId, environmentName } = req.params
  const secretIdsToDelete: string[] = req.body.secretIds

@ -184,7 +181,6 @@ export const deleteSecrets = async (req: Request, res: Response) => {
 * @param res
 */
 export const deleteSecret = async (req: Request, res: Response) => {
-  const postHogClient = TelemetryService.getPostHogClient();
  await Secret.findByIdAndDelete(req._secret._id)

  if (postHogClient) {
@ -213,7 +209,6 @@ export const deleteSecret = async (req: Request, res: Response) => {
 * @returns 
 */
 export const updateSecrets = async (req: Request, res: Response) => {
-  const postHogClient = TelemetryService.getPostHogClient();
  const { workspaceId, environmentName } = req.params
  const secretsModificationsRequested: ModifySecretRequestBody[] = req.body.secrets;
  const [secretIdsUserCanModifyError, secretIdsUserCanModify] = await to(Secret.find({ workspace: workspaceId, environment: environmentName }, { _id: 1 }).then())
@ -281,7 +276,6 @@ export const updateSecrets = async (req: Request, res: Response) => {
 * @returns 
 */
 export const updateSecret = async (req: Request, res: Response) => {
-  const postHogClient = TelemetryService.getPostHogClient();
  const { workspaceId, environmentName } = req.params
  const secretModificationsRequested: ModifySecretRequestBody = req.body.secret;

@ -335,7 +329,6 @@ export const updateSecret = async (req: Request, res: Response) => {
 * @returns 
 */
 export const getSecrets = async (req: Request, res: Response) => {
-  const postHogClient = TelemetryService.getPostHogClient();
  const { environment } = req.query;
  const { workspaceId } = req.params;

--- a/backend/src/controllers/v2/secretsController.ts
+++ b/backend/src/controllers/v2/secretsController.ts
@ -1,8 +1,7 @@
 import to from 'await-to-js';
 import { Types } from 'mongoose';
 import { Request, Response } from 'express';
-import { ISecret, Secret } from '../../models';
-import { IAction } from '../../ee/models';
+import { ISecret, Membership, Secret, Workspace } from '../../models';
 import {
    SECRET_PERSONAL,
    SECRET_SHARED,
@ -15,263 +14,10 @@ import { UnauthorizedRequestError, ValidationError } from '../../utils/errors';
 import { EventService } from '../../services';
 import { eventPushSecrets } from '../../events';
 import { EESecretService, EELogService } from '../../ee/services';
-import { TelemetryService } from '../../services';
+import { postHogClient } from '../../services';
 import { getChannelFromUserAgent } from '../../utils/posthog';
-import { PERMISSION_WRITE_SECRETS } from '../../variables';
-import { userHasNoAbility, userHasWorkspaceAccess, userHasWriteOnlyAbility } from '../../ee/helpers/checkMembershipPermissions';
-import Tag from '../../models/tag';
-import _, { eq } from 'lodash';
-import {
-    BatchSecretRequest,
-    BatchSecret
-} from '../../types/secret';
-
-/**
- * Peform a batch of any specified CUD secret operations
- * (used by dashboard)
- * @param req 
- * @param res 
- */
-export const batchSecrets = async (req: Request, res: Response) => {
-    const channel = getChannelFromUserAgent(req.headers['user-agent']);
-    const postHogClient = TelemetryService.getPostHogClient();
-
-    const {
-        workspaceId,
-        environment,
-        requests
-    }: {
-        workspaceId: string;
-        environment: string;
-        requests: BatchSecretRequest[];
-    } = req.body;
-
-    const createSecrets: BatchSecret[] = [];
-    const updateSecrets: BatchSecret[] = [];
-    const deleteSecrets: Types.ObjectId[] = [];
-    const actions: IAction[] = [];
-
-    requests.forEach((request) => {
-        switch (request.method) {
-            case 'POST':
-                createSecrets.push({
-                    ...request.secret,
-                    version: 1,
-                    user: request.secret.type === SECRET_PERSONAL ? req.user : undefined,
-                    environment,
-                    workspace: new Types.ObjectId(workspaceId)
-                });
-                break;
-            case 'PATCH':
-                updateSecrets.push({
-                    ...request.secret,
-                    _id: new Types.ObjectId(request.secret._id)
-                });
-                break;
-            case 'DELETE':
-                deleteSecrets.push(new Types.ObjectId(request.secret._id));
-                break;
-        }
-    });
-
-    // handle create secrets
-    let createdSecrets: ISecret[] = [];
-    if (createSecrets.length > 0) {
-        createdSecrets = await Secret.insertMany(createSecrets);
-        // (EE) add secret versions for new secrets
-        await EESecretService.addSecretVersions({
-            secretVersions: createdSecrets.map((n: any) => {
-                return ({
-                    ...n._doc,
-                    _id: new Types.ObjectId(),
-                    secret: n._id,
-                    isDeleted: false
-                });
-            })
-        });
-
-        const addAction = await EELogService.createAction({
-            name: ACTION_ADD_SECRETS,
-            userId: req.user?._id,
-            serviceAccountId: req.serviceAccount?._id,
-            serviceTokenDataId: req.serviceTokenData?._id,
-            workspaceId: new Types.ObjectId(workspaceId),
-            secretIds: createdSecrets.map((n) => n._id)
-        }) as IAction;
-        actions.push(addAction);
-
-        if (postHogClient) {
-            postHogClient.capture({
-                event: 'secrets added',
-                distinctId: req.user.email,
-                properties: {
-                    numberOfSecrets: createdSecrets.length,
-                    environment,
-                    workspaceId,
-                    channel,
-                    userAgent: req.headers?.['user-agent']
-                }
-            });
-        }
-    }
-
-    // handle update secrets
-    let updatedSecrets: ISecret[] = [];
-    if (updateSecrets.length > 0 && req.secrets) {
-        // construct object containing all secrets
-        let listedSecretsObj: {
-            [key: string]: {
-                version: number;
-                type: string;
-            }
-        } = {};
-
-        listedSecretsObj = req.secrets.reduce((obj: any, secret: ISecret) => ({
-            ...obj,
-            [secret._id.toString()]: secret
-        }), {});
-
-        const updateOperations = updateSecrets.map((u) => ({
-            updateOne: {
-                filter: { _id: new Types.ObjectId(u._id) },
-                update: {
-                    $inc: {
-                        version: 1
-                    },
-                    ...u,
-                    _id: new Types.ObjectId(u._id)
-                }
-            }
-        }));
-
-        await Secret.bulkWrite(updateOperations);
-
-        const secretVersions = updateSecrets.map((u) => ({
-            secret: new Types.ObjectId(u._id),
-            version: listedSecretsObj[u._id.toString()].version,
-            workspace: new Types.ObjectId(workspaceId),
-            type: listedSecretsObj[u._id.toString()].type,
-            environment,
-            isDeleted: false,
-            secretKeyCiphertext: u.secretKeyCiphertext,
-            secretKeyIV: u.secretKeyIV,
-            secretKeyTag: u.secretKeyTag,
-            secretValueCiphertext: u.secretValueCiphertext,
-            secretValueIV: u.secretValueIV,
-            secretValueTag: u.secretValueTag,
-            secretCommentCiphertext: u.secretCommentCiphertext,
-            secretCommentIV: u.secretCommentIV,
-            secretCommentTag: u.secretCommentTag,
-            tags: u.tags
-        }));
-
-        await EESecretService.addSecretVersions({
-            secretVersions
-        });
-
-        updatedSecrets = await Secret.find({
-            _id: {
-                $in: updateSecrets.map((u) => new Types.ObjectId(u._id))
-            }
-        });
-
-        const updateAction = await EELogService.createAction({
-            name: ACTION_UPDATE_SECRETS,
-            userId: req.user._id,
-            workspaceId: new Types.ObjectId(workspaceId),
-            secretIds: updatedSecrets.map((u) => u._id)
-        }) as IAction;
-        actions.push(updateAction);
-
-        if (postHogClient) {
-            postHogClient.capture({
-                event: 'secrets modified',
-                distinctId: req.user.email,
-                properties: {
-                    numberOfSecrets: updateSecrets.length,
-                    environment,
-                    workspaceId,
-                    channel,
-                    userAgent: req.headers?.['user-agent']
-                }
-            });
-        }
-    }
-
-    // handle delete secrets
-    if (deleteSecrets.length > 0) {
-        await Secret.deleteMany({
-            _id: {
-                $in: deleteSecrets
-            }
-        });
-
-        await EESecretService.markDeletedSecretVersions({
-            secretIds: deleteSecrets
-        });
-
-        const deleteAction = await EELogService.createAction({
-            name: ACTION_DELETE_SECRETS,
-            userId: req.user._id,
-            workspaceId: new Types.ObjectId(workspaceId),
-            secretIds: deleteSecrets
-        }) as IAction;
-        actions.push(deleteAction);
-
-        if (postHogClient) {
-            postHogClient.capture({
-                event: 'secrets deleted',
-                distinctId: req.user.email,
-                properties: {
-                    numberOfSecrets: deleteSecrets.length,
-                    environment,
-                    workspaceId,
-                    channel: channel,
-                    userAgent: req.headers?.['user-agent']
-                }
-            });
-        }
-    }
-
-    if (actions.length > 0) {
-        // (EE) create (audit) log
-        await EELogService.createLog({
-            userId: req.user._id.toString(),
-            workspaceId: new Types.ObjectId(workspaceId),
-            actions,
-            channel,
-            ipAddress: req.ip
-        });
-    }
-
-    // // trigger event - push secrets
-    await EventService.handleEvent({
-        event: eventPushSecrets({
-            workspaceId
-        })
-    });
-
-    // (EE) take a secret snapshot
-    await EESecretService.takeSecretSnapshot({
-        workspaceId
-    });
-
-    const resObj: { [key: string]: ISecret[] | string[] } = {}
-
-    if (createSecrets.length > 0) {
-        resObj['createdSecrets'] = createdSecrets;
-    }
-
-    if (updateSecrets.length > 0) {
-        resObj['updatedSecrets'] = updatedSecrets;
-    }
-
-    if (deleteSecrets.length > 0) {
-        resObj['deletedSecrets'] = deleteSecrets.map((d) => d.toString());
-    }
-
-    return res.status(200).send(resObj);
-}
+import { ABILITY_READ, ABILITY_WRITE } from '../../variables/organization';
+import { userHasWorkspaceAccess } from '../../ee/helpers/checkMembershipPermissions';

 /**
 * Create secret(s) for workspace with id [workspaceId] and environment [environment]
@ -333,71 +79,53 @@ export const createSecrets = async (req: Request, res: Response) => {
    */

    const channel = getChannelFromUserAgent(req.headers['user-agent'])
-    const { workspaceId, environment }: { workspaceId: string, environment: string } = req.body;
+    const { workspaceId, environment } = req.body;

-    if (req.user) {
-        const hasAccess = await userHasWorkspaceAccess(req.user, new Types.ObjectId(workspaceId), environment, PERMISSION_WRITE_SECRETS)
-        if (!hasAccess) {
-            throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
-        }
+    const hasAccess = await userHasWorkspaceAccess(req.user, workspaceId, environment, ABILITY_WRITE)
+    if (!hasAccess) {
+        throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
    }

-    let listOfSecretsToCreate;
+    let toAdd;
    if (Array.isArray(req.body.secrets)) {
        // case: create multiple secrets
-        listOfSecretsToCreate = req.body.secrets;
+        toAdd = req.body.secrets;
    } else if (typeof req.body.secrets === 'object') {
        // case: create 1 secret
-        listOfSecretsToCreate = [req.body.secrets];
+        toAdd = [req.body.secrets];
    }

-    type secretsToCreateType = {
-        type: string;
-        secretKeyCiphertext: string;
-        secretKeyIV: string;
-        secretKeyTag: string;
-        secretValueCiphertext: string;
-        secretValueIV: string;
-        secretValueTag: string;
-        secretCommentCiphertext: string;
-        secretCommentIV: string;
-        secretCommentTag: string;
-        tags: string[]
-    }
-
-    const secretsToInsert: ISecret[] = listOfSecretsToCreate.map(({
-        type,
-        secretKeyCiphertext,
-        secretKeyIV,
-        secretKeyTag,
-        secretValueCiphertext,
-        secretValueIV,
-        secretValueTag,
-        secretCommentCiphertext,
-        secretCommentIV,
-        secretCommentTag,
-        tags
-    }: secretsToCreateType) => {
-        return ({
-            version: 1,
-            workspace: new Types.ObjectId(workspaceId),
+    const newSecrets = await Secret.insertMany(
+        toAdd.map(({
            type,
-            user: (req.user && type === SECRET_PERSONAL) ? req.user : undefined,
-            environment,
            secretKeyCiphertext,
            secretKeyIV,
            secretKeyTag,
            secretValueCiphertext,
            secretValueIV,
            secretValueTag,
-            secretCommentCiphertext,
-            secretCommentIV,
-            secretCommentTag,
-            tags
-        });
-    });
-
-    const newlyCreatedSecrets: ISecret[] = (await Secret.insertMany(secretsToInsert)).map((insertedSecret) => insertedSecret.toObject());
+        }: {
+            type: string;
+            secretKeyCiphertext: string;
+            secretKeyIV: string;
+            secretKeyTag: string;
+            secretValueCiphertext: string;
+            secretValueIV: string;
+            secretValueTag: string;
+        }) => ({
+            version: 1,
+            workspace: new Types.ObjectId(workspaceId),
+            type,
+            user: type === SECRET_PERSONAL ? req.user : undefined,
+            environment,
+            secretKeyCiphertext,
+            secretKeyIV,
+            secretKeyTag,
+            secretValueCiphertext,
+            secretValueIV,
+            secretValueTag
+        }))
+    );

    setTimeout(async () => {
        // trigger event - push secrets
@ -410,7 +138,7 @@ export const createSecrets = async (req: Request, res: Response) => {

    // (EE) add secret versions for new secrets
    await EESecretService.addSecretVersions({
-        secretVersions: newlyCreatedSecrets.map(({
+        secretVersions: newSecrets.map(({
            _id,
            version,
            workspace,
@ -420,13 +148,11 @@ export const createSecrets = async (req: Request, res: Response) => {
            secretKeyCiphertext,
            secretKeyIV,
            secretKeyTag,
+            secretKeyHash,
            secretValueCiphertext,
            secretValueIV,
            secretValueTag,
-            secretCommentCiphertext,
-            secretCommentIV,
-            secretCommentTag,
-            tags
+            secretValueHash
        }) => ({
            _id: new Types.ObjectId(),
            secret: _id,
@ -439,31 +165,25 @@ export const createSecrets = async (req: Request, res: Response) => {
            secretKeyCiphertext,
            secretKeyIV,
            secretKeyTag,
+            secretKeyHash,
            secretValueCiphertext,
            secretValueIV,
            secretValueTag,
-            secretCommentCiphertext,
-            secretCommentIV,
-            secretCommentTag,
-            tags
+            secretValueHash
        }))
    });

-    const addAction = await EELogService.createAction({
+    const addAction = await EELogService.createActionSecret({
        name: ACTION_ADD_SECRETS,
-        userId: req.user?._id,
-        serviceAccountId: req.serviceAccount?._id,
-        serviceTokenDataId: req.serviceTokenData?._id,
-        workspaceId: new Types.ObjectId(workspaceId),
-        secretIds: newlyCreatedSecrets.map((n) => n._id)
+        userId: req.user._id.toString(),
+        workspaceId,
+        secretIds: newSecrets.map((n) => n._id)
    });

    // (EE) create (audit) log
    addAction && await EELogService.createLog({
-        userId: req.user?._id,
-        serviceAccountId: req.serviceAccount?._id,
-        serviceTokenDataId: req.serviceTokenData?._id,
-        workspaceId: new Types.ObjectId(workspaceId),
+        userId: req.user._id.toString(),
+        workspaceId,
        actions: [addAction],
        channel,
        ipAddress: req.ip
@ -474,17 +194,12 @@ export const createSecrets = async (req: Request, res: Response) => {
        workspaceId
    });

-    const postHogClient = TelemetryService.getPostHogClient();
    if (postHogClient) {
        postHogClient.capture({
            event: 'secrets added',
-            distinctId: TelemetryService.getDistinctId({
-                user: req.user,
-                serviceAccount: req.serviceAccount,
-                serviceTokenData: req.serviceTokenData
-            }),
+            distinctId: req.user.email,
            properties: {
-                numberOfSecrets: listOfSecretsToCreate.length,
+                numberOfSecrets: toAdd.length,
                environment,
                workspaceId,
                channel: channel,
@ -494,7 +209,7 @@ export const createSecrets = async (req: Request, res: Response) => {
    }

    return res.status(200).send({
-        secrets: newlyCreatedSecrets
+        secrets: newSecrets
    });
 }

@ -545,121 +260,63 @@ export const getSecrets = async (req: Request, res: Response) => {
        }
    }   
    */
+    const { workspaceId, environment } = req.query;

-    const { tagSlugs } = req.query;
-    const workspaceId = req.query.workspaceId as string;
-    const environment = req.query.environment as string;
-
-    // secrets to return 
-    let secrets: ISecret[] = [];
-
-    // query tags table to get all tags ids for the tag names for the given workspace
-    let tagIds = [];
-    const tagNamesList = typeof tagSlugs === 'string' && tagSlugs !== '' ? tagSlugs.split(',') : [];
-    if (tagNamesList != undefined && tagNamesList.length != 0) {
-        const workspaceFromDB = await Tag.find({ workspace: workspaceId });
-        tagIds = _.map(tagNamesList, (tagName) => {
-            const tag = _.find(workspaceFromDB, { slug: tagName });
-            return tag ? tag.id : null;
-        });
+    let userId = "" // used for getting personal secrets for user
+    let userEmail = "" // used for posthog 
+    if (req.user) {
+        userId = req.user._id;
+        userEmail = req.user.email;
    }

-    if (req.user) {
-        // case: client authorization is via JWT
-        const hasWriteOnlyAccess = await userHasWriteOnlyAbility(req.user._id, new Types.ObjectId(workspaceId), environment)
-        const hasNoAccess = await userHasNoAbility(req.user._id, new Types.ObjectId(workspaceId), environment)
-        if (hasNoAccess) {
+    if (req.serviceTokenData) {
+        userId = req.serviceTokenData.user._id
+        userEmail = req.serviceTokenData.user.email;
+    }
+
+    // none service token case as service tokens are already scoped
+    if (!req.serviceTokenData) {
+        const hasAccess = await userHasWorkspaceAccess(userId, workspaceId, environment, ABILITY_READ)
+        if (!hasAccess) {
            throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
        }
+    }

-        const secretQuery: any = {
+    const [err, secrets] = await to(Secret.find(
+        {
            workspace: workspaceId,
            environment,
            $or: [
-                { user: req.user._id }, // personal secrets for this user
-                { user: { $exists: false } } // shared secrets from workspace
-            ]
+                { user: userId },
+                { user: { $exists: false } }
+            ],
+            type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
        }
+    ).then())

-        if (tagIds.length > 0) {
-            secretQuery.tags = { $in: tagIds };
-        }
-
-        if (hasWriteOnlyAccess) {
-            // only return the secret keys and not the values since user does not have right to see values
-            secrets = await Secret.find(secretQuery).select("secretKeyCiphertext secretKeyIV secretKeyTag").populate("tags")
-        } else {
-            secrets = await Secret.find(secretQuery).populate("tags")
-        }
-    }
-
-    // case: client authorization is via service token
-    if (req.serviceTokenData) {
-        const userId = req.serviceTokenData.user._id
-
-        const secretQuery: any = {
-            workspace: workspaceId,
-            environment,
-            $or: [
-                { user: userId }, // personal secrets for this user
-                { user: { $exists: false } } // shared secrets from workspace
-            ]
-        }
-
-        if (tagIds.length > 0) {
-            secretQuery.tags = { $in: tagIds };
-        }
-
-        // TODO check if service token has write only permission 
-
-        secrets = await Secret.find(secretQuery).populate("tags");
-    }
-
-    // case: client authorization is via service account
-    if (req.serviceAccount) {
-        const secretQuery: any = {
-            workspace: workspaceId,
-            environment,
-            user: { $exists: false } // shared secrets only from workspace
-        }
-
-        if (tagIds.length > 0) {
-            secretQuery.tags = { $in: tagIds };
-        }
-
-        secrets = await Secret.find(secretQuery).populate("tags");
-    }
+    if (err) throw ValidationError({ message: 'Failed to get secrets', stack: err.stack });

    const channel = getChannelFromUserAgent(req.headers['user-agent'])

-    const readAction = await EELogService.createAction({
+    const readAction = await EELogService.createActionSecret({
        name: ACTION_READ_SECRETS,
-        userId: req.user?._id,
-        serviceAccountId: req.serviceAccount?._id,
-        serviceTokenDataId: req.serviceTokenData?._id,
-        workspaceId: new Types.ObjectId(workspaceId as string),
+        userId: userId,
+        workspaceId: workspaceId as string,
        secretIds: secrets.map((n: any) => n._id)
    });

    readAction && await EELogService.createLog({
-        userId: req.user?._id,
-        serviceAccountId: req.serviceAccount?._id,
-        serviceTokenDataId: req.serviceTokenData?._id,
-        workspaceId: new Types.ObjectId(workspaceId as string),
+        userId: userId,
+        workspaceId: workspaceId as string,
        actions: [readAction],
        channel,
        ipAddress: req.ip
    });

-    const postHogClient = TelemetryService.getPostHogClient();
    if (postHogClient) {
        postHogClient.capture({
            event: 'secrets pulled',
-            distinctId: TelemetryService.getDistinctId({
-                user: req.user,
-                serviceAccount: req.serviceAccount,
-                serviceTokenData: req.serviceTokenData
-            }),
+            distinctId: userEmail,
            properties: {
                numberOfSecrets: secrets.length,
                environment,
@ -727,6 +384,7 @@ export const updateSecrets = async (req: Request, res: Response) => {
    */
    const channel = req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli';

+    // TODO: move type
    interface PatchSecret {
        id: string;
        secretKeyCiphertext: string;
@ -738,7 +396,6 @@ export const updateSecrets = async (req: Request, res: Response) => {
        secretCommentCiphertext: string;
        secretCommentIV: string;
        secretCommentTag: string;
-        tags: string[]
    }

    const updateOperationsToPerform = req.body.secrets.map((secret: PatchSecret) => {
@ -751,8 +408,7 @@ export const updateSecrets = async (req: Request, res: Response) => {
            secretValueTag,
            secretCommentCiphertext,
            secretCommentIV,
-            secretCommentTag,
-            tags
+            secretCommentTag
        } = secret;

        return ({
@ -768,9 +424,8 @@ export const updateSecrets = async (req: Request, res: Response) => {
                    secretValueCiphertext,
                    secretValueIV,
                    secretValueTag,
-                    tags,
                    ...((
-                        secretCommentCiphertext !== undefined &&
+                        secretCommentCiphertext &&
                        secretCommentIV &&
                        secretCommentTag
                    ) ? {
@ -803,7 +458,6 @@ export const updateSecrets = async (req: Request, res: Response) => {
                secretCommentCiphertext,
                secretCommentIV,
                secretCommentTag,
-                tags
            } = secretModificationsBySecretId[secret._id.toString()]

            return ({
@ -821,7 +475,6 @@ export const updateSecrets = async (req: Request, res: Response) => {
                secretCommentCiphertext: secretCommentCiphertext ? secretCommentCiphertext : secret.secretCommentCiphertext,
                secretCommentIV: secretCommentIV ? secretCommentIV : secret.secretCommentIV,
                secretCommentTag: secretCommentTag ? secretCommentTag : secret.secretCommentTag,
-                tags: tags ? tags : secret.tags
            });
        })
    }
@ -850,21 +503,17 @@ export const updateSecrets = async (req: Request, res: Response) => {
            });
        }, 10000);

-        const updateAction = await EELogService.createAction({
+        const updateAction = await EELogService.createActionSecret({
            name: ACTION_UPDATE_SECRETS,
-            userId: req.user?._id,
-            serviceAccountId: req.serviceAccount?._id,
-            serviceTokenDataId: req.serviceTokenData?._id,
-            workspaceId: new Types.ObjectId(key),
+            userId: req.user._id.toString(),
+            workspaceId: key,
            secretIds: workspaceSecretObj[key].map((secret: ISecret) => secret._id)
        });

        // (EE) create (audit) log
        updateAction && await EELogService.createLog({
-            userId: req.user?._id,
-            serviceAccountId: req.serviceAccount?._id,
-            serviceTokenDataId: req.serviceTokenData?._id,
-            workspaceId: new Types.ObjectId(key),
+            userId: req.user._id.toString(),
+            workspaceId: key,
            actions: [updateAction],
            channel,
            ipAddress: req.ip
@ -875,15 +524,10 @@ export const updateSecrets = async (req: Request, res: Response) => {
            workspaceId: key
        })

-        const postHogClient = TelemetryService.getPostHogClient();
        if (postHogClient) {
            postHogClient.capture({
                event: 'secrets modified',
-                distinctId: TelemetryService.getDistinctId({
-                    user: req.user,
-                    serviceAccount: req.serviceAccount,
-                    serviceTokenData: req.serviceTokenData
-                }),
+                distinctId: req.user.email,
                properties: {
                    numberOfSecrets: workspaceSecretObj[key].length,
                    environment: workspaceSecretObj[key][0].environment,
@ -905,7 +549,7 @@ export const updateSecrets = async (req: Request, res: Response) => {
 }

 /**
- * Delete secret(s)
+ * Delete secret(s) with id [workspaceId] and environment [environment]
 * @param req 
 * @param res 
 */
@ -954,11 +598,6 @@ export const deleteSecrets = async (req: Request, res: Response) => {
        }
    }   
    */
-
-    return res.status(200).send({
-        message: 'delete secrets!!'
-    });
-
    const channel = getChannelFromUserAgent(req.headers['user-agent'])
    const toDelete = req.secrets.map((s: any) => s._id);

@ -990,21 +629,17 @@ export const deleteSecrets = async (req: Request, res: Response) => {
                workspaceId: key
            })
        });
-        const deleteAction = await EELogService.createAction({
+        const deleteAction = await EELogService.createActionSecret({
            name: ACTION_DELETE_SECRETS,
-            userId: req.user?._id,
-            serviceAccountId: req.serviceAccount?._id,
-            serviceTokenDataId: req.serviceTokenData?._id,
-            workspaceId: new Types.ObjectId(key),
+            userId: req.user._id.toString(),
+            workspaceId: key,
            secretIds: workspaceSecretObj[key].map((secret: ISecret) => secret._id)
        });

        // (EE) create (audit) log
        deleteAction && await EELogService.createLog({
-            userId: req.user?._id,
-            serviceAccountId: req.serviceAccount?._id,
-            serviceTokenDataId: req.serviceTokenData?._id,
-            workspaceId: new Types.ObjectId(key),
+            userId: req.user._id.toString(),
+            workspaceId: key,
            actions: [deleteAction],
            channel,
            ipAddress: req.ip
@ -1015,15 +650,10 @@ export const deleteSecrets = async (req: Request, res: Response) => {
            workspaceId: key
        })

-        const postHogClient = TelemetryService.getPostHogClient();
        if (postHogClient) {
            postHogClient.capture({
                event: 'secrets deleted',
-                distinctId: TelemetryService.getDistinctId({
-                    user: req.user,
-                    serviceAccount: req.serviceAccount,
-                    serviceTokenData: req.serviceTokenData
-                }),
+                distinctId: req.user.email,
                properties: {
                    numberOfSecrets: workspaceSecretObj[key].length,
                    environment: workspaceSecretObj[key][0].environment,
--- a/backend/src/controllers/v2/serviceAccountsController.ts
+++ b/backend/src/controllers/v2/serviceAccountsController.ts
@ -1,306 +0,0 @@
-import { Request, Response } from 'express';
-import { Types } from 'mongoose';
-import crypto from 'crypto';
-import bcrypt from 'bcrypt';
-import { 
-    ServiceAccount,
-    ServiceAccountKey,
-    ServiceAccountOrganizationPermission,
-    ServiceAccountWorkspacePermission
-} from '../../models';
-import {
-    CreateServiceAccountDto
-} from '../../interfaces/serviceAccounts/dto';
-import { BadRequestError, ServiceAccountNotFoundError } from '../../utils/errors';
-import { getSaltRounds } from '../../config';
-
-/**
- * Return service account tied to the request (service account) client
- * @param req
- * @param res
- */
-export const getCurrentServiceAccount = async (req: Request, res: Response) => {
-    const serviceAccount = await ServiceAccount.findById(req.serviceAccount._id);
-    
-    if (!serviceAccount) {
-        throw ServiceAccountNotFoundError({ message: 'Failed to find service account' });
-    }
-    
-    return res.status(200).send({
-        serviceAccount
-    });
-}
-
-/**
- * Return service account with id [serviceAccountId]
- * @param req 
- * @param res 
- */
-export const getServiceAccountById = async (req: Request, res: Response) => {
-    const { serviceAccountId } = req.params;
-    
-    const serviceAccount = await ServiceAccount.findById(serviceAccountId);
-    
-    if (!serviceAccount) {
-        throw ServiceAccountNotFoundError({ message: 'Failed to find service account' });
-    }
-    
-    return res.status(200).send({
-        serviceAccount
-    });
-}
-
-/**
- * Create a new service account under organization with id [organizationId]
- * that has access to workspaces [workspaces]
- * @param req 
- * @param res 
- * @returns
- */
-export const createServiceAccount = async (req: Request, res: Response) => {
-    const {
-        name,
-        organizationId,
-        publicKey,
-        expiresIn,
-    }: CreateServiceAccountDto = req.body;
-
-    let expiresAt;
-    if (expiresIn) {
-        expiresAt = new Date();
-        expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
-    }
-
-    const secret = crypto.randomBytes(16).toString('base64');
-    const secretHash = await bcrypt.hash(secret, getSaltRounds());
-    
-    // create service account
-    const serviceAccount = await new ServiceAccount({
-        name,
-        organization: new Types.ObjectId(organizationId),
-        user: req.user,
-        publicKey,
-        lastUsed: new Date(),
-        expiresAt,
-        secretHash
-    }).save();
-    
-    const serviceAccountObj = serviceAccount.toObject();
-    
-    delete serviceAccountObj.secretHash;
-
-    // provision default org-level permission for service account
-    await new ServiceAccountOrganizationPermission({
-        serviceAccount: serviceAccount._id
-    }).save();
-    
-    const secretId = Buffer.from(serviceAccount._id.toString(), 'hex').toString('base64');
-
-    return res.status(200).send({
-        serviceAccountAccessKey: `sa.${secretId}.${secret}`,
-        serviceAccount: serviceAccountObj
-    });
-}
-
-/**
- * Change name of service account with id [serviceAccountId] to [name]
- * @param req 
- * @param res 
- * @returns 
- */
-export const changeServiceAccountName = async (req: Request, res: Response) => {
-    const { serviceAccountId } = req.params;
-    const { name } = req.body;
-    
-    const serviceAccount = await ServiceAccount.findOneAndUpdate(
-        {
-            _id: new Types.ObjectId(serviceAccountId)
-        },
-        {
-            name
-        },
-        {
-            new: true
-        }
-    );
-    
-    return res.status(200).send({
-        serviceAccount
-    });
-}
-
-/**
- * Add a service account key to service account with id [serviceAccountId]
- * for workspace with id [workspaceId]
- * @param req 
- * @param res 
- * @returns 
- */
-export const addServiceAccountKey = async (req: Request, res: Response) => {
-    const {
-        workspaceId,
-        encryptedKey,
-        nonce
-    } = req.body;
-    
-    const serviceAccountKey = await new ServiceAccountKey({
-        encryptedKey,
-        nonce,
-        sender: req.user._id,
-        serviceAccount: req.serviceAccount._d,
-        workspace: new Types.ObjectId(workspaceId)
-    }).save();
-
-    return serviceAccountKey;
-}
-
-/**
- * Return workspace-level permission for service account with id [serviceAccountId]
- * @param req 
- * @param res 
- */
-export const getServiceAccountWorkspacePermissions = async (req: Request, res: Response) => {
-    const serviceAccountWorkspacePermissions = await ServiceAccountWorkspacePermission.find({
-        serviceAccount: req.serviceAccount._id
-    }).populate('workspace');
-    
-    return res.status(200).send({
-        serviceAccountWorkspacePermissions
-    });
-}
-
-/**
- * Add a workspace permission to service account with id [serviceAccountId]
- * @param req 
- * @param res 
- */
-export const addServiceAccountWorkspacePermission = async (req: Request, res: Response) => {
-    const { serviceAccountId } = req.params;
-    const {
-        environment,
-        workspaceId,
-        read = false,
-        write = false,
-        encryptedKey,
-        nonce
-    } = req.body;
-    
-    if (!req.membership.workspace.environments.some((e: { name: string; slug: string }) => e.slug === environment)) {
-        return res.status(400).send({
-            message: 'Failed to validate workspace environment'
-        });
-    }
-    
-    const existingPermission = await ServiceAccountWorkspacePermission.findOne({
-        serviceAccount: new Types.ObjectId(serviceAccountId),
-        workspace: new Types.ObjectId(workspaceId),
-        environment
-    });
-    
-    if (existingPermission) throw BadRequestError({ message: 'Failed to add workspace permission to service account due to already-existing ' });
-
-    const serviceAccountWorkspacePermission = await new ServiceAccountWorkspacePermission({
-        serviceAccount: new Types.ObjectId(serviceAccountId),
-        workspace: new Types.ObjectId(workspaceId),
-        environment,
-        read,
-        write
-    }).save();
-    
-    const existingServiceAccountKey = await ServiceAccountKey.findOne({
-        serviceAccount: new Types.ObjectId(serviceAccountId),
-        workspace: new Types.ObjectId(workspaceId) 
-    });
-    
-    if (!existingServiceAccountKey) {
-        await new ServiceAccountKey({
-            encryptedKey,
-            nonce,
-            sender: req.user._id,
-            serviceAccount: new Types.ObjectId(serviceAccountId),
-            workspace: new Types.ObjectId(workspaceId)
-        }).save();
-    }
-
-    return res.status(200).send({
-        serviceAccountWorkspacePermission
-    });
-}
-
-/**
- * Delete workspace permission from service account with id [serviceAccountId]
- * @param req 
- * @param res 
- */
-export const deleteServiceAccountWorkspacePermission = async (req: Request, res: Response) => {
-    const { serviceAccountWorkspacePermissionId } = req.params;
-    const serviceAccountWorkspacePermission = await ServiceAccountWorkspacePermission.findByIdAndDelete(serviceAccountWorkspacePermissionId);
-
-    if (serviceAccountWorkspacePermission) {
-        const { serviceAccount, workspace } = serviceAccountWorkspacePermission;
-        const count = await ServiceAccountWorkspacePermission.countDocuments({
-            serviceAccount,
-            workspace
-        });
-        
-        if (count === 0) {
-            await ServiceAccountKey.findOneAndDelete({
-                serviceAccount,
-                workspace
-            });
-        }
-    }
-
-    return res.status(200).send({
-        serviceAccountWorkspacePermission
-    });
-}
-
-/**
- * Delete service account with id [serviceAccountId]
- * @param req 
- * @param res 
- * @returns 
- */
-export const deleteServiceAccount = async (req: Request, res: Response) => {
-    const { serviceAccountId } = req.params;
-
-    const serviceAccount = await ServiceAccount.findByIdAndDelete(serviceAccountId);
-
-    if (serviceAccount) {
-        await ServiceAccountKey.deleteMany({
-            serviceAccount: serviceAccount._id
-        });
-
-        await ServiceAccountOrganizationPermission.deleteMany({
-            serviceAccount: new Types.ObjectId(serviceAccountId)
-        });
-
-        await ServiceAccountWorkspacePermission.deleteMany({
-            serviceAccount: new Types.ObjectId(serviceAccountId)
-        });
-    }
-
-    return res.status(200).send({
-        serviceAccount
-    });
-}
-
-/**
- * Return service account keys for service account with id [serviceAccountId]
- * @param req 
- * @param res 
- * @returns 
- */
-export const getServiceAccountKeys = async (req: Request, res: Response) => {
-    const workspaceId = req.query.workspaceId as string;
-    
-    const serviceAccountKeys = await ServiceAccountKey.find({
-        serviceAccount: req.serviceAccount._id,
-        ...(workspaceId ? { workspace: new Types.ObjectId(workspaceId) } : {})
-    });
-    
-    return res.status(200).send({
-        serviceAccountKeys
-    });
-}
--- a/backend/src/controllers/v2/serviceTokenDataController.ts
+++ b/backend/src/controllers/v2/serviceTokenDataController.ts
@ -1,19 +1,13 @@
-import * as Sentry from '@sentry/node';
 import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
 import crypto from 'crypto';
 import bcrypt from 'bcrypt';
 import {
-    User,
-    ServiceAccount,
    ServiceTokenData
 } from '../../models';
-import { userHasWorkspaceAccess } from '../../ee/helpers/checkMembershipPermissions';
-import { 
-    PERMISSION_READ_SECRETS,
-    AUTH_MODE_JWT,
-    AUTH_MODE_SERVICE_ACCOUNT
-} from '../../variables';
-import { getSaltRounds } from '../../config';
+import {
+    SALT_ROUNDS
+} from '../../config';

 /**
 * Return service token data associated with service token on request
@ -21,35 +15,7 @@ import { getSaltRounds } from '../../config';
 * @param res 
 * @returns 
 */
-export const getServiceTokenData = async (req: Request, res: Response) => {
-    /* 
-    #swagger.summary = 'Return Infisical Token data'
-    #swagger.description = 'Return Infisical Token data'
-    
-    #swagger.security = [{
-        "bearerAuth": []
-    }]
-
-    #swagger.responses[200] = {
-        content: {
-            "application/json": {
-                "schema": { 
-                    "type": "object",
-					"properties": {
-                        "serviceTokenData": {
-                            "type": "object",
-                            $ref: "#/components/schemas/ServiceTokenData",
-                            "description": "Details of service token"
-                        }
-					}
-                }
-            }           
-        }
-    }   
-    */
-
-    return res.status(200).json(req.serviceTokenData);
-}
+export const getServiceTokenData = async (req: Request, res: Response) => res.status(200).json(req.serviceTokenData);

 /**
 * Create new service token data for workspace with id [workspaceId] and
@ -59,60 +25,51 @@ export const getServiceTokenData = async (req: Request, res: Response) => {
 * @returns 
 */
 export const createServiceTokenData = async (req: Request, res: Response) => {
-    let serviceTokenData;
+    let serviceToken, serviceTokenData;
+    try {
+        const {
+            name,
+            workspaceId,
+            environment,
+            encryptedKey,
+            iv,
+            tag,
+            expiresIn
+        } = req.body;

-    const {
-        name,
-        workspaceId,
-        environment,
-        encryptedKey,
-        iv,
-        tag,
-        expiresIn,
-        permissions
-    } = req.body;
+        const secret = crypto.randomBytes(16).toString('hex');
+        const secretHash = await bcrypt.hash(secret, SALT_ROUNDS);

-    const secret = crypto.randomBytes(16).toString('hex');
-    const secretHash = await bcrypt.hash(secret, getSaltRounds());
-
-    let expiresAt; 
-    if (!!expiresIn) {
-        expiresAt = new Date()
+        const expiresAt = new Date();
        expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
+
+        serviceTokenData = await new ServiceTokenData({
+            name,
+            workspace: workspaceId,
+            environment,
+            user: req.user._id,
+            expiresAt,
+            secretHash,
+            encryptedKey,
+            iv,
+            tag
+        }).save();
+
+        // return service token data without sensitive data
+        serviceTokenData = await ServiceTokenData.findById(serviceTokenData._id);
+
+        if (!serviceTokenData) throw new Error('Failed to find service token data');
+
+        serviceToken = `st.${serviceTokenData._id.toString()}.${secret}`;
+
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+        Sentry.captureException(err);
+        return res.status(400).send({
+            message: 'Failed to create service token data'
+        });
    }

-    let user, serviceAccount;
-    
-    if (req.authData.authMode === AUTH_MODE_JWT && req.authData.authPayload instanceof User) {
-        user = req.authData.authPayload._id;
-    }
-
-    if (req.authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && req.authData.authPayload instanceof ServiceAccount) {
-        serviceAccount = req.authData.authPayload._id;
-    }
-        
-    serviceTokenData = await new ServiceTokenData({
-        name,
-        workspace: workspaceId,
-        environment,
-        user,
-        serviceAccount,
-        lastUsed: new Date(),
-        expiresAt,
-        secretHash,
-        encryptedKey,
-        iv,
-        tag,
-        permissions
-    }).save();
-
-    // return service token data without sensitive data
-    serviceTokenData = await ServiceTokenData.findById(serviceTokenData._id);
-
-    if (!serviceTokenData) throw new Error('Failed to find service token data');
-
-    const serviceToken = `st.${serviceTokenData._id.toString()}.${secret}`;
-
    return res.status(200).send({
        serviceToken,
        serviceTokenData
@ -126,9 +83,19 @@ export const createServiceTokenData = async (req: Request, res: Response) => {
 * @returns 
 */
 export const deleteServiceTokenData = async (req: Request, res: Response) => {
-    const { serviceTokenDataId } = req.params;
+    let serviceTokenData;
+    try {
+        const { serviceTokenDataId } = req.params;

-    const serviceTokenData = await ServiceTokenData.findByIdAndDelete(serviceTokenDataId);
+        serviceTokenData = await ServiceTokenData.findByIdAndDelete(serviceTokenDataId);
+
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+        Sentry.captureException(err);
+        return res.status(400).send({
+            message: 'Failed to delete service token data'
+        });
+    }

    return res.status(200).send({
        serviceTokenData
--- a/backend/src/controllers/v2/signupController.ts
+++ b/backend/src/controllers/v2/signupController.ts
@ -1,250 +0,0 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { User, MembershipOrg } from '../../models';
-import { completeAccount } from '../../helpers/user';
-import {
-	initializeDefaultOrg
-} from '../../helpers/signup';
-import { issueAuthTokens } from '../../helpers/auth';
-import { INVITED, ACCEPTED } from '../../variables';
-import request from '../../config/request';
-import { getLoopsApiKey, getHttpsEnabled } from '../../config';
-
-/**
- * Complete setting up user by adding their personal and auth information as part of the
- * signup flow
- * @param req
- * @param res
- * @returns
- */
-export const completeAccountSignup = async (req: Request, res: Response) => {
-	let user, token, refreshToken;
-	try {
-		const {
-			email,
-			firstName,
-			lastName,
-			protectedKey,
-			protectedKeyIV,
-			protectedKeyTag,
-			publicKey,
-			encryptedPrivateKey,
-			encryptedPrivateKeyIV,
-			encryptedPrivateKeyTag,
-			salt,
-			verifier,
-			organizationName
-		}: {
-			email: string;
-			firstName: string;
-			lastName: string;
-			protectedKey: string;
-			protectedKeyIV: string;
-			protectedKeyTag: string;
-			publicKey: string;
-			encryptedPrivateKey: string;
-			encryptedPrivateKeyIV: string;
-			encryptedPrivateKeyTag: string;
-			salt: string;
-			verifier: string;
-			organizationName: string;
-		} = req.body;
-
-		// get user
-		user = await User.findOne({ email });
-
-		if (!user || (user && user?.publicKey)) {
-			// case 1: user doesn't exist.
-			// case 2: user has already completed account
-			return res.status(403).send({
-				error: 'Failed to complete account for complete user'
-			});
-		}
-
-		// complete setting up user's account
-		user = await completeAccount({
-			userId: user._id.toString(),
-			firstName,
-			lastName,
-			encryptionVersion: 2,
-			protectedKey,
-			protectedKeyIV,
-			protectedKeyTag,
-			publicKey,
-			encryptedPrivateKey,
-			encryptedPrivateKeyIV,
-			encryptedPrivateKeyTag,
-			salt,
-			verifier
-		});
-
-		if (!user)
-			throw new Error('Failed to complete account for non-existent user'); // ensure user is non-null
-
-		// initialize default organization and workspace
-		await initializeDefaultOrg({
-			organizationName,
-			user
-		});
-
-		// update organization membership statuses that are
-		// invited to completed with user attached
-		await MembershipOrg.updateMany(
-			{
-				inviteEmail: email,
-				status: INVITED
-			},
-			{
-				user,
-				status: ACCEPTED
-			}
-		);
-
-		// issue tokens
-		const tokens = await issueAuthTokens({
-			userId: user._id.toString()
-		});
-
-		token = tokens.token;
-
-		// sending a welcome email to new users
-		if (getLoopsApiKey()) {
-			await request.post("https://app.loops.so/api/v1/events/send", {
-				"email": email,
-				"eventName": "Sign Up",
-				"firstName": firstName,
-				"lastName": lastName
-			}, {
-				headers: {
-					"Accept": "application/json",
-					"Authorization": "Bearer " + getLoopsApiKey()
-				},
-			});
-		}
-
-		// store (refresh) token in httpOnly cookie
-		res.cookie('jid', tokens.refreshToken, {
-			httpOnly: true,
-			path: '/',
-			sameSite: 'strict',
-			secure: getHttpsEnabled()
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to complete account setup'
-		});
-	}
-
-	return res.status(200).send({
-		message: 'Successfully set up account',
-		user,
-		token
-	});
-};
-
-/**
- * Complete setting up user by adding their personal and auth information as part of the
- * invite flow
- * @param req
- * @param res
- * @returns
- */
-export const completeAccountInvite = async (req: Request, res: Response) => {
-	let user, token, refreshToken;
-	try {
-		const {
-			email,
-			firstName,
-			lastName,
-			protectedKey,
-			protectedKeyIV,
-			protectedKeyTag,
-			publicKey,
-			encryptedPrivateKey,
-			encryptedPrivateKeyIV,
-			encryptedPrivateKeyTag,
-			salt,
-			verifier
-		} = req.body;
-
-		// get user
-		user = await User.findOne({ email });
-
-		if (!user || (user && user?.publicKey)) {
-			// case 1: user doesn't exist.
-			// case 2: user has already completed account
-			return res.status(403).send({
-				error: 'Failed to complete account for complete user'
-			});
-		}
-
-		const membershipOrg = await MembershipOrg.findOne({
-			inviteEmail: email,
-			status: INVITED
-		});
-
-		if (!membershipOrg) throw new Error('Failed to find invitations for email');
-
-		// complete setting up user's account
-		user = await completeAccount({
-			userId: user._id.toString(),
-			firstName,
-			lastName,
-			encryptionVersion: 2,
-			protectedKey,
-			protectedKeyIV,
-			protectedKeyTag,
-			publicKey,
-			encryptedPrivateKey,
-			encryptedPrivateKeyIV,
-			encryptedPrivateKeyTag,
-			salt,
-			verifier
-		});
-
-		if (!user)
-			throw new Error('Failed to complete account for non-existent user');
-
-		// update organization membership statuses that are
-		// invited to completed with user attached
-		await MembershipOrg.updateMany(
-			{
-				inviteEmail: email,
-				status: INVITED
-			},
-			{
-				user,
-				status: ACCEPTED
-			}
-		);
-
-		// issue tokens
-		const tokens = await issueAuthTokens({
-			userId: user._id.toString()
-		});
-
-		token = tokens.token;
-
-		// store (refresh) token in httpOnly cookie
-		res.cookie('jid', tokens.refreshToken, {
-			httpOnly: true,
-			path: '/',
-			sameSite: 'strict',
-			secure: getHttpsEnabled()
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to complete account setup'
-		});
-	}
-
-	return res.status(200).send({
-		message: 'Successfully set up account',
-		user,
-		token
-	});
-};
--- a/backend/src/controllers/v2/tagController.ts
+++ b/backend/src/controllers/v2/tagController.ts
@ -1,72 +0,0 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
-import {
-	Membership, Secret,
-} from '../../models';
-import Tag, { ITag } from '../../models/tag';
-import { Builder } from "builder-pattern"
-import to from 'await-to-js';
-import { BadRequestError, UnauthorizedRequestError } from '../../utils/errors';
-import { MongoError } from 'mongodb';
-import { userHasWorkspaceAccess } from '../../ee/helpers/checkMembershipPermissions';
-
-export const createWorkspaceTag = async (req: Request, res: Response) => {
-	const { workspaceId } = req.params
-	const { name, slug } = req.body
-	const sanitizedTagToCreate = Builder<ITag>()
-		.name(name)
-		.workspace(new Types.ObjectId(workspaceId))
-		.slug(slug)
-		.user(new Types.ObjectId(req.user._id))
-		.build();
-
-	const [err, createdTag] = await to(Tag.create(sanitizedTagToCreate))
-
-	if (err) {
-		if ((err as MongoError).code === 11000) {
-			throw BadRequestError({ message: "Tags must be unique in a workspace" })
-		}
-
-		throw err
-	}
-
-	res.json(createdTag)
-}
-
-export const deleteWorkspaceTag = async (req: Request, res: Response) => {
-	const { tagId } = req.params
-
-	const tagFromDB = await Tag.findById(tagId)
-	if (!tagFromDB) {
-		throw BadRequestError()
-	}
-
-	// can only delete if the request user is one that belongs to the same workspace as the tag
-	const membership = await Membership.findOne({
-		user: req.user,
-		workspace: tagFromDB.workspace
-	});
-
-	if (!membership) {
-		UnauthorizedRequestError({ message: 'Failed to validate membership' });
-	}
-
-	const result = await Tag.findByIdAndDelete(tagId);
-
-	// remove the tag from secrets
-	await Secret.updateMany(
-		{ tags: { $in: [tagId] } },
-		{ $pull: { tags: tagId } }
-	);
-
-	res.json(result);
-}
-
-export const getWorkspaceTags = async (req: Request, res: Response) => {
-	const { workspaceId } = req.params
-	const workspaceTags = await Tag.find({ workspace: workspaceId })
-	return res.json({
-		workspaceTags
-	})
-}
--- a/backend/src/controllers/v2/usersController.ts
+++ b/backend/src/controllers/v2/usersController.ts
@ -41,7 +41,7 @@ export const getMe = async (req: Request, res: Response) => {
    try {
        user = await User
            .findById(req.user._id)
-            .select('+salt +publicKey +encryptedPrivateKey +iv +tag +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag');
+            .select('+publicKey +encryptedPrivateKey +iv +tag');
    } catch (err) {
        Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);
@ -55,44 +55,6 @@ export const getMe = async (req: Request, res: Response) => {
    });
 }

-/**
- * Update the current user's MFA-enabled status [isMfaEnabled].
- * Note: Infisical currently only supports email-based 2FA only; this will expand to
- * include SMS and authenticator app modes of authentication in the future.
- * @param req 
- * @param res 
- * @returns 
- */
-export const updateMyMfaEnabled = async (req: Request, res: Response) => {
-    let user;
-    try {
-        const { isMfaEnabled }: { isMfaEnabled: boolean } = req.body;
-        req.user.isMfaEnabled = isMfaEnabled;
-        
-        if (isMfaEnabled) { 
-            // TODO: adapt this route/controller 
-            // to work for different forms of MFA
-            req.user.mfaMethods = ['email'];
-        } else {
-            req.user.mfaMethods = [];
-        }
-
-        await req.user.save();
-        
-        user = req.user;
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: "Failed to update current user's MFA status"
-		}); 
-    }
-    
-    return res.status(200).send({
-        user
-    });
-}
-
 /**
 * Return organizations that the current user is part of.
 * @param req 
--- a/backend/src/controllers/v2/workspaceController.ts
+++ b/backend/src/controllers/v2/workspaceController.ts
@ -19,7 +19,7 @@ import {
 	reformatPullSecrets
 } from '../../helpers/secret';
 import { pushKeys } from '../../helpers/key';
-import { TelemetryService, EventService } from '../../services';
+import { postHogClient, EventService } from '../../services';
 import { eventPushSecrets } from '../../events';

 interface V2PushSecret {
@ -48,7 +48,6 @@ interface V2PushSecret {
 export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
 	// upload (encrypted) secrets to workspace with id [workspaceId]
 	try {
-		const postHogClient = TelemetryService.getPostHogClient();
 		let { secrets }: { secrets: V2PushSecret[] } = req.body;
 		const { keys, environment, channel } = req.body;
 		const { workspaceId } = req.params;
@ -122,7 +121,6 @@ export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
 export const pullSecrets = async (req: Request, res: Response) => {
 	let secrets;
 	try {
-		const postHogClient = TelemetryService.getPostHogClient();
 		const environment: string = req.query.environment as string;
 		const channel: string = req.query.channel as string;
 		const { workspaceId } = req.params;
@ -469,41 +467,4 @@ export const deleteWorkspaceMembership = async (req: Request, res: Response) =>
 	return res.status(200).send({
 		membership
 	});
-}
-
-/**
- * Change autoCapitilzation Rule of workspace
- * @param req
- * @param res
- * @returns
- */
-export const toggleAutoCapitalization = async (req: Request, res: Response) => {
-	let workspace;
-	try {
-		const { workspaceId } = req.params;
-		const { autoCapitalization } = req.body;
-
-		workspace = await Workspace.findOneAndUpdate(
-			{
-				_id: workspaceId
-			},
-			{
-				autoCapitalization
-			},
-			{
-				new: true
-			}
-		);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to change autoCapitalization setting'
-		});
-	}
-
-	return res.status(200).send({
-		message: 'Successfully changed autoCapitalization setting',
-		workspace
-	});
-};
+}
--- a/backend/src/ee/controllers/v1/membershipController.ts
+++ b/backend/src/ee/controllers/v1/membershipController.ts
@ -2,8 +2,7 @@ import { Request, Response } from "express";
 import { Membership, Workspace } from "../../../models";
 import { IMembershipPermission } from "../../../models/membership";
 import { BadRequestError, UnauthorizedRequestError } from "../../../utils/errors";
-import { ADMIN, MEMBER } from "../../../variables/organization";
-import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from '../../../variables';
+import { ABILITY_READ, ABILITY_WRITE, ADMIN, MEMBER } from "../../../variables/organization";
 import { Builder } from "builder-pattern"
 import _ from "lodash";

@ -11,7 +10,7 @@ export const denyMembershipPermissions = async (req: Request, res: Response) =>
  const { membershipId } = req.params;
  const { permissions } = req.body;
  const sanitizedMembershipPermissions: IMembershipPermission[] = permissions.map((permission: IMembershipPermission) => {
-    if (!permission.ability || !permission.environmentSlug || ![PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS].includes(permission.ability)) {
+    if (!permission.ability || !permission.environmentSlug || ![ABILITY_READ, ABILITY_WRITE].includes(permission.ability)) {
      throw BadRequestError({ message: "One or more required fields are missing from the request or have incorrect type" })
    }

--- a/backend/src/ee/controllers/v1/secretController.ts
+++ b/backend/src/ee/controllers/v1/secretController.ts
@ -158,9 +158,11 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
 			secretKeyCiphertext,
 			secretKeyIV,
 			secretKeyTag,
+			secretKeyHash,
 			secretValueCiphertext,
 			secretValueIV,
 			secretValueTag,
+			secretValueHash
 		} = oldSecretVersion;
 		
 		// update secret
@ -177,9 +179,11 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
 				secretKeyCiphertext,
 				secretKeyIV,
 				secretKeyTag,
+				secretKeyHash,
 				secretValueCiphertext,
 				secretValueIV,
 				secretValueTag,
+				secretValueHash
 			},
 			{
 				new: true
@ -200,9 +204,11 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
 			secretKeyCiphertext,
 			secretKeyIV,
 			secretKeyTag,
+			secretKeyHash,
 			secretValueCiphertext,
 			secretValueIV,
-			secretValueTag
+			secretValueTag,
+			secretValueHash	
 		}).save();
 		
 		// take secret snapshot
--- a/backend/src/ee/controllers/v1/secretSnapshotController.ts
+++ b/backend/src/ee/controllers/v1/secretSnapshotController.ts
@ -15,13 +15,7 @@ export const getSecretSnapshot = async (req: Request, res: Response) => {

        secretSnapshot = await SecretSnapshot
            .findById(secretSnapshotId)
-            .populate({
-                path: 'secretVersions',
-                populate: {
-                    path: 'tags',
-                    model: 'Tag',
-                }
-            });
+            .populate('secretVersions');
        
        if (!secretSnapshot) throw new Error('Failed to find secret snapshot');
        
--- a/backend/src/ee/controllers/v1/stripeController.ts
+++ b/backend/src/ee/controllers/v1/stripeController.ts
@ -1,7 +1,10 @@
-import * as Sentry from '@sentry/node';
 import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
 import Stripe from 'stripe';
-import { getStripeSecretKey, getStripeWebhookSecret } from '../../../config';
+import { STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET } from '../../../config';
+const stripe = new Stripe(STRIPE_SECRET_KEY, {
+	apiVersion: '2022-08-01'
+});

 /**
 * Handle service provisioning/un-provisioning via Stripe
@ -12,16 +15,12 @@ import { getStripeSecretKey, getStripeWebhookSecret } from '../../../config';
 export const handleWebhook = async (req: Request, res: Response) => {
 	let event;
 	try {
-		const stripe = new Stripe(getStripeSecretKey(), {
-			apiVersion: '2022-08-01'
-		});
-
 		// check request for valid stripe signature
 		const sig = req.headers['stripe-signature'] as string;
 		event = stripe.webhooks.constructEvent(
 			req.body,
 			sig,
-			getStripeWebhookSecret()
+			STRIPE_WEBHOOK_SECRET // ?
 		);
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });
--- a/backend/src/ee/controllers/v1/workspaceController.ts
+++ b/backend/src/ee/controllers/v1/workspaceController.ts
@ -418,7 +418,7 @@ export const getWorkspaceLogs = async (req: Request, res: Response) => {
 		.skip(offset)
 		.limit(limit)
 		.populate('actions')
-		.populate('user serviceAccount serviceTokenData');
+		.populate('user');

 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });
--- a/backend/src/ee/helpers/action.ts
+++ b/backend/src/ee/helpers/action.ts
@ -1,44 +1,39 @@
 import * as Sentry from '@sentry/node';
 import { Types } from 'mongoose';
-import { Action } from '../models';
+import { SecretVersion, Action } from '../models';
 import { 
    getLatestSecretVersionIds,
    getLatestNSecretSecretVersionIds
 } from '../helpers/secretVersion';
-import { 
-    ACTION_LOGIN,
-    ACTION_LOGOUT,
-    ACTION_ADD_SECRETS,
-    ACTION_READ_SECRETS,
-    ACTION_DELETE_SECRETS,
-    ACTION_UPDATE_SECRETS,
-} from '../../variables';
+import { ACTION_UPDATE_SECRETS } from '../../variables';

 /**
- * Create an (audit) action for updating secrets
+ * Create an (audit) action for secrets including
+ * add, delete, update, and read actions.
 * @param {Object} obj
 * @param {String} obj.name - name of action
- * @param {Types.ObjectId} obj.secretIds - ids of relevant secrets
+ * @param {ObjectId[]} obj.secretIds - ids of relevant secrets
 * @returns {Action} action - new action
 */
-const createActionUpdateSecret = async ({
+const createActionSecretHelper = async ({
    name,
    userId,
-    serviceAccountId,
-    serviceTokenDataId,
    workspaceId,
    secretIds
 }: {
    name: string;
-    userId?: Types.ObjectId;
-    serviceAccountId?: Types.ObjectId;
-    serviceTokenDataId?: Types.ObjectId;
-    workspaceId: Types.ObjectId;
+    userId: string;
+    workspaceId: string;
    secretIds: Types.ObjectId[];
 }) => {
+
    let action;
+    let latestSecretVersions;
    try {
-        const latestSecretVersions = (await getLatestNSecretSecretVersionIds({
+        if (name === ACTION_UPDATE_SECRETS) {
+            // case: action is updating secrets
+            // -> add old and new secret versions
+            latestSecretVersions = (await getLatestNSecretSecretVersionIds({
                secretIds,
                n: 2
            }))
@ -46,12 +41,20 @@ const createActionUpdateSecret = async ({
                oldSecretVersion: s.versions[0]._id,
                newSecretVersion: s.versions[1]._id
            }));
-        
+        } else {
+            // case: action is adding, deleting, or reading secrets
+            // -> add new secret versions
+            latestSecretVersions = (await getLatestSecretVersionIds({
+                secretIds
+            }))
+            .map((s) => ({
+                newSecretVersion: s.versionId
+            }));
+        }
+
        action = await new Action({
            name,
            user: userId,
-            serviceAccount: serviceAccountId,
-            serviceTokenData: serviceTokenDataId,
            workspace: workspaceId,
            payload: {
                secretVersions: latestSecretVersions
@ -61,165 +64,10 @@ const createActionUpdateSecret = async ({
    } catch (err) {
 		Sentry.setUser(null);
 		Sentry.captureException(err);
-        throw new Error('Failed to create update secret action');
-    }
-    
-    return action;
-}
-
-/**
- * Create an (audit) action for creating, reading, and deleting
- * secrets
- * @param {Object} obj
- * @param {String} obj.name - name of action
- * @param {Types.ObjectId} obj.secretIds - ids of relevant secrets
- * @returns {Action} action - new action
- */
-const createActionSecret = async ({
-    name,
-    userId,
-    serviceAccountId,
-    serviceTokenDataId,
-    workspaceId,
-    secretIds
-}: {
-    name: string;
-    userId?: Types.ObjectId;
-    serviceAccountId?: Types.ObjectId;
-    serviceTokenDataId?: Types.ObjectId;
-    workspaceId: Types.ObjectId;
-    secretIds: Types.ObjectId[];
-}) => {
-    let action;
-    try {
-        // case: action is adding, deleting, or reading secrets
-        // -> add new secret versions
-        const latestSecretVersions = (await getLatestSecretVersionIds({
-            secretIds
-        }))
-        .map((s) => ({
-            newSecretVersion: s.versionId
-        }));
-        
-       action = await new Action({
-            name,
-            user: userId,
-            serviceAccount: serviceAccountId,
-            serviceTokenData: serviceTokenDataId,
-            workspace: workspaceId,
-            payload: {
-                secretVersions: latestSecretVersions
-            }
-        }).save(); 
-
-    } catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-        throw new Error('Failed to create action create/read/delete secret action');
-    }
-    
-    return action;
-}
-
-/**
- * Create an (audit) action for client with id [userId],
- * [serviceAccountId], or [serviceTokenDataId]
- * @param {Object} obj 
- * @param {String} obj.name - name of action
- * @param {String} obj.userId - id of user associated with action
- * @returns 
- */
-const createActionClient = ({
-    name,
-    userId,
-    serviceAccountId,
-    serviceTokenDataId
-}: {
-    name: string;
-    userId?: Types.ObjectId;
-    serviceAccountId?: Types.ObjectId;
-    serviceTokenDataId?: Types.ObjectId;
-}) => {
-    let action;
-    try {
-        action = new Action({
-            name,
-            user: userId,
-            serviceAccount: serviceAccountId,
-            serviceTokenData: serviceTokenDataId
-        }).save();
-    } catch (err) {
-        Sentry.setUser(null);
-        Sentry.captureException(err);
-        throw new Error('Failed to create client action');
-    }
-
-    return action; 
-}
-
-/**
- * Create an (audit) action. 
- * @param {Object} obj
- * @param {Object} obj.name - name of action
- * @param {Types.ObjectId} obj.userId - id of user associated with action
- * @param {Types.ObjectId} obj.workspaceId - id of workspace associated with action
- * @param {Types.ObjectId[]} obj.secretIds - ids of secrets associated with action
-*/
-const createActionHelper = async ({
-    name,
-    userId,
-    serviceAccountId,
-    serviceTokenDataId,
-    workspaceId,
-    secretIds,
-}: {
-    name: string;
-    userId?: Types.ObjectId;
-    serviceAccountId?: Types.ObjectId;
-    serviceTokenDataId?: Types.ObjectId;
-    workspaceId?: Types.ObjectId;
-    secretIds?: Types.ObjectId[];
-}) => {
-    let action;
-    try {
-        switch (name) {
-            case ACTION_LOGIN:
-            case ACTION_LOGOUT:
-                action = await createActionClient({
-                    name,
-                    userId
-                });
-                break;
-            case ACTION_ADD_SECRETS:
-            case ACTION_READ_SECRETS:
-            case ACTION_DELETE_SECRETS:
-                if (!workspaceId || !secretIds) throw new Error('Missing required params workspace id or secret ids to create action secret');
-                action = await createActionSecret({
-                    name,
-                    userId,
-                    workspaceId,
-                    secretIds
-                });
-                break;
-            case ACTION_UPDATE_SECRETS:
-                if (!workspaceId || !secretIds) throw new Error('Missing required params workspace id or secret ids to create action secret');
-                action = await createActionUpdateSecret({
-                    name,
-                    userId,
-                    workspaceId,
-                    secretIds
-                });
-                break;
-        }
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
        throw new Error('Failed to create action');
    }
    
    return action;
 }

-export { 
-    createActionHelper
-};
+export { createActionSecretHelper };
--- a/backend/src/ee/helpers/checkMembershipPermissions.ts
+++ b/backend/src/ee/helpers/checkMembershipPermissions.ts
@ -1,9 +1,7 @@
-import { Types } from 'mongoose';
 import _ from "lodash";
 import { Membership } from "../../models";
-import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from '../../variables';

-export const userHasWorkspaceAccess = async (userId: Types.ObjectId, workspaceId: Types.ObjectId, environment: string, action: any) => {
+export const userHasWorkspaceAccess = async (userId: any, workspaceId: any, environment: any, action: any) => {
  const membershipForWorkspace = await Membership.findOne({ workspace: workspaceId, user: userId })
  if (!membershipForWorkspace) {
    return false
@ -17,39 +15,4 @@ export const userHasWorkspaceAccess = async (userId: Types.ObjectId, workspaceId
  }

  return true
-}
-
-export const userHasWriteOnlyAbility = async (userId: Types.ObjectId, workspaceId: Types.ObjectId, environment: string) => {
-  const membershipForWorkspace = await Membership.findOne({ workspace: workspaceId, user: userId })
-  if (!membershipForWorkspace) {
-    return false
-  }
-
-  const deniedMembershipPermissions = membershipForWorkspace.deniedPermissions;
-  const isWriteDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: PERMISSION_WRITE_SECRETS });
-  const isReadDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: PERMISSION_READ_SECRETS });
-
-  // case: you have write only if read is blocked and write is not
-  if (isReadDisallowed && !isWriteDisallowed) {
-    return true
-  }
-
-  return false
-}
-
-export const userHasNoAbility = async (userId: Types.ObjectId, workspaceId: Types.ObjectId, environment: string) => {
-  const membershipForWorkspace = await Membership.findOne({ workspace: workspaceId, user: userId })
-  if (!membershipForWorkspace) {
-    return true
-  }
-
-  const deniedMembershipPermissions = membershipForWorkspace.deniedPermissions;
-  const isWriteDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: PERMISSION_WRITE_SECRETS });
-  const isReadBlocked = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: PERMISSION_READ_SECRETS });
-
-  if (isReadBlocked && isWriteDisallowed) {
-    return true
-  }
-
-  return false
 }
--- a/backend/src/ee/helpers/log.ts
+++ b/backend/src/ee/helpers/log.ts
@ -1,32 +1,18 @@
 import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
 import { 
    Log,
    IAction
 } from '../models';
-/**
- * Create an (audit) log
- * @param {Object} obj
- * @param {Types.ObjectId} obj.userId - id of user associated with the log
- * @param {Types.ObjectId} obj.workspaceId - id of workspace associated with the log
- * @param {IAction[]} obj.actions - actions to include in log
- * @param {String} obj.channel - channel (web/cli/auto) associated with the log
- * @param {String} obj.ipAddress - ip address associated with the log
- * @returns {Log} log - new audit log
- */
+
 const createLogHelper = async ({
    userId,
-    serviceAccountId,
-    serviceTokenDataId,
    workspaceId,
    actions,
    channel,
    ipAddress
 }: {
-    userId?: Types.ObjectId;
-    serviceAccountId?: Types.ObjectId;
-    serviceTokenDataId?: Types.ObjectId;
-    workspaceId?: Types.ObjectId;
+    userId: string;
+    workspaceId: string;
    actions: IAction[];
    channel: string;
    ipAddress: string;
@ -35,9 +21,7 @@ const createLogHelper = async ({
    try {
        log = await new Log({
            user: userId,
-            serviceAccount: serviceAccountId,
-            serviceTokenData: serviceTokenDataId,
-            workspace: workspaceId ?? undefined,
+            workspace: workspaceId,
            actionNames: actions.map((a) => a.name),
            actions,
            channel,
--- a/backend/src/ee/middleware/requireSecretSnapshotAuth.ts
+++ b/backend/src/ee/middleware/requireSecretSnapshotAuth.ts
@ -15,28 +15,32 @@ import {
 const requireSecretSnapshotAuth = ({
    acceptedRoles,
 }: {
-    acceptedRoles: Array<'admin' | 'member'>;
+    acceptedRoles: string[];
 }) => {
    return async (req: Request, res: Response, next: NextFunction) => {
-        const { secretSnapshotId } = req.params;
-        
-        const secretSnapshot = await SecretSnapshot.findById(secretSnapshotId);
-        
-        if (!secretSnapshot) {
-            return next(SecretSnapshotNotFoundError({
-                message: 'Failed to find secret snapshot'
-            }));
-        }
-        
-        await validateMembership({
-            userId: req.user._id,
-            workspaceId: secretSnapshot.workspace,
-            acceptedRoles
-        });
-        
-        req.secretSnapshot = secretSnapshot as any;
+        try {
+            const { secretSnapshotId } = req.params;
+            
+            const secretSnapshot = await SecretSnapshot.findById(secretSnapshotId);
+            
+            if (!secretSnapshot) {
+                return next(SecretSnapshotNotFoundError({
+                    message: 'Failed to find secret snapshot'
+                }));
+            }
+            
+            await validateMembership({
+                userId: req.user._id.toString(),
+                workspaceId: secretSnapshot.workspace.toString(),
+                acceptedRoles
+            });
+            
+            req.secretSnapshot = secretSnapshot as any;

-        next();
+            next();
+        } catch (err) {
+            return next(UnauthorizedRequestError({ message: 'Unable to authenticate secret snapshot' }));
+        }
    }
 }

--- a/backend/src/ee/models/action.ts
+++ b/backend/src/ee/models/action.ts
@ -1,20 +1,10 @@
 import { Schema, model, Types } from 'mongoose';
-import {
-    ACTION_LOGIN,
-    ACTION_LOGOUT,
-    ACTION_ADD_SECRETS,
-    ACTION_UPDATE_SECRETS,
-    ACTION_READ_SECRETS,
-    ACTION_DELETE_SECRETS
-} from '../../variables';

 export interface IAction {
    name: string;
    user?: Types.ObjectId,
-    serviceAccount?: Types.ObjectId,
-    serviceTokenData?: Types.ObjectId,
    workspace?: Types.ObjectId,
-    payload?: {
+    payload: {
        secretVersions?: Types.ObjectId[]
    }
 }
@ -23,27 +13,12 @@ const actionSchema = new Schema<IAction>(
    {
        name: {
            type: String,
-            required: true,
-            enum: [
-                ACTION_LOGIN,
-                ACTION_LOGOUT,
-                ACTION_ADD_SECRETS,
-                ACTION_UPDATE_SECRETS,
-                ACTION_READ_SECRETS,
-                ACTION_DELETE_SECRETS
-            ]
+            required: true
        },
        user: {
            type: Schema.Types.ObjectId,
-            ref: 'User'
-        },
-        serviceAccount: {
-            type: Schema.Types.ObjectId,
-            ref: 'ServiceAccount'
-        },
-        serviceTokenData: {
-            type: Schema.Types.ObjectId,
-            ref: 'ServiceTokenData'
+            ref: 'User',
+            required: true
        },
        workspace: {
            type: Schema.Types.ObjectId,
--- a/backend/src/ee/models/log.ts
+++ b/backend/src/ee/models/log.ts
@ -1,7 +1,5 @@
 import { Schema, model, Types } from 'mongoose';
 import {
-    ACTION_LOGIN,
-    ACTION_LOGOUT,
    ACTION_ADD_SECRETS,
    ACTION_UPDATE_SECRETS,
    ACTION_READ_SECRETS,
@ -11,8 +9,6 @@ import {
 export interface ILog {
    _id: Types.ObjectId;
    user?: Types.ObjectId;
-    serviceAccount?: Types.ObjectId;
-    serviceTokenData?: Types.ObjectId;
    workspace?: Types.ObjectId;
    actionNames: string[];
    actions: Types.ObjectId[];
@ -26,14 +22,6 @@ const logSchema = new Schema<ILog>(
            type: Schema.Types.ObjectId,
            ref: 'User'
        },
-        serviceAccount: {
-            type: Schema.Types.ObjectId,
-            ref: 'ServiceAccount'
-        },
-        serviceTokenData: {
-            type: Schema.Types.ObjectId,
-            ref: 'ServiceTokenData'
-        },
        workspace: {
            type: Schema.Types.ObjectId,
            ref: 'Workspace'
@ -41,8 +29,6 @@ const logSchema = new Schema<ILog>(
        actionNames: {
            type: [String],
            enum: [
-                ACTION_LOGIN,
-                ACTION_LOGOUT,
                ACTION_ADD_SECRETS,
                ACTION_UPDATE_SECRETS,
                ACTION_READ_SECRETS,
--- a/backend/src/ee/models/secretVersion.ts
+++ b/backend/src/ee/models/secretVersion.ts
@ -5,20 +5,22 @@ import {
 } from '../../variables';

 export interface ISecretVersion {
+	_id: Types.ObjectId;
 	secret: Types.ObjectId;
 	version: number;
 	workspace: Types.ObjectId; // new
 	type: string; // new
-	user?: Types.ObjectId; // new
+	user: Types.ObjectId; // new
 	environment: string; // new
 	isDeleted: boolean;
 	secretKeyCiphertext: string;
 	secretKeyIV: string;
 	secretKeyTag: string;
+	secretKeyHash: string;
 	secretValueCiphertext: string;
 	secretValueIV: string;
 	secretValueTag: string;
-	tags?: string[];
+	secretValueHash: string;
 }

 const secretVersionSchema = new Schema<ISecretVersion>(
@ -69,6 +71,9 @@ const secretVersionSchema = new Schema<ISecretVersion>(
 			type: String, // symmetric
 			required: true
 		},
+		secretKeyHash: {
+			type: String
+		},
 		secretValueCiphertext: {
 			type: String,
 			required: true
@ -81,11 +86,9 @@ const secretVersionSchema = new Schema<ISecretVersion>(
 			type: String, // symmetric
 			required: true
 		},
-		tags: {
-			ref: 'Tag',
-			type: [Schema.Types.ObjectId],
-			default: []
-		},
+		secretValueHash: {
+			type: String
+		}
 	},
 	{
 		timestamps: true
--- a/backend/src/ee/routes/v1/secret.ts
+++ b/backend/src/ee/routes/v1/secret.ts
@ -7,12 +7,7 @@ import {
 } from '../../../middleware';
 import { query, param, body } from 'express-validator';
 import { secretController } from '../../controllers/v1';
-import {
-	ADMIN, 
-	MEMBER,
-	PERMISSION_READ_SECRETS,
-	PERMISSION_WRITE_SECRETS
-} from '../../../variables';
+import { ADMIN, MEMBER } from '../../../variables';

 router.get(
 	'/:secretId/secret-versions',
@ -20,8 +15,7 @@ router.get(
 		acceptedAuthModes: ['jwt', 'apiKey']
 	}),
 	requireSecretAuth({
-		acceptedRoles: [ADMIN, MEMBER],
-		requiredPermissions: [PERMISSION_READ_SECRETS]
+		acceptedRoles: [ADMIN, MEMBER]
 	}),
 	param('secretId').exists().trim(),
 	query('offset').exists().isInt(),
@ -36,8 +30,7 @@ router.post(
 		acceptedAuthModes: ['jwt', 'apiKey']
 	}),
 	requireSecretAuth({
-		acceptedRoles: [ADMIN, MEMBER],
-		requiredPermissions: [PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS]
+		acceptedRoles: [ADMIN, MEMBER]
 	}),
 	param('secretId').exists().trim(),
 	body('version').exists().isInt(),
--- a/backend/src/ee/routes/v1/workspace.ts
+++ b/backend/src/ee/routes/v1/workspace.ts
@ -15,8 +15,7 @@ router.get(
 		acceptedAuthModes: ['jwt', 'apiKey']
 	}),
 	requireWorkspaceAuth({
-		acceptedRoles: [ADMIN, MEMBER],
-		locationWorkspaceId: 'params'
+		acceptedRoles: [ADMIN, MEMBER]
 	}),
 	param('workspaceId').exists().trim(),
 	query('offset').exists().isInt(),
@ -31,8 +30,7 @@ router.get(
 		acceptedAuthModes: ['jwt']
 	}),
 	requireWorkspaceAuth({
-		acceptedRoles: [ADMIN, MEMBER],
-		locationWorkspaceId: 'params'
+		acceptedRoles: [ADMIN, MEMBER]
 	}),
 	param('workspaceId').exists().trim(),
 	validateRequest,
@ -45,8 +43,7 @@ router.post(
 		acceptedAuthModes: ['jwt', 'apiKey']
 	}),
 	requireWorkspaceAuth({
-		acceptedRoles: [ADMIN, MEMBER],
-		locationWorkspaceId: 'params'
+		acceptedRoles: [ADMIN, MEMBER]
 	}),
 	param('workspaceId').exists().trim(),
 	body('version').exists().isInt(),
@ -60,8 +57,7 @@ router.get(
 		acceptedAuthModes: ['jwt', 'apiKey']
 	}),
 	requireWorkspaceAuth({
-		acceptedRoles: [ADMIN, MEMBER],
-		locationWorkspaceId: 'params'
+		acceptedRoles: [ADMIN, MEMBER]
 	}),
 	param('workspaceId').exists().trim(),
 	query('offset').exists().isInt(),
--- a/backend/src/ee/services/EELicenseService.ts
+++ b/backend/src/ee/services/EELicenseService.ts
@ -1,3 +1,5 @@
+import { LICENSE_KEY } from '../../config';
+
 /**
 * Class to handle Enterprise Edition license actions
 */
@ -14,4 +16,4 @@ class EELicenseService {
    }
 }

-export default new EELicenseService('N/A');
+export default new EELicenseService(LICENSE_KEY);
--- a/backend/src/ee/services/EELogService.ts
+++ b/backend/src/ee/services/EELogService.ts
@ -1,12 +1,14 @@
 import { Types } from 'mongoose';
 import { 
+    Log,
+    Action,
    IAction
 } from '../models';
 import {
    createLogHelper
 } from '../helpers/log';
 import {
-    createActionHelper
+    createActionSecretHelper
 } from '../helpers/action';
 import EELicenseService from './EELicenseService';

@ -26,17 +28,13 @@ class EELogService {
     */
    static async createLog({
        userId,
-        serviceAccountId,
-        serviceTokenDataId,
        workspaceId,
        actions,
        channel,
        ipAddress
    }: {
-        userId?: Types.ObjectId;
-        serviceAccountId?: Types.ObjectId;
-        serviceTokenDataId?: Types.ObjectId;
-        workspaceId?: Types.ObjectId;
+        userId: string;
+        workspaceId: string;
        actions: IAction[];
        channel: string;
        ipAddress: string;
@ -44,8 +42,6 @@ class EELogService {
        if (!EELicenseService.isLicenseValid) return null;
        return await createLogHelper({
            userId,
-            serviceAccountId,
-            serviceTokenDataId,
            workspaceId,
            actions,
            channel,
@ -54,34 +50,28 @@ class EELogService {
    }
    
    /**
-     * Create an (audit) action
+     * Create an (audit) action for secrets including
+     * add, delete, update, and read actions.
     * @param {Object} obj
     * @param {String} obj.name - name of action
-     * @param {Types.ObjectId} obj.userId - id of user associated with the action
-     * @param {Types.ObjectId} obj.workspaceId - id of workspace associated with the action
-     * @param {ObjectId[]} obj.secretIds - ids of secrets associated with the action
+     * @param {ObjectId[]} obj.secretIds - secret ids
     * @returns {Action} action - new action
     */
-    static async createAction({
+    static async createActionSecret({
        name,
        userId,
-        serviceAccountId,
-        serviceTokenDataId,
        workspaceId,
        secretIds
    }: {
        name: string;
-        userId?: Types.ObjectId;
-        serviceAccountId?: Types.ObjectId;
-        serviceTokenDataId?: Types.ObjectId;
-        workspaceId?: Types.ObjectId;
-        secretIds?: Types.ObjectId[];
+        userId: string;
+        workspaceId: string;
+        secretIds: Types.ObjectId[];
    }) {
-        return await createActionHelper({
+        if (!EELicenseService.isLicenseValid) return null; 
+        return await createActionSecretHelper({
            name,
            userId,
-            serviceAccountId,
-            serviceTokenDataId,
            workspaceId,
            secretIds
        });
--- a/backend/src/helpers/auth.ts
+++ b/backend/src/helpers/auth.ts
@ -1,34 +1,24 @@
-import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
 import jwt from 'jsonwebtoken';
+import * as Sentry from '@sentry/node';
 import bcrypt from 'bcrypt';
 import {
-	IUser,
 	User,
 	ServiceTokenData,
-	ServiceAccount,
 	APIKeyData
 } from '../models';
+import {
+	JWT_AUTH_LIFETIME,
+	JWT_AUTH_SECRET,
+	JWT_REFRESH_LIFETIME,
+	JWT_REFRESH_SECRET
+} from '../config';
 import {
 	AccountNotFoundError,
 	ServiceTokenDataNotFoundError,
-	ServiceAccountNotFoundError,
 	APIKeyDataNotFoundError,
 	UnauthorizedRequestError,
 	BadRequestError
 } from '../utils/errors';
-import {
-	getJwtAuthLifetime,
-	getJwtAuthSecret,
-	getJwtRefreshLifetime,
-	getJwtRefreshSecret
-} from '../config';
-import {
-	AUTH_MODE_JWT,
-	AUTH_MODE_SERVICE_ACCOUNT,
-	AUTH_MODE_SERVICE_TOKEN,
-	AUTH_MODE_API_KEY
-} from '../variables';

 /**
 * 
@ -46,7 +36,7 @@ const validateAuthMode = ({
 	const apiKey = headers['x-api-key'];
 	const authHeader = headers['authorization'];

-	let authMode, authTokenValue;
+	let authTokenType, authTokenValue;
 	if (apiKey === undefined && authHeader === undefined) {
 		// case: no auth or X-API-KEY header present
 		throw BadRequestError({ message: 'Missing Authorization or X-API-KEY in request header.' });
@ -54,7 +44,7 @@ const validateAuthMode = ({

 	if (typeof apiKey === 'string') {
 		// case: treat request authentication type as via X-API-KEY (i.e. API Key)
-		authMode = AUTH_MODE_API_KEY;
+		authTokenType = 'apiKey';
 		authTokenValue = apiKey;
 	}

@ -70,24 +60,20 @@ const validateAuthMode = ({

 		switch (tokenValue.split('.', 1)[0]) {
 			case 'st':
-				authMode = AUTH_MODE_SERVICE_TOKEN;
-				break;
-			case 'sa':
-				authMode = AUTH_MODE_SERVICE_ACCOUNT;
+				authTokenType = 'serviceToken';
 				break;
 			default:
-				authMode = AUTH_MODE_JWT;
+				authTokenType = 'jwt';
 		}
-
 		authTokenValue = tokenValue;
 	}

-	if (!authMode || !authTokenValue) throw BadRequestError({ message: 'Missing valid Authorization or X-API-KEY in request header.' });
+	if (!authTokenType || !authTokenValue) throw BadRequestError({ message: 'Missing valid Authorization or X-API-KEY in request header.' });

-	if (!acceptedAuthModes.includes(authMode)) throw BadRequestError({ message: 'The provided authentication type is not supported.' });
+	if (!acceptedAuthModes.includes(authTokenType)) throw BadRequestError({ message: 'The provided authentication type is not supported.' });

 	return ({
-		authMode,
+		authTokenType,
 		authTokenValue
 	});
 }
@ -103,17 +89,25 @@ const getAuthUserPayload = async ({
 }: {
 	authTokenValue: string;
 }) => {
-	const decodedToken = <jwt.UserIDJwtPayload>(
-		jwt.verify(authTokenValue, getJwtAuthSecret())
-	);
+	let user;
+	try {
+		const decodedToken = <jwt.UserIDJwtPayload>(
+			jwt.verify(authTokenValue, JWT_AUTH_SECRET)
+		);

-	const user = await User.findOne({
-		_id: decodedToken.userId
-	}).select('+publicKey');
+		user = await User.findOne({
+			_id: decodedToken.userId
+		}).select('+publicKey');

-	if (!user) throw AccountNotFoundError({ message: 'Failed to find User' });
+		if (!user) throw AccountNotFoundError({ message: 'Failed to find User' });

-	if (!user?.publicKey) throw UnauthorizedRequestError({ message: 'Failed to authenticate User with partially set up account' });
+		if (!user?.publicKey) throw UnauthorizedRequestError({ message: 'Failed to authenticate User with partially set up account' });
+
+	} catch (err) {
+		throw UnauthorizedRequestError({
+			message: 'Failed to authenticate JWT token'
+		});
+	}

 	return user;
 }
@ -129,70 +123,42 @@ const getAuthSTDPayload = async ({
 }: {
 	authTokenValue: string;
 }) => {
-	const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split('.', 3);
+	let serviceTokenData;
+	try {
+		const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split('.', 3);

-	let serviceTokenData = await ServiceTokenData
-		.findById(TOKEN_IDENTIFIER, '+secretHash +expiresAt');
+		// TODO: optimize double query
+		serviceTokenData = await ServiceTokenData
+			.findById(TOKEN_IDENTIFIER, '+secretHash +expiresAt');

-	if (!serviceTokenData) {
-		throw ServiceTokenDataNotFoundError({ message: 'Failed to find service token data' });
-	} else if (serviceTokenData?.expiresAt && new Date(serviceTokenData.expiresAt) < new Date()) {
-		// case: service token expired
-		await ServiceTokenData.findByIdAndDelete(serviceTokenData._id);
+		if (!serviceTokenData) {
+			throw ServiceTokenDataNotFoundError({ message: 'Failed to find service token data' });
+		} else if (serviceTokenData?.expiresAt && new Date(serviceTokenData.expiresAt) < new Date()) {
+			// case: service token expired
+			await ServiceTokenData.findByIdAndDelete(serviceTokenData._id);
+			throw UnauthorizedRequestError({
+				message: 'Failed to authenticate expired service token'
+			});
+		}
+
+		const isMatch = await bcrypt.compare(TOKEN_SECRET, serviceTokenData.secretHash);
+		if (!isMatch) throw UnauthorizedRequestError({
+			message: 'Failed to authenticate service token'
+		});
+
+		serviceTokenData = await ServiceTokenData
+			.findById(TOKEN_IDENTIFIER)
+			.select('+encryptedKey +iv +tag').populate('user');
+
+	} catch (err) {
 		throw UnauthorizedRequestError({
-			message: 'Failed to authenticate expired service token'
+			message: 'Failed to authenticate service token'
 		});
 	}

-	const isMatch = await bcrypt.compare(TOKEN_SECRET, serviceTokenData.secretHash);
-	if (!isMatch) throw UnauthorizedRequestError({
-		message: 'Failed to authenticate service token'
-	});
-
-	serviceTokenData = await ServiceTokenData
-		.findOneAndUpdate({
-			_id: new Types.ObjectId(TOKEN_IDENTIFIER)
-		}, {
-			lastUsed: new Date()
-		}, {
-			new: true
-		})
-		.select('+encryptedKey +iv +tag').populate('user serviceAccount');
-
-	if (!serviceTokenData) throw ServiceTokenDataNotFoundError({ message: 'Failed to find service token data' });
-
 	return serviceTokenData;
 }

-/**
- * Return service account access key payload
- * @param {Object} obj
- * @param {String} obj.authTokenValue - service account access token value
- * @returns {ServiceAccount} serviceAccount
- */
-const getAuthSAAKPayload = async ({
-	authTokenValue
-}: {
-	authTokenValue: string;
-}) => {
-	const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split('.', 3);
-
-	const serviceAccount = await ServiceAccount.findById(
-		Buffer.from(TOKEN_IDENTIFIER, 'base64').toString('hex')
-	).select('+secretHash');
-
-	if (!serviceAccount) {
-		throw ServiceAccountNotFoundError({ message: 'Failed to find service account' });
-	}
-
-	const result = await bcrypt.compare(TOKEN_SECRET, serviceAccount.secretHash);
-	if (!result) throw UnauthorizedRequestError({
-		message: 'Failed to authenticate service account access key'
-	});
-
-	return serviceAccount;
-}
-
 /**
 * Return API key data payload corresponding to API key [authTokenValue]
 * @param {Object} obj
@ -204,44 +170,33 @@ const getAuthAPIKeyPayload = async ({
 }: {
 	authTokenValue: string;
 }) => {
-	const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split('.', 3);
+	let user;
+	try {
+		const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split('.', 3);

-	let apiKeyData = await APIKeyData
-		.findById(TOKEN_IDENTIFIER, '+secretHash +expiresAt')
-		.populate<{ user: IUser }>('user', '+publicKey');
+		const apiKeyData = await APIKeyData
+			.findById(TOKEN_IDENTIFIER, '+secretHash +expiresAt')
+			.populate('user', '+publicKey');

-	if (!apiKeyData) {
-		throw APIKeyDataNotFoundError({ message: 'Failed to find API key data' });
-	} else if (apiKeyData?.expiresAt && new Date(apiKeyData.expiresAt) < new Date()) {
-		// case: API key expired
-		await APIKeyData.findByIdAndDelete(apiKeyData._id);
-		throw UnauthorizedRequestError({
-			message: 'Failed to authenticate expired API key'
+		if (!apiKeyData) {
+			throw APIKeyDataNotFoundError({ message: 'Failed to find API key data' });
+		} else if (apiKeyData?.expiresAt && new Date(apiKeyData.expiresAt) < new Date()) {
+			// case: API key expired
+			await APIKeyData.findByIdAndDelete(apiKeyData._id);
+			throw UnauthorizedRequestError({
+				message: 'Failed to authenticate expired API key'
+			});
+		}
+
+		const isMatch = await bcrypt.compare(TOKEN_SECRET, apiKeyData.secretHash);
+		if (!isMatch) throw UnauthorizedRequestError({
+			message: 'Failed to authenticate API key'
 		});
-	}

-	const isMatch = await bcrypt.compare(TOKEN_SECRET, apiKeyData.secretHash);
-	if (!isMatch) throw UnauthorizedRequestError({
-		message: 'Failed to authenticate API key'
-	});
-
-	apiKeyData = await APIKeyData.findOneAndUpdate({
-		_id: new Types.ObjectId(TOKEN_IDENTIFIER)
-	}, {
-		lastUsed: new Date()
-	}, {
-		new: true
-	});
-
-	if (!apiKeyData) {
-		throw APIKeyDataNotFoundError({ message: 'Failed to find API key data' });
-	}
-
-	const user = await User.findById(apiKeyData.user).select('+publicKey');
-
-	if (!user) {
-		throw AccountNotFoundError({
-			message: 'Failed to find user'
+		user = apiKeyData.user;
+	} catch (err) {
+		throw UnauthorizedRequestError({
+			message: 'Failed to authenticate API key'
 		});
 	}

@ -256,24 +211,31 @@ const getAuthAPIKeyPayload = async ({
 * @return {String} obj.token - issued JWT token
 * @return {String} obj.refreshToken - issued refresh token
 */
-const issueAuthTokens = async ({ userId }: { userId: string }) => {
+const issueTokens = async ({ userId }: { userId: string }) => {
+	let token: string;
+	let refreshToken: string;
+	try {
+		// issue tokens
+		token = createToken({
+			payload: {
+				userId
+			},
+			expiresIn: JWT_AUTH_LIFETIME,
+			secret: JWT_AUTH_SECRET
+		});

-	// issue tokens
-	const token = createToken({
-		payload: {
-			userId
-		},
-		expiresIn: getJwtAuthLifetime(),
-		secret: getJwtAuthSecret()
-	});
-
-	const refreshToken = createToken({
-		payload: {
-			userId
-		},
-		expiresIn: getJwtRefreshLifetime(),
-		secret: getJwtRefreshSecret()
-	});
+		refreshToken = createToken({
+			payload: {
+				userId
+			},
+			expiresIn: JWT_REFRESH_LIFETIME,
+			secret: JWT_REFRESH_SECRET
+		});
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		throw new Error('Failed to issue tokens');
+	}

 	return {
 		token,
@ -287,14 +249,19 @@ const issueAuthTokens = async ({ userId }: { userId: string }) => {
 * @param {String} obj.userId - id of user whose tokens are cleared.
 */
 const clearTokens = async ({ userId }: { userId: string }): Promise<void> => {
-	// increment refreshVersion on user by 1
-	User.findOneAndUpdate({
-		_id: userId
-	}, {
-		$inc: {
-			refreshVersion: 1
-		}
-	});
+	try {
+		// increment refreshVersion on user by 1
+		User.findOneAndUpdate({
+			_id: userId
+		}, {
+			$inc: {
+				refreshVersion: 1
+			}
+		});
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+	}
 };

 /**
@ -314,18 +281,23 @@ const createToken = ({
 	expiresIn: string | number;
 	secret: string;
 }) => {
-	return jwt.sign(payload, secret, {
-		expiresIn
-	});
+	try {
+		return jwt.sign(payload, secret, {
+			expiresIn
+		});
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		throw new Error('Failed to create a token');
+	}
 };

 export {
 	validateAuthMode,
 	getAuthUserPayload,
 	getAuthSTDPayload,
-	getAuthSAAKPayload,
 	getAuthAPIKeyPayload,
 	createToken,
-	issueAuthTokens,
+	issueTokens,
 	clearTokens
 };
--- a/backend/src/helpers/bot.ts
+++ b/backend/src/helpers/bot.ts
@ -1,16 +1,10 @@
 import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
 import {
    Bot,
    BotKey,
    Secret,
    ISecret,
-    IUser,
-    User,
-    IServiceAccount,
-    ServiceAccount,
-    IServiceTokenData,
-    ServiceTokenData
+    IUser
 } from '../models';
 import { 
    generateKeyPair, 
@ -18,88 +12,8 @@ import {
    decryptSymmetric,
    decryptAsymmetric
 } from '../utils/crypto';
-import {
-    SECRET_SHARED,
-    AUTH_MODE_JWT,
-    AUTH_MODE_SERVICE_ACCOUNT,
-    AUTH_MODE_SERVICE_TOKEN,
-    AUTH_MODE_API_KEY
-} from '../variables';
-import { getEncryptionKey } from '../config';
-import { BotNotFoundError, UnauthorizedRequestError } from '../utils/errors';
-import {
-    validateMembership
-} from '../helpers/membership';
-import {
-    validateUserClientForWorkspace
-} from '../helpers/user';
-import {
-    validateServiceAccountClientForWorkspace
-} from '../helpers/serviceAccount';
-
-/**
- * Validate authenticated clients for bot with id [botId] based
- * on any known permissions.
- * @param {Object} obj
- * @param {Object} obj.authData - authenticated client details
- * @param {Types.ObjectId} obj.botId - id of bot to validate against
- * @param {Array<'admin' | 'member'>} obj.acceptedRoles - accepted workspace roles
- */
-const validateClientForBot = async ({
-    authData,
-    botId,
-    acceptedRoles
-}: {
-    authData: {
-		authMode: string;
-		authPayload: IUser | IServiceAccount | IServiceTokenData;
-	};
-    botId: Types.ObjectId;
-    acceptedRoles: Array<'admin' | 'member'>;
-}) => {
-    const bot = await Bot.findById(botId);
-    
-    if (!bot) throw BotNotFoundError();
-    
-    if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
-        await validateUserClientForWorkspace({
-            user: authData.authPayload,
-            workspaceId: bot.workspace,
-            acceptedRoles
-        });
-        
-        return bot;
-    }
-
-    if (authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && authData.authPayload instanceof ServiceAccount) {
-        await validateServiceAccountClientForWorkspace({
-            serviceAccount: authData.authPayload,
-            workspaceId: bot.workspace
-        });
-
-        return bot;
-    }
-
-    if (authData.authMode === AUTH_MODE_SERVICE_TOKEN && authData.authPayload instanceof ServiceTokenData) {
-        throw UnauthorizedRequestError({
-            message: 'Failed service token authorization for bot'
-        });
-    }
-
-    if (authData.authMode === AUTH_MODE_API_KEY && authData.authPayload instanceof User) {
-        await validateUserClientForWorkspace({
-            user: authData.authPayload,
-            workspaceId: bot.workspace,
-            acceptedRoles
-        });
-        
-        return bot;
-    }
-    
-    throw BotNotFoundError({
-        message: 'Failed client authorization for bot'
-    });
-}
+import { ENCRYPTION_KEY } from '../config';
+import { SECRET_SHARED } from '../variables';

 /**
 * Create an inactive bot with name [name] for workspace with id [workspaceId]
@ -119,7 +33,7 @@ const createBot = async ({
        const { publicKey, privateKey } = generateKeyPair();
        const { ciphertext, iv, tag } = encryptSymmetric({
            plaintext: privateKey,
-            key: getEncryptionKey()
+            key: ENCRYPTION_KEY
        });

        bot = await new Bot({
@ -216,7 +130,7 @@ const getKey = async ({ workspaceId }: { workspaceId: string }) => {
            ciphertext: bot.encryptedPrivateKey,
            iv: bot.iv,
            tag: bot.tag,
-            key: getEncryptionKey()
+            key: ENCRYPTION_KEY
        });
        
        key = decryptAsymmetric({
@ -308,7 +222,6 @@ const decryptSymmetricHelper = async ({
 }

 export {
-    validateClientForBot,
    createBot,
    getSecretsHelper,
    encryptSymmetricHelper,
--- a/backend/src/helpers/database.ts
+++ b/backend/src/helpers/database.ts
@ -1,4 +1,5 @@
 import mongoose from 'mongoose';
+import { ISecret, Secret } from '../models';
 import { EESecretService } from '../ee/services';
 import { getLogger } from '../utils/logger';

@ -15,10 +16,6 @@ const initDatabaseHelper = async ({
 }) => {
    try {
        await mongoose.connect(mongoURL);
-    
-        // allow empty strings to pass the required validator
-        mongoose.Schema.Types.String.checkRequired(v => typeof v === 'string');
-
        getLogger("database").info("Database connection established");
        
        await EESecretService.initSecretVersioning();
@ -29,23 +26,6 @@ const initDatabaseHelper = async ({
    return mongoose.connection;
 }

-/**
- * Close database conection
- */
-const closeDatabaseHelper = async () => {
-    return Promise.all([
-        new Promise((resolve) => {
-            if (mongoose.connection && mongoose.connection.readyState == 1) {
-            mongoose.connection.close()
-                .then(() => resolve('Database connection closed'));
-            } else {
-            resolve('Database connection already closed');
-            }
-        })
-    ]);
-}
-
 export {
-    initDatabaseHelper,
-    closeDatabaseHelper
+    initDatabaseHelper
 }
--- a/backend/src/helpers/integration.ts
+++ b/backend/src/helpers/integration.ts
@ -1,42 +1,17 @@
 import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
 import {
    Bot,
    Integration,
    IntegrationAuth,
-    IUser,
-    User,
-    IServiceAccount,
-    ServiceAccount,
-    IServiceTokenData,
-    ServiceTokenData
 } from '../models';
 import { exchangeCode, exchangeRefresh, syncSecrets } from '../integrations';
 import { BotService } from '../services';
 import {
-    AUTH_MODE_JWT,
-	AUTH_MODE_SERVICE_ACCOUNT,
-	AUTH_MODE_SERVICE_TOKEN,
-	AUTH_MODE_API_KEY,
    INTEGRATION_VERCEL,
    INTEGRATION_NETLIFY
 } from '../variables';
-import { 
-    UnauthorizedRequestError,
-    IntegrationAuthNotFoundError,
-    IntegrationNotFoundError
-} from '../utils/errors';
+import { UnauthorizedRequestError } from '../utils/errors';
 import RequestError from '../utils/requestError';
-import {
-    validateClientForIntegrationAuth 
-} from '../helpers/integrationAuth';
-import {
-    validateUserClientForWorkspace
-} from '../helpers/user';
-import {
-    validateServiceAccountClientForWorkspace
-} from '../helpers/serviceAccount';
-import { IntegrationService } from '../services';

 interface Update {
    workspace: string;
@ -45,84 +20,6 @@ interface Update {
    accountId?: string;
 }

-/**
- * Validate authenticated clients for integration with id [integrationId] based
- * on any known permissions.
- * @param {Object} obj
- * @param {Object} obj.authData - authenticated client details
- * @param {Types.ObjectId} obj.integrationId - id of integration to validate against
- * @param {String} obj.environment - (optional) environment in workspace to validate against
- * @param {Array<'admin' | 'member'>} obj.acceptedRoles - accepted workspace roles
- * @param {String[]} obj.requiredPermissions - required permissions as part of the endpoint
- */
- const validateClientForIntegration = async ({
-    authData,
-    integrationId,
-    acceptedRoles
-}: {
-    authData: {
-		authMode: string;
-		authPayload: IUser | IServiceAccount | IServiceTokenData;
-	};
-    integrationId: Types.ObjectId;
-    acceptedRoles: Array<'admin' | 'member'>;
-}) => {
-    
-    const integration = await Integration.findById(integrationId);
-    if (!integration) throw IntegrationNotFoundError();
-
-    const integrationAuth = await IntegrationAuth
-        .findById(integration.integrationAuth)
-        .select(
-			'+refreshCiphertext +refreshIV +refreshTag +accessCiphertext +accessIV +accessTag +accessExpiresAt'
-        );
-    
-    if (!integrationAuth) throw IntegrationAuthNotFoundError();
-
-    const accessToken = (await IntegrationService.getIntegrationAuthAccess({
-        integrationAuthId: integrationAuth._id
-    })).accessToken;
-
-    if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
-        await validateUserClientForWorkspace({
-            user: authData.authPayload,
-            workspaceId: integration.workspace,
-            acceptedRoles
-        });
-        
-        return ({ integration, accessToken });
-    }
-    
-    if (authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && authData.authPayload instanceof ServiceAccount) {
-        await validateServiceAccountClientForWorkspace({
-            serviceAccount: authData.authPayload,
-            workspaceId: integration.workspace
-        });
-        
-        return ({ integration, accessToken });
-    }
-
-    if (authData.authMode === AUTH_MODE_SERVICE_TOKEN && authData.authPayload instanceof ServiceTokenData) {
-        throw UnauthorizedRequestError({
-            message: 'Failed service token authorization for integration'
-        });
-    }
-
-    if (authData.authMode === AUTH_MODE_API_KEY && authData.authPayload instanceof User) {
-        await validateUserClientForWorkspace({
-            user: authData.authPayload,
-            workspaceId: integration.workspace,
-            acceptedRoles
-        });
-        
-        return ({ integration, accessToken });
-    }
-    
-    throw UnauthorizedRequestError({
-        message: 'Failed client authorization for integration'
-    });
-}
-
 /**
 * Perform OAuth2 code-token exchange for workspace with id [workspaceId] and integration
 * named [integration]
@ -133,7 +30,6 @@ interface Update {
 * @param {String} obj.workspaceId - id of workspace
 * @param {String} obj.integration - name of integration 
 * @param {String} obj.code - code
- * @returns {IntegrationAuth} integrationAuth - integration auth after OAuth2 code-token exchange
 */
 const handleOAuthExchangeHelper = async ({
    workspaceId,
@ -146,6 +42,7 @@ const handleOAuthExchangeHelper = async ({
    code: string;
    environment: string;
 }) => {
+    let action;
    let integrationAuth;
    try {
        const bot = await Bot.findOne({
@ -197,18 +94,25 @@ const handleOAuthExchangeHelper = async ({
            // set integration auth access token
            await setIntegrationAuthAccessHelper({
                integrationAuthId: integrationAuth._id.toString(),
-                accessId: null,
                accessToken: res.accessToken,
                accessExpiresAt: res.accessExpiresAt
            });
        }
+
+        // initialize new integration after exchange
+        await new Integration({
+            workspace: workspaceId,
+            isActive: false,
+            app: null,
+            environment,
+            integration,
+            integrationAuth: integrationAuth._id
+        }).save();
    } catch (err) {
        Sentry.setUser(null);
        Sentry.captureException(err);
        throw new Error('Failed to handle OAuth2 code-token exchange')
    }
-    
-    return integrationAuth;
 }
 /**
 * Sync/push environment variables in workspace with id [workspaceId] to
@ -242,8 +146,8 @@ const syncIntegrationsHelper = async ({
            if (!integrationAuth) throw new Error('Failed to find integration auth');
            
            // get integration auth access token
-            const access = await getIntegrationAuthAccessHelper({
-                integrationAuthId: integration.integrationAuth
+            const accessToken = await getIntegrationAuthAccessHelper({
+                integrationAuthId: integration.integrationAuth.toString()
            });

            // sync secrets to integration
@ -251,8 +155,7 @@ const syncIntegrationsHelper = async ({
                integration,
                integrationAuth,
                secrets,
-                accessId: access.accessId,
-                accessToken: access.accessToken
+                accessToken
            });
        }
    } catch (err) {
@ -270,7 +173,7 @@ const syncIntegrationsHelper = async ({
 * @param {String} obj.integrationAuthId - id of integration auth
 * @param {String} refreshToken - decrypted refresh token
 */
- const getIntegrationAuthRefreshHelper = async ({ integrationAuthId }: { integrationAuthId: Types.ObjectId }) => {
+ const getIntegrationAuthRefreshHelper = async ({ integrationAuthId }: { integrationAuthId: string }) => {
    let refreshToken;
 	
    try {
@ -307,13 +210,13 @@ const syncIntegrationsHelper = async ({
 * @param {String} obj.integrationAuthId - id of integration auth
 * @returns {String} accessToken - decrypted access token
 */
-const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrationAuthId: Types.ObjectId }) => {
-    let accessId;
+const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrationAuthId: string }) => {
    let accessToken;
+	
    try {
        const integrationAuth = await IntegrationAuth
            .findById(integrationAuthId)
-            .select('workspace integration +accessCiphertext +accessIV +accessTag +accessExpiresAt + refreshCiphertext +accessIdCiphertext +accessIdIV +accessIdTag');
+            .select('workspace integration +accessCiphertext +accessIV +accessTag +accessExpiresAt + refreshCiphertext');

        if (!integrationAuth) throw UnauthorizedRequestError({message: 'Failed to locate Integration Authentication credentials'});

@ -332,20 +235,11 @@ const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrati
                // access token is expired
                const refreshToken = await getIntegrationAuthRefreshHelper({ integrationAuthId });
                accessToken = await exchangeRefresh({
-                    integrationAuth,
+                    integration: integrationAuth.integration,
                    refreshToken
                });
            }
        }
-        
-        if (integrationAuth?.accessIdCiphertext && integrationAuth?.accessIdIV && integrationAuth?.accessIdTag) {
-            accessId = await BotService.decryptSymmetric({
-                workspaceId: integrationAuth.workspace.toString(),
-                ciphertext: integrationAuth.accessIdCiphertext as string,
-                iv: integrationAuth.accessIdIV as string,
-                tag: integrationAuth.accessIdTag as string
-            });
-        }

    } catch (err) {
        Sentry.setUser(null);
@ -356,10 +250,7 @@ const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrati
            throw new Error('Failed to get integration access token');
    }
    
-    return ({
-        accessId,
-        accessToken
-    });
+    return accessToken;
 }

 /**
@ -409,9 +300,9 @@ const setIntegrationAuthRefreshHelper = async ({
 }

 /**
- * Encrypt access token [accessToken] and (optionally) access id [accessId]
- * using the bot's copy of the workspace key for workspace belonging to 
- * integration auth with id [integrationAuthId] and store it along with [accessExpiresAt]
+ * Encrypt access token [accessToken] using the bot's copy
+ * of the workspace key for workspace belonging to integration auth
+ * with id [integrationAuthId] and store it along with [accessExpiresAt]
 * @param {Object} obj
 * @param {String} obj.integrationAuthId - id of integration auth
 * @param {String} obj.accessToken - access token
@ -419,12 +310,10 @@ const setIntegrationAuthRefreshHelper = async ({
 */
 const setIntegrationAuthAccessHelper = async ({
    integrationAuthId,
-    accessId,
    accessToken,
    accessExpiresAt
 }: {
    integrationAuthId: string;
-    accessId: string | null;
    accessToken: string;
    accessExpiresAt: Date | undefined;
 }) => {
@ -434,28 +323,17 @@ const setIntegrationAuthAccessHelper = async ({
        
        if (!integrationAuth) throw new Error('Failed to find integration auth');
        
-        const encryptedAccessTokenObj = await BotService.encryptSymmetric({
+        const obj = await BotService.encryptSymmetric({
            workspaceId: integrationAuth.workspace.toString(),
            plaintext: accessToken
        });
        
-        let encryptedAccessIdObj;
-        if (accessId) {
-            encryptedAccessIdObj = await BotService.encryptSymmetric({
-                workspaceId: integrationAuth.workspace.toString(),
-                plaintext: accessId
-            }); 
-        }
-        
        integrationAuth = await IntegrationAuth.findOneAndUpdate({
            _id: integrationAuthId
        }, {
-            accessIdCiphertext: encryptedAccessIdObj?.ciphertext ?? undefined,
-            accessIdIV: encryptedAccessIdObj?.iv ?? undefined,
-            accessIdTag: encryptedAccessIdObj?.tag ?? undefined,
-            accessCiphertext: encryptedAccessTokenObj.ciphertext,
-            accessIV: encryptedAccessTokenObj.iv,
-            accessTag: encryptedAccessTokenObj.tag,
+            accessCiphertext: obj.ciphertext,
+            accessIV: obj.iv,
+            accessTag: obj.tag,
            accessExpiresAt
        }, {
            new: true
@ -470,7 +348,6 @@ const setIntegrationAuthAccessHelper = async ({
 }

 export {
-    validateClientForIntegration,
    handleOAuthExchangeHelper,
    syncIntegrationsHelper,
    getIntegrationAuthRefreshHelper,
--- a/backend/src/helpers/integrationAuth.ts
+++ b/backend/src/helpers/integrationAuth.ts
@ -1,108 +0,0 @@
-import { Types } from 'mongoose';
-import {
-    IntegrationAuth,
-    IUser,
-    User,
-    IServiceAccount,
-    ServiceAccount,
-    IServiceTokenData,
-    ServiceTokenData,
-    IWorkspace
-} from '../models';
-import { 
-    AUTH_MODE_JWT,
-    AUTH_MODE_SERVICE_ACCOUNT,
-    AUTH_MODE_SERVICE_TOKEN,
-    AUTH_MODE_API_KEY
-} from '../variables';
-import {
-    IntegrationAuthNotFoundError,
-    UnauthorizedRequestError
-} from '../utils/errors';
-import { IntegrationService } from '../services';
-import { validateUserClientForWorkspace } from '../helpers/user';
-import { validateServiceAccountClientForWorkspace } from '../helpers/serviceAccount';
-
-/**
- * Validate authenticated clients for integration authorization with id [integrationAuthId] based
- * on any known permissions.
- * @param {Object} obj
- * @param {Object} obj.authData - authenticated client details
- * @param {Types.ObjectId} obj.integrationAuthId - id of integration authorization to validate against
- * @param {Array<'admin' | 'member'>} obj.acceptedRoles - accepted workspace roles
- * @param {String[]} obj.requiredPermissions - required permissions as part of the endpoint
- */
- const validateClientForIntegrationAuth = async ({
-    authData,
-    integrationAuthId,
-    acceptedRoles,
-    attachAccessToken
-}: {
-    authData: {
-		authMode: string;
-		authPayload: IUser | IServiceAccount | IServiceTokenData;
-	};
-    integrationAuthId: Types.ObjectId;
-    acceptedRoles: Array<'admin' | 'member'>;
-    attachAccessToken?: boolean;
-}) => {
-
-    const integrationAuth = await IntegrationAuth
-        .findById(integrationAuthId)
-        .populate<{ workspace: IWorkspace }>('workspace')
-        .select(
-			'+refreshCiphertext +refreshIV +refreshTag +accessCiphertext +accessIV +accessTag +accessExpiresAt'
-        );
-    
-    if (!integrationAuth) throw IntegrationAuthNotFoundError();
-    
-    let accessToken;
-    if (attachAccessToken) {
-        accessToken = (await IntegrationService.getIntegrationAuthAccess({
-            integrationAuthId: integrationAuth._id
-        })).accessToken;
-    }
-    
-    if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
-        await validateUserClientForWorkspace({
-            user: authData.authPayload,
-            workspaceId: integrationAuth.workspace._id,
-            acceptedRoles
-        });
-
-        return ({ integrationAuth, accessToken });
-    }
-    
-    if (authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && authData.authPayload instanceof ServiceAccount) {
-        await validateServiceAccountClientForWorkspace({
-            serviceAccount: authData.authPayload,
-            workspaceId: integrationAuth.workspace._id
-        });
-
-        return ({ integrationAuth, accessToken });
-    }
-
-    if (authData.authMode === AUTH_MODE_SERVICE_TOKEN && authData.authPayload instanceof ServiceTokenData) {
-        throw UnauthorizedRequestError({
-            message: 'Failed service token authorization for integration authorization'
-        });
-    }
-
-    if (authData.authMode === AUTH_MODE_API_KEY && authData.authPayload instanceof User) {
-        await validateUserClientForWorkspace({
-            user: authData.authPayload,
-            workspaceId: integrationAuth.workspace._id,
-            acceptedRoles
-        });
-
-        return ({ integrationAuth, accessToken });
-    }
-    
-    throw UnauthorizedRequestError({
-        message: 'Failed client authorization for integration authorization'
-    });
-}
-
-export {
-    validateClientForIntegrationAuth
-};
--- a/backend/src/helpers/membership.ts
+++ b/backend/src/helpers/membership.ts
@ -1,106 +1,5 @@
 import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
-import { 
-	Membership, 
-	Key,
-	IUser,
-	User,
-	IServiceAccount,
-	ServiceAccount,
-	IServiceTokenData,
-	ServiceTokenData
-} from '../models';
-import {
-	MembershipNotFoundError,
-	BadRequestError,
-	UnauthorizedRequestError
-} from '../utils/errors';
-import {
-	AUTH_MODE_JWT,
-	AUTH_MODE_SERVICE_ACCOUNT,
-	AUTH_MODE_SERVICE_TOKEN,
-	AUTH_MODE_API_KEY
-} from '../variables';
-import {
-	validateUserClientForWorkspace
-} from '../helpers/user';
-import {
-	validateServiceAccountClientForWorkspace
-} from '../helpers/serviceAccount';
-import {
-	validateServiceTokenDataClientForWorkspace
-} from '../helpers/serviceTokenData';
-
-/**
- * Validate authenticated clients for membership with id [membershipId] based
- * on any known permissions.
- * @param {Object} obj
- * @param {Object} obj.authData - authenticated client details
- * @param {Types.ObjectId} obj.membershipId - id of membership to validate against
- * @param {Array<'admin' | 'member'>} obj.acceptedRoles - accepted workspaceRoles
- * @returns {Membership} - validated membership
- */
-const validateClientForMembership = async ({
-	authData,
-	membershipId,
-	acceptedRoles
-}: {
-	authData: {
-		authMode: string;
-		authPayload: IUser | IServiceAccount | IServiceTokenData;
-	};
-	membershipId: Types.ObjectId;
-    acceptedRoles: Array<'admin' | 'member'>;
-}) => {
-	
-	const membership = await Membership.findById(membershipId);
-	
-	if (!membership) throw MembershipNotFoundError({
-		message: 'Failed to find membership'
-	});
-
-	if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
-		await validateUserClientForWorkspace({
-			user: authData.authPayload,
-			workspaceId: membership.workspace,
-			acceptedRoles
-		});
-		
-		return membership;
-	}
-	
-	if (authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && authData.authPayload instanceof ServiceAccount) {
-		await validateServiceAccountClientForWorkspace({
-			serviceAccount: authData.authPayload,
-			workspaceId: membership.workspace
-		});
-
-		return membership;
-	}
-	
-	if (authData.authMode === AUTH_MODE_SERVICE_TOKEN && authData.authPayload instanceof ServiceTokenData) {
-		await validateServiceTokenDataClientForWorkspace({
-			serviceTokenData: authData.authPayload,
-			workspaceId: new Types.ObjectId(membership.workspace)
-		});
-		
-		return membership;
-	}
-
-	if (authData.authMode == AUTH_MODE_API_KEY && authData.authPayload instanceof User) {
-		await validateUserClientForWorkspace({
-			user: authData.authPayload,
-			workspaceId: membership.workspace,
-			acceptedRoles 
-		});
-		
-		return membership;
-	}
-	
-	throw UnauthorizedRequestError({
-		message: 'Failed client authorization for membership'
-	});
-}
+import { Membership, Key } from '../models';

 /**
 * Validate that user with id [userId] is a member of workspace with id [workspaceId]
@ -115,24 +14,28 @@ const validateMembership = async ({
 	workspaceId,
 	acceptedRoles,
 }: {
-	userId: Types.ObjectId;
-	workspaceId: Types.ObjectId;
-	acceptedRoles?: Array<'admin' | 'member'>;
+	userId: string;
+	workspaceId: string;
+	acceptedRoles: string[];
 }) => {
 	
-	const membership = await Membership.findOne({
-		user: userId,
-		workspace: workspaceId
-	}).populate("workspace");
-	
-	if (!membership) {
-		throw MembershipNotFoundError({ message: 'Failed to find workspace membership' });
-	}
-	
-	if (acceptedRoles) {
+	let membership;
+	//TODO: Refactor code to take advantage of using RequestError. It's possible to create new types of errors for more detailed errors
+	try {
+		membership = await Membership.findOne({
+			user: userId,
+			workspace: workspaceId
+		}).populate("workspace");
+		
+		if (!membership) throw new Error('Failed to find membership');
+		
 		if (!acceptedRoles.includes(membership.role)) {
-			throw BadRequestError({ message: 'Failed authorization for membership role' });
+			throw new Error('Failed to validate membership role');
 		}
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		throw new Error('Failed to validate membership');
 	}
 	
 	return membership;
@ -230,7 +133,6 @@ const deleteMembership = async ({ membershipId }: { membershipId: string }) => {
 };

 export { 
-	validateClientForMembership,
 	validateMembership,
 	addMemberships, 
 	findMembership, 
--- a/backend/src/helpers/membershipOrg.ts
+++ b/backend/src/helpers/membershipOrg.ts
@ -1,140 +1,40 @@
 import * as Sentry from '@sentry/node';
 import { Types } from 'mongoose';
-import { 
-	MembershipOrg, 
-	Workspace, 
-	Membership, 
-	Key,
-	IUser,
-	User,
-	IServiceAccount,
-	ServiceAccount,
-	IServiceTokenData,
-	ServiceTokenData
-} from '../models';
-import {
-	MembershipOrgNotFoundError,
-	BadRequestError,
-	UnauthorizedRequestError
-} from '../utils/errors';
-import {
-	AUTH_MODE_JWT,
-	AUTH_MODE_SERVICE_ACCOUNT,
-	AUTH_MODE_SERVICE_TOKEN,
-	AUTH_MODE_API_KEY
-} from '../variables';
-
-/**
- * Validate authenticated clients for organization membership with id [membershipOrgId] based
- * on any known permissions.
- * @param {Object} obj
- * @param {Object} obj.authData - authenticated client details
- * @param {Types.ObjectId} obj.membershipOrgId - id of organization membership to validate against
- * @param {Array<'owner' | 'admin' | 'member'>} obj.acceptedRoles - accepted organization roles
- * @param {MembershipOrg} - validated organization membership
- */
-const validateClientForMembershipOrg = async ({
-	authData,
-	membershipOrgId,
-	acceptedRoles,
-	acceptedStatuses
-}: {
-	authData: {
-		authMode: string;
-		authPayload: IUser | IServiceAccount | IServiceTokenData;
-	};
-	membershipOrgId: Types.ObjectId;
-    acceptedRoles: Array<'owner' | 'admin' | 'member'>;
-    acceptedStatuses: Array<'invited' | 'accepted'>;
-}) => {
-	const membershipOrg = await MembershipOrg.findById(membershipOrgId);
-
-	if (!membershipOrg) throw MembershipOrgNotFoundError({
-		message: 'Failed to find organization membership '
-	});
-
-	if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
-		await validateMembershipOrg({
-			userId: authData.authPayload._id,
-			organizationId: membershipOrg.organization,
-			acceptedRoles,
-			acceptedStatuses
-		});
-		
-		return membershipOrg;
-	}
-
-	if (authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && authData.authPayload instanceof ServiceAccount) {
-		if (!authData.authPayload.organization.equals(membershipOrg.organization)) throw UnauthorizedRequestError({
-			message: 'Failed service account client authorization for organization membership'
-		});
-		
-		return membershipOrg;
-	}
-
-	if (authData.authMode === AUTH_MODE_SERVICE_TOKEN && authData.authPayload instanceof ServiceTokenData) {
-		throw UnauthorizedRequestError({
-			message: 'Failed service account client authorization for organization membership'
-		});
-	}
-	
-	if (authData.authMode === AUTH_MODE_API_KEY && authData.authPayload instanceof User) {
-		await validateMembershipOrg({
-			userId: authData.authPayload._id,
-			organizationId: membershipOrg.organization,
-			acceptedRoles,
-			acceptedStatuses
-		});
-		
-		return membershipOrg;
-	}
-	
-	throw UnauthorizedRequestError({
-		message: 'Failed client authorization for organization membership'
-	});
-}
+import { MembershipOrg, Workspace, Membership, Key } from '../models';

 /**
 * Validate that user with id [userId] is a member of organization with id [organizationId]
 * and has at least one of the roles in [acceptedRoles]
- * @param {Object} obj
- * @param {Types.ObjectId} obj.userId
- * @param {Types.ObjectId} obj.organizationId
- * @param {String[]} obj.acceptedRoles
+ *
 */
-const validateMembershipOrg = async ({
+const validateMembership = async ({
 	userId,
 	organizationId,
-	acceptedRoles,
-	acceptedStatuses
+	acceptedRoles
 }: {
-	userId: Types.ObjectId;
-	organizationId: Types.ObjectId;
-	acceptedRoles?: Array<'owner' | 'admin' | 'member'>;
-	acceptedStatuses?: Array<'invited' | 'accepted'>;
+	userId: string;
+	organizationId: string;
+	acceptedRoles: string[];
 }) => {
-	const membershipOrg = await MembershipOrg.findOne({
-		user: userId,
-		organization: organizationId
-	});
-	
-	if (!membershipOrg) {
-		throw MembershipOrgNotFoundError({ message: 'Failed to find organization membership' });
-	}
-	
-	if (acceptedRoles) {
-		if (!acceptedRoles.includes(membershipOrg.role)) {
-			throw UnauthorizedRequestError({ message: 'Failed to validate organization membership role' });
+	let membership;
+	try {
+		membership = await MembershipOrg.findOne({
+			user: new Types.ObjectId(userId),
+			organization: new Types.ObjectId(organizationId)
+		});
+		
+		if (!membership) throw new Error('Failed to find organization membership');
+		
+		if (!acceptedRoles.includes(membership.role)) {
+			throw new Error('Failed to validate organization membership role');
 		}
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		throw new Error('Failed to validate organization membership');
 	}
 	
-	if (acceptedStatuses) {
-		if (!acceptedStatuses.includes(membershipOrg.status)) {
-			throw UnauthorizedRequestError({ message: 'Failed to validate organization membership status' });
-		}
-	}
-	
-	return membershipOrg;
+	return membership;
 }

 /**
@ -256,8 +156,7 @@ const deleteMembershipOrg = async ({
 };

 export {
-	validateClientForMembershipOrg,
-	validateMembershipOrg,
+	validateMembership,
 	findMembershipOrg,
 	addMembershipsOrg, 
 	deleteMembershipOrg 
--- a/backend/src/helpers/nodemailer.ts
+++ b/backend/src/helpers/nodemailer.ts
@ -1,9 +1,9 @@
-import * as Sentry from '@sentry/node';
 import fs from 'fs';
 import path from 'path';
 import handlebars from 'handlebars';
 import nodemailer from 'nodemailer';
-import { getSmtpFromName, getSmtpFromAddress, getSmtpConfigured } from '../config';
+import { SMTP_FROM_NAME, SMTP_FROM_ADDRESS } from '../config';
+import * as Sentry from '@sentry/node';

 let smtpTransporter: nodemailer.Transporter;

@ -25,25 +25,23 @@ const sendMail = async ({
  recipients: string[];
  substitutions: any;
 }) => {
-  if (getSmtpConfigured()) {
-    try {
-      const html = fs.readFileSync(
-        path.resolve(__dirname, '../templates/' + template),
-        'utf8'
-      );
-      const temp = handlebars.compile(html);
-      const htmlToSend = temp(substitutions);
+  try {
+    const html = fs.readFileSync(
+      path.resolve(__dirname, '../templates/' + template),
+      'utf8'
+    );
+    const temp = handlebars.compile(html);
+    const htmlToSend = temp(substitutions);

-      await smtpTransporter.sendMail({
-        from: `"${getSmtpFromName()}" <${getSmtpFromAddress()}>`,
-        to: recipients.join(', '),
-        subject: subjectLine,
-        html: htmlToSend
-      });
-    } catch (err) {
-      Sentry.setUser(null);
-      Sentry.captureException(err);
-    }
+    await smtpTransporter.sendMail({
+      from: `"${SMTP_FROM_NAME}" <${SMTP_FROM_ADDRESS}>`,
+      to: recipients.join(', '),
+      subject: subjectLine,
+      html: htmlToSend
+    });
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
  }
 };

--- a/backend/src/helpers/organization.ts
+++ b/backend/src/helpers/organization.ts
@ -1,110 +1,21 @@
 import * as Sentry from '@sentry/node';
 import Stripe from 'stripe';
-import { Types } from 'mongoose';
 import {
-	IUser,
-	User,
-	IServiceAccount,
-	ServiceAccount,
-	IServiceTokenData,
-	ServiceTokenData
-} from '../models';
-import { Organization, MembershipOrg } from '../models';
-import { 
-	ACCEPTED,
-	AUTH_MODE_JWT,
-	AUTH_MODE_SERVICE_ACCOUNT,
-	AUTH_MODE_SERVICE_TOKEN,
-	AUTH_MODE_API_KEY,
-	OWNER
-} from '../variables';
-import { 
-	getStripeSecretKey,
-	getStripeProductPro,
-	getStripeProductTeam,
-	getStripeProductStarter
+	STRIPE_SECRET_KEY,
+	STRIPE_PRODUCT_STARTER,
+	STRIPE_PRODUCT_PRO
 } from '../config';
-import {
-	UnauthorizedRequestError,
-	OrganizationNotFoundError
-} from '../utils/errors';
-import {
-	validateUserClientForOrganization
-} from '../helpers/user';
-import {
-	validateServiceAccountClientForOrganization
-} from '../helpers/serviceAccount';
+const stripe = new Stripe(STRIPE_SECRET_KEY, {
+	apiVersion: '2022-08-01'
+});
+import { Types } from 'mongoose';
+import { ACCEPTED } from '../variables';
+import { Organization, MembershipOrg } from '../models';

-/**
- * Validate accepted clients for organization with id [organizationId]
- * @param {Object} obj
- * @param {Object} obj.authData - authenticated client details
- * @param {Types.ObjectId} obj.organizationId - id of organization to validate against
- */
-const validateClientForOrganization = async ({
-	authData,
-	organizationId,
-	acceptedRoles,
-	acceptedStatuses
-}: {
-	authData: {
-		authMode: string;
-		authPayload: IUser | IServiceAccount | IServiceTokenData;
-	},
-	organizationId: Types.ObjectId;
-	acceptedRoles: Array<'owner' | 'admin' | 'member'>;
-	acceptedStatuses: Array<'invited' | 'accepted'>;
-}) => {
-	
-	const organization = await Organization.findById(organizationId);
-	
-	if (!organization) {
-		throw OrganizationNotFoundError({
-			message: 'Failed to find organization'
-		});
-	}
-	
-	if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
-		const membershipOrg = await validateUserClientForOrganization({
-			user: authData.authPayload,
-			organization,
-			acceptedRoles,
-			acceptedStatuses
-		});
-		
-		return ({ organization, membershipOrg });
-	}
-
-	if (authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && authData.authPayload instanceof ServiceAccount) {
-		await validateServiceAccountClientForOrganization({
-			serviceAccount: authData.authPayload,
-			organization
-		});
-		
-		return ({ organization });
-	}
-
-	if (authData.authMode === AUTH_MODE_SERVICE_TOKEN && authData.authPayload instanceof ServiceTokenData) {
-		throw UnauthorizedRequestError({
-			message: 'Failed service token authorization for organization'
-		});
-	}
-
-	if (authData.authMode === AUTH_MODE_API_KEY && authData.authPayload instanceof User) {
-		const membershipOrg = await validateUserClientForOrganization({
-			user: authData.authPayload,
-			organization,
-			acceptedRoles,
-			acceptedStatuses
-		});
-		
-		return ({ organization, membershipOrg });
-	}
-	
-	throw UnauthorizedRequestError({
-		message: 'Failed client authorization for organization'
-	});
-}
+const productToPriceMap = {
+	starter: STRIPE_PRODUCT_STARTER,
+	pro: STRIPE_PRODUCT_PRO
+};

 /**
 * Create an organization with name [name]
@ -123,11 +34,8 @@ const createOrganization = async ({
 	let organization;
 	try {
 		// register stripe account
-		const stripe = new Stripe(getStripeSecretKey(), {
-			apiVersion: '2022-08-01'
-		});

-		if (getStripeSecretKey()) {
+		if (STRIPE_SECRET_KEY) {
 			const customer = await stripe.customers.create({
 				email,
 				description: name
@ -147,7 +55,7 @@ const createOrganization = async ({
 	} catch (err) {
 		Sentry.setUser({ email });
 		Sentry.captureException(err);
-		throw new Error(`Failed to create organization [err=${err}]`);
+		throw new Error('Failed to create organization');
 	}

 	return organization;
@ -177,16 +85,6 @@ const initSubscriptionOrg = async ({
 		if (organization) {
 			if (organization.customerId) {
 				// initialize starter subscription with quantity of 0
-				const stripe = new Stripe(getStripeSecretKey(), {
-					apiVersion: '2022-08-01'
-				});
-
-				const productToPriceMap = {
-					starter: getStripeProductStarter(),
-					team: getStripeProductTeam(),
-					pro: getStripeProductPro()
-				};
-
 				stripeSubscription = await stripe.subscriptions.create({
 					customer: organization.customerId,
 					items: [
@ -239,10 +137,6 @@ const updateSubscriptionOrgQuantity = async ({
 				status: ACCEPTED
 			});

-			const stripe = new Stripe(getStripeSecretKey(), {
-				apiVersion: '2022-08-01'
-			});
-
 			const subscription = (
 				await stripe.subscriptions.list({
 					customer: organization.customerId
@ -268,8 +162,7 @@ const updateSubscriptionOrgQuantity = async ({
 };

 export {
-	validateClientForOrganization,
 	createOrganization,
 	initSubscriptionOrg,
 	updateSubscriptionOrgQuantity
-};
+};
--- a/backend/src/helpers/rateLimiter.ts
+++ b/backend/src/helpers/rateLimiter.ts
@ -15,7 +15,7 @@ const apiLimiter = rateLimit({
 });

 // 10 requests per minute
-const authLimit = rateLimit({
+const authLimiter = rateLimit({
  windowMs: 60 * 1000,
  max: 10,
  standardHeaders: true,
@ -36,16 +36,8 @@ const passwordLimiter = rateLimit({
  }
 });

-const authLimiter = (req: any, res: any, next: any) => {
-  if (process.env.NODE_ENV === 'production') {
-    authLimit(req, res, next);
-  } else {
-    next();
-  }
-};
-
-export {
-  apiLimiter,
+export { 
+  apiLimiter, 
  authLimiter,
-  passwordLimiter
+  passwordLimiter 
 };
--- a/backend/src/helpers/secret.ts
+++ b/backend/src/helpers/secret.ts
@ -21,8 +21,60 @@ import {
 	ACTION_READ_SECRETS
 } from '../variables';
 import _ from 'lodash';
+import { ABILITY_WRITE } from '../variables/organization';
 import { BadRequestError, UnauthorizedRequestError } from '../utils/errors';

+/**
+ * Validate that user with id [userId] can modify secrets with ids [secretIds]
+ * @param {Object} obj
+ * @param {Object} obj.userId - id of user to validate
+ * @param {Object} obj.secretIds - secret ids
+ * @returns {Secret[]} secrets
+ */
+const validateSecrets = async ({
+	userId,
+	secretIds
+}: {
+	userId: string;
+	secretIds: string[];
+}) => {
+	let secrets;
+	try {
+		secrets = await Secret.find({
+			_id: {
+				$in: secretIds.map((secretId: string) => new Types.ObjectId(secretId))
+			}
+		});
+
+		if (secrets.length != secretIds.length) {
+			throw BadRequestError({ message: 'Unable to validate some secrets' })
+		}
+
+		const userMemberships = await Membership.find({ user: userId })
+		const userMembershipById = _.keyBy(userMemberships, 'workspace');
+		const workspaceIdsSet = new Set(userMemberships.map((m) => m.workspace.toString()));
+
+		// for each secret check if the secret belongs to a workspace the user is a member of
+		secrets.forEach((secret: ISecret) => {
+			if (workspaceIdsSet.has(secret.workspace.toString())) {
+				const deniedMembershipPermissions = userMembershipById[secret.workspace.toString()].deniedPermissions;
+				const isDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: secret.environment, ability: ABILITY_WRITE });
+
+				if (isDisallowed) {
+					throw UnauthorizedRequestError({ message: 'You do not have the required permissions to perform this action' });
+				}
+			} else {
+				throw BadRequestError({ message: 'You cannot edit secrets of a workspace you are not a member of' });
+			}
+		});
+
+	} catch (err) {
+		throw BadRequestError({ message: 'Unable to validate secrets' })
+	}
+
+	return secrets;
+}
+
 interface V1PushSecret {
 	ciphertextKey: string;
 	ivKey: string;
@ -215,7 +267,7 @@ const v1PushSecrets = async ({

 		if (toAdd.length > 0) {
 			// add secrets
-			const newSecrets: ISecret[] = (await Secret.insertMany(
+			const newSecrets = await Secret.insertMany(
 				toAdd.map((s, idx) => {
 					const obj: any = {
 						version: 1,
@ -242,7 +294,7 @@ const v1PushSecrets = async ({

 					return obj;
 				})
-			)).map((insertedSecret) => insertedSecret.toObject());
+			);

 			// (EE) add secret versions for new secrets
 			EESecretService.addSecretVersions({
@ -354,10 +406,10 @@ const v2PushSecrets = async ({
 				secretIds: toDelete
 			});

-			const deleteAction = await EELogService.createAction({
+			const deleteAction = await EELogService.createActionSecret({
 				name: ACTION_DELETE_SECRETS,
-				userId: new Types.ObjectId(userId),
-				workspaceId: new Types.ObjectId(userId),
+				userId,
+				workspaceId,
 				secretIds: toDelete
 			});

@ -447,10 +499,10 @@ const v2PushSecrets = async ({
 				})
 			});

-			const updateAction = await EELogService.createAction({
+			const updateAction = await EELogService.createActionSecret({
 				name: ACTION_UPDATE_SECRETS,
-				userId: new Types.ObjectId(userId),
-				workspaceId: new Types.ObjectId(workspaceId),
+				userId,
+				workspaceId,
 				secretIds: toUpdate.map((u) => u._id)
 			});

@ -484,10 +536,10 @@ const v2PushSecrets = async ({
 				})
 			});

-			const addAction = await EELogService.createAction({
+			const addAction = await EELogService.createActionSecret({
 				name: ACTION_ADD_SECRETS,
-				userId: new Types.ObjectId(userId),
-				workspaceId: new Types.ObjectId(workspaceId),
+				userId,
+				workspaceId,
 				secretIds: newSecrets.map((n) => n._id)
 			});
 			addAction && actions.push(addAction);
@ -501,8 +553,8 @@ const v2PushSecrets = async ({
 		// (EE) create (audit) log
 		if (actions.length > 0) {
 			await EELogService.createLog({
-				userId: new Types.ObjectId(userId),
-				workspaceId: new Types.ObjectId(workspaceId),
+				userId,
+				workspaceId,
 				actions,
 				channel,
 				ipAddress
@ -593,16 +645,16 @@ const pullSecrets = async ({
 			environment
 		})

-		const readAction = await EELogService.createAction({
+		const readAction = await EELogService.createActionSecret({
 			name: ACTION_READ_SECRETS,
-			userId: new Types.ObjectId(userId),
-			workspaceId: new Types.ObjectId(workspaceId),
+			userId,
+			workspaceId,
 			secretIds: secrets.map((n: any) => n._id)
 		});

 		readAction && await EELogService.createLog({
-			userId: new Types.ObjectId(userId),
-			workspaceId: new Types.ObjectId(workspaceId),
+			userId,
+			workspaceId,
 			actions: [readAction],
 			channel,
 			ipAddress
@ -662,6 +714,7 @@ const reformatPullSecrets = ({ secrets }: { secrets: ISecret[] }) => {
 };

 export {
+	validateSecrets,
 	v1PushSecrets,
 	v2PushSecrets,
 	pullSecrets,
--- a/backend/src/helpers/secrets.ts
+++ b/backend/src/helpers/secrets.ts
@ -1,198 +0,0 @@
-import { Types } from 'mongoose';
-import {
-    User,
-    IUser,
-    ServiceAccount,
-    IServiceAccount,
-    ServiceTokenData,
-    IServiceTokenData,
-    Secret,
-    ISecret
-} from '../models';
-import {
-    validateMembership
-} from '../helpers/membership';
-import {
-    validateUserClientForSecret,
-    validateUserClientForSecrets
-} from '../helpers/user';
-import {
-    validateServiceTokenDataClientForSecrets, validateServiceTokenDataClientForWorkspace
-} from '../helpers/serviceTokenData';
-import {
-    validateServiceAccountClientForSecrets,
-    validateServiceAccountClientForWorkspace
-} from '../helpers/serviceAccount';
-import { 
-    BadRequestError, 
-    UnauthorizedRequestError,
-    SecretNotFoundError
-} from '../utils/errors';
-import {
-    AUTH_MODE_JWT,
-    AUTH_MODE_SERVICE_ACCOUNT,
-    AUTH_MODE_SERVICE_TOKEN,
-    AUTH_MODE_API_KEY
-} from '../variables';
-
-/**
- * Validate authenticated clients for secrets with id [secretId] based
- * on any known permissions.
- * @param {Object} obj
- * @param {Object} obj.authData - authenticated client details
- * @param {Types.ObjectId} obj.secretId - id of secret to validate against
- * @param {Array<'admin' | 'member'>} obj.acceptedRoles - accepted workspace roles
- * @param {String[]} obj.requiredPermissions - required permissions as part of the endpoint
- */
-const validateClientForSecret = async ({
-    authData,
-    secretId,
-    acceptedRoles,
-    requiredPermissions
-}: {
-    authData: {
-		authMode: string;
-		authPayload: IUser | IServiceAccount | IServiceTokenData;
-	},
-    secretId: Types.ObjectId;
-    acceptedRoles: Array<'admin' | 'member'>;
-    requiredPermissions: string[];
-}) => {
-    const secret = await Secret.findById(secretId);
-
-    if (!secret) throw SecretNotFoundError({
-        message: 'Failed to find secret'
-    });
-
-    if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
-        await validateUserClientForSecret({
-            user: authData.authPayload,
-            secret,
-            acceptedRoles,
-            requiredPermissions
-        });
-
-        return secret;
-    }
-
-    if (authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && authData.authPayload instanceof ServiceAccount) {
-        await validateServiceAccountClientForWorkspace({
-            serviceAccount: authData.authPayload,
-            workspaceId: secret.workspace,
-            environment: secret.environment,
-            requiredPermissions
-        });
-        
-        return secret;
-    }
-
-    if (authData.authMode === AUTH_MODE_SERVICE_TOKEN && authData.authPayload instanceof ServiceTokenData) {
-        await validateServiceTokenDataClientForWorkspace({
-            serviceTokenData: authData.authPayload,
-            workspaceId: secret.workspace,
-            environment: secret.environment
-        });
-    
-        return secret;
-    }
-    
-    if (authData.authMode === AUTH_MODE_API_KEY && authData.authPayload instanceof User) {
-        await validateUserClientForSecret({
-            user: authData.authPayload,
-            secret,
-            acceptedRoles,
-            requiredPermissions
-        });
-
-        return secret;
-    }
-    
-    throw UnauthorizedRequestError({
-        message: 'Failed client authorization for secret'
-    });
-}
-
-/**
- * Validate authenticated clients for secrets with ids [secretIds] based
- * on any known permissions.
- * @param {Object} obj
- * @param {Object} obj.authData - authenticated client details
- * @param {Types.ObjectId[]} obj.secretIds - id of workspace to validate against
- * @param {String} obj.environment - (optional) environment in workspace to validate against
- * @param {Array<'admin' | 'member'>} obj.acceptedRoles - accepted workspace roles
- * @param {String[]} obj.requiredPermissions - required permissions as part of the endpoint
- */
-const validateClientForSecrets = async ({
-    authData,
-    secretIds,
-    requiredPermissions
-}: {
-    authData: {
-		authMode: string;
-		authPayload: IUser | IServiceAccount | IServiceTokenData;
-	},
-    secretIds: Types.ObjectId[];
-    requiredPermissions: string[];
-}) => {
-
-    let secrets: ISecret[] = [];
-    
-    secrets = await Secret.find({
-        _id: {
-            $in: secretIds
-        }
-    });
-
-    if (secrets.length != secretIds.length) {
-        throw BadRequestError({ message: 'Failed to validate non-existent secrets' })
-    }
-
-    if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
-        await validateUserClientForSecrets({
-            user: authData.authPayload,
-            secrets,
-            requiredPermissions
-        });
-        
-        return secrets;
-    }
-    
-    if (authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && authData.authPayload instanceof ServiceAccount) {
-        await validateServiceAccountClientForSecrets({
-            serviceAccount: authData.authPayload,
-            secrets,
-            requiredPermissions
-        });
-        
-        return secrets;
-    }
-        
-    if (authData.authMode === AUTH_MODE_SERVICE_TOKEN && authData.authPayload instanceof ServiceTokenData) {
-        await validateServiceTokenDataClientForSecrets({
-            serviceTokenData: authData.authPayload,
-            secrets,
-            requiredPermissions
-        });
-        
-        return secrets;
-    }
-
-    if (authData.authMode === AUTH_MODE_API_KEY && authData.authPayload instanceof User) {
-        await validateUserClientForSecrets({
-            user: authData.authPayload,
-            secrets,
-            requiredPermissions
-        });
-        
-        return secrets;
-    }
-
-    throw UnauthorizedRequestError({
-        message: 'Failed client authorization for secrets resource'
-    });
-}
-
-export {
-    validateClientForSecret,
-    validateClientForSecrets
-}
--- a/backend/src/helpers/serviceAccount.ts
+++ b/backend/src/helpers/serviceAccount.ts
@ -1,271 +0,0 @@
-import _ from 'lodash';
-import { Types } from 'mongoose';
-import {
-	User,
-	IUser,
-	ServiceAccount,
-    IServiceAccount,
-	ServiceTokenData,
-	IServiceTokenData,
-	ISecret,
-	IOrganization,
-	IServiceAccountWorkspacePermission,
-	ServiceAccountWorkspacePermission
-} from '../models';
-import { 
-	BadRequestError, 
-	UnauthorizedRequestError,
-	ServiceAccountNotFoundError
-} from '../utils/errors';
-import {
-	PERMISSION_READ_SECRETS,
-	PERMISSION_WRITE_SECRETS,
-	AUTH_MODE_JWT,
-	AUTH_MODE_SERVICE_ACCOUNT,
-	AUTH_MODE_SERVICE_TOKEN,
-	AUTH_MODE_API_KEY
-} from '../variables';
-import {
-	validateUserClientForServiceAccount
-} from '../helpers/user';
-
-const validateClientForServiceAccount = async ({
-	authData,
-	serviceAccountId,
-	requiredPermissions
-}: {
-	authData: {
-		authMode: string;
-		authPayload: IUser | IServiceAccount | IServiceTokenData;
-	},
-	serviceAccountId: Types.ObjectId;
-	requiredPermissions?: string[];
-}) => {
-	const serviceAccount = await ServiceAccount.findById(serviceAccountId); 
-	
-	if (!serviceAccount) {
-		throw ServiceAccountNotFoundError({
-			message: 'Failed to find service account'
-		});
-	}
-	
-	if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
-		await validateUserClientForServiceAccount({
-			user: authData.authPayload,
-			serviceAccount,
-			requiredPermissions
-		});
-		
-		return serviceAccount;
-	}
-
-	if (authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && authData.authPayload instanceof ServiceAccount) {
-		await validateServiceAccountClientForServiceAccount({
-			serviceAccount: authData.authPayload,
-			targetServiceAccount: serviceAccount,
-			requiredPermissions
-		});
-
-		return serviceAccount;
-	}
-
-	if (authData.authMode === AUTH_MODE_SERVICE_TOKEN && authData.authPayload instanceof ServiceTokenData) {
-		throw UnauthorizedRequestError({
-			message: 'Failed service token authorization for service account resource'
-		});
-	}
-
-	if (authData.authMode === AUTH_MODE_API_KEY && authData.authPayload instanceof User) {
-		await validateUserClientForServiceAccount({
-			user: authData.authPayload,
-			serviceAccount,
-			requiredPermissions
-		});
-		
-		return serviceAccount;
-	}
-	
-	throw UnauthorizedRequestError({
-		message: 'Failed client authorization for service account resource'
-	});
-}
-
-/**
- * Validate that service account (client) can access workspace
- * with id [workspaceId] and its environment [environment] with required permissions
- * [requiredPermissions]
- * @param {Object} obj
- * @param {ServiceAccount} obj.serviceAccount - service account client
- * @param {Types.ObjectId} obj.workspaceId - id of workspace to validate against
- * @param {String} environment - (optional) environment in workspace to validate against
- * @param {String[]} requiredPermissions - required permissions as part of the endpoint
- */
- const validateServiceAccountClientForWorkspace = async ({
-    serviceAccount,
-	workspaceId,
-	environment,
-	requiredPermissions
-}: {
-    serviceAccount: IServiceAccount;
-	workspaceId: Types.ObjectId;
-	environment?: string;
-	requiredPermissions?: string[];
-}) => {
-	if (environment) {
-		// case: environment specified ->
-		// evaluate service account authorization for workspace
-		// in the context of a specific environment [environment]
-		const permission = await ServiceAccountWorkspacePermission.findOne({
-			serviceAccount,
-			workspace: new Types.ObjectId(workspaceId),
-			environment
-		});
-	
-		if (!permission) throw UnauthorizedRequestError({
-			message: 'Failed service account authorization for the given workspace environment'
-		});
-
-		let runningIsDisallowed = false;
-		requiredPermissions?.forEach((requiredPermission: string) => {
-			switch (requiredPermission) {
-				case PERMISSION_READ_SECRETS:
-					if (!permission.read) runningIsDisallowed = true;
-					break;
-				case PERMISSION_WRITE_SECRETS:
-					if (!permission.write) runningIsDisallowed = true;
-					break;
-				default:
-					break;
-			}
-			
-			if (runningIsDisallowed) {
-				throw UnauthorizedRequestError({
-					message: `Failed permissions authorization for workspace environment action : ${requiredPermission}`
-				});	
-			}
-		});
-		
-	} else {
-		// case: no environment specified ->
-		// evaluate service account authorization for workspace
-		// without need of environment [environment]
-
-		const permission = await ServiceAccountWorkspacePermission.findOne({
-			serviceAccount,
-			workspace: new Types.ObjectId(workspaceId)
-		});
-		
-		if (!permission) throw UnauthorizedRequestError({
-			message: 'Failed service account authorization for the given workspace'
-		});
-	}
-}
-
-/**
- * Validate that service account (client) can access secrets
- * with required permissions [requiredPermissions]
- * @param {Object} obj
- * @param {ServiceAccount} obj.serviceAccount - service account client
- * @param {Secret[]} secrets - secrets to validate against
- * @param {string[]} requiredPermissions - required permissions as part of the endpoint
- */
- const validateServiceAccountClientForSecrets = async ({
-	serviceAccount,
-	secrets,
-	requiredPermissions
-}: {
-	serviceAccount: IServiceAccount;
-	secrets: ISecret[];
-	requiredPermissions?: string[];
-}) => {
-
-	const permissions = await ServiceAccountWorkspacePermission.find({
-		serviceAccount: serviceAccount._id 
-	});
-
-	const permissionsObj = _.keyBy(permissions, (p) => {
-		return `${p.workspace.toString()}-${p.environment}`
-	});
-
-	secrets.forEach((secret: ISecret) => {
-		const permission = permissionsObj[`${secret.workspace.toString()}-${secret.environment}`];
-		
-		if (!permission) throw BadRequestError({
-			message: 'Failed to find any permission for the secret workspace and environment'
-		});
-		
-		requiredPermissions?.forEach((requiredPermission: string) => {
-			let runningIsDisallowed = false;
-			requiredPermissions?.forEach((requiredPermission: string) => {
-				switch (requiredPermission) {
-					case PERMISSION_READ_SECRETS:
-						if (!permission.read) runningIsDisallowed = true;
-						break;
-					case PERMISSION_WRITE_SECRETS:
-						if (!permission.write) runningIsDisallowed = true;
-						break;
-					default:
-						break;
-				}
-				
-				if (runningIsDisallowed) {
-					throw UnauthorizedRequestError({
-						message: `Failed permissions authorization for workspace environment action : ${requiredPermission}`
-					});	
-				}
-			});
-		});
-	});
-}
-
-/**
- * Validate that service account (client) can access target service
- * account [serviceAccount] with required permissions [requiredPermissions]
- * @param {Object} obj
- * @param {SerivceAccount} obj.serviceAccount - service account client
- * @param {ServiceAccount} targetServiceAccount - target service account to validate against
- * @param {string[]} requiredPermissions - required permissions as part of the endpoint
- */
-const validateServiceAccountClientForServiceAccount = ({
-	serviceAccount,
-	targetServiceAccount,
-	requiredPermissions
-}: {
-	serviceAccount: IServiceAccount;
-	targetServiceAccount: IServiceAccount;
-	requiredPermissions?: string[];
-}) => {
-	if (!serviceAccount.organization.equals(targetServiceAccount.organization)) {
-		throw UnauthorizedRequestError({
-			message: 'Failed service account authorization for the given service account'
-		});
-	}
-}
-
-/**
- * Validate that service account (client) can access organization [organization]
- * @param {Object} obj
- * @param {User} obj.user - service account client
- * @param {Organization} obj.organization - organization to validate against
- */
-const validateServiceAccountClientForOrganization = async ({
-	serviceAccount,
-	organization
-}: {
-	serviceAccount: IServiceAccount;
-	organization: IOrganization;
-}) => {
-	if (!serviceAccount.organization.equals(organization._id)) {
-		throw UnauthorizedRequestError({
-			message: 'Failed service account authorization for the given organization'
-		});
-	}
-}
-
-export {
-	validateClientForServiceAccount,
-    validateServiceAccountClientForWorkspace,
-	validateServiceAccountClientForSecrets,
-	validateServiceAccountClientForServiceAccount,
-	validateServiceAccountClientForOrganization
-}
--- a/backend/src/helpers/serviceTokenData.ts
+++ b/backend/src/helpers/serviceTokenData.ts
@ -1,189 +0,0 @@
-import { Types } from 'mongoose';
-import {
-    ISecret,
-    IServiceTokenData,
-    ServiceTokenData,
-    IUser,
-    User,
-    IServiceAccount,
-    ServiceAccount,
-} from '../models';
-import { 
-    UnauthorizedRequestError,
-    ServiceTokenDataNotFoundError
-} from '../utils/errors';
-import {
-    AUTH_MODE_JWT,
-	AUTH_MODE_SERVICE_ACCOUNT,
-	AUTH_MODE_SERVICE_TOKEN,
-	AUTH_MODE_API_KEY
-} from '../variables';
-import { validateUserClientForWorkspace } from '../helpers/user';
-import { validateServiceAccountClientForWorkspace } from '../helpers/serviceAccount';
-
-/**
- * Validate authenticated clients for service token with id [serviceTokenId] based
- * on any known permissions.
- * @param {Object} obj
- * @param {Object} obj.authData - authenticated client details
- * @param {Types.ObjectId} obj.serviceTokenData - id of service token to validate against
- * @param {Array<'admin' | 'member'>} obj.acceptedRoles - accepted workspace roles
- */
-const validateClientForServiceTokenData = async ({
-    authData,
-    serviceTokenDataId,
-    acceptedRoles
-}: {
-    authData: {
-		authMode: string;
-		authPayload: IUser | IServiceAccount | IServiceTokenData;
-	};
-    serviceTokenDataId: Types.ObjectId;
-    acceptedRoles: Array<'admin' | 'member'>;
-}) => {
-    const serviceTokenData = await ServiceTokenData
-            .findById(serviceTokenDataId)
-            .select('+encryptedKey +iv +tag')
-            .populate<{ user: IUser }>('user');
-
-    if (!serviceTokenData) throw ServiceTokenDataNotFoundError({
-        message: 'Failed to find service token data'
-    });
-
-    if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
-        await validateUserClientForWorkspace({
-            user: authData.authPayload,
-            workspaceId: serviceTokenData.workspace,
-            acceptedRoles
-        });
-        
-        return serviceTokenData;
-    }
-
-    if (authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && authData.authPayload instanceof ServiceAccount) {
-        await validateServiceAccountClientForWorkspace({
-            serviceAccount: authData.authPayload,
-            workspaceId: serviceTokenData.workspace
-        });
-        
-        return serviceTokenData;
-    }
-
-    if (authData.authMode === AUTH_MODE_SERVICE_TOKEN && authData.authPayload instanceof ServiceTokenData) {
-        throw UnauthorizedRequestError({
-            message: 'Failed service token authorization for service token data'
-        });
-    }
-
-    if (authData.authMode === AUTH_MODE_API_KEY && authData.authPayload instanceof User) {
-        await validateUserClientForWorkspace({
-            user: authData.authPayload,
-            workspaceId: serviceTokenData.workspace,
-            acceptedRoles
-        });
-        
-        return serviceTokenData;
-    }
-    
-    throw UnauthorizedRequestError({
-        message: 'Failed client authorization for service token data'
-    });
-}
-
-/**
- * Validate that service token (client) can access workspace
- * with id [workspaceId] and its environment [environment] with required permissions
- * [requiredPermissions]
- * @param {Object} obj
- * @param {ServiceTokenData} obj.serviceTokenData - service token client
- * @param {Types.ObjectId} obj.workspaceId - id of workspace to validate against
- * @param {String} environment - (optional) environment in workspace to validate against
- * @param {String[]} requiredPermissions - required permissions as part of the endpoint
- */
- const validateServiceTokenDataClientForWorkspace = async ({
-    serviceTokenData,
-	workspaceId,
-	environment,
-	requiredPermissions
-}: {
-    serviceTokenData: IServiceTokenData;
-	workspaceId: Types.ObjectId;
-	environment?: string;
-	requiredPermissions?: string[];
-}) => {
-
-    if (!serviceTokenData.workspace.equals(workspaceId)) {
-        // case: invalid workspaceId passed
-        throw UnauthorizedRequestError({
-            message: 'Failed service token authorization for the given workspace'
-        });
-    }
-
-    if (environment) {
-        // case: environment is specified
-        
-        if (serviceTokenData.environment !== environment) {
-            // case: invalid environment passed
-            throw UnauthorizedRequestError({
-                message: 'Failed service token authorization for the given workspace environment'
-            });
-        }
-
-        requiredPermissions?.forEach((permission) => {
-            if (!serviceTokenData.permissions.includes(permission)) {
-                throw UnauthorizedRequestError({
-                    message: `Failed service token authorization for the given workspace environment action: ${permission}`
-                });
-            }
-        });
-    }
-}
-
-/**
- * Validate that service token (client) can access secrets
- * with required permissions [requiredPermissions]
- * @param {Object} obj
- * @param {ServiceTokenData} obj.serviceTokenData - service token client
- * @param {Secret[]} secrets - secrets to validate against
- * @param {string[]} requiredPermissions - required permissions as part of the endpoint
- */
- const validateServiceTokenDataClientForSecrets = async ({
-    serviceTokenData,
-    secrets,
-	requiredPermissions
-}: {
-    serviceTokenData: IServiceTokenData;
-    secrets: ISecret[];
-	requiredPermissions?: string[];
-}) => {
-
-    secrets.forEach((secret: ISecret) => {
-        if (!serviceTokenData.workspace.equals(secret.workspace)) {
-            // case: invalid workspaceId passed
-            throw UnauthorizedRequestError({
-                message: 'Failed service token authorization for the given workspace'
-            });
-        }
-        
-        if (serviceTokenData.environment !== secret.environment) {
-            // case: invalid environment passed
-            throw UnauthorizedRequestError({
-                message: 'Failed service token authorization for the given workspace environment'
-            });
-        }
-        
-        requiredPermissions?.forEach((permission) => {
-            if (!serviceTokenData.permissions.includes(permission)) {
-                throw UnauthorizedRequestError({
-                    message: `Failed service token authorization for the given workspace environment action: ${permission}`
-                });
-            }
-        });
-    });
-}
-
-export {
-    validateClientForServiceTokenData,
-    validateServiceTokenDataClientForWorkspace,
-    validateServiceTokenDataClientForSecrets
-}
--- a/backend/src/helpers/signup.ts
+++ b/backend/src/helpers/signup.ts
@ -1,11 +1,12 @@
 import * as Sentry from '@sentry/node';
-import { IUser } from '../models';
+import crypto from 'crypto';
+import { Token, IToken, IUser } from '../models';
 import { createOrganization } from './organization';
 import { addMembershipsOrg } from './membershipOrg';
-import { OWNER, ACCEPTED } from '../variables';
+import { createWorkspace } from './workspace';
+import { addMemberships } from './membership';
+import { OWNER, ADMIN, ACCEPTED } from '../variables';
 import { sendMail } from '../helpers/nodemailer';
-import { TokenService } from '../services';
-import { TOKEN_EMAIL_CONFIRMATION } from '../variables';

 /**
 * Send magic link to verify email to [email]
@ -13,13 +14,21 @@ import { TOKEN_EMAIL_CONFIRMATION } from '../variables';
 * @param {Object} obj
 * @param {String} obj.email - email
 * @returns {Boolean} success - whether or not operation was successful
+ *
 */
 const sendEmailVerification = async ({ email }: { email: string }) => {
 	try {
-		const token = await TokenService.createToken({
-			type: TOKEN_EMAIL_CONFIRMATION,
-			email
-		});
+		const token = String(crypto.randomInt(Math.pow(10, 5), Math.pow(10, 6) - 1));
+
+		await Token.findOneAndUpdate(
+			{ email },
+			{
+				email,
+				token,
+				createdAt: new Date()
+			},
+			{ upsert: true, new: true }
+		);

 		// send mail
 		await sendMail({
@ -53,11 +62,12 @@ const checkEmailVerification = async ({
 	code: string;
 }) => {
 	try {
-		await TokenService.validateToken({
-			type: TOKEN_EMAIL_CONFIRMATION,
+		const token = await Token.findOneAndDelete({
 			email,
 			token: code
 		});
+	
+		if (!token) throw new Error('Failed to find email verification token');
 	} catch (err) {
 		Sentry.setUser(null);
 		Sentry.captureException(err);
@ -93,8 +103,20 @@ const initializeDefaultOrg = async ({
 			roles: [OWNER],
 			statuses: [ACCEPTED]
 		});
+
+		// initialize a default workspace inside the new organization
+		const workspace = await createWorkspace({
+			name: `Example Project`,
+			organizationId: organization._id.toString()
+		});
+
+		await addMemberships({
+			userIds: [user._id.toString()],
+			workspaceId: workspace._id.toString(),
+			roles: [ADMIN]
+		});
 	} catch (err) {
-		throw new Error(`Failed to initialize default organization and workspace [err=${err}]`);
+		throw new Error('Failed to initialize default organization and workspace');
 	}
 };

--- a/backend/src/helpers/telemetry.ts
+++ b/backend/src/helpers/telemetry.ts
--- a/backend/src/helpers/token.ts
+++ b/backend/src/helpers/token.ts
@ -1,215 +0,0 @@
-import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
-import { TokenData } from '../models';
-import crypto from 'crypto';
-import bcrypt from 'bcrypt';
-import {
-    TOKEN_EMAIL_CONFIRMATION,
-    TOKEN_EMAIL_MFA,
-    TOKEN_EMAIL_ORG_INVITATION,
-    TOKEN_EMAIL_PASSWORD_RESET
-} from '../variables';
-import { UnauthorizedRequestError } from '../utils/errors';
-import { getSaltRounds } from '../config';
-
-/**
- * Create and store a token in the database for purpose [type]
- * @param {Object} obj
- * @param {String} obj.type
- * @param {String} obj.email
- * @param {String} obj.phoneNumber
- * @param {Types.ObjectId} obj.organizationId
- * @returns {String} token - the created token
- */
-const createTokenHelper = async ({
-    type,
-    email,
-    phoneNumber,
-    organizationId
-}: {
-    type: 'emailConfirmation' | 'emailMfa' | 'organizationInvitation' | 'passwordReset';
-    email?: string;
-    phoneNumber?: string;
-    organizationId?: Types.ObjectId
-}) => {
-    let token, expiresAt, triesLeft;
-    try {
-        // generate random token based on specified token use-case
-        // type [type]
-        switch (type) {
-            case TOKEN_EMAIL_CONFIRMATION:
-                // generate random 6-digit code
-                token = String(crypto.randomInt(Math.pow(10, 5), Math.pow(10, 6) - 1));
-                expiresAt = new Date((new Date()).getTime() + 86400000);
-                break;
-            case TOKEN_EMAIL_MFA:
-                // generate random 6-digit code
-                token = String(crypto.randomInt(Math.pow(10, 5), Math.pow(10, 6) - 1));
-                triesLeft = 5;
-                expiresAt = new Date((new Date()).getTime() + 300000);
-                break;
-            case TOKEN_EMAIL_ORG_INVITATION:
-                // generate random hex
-                token = crypto.randomBytes(16).toString('hex');
-                expiresAt = new Date((new Date()).getTime() + 259200000);
-                break;
-            case TOKEN_EMAIL_PASSWORD_RESET:
-                // generate random hex
-                token = crypto.randomBytes(16).toString('hex');
-                expiresAt = new Date((new Date()).getTime() + 86400000); 
-                break;
-            default:
-                token = crypto.randomBytes(16).toString('hex');
-                expiresAt = new Date();
-                break;
-        }
-        
-       interface TokenDataQuery {
-            type: string;
-            email?: string;
-            phoneNumber?: string;
-            organization?: Types.ObjectId;
-        }
-        
-        interface TokenDataUpdate {
-            type: string;
-            email?: string;
-            phoneNumber?: string;
-            organization?: Types.ObjectId;
-            tokenHash: string;
-            triesLeft?: number;
-            expiresAt: Date;
-        }
-
-        const query: TokenDataQuery = { type };
-        const update: TokenDataUpdate = {
-            type,
-            tokenHash: await bcrypt.hash(token, getSaltRounds()),
-            expiresAt
-        }
-
-        if (email) {
-            query.email = email; 
-            update.email = email; 
-        }
-        if (phoneNumber) { 
-            query.phoneNumber = phoneNumber; 
-            update.phoneNumber = phoneNumber; 
-        }
-        if (organizationId) { 
-            query.organization = organizationId 
-            update.organization = organizationId 
-        } 
-        
-        if (triesLeft) {
-            update.triesLeft = triesLeft;
-        }
-       
-        await TokenData.findOneAndUpdate(
-            query,
-            update,
-            {
-                new: true,
-                upsert: true
-            }
-        );
-    } catch (err) {
-        Sentry.setUser(null);
-        Sentry.captureException(err);
-        throw new Error(
-            "Failed to create token"
-        ); 
-    }
-    
-    return token;
-}
-
-/**
- * 
- * @param {Object} obj
- * @param {String} obj.email - email associated with the token
- * @param {String} obj.token - value of the token
- */
-const validateTokenHelper = async ({
-    type,
-    email,
-    phoneNumber,
-    organizationId,
-    token
-}: {
-    type: 'emailConfirmation' | 'emailMfa' | 'organizationInvitation' | 'passwordReset';
-    email?: string;
-    phoneNumber?: string;
-    organizationId?: Types.ObjectId;
-    token: string;
-}) => {
-    interface Query {
-        type: string;
-        email?: string;
-        phoneNumber?: string;
-        organization?: Types.ObjectId;
-    }
-
-    const query: Query = { type };
-
-    if (email) { query.email = email; }
-    if (phoneNumber) { query.phoneNumber = phoneNumber; }
-    if (organizationId) { query.organization = organizationId; }
-
-    const tokenData = await TokenData.findOne(query).select('+tokenHash');
-    
-    if (!tokenData) throw new Error('Failed to find token to validate');
-    
-    if (tokenData.expiresAt < new Date()) {
-        // case: token expired
-        await TokenData.findByIdAndDelete(tokenData._id);
-        throw UnauthorizedRequestError({
-            message: 'MFA session expired. Please log in again',
-            context: {
-                code: 'mfa_expired'
-            }
-        });
-    }
-
-    const isValid = await bcrypt.compare(token, tokenData.tokenHash);
-    if (!isValid) {
-        // case: token is not valid
-        if (tokenData?.triesLeft !== undefined) {
-            // case: token has a try-limit
-            if (tokenData.triesLeft === 1) {
-                // case: token is out of tries
-                await TokenData.findByIdAndDelete(tokenData._id);
-            } else {
-                // case: token has more than 1 try left
-                await TokenData.findByIdAndUpdate(tokenData._id, {
-                    triesLeft: tokenData.triesLeft - 1
-                }, {
-                    new: true
-                });
-            }
-
-            throw UnauthorizedRequestError({
-                message: 'MFA code is invalid',
-                context: {
-                    code: 'mfa_invalid',
-                    triesLeft: tokenData.triesLeft - 1
-                }
-            });
-        }
-
-        throw UnauthorizedRequestError({
-            message: 'MFA code is invalid',
-            context: {
-                code: 'mfa_invalid'
-            }
-        });
-    }
-
-    // case: token is valid
-    await TokenData.findByIdAndDelete(tokenData._id);
-}
-
-export {
-    createTokenHelper,
-    validateTokenHelper
-}
--- a/backend/src/helpers/user.ts
+++ b/backend/src/helpers/user.ts
@ -1,25 +1,5 @@
 import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
-import {
-	IUser, 
-	ISecret,
-	IServiceAccount,
-	User,
-	Membership,
-	IOrganization,
-	Organization,
-} from '../models';
-import { sendMail } from './nodemailer';
-import { validateMembership } from './membership';
-import _ from 'lodash';
-import { BadRequestError, UnauthorizedRequestError } from '../utils/errors';
-import {
-	validateMembershipOrg
-} from '../helpers/membershipOrg';
-import {
-	PERMISSION_READ_SECRETS,
-	PERMISSION_WRITE_SECRETS
-} from '../variables';
+import { User, IUser } from '../models';

 /**
 * Initialize a user under email [email]
@ -48,14 +28,10 @@ const setupAccount = async ({ email }: { email: string }) => {
 * @param {String} obj.userId - id of user to finish setting up
 * @param {String} obj.firstName - first name of user
 * @param {String} obj.lastName - last name of user
- * @param {Number} obj.encryptionVersion - version of auth encryption scheme used
- * @param {String} obj.protectedKey - protected key in encryption version 2
- * @param {String} obj.protectedKeyIV - IV of protected key in encryption version 2
- * @param {String} obj.protectedKeyTag - tag of protected key in encryption version 2
 * @param {String} obj.publicKey - publickey of user
 * @param {String} obj.encryptedPrivateKey - (encrypted) private key of user
- * @param {String} obj.encryptedPrivateKeyIV - iv for (encrypted) private key of user
- * @param {String} obj.encryptedPrivateKeyTag - tag for (encrypted) private key of user
+ * @param {String} obj.iv - iv for (encrypted) private key of user
+ * @param {String} obj.tag - tag for (encrypted) private key of user
 * @param {String} obj.salt - salt for auth SRP
 * @param {String} obj.verifier - verifier for auth SRP
 * @returns {Object} user - the completed user
@ -64,28 +40,20 @@ const completeAccount = async ({
 	userId,
 	firstName,
 	lastName,
-	encryptionVersion,
-	protectedKey,
-	protectedKeyIV,
-	protectedKeyTag,
 	publicKey,
 	encryptedPrivateKey,
-	encryptedPrivateKeyIV,
-	encryptedPrivateKeyTag,
+	iv,
+	tag,
 	salt,
 	verifier
 }: {
 	userId: string;
 	firstName: string;
 	lastName: string;
-	encryptionVersion: number;
-	protectedKey: string;
-	protectedKeyIV: string;
-	protectedKeyTag: string;
 	publicKey: string;
 	encryptedPrivateKey: string;
-	encryptedPrivateKeyIV: string;
-	encryptedPrivateKeyTag: string;
+	iv: string;
+	tag: string;
 	salt: string;
 	verifier: string;
 }) => {
@ -99,14 +67,10 @@ const completeAccount = async ({
 			{
 				firstName,
 				lastName,
-				encryptionVersion,
-				protectedKey,
-				protectedKeyIV,
-				protectedKeyTag,
 				publicKey,
 				encryptedPrivateKey,
-				iv: encryptedPrivateKeyIV,
-				tag: encryptedPrivateKeyTag,
+				iv,
+				tag,
 				salt,
 				verifier
 			},
@ -121,248 +85,4 @@ const completeAccount = async ({
 	return user;
 };

-/**
- * Check if device with ip [ip] and user-agent [userAgent] has been seen for user [user].
- * If the device is unseen, then notify the user of the new device
- * @param {Object} obj
- * @param {String} obj.ip - login ip address
- * @param {String} obj.userAgent - login user-agent
- */
-const checkUserDevice = async ({
-	user,
-	ip,
-	userAgent
-}: {
-	user: IUser;
-	ip: string;
-	userAgent: string;
-}) => {
-	const isDeviceSeen = user.devices.some((device) => device.ip === ip && device.userAgent === userAgent);
-		
-	if (!isDeviceSeen) {
-		// case: unseen login ip detected for user
-		// -> notify user about the sign-in from new ip 
-		
-		user.devices = user.devices.concat([{
-			ip: String(ip),
-			userAgent
-		}]);
-		
-		await user.save();
-
-		// send MFA code [code] to [email]
-		await sendMail({
-			template: 'newDevice.handlebars',
-			subjectLine: `Successful login from new device`,
-			recipients: [user.email],
-			substitutions: {
-				email: user.email,
-				timestamp: new Date().toString(),
-				ip,
-				userAgent
-			}
-		}); 
-	}
-}
-
-/**
- * Validate that user (client) can access workspace
- * with id [workspaceId] and its environment [environment] with required permissions
- * [requiredPermissions]
- * @param {Object} obj
- * @param {User} obj.user - user client
- * @param {Types.ObjectId} obj.workspaceId - id of workspace to validate against
- * @param {String} environment - (optional) environment in workspace to validate against
- * @param {String[]} requiredPermissions - required permissions as part of the endpoint
- */
-const validateUserClientForWorkspace = async ({
-	user,
-	workspaceId,
-	environment,
-	acceptedRoles,
-	requiredPermissions
-}: {
-	user: IUser;
-	workspaceId: Types.ObjectId;
-	environment?: string;
-	acceptedRoles: Array<'admin' | 'member'>;
-	requiredPermissions?: string[];
-}) => {
-	
-	// validate user membership in workspace
-	const membership = await validateMembership({
-        userId: user._id,
-        workspaceId,
-		acceptedRoles
-    });
-	
-	let runningIsDisallowed = false;
-	requiredPermissions?.forEach((requiredPermission: string) => {
-		switch (requiredPermission) {
-			case PERMISSION_READ_SECRETS:
-				runningIsDisallowed = _.some(membership.deniedPermissions, { environmentSlug: environment, ability: PERMISSION_READ_SECRETS });
-				break;
-			case PERMISSION_WRITE_SECRETS:
-				runningIsDisallowed = _.some(membership.deniedPermissions, { environmentSlug: environment, ability: PERMISSION_WRITE_SECRETS });
-				break;
-			default:
-				break;
-		}
-		
-		if (runningIsDisallowed) {
-			throw UnauthorizedRequestError({
-				message: `Failed permissions authorization for workspace environment action : ${requiredPermission}`
-			});	
-		}
-	});
-	
-	return membership;
-}
-
-/**
- * Validate that user (client) can access secret [secret]
- * with required permissions [requiredPermissions]
- * @param {Object} obj
- * @param {User} obj.user - user client
- * @param {Secret[]} obj.secrets - secrets to validate against
- * @param {String[]} requiredPermissions - required permissions as part of the endpoint
- */
-const validateUserClientForSecret = async ({
-	user,
-	secret,
-	acceptedRoles,
-	requiredPermissions
-}: {
-	user: IUser;
-	secret: ISecret;
-	acceptedRoles?: Array<'admin' | 'member'>;
-	requiredPermissions?: string[];
-}) => {
-	const membership = await validateMembership({
-		userId: user._id,
-		workspaceId: secret.workspace,
-		acceptedRoles
-	});
-	
-	if (requiredPermissions?.includes(PERMISSION_WRITE_SECRETS)) {
-		const isDisallowed = _.some(membership.deniedPermissions, { environmentSlug: secret.environment, ability: PERMISSION_WRITE_SECRETS });
-
-		if (isDisallowed) {
-			throw UnauthorizedRequestError({
-				message: 'You do not have the required permissions to perform this action' 
-			});
-		}
-	}
-}
-
-/**
- * Validate that user (client) can access secrets [secrets]
- * with required permissions [requiredPermissions]
- * @param {Object} obj
- * @param {User} obj.user - user client
- * @param {Secret[]} obj.secrets - secrets to validate against
- * @param {String[]} requiredPermissions - required permissions as part of the endpoint
- */
- const validateUserClientForSecrets = async ({
-	user,
-	secrets,
-	requiredPermissions
-}: {
-	user: IUser;
-	secrets: ISecret[];
-	requiredPermissions?: string[];
-}) => {
-	
-	// TODO: add acceptedRoles?
-
-	const userMemberships = await Membership.find({ user: user._id })
-	const userMembershipById = _.keyBy(userMemberships, 'workspace');
-	const workspaceIdsSet = new Set(userMemberships.map((m) => m.workspace.toString()));
-
-	// for each secret check if the secret belongs to a workspace the user is a member of
-	secrets.forEach((secret: ISecret) => {
-		if (!workspaceIdsSet.has(secret.workspace.toString())) {
-			throw BadRequestError({
-				message: 'Failed authorization for the secret'
-			});
-		}
-
-		if (requiredPermissions?.includes(PERMISSION_WRITE_SECRETS)) {
-			const deniedMembershipPermissions = userMembershipById[secret.workspace.toString()].deniedPermissions;
-			const isDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: secret.environment, ability: PERMISSION_WRITE_SECRETS });
-
-			if (isDisallowed) {
-				throw UnauthorizedRequestError({
-					message: 'You do not have the required permissions to perform this action' 
-				});
-			}
-		}
-	});
-}
-
-/**
- * Validate that user (client) can access service account [serviceAccount]
- * with required permissions [requiredPermissions]
- * @param {Object} obj
- * @param {User} obj.user - user client
- * @param {ServiceAccount} obj.serviceAccount - service account to validate against
- * @param {String[]} requiredPermissions - required permissions as part of the endpoint
- */
-const validateUserClientForServiceAccount = async ({
-	user,
-	serviceAccount,
-	requiredPermissions
-}: {
-	user: IUser;
-	serviceAccount: IServiceAccount;
-	requiredPermissions?: string[];
-}) => {
-	if (!serviceAccount.user.equals(user._id)) {
-		// case: user who created service account is not the
-		// same user that is on the request
-		await validateMembershipOrg({
-			userId: user._id,
-			organizationId: serviceAccount.organization,
-			acceptedRoles: [],
-			acceptedStatuses: []
-		});
-	}
-}
-
-/**
- * Validate that user (client) can access organization [organization]
- * @param {Object} obj
- * @param {User} obj.user - user client
- * @param {Organization} obj.organization - organization to validate against
- */
- const validateUserClientForOrganization = async ({
-	user,
-	organization,
-	acceptedRoles,
-	acceptedStatuses
-}: {
-	user: IUser;
-	organization: IOrganization;
-	acceptedRoles: Array<'owner' | 'admin' | 'member'>;
-	acceptedStatuses: Array<'invited' | 'accepted'>;
-}) => {
-	const membershipOrg = await validateMembershipOrg({
-		userId: user._id,
-		organizationId: organization._id,
-		acceptedRoles,
-		acceptedStatuses
-	});
-	
-	return membershipOrg;
-}
-
-export { 
-	setupAccount, 
-	completeAccount, 
-	checkUserDevice,
-	validateUserClientForWorkspace,
-	validateUserClientForSecrets,
-	validateUserClientForServiceAccount,
-	validateUserClientForOrganization,
-	validateUserClientForSecret
-};
+export { setupAccount, completeAccount };
--- a/backend/src/helpers/workspace.ts
+++ b/backend/src/helpers/workspace.ts
@ -1,115 +1,12 @@
 import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
 import {
 	Workspace,
 	Bot,
 	Membership,
 	Key,
-	Secret,
-	User,
-	IUser,
-	ServiceAccountWorkspacePermission,
-	ServiceAccount,
-	IServiceAccount,
-	ServiceTokenData,
-	IServiceTokenData,
+	Secret
 } from '../models';
 import { createBot } from '../helpers/bot';
-import { validateUserClientForWorkspace } from '../helpers/user';
-import { validateServiceAccountClientForWorkspace } from '../helpers/serviceAccount';
-import { validateServiceTokenDataClientForWorkspace } from '../helpers/serviceTokenData';
-import { validateMembership } from '../helpers/membership';
-import { UnauthorizedRequestError, WorkspaceNotFoundError } from '../utils/errors';
-import {
-	AUTH_MODE_JWT,
-	AUTH_MODE_SERVICE_ACCOUNT,
-	AUTH_MODE_SERVICE_TOKEN,
-	AUTH_MODE_API_KEY
-} from '../variables';
-
-/**
- * Validate authenticated clients for workspace with id [workspaceId] based
- * on any known permissions.
- * @param {Object} obj
- * @param {Object} obj.authData - authenticated client details
- * @param {Types.ObjectId} obj.workspaceId - id of workspace to validate against
- * @param {String} obj.environment - (optional) environment in workspace to validate against
- * @param {Array<'admin' | 'member'>} obj.acceptedRoles - accepted workspace roles
- * @param {String[]} obj.requiredPermissions - required permissions as part of the endpoint
- */
-const validateClientForWorkspace = async ({
-	authData,
-	workspaceId,
-	environment,
-	acceptedRoles,
-	requiredPermissions
-}: {
-	authData: {
-		authMode: string;
-		authPayload: IUser | IServiceAccount | IServiceTokenData;
-	};
-	workspaceId: Types.ObjectId;
-	environment?: string;
-	acceptedRoles: Array<'admin' | 'member'>;
-	requiredPermissions?: string[];
-}) => {
-	
-	const workspace = await Workspace.findById(workspaceId);
-
-	if (!workspace) throw WorkspaceNotFoundError({
-		message: 'Failed to find workspace'
-	});
-
-	if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
-		const membership = await validateUserClientForWorkspace({
-			user: authData.authPayload,
-			workspaceId,
-			environment,
-			acceptedRoles,
-			requiredPermissions
-		});
-		
-		return ({ membership });
-	}
-
-	if (authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && authData.authPayload instanceof ServiceAccount) {
-		await validateServiceAccountClientForWorkspace({
-			serviceAccount: authData.authPayload,
-			workspaceId,
-			environment,
-			requiredPermissions
-		});
-		
-		return {};
-	}
-	
-	if (authData.authMode === AUTH_MODE_SERVICE_TOKEN && authData.authPayload instanceof ServiceTokenData) {
-		await validateServiceTokenDataClientForWorkspace({
-			serviceTokenData: authData.authPayload,
-			workspaceId,
-			environment,
-			requiredPermissions
-		});
-
-		return {};
-	}
-
-	if (authData.authMode === AUTH_MODE_API_KEY && authData.authPayload instanceof User) {
-		const membership = await validateUserClientForWorkspace({
-			user: authData.authPayload,
-			workspaceId,
-			environment,
-			acceptedRoles,
-			requiredPermissions
-		});
-		
-		return ({ membership });
-	}
-	
-	throw UnauthorizedRequestError({
-		message: 'Failed client authorization for workspace'
-	});
-}

 /**
 * Create a workspace with name [name] in organization with id [organizationId]
@ -174,8 +71,4 @@ const deleteWorkspace = async ({ id }: { id: string }) => {
 	}
 };

-export {
-	validateClientForWorkspace,
-	createWorkspace, 
-	deleteWorkspace 
-};
+export { createWorkspace, deleteWorkspace };
--- a/backend/src/index.ts
+++ b/backend/src/index.ts
@ -1,186 +1,28 @@
-import mongoose from 'mongoose';
 import dotenv from 'dotenv';
 dotenv.config();
-import infisical from 'infisical-node';
-import express from 'express';
-import helmet from 'helmet';
-import cors from 'cors';
+
 import * as Sentry from '@sentry/node';
+import { SENTRY_DSN, NODE_ENV, MONGO_URL } from './config';
+import { server } from './app';
 import { DatabaseService } from './services';
 import { setUpHealthEndpoint } from './services/health';
 import { initSmtp } from './services/smtp';
-import { TelemetryService } from './services';
 import { setTransporter } from './helpers/nodemailer';
 import { createTestUserForDevelopment } from './utils/addDevelopmentUser';
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const { patchRouterParam } = require('./utils/patchAsyncRoutes');

-import cookieParser from 'cookie-parser';
-import swaggerUi = require('swagger-ui-express');
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const swaggerFile = require('../spec.json');
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const requestIp = require('request-ip');
-import { apiLimiter } from './helpers/rateLimiter';
-import {
-    workspace as eeWorkspaceRouter,
-    secret as eeSecretRouter,
-    secretSnapshot as eeSecretSnapshotRouter,
-    action as eeActionRouter
-} from './ee/routes/v1';
-import {
-    signup as v1SignupRouter,
-    auth as v1AuthRouter,
-    bot as v1BotRouter,
-    organization as v1OrganizationRouter,
-    workspace as v1WorkspaceRouter,
-    membershipOrg as v1MembershipOrgRouter,
-    membership as v1MembershipRouter,
-    key as v1KeyRouter,
-    inviteOrg as v1InviteOrgRouter,
-    user as v1UserRouter,
-    userAction as v1UserActionRouter,
-    secret as v1SecretRouter,
-    serviceToken as v1ServiceTokenRouter,
-    password as v1PasswordRouter,
-    stripe as v1StripeRouter,
-    integration as v1IntegrationRouter,
-    integrationAuth as v1IntegrationAuthRouter
-} from './routes/v1';
-import {
-    signup as v2SignupRouter,
-    auth as v2AuthRouter,
-    users as v2UsersRouter,
-    organizations as v2OrganizationsRouter,
-    workspace as v2WorkspaceRouter,
-    secret as v2SecretRouter, // begin to phase out
-    secrets as v2SecretsRouter,
-    serviceTokenData as v2ServiceTokenDataRouter,
-    serviceAccounts as v2ServiceAccountsRouter,
-    apiKeyData as v2APIKeyDataRouter,
-    environment as v2EnvironmentRouter,
-    tags as v2TagsRouter,
-} from './routes/v2';
-import { healthCheck } from './routes/status';
-import { getLogger } from './utils/logger';
-import { RouteNotFoundError } from './utils/errors';
-import { requestErrorHandler } from './middleware/requestErrorHandler';
-import {
-    getMongoURL,
-    getNodeEnv,
-    getPort,
-    getSentryDSN,
-    getSiteURL,
-    getSmtpHost
-} from './config';
+DatabaseService.initDatabase(MONGO_URL);

-const main = async () => {
-    if (process.env.INFISICAL_TOKEN != "" || process.env.INFISICAL_TOKEN != undefined) {
-        await infisical.connect({
-            token: process.env.INFISICAL_TOKEN!
-        });
-    }
+setUpHealthEndpoint(server);

-    TelemetryService.logTelemetryMessage();
-    setTransporter(initSmtp());
+setTransporter(initSmtp());

-    await DatabaseService.initDatabase(getMongoURL());
-    if (getNodeEnv() !== 'test') {
-        Sentry.init({
-            dsn: getSentryDSN(),
-            tracesSampleRate: 1.0,
-            debug: getNodeEnv() === 'production' ? false : true,
-            environment: getNodeEnv()
-        });
-    }
-
-    patchRouterParam();
-    const app = express();
-    app.enable('trust proxy');
-    app.use(express.json());
-    app.use(cookieParser());
-    app.use(
-        cors({
-            credentials: true,
-            origin: getSiteURL()
-        })
-    );
-
-    app.use(requestIp.mw());
-
-    if (getNodeEnv() === 'production') {
-        // enable app-wide rate-limiting + helmet security
-        // in production
-        app.disable('x-powered-by');
-        app.use(apiLimiter);
-        app.use(helmet());
-    }
-
-    // (EE) routes
-    app.use('/api/v1/secret', eeSecretRouter);
-    app.use('/api/v1/secret-snapshot', eeSecretSnapshotRouter);
-    app.use('/api/v1/workspace', eeWorkspaceRouter);
-    app.use('/api/v1/action', eeActionRouter);
-
-    // v1 routes
-    app.use('/api/v1/signup', v1SignupRouter);
-    app.use('/api/v1/auth', v1AuthRouter);
-    app.use('/api/v1/bot', v1BotRouter);
-    app.use('/api/v1/user', v1UserRouter);
-    app.use('/api/v1/user-action', v1UserActionRouter);
-    app.use('/api/v1/organization', v1OrganizationRouter);
-    app.use('/api/v1/workspace', v1WorkspaceRouter);
-    app.use('/api/v1/membership-org', v1MembershipOrgRouter);
-    app.use('/api/v1/membership', v1MembershipRouter);
-    app.use('/api/v1/key', v1KeyRouter);
-    app.use('/api/v1/invite-org', v1InviteOrgRouter);
-    app.use('/api/v1/secret', v1SecretRouter);
-    app.use('/api/v1/service-token', v1ServiceTokenRouter); // deprecated
-    app.use('/api/v1/password', v1PasswordRouter);
-    app.use('/api/v1/stripe', v1StripeRouter);
-    app.use('/api/v1/integration', v1IntegrationRouter);
-    app.use('/api/v1/integration-auth', v1IntegrationAuthRouter);
-
-    // v2 routes
-    app.use('/api/v2/signup', v2SignupRouter);
-    app.use('/api/v2/auth', v2AuthRouter);
-    app.use('/api/v2/users', v2UsersRouter);
-    app.use('/api/v2/organizations', v2OrganizationsRouter);
-    app.use('/api/v2/workspace', v2EnvironmentRouter);
-    app.use('/api/v2/workspace', v2TagsRouter);
-    app.use('/api/v2/workspace', v2WorkspaceRouter);
-    app.use('/api/v2/secret', v2SecretRouter); // deprecated
-    app.use('/api/v2/secrets', v2SecretsRouter);
-    app.use('/api/v2/service-token', v2ServiceTokenDataRouter); // TODO: turn into plural route
-    app.use('/api/v2/service-accounts', v2ServiceAccountsRouter); // new
-    app.use('/api/v2/api-key', v2APIKeyDataRouter);
-
-    // api docs 
-    app.use('/api-docs', swaggerUi.serve, swaggerUi.setup(swaggerFile))
-
-    // Server status
-    app.use('/api', healthCheck)
-
-    //* Handle unrouted requests and respond with proper error message as well as status code
-    app.use((req, res, next) => {
-        if (res.headersSent) return next();
-        next(RouteNotFoundError({ message: `The requested source '(${req.method})${req.url}' was not found` }))
-    })
-
-    app.use(requestErrorHandler)
-
-    const server = app.listen(getPort(), () => {
-        getLogger("backend-main").info(`Server started listening at port ${getPort()}`)
-    });
-
-    await createTestUserForDevelopment();
-    setUpHealthEndpoint(server);
-
-    server.on('close', async () => {
-        await DatabaseService.closeDatabase();
-    })
-
-    return server;
+if (NODE_ENV !== 'test') {
+  Sentry.init({
+    dsn: SENTRY_DSN,
+    tracesSampleRate: 1.0,
+    debug: NODE_ENV === 'production' ? false : true,
+    environment: NODE_ENV
+  });
 }

-export default main();
+createTestUserForDevelopment()
--- a/backend/src/integrations/apps.ts
+++ b/backend/src/integrations/apps.ts
@ -1,133 +1,81 @@
-import * as Sentry from "@sentry/node";
-import { Octokit } from "@octokit/rest";
-import { IIntegrationAuth } from "../models";
-import request from '../config/request';
+import axios from 'axios';
+import * as Sentry from '@sentry/node';
+import { Octokit } from '@octokit/rest';
+import { IIntegrationAuth } from '../models';
 import {
-  INTEGRATION_AZURE_KEY_VAULT,
-  INTEGRATION_AWS_PARAMETER_STORE,
-  INTEGRATION_AWS_SECRET_MANAGER,
  INTEGRATION_HEROKU,
  INTEGRATION_VERCEL,
  INTEGRATION_NETLIFY,
  INTEGRATION_GITHUB,
-  INTEGRATION_GITLAB,
  INTEGRATION_RENDER,
-  INTEGRATION_RAILWAY,
  INTEGRATION_FLYIO,
-  INTEGRATION_CIRCLECI,
-  INTEGRATION_TRAVISCI,
-  INTEGRATION_SUPABASE,
  INTEGRATION_HEROKU_API_URL,
-  INTEGRATION_GITLAB_API_URL,
  INTEGRATION_VERCEL_API_URL,
  INTEGRATION_NETLIFY_API_URL,
  INTEGRATION_RENDER_API_URL,
-  INTEGRATION_RAILWAY_API_URL,
-  INTEGRATION_FLYIO_API_URL,
-  INTEGRATION_CIRCLECI_API_URL,
-  INTEGRATION_TRAVISCI_API_URL,
-  INTEGRATION_SUPABASE_API_URL
-} from "../variables";
-
-interface App {
-  name: string;
-  appId?: string;
-  owner?: string;
-}
+  INTEGRATION_FLYIO_API_URL
+} from '../variables';

 /**
 * Return list of names of apps for integration named [integration]
 * @param {Object} obj
 * @param {String} obj.integration - name of integration
 * @param {String} obj.accessToken - access token for integration
- * @param {String} obj.teamId - (optional) id of team for getting integration apps (used for integrations like GitLab)
 * @returns {Object[]} apps - names of integration apps
 * @returns {String} apps.name - name of integration app
 */
 const getApps = async ({
  integrationAuth,
-  accessToken,
-  teamId
+  accessToken
 }: {
  integrationAuth: IIntegrationAuth;
  accessToken: string;
-  teamId?: string;
 }) => {
+  interface App {
+    name: string;
+    appId?: string;
+    owner?: string;
+  }

-  let apps: App[] = [];
+  let apps: App[];
  try {
    switch (integrationAuth.integration) {
-      case INTEGRATION_AZURE_KEY_VAULT:
-        apps = [];
-        break;
-      case INTEGRATION_AWS_PARAMETER_STORE:
-        apps = [];
-        break;
-      case INTEGRATION_AWS_SECRET_MANAGER:
-        apps = [];
-        break;
      case INTEGRATION_HEROKU:
        apps = await getAppsHeroku({
-          accessToken,
+          accessToken
        });
        break;
      case INTEGRATION_VERCEL:
        apps = await getAppsVercel({
          integrationAuth,
-          accessToken,
+          accessToken
        });
        break;
      case INTEGRATION_NETLIFY:
        apps = await getAppsNetlify({
-          accessToken,
+          accessToken
        });
        break;
      case INTEGRATION_GITHUB:
        apps = await getAppsGithub({
-          accessToken,
-        });
-        break;
-      case INTEGRATION_GITLAB:
-        apps = await getAppsGitlab({
-          accessToken,
-          teamId
+          accessToken
        });
        break;
      case INTEGRATION_RENDER:
        apps = await getAppsRender({
-          accessToken,
-        });
-        break;
-      case INTEGRATION_RAILWAY:
-        apps = await getAppsRailway({
-          accessToken 
+          accessToken
        });
        break;
      case INTEGRATION_FLYIO:
        apps = await getAppsFlyio({
-          accessToken,
-        });
-        break;
-      case INTEGRATION_CIRCLECI:
-        apps = await getAppsCircleCI({
-          accessToken,
-        });
-        break;
-      case INTEGRATION_TRAVISCI:
-        apps = await getAppsTravisCI({
-          accessToken,
-        })
-        break;
-      case INTEGRATION_SUPABASE:
-        apps = await getAppsSupabase({
-            accessToken
+          accessToken
        });
        break;
    }
  } catch (err) {
    Sentry.setUser(null);
    Sentry.captureException(err);
-    throw new Error("Failed to get integration apps");
+    throw new Error('Failed to get integration apps');
  }

  return apps;
@ -144,21 +92,21 @@ const getAppsHeroku = async ({ accessToken }: { accessToken: string }) => {
  let apps;
  try {
    const res = (
-      await request.get(`${INTEGRATION_HEROKU_API_URL}/apps`, {
+      await axios.get(`${INTEGRATION_HEROKU_API_URL}/apps`, {
        headers: {
-          Accept: "application/vnd.heroku+json; version=3",
-          Authorization: `Bearer ${accessToken}`,
-        },
+          Accept: 'application/vnd.heroku+json; version=3',
+          Authorization: `Bearer ${accessToken}`
+        }
      })
    ).data;

    apps = res.map((a: any) => ({
-      name: a.name,
+      name: a.name
    }));
  } catch (err) {
    Sentry.setUser(null);
    Sentry.captureException(err);
-    throw new Error("Failed to get Heroku integration apps");
+    throw new Error('Failed to get Heroku integration apps');
  }

  return apps;
@ -171,39 +119,35 @@ const getAppsHeroku = async ({ accessToken }: { accessToken: string }) => {
 * @returns {Object[]} apps - names of Vercel apps
 * @returns {String} apps.name - name of Vercel app
 */
-const getAppsVercel = async ({
+const getAppsVercel = async ({ 
  integrationAuth,
-  accessToken,
-}: {
+  accessToken 
+}: { 
  integrationAuth: IIntegrationAuth;
  accessToken: string;
 }) => {
  let apps;
  try {
    const res = (
-      await request.get(`${INTEGRATION_VERCEL_API_URL}/v9/projects`, {
+      await axios.get(`${INTEGRATION_VERCEL_API_URL}/v9/projects`, {
        headers: {
-          Authorization: `Bearer ${accessToken}`,
-          'Accept-Encoding': 'application/json'
+          Authorization: `Bearer ${accessToken}`
        },
-        ...(integrationAuth?.teamId
-          ? {
-              params: {
-                teamId: integrationAuth.teamId,
-              },
-            }
-          : {}),
+       ...( integrationAuth?.teamId ? { 
+        params: {
+          teamId: integrationAuth.teamId
+        }
+      } : {}) 
      })
    ).data;
-
+    
    apps = res.projects.map((a: any) => ({
-      name: a.name,
-      appId: a.id
+      name: a.name
    }));
  } catch (err) {
    Sentry.setUser(null);
    Sentry.captureException(err);
-    throw new Error("Failed to get Vercel integration apps");
+    throw new Error('Failed to get Vercel integration apps');
  }

  return apps;
@ -216,45 +160,29 @@ const getAppsVercel = async ({
 * @returns {Object[]} apps - names of Netlify sites
 * @returns {String} apps.name - name of Netlify site
 */
-const getAppsNetlify = async ({ accessToken }: { accessToken: string }) => {
-  const apps: any = [];
+const getAppsNetlify = async ({
+  accessToken
+}: {
+  accessToken: string;
+}) => {
+  let apps;
  try {
-    let page = 1;
-    const perPage = 10;
-    let hasMorePages = true;
-    
-    // paginate through all sites
-    while (hasMorePages) {
-      const params = new URLSearchParams({
-        page: String(page),
-        per_page: String(perPage)
-      });
-
-      const { data } = await request.get(`${INTEGRATION_NETLIFY_API_URL}/api/v1/sites`, {
-        params,
+    const res = (
+      await axios.get(`${INTEGRATION_NETLIFY_API_URL}/api/v1/sites`, {
        headers: {
-          Authorization: `Bearer ${accessToken}`,
-          'Accept-Encoding': 'application/json'
+          Authorization: `Bearer ${accessToken}`
        }
-      });
-      
-      data.map((a: any) => {
-        apps.push({
-          name: a.name,
-          appId: a.site_id
-        });
-      });
-      
-      if (data.length < perPage) {
-        hasMorePages = false;
-      }
+      })
+    ).data;

-      page++;
-    }
+    apps = res.map((a: any) => ({
+      name: a.name,
+      appId: a.site_id
+    }));
  } catch (err) {
    Sentry.setUser(null);
    Sentry.captureException(err);
-    throw new Error("Failed to get Netlify integration apps");
+    throw new Error('Failed to get Netlify integration apps');
  }

  return apps;
@ -263,39 +191,39 @@ const getAppsNetlify = async ({ accessToken }: { accessToken: string }) => {
 /**
 * Return list of repositories for Github integration
 * @param {Object} obj
- * @param {String} obj.accessToken - access token for Github API
- * @returns {Object[]} apps - names of Github sites
- * @returns {String} apps.name - name of Github site
+ * @param {String} obj.accessToken - access token for Netlify API
+ * @returns {Object[]} apps - names of Netlify sites
+ * @returns {String} apps.name - name of Netlify site
 */
-const getAppsGithub = async ({ accessToken }: { accessToken: string }) => {
+const getAppsGithub = async ({
+  accessToken
+}: {
+  accessToken: string;
+}) => {
  let apps;
  try {
    const octokit = new Octokit({
-      auth: accessToken,
+      auth: accessToken
    });

-    const repos = (
-      await octokit.request(
-        "GET /user/repos{?visibility,affiliation,type,sort,direction,per_page,page,since,before}",
-        {
-          per_page: 100,
-        }
-      )
-    ).data;
+    const repos = (await octokit.request(
+      'GET /user/repos{?visibility,affiliation,type,sort,direction,per_page,page,since,before}',
+      {
+        per_page: 100
+      }
+    )).data;

    apps = repos
-      .filter((a: any) => a.permissions.admin === true)
-      .map((a: any) => {
-        return ({
-          appId: a.id,
+      .filter((a:any) => a.permissions.admin === true)
+      .map((a: any) => ({
          name: a.name,
-          owner: a.owner.login,
-        });
-      });
+          owner: a.owner.login
+        })
+      );
  } catch (err) {
    Sentry.setUser(null);
    Sentry.captureException(err);
-    throw new Error("Failed to get Github repos");
+    throw new Error('Failed to get Github repos');
  }

  return apps;
@ -309,16 +237,18 @@ const getAppsGithub = async ({ accessToken }: { accessToken: string }) => {
 * @returns {String} apps.name - name of Render service
 * @returns {String} apps.appId - id of Render service
 */
-const getAppsRender = async ({ accessToken }: { accessToken: string }) => {
+const getAppsRender = async ({
+  accessToken
+}: {
+  accessToken: string;
+}) => {
  let apps: any;
  try {
    const res = (
-      await request.get(`${INTEGRATION_RENDER_API_URL}/v1/services`, {
+      await axios.get(`${INTEGRATION_RENDER_API_URL}/v1/services`, {
        headers: {
-          Authorization: `Bearer ${accessToken}`,
-          Accept: 'application/json',
-          'Accept-Encoding': 'application/json',
-        },
+          Authorization: `Bearer ${accessToken}`
+        }
      })
    ).data;
    
@ -327,63 +257,10 @@ const getAppsRender = async ({ accessToken }: { accessToken: string }) => {
        name: a.service.name,
        appId: a.service.id
      })); 
-    
  } catch (err) {
    Sentry.setUser(null);
    Sentry.captureException(err);
-    throw new Error("Failed to get Render services");
-  }
-
-  return apps;
-};
-
-/**
- * Return list of projects for Railway integration
- * @param {Object} obj
- * @param {String} obj.accessToken - access token for Railway API
- * @returns {Object[]} apps - names and ids of Railway services
- * @returns {String} apps.name - name of Railway project
- * @returns {String} apps.appId - id of Railway project
- *
-*/
-const getAppsRailway = async ({ accessToken }: { accessToken: string }) => {
-  let apps: any[] = [];
-  try {
-    const query = `
-      query GetProjects($userId: String, $teamId: String) {
-        projects(userId: $userId, teamId: $teamId) {
-          edges {
-            node {
-              id
-              name
-            }
-          }
-        }
-      }
-    `;
-
-    const variables = {};
-
-    const { data: { data: { projects: { edges }}} } = await request.post(INTEGRATION_RAILWAY_API_URL, {
-      query,
-      variables,
-    }, {
-      headers: {
-        'Authorization': `Bearer ${accessToken}`,
-        'Content-Type': 'application/json',
-        'Accept-Encoding': 'application/json'
-      },
-    });
-    
-    apps = edges.map((e: any) => ({
-      name: e.node.name,
-      appId: e.node.id
-    }));
-
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error("Failed to get Railway services");
+    throw new Error('Failed to get Render services');
  }
  
  return apps;
@ -396,7 +273,11 @@ const getAppsRailway = async ({ accessToken }: { accessToken: string }) => {
 * @returns {Object[]} apps - names and ids of Fly.io apps
 * @returns {String} apps.name - name of Fly.io apps
 */
-const getAppsFlyio = async ({ accessToken }: { accessToken: string }) => {
+const getAppsFlyio = async ({
+  accessToken
+}: {
+  accessToken: string;
+}) => {
  let apps;
  try {
    const query = `
@ -410,245 +291,32 @@ const getAppsFlyio = async ({ accessToken }: { accessToken: string }) => {
        }
      }
    `;
-
-    const res = (await request.post(INTEGRATION_FLYIO_API_URL, {
-      query,
-      variables: {
-        role: null,
-      },
-    }, {
+    
+    const res = (await axios({
+      url: INTEGRATION_FLYIO_API_URL,
+      method: 'post',
      headers: {
-        Authorization: "Bearer " + accessToken,
-        'Accept': 'application/json',
-        'Accept-Encoding': 'application/json',
+        'Authorization': 'Bearer ' + accessToken
      },
+      data: {
+        query,
+        variables: {
+          role: null
+        }
+      }
    })).data.data.apps.nodes;
-
-    apps = res.map((a: any) => ({
-      name: a.name,
-    }));
+    
+    apps = res
+      .map((a: any) => ({
+        name: a.name
+      })); 
  } catch (err) {
    Sentry.setUser(null);
    Sentry.captureException(err);
-    throw new Error("Failed to get Fly.io apps");
-  }
-
-  return apps;
-};
-
-/**
- * Return list of projects for CircleCI integration
- * @param {Object} obj
- * @param {String} obj.accessToken - access token for CircleCI API
- * @returns {Object[]} apps -
- * @returns {String} apps.name - name of CircleCI apps
- */
-const getAppsCircleCI = async ({ accessToken }: { accessToken: string }) => {
-  let apps: any;
-  try {    
-    const res = (
-      await request.get(
-        `${INTEGRATION_CIRCLECI_API_URL}/v1.1/projects`,
-        {
-          headers: {
-            "Circle-Token": accessToken,
-            "Accept-Encoding": "application/json",
-          },
-        }
-      )
-    ).data
-
-    apps = res?.map((a: any) => {
-      return {
-        name: a?.reponame
-      }
-    });
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error("Failed to get CircleCI projects");
-  }
-  
-  return apps;
-};
-
-const getAppsTravisCI = async ({ accessToken }: { accessToken: string }) => {
-  let apps: any;
-  try {
-    const res = (
-      await request.get(
-        `${INTEGRATION_TRAVISCI_API_URL}/repos`,
-        {
-          headers: {
-            "Authorization": `token ${accessToken}`,
-            "Accept-Encoding": "application/json",
-          },
-        }
-      )
-    ).data;
-
-    apps = res?.map((a: any) => {
-      return {
-        name: a?.slug?.split("/")[1],
-        appId: a?.id,
-      }
-    });
-  }catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error("Failed to get TravisCI projects");
+    throw new Error('Failed to get Fly.io apps');
  }
  
  return apps;
 }

-/**
- * Return list of repositories for GitLab integration
- * @param {Object} obj
- * @param {String} obj.accessToken - access token for GitLab API
- * @returns {Object[]} apps - names of GitLab sites
- * @returns {String} apps.name - name of GitLab site
- */
-const getAppsGitlab = async ({ 
-  accessToken,
-  teamId
-}: {
-  accessToken: string;
-  teamId?: string;
-}) => {
-  const apps: App[] = [];
-  
-  let page = 1;
-  const perPage = 10;
-  let hasMorePages = true;
-  try {
-
-    if (teamId) {
-      // case: fetch projects for group with id [teamId] in GitLab
-      
-      while (hasMorePages) {
-        const params = new URLSearchParams({
-          page: String(page),
-          per_page: String(perPage)
-        });
-
-        const { data } = (
-          await request.get(
-            `${INTEGRATION_GITLAB_API_URL}/v4/groups/${teamId}/projects`,
-            {
-              params,
-              headers: {
-                "Authorization": `Bearer ${accessToken}`,
-                "Accept-Encoding": "application/json",
-              },
-            }
-          )
-        );
-
-        data.map((a: any) => {
-          apps.push({
-            name: a.name,
-            appId: a.id
-          });
-        });
-        
-        if (data.length < perPage) {
-          hasMorePages = false;
-        }
-        
-        page++;
-      }
-    } else {
-      // case: fetch projects for individual in GitLab
-      
-      const { id } = (
-        await request.get(
-          `${INTEGRATION_GITLAB_API_URL}/v4/user`,
-          {
-            headers: {
-              "Authorization": `Bearer ${accessToken}`,
-              "Accept-Encoding": "application/json",
-            },
-          }
-        )
-      ).data;
-      
-      while (hasMorePages) {
-        const params = new URLSearchParams({
-          page: String(page),
-          per_page: String(perPage)
-        });
-
-        const { data } = (
-          await request.get(
-            `${INTEGRATION_GITLAB_API_URL}/v4/users/${id}/projects`,
-            {
-              params,
-              headers: {
-                "Authorization": `Bearer ${accessToken}`,
-                "Accept-Encoding": "application/json",
-              },
-            }
-          )
-        );
-
-        data.map((a: any) => {
-          apps.push({
-            name: a.name,
-            appId: a.id
-          });
-        });
-
-        if (data.length < perPage) {
-          hasMorePages = false;
-        }
-        
-        page++;
-      }
-    }
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error("Failed to get GitLab projects");
-  }
-  
-  return apps;
-}
-
-
-/**
- * Return list of projects for Supabase integration
- * @param {Object} obj
- * @param {String} obj.accessToken - access token for Supabase API
- * @returns {Object[]} apps - names of Supabase apps
- * @returns {String} apps.name - name of Supabase app
- */
-const getAppsSupabase = async ({ accessToken }: { accessToken: string }) => {
-  let apps: any;
-  try {
-      const { data } = await request.get(
-        `${INTEGRATION_SUPABASE_API_URL}/v1/projects`,
-        {
-          headers: {
-          Authorization: `Bearer ${accessToken}`,
-          'Accept-Encoding': 'application/json'
-          }
-        }
-      );
-
-      apps = data.map((a: any) => {
-        return {
-            name: a.name,
-            appId: a.id
-        };
-    });
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error('Failed to get Supabase projects');
-  }
-  
-  return apps;
-};
-
 export { getApps };
--- a/backend/src/integrations/exchange.ts
+++ b/backend/src/integrations/exchange.ts
@ -1,44 +1,26 @@
+import axios from 'axios';
 import * as Sentry from '@sentry/node';
-import request from '../config/request';
 import {
-  INTEGRATION_AZURE_KEY_VAULT,
  INTEGRATION_HEROKU,
  INTEGRATION_VERCEL,
  INTEGRATION_NETLIFY,
  INTEGRATION_GITHUB,
-  INTEGRATION_GITLAB,
-  INTEGRATION_AZURE_TOKEN_URL,
  INTEGRATION_HEROKU_TOKEN_URL,
  INTEGRATION_VERCEL_TOKEN_URL,
  INTEGRATION_NETLIFY_TOKEN_URL,
-  INTEGRATION_GITHUB_TOKEN_URL,
-  INTEGRATION_GITLAB_TOKEN_URL
+  INTEGRATION_GITHUB_TOKEN_URL
 } from '../variables';
 import {
-  getSiteURL,
-  getClientIdAzure,
-  getClientSecretAzure,
-  getClientSecretHeroku,
-  getClientIdVercel,
-  getClientSecretVercel,
-  getClientIdNetlify,
-  getClientSecretNetlify,
-  getClientIdGitHub,
-  getClientSecretGitHub,
-  getClientIdGitLab,
-  getClientSecretGitLab
+  SITE_URL,
+  CLIENT_ID_VERCEL,
+  CLIENT_ID_NETLIFY,
+  CLIENT_ID_GITHUB,
+  CLIENT_SECRET_HEROKU,
+  CLIENT_SECRET_VERCEL,
+  CLIENT_SECRET_NETLIFY,
+  CLIENT_SECRET_GITHUB
 } from '../config';

-interface ExchangeCodeAzureResponse {
-  token_type: string;
-  scope: string;
-  expires_in: number;
-  ext_expires_in: number;
-  access_token: string;
-  refresh_token: string;
-  id_token: string;
-}
-
 interface ExchangeCodeHerokuResponse {
  token_type: string;
  access_token: string;
@ -70,15 +52,6 @@ interface ExchangeCodeGithubResponse {
  token_type: string;
 }

-interface ExchangeCodeGitlabResponse {
-  access_token: string;
-  token_type: string;
-  expires_in: number;
-  refresh_token: string;
-  scope: string;
-  created_at: number;
-}
-
 /**
 * Return [accessToken], [accessExpiresAt], and [refreshToken] for OAuth2
 * code-token exchange for integration named [integration]
@ -102,11 +75,6 @@ const exchangeCode = async ({

  try {
    switch (integration) {
-      case INTEGRATION_AZURE_KEY_VAULT:
-        obj = await exchangeCodeAzure({
-          code
-        });
-        break;
      case INTEGRATION_HEROKU:
        obj = await exchangeCodeHeroku({
          code
@ -127,10 +95,6 @@ const exchangeCode = async ({
          code
        });
        break;
-      case INTEGRATION_GITLAB:
-        obj = await exchangeCodeGitlab({
-          code
-        });
    }
  } catch (err) {
    Sentry.setUser(null);
@ -141,46 +105,6 @@ const exchangeCode = async ({
  return obj;
 };

-/**
- * Return [accessToken] for Azure OAuth2 code-token exchange
- * @param param0 
- */
-const exchangeCodeAzure = async ({
-  code
-}: {
-  code: string;
-}) => {
-  const accessExpiresAt = new Date();
-  let res: ExchangeCodeAzureResponse;
-  try {
-    res = (await request.post(
-      INTEGRATION_AZURE_TOKEN_URL,
-      new URLSearchParams({
-        grant_type: 'authorization_code',
-        code: code,
-        scope: 'https://vault.azure.net/.default openid offline_access',
-        client_id: getClientIdAzure(),
-        client_secret: getClientSecretAzure(),
-        redirect_uri: `${getSiteURL()}/integrations/azure-key-vault/oauth2/callback`
-      } as any)
-    )).data;
-
-    accessExpiresAt.setSeconds(
-      accessExpiresAt.getSeconds() + res.expires_in
-    );
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error('Failed OAuth2 code-token exchange with Azure');
-  }
-
-  return ({
-    accessToken: res.access_token,
-    refreshToken: res.refresh_token,
-    accessExpiresAt
-  });
-}
-
 /**
 * Return [accessToken], [accessExpiresAt], and [refreshToken] for Heroku
 * OAuth2 code-token exchange
@ -192,36 +116,36 @@ const exchangeCodeAzure = async ({
 * @returns {Date} obj2.accessExpiresAt - date of expiration for access token
 */
 const exchangeCodeHeroku = async ({
-  code
+    code
 }: {
-  code: string;
+    code: string;
 }) => {
-  let res: ExchangeCodeHerokuResponse;
-  const accessExpiresAt = new Date();
-  try {
-    res = (await request.post(
-      INTEGRATION_HEROKU_TOKEN_URL,
-      new URLSearchParams({
-        grant_type: 'authorization_code',
-        code: code,
-        client_secret: getClientSecretHeroku()
-      } as any)
-    )).data;
-
-    accessExpiresAt.setSeconds(
-      accessExpiresAt.getSeconds() + res.expires_in
-    );
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error('Failed OAuth2 code-token exchange with Heroku');
-  }
-
-  return ({
-    accessToken: res.access_token,
-    refreshToken: res.refresh_token,
-    accessExpiresAt
-  });
+    let res: ExchangeCodeHerokuResponse;
+    const accessExpiresAt = new Date();
+    try {
+        res = (await axios.post(
+            INTEGRATION_HEROKU_TOKEN_URL,
+            new URLSearchParams({
+				grant_type: 'authorization_code',
+				code: code,
+				client_secret: CLIENT_SECRET_HEROKU
+			} as any)
+        )).data;
+        
+        accessExpiresAt.setSeconds(
+            accessExpiresAt.getSeconds() + res.expires_in
+        );
+    } catch (err) {
+        Sentry.setUser(null);
+        Sentry.captureException(err);
+        throw new Error('Failed OAuth2 code-token exchange with Heroku');
+    }
+    
+    return ({
+        accessToken: res.access_token,
+        refreshToken: res.refresh_token,
+        accessExpiresAt
+    });
 }

 /**
@ -238,20 +162,20 @@ const exchangeCodeVercel = async ({ code }: { code: string }) => {
  let res: ExchangeCodeVercelResponse;
  try {
    res = (
-      await request.post(
+      await axios.post(
        INTEGRATION_VERCEL_TOKEN_URL,
        new URLSearchParams({
          code: code,
-          client_id: getClientIdVercel(),
-          client_secret: getClientSecretVercel(),
-          redirect_uri: `${getSiteURL()}/integrations/vercel/oauth2/callback`
+          client_id: CLIENT_ID_VERCEL,
+          client_secret: CLIENT_SECRET_VERCEL,
+          redirect_uri: `${SITE_URL}/vercel`
        } as any)
      )
    ).data;
  } catch (err) {
    Sentry.setUser(null);
    Sentry.captureException(err);
-    throw new Error(`Failed OAuth2 code-token exchange with Vercel [err=${err}]`);
+    throw new Error('Failed OAuth2 code-token exchange with Vercel');
  }

  return {
@ -277,26 +201,26 @@ const exchangeCodeNetlify = async ({ code }: { code: string }) => {
  let accountId;
  try {
    res = (
-      await request.post(
+      await axios.post(
        INTEGRATION_NETLIFY_TOKEN_URL,
        new URLSearchParams({
          grant_type: 'authorization_code',
          code: code,
-          client_id: getClientIdNetlify(),
-          client_secret: getClientSecretNetlify(),
-          redirect_uri: `${getSiteURL()}/integrations/netlify/oauth2/callback`
+          client_id: CLIENT_ID_NETLIFY,
+          client_secret: CLIENT_SECRET_NETLIFY,
+          redirect_uri: `${SITE_URL}/netlify`
        } as any)
      )
    ).data;

-    const res2 = await request.get('https://api.netlify.com/api/v1/sites', {
+    const res2 = await axios.get('https://api.netlify.com/api/v1/sites', {
      headers: {
        Authorization: `Bearer ${res.access_token}`
      }
    });

    const res3 = (
-      await request.get('https://api.netlify.com/api/v1/accounts', {
+      await axios.get('https://api.netlify.com/api/v1/accounts', {
        headers: {
          Authorization: `Bearer ${res.access_token}`
        }
@ -331,16 +255,15 @@ const exchangeCodeGithub = async ({ code }: { code: string }) => {
  let res: ExchangeCodeGithubResponse;
  try {
    res = (
-      await request.get(INTEGRATION_GITHUB_TOKEN_URL, {
+      await axios.get(INTEGRATION_GITHUB_TOKEN_URL, {
        params: {
-          client_id: getClientIdGitHub(),
-          client_secret: getClientSecretGitHub(),
+          client_id: CLIENT_ID_GITHUB,
+          client_secret: CLIENT_SECRET_GITHUB,
          code: code,
-          redirect_uri: `${getSiteURL()}/integrations/github/oauth2/callback`
+          redirect_uri: `${SITE_URL}/github`
        },
        headers: {
-          'Accept': 'application/json',
-          'Accept-Encoding': 'application/json'
+          Accept: 'application/json'
        }
      })
    ).data;
@ -358,53 +281,4 @@ const exchangeCodeGithub = async ({ code }: { code: string }) => {
  };
 };

-/**
- * Return [accessToken], [accessExpiresAt], and [refreshToken] for Gitlab
- * code-token exchange
- * @param {Object} obj1
- * @param {Object} obj1.code - code for code-token exchange
- * @returns {Object} obj2
- * @returns {String} obj2.accessToken - access token for Gitlab API
- * @returns {String} obj2.refreshToken - refresh token for Gitlab API
- * @returns {Date} obj2.accessExpiresAt - date of expiration for access token
- */
-const exchangeCodeGitlab = async ({ code }: { code: string }) => {
-  let res: ExchangeCodeGitlabResponse; 
-  const accessExpiresAt = new Date();
-  
-  try {
-    res = (
-      await request.post(
-        INTEGRATION_GITLAB_TOKEN_URL,
-        new URLSearchParams({
-          grant_type: 'authorization_code',
-          code: code,
-          client_id: getClientIdGitLab(),
-          client_secret: getClientSecretGitLab(),
-          redirect_uri: `${getSiteURL()}/integrations/gitlab/oauth2/callback`
-        } as any),
-        {
-          headers: {
-            "Accept-Encoding": "application/json",
-          }
-        }
-      )
-    ).data;
-    
-    accessExpiresAt.setSeconds(
-      accessExpiresAt.getSeconds() + res.expires_in
-    );
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error('Failed OAuth2 code-token exchange with Gitlab');
-  }
-
-  return {
-    accessToken: res.access_token,
-    refreshToken: res.refresh_token,
-    accessExpiresAt
-  };
-}
-
 export { exchangeCode };
--- a/backend/src/integrations/index.ts
+++ b/backend/src/integrations/index.ts
@ -1,7 +1,6 @@
 import { exchangeCode } from './exchange';
 import { exchangeRefresh } from './refresh';
 import { getApps } from './apps';
-import { getTeams } from './teams';
 import { syncSecrets } from './sync';
 import { revokeAccess } from './revoke';

@ -9,7 +8,6 @@ export {
    exchangeCode,
    exchangeRefresh,
    getApps,
-    getTeams,
    syncSecrets,
    revokeAccess
 }
--- a/backend/src/integrations/refresh.ts
+++ b/backend/src/integrations/refresh.ts
@ -1,55 +1,12 @@
+import axios from 'axios';
 import * as Sentry from '@sentry/node';
-import request from '../config/request';
+import { INTEGRATION_HEROKU } from '../variables';
 import {
-  IIntegrationAuth
-} from '../models';
-import {
-  INTEGRATION_AZURE_KEY_VAULT, 
-  INTEGRATION_HEROKU,
-  INTEGRATION_GITLAB,
-} from '../variables';
-import {
-  INTEGRATION_AZURE_TOKEN_URL,
-  INTEGRATION_HEROKU_TOKEN_URL,
-  INTEGRATION_GITLAB_TOKEN_URL
-} from '../variables';
-import {
-  IntegrationService
-} from '../services';
-import {
-  getSiteURL,
-  getClientIdAzure,
-  getClientSecretAzure,
-  getClientSecretHeroku,
-  getClientIdGitLab,
-  getClientSecretGitLab
+    CLIENT_SECRET_HEROKU
 } from '../config';
-
-interface RefreshTokenAzureResponse {
-  token_type: string;
-  scope: string;
-  expires_in: number;
-  ext_expires_in: 4871;
-  access_token: string;
-  refresh_token: string;
-}
-
-interface RefreshTokenHerokuResponse {
-  access_token: string;
-  expires_in: number;
-  refresh_token: string;
-  token_type: string;
-  user_id: string;
-}
-
-interface RefreshTokenGitLabResponse {
-  token_type: string;
-  scope: string;
-  expires_in: number;
-  access_token: string;
-  refresh_token: string;
-  created_at: number;
-}
+import {
+    INTEGRATION_HEROKU_TOKEN_URL
+} from '../variables';

 /**
 * Return new access token by exchanging refresh token [refreshToken] for integration
@ -59,104 +16,30 @@ interface RefreshTokenGitLabResponse {
 * @param {String} obj.refreshToken - refresh token to use to get new access token for Heroku
 */
 const exchangeRefresh = async ({
-  integrationAuth,
+  integration,
  refreshToken
 }: {
-  integrationAuth: IIntegrationAuth;
+  integration: string;
  refreshToken: string;
 }) => {
-  
-  interface TokenDetails {
-    accessToken: string;
-    refreshToken: string;
-    accessExpiresAt: Date;
-  }
-  
-  let tokenDetails: TokenDetails;
+  let accessToken;
  try {
-    switch (integrationAuth.integration) {
-      case INTEGRATION_AZURE_KEY_VAULT:
-        tokenDetails = await exchangeRefreshAzure({
-          refreshToken
-        });
-        break;
+    switch (integration) {
      case INTEGRATION_HEROKU:
-        tokenDetails = await exchangeRefreshHeroku({
+        accessToken = await exchangeRefreshHeroku({
          refreshToken
        });
        break;
-      case INTEGRATION_GITLAB:
-        tokenDetails = await exchangeRefreshGitLab({
-          refreshToken
-        });
-        break;
-      default:
-        throw new Error('Failed to exchange token for incompatible integration');
    }
-
-    if (tokenDetails?.accessToken && tokenDetails?.refreshToken && tokenDetails?.accessExpiresAt) {
-      await IntegrationService.setIntegrationAuthAccess({
-        integrationAuthId: integrationAuth._id.toString(),
-        accessId: null,
-        accessToken: tokenDetails.accessToken,
-        accessExpiresAt: tokenDetails.accessExpiresAt
-      });
-
-      await IntegrationService.setIntegrationAuthRefresh({
-        integrationAuthId: integrationAuth._id.toString(),
-        refreshToken: tokenDetails.refreshToken
-      });
-    }
-
-    return tokenDetails.accessToken;
  } catch (err) {
    Sentry.setUser(null);
    Sentry.captureException(err);
    throw new Error('Failed to get new OAuth2 access token');
  }
+
+  return accessToken;
 };

-/**
- * Return new access token by exchanging refresh token [refreshToken] for the
- * Azure integration
- * @param {Object} obj
- * @param {String} obj.refreshToken - refresh token to use to get new access token for Azure
- * @returns
- */
-const exchangeRefreshAzure = async ({
-  refreshToken
-}: {
-  refreshToken: string;
-}) => {
-  try {
-    const accessExpiresAt = new Date();
-    const { data }: { data: RefreshTokenAzureResponse } = await request.post(
-      INTEGRATION_AZURE_TOKEN_URL,
-       new URLSearchParams({
-        client_id: getClientIdAzure(),
-        scope: 'openid offline_access',
-        refresh_token: refreshToken,
-        grant_type: 'refresh_token',
-        client_secret: getClientSecretAzure()
-      } as any)
-    );
-    
-    accessExpiresAt.setSeconds(
-      accessExpiresAt.getSeconds() + data.expires_in
-    );
-
-    return ({
-      accessToken: data.access_token,
-      refreshToken: data.refresh_token,
-      accessExpiresAt
-    });
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error('Failed to get refresh OAuth2 access token for Azure'); 
-  }
-}
-
 /**
 * Return new access token by exchanging refresh token [refreshToken] for the
 * Heroku integration
@ -169,84 +52,26 @@ const exchangeRefreshHeroku = async ({
 }: {
  refreshToken: string;
 }) => {
-  try {
-    const accessExpiresAt = new Date();
-    const { 
-      data 
-    }: { 
-      data: RefreshTokenHerokuResponse 
-    } = await request.post(
-        INTEGRATION_HEROKU_TOKEN_URL,
-        new URLSearchParams({
-            grant_type: 'refresh_token',
-            refresh_token: refreshToken,
-            client_secret: getClientSecretHeroku()
-        } as any)
-    );
+    let accessToken;
+	//TODO: Refactor code to take advantage of using RequestError. It's possible to create new types of errors for more detailed errors
+    try {
+        const res = await axios.post(
+            INTEGRATION_HEROKU_TOKEN_URL,
+            new URLSearchParams({
+                grant_type: 'refresh_token',
+                refresh_token: refreshToken,
+                client_secret: CLIENT_SECRET_HEROKU
+            } as any)
+        );

-    accessExpiresAt.setSeconds(
-      accessExpiresAt.getSeconds() + data.expires_in
-    );
-
-    return ({
-      accessToken: data.access_token,
-      refreshToken: data.refresh_token,
-      accessExpiresAt
-    });
+    accessToken = res.data.access_token;
  } catch (err) {
    Sentry.setUser(null);
    Sentry.captureException(err);
-    throw new Error('Failed to refresh OAuth2 access token for Heroku');
+    throw new Error('Failed to get new OAuth2 access token for Heroku');
  }
-};

-/**
- * Return new access token by exchanging refresh token [refreshToken] for the
- * GitLab integration
- * @param {Object} obj
- * @param {String} obj.refreshToken - refresh token to use to get new access token for GitLab
- * @returns
- */
-const exchangeRefreshGitLab = async ({
-  refreshToken
-}: {
-  refreshToken: string;
-}) => {
-  try {
-    const accessExpiresAt = new Date();
-    const { 
-      data
-    }: { 
-      data: RefreshTokenGitLabResponse 
-    } = await request.post(
-      INTEGRATION_GITLAB_TOKEN_URL,
-      new URLSearchParams({
-        grant_type: 'refresh_token',
-        refresh_token: refreshToken,
-        client_id: getClientIdGitLab,
-        client_secret: getClientSecretGitLab(),
-        redirect_uri: `${getSiteURL()}/integrations/gitlab/oauth2/callback`
-      } as any),
-      {
-        headers: {
-          "Accept-Encoding": "application/json",
-        }
-      });
-
-    accessExpiresAt.setSeconds(
-      accessExpiresAt.getSeconds() + data.expires_in
-    );
-
-    return ({
-      accessToken: data.access_token,
-      refreshToken: data.refresh_token,
-      accessExpiresAt
-    });
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error('Failed to refresh OAuth2 access token for GitLab');
-  }
+  return accessToken;
 };

 export { exchangeRefresh };
--- a/backend/src/integrations/revoke.ts
+++ b/backend/src/integrations/revoke.ts
@ -10,8 +10,7 @@ import {
  INTEGRATION_HEROKU,
  INTEGRATION_VERCEL,
  INTEGRATION_NETLIFY,
-  INTEGRATION_GITHUB,
-  INTEGRATION_GITLAB,
+  INTEGRATION_GITHUB
 } from '../variables';

 const revokeAccess = async ({
@ -33,8 +32,6 @@ const revokeAccess = async ({
        break;
      case INTEGRATION_GITHUB:
        break;
-      case INTEGRATION_GITLAB:
-        break;
    }

    deletedIntegrationAuth = await IntegrationAuth.findOneAndDelete({
--- a/backend/src/integrations/sync.ts
+++ b/backend/src/integrations/sync.ts
--- a/backend/src/integrations/teams.ts
+++ b/backend/src/integrations/teams.ts
@ -1,92 +0,0 @@
-import * as Sentry from "@sentry/node";
-import {
-    IIntegrationAuth
-} from '../models';
-import {
-    INTEGRATION_GITLAB,
-    INTEGRATION_GITLAB_API_URL
-} from '../variables';
-import request from '../config/request';
-
-interface Team {
-    name: string;
-    teamId: string;
-}
-
-/**
- * Return list of teams for integration authorization [integrationAuth]
- * @param {Object} obj
- * @param {String} obj.integrationAuth - integration authorization to get teams for
- * @param {String} obj.accessToken - access token for integration authorization
- * @returns {Object[]} teams - teams of integration authorization
- * @returns {String} teams.name - name of team
- * @returns {String} teams.teamId - id of team
-*/
-const getTeams = async ({
-    integrationAuth,
-    accessToken
-}: {
-    integrationAuth: IIntegrationAuth;
-    accessToken: string;
-}) => {
-    
-    let teams: Team[] = [];
-    try {
-        switch (integrationAuth.integration) {
-            case INTEGRATION_GITLAB:
-                teams = await getTeamsGitLab({
-                    accessToken
-                });
-                break;
-        }
-    } catch (err) {
-        Sentry.setUser(null);
-        Sentry.captureException(err);
-        throw new Error('Failed to get integration teams');
-    }
-    
-    
-    return teams;
-}
-
-/**
- * Return list of teams for GitLab integration
- * @param {Object} obj
- * @param {String} obj.accessToken - access token for GitLab API
- * @returns {Object[]} teams - teams that user is part of in GitLab
- * @returns {String} teams.name - name of team
- * @returns {String} teams.teamId - id of team
-*/
-const getTeamsGitLab = async ({
-    accessToken
-}: {
-    accessToken: string;
-}) => {
-    let teams: Team[] = [];
-    try {
-        const res = (await request.get(
-            `${INTEGRATION_GITLAB_API_URL}/v4/groups`,
-            {
-                headers: {
-                Authorization: `Bearer ${accessToken}`,
-                "Accept-Encoding": "application/json"
-                }
-            }
-        )).data; 
-    
-      teams = res.map((t: any) => ({
-        name: t.name,
-        teamId: t.id
-      }));
-    } catch (err) {
-        Sentry.setUser(null);
-        Sentry.captureException(err);
-        throw new Error("Failed to get GitLab integration teams");
-    }
-    
-    return teams;
-}
-
-export {
-    getTeams
-}
--- a/backend/src/interfaces/serviceAccounts/dto/AddServiceAccountPermissionDto.ts
+++ b/backend/src/interfaces/serviceAccounts/dto/AddServiceAccountPermissionDto.ts
@ -1,7 +0,0 @@
-interface AddServiceAccountPermissionDto {
-    name: string;
-    workspaceId?: string;
-    environment?: string;
-}
-
-export default AddServiceAccountPermissionDto;
--- a/backend/src/interfaces/serviceAccounts/dto/CreateServiceAccountDto.ts
+++ b/backend/src/interfaces/serviceAccounts/dto/CreateServiceAccountDto.ts
@ -1,8 +0,0 @@
-interface CreateServiceAccountDto {
-    organizationId: string;
-    name: string;
-    publicKey: string; 
-    expiresIn: number;
-}
-
-export default CreateServiceAccountDto;
--- a/backend/src/interfaces/serviceAccounts/dto/index.ts
+++ b/backend/src/interfaces/serviceAccounts/dto/index.ts
@ -1,7 +0,0 @@
-import CreateServiceAccountDto from './CreateServiceAccountDto';
-import AddServiceAccountPermissionDto from './AddServiceAccountPermissionDto';
-
-export {
-    CreateServiceAccountDto,
-    AddServiceAccountPermissionDto
-}
--- a/backend/src/middleware/index.ts
+++ b/backend/src/middleware/index.ts
@ -1,5 +1,4 @@
 import requireAuth from './requireAuth';
-import requireMfaAuth from './requireMfaAuth';
 import requireBotAuth from './requireBotAuth';
 import requireSignupAuth from './requireSignupAuth';
 import requireWorkspaceAuth from './requireWorkspaceAuth';
@ -10,15 +9,12 @@ import requireIntegrationAuth from './requireIntegrationAuth';
 import requireIntegrationAuthorizationAuth from './requireIntegrationAuthorizationAuth';
 import requireServiceTokenAuth from './requireServiceTokenAuth';
 import requireServiceTokenDataAuth from './requireServiceTokenDataAuth';
-import requireServiceAccountAuth from './requireServiceAccountAuth';
-import requireServiceAccountWorkspacePermissionAuth from './requireServiceAccountWorkspacePermissionAuth';
 import requireSecretAuth from './requireSecretAuth';
 import requireSecretsAuth from './requireSecretsAuth';
 import validateRequest from './validateRequest';

 export {
 	requireAuth,
-	requireMfaAuth,
 	requireBotAuth,
 	requireSignupAuth,
 	requireWorkspaceAuth,
@ -29,8 +25,6 @@ export {
 	requireIntegrationAuthorizationAuth,
 	requireServiceTokenAuth,
 	requireServiceTokenDataAuth,
-	requireServiceAccountAuth,
-	requireServiceAccountWorkspacePermissionAuth,
 	requireSecretAuth,
 	requireSecretsAuth,
 	validateRequest
--- a/backend/src/middleware/requestErrorHandler.ts
+++ b/backend/src/middleware/requestErrorHandler.ts
@ -1,13 +1,15 @@
-import * as Sentry from '@sentry/node';
 import { ErrorRequestHandler } from "express";
+
+import * as Sentry from '@sentry/node';
 import { InternalServerError } from "../utils/errors";
 import { getLogger } from "../utils/logger";
 import RequestError, { LogLevel } from "../utils/requestError";
-import { getNodeEnv } from '../config';
+import { NODE_ENV } from "../config";
+

 export const requestErrorHandler: ErrorRequestHandler = (error: RequestError | Error, req, res, next) => {
    if (res.headersSent) return next();
-    if (getNodeEnv() !== "production") {
+    if (NODE_ENV !== "production") {
        /* eslint-disable no-console */
        console.log(error)
        /* eslint-enable no-console */
--- a/backend/src/middleware/requireAuth.ts
+++ b/backend/src/middleware/requireAuth.ts
@ -1,26 +1,12 @@
 import jwt from 'jsonwebtoken';
 import { Request, Response, NextFunction } from 'express';
+import { User, ServiceTokenData } from '../models';
 import {
 	validateAuthMode,
 	getAuthUserPayload,
 	getAuthSTDPayload,
-	getAuthAPIKeyPayload,
-	getAuthSAAKPayload
+	getAuthAPIKeyPayload
 } from '../helpers/auth';
-import { 
-	UnauthorizedRequestError
-} from '../utils/errors';
-import {
-	IUser,
-	IServiceAccount,
-	IServiceTokenData
-} from '../models';
-import {
-	AUTH_MODE_JWT,
-	AUTH_MODE_SERVICE_ACCOUNT,
-	AUTH_MODE_SERVICE_TOKEN,
-	AUTH_MODE_API_KEY
-} from '../variables';

 declare module 'jsonwebtoken' {
 	export interface UserIDJwtPayload extends jwt.JwtPayload {
@ -39,58 +25,37 @@ declare module 'jsonwebtoken' {
 * @returns
 */
 const requireAuth = ({
-	acceptedAuthModes = [AUTH_MODE_JWT],
+	acceptedAuthModes = ['jwt']
 }: {
 	acceptedAuthModes: string[];
 }) => {
 	return async (req: Request, res: Response, next: NextFunction) => {
-		
 		// validate auth token against accepted auth modes [acceptedAuthModes]
 		// and return token type [authTokenType] and value [authTokenValue]
-		const { authMode, authTokenValue } = validateAuthMode({
+		const { authTokenType, authTokenValue } = validateAuthMode({
 			headers: req.headers,
 			acceptedAuthModes
 		});

-		let authPayload: IUser | IServiceAccount | IServiceTokenData;
-		switch (authMode) {
-			case AUTH_MODE_SERVICE_ACCOUNT:
-				authPayload = await getAuthSAAKPayload({
+		// attach auth payloads
+		switch (authTokenType) {
+			case 'serviceToken':
+				req.serviceTokenData = await getAuthSTDPayload({
 					authTokenValue
 				});
-				req.serviceAccount = authPayload;
 				break;
-			case AUTH_MODE_SERVICE_TOKEN:
-				authPayload = await getAuthSTDPayload({
+			case 'apiKey':
+				req.user = await getAuthAPIKeyPayload({
 					authTokenValue
 				});
-				req.serviceTokenData = authPayload;
-				break;
-			case AUTH_MODE_API_KEY:
-				authPayload = await getAuthAPIKeyPayload({
-					authTokenValue
-				});
-				req.user = authPayload;
 				break;
 			default:
-				authPayload = await getAuthUserPayload({
+				req.user = await getAuthUserPayload({
 					authTokenValue
 				});
-				req.user = authPayload;
 				break;
 		}
-		
-		req.requestData = {
-			...req.params,
-			...req.query,
-			...req.body,
-		}
-		
-		req.authData = {
-			authMode,
-			authPayload // User, ServiceAccount, ServiceTokenData
-		}
-		
+
 		return next();
 	}
 }
--- a/backend/src/middleware/requireBotAuth.ts
+++ b/backend/src/middleware/requireBotAuth.ts
@ -1,28 +1,32 @@
 import { Request, Response, NextFunction } from 'express';
-import { Types } from 'mongoose';
 import { Bot } from '../models';
 import { validateMembership } from '../helpers/membership';
-import { validateClientForBot } from '../helpers/bot';
 import { AccountNotFoundError } from '../utils/errors';

 type req = 'params' | 'body' | 'query';

 const requireBotAuth = ({
    acceptedRoles,
-    locationBotId = 'params'
+    location = 'params'
 }: {
-    acceptedRoles: Array<'admin' | 'member'>;
-    locationBotId?: req;
+    acceptedRoles: string[];
+    location?: req;
 }) => {
    return async (req: Request, res: Response, next: NextFunction) => {
-        const { botId } = req[locationBotId];
+        const bot = await Bot.findById(req[location].botId);
        
-        req.bot = await validateClientForBot({
-            authData: req.authData,
-            botId: new Types.ObjectId(botId),
+        if (!bot) {
+            return next(AccountNotFoundError({message: 'Failed to locate Bot account'}))
+        }
+        
+        await validateMembership({
+            userId: req.user._id.toString(),
+            workspaceId: bot.workspace.toString(),
            acceptedRoles
        });
        
+        req.bot = bot;
+        
        next();
    }
 }
--- a/backend/src/middleware/requireIntegrationAuth.ts
+++ b/backend/src/middleware/requireIntegrationAuth.ts
@ -1,9 +1,7 @@
 import { Request, Response, NextFunction } from 'express';
-import { Types } from 'mongoose';
 import { Integration, IntegrationAuth } from '../models';
 import { IntegrationService } from '../services';
 import { validateMembership } from '../helpers/membership';
-import { validateClientForIntegration } from '../helpers/integration';
 import { IntegrationNotFoundError, UnauthorizedRequestError } from '../utils/errors';

 /**
@ -15,25 +13,43 @@ import { IntegrationNotFoundError, UnauthorizedRequestError } from '../utils/err
 const requireIntegrationAuth = ({
 	acceptedRoles
 }: {
-	acceptedRoles: Array<'admin' | 'member'>;
+	acceptedRoles: string[];
 }) => {
 	return async (req: Request, res: Response, next: NextFunction) => {
+		// integration authorization middleware
+
 		const { integrationId } = req.params;

-		const { integration, accessToken } = await validateClientForIntegration({
-			authData: req.authData,
-			integrationId: new Types.ObjectId(integrationId),
+		// validate integration accessibility
+		const integration = await Integration.findOne({
+			_id: integrationId
+		});
+
+		if (!integration) {
+			return next(IntegrationNotFoundError({message: 'Failed to locate Integration'}))
+		}
+		
+		await validateMembership({
+			userId: req.user._id.toString(),
+			workspaceId: integration.workspace.toString(),
 			acceptedRoles
 		});

-		if (integration) {
-			req.integration = integration;
-		}
-		
-		if (accessToken) {
-			req.accessToken = accessToken;
+		const integrationAuth = await IntegrationAuth.findOne({
+			_id: integration.integrationAuth
+		}).select(
+			'+refreshCiphertext +refreshIV +refreshTag +accessCiphertext +accessIV +accessTag +accessExpiresAt'
+		);
+
+		if (!integrationAuth) {
+			return next(UnauthorizedRequestError({message: 'Failed to locate Integration Authentication credentials'}))
 		}

+		req.integration = integration;
+		req.accessToken = await IntegrationService.getIntegrationAuthAccess({
+			integrationAuthId: integrationAuth._id.toString()
+		});
+
 		return next();
 	};
 };
--- a/backend/src/middleware/requireIntegrationAuthorizationAuth.ts
+++ b/backend/src/middleware/requireIntegrationAuthorizationAuth.ts
@ -1,9 +1,7 @@
 import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
 import { Request, Response, NextFunction } from 'express';
 import { IntegrationAuth, IWorkspace } from '../models';
 import { IntegrationService } from '../services';
-import { validateClientForIntegrationAuth } from '../helpers/integrationAuth';
 import { validateMembership } from '../helpers/membership';
 import { UnauthorizedRequestError } from '../utils/errors';

@ -21,26 +19,35 @@ const requireIntegrationAuthorizationAuth = ({
 	attachAccessToken = true,
 	location = 'params'
 }: {
-	acceptedRoles: Array<'admin' | 'member'>;
+	acceptedRoles: string[];
 	attachAccessToken?: boolean;
 	location?: req;
 }) => {
 	return async (req: Request, res: Response, next: NextFunction) => {
 		const { integrationAuthId } = req[location];
+		const integrationAuth = await IntegrationAuth.findOne({
+			_id: integrationAuthId
+		})
+		.populate<{ workspace: IWorkspace }>('workspace')
+		.select(
+			'+refreshCiphertext +refreshIV +refreshTag +accessCiphertext +accessIV +accessTag +accessExpiresAt'
+		);

-		const { integrationAuth, accessToken } = await validateClientForIntegrationAuth({
-			authData: req.authData,
-			integrationAuthId: new Types.ObjectId(integrationAuthId),
-			acceptedRoles,
-			attachAccessToken
-		});
-		
-		if (integrationAuth) {
-			req.integrationAuth = integrationAuth;
+		if (!integrationAuth) {
+			return next(UnauthorizedRequestError({message: 'Failed to locate Integration Authorization credentials'}))
 		}
+		
+		await validateMembership({
+			userId: req.user._id.toString(),
+			workspaceId: integrationAuth.workspace._id.toString(),
+			acceptedRoles
+		});

-		if (accessToken) {
-			req.accessToken = accessToken;
+		req.integrationAuth = integrationAuth;
+		if (attachAccessToken) {
+			req.accessToken = await IntegrationService.getIntegrationAuthAccess({
+				integrationAuthId: integrationAuth._id.toString()
+			});
 		}
 		
 		return next();
--- a/backend/src/middleware/requireMembershipAuth.ts
+++ b/backend/src/middleware/requireMembershipAuth.ts
@ -1,13 +1,9 @@
-import { Types } from 'mongoose';
 import { Request, Response, NextFunction } from 'express';
 import { UnauthorizedRequestError } from '../utils/errors';
 import {
    Membership,
 } from '../models';
-import {
-    validateClientForMembership,
-    validateMembership
-} from '../helpers/membership';
+import { validateMembership } from '../helpers/membership';

 type req = 'params' | 'body' | 'query';

@ -20,25 +16,43 @@ type req = 'params' | 'body' | 'query';
 */
 const requireMembershipAuth = ({
    acceptedRoles,
-    locationMembershipId = 'params'
+    location = 'params'
 }: {
-    acceptedRoles: Array<'admin' | 'member'>;
-    locationMembershipId: req
+    acceptedRoles: string[];
+    location?: req;
 }) => {
    return async (
        req: Request, 
        res: Response, 
        next: NextFunction
    ) => {
-        const { membershipId } = req[locationMembershipId];
-        
-        req.targetMembership = await validateClientForMembership({
-            authData: req.authData,
-            membershipId: new Types.ObjectId(membershipId),
-            acceptedRoles
-        });
-        
-        return next();
+        try {
+            const { membershipId } = req[location];
+            
+            const membership = await Membership.findById(membershipId);
+            
+            if (!membership) throw new Error('Failed to find target membership');
+            
+            const userMembership = await Membership.findOne({
+                workspace: membership.workspace
+            });
+            
+            if (!userMembership) throw new Error('Failed to validate own membership')
+            
+            const targetMembership = await validateMembership({
+                userId: req.user._id.toString(),
+                workspaceId: membership.workspace.toString(),
+                acceptedRoles
+            });
+            
+            req.targetMembership = targetMembership;
+            
+            return next();
+        } catch (err) {
+            return next(UnauthorizedRequestError({ 
+                message: 'Unable to validate workspace membership' 
+            }));
+        }
    }
 }

--- a/backend/src/middleware/requireMembershipOrgAuth.ts
+++ b/backend/src/middleware/requireMembershipOrgAuth.ts
@ -1,17 +1,11 @@
-import { Types } from 'mongoose';
 import { Request, Response, NextFunction } from 'express';
 import { UnauthorizedRequestError } from '../utils/errors';
 import {
    MembershipOrg
 } from '../models';
-import { 
-    validateClientForMembershipOrg,
-    validateMembershipOrg
-} from '../helpers/membershipOrg';
+import { validateMembership } from '../helpers/membershipOrg';


-// TODO: transform
-
 type req = 'params' | 'body' | 'query';

 /**
@ -23,24 +17,32 @@ type req = 'params' | 'body' | 'query';
 */
 const requireMembershipOrgAuth = ({
    acceptedRoles,
-    acceptedStatuses,
-    locationMembershipOrgId = 'params'
+    location = 'params'
 }: {
-    acceptedRoles: Array<'owner' | 'admin' | 'member'>;
-	acceptedStatuses: Array<'invited' | 'accepted'>;
-    locationMembershipOrgId?: req;
+    acceptedRoles: string[];
+    location?: req;
 }) => {
    return async (req: Request, res: Response, next: NextFunction) => {
-        const { membershipId } = req[locationMembershipOrgId];
-        
-        req.membershipOrg = await validateClientForMembershipOrg({
-            authData: req.authData,
-            membershipOrgId: new Types.ObjectId(membershipId),
-            acceptedRoles,
-            acceptedStatuses
-        });
-        
-        return next();
+        try {
+            const { membershipId } = req[location];
+            const membershipOrg = await MembershipOrg.findById(membershipId);
+            
+            if (!membershipOrg) throw new Error('Failed to find target organization membership');
+            
+            const targetMembership = await validateMembership({
+                userId: req.user._id.toString(),
+                organizationId: membershipOrg.organization.toString(),
+                acceptedRoles
+            });
+            
+            req.targetMembership = targetMembership;
+            
+            return next();
+        } catch (err) {
+            return next(UnauthorizedRequestError({
+                message: 'Unable to validate organization membership'
+            }));
+        }
    }
 }

--- a/backend/src/middleware/requireMfaAuth.ts
+++ b/backend/src/middleware/requireMfaAuth.ts
@ -1,43 +0,0 @@
-import jwt from 'jsonwebtoken';
-import { Request, Response, NextFunction } from 'express';
-import { User } from '../models';
-import { BadRequestError, UnauthorizedRequestError } from '../utils/errors';
-import { getJwtMfaSecret } from '../config';
-
-declare module 'jsonwebtoken' {
-	export interface UserIDJwtPayload extends jwt.JwtPayload {
-		userId: string;
-	}
-}
-
-/**
- * Validate if (MFA) JWT temporary token on request is valid (e.g. not expired)
- * and if there is an associated user.
- */
-const requireMfaAuth = async (
-	req: Request,
-	res: Response,
-	next: NextFunction
-) => {
-	// JWT (temporary) authentication middleware for complete signup
-	const [ AUTH_TOKEN_TYPE, AUTH_TOKEN_VALUE ] = <[string, string]>req.headers['authorization']?.split(' ', 2) ?? [null, null]
-	if(AUTH_TOKEN_TYPE === null) return next(BadRequestError({message: `Missing Authorization Header in the request header.`}))
-	if(AUTH_TOKEN_TYPE.toLowerCase() !== 'bearer') return next(BadRequestError({message: `The provided authentication type '${AUTH_TOKEN_TYPE}' is not supported.`}))
-	if(AUTH_TOKEN_VALUE === null) return next(BadRequestError({message: 'Missing Authorization Body in the request header'}))
-	
-	const decodedToken = <jwt.UserIDJwtPayload>(
-		jwt.verify(AUTH_TOKEN_VALUE, getJwtMfaSecret())
-	);
-
-	const user = await User.findOne({
-		_id: decodedToken.userId
-	}).select('+publicKey');
-
-	if (!user)
-		return next(UnauthorizedRequestError({message: 'Unable to authenticate for User account completion. Try logging in again'}))
-
-	req.user = user;
-	return next();
-};
-
-export default requireMfaAuth;
--- a/backend/src/middleware/requireOrganizationAuth.ts
+++ b/backend/src/middleware/requireOrganizationAuth.ts
@ -1,46 +1,45 @@
 import { Request, Response, NextFunction } from 'express';
-import { Types } from 'mongoose';
 import { IOrganization, MembershipOrg } from '../models';
 import { UnauthorizedRequestError, ValidationError } from '../utils/errors';
-import { validateMembershipOrg } from '../helpers/membershipOrg';
-import { validateClientForOrganization } from '../helpers/organization';
-
-type req = 'params' | 'body' | 'query';

 /**
 * Validate if user on request is a member with proper roles for organization
 * on request params.
 * @param {Object} obj
 * @param {String[]} obj.acceptedRoles - accepted organization roles
- * @param {String[]} obj.accepteStatuses - accepted organization statuses
+ * @param {String[]} obj.acceptedStatuses - accepted organization statuses
 */
 const requireOrganizationAuth = ({
 	acceptedRoles,
-	acceptedStatuses,
-	locationOrganizationId = 'params'
+	acceptedStatuses
 }: {
-	acceptedRoles: Array<'owner' | 'admin' | 'member'>;
-	acceptedStatuses: Array<'invited' | 'accepted'>;
-	locationOrganizationId?: req;
+	acceptedRoles: string[];
+	acceptedStatuses: string[];
 }) => {
 	return async (req: Request, res: Response, next: NextFunction) => {
-		const { organizationId } = req[locationOrganizationId];
-		
-		const { organization, membershipOrg } = await validateClientForOrganization({
-			authData: req.authData,
-			organizationId: new Types.ObjectId(organizationId),
-			acceptedRoles,
-			acceptedStatuses
-		});
-		
-		if (organization) {
-			req.organization = organization;
+		// organization authorization middleware
+
+		// validate organization membership
+		const membershipOrg = await MembershipOrg.findOne({
+			user: req.user._id,
+			organization: req.params.organizationId
+		}).populate<{ organization: IOrganization }>('organization');
+
+
+		if (!membershipOrg) {
+			return next(UnauthorizedRequestError({message: "You're not a member of this Organization."}))
+		}
+		//TODO is this important to validate? I mean is it possible to save wrong role to database or get wrong role from databse? - Zamion101
+		if (!acceptedRoles.includes(membershipOrg.role)) {
+			return next(ValidationError({message: 'Failed to validate Organization Membership Role'}))
 		}

-		if (membershipOrg) {
-			req.membershipOrg = membershipOrg;
+		if (!acceptedStatuses.includes(membershipOrg.status)) {
+			return next(ValidationError({message: 'Failed to validate Organization Membership Status'}))
 		}

+		req.membershipOrg = membershipOrg;
+
 		return next();
 	};
 };
--- a/backend/src/middleware/requireSecretAuth.ts
+++ b/backend/src/middleware/requireSecretAuth.ts
@ -1,17 +1,12 @@
 import { Request, Response, NextFunction } from 'express';
-import { Types } from 'mongoose';
 import { UnauthorizedRequestError, SecretNotFoundError } from '../utils/errors';
 import { Secret } from '../models';
 import {
    validateMembership
 } from '../helpers/membership';
-import {
-    validateClientForSecret
-} from '../helpers/secrets';

 // note: used for old /v1/secret and /v2/secret routes.
-// newer /v2/secrets routes use [requireSecretsAuth] middleware with the exception
-// of some /ee endpoints
+// newer /v2/secrets routes use [requireSecretsAuth] middleware

 /**
 * Validate if user on request has proper membership to modify secret.
@ -20,25 +15,34 @@ import {
 * @param {String[]} obj.location - location of [workspaceId] on request (e.g. params, body) for parsing
 */
 const requireSecretAuth = ({
-    acceptedRoles,
-    requiredPermissions
+    acceptedRoles
 }: {
-    acceptedRoles: Array<'admin' | 'member'>;
-    requiredPermissions: string[];
+    acceptedRoles: string[];
 }) => {
    return async (req: Request, res: Response, next: NextFunction) => {
-        const { secretId } = req.params;
-        
-        const secret = await validateClientForSecret({
-            authData: req.authData,
-            secretId: new Types.ObjectId(secretId),
-            acceptedRoles,
-            requiredPermissions
-        });
-        
-        req._secret = secret;
+        try {
+            const { secretId } = req.params;
+            
+            const secret = await Secret.findById(secretId);
+            
+            if (!secret) {
+                return next(SecretNotFoundError({
+                    message: 'Failed to find secret'
+                }));
+            }
+            
+            await validateMembership({
+                userId: req.user._id.toString(),
+                workspaceId: secret.workspace.toString(),
+                acceptedRoles
+            });
+            
+            req._secret = secret;

-        next();
+            next();
+        } catch (err) {
+            return next(UnauthorizedRequestError({ message: 'Unable to authenticate secret' }));
+        }
    }
 }

--- a/backend/src/middleware/requireSecretsAuth.ts
+++ b/backend/src/middleware/requireSecretsAuth.ts
@ -1,35 +1,48 @@
 import { Request, Response, NextFunction } from 'express';
-import { Types } from 'mongoose';
 import { UnauthorizedRequestError } from '../utils/errors';
 import { Secret, Membership } from '../models';
-import { validateClientForSecrets } from '../helpers/secrets';
+import { validateSecrets } from '../helpers/secret';
+
+// TODO: make this work for delete route

 const requireSecretsAuth = ({
-    acceptedRoles,
-    requiredPermissions = []
+    acceptedRoles
 }: {
    acceptedRoles: string[];
-    requiredPermissions?: string[];
 }) => {
    return async (req: Request, res: Response, next: NextFunction) => {
-        let secretIds = [];
-        if (Array.isArray(req.body.secrets)) {
-            secretIds = req.body.secrets.map((s: any) => s.id);
-        } else if (typeof req.body.secrets === 'object') {
-            secretIds = [req.body.secrets.id];
-        } else if (Array.isArray(req.body.secretIds)) {
-            secretIds = req.body.secretIds;
-        } else if (typeof req.body.secretIds === 'string') {
-            secretIds = [req.body.secretIds];
+        let secrets;
+        try {
+            if (Array.isArray(req.body.secrets)) {
+                // case: validate multiple secrets
+                secrets = await validateSecrets({
+                    userId: req.user._id.toString(),
+                    secretIds: req.body.secrets.map((s: any) => s.id)
+                });
+            } else if (typeof req.body.secrets === 'object') { // change this to check for object
+                // case: validate 1 secret
+                secrets = await validateSecrets({
+                    userId: req.user._id.toString(),
+                    secretIds: req.body.secrets.id
+                });
+            } else if (Array.isArray(req.body.secretIds)) {
+                secrets = await validateSecrets({
+                    userId: req.user._id.toString(),
+                    secretIds: req.body.secretIds
+                });
+            } else if (typeof req.body.secretIds === 'string') {
+                // case: validate secretIds
+                secrets = await validateSecrets({
+                    userId: req.user._id.toString(),
+                    secretIds: [req.body.secretIds]
+                });
+            }
+            
+            req.secrets = secrets;
+            return next();
+        } catch (err) {
+            return next(UnauthorizedRequestError({ message: 'Unable to authenticate secret(s)' }));
        }
-
-        req.secrets = await validateClientForSecrets({
-            authData: req.authData,
-            secretIds: secretIds.map((secretId: string) => new Types.ObjectId(secretId)),
-            requiredPermissions
-        });
-    
-        return next();
    }
 }

--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Maidul Islam	e8213799c8	Add deny api/get envs api	2023-01-29 21:04:47 -08:00
Maidul Islam	967df7282e	add basic auth model for Organization	2023-01-24 23:16:08 -08:00