Replace insertMany operation with upsert for backfilling trusted ips

Fix PATCH IP whitelist behavior and breaking integrations due to incorrect project id in local storage

.dockerignore

@@ -0,0 +1,2 @@
+backend/node_modules
+frontend/node_modules

.env.example

@@ -1,5 +1,6 @@
 # Keys
 # Required key for platform encryption/decryption ops
+# THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NOT BE USED FOR PRODUCTION
 ENCRYPTION_KEY=6c1fe4e407b8911c104518103505b218
 
 # JWT
@@ -8,6 +9,7 @@ JWT_SIGNUP_SECRET=3679e04ca949f914c03332aaaeba805a
 JWT_REFRESH_SECRET=5f2f3c8f0159068dc2bbb3a652a716ff
 JWT_AUTH_SECRET=4be6ba5602e0fa0ac6ac05c3cd4d247f
 JWT_SERVICE_SECRET=f32f716d70a42c5703f4656015e76200
+JWT_PROVIDER_AUTH_SECRET=f32f716d70a42c5703f4656015e76201
 
 # JWT lifetime
 # Optional lifetimes for JWT tokens expressed in seconds or a string 
@@ -15,6 +17,7 @@ JWT_SERVICE_SECRET=f32f716d70a42c5703f4656015e76200
 JWT_AUTH_LIFETIME=
 JWT_REFRESH_LIFETIME=
 JWT_SIGNUP_LIFETIME=
+JWT_PROVIDER_AUTH_LIFETIME=
 
 # MongoDB
 # Backend will connect to the MongoDB instance at connection string MONGO_URL which can either be a ref
@@ -32,12 +35,10 @@ SITE_URL=http://localhost:8080
 
 # Mail/SMTP 
 SMTP_HOST=
+SMTP_PORT=
+SMTP_NAME=
 SMTP_USERNAME=
 SMTP_PASSWORD=
-SMTP_PORT=587
-SMTP_SECURE=false
-SMTP_FROM_ADDRESS= 
-SMTP_FROM_NAME=Infisical
 
 # Integration
 # Optional only if integration is used
@@ -46,11 +47,13 @@ CLIENT_ID_VERCEL=
 CLIENT_ID_NETLIFY=
 CLIENT_ID_GITHUB=
 CLIENT_ID_GITLAB=
+CLIENT_ID_BITBUCKET=
 CLIENT_SECRET_HEROKU=
 CLIENT_SECRET_VERCEL=
 CLIENT_SECRET_NETLIFY=
 CLIENT_SECRET_GITHUB=
 CLIENT_SECRET_GITLAB=
+CLIENT_SECRET_BITBUCKET=
 CLIENT_SLUG_VERCEL=
 
 # Sentry (optional) for monitoring errors
@@ -60,10 +63,6 @@ SENTRY_DSN=
 # Ignore - Not applicable for self-hosted version
 POSTHOG_HOST=
 POSTHOG_PROJECT_API_KEY=
-STRIPE_SECRET_KEY=
-STRIPE_PUBLISHABLE_KEY=
-STRIPE_WEBHOOK_SECRET=
-STRIPE_PRODUCT_STARTER=
-STRIPE_PRODUCT_TEAM=
-STRIPE_PRODUCT_PRO=
-NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=
+
+CLIENT_ID_GOOGLE=
+CLIENT_SECRET_GOOGLE=

.github/resources/docker-compose.be-test.yml

@@ -13,6 +13,7 @@ services:
       - MONGO_URL=mongodb://test:example@mongo:27017/?authSource=admin
       - MONGO_USERNAME=test
       - MONGO_PASSWORD=example
+      - ENCRYPTION_KEY=a984ecdf82ec779e55dbcc21303a900f
     networks:
       - infisical-test
 

.github/values.yaml

@@ -1,3 +1,10 @@
+# secretScanningGitApp:
+#   enabled: false
+#   deploymentAnnotations:
+#     secrets.infisical.com/auto-reload: "true"
+#   image:
+#     repository: infisical/staging_deployment_secret-scanning-git-app
+    
 frontend:
   enabled: true
   name: frontend
@@ -6,7 +13,7 @@ frontend:
     secrets.infisical.com/auto-reload: "true"
   replicaCount: 2
   image:
-    repository: infisical/frontend
+    repository: infisical/staging_deployment_frontend
     tag: "latest"
     pullPolicy: Always
   kubeSecretRef: managed-secret-frontend
@@ -25,7 +32,7 @@ backend:
     secrets.infisical.com/auto-reload: "true"
   replicaCount: 2
   image:
-    repository: infisical/backend
+    repository: infisical/staging_deployment_backend
     tag: "latest"
     pullPolicy: Always
   kubeSecretRef: managed-backend-secret
@@ -51,8 +58,8 @@ mongodbConnection:
 
 ingress:
   enabled: true
-  annotations:
-    kubernetes.io/ingress.class: "nginx"
+  # annotations:
+  #   kubernetes.io/ingress.class: "nginx"
     # cert-manager.io/issuer: letsencrypt-nginx
   hostName: gamma.infisical.com ## <- Replace with your own domain
   frontend:

.github/workflows/build-docker-image-to-prod.yml

@@ -0,0 +1,118 @@
+name: Release production images (frontend, backend)
+on:
+  push:
+    tags:
+      - "infisical/v*.*.*"
+
+jobs:
+  backend-image:
+    name: Build backend image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Extract version from tag
+        id: extract_version
+        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
+      - name: ☁️ Checkout source
+        uses: actions/checkout@v3
+      - name: 📦 Install dependencies to test all dependencies
+        run: npm ci --only-production
+        working-directory: backend
+      - name: 🧪 Run tests
+        run: npm run test:ci
+        working-directory: backend
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Set up Depot CLI
+        uses: depot/setup-action@v1
+      - name: 📦 Build backend and export to Docker
+        uses: depot/build-push-action@v1
+        with:
+          project: 64mmf0n610
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          load: true
+          context: backend
+          tags: infisical/backend:test
+      - name: ⏻ Spawn backend container and dependencies
+        run: |
+          docker compose -f .github/resources/docker-compose.be-test.yml up --wait --quiet-pull
+      - name: 🧪 Test backend image
+        run: |
+          ./.github/resources/healthcheck.sh infisical-backend-test
+      - name: ⏻ Shut down backend container and dependencies
+        run: |
+          docker compose -f .github/resources/docker-compose.be-test.yml down
+      - name: 🏗️ Build backend and push
+        uses: depot/build-push-action@v1
+        with:
+          project: 64mmf0n610
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          push: true
+          context: backend
+          tags: |
+            infisical/backend:${{ steps.commit.outputs.short }}
+            infisical/backend:latest
+            infisical/backend:${{ steps.extract_version.outputs.version }}
+          platforms: linux/amd64,linux/arm64
+
+  frontend-image:
+    name: Build frontend image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Extract version from tag
+        id: extract_version
+        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
+      - name: ☁️ Checkout source
+        uses: actions/checkout@v3
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Set up Depot CLI
+        uses: depot/setup-action@v1
+      - name: 📦 Build frontend and export to Docker
+        uses: depot/build-push-action@v1
+        with:
+          load: true
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          project: 64mmf0n610
+          context: frontend
+          tags: infisical/frontend:test
+          build-args: |
+            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
+      - name: ⏻ Spawn frontend container
+        run: |
+          docker run -d --rm --name infisical-frontend-test infisical/frontend:test
+      - name: 🧪 Test frontend image
+        run: |
+          ./.github/resources/healthcheck.sh infisical-frontend-test
+      - name: ⏻ Shut down frontend container
+        run: |
+          docker stop infisical-frontend-test
+      - name: 🏗️ Build frontend and push
+        uses: depot/build-push-action@v1
+        with:
+          project: 64mmf0n610
+          push: true
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          context: frontend
+          tags: |
+            infisical/frontend:${{ steps.commit.outputs.short }}
+            infisical/frontend:latest
+            infisical/frontend:${{ steps.extract_version.outputs.version }}
+          platforms: linux/amd64,linux/arm64
+          build-args: |
+            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}

.github/workflows/build-staging-img.yml

@@ -5,7 +5,6 @@ jobs:
   backend-image:
     name: Build backend image
     runs-on: ubuntu-latest
-
     steps:
       - name: ☁️ Checkout source
         uses: actions/checkout@v3
@@ -51,14 +50,14 @@ jobs:
           token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
           push: true
           context: backend
-          tags: infisical/backend:${{ steps.commit.outputs.short }},
-            infisical/backend:latest
+          tags: |
+            infisical/staging_deployment_backend:${{ steps.commit.outputs.short }}
+            infisical/staging_deployment_backend:latest
           platforms: linux/amd64,linux/arm64
 
   frontend-image:
     name: Build frontend image
     runs-on: ubuntu-latest
-
     steps:
       - name: ☁️ Checkout source
         uses: actions/checkout@v3
@@ -81,12 +80,12 @@ jobs:
           token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
           project: 64mmf0n610
           context: frontend
-          tags: infisical/frontend:test
+          tags: infisical/staging_deployment_frontend:test
           build-args: |
             POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
       - name: ⏻ Spawn frontend container
         run: |
-          docker run -d --rm --name infisical-frontend-test infisical/frontend:test
+          docker run -d --rm --name infisical-frontend-test infisical/staging_deployment_frontend:test
       - name: 🧪 Test frontend image
         run: |
           ./.github/resources/healthcheck.sh infisical-frontend-test
@@ -100,8 +99,9 @@ jobs:
           push: true
           token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
           context: frontend
-          tags: infisical/frontend:${{ steps.commit.outputs.short }},
-            infisical/frontend:latest
+          tags: |
+            infisical/staging_deployment_frontend:${{ steps.commit.outputs.short }}
+            infisical/staging_deployment_frontend:latest
           platforms: linux/amd64,linux/arm64
           build-args: |
             POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
@@ -135,7 +135,7 @@ jobs:
       - name: Download helm values to file and upgrade gamma deploy
         run: |
           wget https://raw.githubusercontent.com/Infisical/infisical/main/.github/values.yaml
-          helm upgrade infisical infisical-helm-charts/infisical  --values values.yaml --recreate-pods
+          helm upgrade infisical infisical-helm-charts/infisical  --values values.yaml --wait --install
           if [[ $(helm status infisical) == *"FAILED"* ]]; then
             echo "Helm upgrade failed"
             exit 1

.github/workflows/check-be-pull-request.yml

@@ -13,6 +13,7 @@ jobs:
   check-be-pr:
     name: Check
     runs-on: ubuntu-latest
+    timeout-minutes: 15
 
     steps:
       - name: ☁️ Checkout source
@@ -26,17 +27,17 @@ jobs:
       - name: 📦 Install dependencies
         run: npm ci --only-production
         working-directory: backend
-      - name: 🧪 Run tests
-        run: npm run test:ci
-        working-directory: backend
-      - name: 📁 Upload test results
-        uses: actions/upload-artifact@v3
-        if: always()
-        with:
-          name: be-test-results
-          path: |
-            ./backend/reports
-            ./backend/coverage
+      # - name: 🧪 Run tests
+      #   run: npm run test:ci
+      #   working-directory: backend
+      # - name: 📁 Upload test results
+      #   uses: actions/upload-artifact@v3
+      #   if: always()
+      #   with:
+      #     name: be-test-results
+      #     path: |
+      #       ./backend/reports
+      #       ./backend/coverage
       - name: 🏗️ Run build
         run: npm run build
         working-directory: backend

.github/workflows/check-fe-pull-request.yml

@@ -2,40 +2,35 @@ name: Check Frontend Pull Request
 
 on:
   pull_request:
-    types: [ opened, synchronize ]
+    types: [opened, synchronize]
     paths:
-      - 'frontend/**'
-      - '!frontend/README.md'
-      - '!frontend/.*'
-      - 'frontend/.eslintrc.js'
-
+      - "frontend/**"
+      - "!frontend/README.md"
+      - "!frontend/.*"
+      - "frontend/.eslintrc.js"
 
 jobs:
-
   check-fe-pr:
     name: Check
     runs-on: ubuntu-latest
+    timeout-minutes: 15
 
     steps:
-      -
-        name: ☁️ Checkout source
+      - name: ☁️ Checkout source
         uses: actions/checkout@v3
-      -
-        name: 🔧 Setup Node 16
+      - name: 🔧 Setup Node 16
         uses: actions/setup-node@v3
         with:
-          node-version: '16'
-          cache: 'npm'
+          node-version: "16"
+          cache: "npm"
           cache-dependency-path: frontend/package-lock.json
-      -
-        name: 📦 Install dependencies
+      - name: 📦 Install dependencies
         run: npm ci --only-production --ignore-scripts
         working-directory: frontend
       # -
       #   name: 🧪 Run tests
       #   run: npm run test:ci
       #   working-directory: frontend
-      -
-        name: 🏗️ Run build
+      - name: 🏗️ Run build
         run: npm run build
         working-directory: frontend

.github/workflows/release-standalone-docker-img.yml

@@ -0,0 +1,75 @@
+name: Release standalone docker image
+on:
+  push:
+    tags:
+      - "infisical/v*.*.*"
+
+jobs:
+  infisical-standalone:
+    name: Build infisical standalone image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Extract version from tag
+        id: extract_version
+        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
+      - name: ☁️ Checkout source
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: 📦 Install dependencies to test all dependencies
+        run: npm ci --only-production
+        working-directory: backend
+      - uses: paulhatch/semantic-version@v5.0.2
+        id: version
+        with:
+          # The prefix to use to identify tags
+          tag_prefix: "infisical-standalone/v"
+          # A string which, if present in a git commit, indicates that a change represents a
+          # major (breaking) change, supports regular expressions wrapped with '/'
+          major_pattern: "(MAJOR)"
+          # Same as above except indicating a minor change, supports regular expressions wrapped with '/'
+          minor_pattern: "(MINOR)"
+          # A string to determine the format of the version output
+          version_format: "${major}.${minor}.${patch}-prerelease${increment}"
+          # Optional path to check for changes. If any changes are detected in the path the
+          # 'changed' output will true. Enter multiple paths separated by spaces.
+          change_path: "backend,frontend"
+          # Prevents pre-v1.0.0 version from automatically incrementing the major version.
+          # If enabled, when the major version is 0, major releases will be treated as minor and minor as patch. Note that the version_type output is unchanged.
+          enable_prerelease_mode: true
+      # - name: 🧪 Run tests
+      #   run: npm run test:ci
+      #   working-directory: backend
+      - name: version output
+        run: |
+          echo "Output Value: ${{ steps.version.outputs.major }}"
+          echo "Output Value: ${{ steps.version.outputs.minor }}"
+          echo "Output Value: ${{ steps.version.outputs.patch }}"
+          echo "Output Value: ${{ steps.version.outputs.version }}"
+          echo "Output Value: ${{ steps.version.outputs.version_type }}"
+          echo "Output Value: ${{ steps.version.outputs.increment }}"
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Set up Depot CLI
+        uses: depot/setup-action@v1
+      - name: 📦 Build backend and export to Docker
+        uses: depot/build-push-action@v1
+        with:
+          project: 64mmf0n610
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          push: true
+          context: .
+          tags: |
+            infisical/infisical:latest
+            infisical/infisical:${{ steps.commit.outputs.short }}
+            infisical/infisical:${{ steps.extract_version.outputs.version }}
+          platforms: linux/amd64,linux/arm64
+          file: Dockerfile.standalone-infisical

.github/workflows/release_build.yml

@@ -4,7 +4,7 @@ on:
   push:
     # run only against tags
     tags:
-      - "v*"
+      - "infisical-cli/v*.*.*"
 
 permissions:
   contents: write
@@ -41,13 +41,15 @@ jobs:
           git clone https://github.com/plentico/osxcross-target.git ../../osxcross/target
       - uses: goreleaser/goreleaser-action@v4
         with:
-          distribution: goreleaser
+          distribution: goreleaser-pro
           version: latest
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
+          POSTHOG_API_KEY_FOR_CLI: ${{ secrets.POSTHOG_API_KEY_FOR_CLI }}
           FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}
           AUR_KEY: ${{ secrets.AUR_KEY }}
+          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
       - uses: actions/setup-python@v4
       - run: pip install --upgrade cloudsmith-cli
       - name: Publish to CloudSmith

.github/workflows/release_docker_k8_operator.yaml

@@ -1,10 +1,16 @@
 name: Release Docker image for K8 operator
-on: [workflow_dispatch]
+on:
+  push:
+    tags:
+      - "infisical-k8-operator/v*.*.*"
 
 jobs:
   release:
     runs-on: ubuntu-latest
     steps:
+      - name: Extract version from tag
+        id: extract_version
+        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical-k8-operator/}"
       - uses: actions/checkout@v2
 
       - name: 🔧 Set up QEMU
@@ -26,4 +32,6 @@ jobs:
           context: k8-operator
           push: true
           platforms: linux/amd64,linux/arm64
-          tags: infisical/kubernetes-operator:latest
+          tags: |
+            infisical/kubernetes-operator:latest
+            infisical/kubernetes-operator:${{ steps.extract_version.outputs.version }}

.gitignore

@@ -2,6 +2,7 @@
 node_modules
 .env
 .env.dev
+.env.gamma
 .env.prod
 .env.infisical
 

.goreleaser.yaml

@@ -11,10 +11,16 @@ before:
     - ./cli/scripts/completions.sh
     - ./cli/scripts/manpages.sh
 
+monorepo:
+  tag_prefix: infisical-cli/
+  dir: cli
+
 builds:
   - id: darwin-build
     binary: infisical
-    ldflags: -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
+    ldflags:
+      - -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
+      - -X github.com/Infisical/infisical-merge/packages/telemetry.POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
     flags:
       - -trimpath
     env:
@@ -32,7 +38,9 @@ builds:
     env:
       - CGO_ENABLED=0
     binary: infisical
-    ldflags: -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
+    ldflags:
+      - -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
+      - -X github.com/Infisical/infisical-merge/packages/telemetry.POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
     flags:
       - -trimpath
     goos:
@@ -61,10 +69,10 @@ archives:
       - goos: windows
         format: zip
     files:
-      - README*
-      - LICENSE*
-      - manpages/*
-      - completions/*
+      - ../README*
+      - ../LICENSE*
+      - ../manpages/*
+      - ../completions/*
 
 release:
   replace_existing_draft: true
@@ -74,14 +82,7 @@ checksum:
   name_template: "checksums.txt"
 
 snapshot:
-  name_template: "{{ incpatch .Version }}-devel"
-
-changelog:
-  sort: asc
-  filters:
-    exclude:
-      - "^docs:"
-      - "^test:"
+  name_template: "{{ .Version }}-devel"
 
 # publishers:
 #   - name: fury.io
@@ -107,6 +108,22 @@ brews:
       zsh_completion.install "completions/infisical.zsh" => "_infisical"
       fish_completion.install "completions/infisical.fish"
       man1.install "manpages/infisical.1.gz"
+  - name: 'infisical@{{.Version}}'
+    tap:
+      owner: Infisical
+      name: homebrew-get-cli
+    commit_author:
+      name: "Infisical"
+      email: ai@infisical.com
+    folder: Formula
+    homepage: "https://infisical.com"
+    description: "The official Infisical CLI"
+    install: |-
+      bin.install "infisical"
+      bash_completion.install "completions/infisical.bash" => "infisical"
+      zsh_completion.install "completions/infisical.zsh" => "_infisical"
+      fish_completion.install "completions/infisical.fish"
+      man1.install "manpages/infisical.1.gz"
 
 nfpms:
   - id: infisical
@@ -164,7 +181,7 @@ aurs:
       mkdir -p "${pkgdir}/usr/share/zsh/site-functions/"
       mkdir -p "${pkgdir}/usr/share/fish/vendor_completions.d/"
       install -Dm644 "./completions/infisical.bash" "${pkgdir}/usr/share/bash-completion/completions/infisical"
-      install -Dm644 "./completions/infisical.zsh" "${pkgdir}/usr/share/zsh/site-functions/infisical"
+      install -Dm644 "./completions/infisical.zsh" "${pkgdir}/usr/share/zsh/site-functions/_infisical"
       install -Dm644 "./completions/infisical.fish" "${pkgdir}/usr/share/fish/vendor_completions.d/infisical.fish"
       # man pages
       install -Dm644 "./manpages/infisical.1.gz" "${pkgdir}/usr/share/man/man1/infisical.1.gz"

.husky/pre-commit

@@ -3,3 +3,5 @@
 . "$(dirname -- "$0")/_/husky.sh"
 
 npx lint-staged
+
+infisical scan git-changes --staged -v

.infisicalignore

@@ -0,0 +1 @@
+.github/resources/docker-compose.be-test.yml:generic-api-key:16

.vscode/settings.json

@@ -0,0 +1,3 @@
+{
+	"workbench.editor.wrapTabs": true
+}

Dockerfile.standalone-infisical

@@ -0,0 +1,107 @@
+ARG POSTHOG_HOST=https://app.posthog.com
+ARG POSTHOG_API_KEY=posthog-api-key
+
+FROM node:16-alpine AS frontend-dependencies
+
+WORKDIR /app
+
+COPY frontend/package.json frontend/package-lock.json frontend/next.config.js ./
+
+# Install dependencies
+RUN npm ci --only-production --ignore-scripts
+
+# Rebuild the source code only when needed
+FROM node:16-alpine AS frontend-builder
+WORKDIR /app
+
+# Copy dependencies
+COPY --from=frontend-dependencies /app/node_modules ./node_modules
+# Copy all files 
+COPY /frontend .
+
+ENV NODE_ENV production
+ENV NEXT_PUBLIC_ENV production
+ARG POSTHOG_HOST
+ENV NEXT_PUBLIC_POSTHOG_HOST $POSTHOG_HOST
+ARG POSTHOG_API_KEY
+ENV NEXT_PUBLIC_POSTHOG_API_KEY $POSTHOG_API_KEY
+ARG INTERCOM_ID
+ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID
+
+# Build
+RUN npm run build
+
+# Production image
+FROM node:16-alpine AS frontend-runner
+WORKDIR /app
+
+RUN addgroup --system --gid 1001 nodejs
+RUN adduser --system --uid 1001 nextjs
+
+RUN mkdir -p /app/.next/cache/images && chown nextjs:nodejs /app/.next/cache/images
+VOLUME /app/.next/cache/images
+
+ARG POSTHOG_API_KEY
+ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
+  BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY
+ARG INTERCOM_ID
+ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
+  BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
+
+COPY --chown=nextjs:nodejs --chmod=555 frontend/scripts ./scripts
+COPY --from=frontend-builder /app/public ./public
+RUN chown nextjs:nodejs ./public/data
+COPY --from=frontend-builder --chown=nextjs:nodejs /app/.next/standalone ./
+COPY --from=frontend-builder --chown=nextjs:nodejs /app/.next/static ./.next/static
+
+USER nextjs
+
+ENV NEXT_TELEMETRY_DISABLED 1
+
+##
+## BACKEND
+##
+FROM node:16-alpine AS backend-build
+
+WORKDIR /app
+
+COPY backend/package*.json ./
+RUN npm ci --only-production
+
+COPY /backend .
+RUN npm run build
+
+# Production stage
+FROM node:16-alpine AS backend-runner
+
+WORKDIR /app
+
+COPY backend/package*.json ./
+RUN npm ci --only-production
+
+COPY --from=backend-build /app .
+
+# Production stage
+FROM node:16-alpine AS production
+
+WORKDIR / 
+
+# Install PM2
+RUN npm install -g pm2
+# Copy ecosystem.config.js
+COPY ecosystem.config.js .
+
+RUN apk add --no-cache nginx
+
+COPY nginx/default-stand-alone-docker.conf /etc/nginx/nginx.conf
+
+COPY --from=backend-runner /app /backend
+
+COPY --from=frontend-runner /app/ /app/
+
+EXPOSE 80
+ENV HTTPS_ENABLED false 
+
+CMD ["pm2-runtime", "start", "ecosystem.config.js"]
+
+

SECURITY.md

@@ -1,9 +1,13 @@
 # Security Policy
 
-## Supported Versions
+## Supported versions
 
 We always recommend using the latest version of Infisical to ensure you get all security updates.
 
-## Reporting a Vulnerability
+## Reporting vulnerabilities
 
-Please report security vulnerabilities or concerns to team@infisical.com.
+Please do not file GitHub issues or post on our public forum for security vulnerabilities, as they are public!
+
+Infisical takes security issues very seriously. If you have any concerns about Infisical or believe you have uncovered a vulnerability, please get in touch via the e-mail address security@infisical.com. In the message, try to provide a description of the issue and ideally a way of reproducing it. The security team will get back to you as soon as possible.
+
+Note that this security address should be used only for undisclosed vulnerabilities. Please report any security problems to us before disclosing it publicly.

backend/.eslintrc

@@ -1,12 +1,40 @@
 {
   "parser": "@typescript-eslint/parser",
-  "plugins": ["@typescript-eslint"],
+  "plugins": [
+    "@typescript-eslint",
+    "unused-imports"
+  ],
   "extends": [
     "eslint:recommended",
     "plugin:@typescript-eslint/eslint-recommended",
     "plugin:@typescript-eslint/recommended"
   ],
   "rules": {
-    "no-console": 2
+    "no-empty-function": "off",
+    "@typescript-eslint/no-empty-function": "off",
+    "no-console": 2,
+    "quotes": [
+      "error",
+      "double",
+      {
+        "avoidEscape": true
+      }
+    ],
+    "comma-dangle": [
+      "error",
+      "only-multiline"
+    ],
+    "@typescript-eslint/no-unused-vars": "off",
+    "unused-imports/no-unused-imports": "error",
+    "unused-imports/no-unused-vars": [
+      "warn",
+      {
+        "vars": "all",
+        "varsIgnorePattern": "^_",
+        "args": "after-used",
+        "argsIgnorePattern": "^_"
+      }
+    ],
+    "sort-imports": 1
   }
 }

backend/.prettierrc

@@ -0,0 +1,7 @@
+{
+  "singleQuote": false,
+  "printWidth": 100,
+  "trailingComma": "none",
+  "tabWidth": 2,
+  "semi": true
+}

backend/Dockerfile

@@ -19,6 +19,10 @@ RUN npm ci --only-production
 
 COPY --from=build /app .
 
+RUN apk add --no-cache bash curl && curl -1sLf \
+  'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
+  && apk add infisical=0.8.1
+
 HEALTHCHECK --interval=10s --timeout=3s --start-period=10s \  
   CMD node healthcheck.js
 

backend/environment.d.ts

@@ -14,7 +14,7 @@ declare global {
 			JWT_SIGNUP_LIFETIME: string;
 			JWT_SIGNUP_SECRET: string;
       MONGO_URL: string;
-      NODE_ENV: 'development' | 'staging' | 'testing' | 'production';
+      NODE_ENV: "development" | "staging" | "testing" | "production";
       VERBOSE_ERROR_OUTPUT: string;
       LOKI_HOST: string;
       CLIENT_ID_HEROKU: string;
@@ -39,12 +39,6 @@ declare global {
       SMTP_PASSWORD: string;
       SMTP_FROM_ADDRESS: string;
       SMTP_FROM_NAME: string;
-      STRIPE_PRODUCT_STARTER: string;
-      STRIPE_PRODUCT_TEAM: string;
-      STRIPE_PRODUCT_PRO: string;
-      STRIPE_PUBLISHABLE_KEY: string;
-      STRIPE_SECRET_KEY: string;
-      STRIPE_WEBHOOK_SECRET: string;
       TELEMETRY_ENABLED: string;
       LICENSE_KEY: string;
     }

backend/jest.config.ts

@@ -1,9 +1,9 @@
 export default {
-  preset: 'ts-jest',
-  testEnvironment: 'node',
-  collectCoverageFrom: ['src/*.{js,ts}', '!**/node_modules/**'],
-  modulePaths: ['<rootDir>/src'],
-  testMatch: ['<rootDir>/tests/**/*.test.ts'],
-  setupFiles: ['<rootDir>/test-resources/env-vars.js'],
-  setupFilesAfterEnv: ['<rootDir>/tests/setupTests.ts']
+  preset: "ts-jest",
+  testEnvironment: "node",
+  collectCoverageFrom: ["src/*.{js,ts}", "!**/node_modules/**"],
+  modulePaths: ["<rootDir>/src"],
+  testMatch: ["<rootDir>/tests/**/*.test.ts"],
+  setupFiles: ["<rootDir>/test-resources/env-vars.js"],
+  setupFilesAfterEnv: ["<rootDir>/tests/setupTests.ts"],
 };

backend/package.json

@@ -1,42 +1,46 @@
 {
   "dependencies": {
-    "@aws-sdk/client-secrets-manager": "^3.303.0",
-    "@godaddy/terminus": "^4.11.2",
+    "@aws-sdk/client-secrets-manager": "^3.319.0",
+    "@godaddy/terminus": "^4.12.0",
+    "@node-saml/passport-saml": "^4.0.4",
     "@octokit/rest": "^19.0.5",
-    "@sentry/node": "^7.45.0",
-    "@sentry/tracing": "^7.46.0",
-    "@sentry/node": "^7.41.0",
+    "@sentry/node": "^7.49.0",
+    "@sentry/tracing": "^7.48.0",
     "@types/crypto-js": "^4.1.1",
     "@types/libsodium-wrappers": "^0.7.10",
-    "await-to-js": "^3.0.0",
-    "aws-sdk": "^2.1338.0",
-    "axios": "^1.1.3",
+    "argon2": "^0.30.3",
+    "aws-sdk": "^2.1364.0",
+    "axios": "^1.3.5",
     "axios-retry": "^3.4.0",
     "bcrypt": "^5.1.0",
-    "bigint-conversion": "^2.2.2",
-    "builder-pattern": "^2.2.0",
+    "bigint-conversion": "^2.4.0",
     "cookie-parser": "^1.4.6",
     "cors": "^2.8.5",
     "crypto-js": "^4.1.1",
     "dotenv": "^16.0.1",
     "express": "^4.18.1",
+    "express-async-errors": "^3.1.1",
     "express-rate-limit": "^6.7.0",
     "express-validator": "^6.14.2",
     "handlebars": "^4.7.7",
     "helmet": "^5.1.1",
-    "infisical-node": "^1.0.37",
+    "infisical-node": "^1.2.1",
     "js-yaml": "^4.1.0",
     "jsonwebtoken": "^9.0.0",
     "jsrp": "^0.2.4",
     "libsodium-wrappers": "^0.7.10",
     "lodash": "^4.17.21",
-    "mongoose": "^6.10.4",
+    "mongoose": "^6.10.5",
+    "nanoid": "^3.3.6",
+    "node-cache": "^5.1.2",
     "nodemailer": "^6.8.0",
+    "passport": "^0.6.0",
+    "passport-google-oauth20": "^2.0.0",
     "posthog-node": "^2.6.0",
+    "probot": "^12.3.1",
     "query-string": "^7.1.3",
-    "request-ip": "^3.3.0",
+    "rate-limit-mongo": "^2.3.2",
     "rimraf": "^3.0.2",
-    "stripe": "^10.7.0",
     "swagger-autogen": "^2.22.0",
     "swagger-ui-express": "^4.6.2",
     "tweetnacl": "^1.0.3",
@@ -53,7 +57,7 @@
     "start": "node build/index.js",
     "dev": "nodemon",
     "swagger-autogen": "node ./swagger/index.ts",
-    "build": "rimraf ./build && tsc && cp -R ./src/templates ./build",
+    "build": "rimraf ./build && tsc && cp -R ./src/templates ./build && cp -R ./src/data ./build",
     "lint": "eslint . --ext .ts",
     "lint-and-fix": "eslint . --ext .ts --fix",
     "lint-staged": "lint-staged",
@@ -86,6 +90,8 @@
     "@types/lodash": "^4.14.191",
     "@types/node": "^18.11.3",
     "@types/nodemailer": "^6.4.6",
+    "@types/passport": "^1.0.12",
+    "@types/picomatch": "^2.3.0",
     "@types/supertest": "^2.0.12",
     "@types/swagger-jsdoc": "^6.0.1",
     "@types/swagger-ui-express": "^4.1.3",
@@ -93,11 +99,13 @@
     "@typescript-eslint/parser": "^5.40.1",
     "cross-env": "^7.0.3",
     "eslint": "^8.26.0",
+    "eslint-plugin-unused-imports": "^2.0.0",
     "install": "^0.13.0",
     "jest": "^29.3.1",
     "jest-junit": "^15.0.0",
     "nodemon": "^2.0.19",
     "npm": "^8.19.3",
+    "smee-client": "^1.2.3",
     "supertest": "^6.3.3",
     "ts-jest": "^29.0.3",
     "ts-node": "^10.9.1"

backend/spec.json

@@ -1532,7 +1532,15 @@
     "/api/v1/invite-org/signup": {
       "post": {
         "description": "",
-        "parameters": [],
+        "parameters": [
+          {
+            "name": "host",
+            "in": "header",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
         "responses": {
           "200": {
             "description": "OK"
@@ -2071,6 +2079,15 @@
                   "targetEnvironment": {
                     "example": "any"
                   },
+                  "targetEnvironmentId": {
+                    "example": "any"
+                  },
+                  "targetService": {
+                    "example": "any"
+                  },
+                  "targetServiceId": {
+                    "example": "any"
+                  },
                   "owner": {
                     "example": "any"
                   },
@@ -2297,6 +2314,13 @@
             "schema": {
               "type": "string"
             }
+          },
+          {
+            "name": "teamId",
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
           }
         ],
         "responses": {
@@ -2309,6 +2333,107 @@
         }
       }
     },
+    "/api/v1/integration-auth/{integrationAuthId}/teams": {
+      "get": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "integrationAuthId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
+    "/api/v1/integration-auth/{integrationAuthId}/vercel/branches": {
+      "get": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "integrationAuthId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "appId",
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
+    "/api/v1/integration-auth/{integrationAuthId}/railway/environments": {
+      "get": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "integrationAuthId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "appId",
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
+    "/api/v1/integration-auth/{integrationAuthId}/railway/services": {
+      "get": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "integrationAuthId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "appId",
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
     "/api/v2/signup/complete-account/signup": {
       "post": {
         "description": "",
@@ -2870,9 +2995,6 @@
                 }
               }
             }
-          },
-          "400": {
-            "description": "Bad Request"
           }
         },
         "security": [
@@ -2882,6 +3004,26 @@
         ]
       }
     },
+    "/api/v2/organizations/{organizationId}/service-accounts": {
+      "get": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "organizationId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
     "/api/v2/workspace/{workspaceId}/environments": {
       "post": {
         "description": "",
@@ -4018,9 +4160,6 @@
         "responses": {
           "200": {
             "description": "OK"
-          },
-          "400": {
-            "description": "Bad Request"
           }
         },
         "requestBody": {
@@ -4073,6 +4212,138 @@
             }
           }
         ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
+    "/api/v2/service-accounts/me": {
+      "get": {
+        "description": "",
+        "parameters": [],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
+    "/api/v2/service-accounts/{serviceAccountId}": {
+      "get": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "serviceAccountId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      },
+      "delete": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "serviceAccountId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
+    "/api/v2/service-accounts/": {
+      "post": {
+        "description": "",
+        "parameters": [],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
+    "/api/v2/service-accounts/{serviceAccountId}/name": {
+      "patch": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "serviceAccountId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        },
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "type": "object",
+                "properties": {
+                  "name": {
+                    "example": "any"
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    },
+    "/api/v2/service-accounts/{serviceAccountId}/permissions/workspace": {
+      "get": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "serviceAccountId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      },
+      "post": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "serviceAccountId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
         "responses": {
           "200": {
             "description": "OK"
@@ -4080,6 +4351,90 @@
           "400": {
             "description": "Bad Request"
           }
+        },
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "type": "object",
+                "properties": {
+                  "environment": {
+                    "example": "any"
+                  },
+                  "workspaceId": {
+                    "example": "any"
+                  },
+                  "read": {
+                    "example": "any"
+                  },
+                  "write": {
+                    "example": "any"
+                  },
+                  "encryptedKey": {
+                    "example": "any"
+                  },
+                  "nonce": {
+                    "example": "any"
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    },
+    "/api/v2/service-accounts/{serviceAccountId}/permissions/workspace/{serviceAccountWorkspacePermissionId}": {
+      "delete": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "serviceAccountId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "serviceAccountWorkspacePermissionId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
+    "/api/v2/service-accounts/{serviceAccountId}/keys": {
+      "get": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "serviceAccountId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "workspaceId",
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
         }
       }
     },
@@ -4149,6 +4504,297 @@
         }
       }
     },
+    "/api/v3/secrets/": {
+      "get": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "workspaceId",
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "environment",
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
+    "/api/v3/secrets/{secretName}": {
+      "post": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "secretName",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        },
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "type": "object",
+                "properties": {
+                  "workspaceId": {
+                    "example": "any"
+                  },
+                  "environment": {
+                    "example": "any"
+                  },
+                  "type": {
+                    "example": "any"
+                  },
+                  "secretKeyCiphertext": {
+                    "example": "any"
+                  },
+                  "secretKeyIV": {
+                    "example": "any"
+                  },
+                  "secretKeyTag": {
+                    "example": "any"
+                  },
+                  "secretValueCiphertext": {
+                    "example": "any"
+                  },
+                  "secretValueIV": {
+                    "example": "any"
+                  },
+                  "secretValueTag": {
+                    "example": "any"
+                  },
+                  "secretCommentCiphertext": {
+                    "example": "any"
+                  },
+                  "secretCommentIV": {
+                    "example": "any"
+                  },
+                  "secretCommentTag": {
+                    "example": "any"
+                  }
+                }
+              }
+            }
+          }
+        }
+      },
+      "get": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "secretName",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "workspaceId",
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "environment",
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "type",
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      },
+      "patch": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "secretName",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        },
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "type": "object",
+                "properties": {
+                  "workspaceId": {
+                    "example": "any"
+                  },
+                  "environment": {
+                    "example": "any"
+                  },
+                  "type": {
+                    "example": "any"
+                  },
+                  "secretValueCiphertext": {
+                    "example": "any"
+                  },
+                  "secretValueIV": {
+                    "example": "any"
+                  },
+                  "secretValueTag": {
+                    "example": "any"
+                  }
+                }
+              }
+            }
+          }
+        }
+      },
+      "delete": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "secretName",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        },
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "type": "object",
+                "properties": {
+                  "workspaceId": {
+                    "example": "any"
+                  },
+                  "environment": {
+                    "example": "any"
+                  },
+                  "type": {
+                    "example": "any"
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    },
+    "/api/v3/workspaces/{workspaceId}/secrets/blind-index-status": {
+      "get": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "workspaceId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
+    "/api/v3/workspaces/{workspaceId}/secrets": {
+      "get": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "workspaceId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
+    "/api/v3/workspaces/{workspaceId}/secrets/names": {
+      "post": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "workspaceId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        },
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "type": "object",
+                "properties": {
+                  "secretsToUpdate": {
+                    "example": "any"
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    },
     "/api/status": {
       "get": {
         "description": "",

backend/src/config/index.ts

@@ -1,64 +1,92 @@
-import infisical from 'infisical-node';
-export const getPort = () => infisical.get('PORT')! || 4000;
-export const getInviteOnlySignup = () => infisical.get('INVITE_ONLY_SIGNUP')! == undefined ? false : infisical.get('INVITE_ONLY_SIGNUP');
-export const getEncryptionKey = () => infisical.get('ENCRYPTION_KEY')!;
-export const getSaltRounds = () => parseInt(infisical.get('SALT_ROUNDS')!) || 10;
-export const getJwtAuthLifetime = () => infisical.get('JWT_AUTH_LIFETIME')! || '10d';
-export const getJwtAuthSecret = () => infisical.get('JWT_AUTH_SECRET')!;
-export const getJwtMfaLifetime = () => infisical.get('JWT_MFA_LIFETIME')! || '5m';
-export const getJwtMfaSecret = () => infisical.get('JWT_MFA_LIFETIME')! || '5m';
-export const getJwtRefreshLifetime = () => infisical.get('JWT_REFRESH_LIFETIME')! || '90d';
-export const getJwtRefreshSecret = () => infisical.get('JWT_REFRESH_SECRET')!;
-export const getJwtServiceSecret = () => infisical.get('JWT_SERVICE_SECRET')!;
-export const getJwtSignupLifetime = () => infisical.get('JWT_SIGNUP_LIFETIME')! || '15m';
-export const getJwtSignupSecret = () => infisical.get('JWT_SIGNUP_SECRET')!;
-export const getMongoURL = () => infisical.get('MONGO_URL')!;
-export const getNodeEnv = () => infisical.get('NODE_ENV')! || 'production';
-export const getVerboseErrorOutput = () => infisical.get('VERBOSE_ERROR_OUTPUT')! === 'true' && true;
-export const getLokiHost = () => infisical.get('LOKI_HOST')!;
-export const getClientIdAzure = () => infisical.get('CLIENT_ID_AZURE')!;
-export const getClientIdHeroku = () => infisical.get('CLIENT_ID_HEROKU')!;
-export const getClientIdVercel = () => infisical.get('CLIENT_ID_VERCEL')!;
-export const getClientIdNetlify = () => infisical.get('CLIENT_ID_NETLIFY')!;
-export const getClientIdGitHub = () => infisical.get('CLIENT_ID_GITHUB')!;
-export const getClientIdGitLab = () => infisical.get('CLIENT_ID_GITLAB')!;
-export const getClientSecretAzure = () => infisical.get('CLIENT_SECRET_AZURE')!;
-export const getClientSecretHeroku = () => infisical.get('CLIENT_SECRET_HEROKU')!;
-export const getClientSecretVercel = () => infisical.get('CLIENT_SECRET_VERCEL')!;
-export const getClientSecretNetlify = () => infisical.get('CLIENT_SECRET_NETLIFY')!;
-export const getClientSecretGitHub = () => infisical.get('CLIENT_SECRET_GITHUB')!;
-export const getClientSecretGitLab = () => infisical.get('CLIENT_SECRET_GITLAB')!;
-export const getClientSlugVercel = () => infisical.get('CLIENT_SLUG_VERCEL')!;
-export const getPostHogHost = () => infisical.get('POSTHOG_HOST')! || 'https://app.posthog.com';
-export const getPostHogProjectApiKey = () => infisical.get('POSTHOG_PROJECT_API_KEY')! || 'phc_nSin8j5q2zdhpFDI1ETmFNUIuTG4DwKVyIigrY10XiE';
-export const getSentryDSN = () => infisical.get('SENTRY_DSN')!;
-export const getSiteURL = () => infisical.get('SITE_URL')!;
-export const getSmtpHost = () => infisical.get('SMTP_HOST')!;
-export const getSmtpSecure = () => infisical.get('SMTP_SECURE')! === 'true' || false;
-export const getSmtpPort = () => parseInt(infisical.get('SMTP_PORT')!) || 587;
-export const getSmtpUsername = () => infisical.get('SMTP_USERNAME')!;
-export const getSmtpPassword = () => infisical.get('SMTP_PASSWORD')!;
-export const getSmtpFromAddress = () => infisical.get('SMTP_FROM_ADDRESS')!;
-export const getSmtpFromName = () => infisical.get('SMTP_FROM_NAME')! || 'Infisical';
-export const getStripeProductStarter = () => infisical.get('STRIPE_PRODUCT_STARTER')!;
-export const getStripeProductPro = () => infisical.get('STRIPE_PRODUCT_PRO')!;
-export const getStripeProductTeam = () => infisical.get('STRIPE_PRODUCT_TEAM')!;
-export const getStripePublishableKey = () => infisical.get('STRIPE_PUBLISHABLE_KEY')!;
-export const getStripeSecretKey = () => infisical.get('STRIPE_SECRET_KEY')!;
-export const getStripeWebhookSecret = () => infisical.get('STRIPE_WEBHOOK_SECRET')!;
-export const getTelemetryEnabled = () => infisical.get('TELEMETRY_ENABLED')! !== 'false' && true;
-export const getLoopsApiKey = () => infisical.get('LOOPS_API_KEY')!;
-export const getSmtpConfigured = () => infisical.get('SMTP_HOST') == '' || infisical.get('SMTP_HOST') == undefined ? false : true
-export const getHttpsEnabled = () => {
-  if (getNodeEnv() != "production") {
+import InfisicalClient from "infisical-node";
+
+export const client = new InfisicalClient({
+  token: process.env.INFISICAL_TOKEN!,
+});
+
+export const getPort = async () => (await client.getSecret("PORT")).secretValue || 4000;
+export const getEncryptionKey = async () => {
+  const secretValue = (await client.getSecret("ENCRYPTION_KEY")).secretValue;
+  return secretValue === "" ? undefined : secretValue;
+}
+export const getRootEncryptionKey = async () => {
+  const secretValue = (await client.getSecret("ROOT_ENCRYPTION_KEY")).secretValue;
+  return secretValue === "" ? undefined : secretValue;
+}
+export const getInviteOnlySignup = async () => (await client.getSecret("INVITE_ONLY_SIGNUP")).secretValue === "true"
+export const getSaltRounds = async () => parseInt((await client.getSecret("SALT_ROUNDS")).secretValue) || 10;
+export const getJwtAuthLifetime = async () => (await client.getSecret("JWT_AUTH_LIFETIME")).secretValue || "10d";
+export const getJwtAuthSecret = async () => (await client.getSecret("JWT_AUTH_SECRET")).secretValue;
+export const getJwtMfaLifetime = async () => (await client.getSecret("JWT_MFA_LIFETIME")).secretValue || "5m";
+export const getJwtMfaSecret = async () => (await client.getSecret("JWT_MFA_LIFETIME")).secretValue || "5m";
+export const getJwtRefreshLifetime = async () => (await client.getSecret("JWT_REFRESH_LIFETIME")).secretValue || "90d";
+export const getJwtRefreshSecret = async () => (await client.getSecret("JWT_REFRESH_SECRET")).secretValue;
+export const getJwtServiceSecret = async () => (await client.getSecret("JWT_SERVICE_SECRET")).secretValue;
+export const getJwtSignupLifetime = async () => (await client.getSecret("JWT_SIGNUP_LIFETIME")).secretValue || "15m";
+export const getJwtProviderAuthSecret = async () => (await client.getSecret("JWT_PROVIDER_AUTH_SECRET")).secretValue;
+export const getJwtProviderAuthLifetime = async () => (await client.getSecret("JWT_PROVIDER_AUTH_LIFETIME")).secretValue || "15m";
+export const getJwtSignupSecret = async () => (await client.getSecret("JWT_SIGNUP_SECRET")).secretValue;
+export const getMongoURL = async () => (await client.getSecret("MONGO_URL")).secretValue;
+export const getNodeEnv = async () => (await client.getSecret("NODE_ENV")).secretValue || "production";
+export const getVerboseErrorOutput = async () => (await client.getSecret("VERBOSE_ERROR_OUTPUT")).secretValue === "true" && true;
+export const getLokiHost = async () => (await client.getSecret("LOKI_HOST")).secretValue;
+export const getClientIdAzure = async () => (await client.getSecret("CLIENT_ID_AZURE")).secretValue;
+export const getClientIdHeroku = async () => (await client.getSecret("CLIENT_ID_HEROKU")).secretValue;
+export const getClientIdVercel = async () => (await client.getSecret("CLIENT_ID_VERCEL")).secretValue;
+export const getClientIdNetlify = async () => (await client.getSecret("CLIENT_ID_NETLIFY")).secretValue;
+export const getClientIdGitHub = async () => (await client.getSecret("CLIENT_ID_GITHUB")).secretValue;
+export const getClientIdGitLab = async () => (await client.getSecret("CLIENT_ID_GITLAB")).secretValue;
+export const getClientIdGoogle = async () => (await client.getSecret("CLIENT_ID_GOOGLE")).secretValue;
+export const getClientIdBitBucket = async () => (await client.getSecret("CLIENT_ID_BITBUCKET")).secretValue;
+export const getClientSecretAzure = async () => (await client.getSecret("CLIENT_SECRET_AZURE")).secretValue;
+export const getClientSecretHeroku = async () => (await client.getSecret("CLIENT_SECRET_HEROKU")).secretValue;
+export const getClientSecretVercel = async () => (await client.getSecret("CLIENT_SECRET_VERCEL")).secretValue;
+export const getClientSecretNetlify = async () => (await client.getSecret("CLIENT_SECRET_NETLIFY")).secretValue;
+export const getClientSecretGitHub = async () => (await client.getSecret("CLIENT_SECRET_GITHUB")).secretValue;
+export const getClientSecretGitLab = async () => (await client.getSecret("CLIENT_SECRET_GITLAB")).secretValue;
+export const getClientSecretGoogle = async () => (await client.getSecret("CLIENT_SECRET_GOOGLE")).secretValue;
+export const getClientSecretBitBucket = async () => (await client.getSecret("CLIENT_SECRET_BITBUCKET")).secretValue;
+export const getClientSlugVercel = async () => (await client.getSecret("CLIENT_SLUG_VERCEL")).secretValue;
+export const getPostHogHost = async () => (await client.getSecret("POSTHOG_HOST")).secretValue || "https://app.posthog.com";
+export const getPostHogProjectApiKey = async () => (await client.getSecret("POSTHOG_PROJECT_API_KEY")).secretValue || "phc_nSin8j5q2zdhpFDI1ETmFNUIuTG4DwKVyIigrY10XiE";
+export const getSentryDSN = async () => (await client.getSecret("SENTRY_DSN")).secretValue;
+export const getSiteURL = async () => (await client.getSecret("SITE_URL")).secretValue;
+export const getSmtpHost = async () => (await client.getSecret("SMTP_HOST")).secretValue;
+export const getSmtpSecure = async () => (await client.getSecret("SMTP_SECURE")).secretValue === "true" || false;
+export const getSmtpPort = async () => parseInt((await client.getSecret("SMTP_PORT")).secretValue) || 587;
+export const getSmtpUsername = async () => (await client.getSecret("SMTP_USERNAME")).secretValue;
+export const getSmtpPassword = async () => (await client.getSecret("SMTP_PASSWORD")).secretValue;
+export const getSmtpFromAddress = async () => (await client.getSecret("SMTP_FROM_ADDRESS")).secretValue;
+export const getSmtpFromName = async () => (await client.getSecret("SMTP_FROM_NAME")).secretValue || "Infisical";
+
+export const getSecretScanningWebhookProxy = async () => (await client.getSecret("SECRET_SCANNING_WEBHOOK_PROXY")).secretValue;
+export const getSecretScanningWebhookSecret = async () => (await client.getSecret("SECRET_SCANNING_WEBHOOK_SECRET")).secretValue;
+export const getSecretScanningGitAppId = async () => (await client.getSecret("SECRET_SCANNING_GIT_APP_ID")).secretValue;
+export const getSecretScanningPrivateKey = async () => (await client.getSecret("SECRET_SCANNING_PRIVATE_KEY")).secretValue;
+
+export const getLicenseKey = async () => {
+  const secretValue = (await client.getSecret("LICENSE_KEY")).secretValue;
+  return secretValue === "" ? undefined : secretValue;
+}
+export const getLicenseServerKey = async () => {
+  const secretValue = (await client.getSecret("LICENSE_SERVER_KEY")).secretValue;
+  return secretValue === "" ? undefined : secretValue;
+}
+export const getLicenseServerUrl = async () => (await client.getSecret("LICENSE_SERVER_URL")).secretValue || "https://portal.infisical.com";
+
+export const getTelemetryEnabled = async () => (await client.getSecret("TELEMETRY_ENABLED")).secretValue !== "false" && true;
+export const getLoopsApiKey = async () => (await client.getSecret("LOOPS_API_KEY")).secretValue;
+export const getSmtpConfigured = async () => (await client.getSecret("SMTP_HOST")).secretValue == "" || (await client.getSecret("SMTP_HOST")).secretValue == undefined ? false : true
+export const getHttpsEnabled = async () => {
+  if ((await getNodeEnv()) != "production") {
     // no https for anything other than prod
     return false
   }
 
-  if (infisical.get('HTTPS_ENABLED') == undefined || infisical.get('HTTPS_ENABLED') == "") {
+  if ((await client.getSecret("HTTPS_ENABLED")).secretValue == undefined || (await client.getSecret("HTTPS_ENABLED")).secretValue == "") {
     // default when no value present
     return true
   }
 
-  return infisical.get('HTTPS_ENABLED') === 'true' && true
+  return (await client.getSecret("HTTPS_ENABLED")).secretValue === "true" && true
 }

backend/src/config/request.ts

@@ -1,10 +1,24 @@
-import axios from 'axios';
-import axiosRetry from 'axios-retry';
+import axios from "axios";
+import axiosRetry from "axios-retry";
+import {
+  getLicenseKeyAuthToken,
+  getLicenseServerKeyAuthToken,
+  setLicenseKeyAuthToken,
+  setLicenseServerKeyAuthToken,
+} from "./storage";
+import {
+  getLicenseKey,
+  getLicenseServerKey, 
+  getLicenseServerUrl,
+} from "./index";
 
-const axiosInstance = axios.create();
+// should have JWT to interact with the license server
+export const licenseServerKeyRequest = axios.create();
+export const licenseKeyRequest = axios.create();
+export const standardRequest = axios.create();
 
 // add retry functionality to the axios instance
-axiosRetry(axiosInstance, {
+axiosRetry(standardRequest, {
   retries: 3,
   retryDelay: axiosRetry.exponentialDelay, // exponential back-off delay between retries
   retryCondition: (error) => {
@@ -13,4 +27,98 @@ axiosRetry(axiosInstance, {
   },
 });
 
-export default axiosInstance;
+export const refreshLicenseServerKeyToken = async () => {
+  const licenseServerKey = await getLicenseServerKey();
+  const licenseServerUrl = await getLicenseServerUrl();
+
+  const { data: { token } } = await standardRequest.post(
+    `${licenseServerUrl}/api/auth/v1/license-server-login`, {},
+    {
+      headers: {
+        "X-API-KEY": licenseServerKey,
+      },
+    }
+  );
+
+  setLicenseServerKeyAuthToken(token);
+
+  return token;
+}
+
+export const refreshLicenseKeyToken = async () => {
+  const licenseKey = await getLicenseKey();
+  const licenseServerUrl = await getLicenseServerUrl();
+
+  const { data: { token } } = await standardRequest.post(
+    `${licenseServerUrl}/api/auth/v1/license-login`, {},
+    {
+      headers: {
+        "X-API-KEY": licenseKey,
+      },
+    }
+  );
+
+  setLicenseKeyAuthToken(token);
+
+  return token;
+}
+
+licenseServerKeyRequest.interceptors.request.use((config) => {
+  const token = getLicenseServerKeyAuthToken();
+
+  if (token && config.headers) {
+      // eslint-disable-next-line no-param-reassign
+      config.headers.Authorization = `Bearer ${token}`;
+  }
+  return config;
+}, (err) => {
+  return Promise.reject(err);
+});
+
+licenseServerKeyRequest.interceptors.response.use((response) => {
+  return response
+}, async function (err) {
+  const originalRequest = err.config;
+  
+  if (err.response.status === 401 && !originalRequest._retry) {
+    originalRequest._retry = true;
+    
+    // refresh
+    const token = await refreshLicenseServerKeyToken();            
+    
+    axios.defaults.headers.common["Authorization"] = "Bearer " + token;
+    return licenseServerKeyRequest(originalRequest);
+  }
+
+  return Promise.reject(err);
+});
+
+licenseKeyRequest.interceptors.request.use((config) => {
+  const token = getLicenseKeyAuthToken();
+
+  if (token && config.headers) {
+      // eslint-disable-next-line no-param-reassign
+      config.headers.Authorization = `Bearer ${token}`;
+  }
+  return config;
+}, (err) => {
+  return Promise.reject(err);
+});
+
+licenseKeyRequest.interceptors.response.use((response) => {
+  return response
+}, async function (err) {
+  const originalRequest = err.config;
+  
+  if (err.response.status === 401 && !originalRequest._retry) {
+    originalRequest._retry = true;
+    
+    // refresh
+    const token = await refreshLicenseKeyToken();            
+    
+    axios.defaults.headers.common["Authorization"] = "Bearer " + token;
+    return licenseKeyRequest(originalRequest);
+  }
+
+  return Promise.reject(err);
+});

backend/src/config/storage.ts

@@ -0,0 +1,30 @@
+const MemoryLicenseServerKeyTokenStorage = () => {
+    let authToken: string;
+  
+    return {
+      setToken: (token: string) => {
+        authToken = token;
+      },
+      getToken: () => authToken,
+    };
+};
+
+const MemoryLicenseKeyTokenStorage = () => {
+    let authToken: string;
+  
+    return {
+      setToken: (token: string) => {
+        authToken = token;
+      },
+      getToken: () => authToken,
+    };
+};
+
+const licenseServerTokenStorage = MemoryLicenseServerKeyTokenStorage();
+const licenseTokenStorage = MemoryLicenseKeyTokenStorage();
+
+export const getLicenseServerKeyAuthToken = licenseServerTokenStorage.getToken;
+export const setLicenseServerKeyAuthToken = licenseServerTokenStorage.setToken;
+
+export const getLicenseKeyAuthToken = licenseTokenStorage.getToken;
+export const setLicenseKeyAuthToken = licenseTokenStorage.setToken;

backend/src/controllers/v1/authController.ts

@@ -1,29 +1,39 @@
-import * as Sentry from '@sentry/node';
-import { Request, Response } from 'express';
-import jwt from 'jsonwebtoken';
-import * as bigintConversion from 'bigint-conversion';
+import { Request, Response } from "express";
+import fs from "fs";
+import path from "path";
+import jwt from "jsonwebtoken";
+import * as bigintConversion from "bigint-conversion";
 // eslint-disable-next-line @typescript-eslint/no-var-requires
-const jsrp = require('jsrp');
-import { User, LoginSRPDetail } from '../../models';
-import { createToken, issueAuthTokens, clearTokens } from '../../helpers/auth';
-import { checkUserDevice } from '../../helpers/user';
+const jsrp = require("jsrp");
+import { 
+  LoginSRPDetail, 
+  TokenVersion,
+  User,
+} from "../../models";
+import { clearTokens, createToken, issueAuthTokens } from "../../helpers/auth";
+import { checkUserDevice } from "../../helpers/user";
 import {
   ACTION_LOGIN,
-  ACTION_LOGOUT
-} from '../../variables';
-import { BadRequestError } from '../../utils/errors';
-import { EELogService } from '../../ee/services';
-import { getChannelFromUserAgent } from '../../utils/posthog'; // TODO: move this
+  ACTION_LOGOUT,
+  AUTH_MODE_JWT,
+} from "../../variables";
 import { 
-  getJwtRefreshSecret,
+  BadRequestError,
+  UnauthorizedRequestError,
+} from "../../utils/errors";
+import { EELogService } from "../../ee/services";
+import { getChannelFromUserAgent } from "../../utils/posthog";
+import {
+  getHttpsEnabled,
   getJwtAuthLifetime,
   getJwtAuthSecret,
-  getHttpsEnabled
-} from '../../config';
+  getJwtRefreshSecret,
+} from "../../config";
 
-declare module 'jsonwebtoken' {
+declare module "jsonwebtoken" {
   export interface UserIDJwtPayload extends jwt.JwtPayload {
     userId: string;
+    refreshVersion?: number;
   }
 }
 
@@ -34,23 +44,22 @@ declare module 'jsonwebtoken' {
  * @returns
  */
 export const login1 = async (req: Request, res: Response) => {
-  try {
   const {
     email,
-      clientPublicKey
+    clientPublicKey,
   }: { email: string; clientPublicKey: string } = req.body;
 
   const user = await User.findOne({
-      email
-    }).select('+salt +verifier');
+    email,
+  }).select("+salt +verifier");
 
-    if (!user) throw new Error('Failed to find user');
+  if (!user) throw new Error("Failed to find user");
 
   const server = new jsrp.server();
   server.init(
     {
       salt: user.salt,
-        verifier: user.verifier
+      verifier: user.verifier,
     },
     async () => {
       // generate server-side public key
@@ -64,17 +73,10 @@ export const login1 = async (req: Request, res: Response) => {
 
       return res.status(200).send({
         serverPublicKey,
-          salt: user.salt
+        salt: user.salt,
       });
     }
   );
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to start authentication process'
-    });
-  }
 };
 
 /**
@@ -85,13 +87,12 @@ export const login1 = async (req: Request, res: Response) => {
  * @returns
  */
 export const login2 = async (req: Request, res: Response) => {
-  try {
   const { email, clientProof } = req.body;
   const user = await User.findOne({
-      email
-    }).select('+salt +verifier +publicKey +encryptedPrivateKey +iv +tag');
+    email,
+  }).select("+salt +verifier +publicKey +encryptedPrivateKey +iv +tag");
 
-    if (!user) throw new Error('Failed to find user');
+  if (!user) throw new Error("Failed to find user");
 
   const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: email })
 
@@ -104,7 +105,7 @@ export const login2 = async (req: Request, res: Response) => {
     {
       salt: user.salt,
       verifier: user.verifier,
-        b: loginSRPDetailFromDB.serverBInt
+      b: loginSRPDetailFromDB.serverBInt,
     },
     async () => {
       server.setClientPublicKey(loginSRPDetailFromDB.clientPublicKey);
@@ -115,30 +116,34 @@ export const login2 = async (req: Request, res: Response) => {
 
         await checkUserDevice({
           user,
-            ip: req.ip,
-            userAgent: req.headers['user-agent'] ?? ''
+          ip: req.realIP,
+          userAgent: req.headers["user-agent"] ?? "",
         });
 
-          const tokens = await issueAuthTokens({ userId: user._id.toString() });
+        const tokens = await issueAuthTokens({ 
+          userId: user._id,
+          ip: req.realIP,
+          userAgent: req.headers["user-agent"] ?? "",
+        });
 
         // store (refresh) token in httpOnly cookie
-          res.cookie('jid', tokens.refreshToken, {
+        res.cookie("jid", tokens.refreshToken, {
           httpOnly: true,
-            path: '/',
-            sameSite: 'strict',
-            secure: getHttpsEnabled()
+          path: "/",
+          sameSite: "strict",
+          secure: await getHttpsEnabled(),
         });
 
         const loginAction = await EELogService.createAction({
           name: ACTION_LOGIN,
-            userId: user._id
+          userId: user._id,
         });
 
         loginAction && await EELogService.createLog({
           userId: user._id,
           actions: [loginAction],
-            channel: getChannelFromUserAgent(req.headers['user-agent']),
-            ipAddress: req.ip
+          channel: getChannelFromUserAgent(req.headers["user-agent"]),
+          ipAddress: req.realIP,
         });
 
         // return (access) token in response
@@ -147,22 +152,15 @@ export const login2 = async (req: Request, res: Response) => {
           publicKey: user.publicKey,
           encryptedPrivateKey: user.encryptedPrivateKey,
           iv: user.iv,
-            tag: user.tag
+          tag: user.tag,
         });
       }
 
       return res.status(400).send({
-          message: 'Failed to authenticate. Try again?'
+        message: "Failed to authenticate. Try again?",
       });
     }
   );
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to authenticate. Try again?'
-    });
-  }
 };
 
 /**
@@ -172,44 +170,59 @@ export const login2 = async (req: Request, res: Response) => {
  * @returns
  */
 export const logout = async (req: Request, res: Response) => {
-  try {
-    await clearTokens({
-      userId: req.user._id.toString()
-    });
+  if (req.authData.authMode === AUTH_MODE_JWT && req.authData.authPayload instanceof User && req.authData.tokenVersionId) {
+    await clearTokens(req.authData.tokenVersionId)
+  }
 
   // clear httpOnly cookie
-    res.cookie('jid', '', {
+  res.cookie("jid", "", {
     httpOnly: true,
-      path: '/',
-      sameSite: 'strict',
-      secure: getHttpsEnabled() as boolean
+    path: "/",
+    sameSite: "strict",
+    secure: (await getHttpsEnabled()) as boolean,
   });
 
   const logoutAction = await EELogService.createAction({
     name: ACTION_LOGOUT,
-      userId: req.user._id
+    userId: req.user._id,
   });
 
   logoutAction && await EELogService.createLog({
     userId: req.user._id,
     actions: [logoutAction],
-      channel: getChannelFromUserAgent(req.headers['user-agent']),
-      ipAddress: req.ip
+    channel: getChannelFromUserAgent(req.headers["user-agent"]),
+    ipAddress: req.realIP,
   });
 
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to logout'
-    });
-  }
-
   return res.status(200).send({
-    message: 'Successfully logged out.'
+    message: "Successfully logged out.",
   });
 };
 
+export const getCommonPasswords = async (req: Request, res: Response) => {
+  const commonPasswords = fs.readFileSync(
+		path.resolve(__dirname, "../../data/" + "common_passwords.txt"),
+		"utf8"
+	).split("\n");	
+
+  return res.status(200).send(commonPasswords);
+}
+
+export const revokeAllSessions = async (req: Request, res: Response) => {
+  await TokenVersion.updateMany({
+    user: req.user._id,
+  }, {
+    $inc: {
+      refreshVersion: 1,
+      accessVersion: 1,
+    },
+  });
+
+  return res.status(200).send({
+    message: "Successfully revoked all sessions.",
+  }); 
+}
+
 /**
  * Return user is authenticated
  * @param req
@@ -218,52 +231,60 @@ export const logout = async (req: Request, res: Response) => {
  */
 export const checkAuth = async (req: Request, res: Response) => {
   return res.status(200).send({
-    message: 'Authenticated'
+    message: "Authenticated",
   });
 }
 
 /**
- * Return new token by redeeming refresh token
+ * Return new JWT access token by first validating the refresh token
  * @param req
  * @param res
  * @returns
  */
 export const getNewToken = async (req: Request, res: Response) => {
-  try {
   const refreshToken = req.cookies.jid;
 
-    if (!refreshToken) {
-      throw new Error('Failed to find token in request cookies');
-    }
+  if (!refreshToken) throw BadRequestError({
+    message: "Failed to find refresh token in request cookies"
+  });
 
   const decodedToken = <jwt.UserIDJwtPayload>(
-      jwt.verify(refreshToken, getJwtRefreshSecret())
+    jwt.verify(refreshToken, await getJwtRefreshSecret())
   );
 
   const user = await User.findOne({
-      _id: decodedToken.userId
-    }).select('+publicKey');
+    _id: decodedToken.userId,
+  }).select("+publicKey +refreshVersion +accessVersion");
 
-    if (!user) throw new Error('Failed to authenticate unfound user');
+  if (!user) throw new Error("Failed to authenticate unfound user");
   if (!user?.publicKey)
-      throw new Error('Failed to authenticate not fully set up account');
+    throw new Error("Failed to authenticate not fully set up account");
+  
+  const tokenVersion = await TokenVersion.findById(decodedToken.tokenVersionId);
+
+  if (!tokenVersion) throw UnauthorizedRequestError({
+    message: "Failed to validate refresh token",
+  });
+
+  if (decodedToken.refreshVersion !== tokenVersion.refreshVersion) throw BadRequestError({
+    message: "Failed to validate refresh token",
+  });
 
   const token = createToken({
     payload: {
-        userId: decodedToken.userId
+      userId: decodedToken.userId,
+      tokenVersionId: tokenVersion._id.toString(),
+      accessVersion: tokenVersion.refreshVersion,
     },
-      expiresIn: getJwtAuthLifetime(),
-      secret: getJwtAuthSecret()
+    expiresIn: await getJwtAuthLifetime(),
+    secret: await getJwtAuthSecret(),
   });
 
   return res.status(200).send({
-      token
+    token,
   });
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Invalid request'
-    });
-  }
 };
+
+export const handleAuthProviderCallback = (req: Request, res: Response) => {
+  res.redirect(`/login/provider/success?token=${encodeURIComponent(req.providerAuthToken)}`);
+}

backend/src/controllers/v1/botController.ts

@@ -1,7 +1,7 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { Bot, BotKey } from '../../models';
-import { createBot } from '../../helpers/bot';
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { Bot, BotKey } from "../../models";
+import { createBot } from "../../helpers/bot";
 
 interface BotKey {
     encryptedKey: string;
@@ -16,32 +16,23 @@ interface BotKey {
  * @returns
  */
 export const getBotByWorkspaceId = async (req: Request, res: Response) => {
-    let bot;
-	try {
   const { workspaceId } = req.params;
 
-        bot = await Bot.findOne({
-            workspace: workspaceId
+  let bot = await Bot.findOne({
+      workspace: workspaceId,
   });
   
   if (!bot) {
       // case: bot doesn't exist for workspace with id [workspaceId]
       // -> create a new bot and return it
       bot = await createBot({
-                name: 'Infisical Bot',
-                workspaceId
-            });
-        }
-	} catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-        return res.status(400).send({
-			message: 'Failed to get bot for workspace'
+          name: "Infisical Bot",
+          workspaceId: new Types.ObjectId(workspaceId),
       });
   }
     
   return res.status(200).send({
-        bot
+      bot,
   });
 };
 
@@ -52,56 +43,46 @@ export const getBotByWorkspaceId = async (req: Request, res: Response) => {
  * @returns
  */
 export const setBotActiveState = async (req: Request, res: Response) => {
-    let bot;
-	try {
     const { isActive, botKey }: { isActive: boolean, botKey: BotKey } = req.body;
     
     if (isActive) {
         // bot state set to active -> share workspace key with bot
         if (!botKey?.encryptedKey || !botKey?.nonce) {
             return res.status(400).send({
-                    message: 'Failed to set bot state to active - missing bot key'
+                message: "Failed to set bot state to active - missing bot key",
             });
         }
         
         await BotKey.findOneAndUpdate({
-                workspace: req.bot.workspace
+            workspace: req.bot.workspace,
         }, {
             encryptedKey: botKey.encryptedKey,
             nonce: botKey.nonce,
             sender: req.user._id,
             bot: req.bot._id,
-                workspace: req.bot.workspace
+            workspace: req.bot.workspace,
         }, {
             upsert: true,
-                new: true
+            new: true,
         });
     } else {
         // case: bot state set to inactive -> delete bot's workspace key
         await BotKey.deleteOne({
-                bot: req.bot._id
+            bot: req.bot._id,
         });
     }
 
-        bot = await Bot.findOneAndUpdate({
-            _id: req.bot._id
+    const bot = await Bot.findOneAndUpdate({
+        _id: req.bot._id,
     }, {
-            isActive
+        isActive,
     }, {
-            new: true
+        new: true,
     });
     
-        if (!bot) throw new Error('Failed to update bot active state');
-        
-	} catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-        return res.status(400).send({
-			message: 'Failed to update bot active state'
-		});
-	}
+    if (!bot) throw new Error("Failed to update bot active state");
     
     return res.status(200).send({
-        bot
+        bot,
     });
 };

backend/src/controllers/v1/index.ts

@@ -1,19 +1,21 @@
-import * as authController from './authController';
-import * as botController from './botController';
-import * as integrationAuthController from './integrationAuthController';
-import * as integrationController from './integrationController';
-import * as keyController from './keyController';
-import * as membershipController from './membershipController';
-import * as membershipOrgController from './membershipOrgController';
-import * as organizationController from './organizationController';
-import * as passwordController from './passwordController';
-import * as secretController from './secretController';
-import * as serviceTokenController from './serviceTokenController';
-import * as signupController from './signupController';
-import * as stripeController from './stripeController';
-import * as userActionController from './userActionController';
-import * as userController from './userController';
-import * as workspaceController from './workspaceController';
+import * as authController from "./authController";
+import * as botController from "./botController";
+import * as integrationAuthController from "./integrationAuthController";
+import * as integrationController from "./integrationController";
+import * as keyController from "./keyController";
+import * as membershipController from "./membershipController";
+import * as membershipOrgController from "./membershipOrgController";
+import * as organizationController from "./organizationController";
+import * as passwordController from "./passwordController";
+import * as secretController from "./secretController";
+import * as serviceTokenController from "./serviceTokenController";
+import * as signupController from "./signupController";
+import * as userActionController from "./userActionController";
+import * as userController from "./userController";
+import * as workspaceController from "./workspaceController";
+import * as secretScanningController from "./secretScanningController";
+import * as webhookController from "./webhookController";
+import * as secretImportController from "./secretImportController";
 
 export {
   authController,
@@ -28,8 +30,10 @@ export {
   secretController,
   serviceTokenController,
   signupController,
-	stripeController,
   userActionController,
   userController,
-	workspaceController
+  workspaceController,
+  secretScanningController,
+  webhookController,
+  secretImportController
 };

backend/src/controllers/v1/integrationAuthController.ts

@@ -1,53 +1,41 @@
-import { Request, Response } from 'express';
-import { Types } from 'mongoose';
-import * as Sentry from '@sentry/node';
-import {
-	IntegrationAuth,
-	Bot 
-} from '../../models';
-import { INTEGRATION_SET, getIntegrationOptions as getIntegrationOptionsFunc } from '../../variables';
-import { IntegrationService } from '../../services';
-import {
-	getApps, 
-	getTeams,
-	revokeAccess 
-} from '../../integrations';
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { standardRequest } from "../../config/request";
+import { getApps, getTeams, revokeAccess } from "../../integrations";
+import { Bot, IntegrationAuth } from "../../models";
+import { IntegrationService } from "../../services";
 import {
+  ALGORITHM_AES_256_GCM,
+  ENCODING_SCHEME_UTF8,
+  INTEGRATION_BITBUCKET_API_URL,
+  INTEGRATION_RAILWAY_API_URL,
+  INTEGRATION_SET,
   INTEGRATION_VERCEL_API_URL,
-	INTEGRATION_RAILWAY_API_URL
-} from '../../variables';
-import request from '../../config/request';
+  getIntegrationOptions as getIntegrationOptionsFunc
+} from "../../variables";
 
 /***
  * Return integration authorization with id [integrationAuthId]
  */
 export const getIntegrationAuth = async (req: Request, res: Response) => {
-	let integrationAuth;
-	try {
   const { integrationAuthId } = req.params;
-		integrationAuth = await IntegrationAuth.findById(integrationAuthId);
+  const integrationAuth = await IntegrationAuth.findById(integrationAuthId);
 
-		if (!integrationAuth) return res.status(400).send({
-			message: 'Failed to find integration authorization'
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
+  if (!integrationAuth)
     return res.status(400).send({
-			message: 'Failed to get integration authorization'
+      message: "Failed to find integration authorization"
     });
-	}
 
   return res.status(200).send({
     integrationAuth
   });
-}
+};
 
 export const getIntegrationOptions = async (req: Request, res: Response) => {
-	const INTEGRATION_OPTIONS = getIntegrationOptionsFunc();
+  const INTEGRATION_OPTIONS = await getIntegrationOptionsFunc();
 
   return res.status(200).send({
-		integrationOptions: INTEGRATION_OPTIONS,
+    integrationOptions: INTEGRATION_OPTIONS
   });
 };
 
@@ -57,37 +45,25 @@ export const getIntegrationOptions = async (req: Request, res: Response) => {
  * @param res
  * @returns
  */
-export const oAuthExchange = async (
-	req: Request,
-	res: Response
-) => {
-	try {
+export const oAuthExchange = async (req: Request, res: Response) => {
   const { workspaceId, code, integration } = req.body;
-		if (!INTEGRATION_SET.has(integration))
-			throw new Error('Failed to validate integration');
+  if (!INTEGRATION_SET.has(integration)) throw new Error("Failed to validate integration");
 
   const environments = req.membership.workspace?.environments || [];
-		if(environments.length === 0){
-			throw new Error("Failed to get environments")
+  if (environments.length === 0) {
+    throw new Error("Failed to get environments");
   }
 
   const integrationAuth = await IntegrationService.handleOAuthExchange({
     workspaceId,
     integration,
     code,
-			environment: environments[0].slug,
+    environment: environments[0].slug
   });
 
   return res.status(200).send({
     integrationAuth
   });
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get OAuth2 code-token exchange'
-		});
-	}
 };
 
 /**
@@ -96,24 +72,24 @@ export const oAuthExchange = async (
  * @param req
  * @param res
  */
-export const saveIntegrationAccessToken = async (
-  req: Request,
-  res: Response
-) => {
+export const saveIntegrationAccessToken = async (req: Request, res: Response) => {
   // TODO: refactor
   // TODO: check if access token is valid for each integration
 
   let integrationAuth;
-	try {
   const {
     workspaceId,
     accessId,
     accessToken,
+    url,
+    namespace,
     integration
   }: {
     workspaceId: string;
     accessId: string | null;
     accessToken: string;
+    url: string;
+    namespace: string;
     integration: string;
   } = req.body;
 
@@ -122,18 +98,26 @@ export const saveIntegrationAccessToken = async (
     isActive: true
   });
 
-        if (!bot) throw new Error('Bot must be enabled to save integration access token');
+  if (!bot) throw new Error("Bot must be enabled to save integration access token");
 
-		integrationAuth = await IntegrationAuth.findOneAndUpdate({
+  integrationAuth = await IntegrationAuth.findOneAndUpdate(
+    {
       workspace: new Types.ObjectId(workspaceId),
       integration
-        }, {
+    },
+    {
       workspace: new Types.ObjectId(workspaceId),
-            integration
-		}, {
+      integration,
+      url,
+      namespace,
+      algorithm: ALGORITHM_AES_256_GCM,
+      keyEncoding: ENCODING_SCHEME_UTF8
+    },
+    {
       new: true,
       upsert: true
-        });
+    }
+  );
 
   // encrypt and save integration access details
   integrationAuth = await IntegrationService.setIntegrationAuthAccess({
@@ -143,19 +127,12 @@ export const saveIntegrationAccessToken = async (
     accessExpiresAt: undefined
   });
 
-		if (!integrationAuth) throw new Error('Failed to save integration access token');
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to save access token for integration'
-		});
-	}
+  if (!integrationAuth) throw new Error("Failed to save integration access token");
 
   return res.status(200).send({
     integrationAuth
   });
-}
+};
 
 /**
  * Return list of applications allowed for integration with integration authorization id [integrationAuthId]
@@ -164,22 +141,16 @@ export const saveIntegrationAccessToken = async (
  * @returns
  */
 export const getIntegrationAuthApps = async (req: Request, res: Response) => {
-	let apps;
-	try {
   const teamId = req.query.teamId as string;
+  const workspaceSlug = req.query.workspaceSlug as string;
 
-		apps = await getApps({
+  const apps = await getApps({
     integrationAuth: req.integrationAuth,
     accessToken: req.accessToken,
-			...teamId && { teamId }
+    accessId: req.accessId,
+    ...(teamId && { teamId }),
+    ...(workspaceSlug && { workspaceSlug })
   });
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: "Failed to get integration authorization applications",
-		});
-	}
 
   return res.status(200).send({
     apps
@@ -201,7 +172,7 @@ export const getIntegrationAuthTeams = async (req: Request, res: Response) => {
   return res.status(200).send({
     teams
   });
-}
+};
 
 /**
  * Return list of available Vercel (preview) branches for Vercel project with
@@ -210,7 +181,6 @@ export const getIntegrationAuthTeams = async (req: Request, res: Response) => {
  * @param res
  */
 export const getIntegrationAuthVercelBranches = async (req: Request, res: Response) => {
-	const { integrationAuthId } = req.params;
   const appId = req.query.appId as string;
 
   interface VercelBranch {
@@ -221,21 +191,23 @@ export const getIntegrationAuthVercelBranches = async (req: Request, res: Respon
 
   const params = new URLSearchParams({
     projectId: appId,
-		...(req.integrationAuth.teamId ? {
+    ...(req.integrationAuth.teamId
+      ? {
           teamId: req.integrationAuth.teamId
-		} : {})
+        }
+      : {})
   });
 
   let branches: string[] = [];
 
-	if (appId && appId !== '') {
-		const { data }: { data: VercelBranch[] } = await request.get(
+  if (appId && appId !== "") {
+    const { data }: { data: VercelBranch[] } = await standardRequest.get(
       `${INTEGRATION_VERCEL_API_URL}/v1/integrations/git-branches`,
       {
         params,
         headers: {
           Authorization: `Bearer ${req.accessToken}`,
-					'Accept-Encoding': 'application/json'
+          "Accept-Encoding": "application/json"
         }
       }
     );
@@ -246,7 +218,7 @@ export const getIntegrationAuthVercelBranches = async (req: Request, res: Respon
   return res.status(200).send({
     branches
   });
-}
+};
 
 /**
  * Return list of Railway environments for Railway project with
@@ -255,7 +227,6 @@ export const getIntegrationAuthVercelBranches = async (req: Request, res: Respon
  * @param res
  */
 export const getIntegrationAuthRailwayEnvironments = async (req: Request, res: Response) => {
-	const { integrationAuthId } = req.params;
   const appId = req.query.appId as string;
 
   interface RailwayEnvironment {
@@ -263,7 +234,7 @@ export const getIntegrationAuthRailwayEnvironments = async (req: Request, res: R
       id: string;
       name: string;
       isEphemeral: boolean;
-		}
+    };
   }
 
   interface Environment {
@@ -273,7 +244,7 @@ export const getIntegrationAuthRailwayEnvironments = async (req: Request, res: R
 
   let environments: Environment[] = [];
 
-	if (appId && appId !== '') {
+  if (appId && appId !== "") {
     const query = `
 			query GetEnvironments($projectId: String!, $after: String, $before: String, $first: Int, $isEphemeral: Boolean, $last: Int) {
 				environments(projectId: $projectId, after: $after, before: $before, first: $first, isEphemeral: $isEphemeral, last: $last) {
@@ -290,30 +261,40 @@ export const getIntegrationAuthRailwayEnvironments = async (req: Request, res: R
 
     const variables = {
       projectId: appId
-		}
+    };
 
-		const { data: { data: { environments: { edges } } } } = await request.post(INTEGRATION_RAILWAY_API_URL, {
+    const {
+      data: {
+        data: {
+          environments: { edges }
+        }
+      }
+    } = await standardRequest.post(
+      INTEGRATION_RAILWAY_API_URL,
+      {
         query,
-			variables,
-		}, {
-			headers: {
-				'Authorization': `Bearer ${req.accessToken}`,
-				'Content-Type': 'application/json',
+        variables
       },
-		});
+      {
+        headers: {
+          Authorization: `Bearer ${req.accessToken}`,
+          "Content-Type": "application/json"
+        }
+      }
+    );
 
     environments = edges.map((e: RailwayEnvironment) => {
-			return ({
+      return {
         name: e.node.name,
         environmentId: e.node.id
-			});
+      };
     });
   }
 
   return res.status(200).send({
     environments
   });
-}
+};
 
 /**
  * Return list of Railway services for Railway project with id
@@ -322,14 +303,13 @@ export const getIntegrationAuthRailwayEnvironments = async (req: Request, res: R
  * @param res
  */
 export const getIntegrationAuthRailwayServices = async (req: Request, res: Response) => {
-	const { integrationAuthId } = req.params;
   const appId = req.query.appId as string;
 
   interface RailwayService {
     node: {
       id: string;
       name: string;
-		}
+    };
   }
 
   interface Service {
@@ -367,20 +347,32 @@ export const getIntegrationAuthRailwayServices = async (req: Request, res: Respo
       }
     `;
 
-	if (appId && appId !== '') {
+  if (appId && appId !== "") {
     const variables = {
       id: appId
-		}
+    };
 
-		const { data: { data: { project: { services: { edges } } } } } = await request.post(INTEGRATION_RAILWAY_API_URL, {
+    const {
+      data: {
+        data: {
+          project: {
+            services: { edges }
+          }
+        }
+      }
+    } = await standardRequest.post(
+      INTEGRATION_RAILWAY_API_URL,
+      {
         query,
         variables
-		}, {
-			headers: {
-				'Authorization': `Bearer ${req.accessToken}`,
-				'Content-Type': 'application/json',
       },
-		});
+      {
+        headers: {
+          Authorization: `Bearer ${req.accessToken}`,
+          "Content-Type": "application/json"
+        }
+      }
+    );
 
     services = edges.map((e: RailwayService) => ({
       name: e.node.name,
@@ -391,7 +383,67 @@ export const getIntegrationAuthRailwayServices = async (req: Request, res: Respo
   return res.status(200).send({
     services
   });
-}
+};
+
+/**
+ * Return list of workspaces allowed for Bitbucket integration
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getIntegrationAuthBitBucketWorkspaces = async (req: Request, res: Response) => {
+  
+  interface WorkspaceResponse {
+    size: number;
+    page: number;
+    pageLen: number;
+    next: string;
+    previous: string;
+    values: Array<Workspace>;
+  }
+
+  interface Workspace {
+    type: string;
+    uuid: string;
+    name: string;
+    slug: string;
+    is_private: boolean;
+    created_on: string;
+    updated_on: string;
+  }
+
+  const workspaces: Workspace[] = [];
+  let hasNextPage = true;
+  let workspaceUrl = `${INTEGRATION_BITBUCKET_API_URL}/2.0/workspaces`
+
+  while (hasNextPage) {
+    const { data }: { data: WorkspaceResponse } = await standardRequest.get(
+      workspaceUrl,
+      {
+        headers: {
+          Authorization: `Bearer ${req.accessToken}`,
+          "Accept-Encoding": "application/json"
+        }
+      }
+    );
+    
+    if (data?.values.length > 0) {
+      data.values.forEach((workspace) => {
+        workspaces.push(workspace)
+      })
+    }
+
+    if (data.next) {
+      workspaceUrl = data.next
+    } else {
+      hasNextPage = false
+    }
+  }
+
+  return res.status(200).send({
+    workspaces
+  });
+};
 
 /**
  * Delete integration authorization with id [integrationAuthId]
@@ -400,21 +452,12 @@ export const getIntegrationAuthRailwayServices = async (req: Request, res: Respo
  * @returns
  */
 export const deleteIntegrationAuth = async (req: Request, res: Response) => {
-  let integrationAuth;
-  try {
-    integrationAuth = await revokeAccess({
+  const integrationAuth = await revokeAccess({
     integrationAuth: req.integrationAuth,
-      accessToken: req.accessToken,
+    accessToken: req.accessToken
   });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to delete integration authorization",
-    });
-  }
 
   return res.status(200).send({
-    integrationAuth,
+    integrationAuth
   });
 };

backend/src/controllers/v1/integrationController.ts

@@ -1,11 +1,11 @@
-import { Request, Response } from 'express';
-import { Types } from 'mongoose';
-import * as Sentry from '@sentry/node';
-import { 
-	Integration
-} from '../../models';
-import { EventService } from '../../services';
-import { eventPushSecrets } from '../../events';
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { Integration } from "../../models";
+import { EventService } from "../../services";
+import { eventStartIntegration } from "../../events";
+import Folder from "../../models/folder";
+import { getFolderByPath } from "../../services/FolderService";
+import { BadRequestError } from "../../utils/errors";
 
 /**
  * Create/initialize an (empty) integration for integration authorization
@@ -14,9 +14,6 @@ import { eventPushSecrets } from '../../events';
  * @returns
  */
 export const createIntegration = async (req: Request, res: Response) => {
-	let integration;
-
-	try {
   const {
     integrationAuthId,
     app,
@@ -29,13 +26,28 @@ export const createIntegration = async (req: Request, res: Response) => {
     targetServiceId,
     owner,
     path,
-			region
+    region,
+    secretPath
   } = req.body;
 
+  const folders = await Folder.findOne({
+    workspace: req.integrationAuth.workspace._id,
+    environment: sourceEnvironment
+  });
+
+  if (folders) {
+    const folder = getFolderByPath(folders.nodes, secretPath);
+    if (!folder) {
+      throw BadRequestError({
+        message: "Path for service token does not exist"
+      });
+    }
+  }
+
   // TODO: validate [sourceEnvironment] and [targetEnvironment]
 
   // initialize new integration after saving integration access token
-    integration = await new Integration({
+  const integration = await new Integration({
     workspace: req.integrationAuth.workspace._id,
     environment: sourceEnvironment,
     isActive,
@@ -48,6 +60,7 @@ export const createIntegration = async (req: Request, res: Response) => {
     owner,
     path,
     region,
+    secretPath,
     integration: req.integrationAuth.integration,
     integrationAuth: new Types.ObjectId(integrationAuthId)
   }).save();
@@ -55,22 +68,15 @@ export const createIntegration = async (req: Request, res: Response) => {
   if (integration) {
     // trigger event - push secrets
     EventService.handleEvent({
-				event: eventPushSecrets({
-					workspaceId: integration.workspace.toString()
+      event: eventStartIntegration({
+        workspaceId: integration.workspace,
+        environment: sourceEnvironment
       })
     });
   }
 
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to create integration'
-		});
-	}
-
   return res.status(200).send({
-    integration,
+    integration
   });
 };
 
@@ -81,12 +87,9 @@ export const createIntegration = async (req: Request, res: Response) => {
  * @returns
  */
 export const updateIntegration = async (req: Request, res: Response) => {
-  let integration;
-
   // TODO: add integration-specific validation to ensure that each
   // integration has the correct fields populated in [Integration]
 
-  try {
   const {
     environment,
     isActive,
@@ -94,11 +97,26 @@ export const updateIntegration = async (req: Request, res: Response) => {
     appId,
     targetEnvironment,
     owner, // github-specific integration param
+    secretPath
   } = req.body;
 
-    integration = await Integration.findOneAndUpdate(
+  const folders = await Folder.findOne({
+    workspace: req.integration.workspace,
+    environment
+  });
+
+  if (folders) {
+    const folder = getFolderByPath(folders.nodes, secretPath);
+    if (!folder) {
+      throw BadRequestError({
+        message: "Path for service token does not exist"
+      });
+    }
+  }
+
+  const integration = await Integration.findOneAndUpdate(
     {
-        _id: req.integration._id,
+      _id: req.integration._id
     },
     {
       environment,
@@ -107,30 +125,25 @@ export const updateIntegration = async (req: Request, res: Response) => {
       appId,
       targetEnvironment,
       owner,
+      secretPath
     },
     {
-        new: true,
+      new: true
     }
   );
 
   if (integration) {
     // trigger event - push secrets
     EventService.handleEvent({
-        event: eventPushSecrets({
-          workspaceId: integration.workspace.toString(),
-        }),
-      });
-    }
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to update integration",
+      event: eventStartIntegration({
+        workspaceId: integration.workspace,
+        environment
+      })
     });
   }
 
   return res.status(200).send({
-    integration,
+    integration
   });
 };
 
@@ -142,24 +155,15 @@ export const updateIntegration = async (req: Request, res: Response) => {
  * @returns
  */
 export const deleteIntegration = async (req: Request, res: Response) => {
-  let integration;
-  try {
   const { integrationId } = req.params;
 
-    integration = await Integration.findOneAndDelete({
-      _id: integrationId,
+  const integration = await Integration.findOneAndDelete({
+    _id: integrationId
   });
 
   if (!integration) throw new Error("Failed to find integration");
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to delete integration",
-    });
-  }
 
   return res.status(200).send({
-    integration,
+    integration
   });
 };

backend/src/controllers/v1/keyController.ts

@@ -1,7 +1,6 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { Key } from '../../models';
-import { findMembership } from '../../helpers/membership';
+import { Request, Response } from "express";
+import { Key } from "../../models";
+import { findMembership } from "../../helpers/membership";
 
 /**
  * Add (encrypted) copy of workspace key for workspace with id [workspaceId] for user with
@@ -11,18 +10,17 @@ import { findMembership } from '../../helpers/membership';
  * @returns
  */
 export const uploadKey = async (req: Request, res: Response) => {
-	try {
   const { workspaceId } = req.params;
   const { key } = req.body;
 
   // validate membership of receiver
   const receiverMembership = await findMembership({
     user: key.userId,
-			workspace: workspaceId
+    workspace: workspaceId,
   });
 
   if (!receiverMembership) {
-			throw new Error('Failed receiver membership validation for workspace');
+    throw new Error("Failed receiver membership validation for workspace");
   }
 
   await new Key({
@@ -30,18 +28,11 @@ export const uploadKey = async (req: Request, res: Response) => {
     nonce: key.nonce,
     sender: req.user._id,
     receiver: key.userId,
-			workspace: workspaceId
+    workspace: workspaceId,
   }).save();
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to upload key to workspace'
-		});
-	}
 
 	return res.status(200).send({
-		message: 'Successfully uploaded key to workspace'
+		message: "Successfully uploaded key to workspace",
 	});
 };
 
@@ -52,30 +43,21 @@ export const uploadKey = async (req: Request, res: Response) => {
  * @returns
  */
 export const getLatestKey = async (req: Request, res: Response) => {
-	let latestKey;
-	try {
   const { workspaceId } = req.params;
 
   // get latest key
-		latestKey = await Key.find({
+  const latestKey = await Key.find({
     workspace: workspaceId,
-			receiver: req.user._id
+    receiver: req.user._id,
   })
     .sort({ createdAt: -1 })
     .limit(1)
-			.populate('sender', '+publicKey');
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get latest key'
-		});
-	}
+    .populate("sender", "+publicKey");
 
 	const resObj: any = {};
 
 	if (latestKey.length > 0) {
-		resObj['latestKey'] = latestKey[0];
+		resObj["latestKey"] = latestKey[0];
 	}
 
 	return res.status(200).send(resObj);

backend/src/controllers/v1/membershipController.ts

@@ -1,13 +1,9 @@
-import * as Sentry from '@sentry/node';
-import { Request, Response } from 'express';
-import { Membership, MembershipOrg, User, Key } from '../../models';
-import {
-	findMembership,
-	deleteMembership as deleteMember
-} from '../../helpers/membership';
-import { sendMail } from '../../helpers/nodemailer';
-import { ADMIN, MEMBER, ACCEPTED } from '../../variables';
-import { getSiteURL } from '../../config';
+import { Request, Response } from "express";
+import { Key, Membership, MembershipOrg, User } from "../../models";
+import { deleteMembership as deleteMember, findMembership } from "../../helpers/membership";
+import { sendMail } from "../../helpers/nodemailer";
+import { ACCEPTED, ADMIN, MEMBER } from "../../variables";
+import { getSiteURL } from "../../config";
 
 /**
  * Check that user is a member of workspace with id [workspaceId]
@@ -16,9 +12,7 @@ import { getSiteURL } from '../../config';
  * @returns
  */
 export const validateMembership = async (req: Request, res: Response) => {
-	try {
   const { workspaceId } = req.params;
-
   // validate membership
   const membership = await findMembership({
     user: req.user._id,
@@ -26,18 +20,11 @@ export const validateMembership = async (req: Request, res: Response) => {
   });
 
   if (!membership) {
-			throw new Error('Failed to validate membership');
-		}
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed workspace connection check'
-		});
+    throw new Error("Failed to validate membership");
   }
 
   return res.status(200).send({
-		message: 'Workspace membership confirmed'
+    message: "Workspace membership confirmed"
   });
 };
 
@@ -48,19 +35,15 @@ export const validateMembership = async (req: Request, res: Response) => {
  * @returns
  */
 export const deleteMembership = async (req: Request, res: Response) => {
-	let deletedMembership;
-	try {
   const { membershipId } = req.params;
 
   // check if membership to delete exists
   const membershipToDelete = await Membership.findOne({
     _id: membershipId
-		}).populate('user');
+  }).populate("user");
 
   if (!membershipToDelete) {
-			throw new Error(
-				"Failed to delete workspace membership that doesn't exist"
-			);
+    throw new Error("Failed to delete workspace membership that doesn't exist");
   }
 
   // check if user is a member and admin of the workspace
@@ -71,25 +54,18 @@ export const deleteMembership = async (req: Request, res: Response) => {
   });
 
   if (!membership) {
-			throw new Error('Failed to validate workspace membership');
+    throw new Error("Failed to validate workspace membership");
   }
 
   if (membership.role !== ADMIN) {
     // user is not an admin member of the workspace
-			throw new Error('Insufficient role for deleting workspace membership');
+    throw new Error("Insufficient role for deleting workspace membership");
   }
 
   // delete workspace membership
-		deletedMembership = await deleteMember({
+  const deletedMembership = await deleteMember({
     membershipId: membershipToDelete._id.toString()
   });
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to delete membership'
-		});
-	}
 
   return res.status(200).send({
     deletedMembership
@@ -103,22 +79,20 @@ export const deleteMembership = async (req: Request, res: Response) => {
  * @returns
  */
 export const changeMembershipRole = async (req: Request, res: Response) => {
-	let membershipToChangeRole;
-	try {
   const { membershipId } = req.params;
   const { role } = req.body;
 
   if (![ADMIN, MEMBER].includes(role)) {
-			throw new Error('Failed to validate role');
+    throw new Error("Failed to validate role");
   }
 
   // validate target membership
-		membershipToChangeRole = await findMembership({
+  const membershipToChangeRole = await findMembership({
     _id: membershipId
   });
 
   if (!membershipToChangeRole) {
-			throw new Error('Failed to find membership to change role');
+    throw new Error("Failed to find membership to change role");
   }
 
   // check if user is a member and admin of target membership's
@@ -129,23 +103,16 @@ export const changeMembershipRole = async (req: Request, res: Response) => {
   });
 
   if (!membership) {
-			throw new Error('Failed to validate membership');
+    throw new Error("Failed to validate membership");
   }
 
   if (membership.role !== ADMIN) {
     // user is not an admin member of the workspace
-			throw new Error('Insufficient role for changing member roles');
+    throw new Error("Insufficient role for changing member roles");
   }
 
   membershipToChangeRole.role = role;
   await membershipToChangeRole.save();
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to change membership role'
-		});
-	}
 
   return res.status(200).send({
     membership: membershipToChangeRole
@@ -159,17 +126,14 @@ export const changeMembershipRole = async (req: Request, res: Response) => {
  * @returns
  */
 export const inviteUserToWorkspace = async (req: Request, res: Response) => {
-	let invitee, latestKey;
-	try {
   const { workspaceId } = req.params;
   const { email }: { email: string } = req.body;
 
-		invitee = await User.findOne({
+  const invitee = await User.findOne({
     email
-		}).select('+publicKey');
+  }).select("+publicKey");
 
-		if (!invitee || !invitee?.publicKey)
-			throw new Error('Failed to validate invitee');
+  if (!invitee || !invitee?.publicKey) throw new Error("Failed to validate invitee");
 
   // validate invitee's workspace membership - ensure member isn't
   // already a member of the workspace
@@ -178,8 +142,7 @@ export const inviteUserToWorkspace = async (req: Request, res: Response) => {
     workspace: workspaceId
   });
 
-		if (inviteeMembership)
-			throw new Error('Failed to add existing member of workspace');
+  if (inviteeMembership) throw new Error("Failed to add existing member of workspace");
 
   // validate invitee's organization membership - ensure that only
   // (accepted) organization members can be added to the workspace
@@ -189,42 +152,34 @@ export const inviteUserToWorkspace = async (req: Request, res: Response) => {
     status: ACCEPTED
   });
 
-		if (!membershipOrg)
-			throw new Error("Failed to validate invitee's organization membership");
+  if (!membershipOrg) throw new Error("Failed to validate invitee's organization membership");
 
   // get latest key
-		latestKey = await Key.findOne({
+  const latestKey = await Key.findOne({
     workspace: workspaceId,
     receiver: req.user._id
   })
     .sort({ createdAt: -1 })
-			.populate('sender', '+publicKey');
+    .populate("sender", "+publicKey");
 
   // create new workspace membership
-		const m = await new Membership({
+  await new Membership({
     user: invitee._id,
     workspace: workspaceId,
     role: MEMBER
   }).save();
 
   await sendMail({
-			template: 'workspaceInvitation.handlebars',
-			subjectLine: 'Infisical workspace invitation',
+    template: "workspaceInvitation.handlebars",
+    subjectLine: "Infisical workspace invitation",
     recipients: [invitee.email],
     substitutions: {
       inviterFirstName: req.user.firstName,
       inviterEmail: req.user.email,
       workspaceName: req.membership.workspace.name,
-				callback_url: getSiteURL() + '/login'
+      callback_url: (await getSiteURL()) + "/login"
     }
   });
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to invite user to workspace'
-		});
-	}
 
   return res.status(200).send({
     invitee,

backend/src/controllers/v1/membershipOrgController.ts

@@ -1,13 +1,28 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { MembershipOrg, Organization, User } from '../../models';
-import { deleteMembershipOrg as deleteMemberFromOrg } from '../../helpers/membershipOrg';
-import { createToken } from '../../helpers/auth';
-import { updateSubscriptionOrgQuantity } from '../../helpers/organization';
-import { sendMail } from '../../helpers/nodemailer';
-import { TokenService } from '../../services';
-import { OWNER, ADMIN, MEMBER, ACCEPTED, INVITED, TOKEN_EMAIL_ORG_INVITATION } from '../../variables';
-import { getSiteURL, getJwtSignupLifetime, getJwtSignupSecret, getSmtpConfigured } from '../../config';
+import { Types } from "mongoose";
+import { Request, Response } from "express";
+import { MembershipOrg, Organization, User } from "../../models";
+import { SSOConfig } from "../../ee/models";
+import { deleteMembershipOrg as deleteMemberFromOrg } from "../../helpers/membershipOrg";
+import { createToken } from "../../helpers/auth";
+import { updateSubscriptionOrgQuantity } from "../../helpers/organization";
+import { sendMail } from "../../helpers/nodemailer";
+import { TokenService } from "../../services";
+import { EELicenseService } from "../../ee/services";
+import {
+  ACCEPTED,
+  ADMIN,
+  INVITED,
+  MEMBER,
+  OWNER,
+  TOKEN_EMAIL_ORG_INVITATION
+} from "../../variables";
+import {
+  getJwtSignupLifetime,
+  getJwtSignupSecret,
+  getSiteURL,
+  getSmtpConfigured
+} from "../../config";
+import { validateUserEmail } from "../../validation";
 
 /**
  * Delete organization membership with id [membershipOrgId] from organization
@@ -15,20 +30,16 @@ import { getSiteURL, getJwtSignupLifetime, getJwtSignupSecret, getSmtpConfigured
  * @param res
  * @returns
  */
-export const deleteMembershipOrg = async (req: Request, res: Response) => {
-	let membershipOrgToDelete;
-	try {
+export const deleteMembershipOrg = async (req: Request, _res: Response) => {
   const { membershipOrgId } = req.params;
 
   // check if organization membership to delete exists
-		membershipOrgToDelete = await MembershipOrg.findOne({
+  const membershipOrgToDelete = await MembershipOrg.findOne({
     _id: membershipOrgId
-		}).populate('user');
+  }).populate("user");
 
   if (!membershipOrgToDelete) {
-			throw new Error(
-				"Failed to delete organization membership that doesn't exist"
-			);
+    throw new Error("Failed to delete organization membership that doesn't exist");
   }
 
   // check if user is a member and admin of the organization
@@ -39,29 +50,22 @@ export const deleteMembershipOrg = async (req: Request, res: Response) => {
   });
 
   if (!membershipOrg) {
-			throw new Error('Failed to validate organization membership');
+    throw new Error("Failed to validate organization membership");
   }
 
   if (membershipOrg.role !== OWNER && membershipOrg.role !== ADMIN) {
     // user is not an admin member of the organization
-			throw new Error('Insufficient role for deleting organization membership');
+    throw new Error("Insufficient role for deleting organization membership");
   }
 
   // delete organization membership
-		const deletedMembershipOrg = await deleteMemberFromOrg({
+  await deleteMemberFromOrg({
     membershipOrgId: membershipOrgToDelete._id.toString()
   });
 
   await updateSubscriptionOrgQuantity({
     organizationId: membershipOrg.organization.toString()
   });
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to delete organization membership'
-		});
-	}
 
   return membershipOrgToDelete;
 };
@@ -77,14 +81,6 @@ export const changeMembershipOrgRole = async (req: Request, res: Response) => {
   // [membershipOrgId]
 
   let membershipToChangeRole;
-	// try {
-	// } catch (err) {
-	// 	Sentry.setUser({ email: req.user.email });
-	// 	Sentry.captureException(err);
-	// 	return res.status(400).send({
-	// 		message: 'Failed to change organization membership role'
-	// 	});
-	// }
 
   return res.status(200).send({
     membershipOrg: membershipToChangeRole
@@ -99,8 +95,7 @@ export const changeMembershipOrgRole = async (req: Request, res: Response) => {
  * @returns
  */
 export const inviteUserToOrganization = async (req: Request, res: Response) => {
-	let invitee, inviteeMembershipOrg, completeInviteLink;
-	try {
+  let inviteeMembershipOrg, completeInviteLink;
   const { organizationId, inviteeEmail } = req.body;
   const host = req.headers.host;
   const siteUrl = `${req.protocol}://${host}`;
@@ -112,12 +107,38 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
   });
 
   if (!membershipOrg) {
-			throw new Error('Failed to validate organization membership');
+    throw new Error("Failed to validate organization membership");
   }
 
-		invitee = await User.findOne({
+  const plan = await EELicenseService.getPlan(organizationId);
+  
+  const ssoConfig = await SSOConfig.findOne({
+    organization: new Types.ObjectId(organizationId)
+  });
+
+  if (ssoConfig && ssoConfig.isActive) {
+    // case: SAML SSO is enabled for the organization
+    return res.status(400).send({
+      message:
+        "Failed to invite member due to SAML SSO configured for organization"
+    }); 
+  }
+
+  if (plan.memberLimit !== null) {
+    // case: limit imposed on number of members allowed
+
+    if (plan.membersUsed >= plan.memberLimit) {
+      // case: number of members used exceeds the number of members allowed
+      return res.status(400).send({
+        message:
+          "Failed to invite member due to member limit reached. Upgrade plan to invite more members."
+      });
+    }
+  }
+
+  const invitee = await User.findOne({
     email: inviteeEmail
-		}).select('+publicKey');
+  }).select("+publicKey");
 
   if (invitee) {
     // case: invitee is an existing user
@@ -128,9 +149,7 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
     });
 
     if (inviteeMembershipOrg && inviteeMembershipOrg.status === ACCEPTED) {
-				throw new Error(
-					'Failed to invite an existing member of the organization'
-				);
+      throw new Error("Failed to invite an existing member of the organization");
     }
 
     if (!inviteeMembershipOrg) {
@@ -139,7 +158,7 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
         inviteEmail: inviteeEmail,
         organization: organizationId,
         role: MEMBER,
-					status: invitee?.publicKey ? ACCEPTED : INVITED
+        status: INVITED
       }).save();
     }
   } else {
@@ -152,6 +171,9 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
     if (!inviteeMembershipOrg) {
       // case: invitee has never been invited before
 
+      // validate that email is not disposable
+      validateUserEmail(inviteeEmail);
+
       await new MembershipOrg({
         inviteEmail: inviteeEmail,
         organization: organizationId,
@@ -171,32 +193,28 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
     });
 
     await sendMail({
-				template: 'organizationInvitation.handlebars',
-				subjectLine: 'Infisical organization invitation',
+      template: "organizationInvitation.handlebars",
+      subjectLine: "Infisical organization invitation",
       recipients: [inviteeEmail],
       substitutions: {
         inviterFirstName: req.user.firstName,
         inviterEmail: req.user.email,
         organizationName: organization.name,
         email: inviteeEmail,
+        organizationId: organization._id.toString(),
         token,
-					callback_url: getSiteURL() + '/signupinvite'
+        callback_url: (await getSiteURL()) + "/signupinvite"
       }
     });
 
-			if (!getSmtpConfigured()) {
-				completeInviteLink = `${siteUrl + '/signupinvite'}?token=${token}&to=${inviteeEmail}`
+    if (!(await getSmtpConfigured())) {
+      completeInviteLink = `${
+        siteUrl + "/signupinvite"
+      }?token=${token}&to=${inviteeEmail}&organization_id=${organization._id}`;
     }
   }
 
   await updateSubscriptionOrgQuantity({ organizationId });
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to send organization invite'
-		});
-	}
 
   return res.status(200).send({
     message: `Sent an invite link to ${req.body.inviteeEmail}`,
@@ -212,19 +230,18 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
  * @returns
  */
 export const verifyUserToOrganization = async (req: Request, res: Response) => {
-	let user, token;
-	try {
-		const { email, code } = req.body;
+  let user;
+  const { email, organizationId, code } = req.body;
 
-		user = await User.findOne({ email }).select('+publicKey');
+  user = await User.findOne({ email }).select("+publicKey");
 
   const membershipOrg = await MembershipOrg.findOne({
     inviteEmail: email,
-			status: INVITED
+    status: INVITED,
+    organization: new Types.ObjectId(organizationId)
   });
 
-		if (!membershipOrg)
-			throw new Error('Failed to find any invitations for email');
+  if (!membershipOrg) throw new Error("Failed to find any invitations for email");
 
   await TokenService.validateToken({
     type: TOKEN_EMAIL_ORG_INVITATION,
@@ -239,9 +256,13 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => {
     membershipOrg.status = ACCEPTED;
     await membershipOrg.save();
 
+    await updateSubscriptionOrgQuantity({
+      organizationId
+    });
+
     return res.status(200).send({
-				message: 'Successfully verified email',
-				user,
+      message: "Successfully verified email",
+      user
     });
   }
 
@@ -253,23 +274,16 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => {
   }
 
   // generate temporary signup token
-		token = createToken({
+  const token = createToken({
     payload: {
       userId: user._id.toString()
     },
-			expiresIn: getJwtSignupLifetime(),
-			secret: getJwtSignupSecret()
+    expiresIn: await getJwtSignupLifetime(),
+    secret: await getJwtSignupSecret()
   });
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			error: 'Failed email magic link verification for organization invitation'
-		});
-	}
 
   return res.status(200).send({
-		message: 'Successfully verified email',
+    message: "Successfully verified email",
     user,
     token
   });

backend/src/controllers/v1/organizationController.ts

@@ -1,37 +1,27 @@
-import * as Sentry from '@sentry/node';
-import { Request, Response } from 'express';
-import Stripe from 'stripe';
+import { Request, Response } from "express";
 import {
+	IncidentContactOrg,
 	Membership,
 	MembershipOrg,
 	Organization,
 	Workspace,
-	IncidentContactOrg
-} from '../../models';
-import { createOrganization as create } from '../../helpers/organization';
-import { addMembershipsOrg } from '../../helpers/membershipOrg';
-import { OWNER, ACCEPTED } from '../../variables';
-import _ from 'lodash';
-import { getStripeSecretKey, getSiteURL } from '../../config';
+} from "../../models";
+import { createOrganization as create } from "../../helpers/organization";
+import { addMembershipsOrg } from "../../helpers/membershipOrg";
+import { ACCEPTED, OWNER } from "../../variables";
+import { getLicenseServerUrl, getSiteURL } from "../../config";
+import { licenseServerKeyRequest } from "../../config/request";
 
 export const getOrganizations = async (req: Request, res: Response) => {
-	let organizations;
-	try {
-		organizations = (
+  const organizations = (
     await MembershipOrg.find({
-				user: req.user._id
-			}).populate('organization')
+      user: req.user._id,
+      status: ACCEPTED,
+    }).populate("organization")
   ).map((m) => m.organization);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get organizations'
-		});
-	}
 
 	return res.status(200).send({
-		organizations
+		organizations,
 	});
 };
 
@@ -43,36 +33,27 @@ export const getOrganizations = async (req: Request, res: Response) => {
  * @returns
  */
 export const createOrganization = async (req: Request, res: Response) => {
-	let organization;
-	try {
   const { organizationName } = req.body;
 
   if (organizationName.length < 1) {
-			throw new Error('Organization names must be at least 1-character long');
+    throw new Error("Organization names must be at least 1-character long");
   }
 
   // create organization and add user as member
-		organization = await create({
+  const organization = await create({
     email: req.user.email,
-			name: organizationName
+    name: organizationName,
   });
 
   await addMembershipsOrg({
     userIds: [req.user._id.toString()],
     organizationId: organization._id.toString(),
     roles: [OWNER],
-			statuses: [ACCEPTED]
+    statuses: [ACCEPTED],
   });
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to create organization'
-		});
-	}
 
 	return res.status(200).send({
-		organization
+		organization,
 	});
 };
 
@@ -83,19 +64,9 @@ export const createOrganization = async (req: Request, res: Response) => {
  * @returns
  */
 export const getOrganization = async (req: Request, res: Response) => {
-	let organization;
-	try {
-		organization = req.membershipOrg.organization;
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to find organization'
-		});
-	}
-
+	const organization = req.organization
 	return res.status(200).send({
-		organization
+		organization,
 	});
 };
 
@@ -106,23 +77,14 @@ export const getOrganization = async (req: Request, res: Response) => {
  * @returns
  */
 export const getOrganizationMembers = async (req: Request, res: Response) => {
-	let users;
-	try {
   const { organizationId } = req.params;
 
-		users = await MembershipOrg.find({
-			organization: organizationId
-		}).populate('user', '+publicKey');
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get organization members'
-		});
-	}
+  const users = await MembershipOrg.find({
+    organization: organizationId,
+  }).populate("user", "+publicKey");
 
 	return res.status(200).send({
-		users
+		users,
 	});
 };
 
@@ -136,38 +98,29 @@ export const getOrganizationWorkspaces = async (
 	req: Request,
 	res: Response
 ) => {
-	let workspaces;
-	try {
   const { organizationId } = req.params;
 
   const workspacesSet = new Set(
     (
       await Workspace.find(
         {
-						organization: organizationId
+          organization: organizationId,
         },
-					'_id'
+        "_id"
       )
     ).map((w) => w._id.toString())
   );
 
-		workspaces = (
+  const workspaces = (
     await Membership.find({
-				user: req.user._id
-			}).populate('workspace')
+      user: req.user._id,
+    }).populate("workspace")
   )
     .filter((m) => workspacesSet.has(m.workspace._id.toString()))
     .map((m) => m.workspace);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get my workspaces'
-		});
-	}
 
 	return res.status(200).send({
-		workspaces
+		workspaces,
 	});
 };
 
@@ -178,33 +131,24 @@ export const getOrganizationWorkspaces = async (
  * @returns
  */
 export const changeOrganizationName = async (req: Request, res: Response) => {
-	let organization;
-	try {
   const { organizationId } = req.params;
   const { name } = req.body;
 
-		organization = await Organization.findOneAndUpdate(
+  const organization = await Organization.findOneAndUpdate(
     {
-				_id: organizationId
+      _id: organizationId,
     },
     {
-				name
+      name,
     },
     {
-				new: true
+      new: true,
     }
   );
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to change organization name'
-		});
-	}
 
 	return res.status(200).send({
-		message: 'Successfully changed organization name',
-		organization
+		message: "Successfully changed organization name",
+		organization,
 	});
 };
 
@@ -218,23 +162,14 @@ export const getOrganizationIncidentContacts = async (
 	req: Request,
 	res: Response
 ) => {
-	let incidentContactsOrg;
-	try {
   const { organizationId } = req.params;
 
-		incidentContactsOrg = await IncidentContactOrg.find({
-			organization: organizationId
+  const incidentContactsOrg = await IncidentContactOrg.find({
+    organization: organizationId,
   });
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get organization incident contacts'
-		});
-	}
 
 	return res.status(200).send({
-		incidentContactsOrg
+		incidentContactsOrg,
 	});
 };
 
@@ -248,26 +183,17 @@ export const addOrganizationIncidentContact = async (
 	req: Request,
 	res: Response
 ) => {
-	let incidentContactOrg;
-	try {
   const { organizationId } = req.params;
   const { email } = req.body;
 
-		incidentContactOrg = await IncidentContactOrg.findOneAndUpdate(
+  const incidentContactOrg = await IncidentContactOrg.findOneAndUpdate(
     { email, organization: organizationId },
     { email, organization: organizationId },
     { upsert: true, new: true }
   );
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to add incident contact for organization'
-		});
-	}
 
 	return res.status(200).send({
-		incidentContactOrg
+		incidentContactOrg,
 	});
 };
 
@@ -281,31 +207,22 @@ export const deleteOrganizationIncidentContact = async (
 	req: Request,
 	res: Response
 ) => {
-	let incidentContactOrg;
-	try {
   const { organizationId } = req.params;
   const { email } = req.body;
 
-		incidentContactOrg = await IncidentContactOrg.findOneAndDelete({
+  const incidentContactOrg = await IncidentContactOrg.findOneAndDelete({
     email,
-			organization: organizationId
+    organization: organizationId,
   });
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to delete organization incident contact'
-		});
-	}
 
 	return res.status(200).send({
-		message: 'Successfully deleted organization incident contact',
-		incidentContactOrg
+		message: "Successfully deleted organization incident contact",
+		incidentContactOrg,
 	});
 };
 
 /**
- * Redirect user to (stripe) billing portal or add card page depending on
+ * Redirect user to billing portal or add card page depending on
  * if there is a card on file
  * @param req
  * @param res
@@ -315,41 +232,31 @@ export const createOrganizationPortalSession = async (
 	req: Request,
 	res: Response
 ) => {
-	let session;
-	try {
-		const stripe = new Stripe(getStripeSecretKey(), {
-			apiVersion: '2022-08-01'
-		});
+  const { data: { pmtMethods } } = await licenseServerKeyRequest.get(
+    `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/payment-methods`,
+  );
   
-		// check if there is a payment method on file
-		const paymentMethods = await stripe.paymentMethods.list({
-			customer: req.membershipOrg.organization.customerId,
-			type: 'card'
-		});
-
-		if (paymentMethods.data.length < 1) {
-			// case: no payment method on file
-			session = await stripe.checkout.sessions.create({
-				customer: req.membershipOrg.organization.customerId,
-				mode: 'setup',
-				payment_method_types: ['card'],
-				success_url: getSiteURL() + '/dashboard',
-				cancel_url: getSiteURL() + '/dashboard'
-			});
-		} else {
-			session = await stripe.billingPortal.sessions.create({
-				customer: req.membershipOrg.organization.customerId,
-				return_url: getSiteURL() + '/dashboard'
-			});
+  if (pmtMethods.length < 1) {
+    // case: organization has no payment method on file
+    // -> redirect to add payment method portal 
+    const { data: { url } } = await licenseServerKeyRequest.post(
+      `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/payment-methods`,
+      {
+        success_url: (await getSiteURL()) + "/dashboard",
+        cancel_url: (await getSiteURL()) + "/dashboard"
       }
-
-		return res.status(200).send({ url: session.url });
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to redirect to organization billing portal'
-		});
+    );
+    return res.status(200).send({ url });
+  } else {
+    // case: organization has payment method on file
+    // -> redirect to billing portal
+    const { data: { url } } = await licenseServerKeyRequest.post(
+      `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/billing-portal`,
+      {
+        return_url: (await getSiteURL()) + "/dashboard"
+      }
+    );
+    return res.status(200).send({ url });
   }
 };
 
@@ -363,25 +270,8 @@ export const getOrganizationSubscriptions = async (
 	req: Request,
 	res: Response
 ) => {
-	let subscriptions;
-	try {
-		const stripe = new Stripe(getStripeSecretKey(), {
-			apiVersion: '2022-08-01'
-		});
-		
-		subscriptions = await stripe.subscriptions.list({
-			customer: req.membershipOrg.organization.customerId
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get organization subscriptions'
-		});
-	}
-
 	return res.status(200).send({
-		subscriptions
+		subscriptions: []
 	});
 };
 
@@ -401,16 +291,16 @@ export const getOrganizationMembersAndTheirWorkspaces = async (
 	const workspacesSet = (
 			await Workspace.find(
 				{
-					organization: organizationId
+					organization: organizationId,
 				},
-				'_id'
+				"_id"
 			)
 		).map((w) => w._id.toString());
 
 	const memberships = (
 		await Membership.find({
-			workspace: { $in: workspacesSet }
-		}).populate('workspace')
+			workspace: { $in: workspacesSet },
+		}).populate("workspace")
 	);
 	const userToWorkspaceIds: any = {};
 

backend/src/controllers/v1/passwordController.ts

@@ -1,15 +1,18 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
+import { Request, Response } from "express";
 // eslint-disable-next-line @typescript-eslint/no-var-requires
-const jsrp = require('jsrp');
-import * as bigintConversion from 'bigint-conversion';
-import { User, BackupPrivateKey, LoginSRPDetail } from '../../models';
-import { createToken } from '../../helpers/auth';
-import { sendMail } from '../../helpers/nodemailer';
-import { TokenService } from '../../services';
-import { TOKEN_EMAIL_PASSWORD_RESET } from '../../variables';
-import { BadRequestError } from '../../utils/errors';
-import { getSiteURL, getJwtSignupLifetime, getJwtSignupSecret } from '../../config';
+const jsrp = require("jsrp");
+import * as bigintConversion from "bigint-conversion";
+import { BackupPrivateKey, LoginSRPDetail, User } from "../../models";
+import { clearTokens, createToken, sendMail } from "../../helpers";
+import { TokenService } from "../../services";
+import { AUTH_MODE_JWT, TOKEN_EMAIL_PASSWORD_RESET } from "../../variables";
+import { BadRequestError } from "../../utils/errors";
+import {
+  getHttpsEnabled,
+  getJwtSignupLifetime,
+  getJwtSignupSecret,
+  getSiteURL
+} from "../../config";
 
 /**
  * Password reset step 1: Send email verification link to email [email]
@@ -19,16 +22,14 @@ import { getSiteURL, getJwtSignupLifetime, getJwtSignupSecret } from '../../conf
  * @returns
  */
 export const emailPasswordReset = async (req: Request, res: Response) => {
-	let email: string;
-	try {
-		email = req.body.email;
+  const email: string = req.body.email;
 
-		const user = await User.findOne({ email }).select('+publicKey');
+  const user = await User.findOne({ email }).select("+publicKey");
   if (!user || !user?.publicKey) {
     // case: user has already completed account
 
-			return res.status(403).send({
-				error: 'Failed to send email verification for password reset'
+    return res.status(200).send({
+      message: "If an account exists with this email, a password reset link has been sent"
     });
   }
 
@@ -38,27 +39,20 @@ export const emailPasswordReset = async (req: Request, res: Response) => {
   });
 
   await sendMail({
-			template: 'passwordReset.handlebars',
-			subjectLine: 'Infisical password reset',
+    template: "passwordReset.handlebars",
+    subjectLine: "Infisical password reset",
     recipients: [email],
     substitutions: {
       email,
       token,
-				callback_url: getSiteURL() + '/password-reset'
+      callback_url: (await getSiteURL()) + "/password-reset"
     }
   });
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to send email for account recovery'
-		});
-	}
 
   return res.status(200).send({
-		message: `Sent an email for account recovery to ${email}`
+    message: "If an account exists with this email, a password reset link has been sent"
   });
-}
+};
 
 /**
  * Password reset step 2: Verify email verification link sent to email [email]
@@ -67,16 +61,14 @@ export const emailPasswordReset = async (req: Request, res: Response) => {
  * @returns
  */
 export const emailPasswordResetVerify = async (req: Request, res: Response) => {
-	let user, token;
-	try {
   const { email, code } = req.body;
 
-		user = await User.findOne({ email }).select('+publicKey');
+  const user = await User.findOne({ email }).select("+publicKey");
   if (!user || !user?.publicKey) {
     // case: user doesn't exist with email [email] or
     // hasn't even completed their account
     return res.status(403).send({
-				error: 'Failed email verification for password reset'
+      error: "Failed email verification for password reset"
     });
   }
 
@@ -87,27 +79,20 @@ export const emailPasswordResetVerify = async (req: Request, res: Response) => {
   });
 
   // generate temporary password-reset token
-		token = createToken({
+  const token = createToken({
     payload: {
       userId: user._id.toString()
     },
-			expiresIn: getJwtSignupLifetime(),
-			secret: getJwtSignupSecret()
+    expiresIn: await getJwtSignupLifetime(),
+    secret: await getJwtSignupSecret()
   });
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed email verification for password reset'
-		});
-	}
 
   return res.status(200).send({
-		message: 'Successfully verified email',
+    message: "Successfully verified email",
     user,
     token
   });
-}
+};
 
 /**
  * Return [salt] and [serverPublicKey] as part of step 1 of SRP protocol
@@ -117,13 +102,13 @@ export const emailPasswordResetVerify = async (req: Request, res: Response) => {
  */
 export const srp1 = async (req: Request, res: Response) => {
   // return salt, serverPublicKey as part of first step of SRP protocol
-	try {
+
   const { clientPublicKey } = req.body;
   const user = await User.findOne({
     email: req.user.email
-		}).select('+salt +verifier');
+  }).select("+salt +verifier");
 
-		if (!user) throw new Error('Failed to find user');
+  if (!user) throw new Error("Failed to find user");
 
   const server = new jsrp.server();
   server.init(
@@ -135,11 +120,15 @@ export const srp1 = async (req: Request, res: Response) => {
       // generate server-side public key
       const serverPublicKey = server.getPublicKey();
 
-				await LoginSRPDetail.findOneAndReplace({ email: req.user.email }, {
+      await LoginSRPDetail.findOneAndReplace(
+        { email: req.user.email },
+        {
           email: req.user.email,
           clientPublicKey: clientPublicKey,
-					serverBInt: bigintConversion.bigintToBuf(server.bInt),
-				}, { upsert: true, returnNewDocument: false })
+          serverBInt: bigintConversion.bigintToBuf(server.bInt)
+        },
+        { upsert: true, returnNewDocument: false }
+      );
 
       return res.status(200).send({
         serverPublicKey,
@@ -147,13 +136,6 @@ export const srp1 = async (req: Request, res: Response) => {
       });
     }
   );
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			error: 'Failed to start change password process'
-		});
-	}
 };
 
 /**
@@ -165,7 +147,6 @@ export const srp1 = async (req: Request, res: Response) => {
  * @returns
  */
 export const changePassword = async (req: Request, res: Response) => {
-	try {
   const {
     clientProof,
     protectedKey,
@@ -180,14 +161,18 @@ export const changePassword = async (req: Request, res: Response) => {
 
   const user = await User.findOne({
     email: req.user.email
-		}).select('+salt +verifier');
+  }).select("+salt +verifier");
 
-		if (!user) throw new Error('Failed to find user');
+  if (!user) throw new Error("Failed to find user");
 
-		const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: req.user.email })
+  const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: req.user.email });
 
   if (!loginSRPDetailFromDB) {
-			return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
+    return BadRequestError(
+      Error(
+        "It looks like some details from the first login are not found. Please try login one again"
+      )
+    );
   }
 
   const server = new jsrp.server();
@@ -222,23 +207,33 @@ export const changePassword = async (req: Request, res: Response) => {
           }
         );
 
+        if (
+          req.authData.authMode === AUTH_MODE_JWT &&
+          req.authData.authPayload instanceof User &&
+          req.authData.tokenVersionId
+        ) {
+          await clearTokens(req.authData.tokenVersionId);
+        }
+
+        // clear httpOnly cookie
+
+        res.cookie("jid", "", {
+          httpOnly: true,
+          path: "/",
+          sameSite: "strict",
+          secure: (await getHttpsEnabled()) as boolean
+        });
+
         return res.status(200).send({
-						message: 'Successfully changed password'
+          message: "Successfully changed password"
         });
       }
 
       return res.status(400).send({
-					error: 'Failed to change password. Try again?'
+        error: "Failed to change password. Try again?"
       });
     }
   );
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			error: 'Failed to change password. Try again?'
-		});
-	}
 };
 
 /**
@@ -252,19 +247,21 @@ export const createBackupPrivateKey = async (req: Request, res: Response) => {
   // requires verifying [clientProof] as part of second step of SRP protocol
   // as initiated in /srp1
 
-	try {
-		const { clientProof, encryptedPrivateKey, iv, tag, salt, verifier } =
-			req.body;
+  const { clientProof, encryptedPrivateKey, iv, tag, salt, verifier } = req.body;
   const user = await User.findOne({
     email: req.user.email
-		}).select('+salt +verifier');
+  }).select("+salt +verifier");
 
-		if (!user) throw new Error('Failed to find user');
+  if (!user) throw new Error("Failed to find user");
 
-		const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: req.user.email })
+  const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: req.user.email });
 
   if (!loginSRPDetailFromDB) {
-			return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
+    return BadRequestError(
+      Error(
+        "It looks like some details from the first login are not found. Please try login one again"
+      )
+    );
   }
 
   const server = new jsrp.server();
@@ -275,9 +272,7 @@ export const createBackupPrivateKey = async (req: Request, res: Response) => {
       b: loginSRPDetailFromDB.serverBInt
     },
     async () => {
-				server.setClientPublicKey(
-					loginSRPDetailFromDB.clientPublicKey
-				);
+      server.setClientPublicKey(loginSRPDetailFromDB.clientPublicKey);
 
       // compare server and client shared keys
       if (server.checkClientProof(clientProof)) {
@@ -294,27 +289,20 @@ export const createBackupPrivateKey = async (req: Request, res: Response) => {
             verifier
           },
           { upsert: true, new: true }
-					).select('+user, encryptedPrivateKey');
+        ).select("+user, encryptedPrivateKey");
 
         // issue tokens
         return res.status(200).send({
-						message: 'Successfully updated backup private key',
+          message: "Successfully updated backup private key",
           backupPrivateKey
         });
       }
 
       return res.status(400).send({
-					message: 'Failed to update backup private key'
+        message: "Failed to update backup private key"
       });
     }
   );
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to update backup private key'
-		});
-	}
 };
 
 /**
@@ -324,28 +312,18 @@ export const createBackupPrivateKey = async (req: Request, res: Response) => {
  * @returns
  */
 export const getBackupPrivateKey = async (req: Request, res: Response) => {
-	let backupPrivateKey;
-	try {
-		backupPrivateKey = await BackupPrivateKey.findOne({
+  const backupPrivateKey = await BackupPrivateKey.findOne({
     user: req.user._id
-		}).select('+encryptedPrivateKey +iv +tag');
+  }).select("+encryptedPrivateKey +iv +tag");
 
-		if (!backupPrivateKey) throw new Error('Failed to find backup private key');
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get backup private key'
-		});
-	}
+  if (!backupPrivateKey) throw new Error("Failed to find backup private key");
 
   return res.status(200).send({
     backupPrivateKey
   });
-}
+};
 
 export const resetPassword = async (req: Request, res: Response) => {
-	try {
   const {
     protectedKey,
     protectedKeyIV,
@@ -354,7 +332,7 @@ export const resetPassword = async (req: Request, res: Response) => {
     encryptedPrivateKeyIV,
     encryptedPrivateKeyTag,
     salt,
-			verifier,
+    verifier
   } = req.body;
 
   await User.findByIdAndUpdate(
@@ -374,15 +352,8 @@ export const resetPassword = async (req: Request, res: Response) => {
       new: true
     }
   );
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get backup private key'
-		});
-	}
 
   return res.status(200).send({
-		message: 'Successfully reset password'
+    message: "Successfully reset password"
   });
-}
+};

backend/src/controllers/v1/secretController.ts

@@ -1,15 +1,15 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { Key, Secret } from '../../models';
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { Key } from "../../models";
 import {
-	v1PushSecrets as push,
   pullSecrets as pull,
+  v1PushSecrets as push,
   reformatPullSecrets
-} from '../../helpers/secret';
-import { pushKeys } from '../../helpers/key';
-import { eventPushSecrets } from '../../events';
-import { EventService } from '../../services';
-import { TelemetryService } from '../../services';
+} from "../../helpers/secret";
+import { pushKeys } from "../../helpers/key";
+import { eventPushSecrets } from "../../events";
+import { EventService } from "../../services";
+import { TelemetryService } from "../../services";
 
 interface PushSecret {
   ciphertextKey: string;
@@ -24,7 +24,7 @@ interface PushSecret {
   ivComment: string;
   tagComment: string;
   hashComment: string;
-	type: 'shared' | 'personal';
+  type: "shared" | "personal";
 }
 
 /**
@@ -36,9 +36,7 @@ interface PushSecret {
  */
 export const pushSecrets = async (req: Request, res: Response) => {
   // upload (encrypted) secrets to workspace with id [workspaceId]
-
-	try {
-		const postHogClient = TelemetryService.getPostHogClient();
+  const postHogClient = await TelemetryService.getPostHogClient();
   let { secrets }: { secrets: PushSecret[] } = req.body;
   const { keys, environment, channel } = req.body;
   const { workspaceId } = req.params;
@@ -46,13 +44,11 @@ export const pushSecrets = async (req: Request, res: Response) => {
   // validate environment
   const workspaceEnvs = req.membership.workspace.environments;
   if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
-			throw new Error('Failed to validate environment');
+    throw new Error("Failed to validate environment");
   }
 
   // sanitize secrets
-		secrets = secrets.filter(
-			(s: PushSecret) => s.ciphertextKey !== '' && s.ciphertextValue !== ''
-		);
+  secrets = secrets.filter((s: PushSecret) => s.ciphertextKey !== "" && s.ciphertextValue !== "");
 
   await push({
     userId: req.user._id,
@@ -67,16 +63,15 @@ export const pushSecrets = async (req: Request, res: Response) => {
     keys
   });
 
-		
   if (postHogClient) {
     postHogClient.capture({
-				event: 'secrets pushed',
+      event: "secrets pushed",
       distinctId: req.user.email,
       properties: {
         numberOfSecrets: secrets.length,
         environment,
         workspaceId,
-					channel: channel ? channel : 'cli'
+        channel: channel ? channel : "cli"
       }
     });
   }
@@ -84,20 +79,14 @@ export const pushSecrets = async (req: Request, res: Response) => {
   // trigger event - push secrets
   EventService.handleEvent({
     event: eventPushSecrets({
-				workspaceId
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+      secretPath: "/"
     })
   });
 
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to upload workspace secrets'
-		});
-	}
-
   return res.status(200).send({
-		message: 'Successfully uploaded workspace secrets'
+    message: "Successfully uploaded workspace secrets"
   });
 };
 
@@ -110,9 +99,8 @@ export const pushSecrets = async (req: Request, res: Response) => {
  */
 export const pullSecrets = async (req: Request, res: Response) => {
   let secrets;
-	let key;
-	try {
-		const postHogClient = TelemetryService.getPostHogClient();
+
+  const postHogClient = await TelemetryService.getPostHogClient();
   const environment: string = req.query.environment as string;
   const channel: string = req.query.channel as string;
   const { workspaceId } = req.params;
@@ -120,25 +108,25 @@ export const pullSecrets = async (req: Request, res: Response) => {
   // validate environment
   const workspaceEnvs = req.membership.workspace.environments;
   if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
-			throw new Error('Failed to validate environment');
+    throw new Error("Failed to validate environment");
   }
 
   secrets = await pull({
     userId: req.user._id.toString(),
     workspaceId,
     environment,
-			channel: channel ? channel : 'cli',
-			ipAddress: req.ip
+    channel: channel ? channel : "cli",
+    ipAddress: req.realIP
   });
 
-		key = await Key.findOne({
+  const key = await Key.findOne({
     workspace: workspaceId,
     receiver: req.user._id
   })
     .sort({ createdAt: -1 })
-			.populate('sender', '+publicKey');
+    .populate("sender", "+publicKey");
 
-		if (channel !== 'cli') {
+  if (channel !== "cli") {
     secrets = reformatPullSecrets({ secrets });
   }
 
@@ -146,22 +134,15 @@ export const pullSecrets = async (req: Request, res: Response) => {
     // capture secrets pushed event in production
     postHogClient.capture({
       distinctId: req.user.email,
-				event: 'secrets pulled',
+      event: "secrets pulled",
       properties: {
         numberOfSecrets: secrets.length,
         environment,
         workspaceId,
-					channel: channel ? channel : 'cli'
+        channel: channel ? channel : "cli"
       }
     });
   }
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to pull workspace secrets'
-		});
-	}
 
   return res.status(200).send({
     secrets,
@@ -178,10 +159,7 @@ export const pullSecrets = async (req: Request, res: Response) => {
  * @returns
  */
 export const pullSecretsServiceToken = async (req: Request, res: Response) => {
-	let secrets;
-	let key;
-	try {
-		const postHogClient = TelemetryService.getPostHogClient();
+  const postHogClient = await TelemetryService.getPostHogClient();
   const environment: string = req.query.environment as string;
   const channel: string = req.query.channel as string;
   const { workspaceId } = req.params;
@@ -189,18 +167,18 @@ export const pullSecretsServiceToken = async (req: Request, res: Response) => {
   // validate environment
   const workspaceEnvs = req.membership.workspace.environments;
   if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
-			throw new Error('Failed to validate environment');
+    throw new Error("Failed to validate environment");
   }
 
-		secrets = await pull({
+  const secrets = await pull({
     userId: req.serviceToken.user._id.toString(),
     workspaceId,
     environment,
-			channel: 'cli',
-			ipAddress: req.ip
+    channel: "cli",
+    ipAddress: req.realIP
   });
 
-		key = {
+  const key = {
     encryptedKey: req.serviceToken.encryptedKey,
     nonce: req.serviceToken.nonce,
     sender: {
@@ -214,22 +192,15 @@ export const pullSecretsServiceToken = async (req: Request, res: Response) => {
     // capture secrets pulled event in production
     postHogClient.capture({
       distinctId: req.serviceToken.user.email,
-				event: 'secrets pulled',
+      event: "secrets pulled",
       properties: {
         numberOfSecrets: secrets.length,
         environment,
         workspaceId,
-					channel: channel ? channel : 'cli'
+        channel: channel ? channel : "cli"
       }
     });
   }
-	} catch (err) {
-		Sentry.setUser({ email: req.serviceToken.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to pull workspace secrets'
-		});
-	}
 
   return res.status(200).send({
     secrets: reformatPullSecrets({ secrets }),

backend/src/controllers/v1/secretImportController.ts

@@ -0,0 +1,116 @@
+import { Request, Response } from "express";
+import { validateMembership } from "../../helpers";
+import SecretImport from "../../models/secretImports";
+import { getAllImportedSecrets } from "../../services/SecretImportService";
+import { BadRequestError } from "../../utils/errors";
+import { ADMIN, MEMBER } from "../../variables";
+
+export const createSecretImport = async (req: Request, res: Response) => {
+  const { workspaceId, environment, folderId, secretImport } = req.body;
+  const importSecDoc = await SecretImport.findOne({
+    workspace: workspaceId,
+    environment,
+    folderId
+  });
+
+  if (!importSecDoc) {
+    const doc = new SecretImport({
+      workspace: workspaceId,
+      environment,
+      folderId,
+      imports: [{ environment: secretImport.environment, secretPath: secretImport.secretPath }]
+    });
+    await doc.save();
+    return res.status(200).json({ message: "successfully created secret import" });
+  }
+
+  const doesImportExist = importSecDoc.imports.find(
+    (el) => el.environment === secretImport.environment && el.secretPath === secretImport.secretPath
+  );
+  if (doesImportExist) {
+    throw BadRequestError({ message: "Secret import already exist" });
+  }
+  importSecDoc.imports.push({
+    environment: secretImport.environment,
+    secretPath: secretImport.secretPath
+  });
+  await importSecDoc.save();
+  return res.status(200).json({ message: "successfully created secret import" });
+};
+
+// to keep the ordering, you must pass all the imports in here not the only updated one
+// this is because the order decide which import gets overriden
+export const updateSecretImport = async (req: Request, res: Response) => {
+  const { id } = req.params;
+  const { secretImports } = req.body;
+  const importSecDoc = await SecretImport.findById(id);
+  if (!importSecDoc) {
+    throw BadRequestError({ message: "Import not found" });
+  }
+
+  await validateMembership({
+    userId: req.user._id.toString(),
+    workspaceId: importSecDoc.workspace,
+    acceptedRoles: [ADMIN, MEMBER]
+  });
+
+  importSecDoc.imports = secretImports;
+  await importSecDoc.save();
+  return res.status(200).json({ message: "successfully updated secret import" });
+};
+
+export const deleteSecretImport = async (req: Request, res: Response) => {
+  const { id } = req.params;
+  const { secretImportEnv, secretImportPath } = req.body;
+  const importSecDoc = await SecretImport.findById(id);
+  if (!importSecDoc) {
+    throw BadRequestError({ message: "Import not found" });
+  }
+
+  await validateMembership({
+    userId: req.user._id.toString(),
+    workspaceId: importSecDoc.workspace,
+    acceptedRoles: [ADMIN, MEMBER]
+  });
+  importSecDoc.imports = importSecDoc.imports.filter(
+    ({ environment, secretPath }) =>
+      !(environment === secretImportEnv && secretPath === secretImportPath)
+  );
+  await importSecDoc.save();
+  return res.status(200).json({ message: "successfully delete secret import" });
+};
+
+export const getSecretImports = async (req: Request, res: Response) => {
+  const { workspaceId, environment, folderId } = req.query;
+  const importSecDoc = await SecretImport.findOne({
+    workspace: workspaceId,
+    environment,
+    folderId
+  });
+
+  if (!importSecDoc) {
+    return res.status(200).json({ secretImport: {} });
+  }
+
+  return res.status(200).json({ secretImport: importSecDoc });
+};
+
+export const getAllSecretsFromImport = async (req: Request, res: Response) => {
+  const { workspaceId, environment, folderId } = req.query as {
+    workspaceId: string;
+    environment: string;
+    folderId: string;
+  };
+  const importSecDoc = await SecretImport.findOne({
+    workspace: workspaceId,
+    environment,
+    folderId
+  });
+
+  if (!importSecDoc) {
+    return res.status(200).json({ secrets: {} });
+  }
+
+  const secrets = await getAllImportedSecrets(workspaceId, environment, folderId);
+  return res.status(200).json({ secrets });
+};

backend/src/controllers/v1/secretScanningController.ts

@@ -0,0 +1,91 @@
+import { Request, Response } from "express";
+import GitAppInstallationSession from "../../models/gitAppInstallationSession";
+import crypto from "crypto";
+import { Types } from "mongoose";
+import { UnauthorizedRequestError } from "../../utils/errors";
+import GitAppOrganizationInstallation from "../../models/gitAppOrganizationInstallation";
+import { MembershipOrg } from "../../models";
+import GitRisks, { STATUS_RESOLVED_FALSE_POSITIVE, STATUS_RESOLVED_NOT_REVOKED, STATUS_RESOLVED_REVOKED } from "../../models/gitRisks";
+
+export const createInstallationSession = async (req: Request, res: Response) => {
+  const sessionId = crypto.randomBytes(16).toString("hex");
+  await GitAppInstallationSession.findByIdAndUpdate(
+    req.organization,
+    {
+      organization: new Types.ObjectId(req.organization),
+      sessionId: sessionId,
+      user: new Types.ObjectId(req.user._id)
+    },
+    { upsert: true }
+  ).lean();
+
+  res.send({
+    sessionId: sessionId
+  })
+}
+
+export const linkInstallationToOrganization = async (req: Request, res: Response) => {
+  const { installationId, sessionId } = req.body
+
+  const installationSession = await GitAppInstallationSession.findOneAndDelete({ sessionId: sessionId })
+  if (!installationSession) {
+    throw UnauthorizedRequestError()
+  }
+
+  const userMembership = await MembershipOrg.find({ user: req.user._id, organization: installationSession.organization })
+  if (!userMembership) {
+    throw UnauthorizedRequestError()
+  }
+
+  const installationLink = await GitAppOrganizationInstallation.findOneAndUpdate({
+    organizationId: installationSession.organization,
+  }, {
+    installationId: installationId,
+    organizationId: installationSession.organization,
+    user: installationSession.user
+  }, {
+    upsert: true
+  }).lean()
+
+  res.json(installationLink)
+}
+
+export const getCurrentOrganizationInstallationStatus = async (req: Request, res: Response) => {
+  const { organizationId } = req.params
+  try {
+    const appInstallation = await GitAppOrganizationInstallation.findOne({ organizationId: organizationId }).lean()
+    if (!appInstallation) {
+      res.json({
+        appInstallationComplete: false
+      })
+    }
+
+    res.json({
+      appInstallationComplete: true
+    })
+  } catch {
+    res.json({
+      appInstallationComplete: false
+    })
+  }
+}
+
+export const getRisksForOrganization = async (req: Request, res: Response) => {
+  const { organizationId } = req.params
+  const risks = await GitRisks.find({ organization: organizationId }).sort({ createdAt: -1 }).lean()
+  res.json({
+    risks: risks
+  })
+}
+
+export const updateRisksStatus = async (req: Request, res: Response) => {
+  const { riskId } = req.params
+  const { status } = req.body
+  const isRiskResolved = status == STATUS_RESOLVED_FALSE_POSITIVE || status == STATUS_RESOLVED_REVOKED || status == STATUS_RESOLVED_NOT_REVOKED ? true : false
+  const risk = await GitRisks.findByIdAndUpdate(riskId, {
+    status: status,
+    isResolved: isRiskResolved
+  }).lean()
+
+  res.json(risk)
+}

backend/src/controllers/v1/secretsFolderController.ts

@@ -0,0 +1,235 @@
+import { Request, Response } from "express";
+import { Secret } from "../../models";
+import Folder from "../../models/folder";
+import { BadRequestError } from "../../utils/errors";
+import {
+  appendFolder,
+  deleteFolderById,
+  generateFolderId,
+  getAllFolderIds,
+  getFolderByPath,
+  getParentFromFolderId,
+  searchByFolderId,
+  searchByFolderIdWithDir,
+  validateFolderName,
+} from "../../services/FolderService";
+import { ADMIN, MEMBER } from "../../variables";
+import { validateMembership } from "../../helpers/membership";
+import { FolderVersion } from "../../ee/models";
+import { EESecretService } from "../../ee/services";
+
+// TODO
+// verify workspace id/environment
+export const createFolder = async (req: Request, res: Response) => {
+  const { workspaceId, environment, folderName, parentFolderId } = req.body;
+  if (!validateFolderName(folderName)) {
+    throw BadRequestError({
+      message: "Folder name cannot contain spaces. Only underscore and dashes",
+    });
+  }
+
+  const folders = await Folder.findOne({
+    workspace: workspaceId,
+    environment,
+  }).lean();
+  // space has no folders initialized
+  if (!folders) {
+    const id = generateFolderId();
+    const folder = new Folder({
+      workspace: workspaceId,
+      environment,
+      nodes: {
+        id: "root",
+        name: "root",
+        version: 1,
+        children: [{ id, name: folderName, children: [], version: 1 }],
+      },
+    });
+    await folder.save();
+    const folderVersion = new FolderVersion({
+      workspace: workspaceId,
+      environment,
+      nodes: folder.nodes,
+    });
+    await folderVersion.save();
+    await EESecretService.takeSecretSnapshot({
+      workspaceId,
+      environment,
+    });
+    return res.json({ folder: { id, name: folderName } });
+  }
+
+  const folder = appendFolder(folders.nodes, { folderName, parentFolderId });
+  await Folder.findByIdAndUpdate(folders._id, folders);
+
+  const parentFolder = searchByFolderId(folders.nodes, parentFolderId);
+  const folderVersion = new FolderVersion({
+    workspace: workspaceId,
+    environment,
+    nodes: parentFolder,
+  });
+  await folderVersion.save();
+
+  await EESecretService.takeSecretSnapshot({
+    workspaceId,
+    environment,
+    folderId: parentFolderId,
+  });
+
+  return res.json({ folder });
+};
+
+export const updateFolderById = async (req: Request, res: Response) => {
+  const { folderId } = req.params;
+  const { name, workspaceId, environment } = req.body;
+
+  const folders = await Folder.findOne({ workspace: workspaceId, environment });
+  if (!folders) {
+    throw BadRequestError({ message: "The folder doesn't exist" });
+  }
+
+  // check that user is a member of the workspace
+  await validateMembership({
+    userId: req.user._id.toString(),
+    workspaceId,
+    acceptedRoles: [ADMIN, MEMBER],
+  });
+
+  const parentFolder = getParentFromFolderId(folders.nodes, folderId);
+  if (!parentFolder) {
+    throw BadRequestError({ message: "The folder doesn't exist" });
+  }
+  const folder = parentFolder.children.find(({ id }) => id === folderId);
+  if (!folder) {
+    throw BadRequestError({ message: "The folder doesn't exist" });
+  }
+
+  parentFolder.version += 1;
+  folder.name = name;
+
+  await Folder.findByIdAndUpdate(folders._id, folders);
+  const folderVersion = new FolderVersion({
+    workspace: workspaceId,
+    environment,
+    nodes: parentFolder,
+  });
+  await folderVersion.save();
+
+  await EESecretService.takeSecretSnapshot({
+    workspaceId,
+    environment,
+    folderId: parentFolder.id,
+  });
+
+  return res.json({
+    message: "Successfully updated folder",
+    folder: { name: folder.name, id: folder.id },
+  });
+};
+
+export const deleteFolder = async (req: Request, res: Response) => {
+  const { folderId } = req.params;
+  const { workspaceId, environment } = req.body;
+
+  const folders = await Folder.findOne({ workspace: workspaceId, environment });
+  if (!folders) {
+    throw BadRequestError({ message: "The folder doesn't exist" });
+  }
+
+  // check that user is a member of the workspace
+  await validateMembership({
+    userId: req.user._id.toString(),
+    workspaceId,
+    acceptedRoles: [ADMIN, MEMBER],
+  });
+
+  const delOp = deleteFolderById(folders.nodes, folderId);
+  if (!delOp) {
+    throw BadRequestError({ message: "The folder doesn't exist" });
+  }
+  const { deletedNode: delFolder, parent: parentFolder } = delOp;
+
+  parentFolder.version += 1;
+  const delFolderIds = getAllFolderIds(delFolder);
+
+  await Folder.findByIdAndUpdate(folders._id, folders);
+  const folderVersion = new FolderVersion({
+    workspace: workspaceId,
+    environment,
+    nodes: parentFolder,
+  });
+  await folderVersion.save();
+  if (delFolderIds.length) {
+    await Secret.deleteMany({
+      folder: { $in: delFolderIds.map(({ id }) => id) },
+      workspace: workspaceId,
+      environment,
+    });
+  }
+
+  await EESecretService.takeSecretSnapshot({
+    workspaceId,
+    environment,
+    folderId: parentFolder.id,
+  });
+
+  res.send({ message: "successfully deleted folders", folders: delFolderIds });
+};
+
+// TODO: validate workspace
+export const getFolders = async (req: Request, res: Response) => {
+  const { workspaceId, environment, parentFolderId, parentFolderPath } =
+    req.query as {
+      workspaceId: string;
+      environment: string;
+      parentFolderId?: string;
+      parentFolderPath?: string;
+    };
+
+  const folders = await Folder.findOne({ workspace: workspaceId, environment });
+  if (!folders) {
+    res.send({ folders: [], dir: [] });
+    return;
+  }
+
+  // check that user is a member of the workspace
+  await validateMembership({
+    userId: req.user._id.toString(),
+    workspaceId,
+    acceptedRoles: [ADMIN, MEMBER],
+  });
+
+  // if instead of parentFolderId given a path like /folder1/folder2
+  if (parentFolderPath) {
+    const folder = getFolderByPath(folders.nodes, parentFolderPath);
+    if (!folder) {
+      res.send({ folders: [], dir: [] });
+      return;
+    }
+    // dir is not needed at present as this is only used in overview section of secrets
+    res.send({
+      folders: folder.children.map(({ id, name }) => ({ id, name })),
+      dir: [{ name: folder.name, id: folder.id }],
+    });
+  }
+
+  if (!parentFolderId) {
+    const rootFolders = folders.nodes.children.map(({ id, name }) => ({
+      id,
+      name,
+    }));
+    res.send({ folders: rootFolders });
+    return;
+  }
+
+  const folderBySearch = searchByFolderIdWithDir(folders.nodes, parentFolderId);
+  if (!folderBySearch) {
+    throw BadRequestError({ message: "The folder doesn't exist" });
+  }
+  const { folder, dir } = folderBySearch;
+
+  res.send({
+    folders: folder.children.map(({ id, name }) => ({ id, name })),
+    dir,
+  });
+};

backend/src/controllers/v1/serviceTokenController.ts

@@ -1,7 +1,7 @@
-import { Request, Response } from 'express';
-import { ServiceToken } from '../../models';
-import { createToken } from '../../helpers/auth';
-import { getJwtServiceSecret } from '../../config';
+import { Request, Response } from "express";
+import { ServiceToken } from "../../models";
+import { createToken } from "../../helpers/auth";
+import { getJwtServiceSecret } from "../../config";
 
 /**
  * Return service token on request
@@ -11,7 +11,7 @@ import { getJwtServiceSecret } from '../../config';
  */
 export const getServiceToken = async (req: Request, res: Response) => {
 	return res.status(200).send({
-		serviceToken: req.serviceToken
+		serviceToken: req.serviceToken,
 	});
 };
 
@@ -31,13 +31,13 @@ export const createServiceToken = async (req: Request, res: Response) => {
 			expiresIn,
 			publicKey,
 			encryptedKey,
-			nonce
+			nonce,
 		} = req.body;
 
 		// validate environment
 		const workspaceEnvs = req.membership.workspace.environments;
 		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
-			throw new Error('Failed to validate environment');
+			throw new Error("Failed to validate environment");
 		}
 
 		// compute access token expiration date
@@ -52,24 +52,24 @@ export const createServiceToken = async (req: Request, res: Response) => {
 			expiresAt,
 			publicKey,
 			encryptedKey,
-			nonce
+			nonce,
 		}).save();
 
 		token = createToken({
 			payload: {
 				serviceTokenId: serviceToken._id.toString(),
-				workspaceId
+				workspaceId,
 			},
 			expiresIn: expiresIn,
-			secret: getJwtServiceSecret()
+			secret: await getJwtServiceSecret(),
 		});
 	} catch (err) {
 		return res.status(400).send({
-			message: 'Failed to create service token'
+			message: "Failed to create service token",
 		});
 	}
 
 	return res.status(200).send({
-		token
+		token,
 	});
 };

backend/src/controllers/v1/signupController.ts

@@ -1,13 +1,15 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { User } from '../../models';
+import { Request, Response } from "express";
+import { User } from "../../models";
+import { checkEmailVerification, sendEmailVerification } from "../../helpers/signup";
+import { createToken } from "../../helpers/auth";
+import { BadRequestError } from "../../utils/errors";
 import {
-	sendEmailVerification,
-	checkEmailVerification,
-} from '../../helpers/signup';
-import { createToken } from '../../helpers/auth';
-import { BadRequestError } from '../../utils/errors';
-import { getInviteOnlySignup, getJwtSignupLifetime, getJwtSignupSecret, getSmtpConfigured } from '../../config';
+  getInviteOnlySignup,
+  getJwtSignupLifetime,
+  getJwtSignupSecret,
+  getSmtpConfigured
+} from "../../config";
+import { validateUserEmail } from "../../validation";
 
 /**
  * Signup step 1: Initialize account for user under email [email] and send a verification code
@@ -17,36 +19,22 @@ import { getInviteOnlySignup, getJwtSignupLifetime, getJwtSignupSecret, getSmtpC
  * @returns
  */
 export const beginEmailSignup = async (req: Request, res: Response) => {
-	let email: string;
-	try {
-		email = req.body.email;
+  const email: string = req.body.email;
 
-		if (getInviteOnlySignup()) {
-			// Only one user can create an account without being invited. The rest need to be invited in order to make an account
-			const userCount = await User.countDocuments({})
-			if (userCount != 0) {
-				throw BadRequestError({ message: "New user sign ups are not allowed at this time. You must be invited to sign up." })
-			}
-		}
+  // validate that email is not disposable
+  validateUserEmail(email);
 
-		const user = await User.findOne({ email }).select('+publicKey');
+  const user = await User.findOne({ email }).select("+publicKey");
   if (user && user?.publicKey) {
     // case: user has already completed account
 
     return res.status(403).send({
-				error: 'Failed to send email verification code for complete account'
+      error: "Failed to send email verification code for complete account"
     });
   }
 
   // send send verification email
   await sendEmailVerification({ email });
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			error: 'Failed to send email verification code'
-		});
-	}
 
   return res.status(200).send({
     message: `Sent an email verification code to ${email}`
@@ -61,21 +49,30 @@ export const beginEmailSignup = async (req: Request, res: Response) => {
  * @returns
  */
 export const verifyEmailSignup = async (req: Request, res: Response) => {
-	let user, token;
-	try {
+  let user;
   const { email, code } = req.body;
 
   // initialize user account
-		user = await User.findOne({ email }).select('+publicKey');
+  user = await User.findOne({ email }).select("+publicKey");
   if (user && user?.publicKey) {
     // case: user has already completed account
     return res.status(403).send({
-				error: 'Failed email verification for complete user'
+      error: "Failed email verification for complete user"
     });
   }
 
+  if (await getInviteOnlySignup()) {
+    // Only one user can create an account without being invited. The rest need to be invited in order to make an account
+    const userCount = await User.countDocuments({});
+    if (userCount != 0) {
+      throw BadRequestError({
+        message: "New user sign ups are not allowed at this time. You must be invited to sign up."
+      });
+    }
+  }
+
   // verify email
-		if (getSmtpConfigured()) {
+  if (await getSmtpConfigured()) {
     await checkEmailVerification({
       email,
       code
@@ -89,23 +86,16 @@ export const verifyEmailSignup = async (req: Request, res: Response) => {
   }
 
   // generate temporary signup token
-		token = createToken({
+  const token = createToken({
     payload: {
       userId: user._id.toString()
     },
-			expiresIn: getJwtSignupLifetime(),
-			secret: getJwtSignupSecret()
+    expiresIn: await getJwtSignupLifetime(),
+    secret: await getJwtSignupSecret()
   });
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			error: 'Failed email verification'
-		});
-	}
 
   return res.status(200).send({
-		message: 'Successfuly verified email',
+    message: "Successfuly verified email",
     user,
     token
   });

backend/src/controllers/v1/stripeController.ts

@@ -1,41 +0,0 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import Stripe from 'stripe';
-import { getStripeSecretKey, getStripeWebhookSecret } from '../../config';
-
-/**
- * Handle service provisioning/un-provisioning via Stripe
- * @param req
- * @param res
- * @returns
- */
-export const handleWebhook = async (req: Request, res: Response) => {
-	let event;
-	try {
-		// check request for valid stripe signature
-		const stripe = new Stripe(getStripeSecretKey(), {
-			apiVersion: '2022-08-01'
-		});
-
-		const sig = req.headers['stripe-signature'] as string;
-		event = stripe.webhooks.constructEvent(
-			req.body,
-			sig,
-			getStripeWebhookSecret()
-		);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			error: 'Failed to process webhook'
-		});
-	}
-
-	switch (event.type) {
-		case '':
-			break;
-		default:
-	}
-
-	return res.json({ received: true });
-};

backend/src/controllers/v1/userActionController.ts

@@ -1,6 +1,5 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { UserAction } from '../../models';
+import { Request, Response } from "express";
+import { UserAction } from "../../models";
 
 /**
  * Add user action [action]
@@ -11,32 +10,23 @@ import { UserAction } from '../../models';
 export const addUserAction = async (req: Request, res: Response) => {
 	// add/record new action [action] for user with id [req.user._id]
 
-	let userAction;
-	try {
   const { action } = req.body;
 
-		userAction = await UserAction.findOneAndUpdate(
+  const userAction = await UserAction.findOneAndUpdate(
     {
       user: req.user._id,
-				action
+      action,
     },
     { user: req.user._id, action },
     {
       new: true,
-				upsert: true
+      upsert: true,
     }
   );
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to record user action'
-		});
-	}
 
 	return res.status(200).send({
-		message: 'Successfully recorded user action',
-		userAction
+		message: "Successfully recorded user action",
+		userAction,
 	});
 };
 
@@ -48,23 +38,14 @@ export const addUserAction = async (req: Request, res: Response) => {
  */
 export const getUserAction = async (req: Request, res: Response) => {
 	// get user action [action] for user with id [req.user._id]
-	let userAction;
-	try {
   const action: string = req.query.action as string;
 
-		userAction = await UserAction.findOne({
+  const userAction = await UserAction.findOne({
     user: req.user._id,
-			action
+    action,
   });
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get user action'
-		});
-	}
 
 	return res.status(200).send({
-		userAction
+		userAction,
 	});
 };

backend/src/controllers/v1/userController.ts

@@ -1,4 +1,4 @@
-import { Request, Response } from 'express';
+import { Request, Response } from "express";
 
 /**
  * Return user on request
@@ -8,6 +8,6 @@ import { Request, Response } from 'express';
  */
 export const getUser = async (req: Request, res: Response) => {
 	return res.status(200).send({
-		user: req.user
+		user: req.user,
 	});
 };

backend/src/controllers/v1/webhookController.ts

@@ -0,0 +1,140 @@
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { client, getRootEncryptionKey } from "../../config";
+import { validateMembership } from "../../helpers";
+import Webhook from "../../models/webhooks";
+import { getWebhookPayload, triggerWebhookRequest } from "../../services/WebhookService";
+import { BadRequestError } from "../../utils/errors";
+import { ADMIN, ALGORITHM_AES_256_GCM, ENCODING_SCHEME_BASE64, MEMBER } from "../../variables";
+
+export const createWebhook = async (req: Request, res: Response) => {
+  const { webhookUrl, webhookSecretKey, environment, workspaceId, secretPath } = req.body;
+  const webhook = new Webhook({
+    workspace: workspaceId,
+    environment,
+    secretPath,
+    url: webhookUrl,
+    algorithm: ALGORITHM_AES_256_GCM,
+    keyEncoding: ENCODING_SCHEME_BASE64
+  });
+
+  if (webhookSecretKey) {
+    const rootEncryptionKey = await getRootEncryptionKey();
+    const { ciphertext, iv, tag } = client.encryptSymmetric(webhookSecretKey, rootEncryptionKey);
+    webhook.iv = iv;
+    webhook.tag = tag;
+    webhook.encryptedSecretKey = ciphertext;
+  }
+
+  await webhook.save();
+
+  return res.status(200).send({
+    webhook,
+    message: "successfully created webhook"
+  });
+};
+
+export const updateWebhook = async (req: Request, res: Response) => {
+  const { webhookId } = req.params;
+  const { isDisabled } = req.body;
+  const webhook = await Webhook.findById(webhookId);
+  if (!webhook) {
+    throw BadRequestError({ message: "Webhook not found!!" });
+  }
+
+  // check that user is a member of the workspace
+  await validateMembership({
+    userId: req.user._id.toString(),
+    workspaceId: webhook.workspace,
+    acceptedRoles: [ADMIN, MEMBER]
+  });
+
+  if (typeof isDisabled !== undefined) {
+    webhook.isDisabled = isDisabled;
+  }
+  await webhook.save();
+
+  return res.status(200).send({
+    webhook,
+    message: "successfully updated webhook"
+  });
+};
+
+export const deleteWebhook = async (req: Request, res: Response) => {
+  const { webhookId } = req.params;
+  const webhook = await Webhook.findById(webhookId);
+  if (!webhook) {
+    throw BadRequestError({ message: "Webhook not found!!" });
+  }
+
+  await validateMembership({
+    userId: req.user._id.toString(),
+    workspaceId: webhook.workspace,
+    acceptedRoles: [ADMIN, MEMBER]
+  });
+  await webhook.remove();
+
+  return res.status(200).send({
+    message: "successfully removed webhook"
+  });
+};
+
+export const testWebhook = async (req: Request, res: Response) => {
+  const { webhookId } = req.params;
+  const webhook = await Webhook.findById(webhookId);
+  if (!webhook) {
+    throw BadRequestError({ message: "Webhook not found!!" });
+  }
+
+  await validateMembership({
+    userId: req.user._id.toString(),
+    workspaceId: webhook.workspace,
+    acceptedRoles: [ADMIN, MEMBER]
+  });
+
+  try {
+    await triggerWebhookRequest(
+      webhook,
+      getWebhookPayload(
+        "test",
+        webhook.workspace.toString(),
+        webhook.environment,
+        webhook.secretPath
+      )
+    );
+    await Webhook.findByIdAndUpdate(webhookId, {
+      lastStatus: "success",
+      lastRunErrorMessage: null
+    });
+  } catch (err) {
+    await Webhook.findByIdAndUpdate(webhookId, {
+      lastStatus: "failed",
+      lastRunErrorMessage: (err as Error).message
+    });
+    return res.status(400).send({
+      message: "Failed to receive response",
+      error: (err as Error).message
+    });
+  }
+
+  return res.status(200).send({
+    message: "Successfully received response"
+  });
+};
+
+export const listWebhooks = async (req: Request, res: Response) => {
+  const { environment, workspaceId, secretPath } = req.query;
+
+  const optionalFilters: Record<string, string> = {};
+  if (environment) optionalFilters.environment = environment as string;
+  if (secretPath) optionalFilters.secretPath = secretPath as string;
+
+  const webhooks = await Webhook.find({
+    workspace: new Types.ObjectId(workspaceId as string),
+    ...optionalFilters
+  });
+
+  return res.status(200).send({
+    webhooks
+  });
+};

backend/src/controllers/v1/workspaceController.ts

@@ -1,19 +1,18 @@
 import { Request, Response } from "express";
-import * as Sentry from "@sentry/node";
 import {
-  Workspace,
-  Membership,
-  MembershipOrg,
+  IUser,
   Integration,
   IntegrationAuth,
-  IUser,
+  Membership,
+  MembershipOrg,
   ServiceToken,
-  ServiceTokenData,
+  Workspace,
 } from "../../models";
 import {
   createWorkspace as create,
   deleteWorkspace as deleteWork,
 } from "../../helpers/workspace";
+import { EELicenseService } from "../../ee/services";
 import { addMemberships } from "../../helpers/membership";
 import { ADMIN } from "../../variables";
 
@@ -24,11 +23,9 @@ import { ADMIN } from "../../variables";
  * @returns
  */
 export const getWorkspacePublicKeys = async (req: Request, res: Response) => {
-  let publicKeys;
-  try {
   const { workspaceId } = req.params;
 
-    publicKeys = (
+  const publicKeys = (
     await Membership.find({
       workspace: workspaceId,
     }).populate<{ user: IUser }>("user", "publicKey")
@@ -38,13 +35,6 @@ export const getWorkspacePublicKeys = async (req: Request, res: Response) => {
       userId: member.user._id,
     };
   });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace member public keys",
-    });
-  }
 
   return res.status(200).send({
     publicKeys,
@@ -58,20 +48,11 @@ export const getWorkspacePublicKeys = async (req: Request, res: Response) => {
  * @returns
  */
 export const getWorkspaceMemberships = async (req: Request, res: Response) => {
-  let users;
-  try {
   const { workspaceId } = req.params;
 
-    users = await Membership.find({
+  const users = await Membership.find({
     workspace: workspaceId,
   }).populate("user", "+publicKey");
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace members",
-    });
-  }
 
   return res.status(200).send({
     users,
@@ -85,20 +66,11 @@ export const getWorkspaceMemberships = async (req: Request, res: Response) => {
  * @returns
  */
 export const getWorkspaces = async (req: Request, res: Response) => {
-  let workspaces;
-  try {
-    workspaces = (
+  const workspaces = (
     await Membership.find({
       user: req.user._id,
     }).populate("workspace")
   ).map((m) => m.workspace);
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspaces",
-    });
-  }
 
   return res.status(200).send({
     workspaces,
@@ -112,20 +84,11 @@ export const getWorkspaces = async (req: Request, res: Response) => {
  * @returns
  */
 export const getWorkspace = async (req: Request, res: Response) => {
-  let workspace;
-  try {
   const { workspaceId } = req.params;
 
-    workspace = await Workspace.findOne({
+  const workspace = await Workspace.findOne({
     _id: workspaceId,
   });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace",
-    });
-  }
 
   return res.status(200).send({
     workspace,
@@ -140,8 +103,6 @@ export const getWorkspace = async (req: Request, res: Response) => {
  * @returns
  */
 export const createWorkspace = async (req: Request, res: Response) => {
-  let workspace;
-  try {
   const { workspaceName, organizationId } = req.body;
 
   // validate organization membership
@@ -154,12 +115,24 @@ export const createWorkspace = async (req: Request, res: Response) => {
     throw new Error("Failed to validate organization membership");
   }
 
+  const plan = await EELicenseService.getPlan(organizationId);
+  
+  if (plan.workspaceLimit !== null) {
+    // case: limit imposed on number of workspaces allowed
+    if (plan.workspacesUsed >= plan.workspaceLimit) {
+      // case: number of workspaces used exceeds the number of workspaces allowed
+      return res.status(400).send({
+        message: "Failed to create workspace due to plan limit reached. Upgrade plan to add more workspaces.",
+      });
+    }
+  }
+
   if (workspaceName.length < 1) {
     throw new Error("Workspace names must be at least 1-character long");
   }
 
   // create workspace and add user as member
-    workspace = await create({
+  const workspace = await create({
     name: workspaceName,
     organizationId,
   });
@@ -169,13 +142,6 @@ export const createWorkspace = async (req: Request, res: Response) => {
     workspaceId: workspace._id.toString(),
     roles: [ADMIN],
   });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to create workspace",
-    });
-  }
 
   return res.status(200).send({
     workspace,
@@ -189,20 +155,12 @@ export const createWorkspace = async (req: Request, res: Response) => {
  * @returns
  */
 export const deleteWorkspace = async (req: Request, res: Response) => {
-  try {
   const { workspaceId } = req.params;
 
   // delete workspace
   await deleteWork({
     id: workspaceId,
   });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to delete workspace",
-    });
-  }
 
   return res.status(200).send({
     message: "Successfully deleted workspace",
@@ -216,12 +174,10 @@ export const deleteWorkspace = async (req: Request, res: Response) => {
  * @returns
  */
 export const changeWorkspaceName = async (req: Request, res: Response) => {
-  let workspace;
-  try {
   const { workspaceId } = req.params;
   const { name } = req.body;
 
-    workspace = await Workspace.findOneAndUpdate(
+  const workspace = await Workspace.findOneAndUpdate(
     {
       _id: workspaceId,
     },
@@ -232,13 +188,6 @@ export const changeWorkspaceName = async (req: Request, res: Response) => {
       new: true,
     }
   );
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to change workspace name",
-    });
-  }
 
   return res.status(200).send({
     message: "Successfully changed workspace name",
@@ -253,20 +202,11 @@ export const changeWorkspaceName = async (req: Request, res: Response) => {
  * @returns
  */
 export const getWorkspaceIntegrations = async (req: Request, res: Response) => {
-  let integrations;
-  try {
   const { workspaceId } = req.params;
 
-    integrations = await Integration.find({
+  const integrations = await Integration.find({
     workspace: workspaceId,
   });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace integrations",
-    });
-  }
 
   return res.status(200).send({
     integrations,
@@ -283,20 +223,11 @@ export const getWorkspaceIntegrationAuthorizations = async (
   req: Request,
   res: Response
 ) => {
-  let authorizations;
-  try {
   const { workspaceId } = req.params;
 
-    authorizations = await IntegrationAuth.find({
+  const authorizations = await IntegrationAuth.find({
     workspace: workspaceId,
   });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace integration authorizations",
-    });
-  }
 
   return res.status(200).send({
     authorizations,
@@ -313,21 +244,12 @@ export const getWorkspaceServiceTokens = async (
   req: Request,
   res: Response
 ) => {
-  let serviceTokens;
-  try {
   const { workspaceId } = req.params;
   // ?? FIX.
-    serviceTokens = await ServiceToken.find({
+  const serviceTokens = await ServiceToken.find({
     user: req.user._id,
     workspace: workspaceId,
   });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace service tokens",
-    });
-  }
 
   return res.status(200).send({
     serviceTokens,

backend/src/controllers/v2/apiKeyDataController.ts

@@ -1,104 +0,0 @@
-import * as Sentry from '@sentry/node';
-import { Request, Response } from 'express';
-import crypto from 'crypto';
-import bcrypt from 'bcrypt';
-import {
-    APIKeyData
-} from '../../models';
-import { getSaltRounds } from '../../config';
-
-/**
- * Return API key data for user with id [req.user_id]
- * @param req
- * @param res 
- * @returns 
- */
-export const getAPIKeyData = async (req: Request, res: Response) => {
-    let apiKeyData;
-    try {
-        apiKeyData = await APIKeyData.find({
-            user: req.user._id
-        });
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-        Sentry.captureException(err);
-        return res.status(400).send({
-            message: 'Failed to get API key data'
-        });
-    }
-    
-    return res.status(200).send({
-        apiKeyData
-    });
-}
-
-/**
- * Create new API key data for user with id [req.user._id]
- * @param req 
- * @param res 
- */
-export const createAPIKeyData = async (req: Request, res: Response) => {
-    let apiKey, apiKeyData;
-    try {
-        const { name, expiresIn } = req.body;
-        
-        const secret = crypto.randomBytes(16).toString('hex');
-        const secretHash = await bcrypt.hash(secret, getSaltRounds());
-        
-		const expiresAt = new Date();
-		expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
-        
-        apiKeyData = await new APIKeyData({
-            name,
-            lastUsed: new Date(),
-            expiresAt,
-            user: req.user._id,
-            secretHash
-        }).save();
-        
-        // return api key data without sensitive data
-        apiKeyData = await APIKeyData.findById(apiKeyData._id);
-        
-        if (!apiKeyData) throw new Error('Failed to find API key data');
-        
-        apiKey = `ak.${apiKeyData._id.toString()}.${secret}`;
-            
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-        Sentry.captureException(err);
-        return res.status(400).send({
-            message: 'Failed to API key data'
-        });
-    }
-    
-    return res.status(200).send({
-        apiKey,
-        apiKeyData
-    });
-}
-
-/**
- * Delete API key data with id [apiKeyDataId].
- * @param req 
- * @param res 
- * @returns 
- */
-export const deleteAPIKeyData = async (req: Request, res: Response) => {
-    let apiKeyData;
-    try {
-        const { apiKeyDataId } = req.params;
-
-        apiKeyData = await APIKeyData.findByIdAndDelete(apiKeyDataId);
-        
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-        Sentry.captureException(err);
-        return res.status(400).send({
-            message: 'Failed to delete API key data'
-        });
-    }
-    
-    return res.status(200).send({
-        apiKeyData
-    });
-}

backend/src/controllers/v2/authController.ts

@@ -1,28 +1,27 @@
 /* eslint-disable @typescript-eslint/no-var-requires */
-import { Request, Response } from 'express';
-import jwt from 'jsonwebtoken';
-import * as Sentry from '@sentry/node';
-import * as bigintConversion from 'bigint-conversion';
-const jsrp = require('jsrp');
-import { User, LoginSRPDetail } from '../../models';
-import { issueAuthTokens, createToken } from '../../helpers/auth';
-import { checkUserDevice } from '../../helpers/user';
-import { sendMail } from '../../helpers/nodemailer';
-import { TokenService } from '../../services';
-import { EELogService } from '../../ee/services';
-import { BadRequestError, InternalServerError } from '../../utils/errors';
+import { Request, Response } from "express";
+import jwt from "jsonwebtoken";
+import * as bigintConversion from "bigint-conversion";
+const jsrp = require("jsrp");
+import { LoginSRPDetail, User } from "../../models";
+import { createToken, issueAuthTokens } from "../../helpers/auth";
+import { checkUserDevice } from "../../helpers/user";
+import { sendMail } from "../../helpers/nodemailer";
+import { TokenService } from "../../services";
+import { EELogService } from "../../ee/services";
+import { BadRequestError, InternalServerError } from "../../utils/errors";
 import {
+  ACTION_LOGIN,
   TOKEN_EMAIL_MFA,
-  ACTION_LOGIN
-} from '../../variables';
-import { getChannelFromUserAgent } from '../../utils/posthog'; // TODO: move this
+} from "../../variables";
+import { getChannelFromUserAgent } from "../../utils/posthog"; // TODO: move this
 import {
+  getHttpsEnabled,
   getJwtMfaLifetime,
   getJwtMfaSecret,
-  getHttpsEnabled
-} from '../../config';
+} from "../../config";
 
-declare module 'jsonwebtoken' {
+declare module "jsonwebtoken" {
   export interface UserIDJwtPayload extends jwt.JwtPayload {
     userId: string;
   }
@@ -35,23 +34,22 @@ declare module 'jsonwebtoken' {
  * @returns
  */
 export const login1 = async (req: Request, res: Response) => {
-  try {
   const {
     email,
-      clientPublicKey
+    clientPublicKey,
   }: { email: string; clientPublicKey: string } = req.body;
 
   const user = await User.findOne({
-      email
-    }).select('+salt +verifier');
+    email,
+  }).select("+salt +verifier");
 
-    if (!user) throw new Error('Failed to find user');
+  if (!user) throw new Error("Failed to find user");
 
   const server = new jsrp.server();
   server.init(
     {
       salt: user.salt,
-        verifier: user.verifier
+      verifier: user.verifier,
     },
     async () => {
       // generate server-side public key
@@ -65,17 +63,11 @@ export const login1 = async (req: Request, res: Response) => {
 
       return res.status(200).send({
         serverPublicKey,
-          salt: user.salt
+        salt: user.salt,
       });
     }
   );
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to start authentication process'
-    });
-  }
+  
 };
 
 /**
@@ -86,16 +78,14 @@ export const login1 = async (req: Request, res: Response) => {
  * @returns
  */
 export const login2 = async (req: Request, res: Response) => {
-  try {
-
-    if (!req.headers['user-agent']) throw InternalServerError({ message: 'User-Agent header is required' });
+  if (!req.headers["user-agent"]) throw InternalServerError({ message: "User-Agent header is required" });
 
   const { email, clientProof } = req.body;
   const user = await User.findOne({
-      email
-    }).select('+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag');
+    email,
+  }).select("+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag +devices");
 
-    if (!user) throw new Error('Failed to find user');
+  if (!user) throw new Error("Failed to find user");
 
   const loginSRPDetail = await LoginSRPDetail.findOneAndDelete({ email: email })
 
@@ -108,65 +98,68 @@ export const login2 = async (req: Request, res: Response) => {
     {
       salt: user.salt,
       verifier: user.verifier,
-        b: loginSRPDetail.serverBInt
+      b: loginSRPDetail.serverBInt,
     },
     async () => {
       server.setClientPublicKey(loginSRPDetail.clientPublicKey);
 
       // compare server and client shared keys
       if (server.checkClientProof(clientProof)) {
-
         if (user.isMfaEnabled) {
           // case: user has MFA enabled
 
           // generate temporary MFA token
           const token = createToken({
             payload: {
-                userId: user._id.toString()
+              userId: user._id.toString(),
             },
-              expiresIn: getJwtMfaLifetime(),
-              secret: getJwtMfaSecret()
+            expiresIn: await getJwtMfaLifetime(),
+            secret: await getJwtMfaSecret(),
           });
 
           const code = await TokenService.createToken({
             type: TOKEN_EMAIL_MFA,
-              email
+            email,
           });
 
           // send MFA code [code] to [email]
           await sendMail({
-              template: 'emailMfa.handlebars',
-              subjectLine: 'Infisical MFA code',
+            template: "emailMfa.handlebars",
+            subjectLine: "Infisical MFA code",
             recipients: [email],
             substitutions: {
-                code
-              }
+              code,
+            },
           });
 
           return res.status(200).send({
             mfaEnabled: true,
-              token
+            token,
           });
         }
 
         await checkUserDevice({
           user,
-            ip: req.ip,
-            userAgent: req.headers['user-agent'] ?? ''
+          ip: req.realIP,
+          userAgent: req.headers["user-agent"] ?? "",
         });
 
         // issue tokens
-          const tokens = await issueAuthTokens({ userId: user._id.toString() });
-
-          // store (refresh) token in httpOnly cookie
-          res.cookie('jid', tokens.refreshToken, {
-            httpOnly: true,
-            path: '/',
-            sameSite: 'strict',
-            secure: getHttpsEnabled()
+        const tokens = await issueAuthTokens({ 
+          userId: user._id,
+          ip: req.realIP,
+          userAgent: req.headers["user-agent"] ?? "",
         });
 
-          // case: user does not have MFA enablgged
+        // store (refresh) token in httpOnly cookie
+        res.cookie("jid", tokens.refreshToken, {
+          httpOnly: true,
+          path: "/",
+          sameSite: "strict",
+          secure: await getHttpsEnabled(),
+        });
+
+        // case: user does not have MFA enabled
         // return (access) token in response
 
         interface ResponseData {
@@ -189,7 +182,7 @@ export const login2 = async (req: Request, res: Response) => {
           publicKey: user.publicKey,
           encryptedPrivateKey: user.encryptedPrivateKey,
           iv: user.iv,
-            tag: user.tag
+          tag: user.tag,
         }
 
         if (
@@ -204,31 +197,24 @@ export const login2 = async (req: Request, res: Response) => {
 
         const loginAction = await EELogService.createAction({
           name: ACTION_LOGIN,
-            userId: user._id
+          userId: user._id,
         });
 
         loginAction && await EELogService.createLog({
           userId: user._id,
           actions: [loginAction],
-            channel: getChannelFromUserAgent(req.headers['user-agent']),
-            ipAddress: req.ip
+          channel: getChannelFromUserAgent(req.headers["user-agent"]),
+          ipAddress: req.ip,
         });
 
         return res.status(200).send(response);
       }
 
       return res.status(400).send({
-          message: 'Failed to authenticate. Try again?'
+        message: "Failed to authenticate. Try again?",
       });
     }
   );
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to authenticate. Try again?'
-    });
-  }
 };
 
 /**
@@ -237,33 +223,25 @@ export const login2 = async (req: Request, res: Response) => {
  * @param res 
  */
 export const sendMfaToken = async (req: Request, res: Response) => {
-  try {
   const { email } = req.body;
 
   const code = await TokenService.createToken({
     type: TOKEN_EMAIL_MFA,
-      email
+    email,
   });
 
   // send MFA code [code] to [email]
   await sendMail({
-      template: 'emailMfa.handlebars',
-      subjectLine: 'Infisical MFA code',
+    template: "emailMfa.handlebars",
+    subjectLine: "Infisical MFA code",
     recipients: [email],
     substitutions: {
-        code
-      }
+      code,
+    },
   });
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to send MFA code'
-    });
-  }
 
   return res.status(200).send({
-    message: 'Successfully sent new MFA code'
+    message: "Successfully sent new MFA code",
   });
 }
 
@@ -279,30 +257,36 @@ export const verifyMfaToken = async (req: Request, res: Response) => {
   await TokenService.validateToken({
     type: TOKEN_EMAIL_MFA,
     email,
-    token: mfaToken
+    token: mfaToken,
   });
 
   const user = await User.findOne({
-    email
-  }).select('+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag');
+    email,
+  }).select("+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag +devices");
 
-  if (!user) throw new Error('Failed to find user');
+  if (!user) throw new Error("Failed to find user");
+
+  await LoginSRPDetail.deleteOne({ userId: user.id })
 
   await checkUserDevice({
     user,
-    ip: req.ip,
-    userAgent: req.headers['user-agent'] ?? ''
+    ip: req.realIP,
+    userAgent: req.headers["user-agent"] ?? "",
   });
 
   // issue tokens
-  const tokens = await issueAuthTokens({ userId: user._id.toString() });
+  const tokens = await issueAuthTokens({ 
+    userId: user._id,
+    ip: req.realIP,
+    userAgent: req.headers["user-agent"] ?? "",
+  });
 
   // store (refresh) token in httpOnly cookie
-  res.cookie('jid', tokens.refreshToken, {
+  res.cookie("jid", tokens.refreshToken, {
     httpOnly: true,
-    path: '/',
-    sameSite: 'strict',
-    secure: getHttpsEnabled()
+    path: "/",
+    sameSite: "strict",
+    secure: await getHttpsEnabled(),
   });
 
   interface VerifyMfaTokenRes {
@@ -335,7 +319,7 @@ export const verifyMfaToken = async (req: Request, res: Response) => {
     publicKey: user.publicKey as string,
     encryptedPrivateKey: user.encryptedPrivateKey as string,
     iv: user.iv as string,
-    tag: user.tag as string
+    tag: user.tag as string,
   }
 
   if (user?.protectedKey && user?.protectedKeyIV && user?.protectedKeyTag) {
@@ -346,14 +330,14 @@ export const verifyMfaToken = async (req: Request, res: Response) => {
 
   const loginAction = await EELogService.createAction({
     name: ACTION_LOGIN,
-    userId: user._id
+    userId: user._id,
   });
 
   loginAction && await EELogService.createLog({
     userId: user._id,
     actions: [loginAction],
-    channel: getChannelFromUserAgent(req.headers['user-agent']),
-    ipAddress: req.ip
+    channel: getChannelFromUserAgent(req.headers["user-agent"]),
+    ipAddress: req.realIP,
   });
 
   return res.status(200).send(resObj);

backend/src/controllers/v2/environmentController.ts

@@ -1,17 +1,17 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
+import { Request, Response } from "express";
 import {
+  Integration,
+  Membership,
   Secret,
   ServiceToken,
-  Workspace,
-  Integration,
   ServiceTokenData,
-  Membership,
-} from '../../models';
-import { SecretVersion } from '../../ee/models';
-import { BadRequestError } from '../../utils/errors';
-import _ from 'lodash';
-import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from '../../variables';
+  Workspace,
+} from "../../models";
+import { SecretVersion } from "../../ee/models";
+import { EELicenseService } from "../../ee/services";
+import { BadRequestError, WorkspaceNotFoundError } from "../../utils/errors";
+import _ from "lodash";
+import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from "../../variables";
 
 /**
  * Create new workspace environment named [environmentName] under workspace with id
@@ -23,17 +23,33 @@ export const createWorkspaceEnvironment = async (
   req: Request,
   res: Response
 ) => {
+
   const { workspaceId } = req.params;
   const { environmentName, environmentSlug } = req.body;
-  try {
   const workspace = await Workspace.findById(workspaceId).exec();
+
+  if (!workspace) throw WorkspaceNotFoundError();
+
+  const plan = await EELicenseService.getPlan(workspace.organization.toString());
+
+  if (plan.environmentLimit !== null) {
+    // case: limit imposed on number of environments allowed
+    if (workspace.environments.length >= plan.environmentLimit) {
+      // case: number of environments used exceeds the number of environments allowed
+
+      return res.status(400).send({
+        message: "Failed to create environment due to environment limit reached. Upgrade plan to create more environments.",
+      });
+    }
+  }
+
   if (
     !workspace ||
     workspace?.environments.find(
       ({ name, slug }) => slug === environmentSlug || environmentName === name
     )
   ) {
-      throw new Error('Failed to create workspace environment');
+    throw new Error("Failed to create workspace environment");
   }
 
   workspace?.environments.push({
@@ -41,16 +57,11 @@ export const createWorkspaceEnvironment = async (
     slug: environmentSlug.toLowerCase(),
   });
   await workspace.save();
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to create new workspace environment',
-    });
-  }
+
+  await EELicenseService.refreshPlan(workspace.organization.toString(), workspaceId);
 
   return res.status(200).send({
-    message: 'Successfully created new environment',
+    message: "Successfully created new environment",
     workspace: workspaceId,
     environment: {
       name: environmentName,
@@ -72,16 +83,15 @@ export const renameWorkspaceEnvironment = async (
 ) => {
   const { workspaceId } = req.params;
   const { environmentName, environmentSlug, oldEnvironmentSlug } = req.body;
-  try {
   // user should pass both new slug and env name
   if (!environmentSlug || !environmentName) {
-      throw new Error('Invalid environment given.');
+    throw new Error("Invalid environment given.");
   }
 
   // atomic update the env to avoid conflict
   const workspace = await Workspace.findById(workspaceId).exec();
   if (!workspace) {
-      throw new Error('Failed to create workspace environment');
+    throw new Error("Failed to create workspace environment");
   }
 
   const isEnvExist = workspace.environments.some(
@@ -90,14 +100,14 @@ export const renameWorkspaceEnvironment = async (
       (name === environmentName || slug === environmentSlug)
   );
   if (isEnvExist) {
-      throw new Error('Invalid environment given');
+    throw new Error("Invalid environment given");
   }
 
   const envIndex = workspace?.environments.findIndex(
     ({ slug }) => slug === oldEnvironmentSlug
   );
   if (envIndex === -1) {
-      throw new Error('Invalid environment given');
+    throw new Error("Invalid environment given");
   }
 
   workspace.environments[envIndex].name = environmentName;
@@ -127,22 +137,15 @@ export const renameWorkspaceEnvironment = async (
   await Membership.updateMany(
     {
       workspace: workspaceId,
-        "deniedPermissions.environmentSlug": oldEnvironmentSlug
+      "deniedPermissions.environmentSlug": oldEnvironmentSlug,
     },
     { $set: { "deniedPermissions.$[element].environmentSlug": environmentSlug } },
     { arrayFilters: [{ "element.environmentSlug": oldEnvironmentSlug }] }
   )
 
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to update workspace environment',
-    });
-  }
 
   return res.status(200).send({
-    message: 'Successfully update environment',
+    message: "Successfully update environment",
     workspace: workspaceId,
     environment: {
       name: environmentName,
@@ -163,18 +166,17 @@ export const deleteWorkspaceEnvironment = async (
 ) => {
   const { workspaceId } = req.params;
   const { environmentSlug } = req.body;
-  try {
   // atomic update the env to avoid conflict
   const workspace = await Workspace.findById(workspaceId).exec();
   if (!workspace) {
-      throw new Error('Failed to create workspace environment');
+    throw new Error("Failed to create workspace environment");
   }
 
   const envIndex = workspace?.environments.findIndex(
     ({ slug }) => slug === environmentSlug
   );
   if (envIndex === -1) {
-      throw new Error('Invalid environment given');
+    throw new Error("Invalid environment given");
   }
 
   workspace.environments.splice(envIndex, 1);
@@ -189,14 +191,21 @@ export const deleteWorkspaceEnvironment = async (
     workspace: workspaceId,
     environment: environmentSlug,
   });
-    await ServiceToken.deleteMany({
-      workspace: workspaceId,
-      environment: environmentSlug,
-    });
-    await ServiceTokenData.deleteMany({
-      workspace: workspaceId,
-      environment: environmentSlug,
-    });
+
+  // await ServiceToken.deleteMany({
+  //   workspace: workspaceId,
+  //   environment: environmentSlug,
+  // });
+
+  const result = await ServiceTokenData.updateMany(
+    { workspace: workspaceId },
+    { $pull: { scopes: { environment: environmentSlug } } }
+  );
+
+  if (result.modifiedCount > 0) {
+    await ServiceTokenData.deleteMany({ workspace: workspaceId, scopes: { $size: 0 } });
+  }
+
   await Integration.deleteMany({
     workspace: workspaceId,
     environment: environmentSlug,
@@ -204,18 +213,12 @@ export const deleteWorkspaceEnvironment = async (
   await Membership.updateMany(
     { workspace: workspaceId },
     { $pull: { deniedPermissions: { environmentSlug: environmentSlug } } }
-    )
+  );
 
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to delete workspace environment',
-    });
-  }
+  await EELicenseService.refreshPlan(workspace.organization.toString(), workspaceId);
 
   return res.status(200).send({
-    message: 'Successfully deleted environment',
+    message: "Successfully deleted environment",
     workspace: workspaceId,
     environment: environmentSlug,
   });
@@ -229,7 +232,7 @@ export const getAllAccessibleEnvironmentsOfWorkspace = async (
   const { workspaceId } = req.params;
   const workspacesUserIsMemberOf = await Membership.findOne({
     workspace: workspaceId,
-    user: req.user
+    user: req.user,
   })
 
   if (!workspacesUserIsMemberOf) {
@@ -253,7 +256,7 @@ export const getAllAccessibleEnvironmentsOfWorkspace = async (
         name: environment.name,
         slug: environment.slug,
         isWriteDenied: isWriteBlocked,
-        isReadDenied: isReadBlocked
+        isReadDenied: isReadBlocked,
       })
     }
   })

backend/src/controllers/v2/index.ts

@@ -1,15 +1,14 @@
-import * as authController from './authController';
-import * as signupController from './signupController';
-import * as usersController from './usersController';
-import * as organizationsController from './organizationsController';
-import * as workspaceController from './workspaceController';
-import * as serviceTokenDataController from './serviceTokenDataController';
-import * as apiKeyDataController from './apiKeyDataController';
-import * as secretController from './secretController';
-import * as secretsController from './secretsController';
-import * as serviceAccountsController from './serviceAccountsController';
-import * as environmentController from './environmentController';
-import * as tagController from './tagController';
+import * as authController from "./authController";
+import * as signupController from "./signupController";
+import * as usersController from "./usersController";
+import * as organizationsController from "./organizationsController";
+import * as workspaceController from "./workspaceController";
+import * as serviceTokenDataController from "./serviceTokenDataController";
+import * as secretController from "./secretController";
+import * as secretsController from "./secretsController";
+import * as serviceAccountsController from "./serviceAccountsController";
+import * as environmentController from "./environmentController";
+import * as tagController from "./tagController";
 
 export {
     authController,
@@ -18,10 +17,9 @@ export {
     organizationsController,
     workspaceController,
     serviceTokenDataController,
-    apiKeyDataController,
     secretController,
     secretsController,
     serviceAccountsController,
     environmentController,
-    tagController
+    tagController,
 }

backend/src/controllers/v2/organizationsController.ts

@@ -1,14 +1,13 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
+import { Request, Response } from "express";
+import { Types } from "mongoose";
 import { 
-    MembershipOrg,
     Membership,
+    MembershipOrg,
+    ServiceAccount,
     Workspace,
-    ServiceAccount
-} from '../../models';
-import { deleteMembershipOrg } from '../../helpers/membershipOrg';
-import { updateSubscriptionOrgQuantity } from '../../helpers/organization';
+} from "../../models";
+import { deleteMembershipOrg } from "../../helpers/membershipOrg";
+import { updateSubscriptionOrgQuantity } from "../../helpers/organization";
 
 /**
  * Return memberships for organization with id [organizationId]
@@ -49,23 +48,14 @@ export const getOrganizationMemberships = async (req: Request, res: Response) =>
         }
     }   
     */
-    let memberships;
-    try {
     const { organizationId } = req.params;
 
-		memberships = await MembershipOrg.find({
-			organization: organizationId
-		}).populate('user', '+publicKey');
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get organization memberships'
-		});
-    }
+		const memberships = await MembershipOrg.find({
+			organization: organizationId,
+		}).populate("user", "+publicKey");
     
     return res.status(200).send({
-        memberships
+        memberships,
     });
 }
 
@@ -128,29 +118,20 @@ export const updateOrganizationMembership = async (req: Request, res: Response)
         }
     }   
     */
-    let membership;
-    try {
     const { membershipId } = req.params;
     const { role } = req.body;
     
-        membership = await MembershipOrg.findByIdAndUpdate(
+    const membership = await MembershipOrg.findByIdAndUpdate(
         membershipId,
         {
-                role
+            role,
         }, {
-                new: true
+            new: true,
         }
     );
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to update organization membership'
-		});
-    }
     
     return res.status(200).send({
-        membership
+        membership,
     });
 }
 
@@ -197,28 +178,19 @@ export const deleteOrganizationMembership = async (req: Request, res: Response)
         }
     }   
     */
-    let membership;
-    try {
     const { membershipId } = req.params;
     
     // delete organization membership
-        membership = await deleteMembershipOrg({
-            membershipOrgId: membershipId
+    const membership = await deleteMembershipOrg({
+        membershipOrgId: membershipId,
     });
 
     await updateSubscriptionOrgQuantity({
-			organizationId: membership.organization.toString()
+			organizationId: membership.organization.toString(),
 		});
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to delete organization membership'
-		});	
-    }
 
     return res.status(200).send({
-        membership
+        membership,
     });
 }
 
@@ -268,23 +240,23 @@ export const getOrganizationWorkspaces = async (req: Request, res: Response) =>
         (
             await Workspace.find(
                 {
-                    organization: organizationId
+                    organization: organizationId,
                 },
-                '_id'
+                "_id"
             )
         ).map((w) => w._id.toString())
     );
 
     const workspaces = (
         await Membership.find({
-            user: req.user._id
-        }).populate('workspace')
+            user: req.user._id,
+        }).populate("workspace")
     )
     .filter((m) => workspacesSet.has(m.workspace._id.toString()))
     .map((m) => m.workspace);
 
 return res.status(200).send({
-        workspaces
+        workspaces,
     });
 }
 
@@ -297,10 +269,10 @@ export const getOrganizationServiceAccounts = async (req: Request, res: Response
     const { organizationId } = req.params;
     
     const serviceAccounts = await ServiceAccount.find({
-        organization: new Types.ObjectId(organizationId)
+        organization: new Types.ObjectId(organizationId),
     });
     
     return res.status(200).send({
-        serviceAccounts
+        serviceAccounts,
     });
 }

backend/src/controllers/v2/secretController.ts

@@ -1,13 +1,27 @@
-import to from "await-to-js";
 import { Request, Response } from "express";
 import mongoose, { Types } from "mongoose";
 import Secret, { ISecret } from "../../models/secret";
-import { CreateSecretRequestBody, ModifySecretRequestBody, SanitizedSecretForCreate, SanitizedSecretModify } from "../../types/secret";
+import {
+  CreateSecretRequestBody,
+  ModifySecretRequestBody,
+  SanitizedSecretForCreate,
+  SanitizedSecretModify
+} from "../../types/secret";
 const { ValidationError } = mongoose.Error;
-import { BadRequestError, InternalServerError, UnauthorizedRequestError, ValidationError as RouteValidationError } from '../../utils/errors';
-import { AnyBulkWriteOperation } from 'mongodb';
-import { SECRET_PERSONAL, SECRET_SHARED } from "../../variables";
-import { TelemetryService } from '../../services';
+import {
+  ValidationError as RouteValidationError,
+  UnauthorizedRequestError
+} from "../../utils/errors";
+import { AnyBulkWriteOperation } from "mongodb";
+import {
+  ALGORITHM_AES_256_GCM,
+  ENCODING_SCHEME_UTF8,
+  SECRET_PERSONAL,
+  SECRET_SHARED
+} from "../../variables";
+import { TelemetryService } from "../../services";
+import { User } from "../../models";
+import { AccountNotFoundError } from "../../utils/errors";
 
 /**
  * Create secret for workspace with id [workspaceId] and environment [environment]
@@ -15,9 +29,9 @@ import { TelemetryService } from '../../services';
  * @param res
  */
 export const createSecret = async (req: Request, res: Response) => {
-  const postHogClient = TelemetryService.getPostHogClient();
+  const postHogClient = await TelemetryService.getPostHogClient();
   const secretToCreate: CreateSecretRequestBody = req.body.secret;
-  const { workspaceId, environment } = req.params
+  const { workspaceId, environment } = req.params;
   const sanitizedSecret: SanitizedSecretForCreate = {
     secretKeyCiphertext: secretToCreate.secretKeyCiphertext,
     secretKeyIV: secretToCreate.secretKeyIV,
@@ -34,46 +48,44 @@ export const createSecret = async (req: Request, res: Response) => {
     workspace: new Types.ObjectId(workspaceId),
     environment,
     type: secretToCreate.type,
-    user: new Types.ObjectId(req.user._id)
-  }
+    user: new Types.ObjectId(req.user._id),
+    algorithm: ALGORITHM_AES_256_GCM,
+    keyEncoding: ENCODING_SCHEME_UTF8
+  };
 
-
-  const [error, secret] = await to(Secret.create(sanitizedSecret).then())
-  if (error instanceof ValidationError) {
-    throw RouteValidationError({ message: error.message, stack: error.stack })
-  }
+  const secret = await new Secret(sanitizedSecret).save();
 
   if (postHogClient) {
     postHogClient.capture({
-      event: 'secrets added',
+      event: "secrets added",
       distinctId: req.user.email,
       properties: {
         numberOfSecrets: 1,
         workspaceId,
         environment,
-        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
-        userAgent: req.headers?.['user-agent']
+        channel: req.headers?.["user-agent"]?.toLowerCase().includes("mozilla") ? "web" : "cli",
+        userAgent: req.headers?.["user-agent"]
       }
     });
   }
 
   res.status(200).send({
     secret
-  })
-}
+  });
+};
 
 /**
- * Create many secrets for workspace wiht id [workspaceId] and environment [environment]
+ * Create many secrets for workspace with id [workspaceId] and environment [environment]
  * @param req
  * @param res
  */
 export const createSecrets = async (req: Request, res: Response) => {
-  const postHogClient = TelemetryService.getPostHogClient();
+  const postHogClient = await TelemetryService.getPostHogClient();
   const secretsToCreate: CreateSecretRequestBody[] = req.body.secrets;
-  const { workspaceId, environment } = req.params
-  const sanitizedSecretesToCreate: SanitizedSecretForCreate[] = []
+  const { workspaceId, environment } = req.params;
+  const sanitizedSecretesToCreate: SanitizedSecretForCreate[] = [];
 
-  secretsToCreate.forEach(rawSecret => {
+  secretsToCreate.forEach((rawSecret) => {
     const safeUpdateFields: SanitizedSecretForCreate = {
       secretKeyCiphertext: rawSecret.secretKeyCiphertext,
       secretKeyIV: rawSecret.secretKeyIV,
@@ -90,39 +102,34 @@ export const createSecrets = async (req: Request, res: Response) => {
       workspace: new Types.ObjectId(workspaceId),
       environment,
       type: rawSecret.type,
-      user: new Types.ObjectId(req.user._id)
-    }
+      user: new Types.ObjectId(req.user._id),
+      algorithm: ALGORITHM_AES_256_GCM,
+      keyEncoding: ENCODING_SCHEME_UTF8
+    };
 
-    sanitizedSecretesToCreate.push(safeUpdateFields)
-  })
+    sanitizedSecretesToCreate.push(safeUpdateFields);
+  });
 
-  const [bulkCreateError, secrets] = await to(Secret.insertMany(sanitizedSecretesToCreate).then())
-  if (bulkCreateError) {
-    if (bulkCreateError instanceof ValidationError) {
-      throw RouteValidationError({ message: bulkCreateError.message, stack: bulkCreateError.stack })
-    }
-
-    throw InternalServerError({ message: "Unable to process your batch create request. Please try again", stack: bulkCreateError.stack })
-  }
+  const secrets = await Secret.insertMany(sanitizedSecretesToCreate);
 
   if (postHogClient) {
     postHogClient.capture({
-      event: 'secrets added',
+      event: "secrets added",
       distinctId: req.user.email,
       properties: {
         numberOfSecrets: (secretsToCreate ?? []).length,
         workspaceId,
         environment,
-        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
-        userAgent: req.headers?.['user-agent']
+        channel: req.headers?.["user-agent"]?.toLowerCase().includes("mozilla") ? "web" : "cli",
+        userAgent: req.headers?.["user-agent"]
       }
     });
   }
 
   res.status(200).send({
     secrets
-  })
-}
+  });
+};
 
 /**
  * Delete secrets in workspace with id [workspaceId] and environment [environment]
@@ -130,53 +137,50 @@ export const createSecrets = async (req: Request, res: Response) => {
  * @param res
  */
 export const deleteSecrets = async (req: Request, res: Response) => {
-  const postHogClient = TelemetryService.getPostHogClient();
-  const { workspaceId, environmentName } = req.params
-  const secretIdsToDelete: string[] = req.body.secretIds
+  const postHogClient = await TelemetryService.getPostHogClient();
+  const { workspaceId, environmentName } = req.params;
+  const secretIdsToDelete: string[] = req.body.secretIds;
 
-  const [secretIdsUserCanDeleteError, secretIdsUserCanDelete] = await to(Secret.find({ workspace: workspaceId, environment: environmentName }, { _id: 1 }).then())
-  if (secretIdsUserCanDeleteError) {
-    throw InternalServerError({ message: `Unable to fetch secrets you own: [error=${secretIdsUserCanDeleteError.message}]` })
-  }
+  const secretIdsUserCanDelete = await Secret.find({ workspace: workspaceId, environment: environmentName }, { _id: 1 });
 
-  const secretsUserCanDeleteSet: Set<string> = new Set(secretIdsUserCanDelete.map(objectId => objectId._id.toString()));
-  const deleteOperationsToPerform: AnyBulkWriteOperation<ISecret>[] = []
+  const secretsUserCanDeleteSet: Set<string> = new Set(
+    secretIdsUserCanDelete.map((objectId) => objectId._id.toString())
+  );
+  const deleteOperationsToPerform: AnyBulkWriteOperation<ISecret>[] = [];
 
   let numSecretsDeleted = 0;
-  secretIdsToDelete.forEach(secretIdToDelete => {
+  secretIdsToDelete.forEach((secretIdToDelete) => {
     if (secretsUserCanDeleteSet.has(secretIdToDelete)) {
-      const deleteOperation = { deleteOne: { filter: { _id: new Types.ObjectId(secretIdToDelete) } } }
-      deleteOperationsToPerform.push(deleteOperation)
+      const deleteOperation = {
+        deleteOne: { filter: { _id: new Types.ObjectId(secretIdToDelete) } }
+      };
+      deleteOperationsToPerform.push(deleteOperation);
       numSecretsDeleted++;
     } else {
-      throw RouteValidationError({ message: "You cannot delete secrets that you do not have access to" })
+      throw RouteValidationError({
+        message: "You cannot delete secrets that you do not have access to"
+      });
     }
-  })
+  });
 
-  const [bulkDeleteError, bulkDelete] = await to(Secret.bulkWrite(deleteOperationsToPerform).then())
-  if (bulkDeleteError) {
-    if (bulkDeleteError instanceof ValidationError) {
-      throw RouteValidationError({ message: "Unable to apply modifications, please try again", stack: bulkDeleteError.stack })
-    }
-    throw InternalServerError()
-  }
+  await Secret.bulkWrite(deleteOperationsToPerform);
 
   if (postHogClient) {
     postHogClient.capture({
-      event: 'secrets deleted',
+      event: "secrets deleted",
       distinctId: req.user.email,
       properties: {
         numberOfSecrets: numSecretsDeleted,
         environment: environmentName,
         workspaceId,
-        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
-        userAgent: req.headers?.['user-agent']
+        channel: req.headers?.["user-agent"]?.toLowerCase().includes("mozilla") ? "web" : "cli",
+        userAgent: req.headers?.["user-agent"]
       }
     });
   }
 
-  res.status(200).send()
-}
+  res.status(200).send();
+};
 
 /**
  * Delete secret with id [secretId]
@@ -184,27 +188,27 @@ export const deleteSecrets = async (req: Request, res: Response) => {
  * @param res
  */
 export const deleteSecret = async (req: Request, res: Response) => {
-  const postHogClient = TelemetryService.getPostHogClient();
-  await Secret.findByIdAndDelete(req._secret._id)
+  const postHogClient = await TelemetryService.getPostHogClient();
+  await Secret.findByIdAndDelete(req._secret._id);
 
   if (postHogClient) {
     postHogClient.capture({
-      event: 'secrets deleted',
+      event: "secrets deleted",
       distinctId: req.user.email,
       properties: {
         numberOfSecrets: 1,
         workspaceId: req._secret.workspace.toString(),
         environment: req._secret.environment,
-        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
-        userAgent: req.headers?.['user-agent']
+        channel: req.headers?.["user-agent"]?.toLowerCase().includes("mozilla") ? "web" : "cli",
+        userAgent: req.headers?.["user-agent"]
       }
     });
   }
 
   res.status(200).send({
     secret: req._secret
-  })
-}
+  });
+};
 
 /**
  * Update secrets for workspace with id [workspaceId] and environment [environment]
@@ -213,18 +217,17 @@ export const deleteSecret = async (req: Request, res: Response) => {
  * @returns
  */
 export const updateSecrets = async (req: Request, res: Response) => {
-  const postHogClient = TelemetryService.getPostHogClient();
-  const { workspaceId, environmentName } = req.params
+  const postHogClient = await TelemetryService.getPostHogClient();
+  const { workspaceId, environmentName } = req.params;
   const secretsModificationsRequested: ModifySecretRequestBody[] = req.body.secrets;
-  const [secretIdsUserCanModifyError, secretIdsUserCanModify] = await to(Secret.find({ workspace: workspaceId, environment: environmentName }, { _id: 1 }).then())
-  if (secretIdsUserCanModifyError) {
-    throw InternalServerError({ message: "Unable to fetch secrets you own" })
-  }
+  const secretIdsUserCanModify = await Secret.find({ workspace: workspaceId, environment: environmentName }, { _id: 1 });
 
-  const secretsUserCanModifySet: Set<string> = new Set(secretIdsUserCanModify.map(objectId => objectId._id.toString()));
-  const updateOperationsToPerform: any = []
+  const secretsUserCanModifySet: Set<string> = new Set(
+    secretIdsUserCanModify.map((objectId) => objectId._id.toString())
+  );
+  const updateOperationsToPerform: any = [];
 
-  secretsModificationsRequested.forEach(userModifiedSecret => {
+  secretsModificationsRequested.forEach((userModifiedSecret) => {
     if (secretsUserCanModifySet.has(userModifiedSecret._id.toString())) {
       const sanitizedSecret: SanitizedSecretModify = {
         secretKeyCiphertext: userModifiedSecret.secretKeyCiphertext,
@@ -238,41 +241,41 @@ export const updateSecrets = async (req: Request, res: Response) => {
         secretCommentCiphertext: userModifiedSecret.secretCommentCiphertext,
         secretCommentIV: userModifiedSecret.secretCommentIV,
         secretCommentTag: userModifiedSecret.secretCommentTag,
-        secretCommentHash: userModifiedSecret.secretCommentHash,
-      }
+        secretCommentHash: userModifiedSecret.secretCommentHash
+      };
 
-      const updateOperation = { updateOne: { filter: { _id: userModifiedSecret._id, workspace: workspaceId }, update: { $inc: { version: 1 }, $set: sanitizedSecret } } }
-      updateOperationsToPerform.push(updateOperation)
+      const updateOperation = {
+        updateOne: {
+          filter: { _id: userModifiedSecret._id, workspace: workspaceId },
+          update: { $inc: { version: 1 }, $set: sanitizedSecret }
+        }
+      };
+      updateOperationsToPerform.push(updateOperation);
     } else {
-      throw UnauthorizedRequestError({ message: "You do not have permission to modify one or more of the requested secrets" })
+      throw UnauthorizedRequestError({
+        message: "You do not have permission to modify one or more of the requested secrets"
+      });
     }
-  })
+  });
 
-  const [bulkModificationInfoError, bulkModificationInfo] = await to(Secret.bulkWrite(updateOperationsToPerform).then())
-  if (bulkModificationInfoError) {
-    if (bulkModificationInfoError instanceof ValidationError) {
-      throw RouteValidationError({ message: "Unable to apply modifications, please try again", stack: bulkModificationInfoError.stack })
-    }
-
-    throw InternalServerError()
-  }
+  await Secret.bulkWrite(updateOperationsToPerform);
 
   if (postHogClient) {
     postHogClient.capture({
-      event: 'secrets modified',
+      event: "secrets modified",
       distinctId: req.user.email,
       properties: {
         numberOfSecrets: (secretsModificationsRequested ?? []).length,
         environment: environmentName,
         workspaceId,
-        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
-        userAgent: req.headers?.['user-agent']
+        channel: req.headers?.["user-agent"]?.toLowerCase().includes("mozilla") ? "web" : "cli",
+        userAgent: req.headers?.["user-agent"]
       }
     });
   }
 
-  return res.status(200).send()
-}
+  return res.status(200).send();
+};
 
 /**
  * Update a secret within workspace with id [workspaceId] and environment [environment]
@@ -281,14 +284,11 @@ export const updateSecrets = async (req: Request, res: Response) => {
  * @returns
  */
 export const updateSecret = async (req: Request, res: Response) => {
-  const postHogClient = TelemetryService.getPostHogClient();
-  const { workspaceId, environmentName } = req.params
+  const postHogClient = await TelemetryService.getPostHogClient();
+  const { workspaceId, environmentName } = req.params;
   const secretModificationsRequested: ModifySecretRequestBody = req.body.secret;
 
-  const [secretIdUserCanModifyError, secretIdUserCanModify] = await to(Secret.findOne({ workspace: workspaceId, environment: environmentName }, { _id: 1 }).then())
-  if (secretIdUserCanModifyError && !secretIdUserCanModify) {
-    throw BadRequestError()
-  }
+  await Secret.findOne({ workspace: workspaceId, environment: environmentName }, { _id: 1 });
 
   const sanitizedSecret: SanitizedSecretModify = {
     secretKeyCiphertext: secretModificationsRequested.secretKeyCiphertext,
@@ -302,30 +302,40 @@ export const updateSecret = async (req: Request, res: Response) => {
     secretCommentCiphertext: secretModificationsRequested.secretCommentCiphertext,
     secretCommentIV: secretModificationsRequested.secretCommentIV,
     secretCommentTag: secretModificationsRequested.secretCommentTag,
-    secretCommentHash: secretModificationsRequested.secretCommentHash,
+    secretCommentHash: secretModificationsRequested.secretCommentHash
+  };
+
+  const singleModificationUpdate = await Secret.updateOne(
+    { _id: secretModificationsRequested._id, workspace: workspaceId },
+    { $inc: { version: 1 }, $set: sanitizedSecret }
+  )
+  .catch((error) => {
+    if (error instanceof ValidationError) {
+      throw RouteValidationError({
+        message: "Unable to apply modifications, please try again",
+        stack: error.stack
+      });
     }
 
-  const [error, singleModificationUpdate] = await to(Secret.updateOne({ _id: secretModificationsRequested._id, workspace: workspaceId }, { $inc: { version: 1 }, $set: sanitizedSecret }).then())
-  if (error instanceof ValidationError) {
-    throw RouteValidationError({ message: "Unable to apply modifications, please try again", stack: error.stack })
-  }
+    throw error;
+  });
 
   if (postHogClient) {
     postHogClient.capture({
-      event: 'secrets modified',
+      event: "secrets modified",
       distinctId: req.user.email,
       properties: {
         numberOfSecrets: 1,
         environment: environmentName,
         workspaceId,
-        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
-        userAgent: req.headers?.['user-agent']
+        channel: req.headers?.["user-agent"]?.toLowerCase().includes("mozilla") ? "web" : "cli",
+        userAgent: req.headers?.["user-agent"]
       }
     });
   }
 
-  return res.status(200).send(singleModificationUpdate)
-}
+  return res.status(200).send(singleModificationUpdate);
+};
 
 /**
  * Return secrets for workspace with id [workspaceId], environment [environment] and user
@@ -335,51 +345,54 @@ export const updateSecret = async (req: Request, res: Response) => {
  * @returns
  */
 export const getSecrets = async (req: Request, res: Response) => {
-  const postHogClient = TelemetryService.getPostHogClient();
+  const postHogClient = await TelemetryService.getPostHogClient();
   const { environment } = req.query;
   const { workspaceId } = req.params;
 
-  let userId: Types.ObjectId | undefined = undefined // used for getting personal secrets for user
-  let userEmail: Types.ObjectId | undefined = undefined // used for posthog 
+  let userId: Types.ObjectId | undefined = undefined; // used for getting personal secrets for user
+  let userEmail: string | undefined = undefined; // used for posthog
   if (req.user) {
     userId = req.user._id;
     userEmail = req.user.email;
   }
 
   if (req.serviceTokenData) {
-    userId = req.serviceTokenData.user._id
-    userEmail = req.serviceTokenData.user.email;
+    userId = req.serviceTokenData.user;
+
+    const user = await User.findById(req.serviceTokenData.user, "email");
+    if (!user) throw AccountNotFoundError();
+    userEmail = user.email;
   }
 
-  const [err, secrets] = await to(Secret.find(
-    {
+  const secrets = await Secret.find({
     workspace: workspaceId,
     environment,
     $or: [{ user: userId }, { user: { $exists: false } }],
     type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
-    }
-  ).then())
-
-  if (err) {
-    throw RouteValidationError({ message: "Failed to get secrets, please try again", stack: err.stack })
-  }
+  })
+  .catch((err) => {
+    throw RouteValidationError({
+      message: "Failed to get secrets, please try again",
+      stack: err.stack
+    });
+  })
 
   if (postHogClient) {
     postHogClient.capture({
-      event: 'secrets pulled',
+      event: "secrets pulled",
       distinctId: userEmail,
       properties: {
         numberOfSecrets: (secrets ?? []).length,
         environment,
         workspaceId,
-        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
-        userAgent: req.headers?.['user-agent']
+        channel: req.headers?.["user-agent"]?.toLowerCase().includes("mozilla") ? "web" : "cli",
+        userAgent: req.headers?.["user-agent"]
       }
     });
   }
 
-  return res.json(secrets)
-}
+  return res.json(secrets);
+};
 
 /**
  * Return secret with id [secretId]
@@ -405,4 +418,4 @@ export const getSecret = async (req: Request, res: Response) => {
   return res.status(200).send({
     secret: req._secret
   });
-}
+};

backend/src/controllers/v2/serviceAccountsController.ts

@@ -1,18 +1,18 @@
-import { Request, Response } from 'express';
-import { Types } from 'mongoose';
-import crypto from 'crypto';
-import bcrypt from 'bcrypt';
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import crypto from "crypto";
+import bcrypt from "bcrypt";
 import { 
     ServiceAccount,
     ServiceAccountKey,
     ServiceAccountOrganizationPermission,
-    ServiceAccountWorkspacePermission
-} from '../../models';
+    ServiceAccountWorkspacePermission,
+} from "../../models";
 import {
-    CreateServiceAccountDto
-} from '../../interfaces/serviceAccounts/dto';
-import { BadRequestError, ServiceAccountNotFoundError } from '../../utils/errors';
-import { getSaltRounds } from '../../config';
+    CreateServiceAccountDto,
+} from "../../interfaces/serviceAccounts/dto";
+import { BadRequestError, ServiceAccountNotFoundError } from "../../utils/errors";
+import { getSaltRounds } from "../../config";
 
 /**
  * Return service account tied to the request (service account) client
@@ -23,11 +23,11 @@ export const getCurrentServiceAccount = async (req: Request, res: Response) => {
     const serviceAccount = await ServiceAccount.findById(req.serviceAccount._id);
     
     if (!serviceAccount) {
-        throw ServiceAccountNotFoundError({ message: 'Failed to find service account' });
+        throw ServiceAccountNotFoundError({ message: "Failed to find service account" });
     }
     
     return res.status(200).send({
-        serviceAccount
+        serviceAccount,
     });
 }
 
@@ -42,11 +42,11 @@ export const getServiceAccountById = async (req: Request, res: Response) => {
     const serviceAccount = await ServiceAccount.findById(serviceAccountId);
     
     if (!serviceAccount) {
-        throw ServiceAccountNotFoundError({ message: 'Failed to find service account' });
+        throw ServiceAccountNotFoundError({ message: "Failed to find service account" });
     }
     
     return res.status(200).send({
-        serviceAccount
+        serviceAccount,
     });
 }
 
@@ -71,8 +71,8 @@ export const createServiceAccount = async (req: Request, res: Response) => {
         expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
     }
 
-    const secret = crypto.randomBytes(16).toString('base64');
-    const secretHash = await bcrypt.hash(secret, getSaltRounds());
+    const secret = crypto.randomBytes(16).toString("base64");
+    const secretHash = await bcrypt.hash(secret, await getSaltRounds());
     
     // create service account
     const serviceAccount = await new ServiceAccount({
@@ -82,7 +82,7 @@ export const createServiceAccount = async (req: Request, res: Response) => {
         publicKey,
         lastUsed: new Date(),
         expiresAt,
-        secretHash
+        secretHash,
     }).save();
     
     const serviceAccountObj = serviceAccount.toObject();
@@ -91,14 +91,14 @@ export const createServiceAccount = async (req: Request, res: Response) => {
 
     // provision default org-level permission for service account
     await new ServiceAccountOrganizationPermission({
-        serviceAccount: serviceAccount._id
+        serviceAccount: serviceAccount._id,
     }).save();
     
-    const secretId = Buffer.from(serviceAccount._id.toString(), 'hex').toString('base64');
+    const secretId = Buffer.from(serviceAccount._id.toString(), "hex").toString("base64");
 
     return res.status(200).send({
         serviceAccountAccessKey: `sa.${secretId}.${secret}`,
-        serviceAccount: serviceAccountObj
+        serviceAccount: serviceAccountObj,
     });
 }
 
@@ -114,18 +114,18 @@ export const changeServiceAccountName = async (req: Request, res: Response) => {
     
     const serviceAccount = await ServiceAccount.findOneAndUpdate(
         {
-            _id: new Types.ObjectId(serviceAccountId)
+            _id: new Types.ObjectId(serviceAccountId),
         },
         {
-            name
+            name,
         },
         {
-            new: true
+            new: true,
         }
     );
     
     return res.status(200).send({
-        serviceAccount
+        serviceAccount,
     });
 }
 
@@ -140,7 +140,7 @@ export const addServiceAccountKey = async (req: Request, res: Response) => {
     const {
         workspaceId,
         encryptedKey,
-        nonce
+        nonce,
     } = req.body;
     
     const serviceAccountKey = await new ServiceAccountKey({
@@ -148,7 +148,7 @@ export const addServiceAccountKey = async (req: Request, res: Response) => {
         nonce,
         sender: req.user._id,
         serviceAccount: req.serviceAccount._d,
-        workspace: new Types.ObjectId(workspaceId)
+        workspace: new Types.ObjectId(workspaceId),
     }).save();
 
     return serviceAccountKey;
@@ -161,11 +161,11 @@ export const addServiceAccountKey = async (req: Request, res: Response) => {
  */
 export const getServiceAccountWorkspacePermissions = async (req: Request, res: Response) => {
     const serviceAccountWorkspacePermissions = await ServiceAccountWorkspacePermission.find({
-        serviceAccount: req.serviceAccount._id
-    }).populate('workspace');
+        serviceAccount: req.serviceAccount._id,
+    }).populate("workspace");
     
     return res.status(200).send({
-        serviceAccountWorkspacePermissions
+        serviceAccountWorkspacePermissions,
     });
 }
 
@@ -182,34 +182,34 @@ export const addServiceAccountWorkspacePermission = async (req: Request, res: Re
         read = false,
         write = false,
         encryptedKey,
-        nonce
+        nonce,
     } = req.body;
     
     if (!req.membership.workspace.environments.some((e: { name: string; slug: string }) => e.slug === environment)) {
         return res.status(400).send({
-            message: 'Failed to validate workspace environment'
+            message: "Failed to validate workspace environment",
         });
     }
     
     const existingPermission = await ServiceAccountWorkspacePermission.findOne({
         serviceAccount: new Types.ObjectId(serviceAccountId),
         workspace: new Types.ObjectId(workspaceId),
-        environment
+        environment,
     });
     
-    if (existingPermission) throw BadRequestError({ message: 'Failed to add workspace permission to service account due to already-existing ' });
+    if (existingPermission) throw BadRequestError({ message: "Failed to add workspace permission to service account due to already-existing " });
 
     const serviceAccountWorkspacePermission = await new ServiceAccountWorkspacePermission({
         serviceAccount: new Types.ObjectId(serviceAccountId),
         workspace: new Types.ObjectId(workspaceId),
         environment,
         read,
-        write
+        write,
     }).save();
     
     const existingServiceAccountKey = await ServiceAccountKey.findOne({
         serviceAccount: new Types.ObjectId(serviceAccountId),
-        workspace: new Types.ObjectId(workspaceId) 
+        workspace: new Types.ObjectId(workspaceId), 
     });
     
     if (!existingServiceAccountKey) {
@@ -218,12 +218,12 @@ export const addServiceAccountWorkspacePermission = async (req: Request, res: Re
             nonce,
             sender: req.user._id,
             serviceAccount: new Types.ObjectId(serviceAccountId),
-            workspace: new Types.ObjectId(workspaceId)
+            workspace: new Types.ObjectId(workspaceId),
         }).save();
     }
 
     return res.status(200).send({
-        serviceAccountWorkspacePermission
+        serviceAccountWorkspacePermission,
     });
 }
 
@@ -240,19 +240,19 @@ export const deleteServiceAccountWorkspacePermission = async (req: Request, res:
         const { serviceAccount, workspace } = serviceAccountWorkspacePermission;
         const count = await ServiceAccountWorkspacePermission.countDocuments({
             serviceAccount,
-            workspace
+            workspace,
         });
         
         if (count === 0) {
             await ServiceAccountKey.findOneAndDelete({
                 serviceAccount,
-                workspace
+                workspace,
             });
         }
     }
 
     return res.status(200).send({
-        serviceAccountWorkspacePermission
+        serviceAccountWorkspacePermission,
     });
 }
 
@@ -269,20 +269,20 @@ export const deleteServiceAccount = async (req: Request, res: Response) => {
 
     if (serviceAccount) {
         await ServiceAccountKey.deleteMany({
-            serviceAccount: serviceAccount._id
+            serviceAccount: serviceAccount._id,
         });
 
         await ServiceAccountOrganizationPermission.deleteMany({
-            serviceAccount: new Types.ObjectId(serviceAccountId)
+            serviceAccount: new Types.ObjectId(serviceAccountId),
         });
 
         await ServiceAccountWorkspacePermission.deleteMany({
-            serviceAccount: new Types.ObjectId(serviceAccountId)
+            serviceAccount: new Types.ObjectId(serviceAccountId),
         });
     }
 
     return res.status(200).send({
-        serviceAccount
+        serviceAccount,
     });
 }
 
@@ -297,10 +297,10 @@ export const getServiceAccountKeys = async (req: Request, res: Response) => {
     
     const serviceAccountKeys = await ServiceAccountKey.find({
         serviceAccount: req.serviceAccount._id,
-        ...(workspaceId ? { workspace: new Types.ObjectId(workspaceId) } : {})
+        ...(workspaceId ? { workspace: new Types.ObjectId(workspaceId) } : {}),
     });
     
     return res.status(200).send({
-        serviceAccountKeys
+        serviceAccountKeys,
     });
 }

backend/src/controllers/v2/serviceTokenDataController.ts

@@ -1,19 +1,10 @@
-import * as Sentry from '@sentry/node';
-import { Request, Response } from 'express';
-import crypto from 'crypto';
-import bcrypt from 'bcrypt';
-import {
-    User,
-    ServiceAccount,
-    ServiceTokenData
-} from '../../models';
-import { userHasWorkspaceAccess } from '../../ee/helpers/checkMembershipPermissions';
-import { 
-    PERMISSION_READ_SECRETS,
-    AUTH_MODE_JWT,
-    AUTH_MODE_SERVICE_ACCOUNT
-} from '../../variables';
-import { getSaltRounds } from '../../config';
+import { Request, Response } from "express";
+import crypto from "crypto";
+import bcrypt from "bcrypt";
+import { ServiceAccount, ServiceTokenData, User } from "../../models";
+import { AUTH_MODE_JWT, AUTH_MODE_SERVICE_ACCOUNT } from "../../variables";
+import { getSaltRounds } from "../../config";
+import { BadRequestError } from "../../utils/errors";
 
 /**
  * Return service token data associated with service token on request
@@ -48,8 +39,18 @@ export const getServiceTokenData = async (req: Request, res: Response) => {
     }   
     */
 
-    return res.status(200).json(req.serviceTokenData);
-}
+  if (!(req.authData.authPayload instanceof ServiceTokenData))
+    throw BadRequestError({
+      message: "Failed accepted client validation for service token data"
+    });
+
+  const serviceTokenData = await ServiceTokenData.findById(req.authData.authPayload._id)
+    .select("+encryptedKey +iv +tag")
+    .populate("user")
+    .lean();
+
+  return res.status(200).json(serviceTokenData);
+};
 
 /**
  * Create new service token data for workspace with id [workspaceId] and
@@ -61,23 +62,14 @@ export const getServiceTokenData = async (req: Request, res: Response) => {
 export const createServiceTokenData = async (req: Request, res: Response) => {
   let serviceTokenData;
 
-    const {
-        name,
-        workspaceId,
-        environment,
-        encryptedKey,
-        iv,
-        tag,
-        expiresIn,
-        permissions
-    } = req.body;
+  const { name, workspaceId, encryptedKey, iv, tag, expiresIn, permissions, scopes } = req.body;
 
-    const secret = crypto.randomBytes(16).toString('hex');
-    const secretHash = await bcrypt.hash(secret, getSaltRounds());
+  const secret = crypto.randomBytes(16).toString("hex");
+  const secretHash = await bcrypt.hash(secret, await getSaltRounds());
 
   let expiresAt;
-    if (!!expiresIn) {
-        expiresAt = new Date()
+  if (expiresIn) {
+    expiresAt = new Date();
     expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
   }
 
@@ -87,16 +79,19 @@ export const createServiceTokenData = async (req: Request, res: Response) => {
     user = req.authData.authPayload._id;
   }
 
-    if (req.authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && req.authData.authPayload instanceof ServiceAccount) {
+  if (
+    req.authData.authMode === AUTH_MODE_SERVICE_ACCOUNT &&
+    req.authData.authPayload instanceof ServiceAccount
+  ) {
     serviceAccount = req.authData.authPayload._id;
   }
 
   serviceTokenData = await new ServiceTokenData({
     name,
     workspace: workspaceId,
-        environment,
     user,
     serviceAccount,
+    scopes,
     lastUsed: new Date(),
     expiresAt,
     secretHash,
@@ -109,7 +104,7 @@ export const createServiceTokenData = async (req: Request, res: Response) => {
   // return service token data without sensitive data
   serviceTokenData = await ServiceTokenData.findById(serviceTokenData._id);
 
-    if (!serviceTokenData) throw new Error('Failed to find service token data');
+  if (!serviceTokenData) throw new Error("Failed to find service token data");
 
   const serviceToken = `st.${serviceTokenData._id.toString()}.${secret}`;
 
@@ -117,7 +112,7 @@ export const createServiceTokenData = async (req: Request, res: Response) => {
     serviceToken,
     serviceTokenData
   });
-}
+};
 
 /**
  * Delete service token data with id [serviceTokenDataId].
@@ -133,4 +128,4 @@ export const deleteServiceTokenData = async (req: Request, res: Response) => {
   return res.status(200).send({
     serviceTokenData
   });
-}
+};

backend/src/controllers/v2/signupController.ts

@@ -1,14 +1,14 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { User, MembershipOrg } from '../../models';
-import { completeAccount } from '../../helpers/user';
+import { Request, Response } from "express";
+import { MembershipOrg, User } from "../../models";
+import { completeAccount } from "../../helpers/user";
 import {
-	initializeDefaultOrg
-} from '../../helpers/signup';
-import { issueAuthTokens } from '../../helpers/auth';
-import { INVITED, ACCEPTED } from '../../variables';
-import request from '../../config/request';
-import { getLoopsApiKey, getHttpsEnabled } from '../../config';
+	initializeDefaultOrg,
+} from "../../helpers/signup";
+import { issueAuthTokens } from "../../helpers/auth";
+import { ACCEPTED, INVITED } from "../../variables";
+import { standardRequest } from "../../config/request";
+import { getHttpsEnabled, getLoopsApiKey } from "../../config";
+import { updateSubscriptionOrgQuantity } from "../../helpers/organization";
 
 /**
  * Complete setting up user by adding their personal and auth information as part of the
@@ -18,8 +18,7 @@ import { getLoopsApiKey, getHttpsEnabled } from '../../config';
  * @returns
  */
 export const completeAccountSignup = async (req: Request, res: Response) => {
-	let user, token, refreshToken;
-	try {
+	let user;
   const {
     email,
     firstName,
@@ -33,7 +32,7 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
     encryptedPrivateKeyTag,
     salt,
     verifier,
-			organizationName
+    organizationName,
   }: {
     email: string;
     firstName: string;
@@ -57,7 +56,7 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
     // case 1: user doesn't exist.
     // case 2: user has already completed account
     return res.status(403).send({
-				error: 'Failed to complete account for complete user'
+      error: "Failed to complete account for complete user",
     });
   }
 
@@ -75,16 +74,29 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
     encryptedPrivateKeyIV,
     encryptedPrivateKeyTag,
     salt,
-			verifier
+    verifier,
   });
 
   if (!user)
-			throw new Error('Failed to complete account for non-existent user'); // ensure user is non-null
+    throw new Error("Failed to complete account for non-existent user"); // ensure user is non-null
 
   // initialize default organization and workspace
   await initializeDefaultOrg({
     organizationName,
-			user
+    user,
+  });
+
+  // update organization membership statuses that are
+  // invited to completed with user attached
+  const membershipsToUpdate = await MembershipOrg.find({
+    inviteEmail: email,
+    status: INVITED,
+  });
+  
+  membershipsToUpdate.forEach(async (membership) => {
+    await updateSubscriptionOrgQuantity({
+      organizationId: membership.organization.toString(),
+    });
   });
 
   // update organization membership statuses that are
@@ -92,55 +104,50 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
   await MembershipOrg.updateMany(
     {
       inviteEmail: email,
-				status: INVITED
+      status: INVITED,
     },
     {
       user,
-				status: ACCEPTED
+      status: ACCEPTED,
     }
   );
 
   // issue tokens
   const tokens = await issueAuthTokens({
-			userId: user._id.toString()
+    userId: user._id,
+    ip: req.realIP,
+    userAgent: req.headers["user-agent"] ?? "",
   });
 
-		token = tokens.token;
+  const token = tokens.token;
 
   // sending a welcome email to new users
-		if (getLoopsApiKey()) {
-			await request.post("https://app.loops.so/api/v1/events/send", {
+  if (await getLoopsApiKey()) {
+    await standardRequest.post("https://app.loops.so/api/v1/events/send", {
       "email": email,
       "eventName": "Sign Up",
       "firstName": firstName,
-				"lastName": lastName
+      "lastName": lastName,
     }, {
       headers: {
         "Accept": "application/json",
-					"Authorization": "Bearer " + getLoopsApiKey()
+        "Authorization": "Bearer " + (await getLoopsApiKey()),
       },
     });
   }
 
   // store (refresh) token in httpOnly cookie
-		res.cookie('jid', tokens.refreshToken, {
+  res.cookie("jid", tokens.refreshToken, {
     httpOnly: true,
-			path: '/',
-			sameSite: 'strict',
-			secure: getHttpsEnabled()
+    path: "/",
+    sameSite: "strict",
+    secure: await getHttpsEnabled(),
   });
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to complete account setup'
-		});
-	}
 
 	return res.status(200).send({
-		message: 'Successfully set up account',
+		message: "Successfully set up account",
 		user,
-		token
+		token,
 	});
 };
 
@@ -152,8 +159,7 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
  * @returns
  */
 export const completeAccountInvite = async (req: Request, res: Response) => {
-	let user, token, refreshToken;
-	try {
+	let user;
   const {
     email,
     firstName,
@@ -166,7 +172,7 @@ export const completeAccountInvite = async (req: Request, res: Response) => {
     encryptedPrivateKeyIV,
     encryptedPrivateKeyTag,
     salt,
-			verifier
+    verifier,
   } = req.body;
 
   // get user
@@ -176,16 +182,16 @@ export const completeAccountInvite = async (req: Request, res: Response) => {
     // case 1: user doesn't exist.
     // case 2: user has already completed account
     return res.status(403).send({
-				error: 'Failed to complete account for complete user'
+      error: "Failed to complete account for complete user",
     });
   }
 
   const membershipOrg = await MembershipOrg.findOne({
     inviteEmail: email,
-			status: INVITED
+    status: INVITED,
   });
 
-		if (!membershipOrg) throw new Error('Failed to find invitations for email');
+  if (!membershipOrg) throw new Error("Failed to find invitations for email");
 
   // complete setting up user's account
   user = await completeAccount({
@@ -201,50 +207,56 @@ export const completeAccountInvite = async (req: Request, res: Response) => {
     encryptedPrivateKeyIV,
     encryptedPrivateKeyTag,
     salt,
-			verifier
+    verifier,
   });
 
   if (!user)
-			throw new Error('Failed to complete account for non-existent user');
+    throw new Error("Failed to complete account for non-existent user");
   
   // update organization membership statuses that are
   // invited to completed with user attached
+  const membershipsToUpdate = await MembershipOrg.find({
+    inviteEmail: email,
+    status: INVITED,
+  });
+  
+  membershipsToUpdate.forEach(async (membership) => {
+    await updateSubscriptionOrgQuantity({
+      organizationId: membership.organization.toString(),
+    });
+  });
+
   await MembershipOrg.updateMany(
     {
       inviteEmail: email,
-				status: INVITED
+      status: INVITED,
     },
     {
       user,
-				status: ACCEPTED
+      status: ACCEPTED,
     }
   );
 
   // issue tokens
   const tokens = await issueAuthTokens({
-			userId: user._id.toString()
+    userId: user._id,
+    ip: req.realIP,
+    userAgent: req.headers["user-agent"] ?? "",
   });
 
-		token = tokens.token;
+  const token = tokens.token;
 
   // store (refresh) token in httpOnly cookie
-		res.cookie('jid', tokens.refreshToken, {
+  res.cookie("jid", tokens.refreshToken, {
     httpOnly: true,
-			path: '/',
-			sameSite: 'strict',
-			secure: getHttpsEnabled()
+    path: "/",
+    sameSite: "strict",
+    secure: await getHttpsEnabled(),
   });
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to complete account setup'
-		});
-	}
 
 	return res.status(200).send({
-		message: 'Successfully set up account',
+		message: "Successfully set up account",
 		user,
-		token
+		token,
 	});
 };

backend/src/controllers/v2/tagController.ts

@@ -1,45 +1,31 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
-import {
-	Membership, Secret,
-} from '../../models';
-import Tag, { ITag } from '../../models/tag';
-import { Builder } from "builder-pattern"
-import to from 'await-to-js';
-import { BadRequestError, UnauthorizedRequestError } from '../../utils/errors';
-import { MongoError } from 'mongodb';
-import { userHasWorkspaceAccess } from '../../ee/helpers/checkMembershipPermissions';
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { Membership, Secret } from "../../models";
+import Tag from "../../models/tag";
+import { BadRequestError, UnauthorizedRequestError } from "../../utils/errors";
 
 export const createWorkspaceTag = async (req: Request, res: Response) => {
-	const { workspaceId } = req.params
-	const { name, slug } = req.body
-	const sanitizedTagToCreate = Builder<ITag>()
-		.name(name)
-		.workspace(new Types.ObjectId(workspaceId))
-		.slug(slug)
-		.user(new Types.ObjectId(req.user._id))
-		.build();
+  const { workspaceId } = req.params;
+  const { name, slug } = req.body;
   
-	const [err, createdTag] = await to(Tag.create(sanitizedTagToCreate))
+  const tagToCreate = {
+      name,
+      workspace: new Types.ObjectId(workspaceId),
+      slug,
+      user: new Types.ObjectId(req.user._id),
+    };
   
-	if (err) {
-		if ((err as MongoError).code === 11000) {
-			throw BadRequestError({ message: "Tags must be unique in a workspace" })
-		}
+  const createdTag = await new Tag(tagToCreate).save();
   
-		throw err
-	}
-
-	res.json(createdTag)
-}
+  res.json(createdTag);
+};
 
 export const deleteWorkspaceTag = async (req: Request, res: Response) => {
-	const { tagId } = req.params
+  const { tagId } = req.params;
 
-	const tagFromDB = await Tag.findById(tagId)
+  const tagFromDB = await Tag.findById(tagId);
   if (!tagFromDB) {
-		throw BadRequestError()
+    throw BadRequestError();
   }
 
   // can only delete if the request user is one that belongs to the same workspace as the tag
@@ -49,24 +35,25 @@ export const deleteWorkspaceTag = async (req: Request, res: Response) => {
   });
 
   if (!membership) {
-		UnauthorizedRequestError({ message: 'Failed to validate membership' });
+    UnauthorizedRequestError({ message: "Failed to validate membership" });
   }
 
   const result = await Tag.findByIdAndDelete(tagId);
 
   // remove the tag from secrets
-	await Secret.updateMany(
-		{ tags: { $in: [tagId] } },
-		{ $pull: { tags: tagId } }
-	);
+  await Secret.updateMany({ tags: { $in: [tagId] } }, { $pull: { tags: tagId } });
 
   res.json(result);
-}
+};
 
 export const getWorkspaceTags = async (req: Request, res: Response) => {
-	const { workspaceId } = req.params
-	const workspaceTags = await Tag.find({ workspace: workspaceId })
+  const { workspaceId } = req.params;
+  
+  const workspaceTags = await Tag.find({ 
+    workspace: new Types.ObjectId(workspaceId) 
+  });
+  
   return res.json({
     workspaceTags
-	})
-}
+  });
+};

backend/src/controllers/v2/usersController.ts

@@ -1,9 +1,15 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import crypto from "crypto";
+import bcrypt from "bcrypt";
 import {
-    User,
-    MembershipOrg
-} from '../../models';
+    APIKeyData,
+    AuthProvider,
+    MembershipOrg,
+    TokenVersion,
+    User
+} from "../../models";
+import { getSaltRounds } from "../../config";
 
 /**
  * Return the current user.
@@ -37,21 +43,12 @@ export const getMe = async (req: Request, res: Response) => {
         }
     }   
     */
-    let user;
-    try {
-        user = await User
+    const user = await User
         .findById(req.user._id)
-            .select('+salt +publicKey +encryptedPrivateKey +iv +tag +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag');
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get current user'
-		});
-    }
+        .select("+salt +publicKey +encryptedPrivateKey +iv +tag +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag");
     
     return res.status(200).send({
-        user
+        user,
     });
 }
 
@@ -64,29 +61,81 @@ export const getMe = async (req: Request, res: Response) => {
  * @returns 
  */
 export const updateMyMfaEnabled = async (req: Request, res: Response) => {
-    let user;
-    try {
     const { isMfaEnabled }: { isMfaEnabled: boolean } = req.body;
     req.user.isMfaEnabled = isMfaEnabled;
     
     if (isMfaEnabled) { 
         // TODO: adapt this route/controller 
         // to work for different forms of MFA
-            req.user.mfaMethods = ['email'];
+        req.user.mfaMethods = ["email"];
     } else {
         req.user.mfaMethods = [];
     }
 
     await req.user.save();
     
-        user = req.user;
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: "Failed to update current user's MFA status"
+    const user = req.user;
+    
+    return res.status(200).send({
+        user,
     });
+}
+
+/**
+ * Update name of the current user to [firstName, lastName].
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const updateName = async (req: Request, res: Response) => {
+    const { 
+        firstName, 
+        lastName 
+    }: { 
+        firstName: string; 
+        lastName: string; 
+    } = req.body;
+    
+    const user = await User.findByIdAndUpdate(
+        req.user._id.toString(),
+        {
+            firstName,
+            lastName: lastName ?? ""
+        },
+        {
+            new: true
         }
+    );
+    
+    return res.status(200).send({
+        user,
+    });
+}
+
+/**
+ * Update auth provider of the current user to [authProvider]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const updateAuthProvider = async (req: Request, res: Response) => {
+    const {
+        authProvider
+    } = req.body;
+    
+    if (req.user?.authProvider === AuthProvider.OKTA_SAML) return res.status(400).send({
+        message: "Failed to update user authentication method because SAML SSO is enforced"
+    });
+
+    const user = await User.findByIdAndUpdate(
+        req.user._id.toString(),
+        {
+            authProvider
+        },
+        {
+            new: true
+        }
+    );
 
     return res.status(200).send({
         user
@@ -126,22 +175,116 @@ export const getMyOrganizations = async (req: Request, res: Response) => {
         }
     }   
     */
-	let organizations;
-	try {
-		organizations = (
+  const organizations = (
     await MembershipOrg.find({
-				user: req.user._id
-			}).populate('organization')
+      user: req.user._id,
+    }).populate("organization")
   ).map((m) => m.organization);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: "Failed to get current user's organizations"
-		});
-	}
 
 	return res.status(200).send({
-		organizations
+		organizations,
+	});
+}
+
+/**
+ * Return API keys belonging to current user.
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getMyAPIKeys = async (req: Request, res: Response) => {
+    const apiKeyData = await APIKeyData.find({
+		user: req.user._id,
+	});
+
+	return res.status(200).send(apiKeyData);
+}
+
+/**
+ * Create new API key for current user.
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const createAPIKey = async (req: Request, res: Response) => {
+	const { name, expiresIn } = req.body;
+
+	const secret = crypto.randomBytes(16).toString("hex");
+	const secretHash = await bcrypt.hash(secret, await getSaltRounds());
+
+	const expiresAt = new Date();
+	expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
+
+	let apiKeyData = await new APIKeyData({
+		name,
+		lastUsed: new Date(),
+		expiresAt,
+		user: req.user._id,
+		secretHash,
+	}).save();
+
+	// return api key data without sensitive data
+	apiKeyData = (await APIKeyData.findById(apiKeyData._id)) as any;
+
+	if (!apiKeyData) throw new Error("Failed to find API key data");
+
+	const apiKey = `ak.${apiKeyData._id.toString()}.${secret}`;
+
+	return res.status(200).send({
+		apiKey,
+		apiKeyData,
+	});
+}
+
+/**
+ * Delete API key with id [apiKeyDataId] belonging to current user
+ * @param req 
+ * @param res 
+ */
+export const deleteAPIKey = async (req: Request, res: Response) => {
+    const { apiKeyDataId } = req.params;
+
+    const apiKeyData = await APIKeyData.findOneAndDelete({
+        _id: new Types.ObjectId(apiKeyDataId),
+        user: req.user._id
+    });
+
+	return res.status(200).send({
+		apiKeyData
+	});
+}
+
+/**
+ * Return active sessions (TokenVersion) belonging to user
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getMySessions = async (req: Request, res: Response) => {
+    const tokenVersions = await TokenVersion.find({
+        user: req.user._id
+    });
+    
+    return res.status(200).send(tokenVersions);
+}
+
+/**
+ * Revoke all active sessions belong to user
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const deleteMySessions = async (req: Request, res: Response) => {
+    await TokenVersion.updateMany({
+        user: req.user._id,
+    }, {
+        $inc: {
+            refreshVersion: 1,
+            accessVersion: 1,
+        },
+    });
+
+    return res.status(200).send({
+        message: "Successfully revoked all sessions"
     });
 }

backend/src/controllers/v2/workspaceController.ts

@@ -1,26 +1,14 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { Key, Membership, ServiceTokenData, Workspace } from "../../models";
 import {
-	Workspace,
-	Secret,
-	Membership,
-	MembershipOrg,
-	Integration,
-	IntegrationAuth,
-	Key,
-	IUser,
-	ServiceToken,
-	ServiceTokenData
-} from '../../models';
-import {
-	v2PushSecrets as push,
   pullSecrets as pull,
+  v2PushSecrets as push,
   reformatPullSecrets
-} from '../../helpers/secret';
-import { pushKeys } from '../../helpers/key';
-import { TelemetryService, EventService } from '../../services';
-import { eventPushSecrets } from '../../events';
+} from "../../helpers/secret";
+import { pushKeys } from "../../helpers/key";
+import { EventService, TelemetryService } from "../../services";
+import { eventPushSecrets } from "../../events";
 
 interface V2PushSecret {
   type: string; // personal or shared
@@ -47,8 +35,7 @@ interface V2PushSecret {
  */
 export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
   // upload (encrypted) secrets to workspace with id [workspaceId]
-	try {
-		const postHogClient = TelemetryService.getPostHogClient();
+  const postHogClient = await TelemetryService.getPostHogClient();
   let { secrets }: { secrets: V2PushSecret[] } = req.body;
   const { keys, environment, channel } = req.body;
   const { workspaceId } = req.params;
@@ -56,12 +43,12 @@ export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
   // validate environment
   const workspaceEnvs = req.membership.workspace.environments;
   if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
-			throw new Error('Failed to validate environment');
+    throw new Error("Failed to validate environment");
   }
 
   // sanitize secrets
   secrets = secrets.filter(
-			(s: V2PushSecret) => s.secretKeyCiphertext !== '' && s.secretValueCiphertext !== ''
+    (s: V2PushSecret) => s.secretKeyCiphertext !== "" && s.secretValueCiphertext !== ""
   );
 
   await push({
@@ -69,8 +56,8 @@ export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
     workspaceId,
     environment,
     secrets,
-			channel: channel ? channel : 'cli',
-			ipAddress: req.ip
+    channel: channel ? channel : "cli",
+    ipAddress: req.realIP
   });
 
   await pushKeys({
@@ -81,13 +68,13 @@ export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
 
   if (postHogClient) {
     postHogClient.capture({
-				event: 'secrets pushed',
+      event: "secrets pushed",
       distinctId: req.user.email,
       properties: {
         numberOfSecrets: secrets.length,
         environment,
         workspaceId,
-					channel: channel ? channel : 'cli'
+        channel: channel ? channel : "cli"
       }
     });
   }
@@ -95,20 +82,14 @@ export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
   // trigger event - push secrets
   EventService.handleEvent({
     event: eventPushSecrets({
-				workspaceId
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+      secretPath: "/"
     })
   });
 
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to upload workspace secrets'
-		});
-	}
-
   return res.status(200).send({
-		message: 'Successfully uploaded workspace secrets'
+    message: "Successfully uploaded workspace secrets"
   });
 };
 
@@ -121,8 +102,7 @@ export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
  */
 export const pullSecrets = async (req: Request, res: Response) => {
   let secrets;
-	try {
-		const postHogClient = TelemetryService.getPostHogClient();
+  const postHogClient = await TelemetryService.getPostHogClient();
   const environment: string = req.query.environment as string;
   const channel: string = req.query.channel as string;
   const { workspaceId } = req.params;
@@ -131,23 +111,23 @@ export const pullSecrets = async (req: Request, res: Response) => {
   if (req.user) {
     userId = req.user._id.toString();
   } else if (req.serviceTokenData) {
-			userId = req.serviceTokenData.user._id
+    userId = req.serviceTokenData.user.toString();
   }
   // validate environment
   const workspaceEnvs = req.membership.workspace.environments;
   if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
-			throw new Error('Failed to validate environment');
+    throw new Error("Failed to validate environment");
   }
 
   secrets = await pull({
     userId,
     workspaceId,
     environment,
-			channel: channel ? channel : 'cli',
-			ipAddress: req.ip
+    channel: channel ? channel : "cli",
+    ipAddress: req.realIP
   });
 
-		if (channel !== 'cli') {
+  if (channel !== "cli") {
     secrets = reformatPullSecrets({ secrets });
   }
 
@@ -155,22 +135,15 @@ export const pullSecrets = async (req: Request, res: Response) => {
     // capture secrets pushed event in production
     postHogClient.capture({
       distinctId: req.user.email,
-				event: 'secrets pulled',
+      event: "secrets pulled",
       properties: {
         numberOfSecrets: secrets.length,
         environment,
         workspaceId,
-					channel: channel ? channel : 'cli'
+        channel: channel ? channel : "cli"
       }
     });
   }
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to pull workspace secrets'
-		});
-	}
 
   return res.status(200).send({
     secrets
@@ -206,52 +179,28 @@ export const getWorkspaceKey = async (req: Request, res: Response) => {
         }
     }   
     */
-	let key;
-	try {
   const { workspaceId } = req.params;
 
-		key = await Key.findOne({
+  const key = await Key.findOne({
     workspace: workspaceId,
     receiver: req.user._id
-		}).populate('sender', '+publicKey');
+  }).populate("sender", "+publicKey");
 
-		if (!key) throw new Error('Failed to find workspace key');
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get workspace key'
-		});
-	}
+  if (!key) throw new Error("Failed to find workspace key");
 
   return res.status(200).json(key);
-}
-export const getWorkspaceServiceTokenData = async (
-	req: Request,
-	res: Response
-) => {
-	let serviceTokenData;
-	try {
+};
+export const getWorkspaceServiceTokenData = async (req: Request, res: Response) => {
   const { workspaceId } = req.params;
 
-		serviceTokenData = await ServiceTokenData
-			.find({
+  const serviceTokenData = await ServiceTokenData.find({
     workspace: workspaceId
-			})
-			.select('+encryptedKey +iv +tag');
-
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get workspace service token data'
-		});
-	}
+  }).select("+encryptedKey +iv +tag");
 
   return res.status(200).send({
     serviceTokenData
   });
-}
+};
 
 /**
  * Return memberships for workspace with id [workspaceId]
@@ -293,25 +242,16 @@ export const getWorkspaceMemberships = async (req: Request, res: Response) => {
         }
     }   
     */
-	let memberships;
-	try {
   const { workspaceId } = req.params;
 
-		memberships = await Membership.find({
+  const memberships = await Membership.find({
     workspace: workspaceId
-		}).populate('user', '+publicKey');
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get workspace memberships'
-		});
-	}
+  }).populate("user", "+publicKey");
 
   return res.status(200).send({
     memberships
   });
-}
+};
 
 /**
  * Update role of membership with id [membershipId] to role [role]
@@ -373,33 +313,23 @@ export const updateWorkspaceMembership = async (req: Request, res: Response) =>
         }
     }   
     */
-	let membership;
-	try {
-		const {
-			membershipId
-		} = req.params;
+  const { membershipId } = req.params;
   const { role } = req.body;
 
-		membership = await Membership.findByIdAndUpdate(
+  const membership = await Membership.findByIdAndUpdate(
     membershipId,
     {
       role
-			}, {
+    },
+    {
       new: true
     }
   );
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to update workspace membership'
-		});
-	}
 
   return res.status(200).send({
     membership
   });
-}
+};
 
 /**
  * Delete workspace membership with id [membershipId]
@@ -444,32 +374,21 @@ export const deleteWorkspaceMembership = async (req: Request, res: Response) =>
         }
     }   
     */
-	let membership;
-	try {
-		const { 
-			membershipId
-		} = req.params;
+  const { membershipId } = req.params;
 
-		membership = await Membership.findByIdAndDelete(membershipId);
+  const membership = await Membership.findByIdAndDelete(membershipId);
 
-		if (!membership) throw new Error('Failed to delete workspace membership');
+  if (!membership) throw new Error("Failed to delete workspace membership");
 
   await Key.deleteMany({
     receiver: membership.user,
     workspace: membership.workspace
   });
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to delete workspace membership'
-		});	
-	}
 
   return res.status(200).send({
     membership
   });
-}
+};
 
 /**
  * Change autoCapitilzation Rule of workspace
@@ -478,12 +397,10 @@ export const deleteWorkspaceMembership = async (req: Request, res: Response) =>
  * @returns
  */
 export const toggleAutoCapitalization = async (req: Request, res: Response) => {
-	let workspace;
-	try {
   const { workspaceId } = req.params;
   const { autoCapitalization } = req.body;
 
-		workspace = await Workspace.findOneAndUpdate(
+  const workspace = await Workspace.findOneAndUpdate(
     {
       _id: workspaceId
     },
@@ -494,16 +411,9 @@ export const toggleAutoCapitalization = async (req: Request, res: Response) => {
       new: true
     }
   );
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to change autoCapitalization setting'
-		});
-	}
 
   return res.status(200).send({
-		message: 'Successfully changed autoCapitalization setting',
+    message: "Successfully changed autoCapitalization setting",
     workspace
   });
 };

backend/src/controllers/v3/authController.ts

@@ -0,0 +1,264 @@
+/* eslint-disable @typescript-eslint/no-var-requires */
+import { Request, Response } from "express";
+import jwt from "jsonwebtoken";
+import * as Sentry from "@sentry/node";
+import * as bigintConversion from "bigint-conversion";
+const jsrp = require("jsrp");
+import { LoginSRPDetail, User } from "../../models";
+import { createToken, issueAuthTokens, validateProviderAuthToken } from "../../helpers/auth";
+import { checkUserDevice } from "../../helpers/user";
+import { sendMail } from "../../helpers/nodemailer";
+import { TokenService } from "../../services";
+import { EELogService } from "../../ee/services";
+import { BadRequestError, InternalServerError } from "../../utils/errors";
+import {
+    ACTION_LOGIN,
+    TOKEN_EMAIL_MFA,
+} from "../../variables";
+import { getChannelFromUserAgent } from "../../utils/posthog"; // TODO: move this
+import {
+    getHttpsEnabled,
+    getJwtMfaLifetime,
+    getJwtMfaSecret,
+} from "../../config";
+import { AuthProvider } from "../../models/user";
+
+declare module "jsonwebtoken" {
+    export interface ProviderAuthJwtPayload extends jwt.JwtPayload {
+        userId: string;
+        email: string;
+        authProvider: AuthProvider;
+        isUserCompleted: boolean,
+    }
+}
+
+/**
+ * Log in user step 1: Return [salt] and [serverPublicKey] as part of step 1 of SRP protocol
+ * @param req
+ * @param res
+ * @returns
+ */
+export const login1 = async (req: Request, res: Response) => {
+    try {
+        const {
+            email,
+            providerAuthToken,
+            clientPublicKey,
+        }: {
+            email: string;
+            clientPublicKey: string,
+            providerAuthToken?: string;
+        } = req.body;
+
+        const user = await User.findOne({
+            email,
+        }).select("+salt +verifier");
+
+        if (!user) throw new Error("Failed to find user");
+
+        if (user.authProvider && user.authProvider !== AuthProvider.EMAIL) {
+            await validateProviderAuthToken({
+                email,
+                user,
+                providerAuthToken,
+            })
+        }
+
+        const server = new jsrp.server();
+        server.init(
+            {
+                salt: user.salt,
+                verifier: user.verifier,
+            },
+            async () => {
+                // generate server-side public key
+                const serverPublicKey = server.getPublicKey();
+                await LoginSRPDetail.findOneAndReplace({
+                    email: email,
+                }, {
+                    email,
+                    userId: user.id,
+                    clientPublicKey: clientPublicKey,
+                    serverBInt: bigintConversion.bigintToBuf(server.bInt),
+                }, { upsert: true, returnNewDocument: false });
+
+                return res.status(200).send({
+                    serverPublicKey,
+                    salt: user.salt,
+                });
+            }
+        );
+    } catch (err) {
+        Sentry.setUser(null);
+        Sentry.captureException(err);
+        return res.status(400).send({
+            message: "Failed to start authentication process",
+        });
+    }
+};
+
+/**
+ * Log in user step 2: complete step 2 of SRP protocol and return token and their (encrypted)
+ * private key
+ * @param req
+ * @param res
+ * @returns
+ */
+export const login2 = async (req: Request, res: Response) => {
+    try {
+
+        if (!req.headers["user-agent"]) throw InternalServerError({ message: "User-Agent header is required" });
+
+        const { email, clientProof, providerAuthToken } = req.body;
+
+        const user = await User.findOne({
+            email,
+        }).select("+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag +devices");
+
+        if (!user) throw new Error("Failed to find user");
+
+        if (user.authProvider && user.authProvider !== AuthProvider.EMAIL) {
+            await validateProviderAuthToken({
+                email,
+                user,
+                providerAuthToken,
+            })
+        }
+
+        const loginSRPDetail = await LoginSRPDetail.findOneAndDelete({ email: email })
+
+        if (!loginSRPDetail) {
+            return BadRequestError(Error("Failed to find login details for SRP"))
+        }
+
+        const server = new jsrp.server();
+        server.init(
+            {
+                salt: user.salt,
+                verifier: user.verifier,
+                b: loginSRPDetail.serverBInt,
+            },
+            async () => {
+                server.setClientPublicKey(loginSRPDetail.clientPublicKey);
+
+                // compare server and client shared keys
+                if (server.checkClientProof(clientProof)) {
+
+                    if (user.isMfaEnabled) {
+                        // case: user has MFA enabled
+
+                        // generate temporary MFA token
+                        const token = createToken({
+                            payload: {
+                                userId: user._id.toString(),
+                            },
+                            expiresIn: await getJwtMfaLifetime(),
+                            secret: await getJwtMfaSecret(),
+                        });
+
+                        const code = await TokenService.createToken({
+                            type: TOKEN_EMAIL_MFA,
+                            email,
+                        });
+
+                        // send MFA code [code] to [email]
+                        await sendMail({
+                            template: "emailMfa.handlebars",
+                            subjectLine: "Infisical MFA code",
+                            recipients: [user.email],
+                            substitutions: {
+                                code,
+                            },
+                        });
+
+                        return res.status(200).send({
+                            mfaEnabled: true,
+                            token,
+                        });
+                    }
+
+                    await checkUserDevice({
+                        user,
+                        ip: req.realIP,
+                        userAgent: req.headers["user-agent"] ?? "",
+                    });
+
+                    // issue tokens
+                    const tokens = await issueAuthTokens({ 
+                        userId: user._id,
+                        ip: req.realIP,
+                        userAgent: req.headers["user-agent"] ?? "",
+                    });
+
+                    // store (refresh) token in httpOnly cookie
+                    res.cookie("jid", tokens.refreshToken, {
+                        httpOnly: true,
+                        path: "/",
+                        sameSite: "strict",
+                        secure: await getHttpsEnabled(),
+                    });
+
+                    // case: user does not have MFA enablgged
+                    // return (access) token in response
+
+                    interface ResponseData {
+                        mfaEnabled: boolean;
+                        encryptionVersion: any;
+                        protectedKey?: string;
+                        protectedKeyIV?: string;
+                        protectedKeyTag?: string;
+                        token: string;
+                        publicKey?: string;
+                        encryptedPrivateKey?: string;
+                        iv?: string;
+                        tag?: string;
+                    }
+
+                    const response: ResponseData = {
+                        mfaEnabled: false,
+                        encryptionVersion: user.encryptionVersion,
+                        token: tokens.token,
+                        publicKey: user.publicKey,
+                        encryptedPrivateKey: user.encryptedPrivateKey,
+                        iv: user.iv,
+                        tag: user.tag,
+                    }
+
+                    if (
+                        user?.protectedKey &&
+                        user?.protectedKeyIV &&
+                        user?.protectedKeyTag
+                    ) {
+                        response.protectedKey = user.protectedKey;
+                        response.protectedKeyIV = user.protectedKeyIV
+                        response.protectedKeyTag = user.protectedKeyTag;
+                    }
+
+                    const loginAction = await EELogService.createAction({
+                        name: ACTION_LOGIN,
+                        userId: user._id,
+                    });
+
+                    loginAction && await EELogService.createLog({
+                        userId: user._id,
+                        actions: [loginAction],
+                        channel: getChannelFromUserAgent(req.headers["user-agent"]),
+                        ipAddress: req.realIP,
+                    });
+
+                    return res.status(200).send(response);
+                }
+
+                return res.status(400).send({
+                    message: "Failed to authenticate. Try again?",
+                });
+            }
+        );
+    } catch (err) {
+        Sentry.setUser(null);
+        Sentry.captureException(err);
+        return res.status(400).send({
+            message: "Failed to authenticate. Try again?",
+        });
+    }
+};

backend/src/controllers/v3/index.ts

@@ -0,0 +1,11 @@
+import * as secretsController from "./secretsController";
+import * as workspacesController from "./workspacesController";
+import * as authController from "./authController";
+import * as signupController from "./signupController";
+
+export {
+    authController,
+    secretsController,
+    signupController,
+    workspacesController,
+}

backend/src/controllers/v3/secretsController.ts

@@ -0,0 +1,477 @@
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { EventService, SecretService } from "../../services";
+import { eventPushSecrets } from "../../events";
+import { BotService } from "../../services";
+import { containsGlobPatterns, repackageSecretToRaw } from "../../helpers/secrets";
+import { encryptSymmetric128BitHexKeyUTF8 } from "../../utils/crypto";
+import { getAllImportedSecrets } from "../../services/SecretImportService";
+import Folder from "../../models/folder";
+import { getFolderByPath } from "../../services/FolderService";
+import { BadRequestError } from "../../utils/errors";
+import { IServiceTokenData } from "../../models";
+import { requireWorkspaceAuth } from "../../middleware";
+import { ADMIN, MEMBER, PERMISSION_READ_SECRETS } from "../../variables";
+
+/**
+ * Return secrets for workspace with id [workspaceId] and environment
+ * [environment] in plaintext
+ * @param req
+ * @param res
+ */
+export const getSecretsRaw = async (req: Request, res: Response) => {
+  let workspaceId = req.query.workspaceId as string;
+  let environment = req.query.environment as string;
+  let secretPath = req.query.secretPath as string;
+  const includeImports = req.query.include_imports as string;
+
+  // if the service token has single scope, it will get all secrets for that scope by default
+  const serviceTokenDetails: IServiceTokenData = req?.serviceTokenData;
+  if (serviceTokenDetails) {
+    if (
+      serviceTokenDetails.scopes.length == 1 &&
+      !containsGlobPatterns(serviceTokenDetails.scopes[0].secretPath)
+    ) {
+      const scope = serviceTokenDetails.scopes[0];
+      secretPath = scope.secretPath;
+      environment = scope.environment;
+      workspaceId = serviceTokenDetails.workspace.toString();
+    } else {
+      requireWorkspaceAuth({
+        acceptedRoles: [ADMIN, MEMBER],
+        locationWorkspaceId: "query",
+        locationEnvironment: "query",
+        requiredPermissions: [PERMISSION_READ_SECRETS],
+        requireBlindIndicesEnabled: true,
+        requireE2EEOff: true
+      });
+    }
+  }
+
+  const secrets = await SecretService.getSecrets({
+    workspaceId: new Types.ObjectId(workspaceId),
+    environment,
+    secretPath,
+    authData: req.authData
+  });
+
+  const key = await BotService.getWorkspaceKeyWithBot({
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  if (includeImports === "true") {
+    const folders = await Folder.findOne({ workspace: workspaceId, environment });
+    let folderId = "root";
+    // if folder exist get it and replace folderid with new one
+    if (folders) {
+      const folder = getFolderByPath(folders.nodes, secretPath as string);
+      if (!folder) {
+        throw BadRequestError({ message: "Folder not found" });
+      }
+      folderId = folder.id;
+    }
+    const importedSecrets = await getAllImportedSecrets(workspaceId, environment, folderId);
+    return res.status(200).send({
+      secrets: secrets.map((secret) =>
+        repackageSecretToRaw({
+          secret,
+          key
+        })
+      ),
+      imports: importedSecrets.map((el) => ({
+        ...el,
+        secrets: el.secrets.map((secret) => repackageSecretToRaw({ secret, key }))
+      }))
+    });
+  }
+
+  return res.status(200).send({
+    secrets: secrets.map((secret) => {
+      const rep = repackageSecretToRaw({
+        secret,
+        key
+      });
+      return rep;
+    })
+  });
+};
+
+/**
+ * Return secret with name [secretName] in plaintext
+ * @param req
+ * @param res
+ */
+export const getSecretByNameRaw = async (req: Request, res: Response) => {
+  const { secretName } = req.params;
+  const workspaceId = req.query.workspaceId as string;
+  const environment = req.query.environment as string;
+  const secretPath = req.query.secretPath as string;
+  const type = req.query.type as "shared" | "personal" | undefined;
+
+  const secret = await SecretService.getSecret({
+    secretName,
+    workspaceId: new Types.ObjectId(workspaceId),
+    environment,
+    type,
+    secretPath,
+    authData: req.authData
+  });
+
+  const key = await BotService.getWorkspaceKeyWithBot({
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  return res.status(200).send({
+    secret: repackageSecretToRaw({
+      secret,
+      key
+    })
+  });
+};
+
+/**
+ * Create secret with name [secretName] in plaintext
+ * @param req
+ * @param res
+ */
+export const createSecretRaw = async (req: Request, res: Response) => {
+  const { secretName } = req.params;
+  const { workspaceId, environment, type, secretValue, secretComment, secretPath = "/" } = req.body;
+
+  const key = await BotService.getWorkspaceKeyWithBot({
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  const secretKeyEncrypted = encryptSymmetric128BitHexKeyUTF8({
+    plaintext: secretName,
+    key
+  });
+
+  const secretValueEncrypted = encryptSymmetric128BitHexKeyUTF8({
+    plaintext: secretValue,
+    key
+  });
+
+  const secretCommentEncrypted = encryptSymmetric128BitHexKeyUTF8({
+    plaintext: secretComment,
+    key
+  });
+
+  const secret = await SecretService.createSecret({
+    secretName,
+    workspaceId: new Types.ObjectId(workspaceId),
+    environment,
+    type,
+    authData: req.authData,
+    secretKeyCiphertext: secretKeyEncrypted.ciphertext,
+    secretKeyIV: secretKeyEncrypted.iv,
+    secretKeyTag: secretKeyEncrypted.tag,
+    secretValueCiphertext: secretValueEncrypted.ciphertext,
+    secretValueIV: secretValueEncrypted.iv,
+    secretValueTag: secretValueEncrypted.tag,
+    secretPath,
+    secretCommentCiphertext: secretCommentEncrypted.ciphertext,
+    secretCommentIV: secretCommentEncrypted.iv,
+    secretCommentTag: secretCommentEncrypted.tag
+  });
+
+  await EventService.handleEvent({
+    event: eventPushSecrets({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+      secretPath
+    })
+  });
+
+  const secretWithoutBlindIndex = secret.toObject();
+  delete secretWithoutBlindIndex.secretBlindIndex;
+
+  return res.status(200).send({
+    secret: repackageSecretToRaw({
+      secret: secretWithoutBlindIndex,
+      key
+    })
+  });
+};
+
+/**
+ * Update secret with name [secretName]
+ * @param req
+ * @param res
+ */
+export const updateSecretByNameRaw = async (req: Request, res: Response) => {
+  const { secretName } = req.params;
+  const { workspaceId, environment, type, secretValue, secretPath = "/" } = req.body;
+
+  const key = await BotService.getWorkspaceKeyWithBot({
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  const secretValueEncrypted = encryptSymmetric128BitHexKeyUTF8({
+    plaintext: secretValue,
+    key
+  });
+
+  const secret = await SecretService.updateSecret({
+    secretName,
+    workspaceId,
+    environment,
+    type,
+    authData: req.authData,
+    secretValueCiphertext: secretValueEncrypted.ciphertext,
+    secretValueIV: secretValueEncrypted.iv,
+    secretValueTag: secretValueEncrypted.tag,
+    secretPath
+  });
+
+  await EventService.handleEvent({
+    event: eventPushSecrets({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+      secretPath
+    })
+  });
+
+  return res.status(200).send({
+    secret: repackageSecretToRaw({
+      secret,
+      key
+    })
+  });
+};
+
+/**
+ * Delete secret with name [secretName]
+ * @param req
+ * @param res
+ */
+export const deleteSecretByNameRaw = async (req: Request, res: Response) => {
+  const { secretName } = req.params;
+  const { workspaceId, environment, type, secretPath = "/" } = req.body;
+
+  const { secret } = await SecretService.deleteSecret({
+    secretName,
+    workspaceId,
+    environment,
+    type,
+    authData: req.authData,
+    secretPath
+  });
+
+  await EventService.handleEvent({
+    event: eventPushSecrets({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+      secretPath
+    })
+  });
+
+  const key = await BotService.getWorkspaceKeyWithBot({
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  return res.status(200).send({
+    secret: repackageSecretToRaw({
+      secret,
+      key
+    })
+  });
+};
+
+/**
+ * Get secrets for workspace with id [workspaceId] and environment
+ * [environment]
+ * @param req
+ * @param res
+ */
+export const getSecrets = async (req: Request, res: Response) => {
+  const workspaceId = req.query.workspaceId as string;
+  const environment = req.query.environment as string;
+  const secretPath = req.query.secretPath as string;
+  const includeImports = req.query.include_imports as string;
+
+  const secrets = await SecretService.getSecrets({
+    workspaceId: new Types.ObjectId(workspaceId),
+    environment,
+    secretPath,
+    authData: req.authData
+  });
+
+  if (includeImports === "true") {
+    const folders = await Folder.findOne({ workspace: workspaceId, environment });
+    let folderId = "root";
+    // if folder exist get it and replace folderid with new one
+    if (folders) {
+      const folder = getFolderByPath(folders.nodes, secretPath as string);
+      if (!folder) {
+        throw BadRequestError({ message: "Folder not found" });
+      }
+      folderId = folder.id;
+    }
+    const importedSecrets = await getAllImportedSecrets(workspaceId, environment, folderId);
+    return res.status(200).send({
+      secrets,
+      imports: importedSecrets
+    });
+  }
+
+  return res.status(200).send({
+    secrets
+  });
+};
+
+/**
+ * Return secret with name [secretName]
+ * @param req
+ * @param res
+ */
+export const getSecretByName = async (req: Request, res: Response) => {
+  const { secretName } = req.params;
+  const workspaceId = req.query.workspaceId as string;
+  const environment = req.query.environment as string;
+  const secretPath = req.query.secretPath as string;
+  const type = req.query.type as "shared" | "personal" | undefined;
+
+  const secret = await SecretService.getSecret({
+    secretName,
+    workspaceId: new Types.ObjectId(workspaceId),
+    environment,
+    type,
+    secretPath,
+    authData: req.authData
+  });
+
+  return res.status(200).send({
+    secret
+  });
+};
+
+/**
+ * Create secret with name [secretName]
+ * @param req
+ * @param res
+ */
+export const createSecret = async (req: Request, res: Response) => {
+  const { secretName } = req.params;
+  const {
+    workspaceId,
+    environment,
+    type,
+    secretKeyCiphertext,
+    secretKeyIV,
+    secretKeyTag,
+    secretValueCiphertext,
+    secretValueIV,
+    secretValueTag,
+    secretCommentCiphertext,
+    secretCommentIV,
+    secretCommentTag,
+    secretPath = "/"
+  } = req.body;
+
+  const secret = await SecretService.createSecret({
+    secretName,
+    workspaceId: new Types.ObjectId(workspaceId),
+    environment,
+    type,
+    authData: req.authData,
+    secretKeyCiphertext,
+    secretKeyIV,
+    secretKeyTag,
+    secretValueCiphertext,
+    secretValueIV,
+    secretValueTag,
+    secretPath,
+    secretCommentCiphertext,
+    secretCommentIV,
+    secretCommentTag
+  });
+
+  await EventService.handleEvent({
+    event: eventPushSecrets({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+      secretPath
+    })
+  });
+
+  const secretWithoutBlindIndex = secret.toObject();
+  delete secretWithoutBlindIndex.secretBlindIndex;
+
+  return res.status(200).send({
+    secret: secretWithoutBlindIndex
+  });
+};
+
+/**
+ * Update secret with name [secretName]
+ * @param req
+ * @param res
+ */
+export const updateSecretByName = async (req: Request, res: Response) => {
+  const { secretName } = req.params;
+  const {
+    workspaceId,
+    environment,
+    type,
+    secretValueCiphertext,
+    secretValueIV,
+    secretValueTag,
+    secretPath = "/"
+  } = req.body;
+
+  const secret = await SecretService.updateSecret({
+    secretName,
+    workspaceId,
+    environment,
+    type,
+    authData: req.authData,
+    secretValueCiphertext,
+    secretValueIV,
+    secretValueTag,
+    secretPath
+  });
+
+  await EventService.handleEvent({
+    event: eventPushSecrets({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+      secretPath
+    })
+  });
+
+  return res.status(200).send({
+    secret
+  });
+};
+
+/**
+ * Delete secret with name [secretName]
+ * @param req
+ * @param res
+ */
+export const deleteSecretByName = async (req: Request, res: Response) => {
+  const { secretName } = req.params;
+  const { workspaceId, environment, type, secretPath = "/" } = req.body;
+
+  const { secret } = await SecretService.deleteSecret({
+    secretName,
+    workspaceId,
+    environment,
+    type,
+    authData: req.authData,
+    secretPath
+  });
+
+  await EventService.handleEvent({
+    event: eventPushSecrets({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+      secretPath
+    })
+  });
+
+  return res.status(200).send({
+    secret
+  });
+};

backend/src/controllers/v3/signupController.ts

@@ -0,0 +1,197 @@
+import jwt from "jsonwebtoken";
+import { Request, Response } from "express";
+import * as Sentry from "@sentry/node";
+import { MembershipOrg, User } from "../../models";
+import { completeAccount } from "../../helpers/user";
+import {
+	initializeDefaultOrg,
+} from "../../helpers/signup";
+import { issueAuthTokens, validateProviderAuthToken } from "../../helpers/auth";
+import { ACCEPTED, INVITED } from "../../variables";
+import { standardRequest } from "../../config/request";
+import { getHttpsEnabled, getJwtSignupSecret, getLoopsApiKey } from "../../config";
+import { BadRequestError } from "../../utils/errors";
+import { TelemetryService } from "../../services";
+import { AuthProvider } from "../../models";
+
+/**
+ * Complete setting up user by adding their personal and auth information as part of the
+ * signup flow
+ * @param req
+ * @param res
+ * @returns
+ */
+export const completeAccountSignup = async (req: Request, res: Response) => {
+	let user, token, refreshToken;
+	try {
+		const {
+			email,
+			firstName,
+			lastName,
+			protectedKey,
+			protectedKeyIV,
+			protectedKeyTag,
+			publicKey,
+			encryptedPrivateKey,
+			encryptedPrivateKeyIV,
+			encryptedPrivateKeyTag,
+			salt,
+			verifier,
+			organizationName,
+			providerAuthToken,
+			attributionSource,
+		}: {
+			email: string;
+			firstName: string;
+			lastName: string;
+			protectedKey: string;
+			protectedKeyIV: string;
+			protectedKeyTag: string;
+			publicKey: string;
+			encryptedPrivateKey: string;
+			encryptedPrivateKeyIV: string;
+			encryptedPrivateKeyTag: string;
+			salt: string;
+			verifier: string;
+			organizationName: string;
+			providerAuthToken?: string;
+			attributionSource?: string;
+		} = req.body;
+
+		user = await User.findOne({ email });
+
+		if (!user || (user && user?.publicKey)) {
+			// case 1: user doesn't exist.
+			// case 2: user has already completed account
+			return res.status(403).send({
+				error: "Failed to complete account for complete user",
+			});
+		}
+
+		if (providerAuthToken) {
+			await validateProviderAuthToken({
+				email,
+				providerAuthToken,
+				user,
+			});
+		} else {
+			const [AUTH_TOKEN_TYPE, AUTH_TOKEN_VALUE] = <[string, string]>req.headers["authorization"]?.split(" ", 2) ?? [null, null]
+			if (AUTH_TOKEN_TYPE === null) {
+				throw BadRequestError({ message: "Missing Authorization Header in the request header." });
+			}
+			if (AUTH_TOKEN_TYPE.toLowerCase() !== "bearer") {
+				throw BadRequestError({ message: `The provided authentication type '${AUTH_TOKEN_TYPE}' is not supported.` })
+			}
+			if (AUTH_TOKEN_VALUE === null) {
+				throw BadRequestError({
+					message: "Missing Authorization Body in the request header",
+				})
+			}
+
+			const decodedToken = <jwt.UserIDJwtPayload>(
+				jwt.verify(AUTH_TOKEN_VALUE, await getJwtSignupSecret())
+			);
+
+			if (decodedToken.userId !== user.id) {
+				throw BadRequestError();
+			}
+		}
+
+		// complete setting up user's account
+		user = await completeAccount({
+			userId: user._id.toString(),
+			firstName,
+			lastName,
+			encryptionVersion: 2,
+			protectedKey,
+			protectedKeyIV,
+			protectedKeyTag,
+			publicKey,
+			encryptedPrivateKey,
+			encryptedPrivateKeyIV,
+			encryptedPrivateKeyTag,
+			salt,
+			verifier,
+		});
+
+		if (!user)
+			throw new Error("Failed to complete account for non-existent user"); // ensure user is non-null
+
+		if (user.authProvider !== AuthProvider.OKTA_SAML) {
+			// initialize default organization and workspace
+			await initializeDefaultOrg({
+				organizationName,
+				user,
+			});
+		}
+
+		// update organization membership statuses that are
+		// invited to completed with user attached
+		await MembershipOrg.updateMany(
+			{
+				inviteEmail: email,
+				status: INVITED,
+			},
+			{
+				user,
+				status: ACCEPTED,
+			}
+		);
+
+		// issue tokens
+		const tokens = await issueAuthTokens({
+			userId: user._id,
+			ip: req.realIP,
+			userAgent: req.headers["user-agent"] ?? "",
+		});
+
+		token = tokens.token;
+
+		// sending a welcome email to new users
+		if (await getLoopsApiKey()) {
+			await standardRequest.post("https://app.loops.so/api/v1/events/send", {
+				"email": email,
+				"eventName": "Sign Up",
+				"firstName": firstName,
+				"lastName": lastName,
+			}, {
+				headers: {
+					"Accept": "application/json",
+					"Authorization": "Bearer " + (await getLoopsApiKey()),
+				},
+			});
+		}
+
+		// store (refresh) token in httpOnly cookie
+		res.cookie("jid", tokens.refreshToken, {
+			httpOnly: true,
+			path: "/",
+			sameSite: "strict",
+			secure: await getHttpsEnabled(),
+		});
+
+		const postHogClient = await TelemetryService.getPostHogClient();
+		if (postHogClient) {
+			postHogClient.capture({
+				event: "User Signed Up",
+				distinctId: email,
+				properties: {
+					email,
+					...(attributionSource ? { attributionSource } : {})
+				},
+			});
+		}
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: "Failed to complete account setup",
+		});
+	}
+
+	return res.status(200).send({
+		message: "Successfully set up account",
+		user,
+		token,
+	});
+};

backend/src/controllers/v3/workspacesController.ts

@@ -0,0 +1,90 @@
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { Secret } from "../../models";
+import { SecretService } from"../../services";
+
+/**
+ * Return whether or not all secrets in workspace with id [workspaceId]
+ * are blind-indexed
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getWorkspaceBlindIndexStatus = async (req: Request, res: Response) => {
+    const { workspaceId } = req.params;
+
+    const secretsWithoutBlindIndex = await Secret.countDocuments({
+        workspace: new Types.ObjectId(workspaceId),
+        secretBlindIndex: {
+            $exists: false,
+        },
+    });
+
+    return res.status(200).send(secretsWithoutBlindIndex === 0);
+}
+
+/**
+ * Get all secrets for workspace with id [workspaceId]
+ */
+export const getWorkspaceSecrets = async (req: Request, res: Response) => {
+    const { workspaceId } = req.params;
+
+    const secrets = await Secret.find({
+        workspace: new Types.ObjectId (workspaceId),
+    });
+    
+    return res.status(200).send({
+        secrets,
+    });
+}
+
+/**
+ * Update blind indices for secrets in workspace with id [workspaceId]
+ * @param req 
+ * @param res 
+ */
+export const nameWorkspaceSecrets = async (req: Request, res: Response) => {
+    interface SecretToUpdate {
+        secretName: string;
+        _id: string;
+    }
+
+    const { workspaceId } = req.params;
+    const { 
+        secretsToUpdate, 
+    }: {
+        secretsToUpdate: SecretToUpdate[];
+    } = req.body;
+
+    // get secret blind index salt
+    const salt = await SecretService.getSecretBlindIndexSalt({
+        workspaceId: new Types.ObjectId(workspaceId),
+    });
+
+    // update secret blind indices
+    const operations = await Promise.all(
+        secretsToUpdate.map(async (secretToUpdate: SecretToUpdate) => {
+            const secretBlindIndex = await SecretService.generateSecretBlindIndexWithSalt({
+                secretName: secretToUpdate.secretName,
+                salt,
+            });
+    
+            return ({
+                updateOne: {
+                    filter: {
+                        _id: new Types.ObjectId(secretToUpdate._id),
+                    },
+                    update: {
+                        secretBlindIndex,
+                    },
+                },
+            });
+        })
+    );
+
+    await Secret.bulkWrite(operations);
+
+    return res.status(200).send({
+        message: "Successfully named workspace secrets",
+    });
+}

backend/src/ee/controllers/v1/actionController.ts

@@ -1,7 +1,6 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { Action, SecretVersion } from '../../models';
-import { ActionNotFoundError } from '../../../utils/errors';
+import { Request, Response } from "express";
+import { Action } from "../../models";
+import { ActionNotFoundError } from "../../../utils/errors";
 
 export const getAction = async (req: Request, res: Response) => {
     let action;
@@ -11,21 +10,21 @@ export const getAction = async (req: Request, res: Response) => {
         action = await Action
             .findById(actionId)
             .populate([
-                'payload.secretVersions.oldSecretVersion',
-                'payload.secretVersions.newSecretVersion'
+                "payload.secretVersions.oldSecretVersion",
+                "payload.secretVersions.newSecretVersion",
             ]);
         
         if (!action) throw ActionNotFoundError({
-            message: 'Failed to find action'
+            message: "Failed to find action",
         });
 
     } catch (err) {
         throw ActionNotFoundError({
-            message: 'Failed to find action'
+            message: "Failed to find action",
         });
     }
     
     return res.status(200).send({
-        action
+        action,
     });
 }

backend/src/ee/controllers/v1/cloudProductsController.ts

@@ -0,0 +1,28 @@
+import { Request, Response } from "express";
+import { EELicenseService } from "../../services";
+import { getLicenseServerUrl } from "../../../config";
+import { licenseServerKeyRequest } from "../../../config/request";
+
+/**
+ * Return available cloud product information.
+ * Note: Nicely formatted to easily construct a table from
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getCloudProducts = async (req: Request, res: Response) => {
+    const billingCycle = req.query["billing-cycle"] as string;
+
+    if (EELicenseService.instanceType === "cloud") {
+        const { data } = await licenseServerKeyRequest.get(
+            `${await getLicenseServerUrl()}/api/license-server/v1/cloud-products?billing-cycle=${billingCycle}`
+        ); 
+
+        return res.status(200).send(data);
+    }
+    
+    return res.status(200).send({
+        head: [],
+        rows: [],
+    });
+}

backend/src/ee/controllers/v1/index.ts

@@ -1,15 +1,21 @@
-import * as stripeController from './stripeController';
-import * as secretController from './secretController';
-import * as secretSnapshotController from './secretSnapshotController';
-import * as workspaceController from './workspaceController';
-import * as actionController from './actionController';
-import * as membershipController from './membershipController';
+import * as secretController from "./secretController";
+import * as secretSnapshotController from "./secretSnapshotController";
+import * as organizationsController from "./organizationsController";
+import * as ssoController from "./ssoController";
+import * as usersController from "./usersController";
+import * as workspaceController from "./workspaceController";
+import * as actionController from "./actionController";
+import * as membershipController from "./membershipController";
+import * as cloudProductsController from "./cloudProductsController";
 
 export {
-    stripeController,
     secretController,
     secretSnapshotController,
+    organizationsController,
+    ssoController,
+    usersController,
     workspaceController,
     actionController,
-    membershipController
+    membershipController,
+    cloudProductsController,
 }

backend/src/ee/controllers/v1/membershipController.ts

@@ -3,8 +3,7 @@ import { Membership, Workspace } from "../../../models";
 import { IMembershipPermission } from "../../../models/membership";
 import { BadRequestError, UnauthorizedRequestError } from "../../../utils/errors";
 import { ADMIN, MEMBER } from "../../../variables/organization";
-import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from '../../../variables';
-import { Builder } from "builder-pattern"
+import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from "../../../variables";
 import _ from "lodash";
 
 export const denyMembershipPermissions = async (req: Request, res: Response) => {
@@ -15,10 +14,10 @@ export const denyMembershipPermissions = async (req: Request, res: Response) =>
       throw BadRequestError({ message: "One or more required fields are missing from the request or have incorrect type" })
     }
 
-    return Builder<IMembershipPermission>()
-      .environmentSlug(permission.environmentSlug)
-      .ability(permission.ability)
-      .build();
+    return {
+      environmentSlug: permission.environmentSlug,
+      ability: permission.ability
+    }
   })
 
   const sanitizedMembershipPermissionsUnique = _.uniqWith(sanitizedMembershipPermissions, _.isEqual)
@@ -39,7 +38,7 @@ export const denyMembershipPermissions = async (req: Request, res: Response) =>
     throw BadRequestError({ message: "Something went wrong when locating the related workspace" })
   }
 
-  const uniqueEnvironmentSlugs = new Set(_.uniq(_.map(relatedWorkspace.environments, 'slug')));
+  const uniqueEnvironmentSlugs = new Set(_.uniq(_.map(relatedWorkspace.environments, "slug")));
 
   sanitizedMembershipPermissionsUnique.forEach(permission => {
     if (!uniqueEnvironmentSlugs.has(permission.environmentSlug)) {
@@ -59,6 +58,6 @@ export const denyMembershipPermissions = async (req: Request, res: Response) =>
   }
 
   res.send({
-    permissionsDenied: updatedMembershipWithPermissions.deniedPermissions
+    permissionsDenied: updatedMembershipWithPermissions.deniedPermissions,
   })
 }

backend/src/ee/controllers/v1/organizationsController.ts

@@ -0,0 +1,209 @@
+import { Request, Response } from "express";
+import { getLicenseServerUrl } from "../../../config";
+import { licenseServerKeyRequest } from "../../../config/request";
+import { EELicenseService } from "../../services";
+
+export const getOrganizationPlansTable = async (req: Request, res: Response) => {
+    const billingCycle = req.query.billingCycle as string;
+    
+    const { data } = await licenseServerKeyRequest.get(
+        `${await getLicenseServerUrl()}/api/license-server/v1/cloud-products?billing-cycle=${billingCycle}`
+    ); 
+
+    return res.status(200).send(data); 
+}
+
+/**
+ * Return the organization current plan's feature set
+ */
+export const getOrganizationPlan = async (req: Request, res: Response) => {
+    const { organizationId } = req.params;
+    const workspaceId = req.query.workspaceId as string;
+
+    const plan = await EELicenseService.getPlan(organizationId, workspaceId);
+
+    return res.status(200).send({
+        plan,
+    });
+}
+
+/**
+ * Return checkout url for pro trial
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const startOrganizationTrial = async (req: Request, res: Response) => {
+    const { organizationId } = req.params;
+    const { success_url } = req.body;
+
+    const { data: { url } } = await licenseServerKeyRequest.post(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/session/trial`,
+        {
+            success_url
+        }
+    ); 
+    
+    EELicenseService.delPlan(organizationId);
+    
+    return res.status(200).send({
+        url
+    });
+}
+
+/**
+ * Return the organization's current plan's billing info
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getOrganizationPlanBillingInfo = async (req: Request, res: Response) => {
+    const { data } = await licenseServerKeyRequest.get(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/cloud-plan/billing`
+    ); 
+    
+    return res.status(200).send(data);
+}
+
+/**
+ * Return the organization's current plan's feature table
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getOrganizationPlanTable = async (req: Request, res: Response) => {
+    const { data } = await licenseServerKeyRequest.get(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/cloud-plan/table`
+    ); 
+
+    return res.status(200).send(data);
+}
+
+export const getOrganizationBillingDetails = async (req: Request, res: Response) => {
+    const { data  } = await licenseServerKeyRequest.get(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details`
+    ); 
+
+    return res.status(200).send(data);
+}
+
+export const updateOrganizationBillingDetails = async (req: Request, res: Response) => {
+    const {
+        name,
+        email
+    } = req.body;
+
+    const { data } = await licenseServerKeyRequest.patch(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details`,
+        {
+            ...(name ? { name } : {}),
+            ...(email ? { email } : {})
+        }
+    ); 
+
+    return res.status(200).send(data); 
+}
+
+/**
+ * Return the organization's payment methods on file
+ */
+export const getOrganizationPmtMethods = async (req: Request, res: Response) => {
+    const { data: { pmtMethods } } = await licenseServerKeyRequest.get(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/payment-methods`
+    );
+
+    return res.status(200).send(pmtMethods); 
+}
+
+/**
+ * Return URL to add payment method for organization
+ */
+export const addOrganizationPmtMethod = async (req: Request, res: Response) => {
+    const {
+        success_url,
+        cancel_url,
+    } = req.body;
+    
+    const { data: { url } } = await licenseServerKeyRequest.post(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/payment-methods`,
+        {
+            success_url,
+            cancel_url,
+        }
+    );
+    
+    return res.status(200).send({
+        url,
+    }); 
+}
+
+export const deleteOrganizationPmtMethod = async (req: Request, res: Response) => {
+    const { pmtMethodId } = req.params;
+
+    const { data } = await licenseServerKeyRequest.delete(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/payment-methods/${pmtMethodId}`,
+    );
+        
+    return res.status(200).send(data);
+}
+
+/**
+ * Return the organization's tax ids on file
+ */
+export const getOrganizationTaxIds = async (req: Request, res: Response) => {
+    const { data: { tax_ids } } = await licenseServerKeyRequest.get(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/tax-ids`
+    );
+
+    return res.status(200).send(tax_ids); 
+}
+
+/**
+ * Add tax id to organization
+ */
+export const addOrganizationTaxId = async (req: Request, res: Response) => {
+    const {
+        type,
+        value
+    } = req.body;
+
+    const { data } = await licenseServerKeyRequest.post(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/tax-ids`,
+        {
+            type,
+            value
+        }
+    );
+
+    return res.status(200).send(data); 
+}
+
+/**
+ * Delete tax id with id [taxId] from organization tax ids on file
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const deleteOrganizationTaxId = async (req: Request, res: Response) => {
+    const { taxId } = req.params;
+
+    const { data } = await licenseServerKeyRequest.delete(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/tax-ids/${taxId}`,
+    );
+        
+    return res.status(200).send(data); 
+}
+
+/**
+ * Return organization's invoices on file
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getOrganizationInvoices = async (req: Request, res: Response) => {
+    const { data: { invoices } } = await licenseServerKeyRequest.get(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/invoices`
+    );
+
+    return res.status(200).send(invoices); 
+}

backend/src/ee/controllers/v1/secretController.ts

@@ -1,15 +1,14 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { Secret } from '../../../models';
-import { SecretVersion } from '../../models';
-import { EESecretService } from '../../services';
+import { Request, Response } from "express";
+import { Secret } from "../../../models";
+import { SecretVersion } from "../../models";
+import { EESecretService } from "../../services";
 
 /**
  * Return secret versions for secret with id [secretId]
  * @param req
  * @param res
  */
- export const getSecretVersions = async (req: Request, res: Response) => {
+export const getSecretVersions = async (req: Request, res: Response) => {
   /* 
     #swagger.summary = 'Return secret versions'
     #swagger.description = 'Return secret versions'
@@ -55,32 +54,22 @@ import { EESecretService } from '../../services';
         }
     }   
     */
-	let secretVersions;
-	try {
   const { secretId } = req.params;
 
   const offset: number = parseInt(req.query.offset as string);
   const limit: number = parseInt(req.query.limit as string);
 
-		secretVersions = await SecretVersion.find({
+  const secretVersions = await SecretVersion.find({
     secret: secretId
   })
     .sort({ createdAt: -1 })
     .skip(offset)
     .limit(limit);
 
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get secret versions'
-		});
-	}
-	
   return res.status(200).send({
     secretVersions
   });
-}
+};
 
 /**
  * Roll back secret with id [secretId] to version [version]
@@ -137,8 +126,6 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
         }
     }   
     */
-	let secret;
-	try {
   const { secretId } = req.params;
   const { version } = req.body;
 
@@ -146,25 +133,29 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
   const oldSecretVersion = await SecretVersion.findOne({
     secret: secretId,
     version
-		});
+  }).select("+secretBlindIndex");
 
-		if (!oldSecretVersion) throw new Error('Failed to find secret version');
+  if (!oldSecretVersion) throw new Error("Failed to find secret version");
 
   const {
     workspace,
     type,
     user,
     environment,
+    secretBlindIndex,
     secretKeyCiphertext,
     secretKeyIV,
     secretKeyTag,
     secretValueCiphertext,
     secretValueIV,
     secretValueTag,
+    algorithm,
+    folder,
+    keyEncoding
   } = oldSecretVersion;
 
   // update secret
-		secret = await Secret.findByIdAndUpdate(
+  const secret = await Secret.findByIdAndUpdate(
     secretId,
     {
       $inc: {
@@ -174,19 +165,23 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
       type,
       user,
       environment,
+      ...(secretBlindIndex ? { secretBlindIndex } : {}),
       secretKeyCiphertext,
       secretKeyIV,
       secretKeyTag,
       secretValueCiphertext,
       secretValueIV,
       secretValueTag,
+      folderId: folder,
+      algorithm,
+      keyEncoding
     },
     {
       new: true
     }
   );
 
-		if (!secret) throw new Error('Failed to find and update secret');
+  if (!secret) throw new Error("Failed to find and update secret");
 
   // add new secret version
   await new SecretVersion({
@@ -197,28 +192,26 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
     user,
     environment,
     isDeleted: false,
+    ...(secretBlindIndex ? { secretBlindIndex } : {}),
     secretKeyCiphertext,
     secretKeyIV,
     secretKeyTag,
     secretValueCiphertext,
     secretValueIV,
-			secretValueTag
+    secretValueTag,
+    folder,
+    algorithm,
+    keyEncoding
   }).save();
 
   // take secret snapshot
   await EESecretService.takeSecretSnapshot({
-			workspaceId: secret.workspace.toString()
+    workspaceId: secret.workspace,
+    environment,
+    folderId: folder
   });
 
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to roll back secret version'
-		});
-	}
-	
   return res.status(200).send({
     secret
   });
-}
+};

backend/src/ee/controllers/v1/secretSnapshotController.ts

@@ -1,6 +1,9 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { SecretSnapshot } from '../../models';
+import { Request, Response } from "express";
+import {
+  ISecretVersion,
+  SecretSnapshot,
+  TFolderRootVersionSchema,
+} from "../../models";
 
 /**
  * Return secret snapshot with id [secretSnapshotId]
@@ -9,31 +12,34 @@ import { SecretSnapshot } from '../../models';
  * @returns
  */
 export const getSecretSnapshot = async (req: Request, res: Response) => {
-    let secretSnapshot;
-    try {
   const { secretSnapshotId } = req.params;
 
-        secretSnapshot = await SecretSnapshot
-            .findById(secretSnapshotId)
-            .populate({
-                path: 'secretVersions',
+  const secretSnapshot = await SecretSnapshot.findById(secretSnapshotId)
+    .lean()
+    .populate<{ secretVersions: ISecretVersion[] }>({
+      path: "secretVersions",
       populate: {
-                    path: 'tags',
-                    model: 'Tag',
-                }
-            });
+        path: "tags",
+        model: "Tag",
+      },
+    })
+    .populate<{ folderVersion: TFolderRootVersionSchema }>("folderVersion");
   
-        if (!secretSnapshot) throw new Error('Failed to find secret snapshot');
+  if (!secretSnapshot) throw new Error("Failed to find secret snapshot");
   
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get secret snapshot'
-		});
-    }
+  const folderId = secretSnapshot.folderId;
+  // to show only the folder required secrets
+  secretSnapshot.secretVersions = secretSnapshot.secretVersions.filter(
+    ({ folder }) => folder === folderId
+  );
+
+  secretSnapshot.folderVersion =
+    secretSnapshot?.folderVersion?.nodes?.children?.map(({ id, name }) => ({
+      id,
+      name,
+    })) as any;
 
   return res.status(200).send({
-        secretSnapshot
+    secretSnapshot,
   });
-}
+};

backend/src/ee/controllers/v1/ssoController.ts

@@ -0,0 +1,267 @@
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { BotOrgService } from "../../../services";
+import { SSOConfig } from "../../models";
+import { 
+    MembershipOrg,
+    User
+} from "../../../models";
+import { getSSOConfigHelper } from "../../helpers/organizations";
+import { client } from "../../../config";
+import { ResourceNotFoundError } from "../../../utils/errors";
+import { getSiteURL } from "../../../config";
+import { EELicenseService } from "../../services";
+
+/**
+ * Redirect user to appropriate SSO endpoint after successful authentication
+ * to finish inputting their master key for logging in or signing up
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const redirectSSO = async (req: Request, res: Response) => {
+    if (req.isUserCompleted) {
+      return res.redirect(`${await getSiteURL()}/login/sso?token=${encodeURIComponent(req.providerAuthToken)}`);
+    }
+    
+    return res.redirect(`${await getSiteURL()}/signup/sso?token=${encodeURIComponent(req.providerAuthToken)}`);
+}
+
+/**
+ * Return organization SAML SSO configuration
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getSSOConfig = async (req: Request, res: Response) => {
+    const organizationId = req.query.organizationId as string;
+    
+    const data = await getSSOConfigHelper({
+        organizationId: new Types.ObjectId(organizationId)
+    });
+
+    return res.status(200).send(data);
+}
+
+/**
+ * Update organization SAML SSO configuration
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const updateSSOConfig = async (req: Request, res: Response) => {
+    const {
+        organizationId,
+        authProvider,
+        isActive,
+        entryPoint,
+        issuer,
+        cert,
+        audience
+    } = req.body;
+
+    const plan = await EELicenseService.getPlan(organizationId);
+    
+    if (!plan.samlSSO) return res.status(400).send({
+        message: "Failed to update SAML SSO configuration due to plan restriction. Upgrade plan to update SSO configuration."
+    });
+    
+    interface PatchUpdate {
+        authProvider?: string;
+        isActive?: boolean;
+        encryptedEntryPoint?: string;
+        entryPointIV?: string;
+        entryPointTag?: string;
+        encryptedIssuer?: string;
+        issuerIV?: string;
+        issuerTag?: string;
+        encryptedCert?: string;
+        certIV?: string;
+        certTag?: string;
+        encryptedAudience?: string;
+        audienceIV?: string;
+        audienceTag?: string;
+    }
+    
+    const update: PatchUpdate = {};
+    
+    if (authProvider) {
+        update.authProvider = authProvider;
+    }
+    
+    if (isActive !== undefined) {
+        update.isActive = isActive;
+    }
+    
+    const key = await BotOrgService.getSymmetricKey(
+        new Types.ObjectId(organizationId)
+    );
+    
+    if (entryPoint) {
+        const {
+            ciphertext: encryptedEntryPoint,
+            iv: entryPointIV,
+            tag: entryPointTag
+        } = client.encryptSymmetric(entryPoint, key);
+        
+        update.encryptedEntryPoint = encryptedEntryPoint;
+        update.entryPointIV = entryPointIV;
+        update.entryPointTag = entryPointTag;
+    }
+
+    if (issuer) {
+        const {
+            ciphertext: encryptedIssuer,
+            iv: issuerIV,
+            tag: issuerTag
+        } = client.encryptSymmetric(issuer, key);
+        
+        update.encryptedIssuer = encryptedIssuer;
+        update.issuerIV = issuerIV;
+        update.issuerTag = issuerTag;
+    }
+
+    if (cert) {
+        const {
+            ciphertext: encryptedCert,
+            iv: certIV,
+            tag: certTag
+        } = client.encryptSymmetric(cert, key);
+        
+        update.encryptedCert = encryptedCert;
+        update.certIV = certIV;
+        update.certTag = certTag;
+    }
+
+    if (audience) {
+        const {
+            ciphertext: encryptedAudience,
+            iv: audienceIV,
+            tag: audienceTag
+        } = client.encryptSymmetric(audience, key);
+        
+        update.encryptedAudience = encryptedAudience;
+        update.audienceIV = audienceIV;
+        update.audienceTag = audienceTag;
+    }
+    
+    const ssoConfig = await SSOConfig.findOneAndUpdate(
+        {
+            organization: new Types.ObjectId(organizationId)
+        },
+        update,
+        {
+            new: true
+        }
+    );
+    
+    if (!ssoConfig) throw ResourceNotFoundError({
+        message: "Failed to find SSO config to update"
+    });
+    
+    if (update.isActive !== undefined) {
+        const membershipOrgs = await MembershipOrg.find({
+            organization: new Types.ObjectId(organizationId)
+        }).select("user");
+        
+        if (update.isActive) {
+            await User.updateMany(
+                {
+                    _id: {
+                        $in: membershipOrgs.map((membershipOrg) => membershipOrg.user)
+                    }
+                },
+                {
+                    authProvider: ssoConfig.authProvider
+                }
+            );
+        } else {
+            await User.updateMany(
+                {
+                    _id: {
+                        $in: membershipOrgs.map((membershipOrg) => membershipOrg.user)
+                    }
+                },
+                {
+                    $unset: {
+                        authProvider: 1
+                    }
+                }
+            );
+        }
+    }
+    
+    return res.status(200).send(ssoConfig);
+}
+
+/**
+ * Create organization SAML SSO configuration
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const createSSOConfig = async (req: Request, res: Response) => {
+    const {
+        organizationId,
+        authProvider,
+        isActive,
+        entryPoint,
+        issuer,
+        cert,
+        audience
+    } = req.body;
+
+    const plan = await EELicenseService.getPlan(organizationId);
+    
+    if (!plan.samlSSO) return res.status(400).send({
+        message: "Failed to create SAML SSO configuration due to plan restriction. Upgrade plan to add SSO configuration."
+    });
+    
+    const key = await BotOrgService.getSymmetricKey(
+        new Types.ObjectId(organizationId)
+    );
+
+    const {
+        ciphertext: encryptedEntryPoint,
+        iv: entryPointIV,
+        tag: entryPointTag
+    } = client.encryptSymmetric(entryPoint, key);
+
+    const {
+        ciphertext: encryptedIssuer,
+        iv: issuerIV,
+        tag: issuerTag
+    } = client.encryptSymmetric(issuer, key);
+
+    const {
+        ciphertext: encryptedCert,
+        iv: certIV,
+        tag: certTag
+    } = client.encryptSymmetric(cert, key);
+
+    const {
+        ciphertext: encryptedAudience,
+        iv: audienceIV,
+        tag: audienceTag
+    } = client.encryptSymmetric(audience, key);
+    
+    const ssoConfig = await new SSOConfig({
+        organization: new Types.ObjectId(organizationId),
+        authProvider,
+        isActive,
+        encryptedEntryPoint,
+        entryPointIV,
+        entryPointTag,
+        encryptedIssuer,
+        issuerIV,
+        issuerTag,
+        encryptedCert,
+        certIV,
+        certTag,
+        encryptedAudience,
+        audienceIV,
+        audienceTag
+    }).save();
+
+    return res.status(200).send(ssoConfig);
+}

backend/src/ee/controllers/v1/stripeController.ts

@@ -1,41 +0,0 @@
-import * as Sentry from '@sentry/node';
-import { Request, Response } from 'express';
-import Stripe from 'stripe';
-import { getStripeSecretKey, getStripeWebhookSecret } from '../../../config';
-
-/**
- * Handle service provisioning/un-provisioning via Stripe
- * @param req
- * @param res
- * @returns
- */
-export const handleWebhook = async (req: Request, res: Response) => {
-	let event;
-	try {
-		const stripe = new Stripe(getStripeSecretKey(), {
-			apiVersion: '2022-08-01'
-		});
-
-		// check request for valid stripe signature
-		const sig = req.headers['stripe-signature'] as string;
-		event = stripe.webhooks.constructEvent(
-			req.body,
-			sig,
-			getStripeWebhookSecret()
-		);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			error: 'Failed to process webhook'
-		});
-	}
-
-	switch (event.type) {
-		case '':
-			break;
-		default:
-	}
-
-	return res.json({ received: true });
-};

backend/src/ee/controllers/v1/usersController.ts

@@ -0,0 +1,13 @@
+import { Request, Response } from "express";
+
+/**
+ * Return the ip address of the current user
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getMyIp = (req: Request, res: Response) => {
+    return res.status(200).send({
+        ip: req.authData.authIP
+    });
+}

backend/src/ee/controllers/v1/workspaceController.ts

@@ -1,24 +1,32 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
+import { Request, Response } from "express";
+import { PipelineStage, Types } from "mongoose";
+import { Secret } from "../../../models";
 import {
-	Secret
-} from '../../../models';
-import { 
-	SecretSnapshot,
+  FolderVersion,
+  IPType,
+  ISecretVersion,
   Log,
+  SecretSnapshot,
   SecretVersion,
-	ISecretVersion
-} from '../../models';
-import { EESecretService } from '../../services';
-import { getLatestSecretVersionIds } from '../../helpers/secretVersion';
+  TFolderRootVersionSchema,
+  TrustedIP
+} from "../../models";
+import { EESecretService } from "../../services";
+import { getLatestSecretVersionIds } from "../../helpers/secretVersion";
+import Folder, { TFolderSchema } from "../../../models/folder";
+import { searchByFolderId } from "../../../services/FolderService";
+import { EELicenseService } from "../../services";
+import { extractIPDetails, isValidIpOrCidr } from "../../../utils/ip";
 
 /**
  * Return secret snapshots for workspace with id [workspaceId]
  * @param req
  * @param res
  */
- export const getWorkspaceSecretSnapshots = async (req: Request, res: Response) => {
+export const getWorkspaceSecretSnapshots = async (
+  req: Request,
+  res: Response
+) => {
   /* 
     #swagger.summary = 'Return project secret snapshot ids'
     #swagger.description = 'Return project secret snapshots ids'
@@ -64,57 +72,48 @@ import { getLatestSecretVersionIds } from '../../helpers/secretVersion';
         }
     }
     */
-	let secretSnapshots;
-	try {
   const { workspaceId } = req.params;
+  const { environment, folderId } = req.query;
 
   const offset: number = parseInt(req.query.offset as string);
   const limit: number = parseInt(req.query.limit as string);
 
-		secretSnapshots = await SecretSnapshot.find({
-			workspace: workspaceId
+  const secretSnapshots = await SecretSnapshot.find({
+    workspace: workspaceId,
+    environment,
+    folderId: folderId || "root",
   })
     .sort({ createdAt: -1 })
     .skip(offset)
     .limit(limit);
 
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get secret snapshots'
-		});
-	}
-	
   return res.status(200).send({
-		secretSnapshots
+    secretSnapshots,
   });
-}
+};
 
 /**
  * Return count of secret snapshots for workspace with id [workspaceId]
  * @param req
  * @param res
  */
-export const getWorkspaceSecretSnapshotsCount = async (req: Request, res: Response) => {
-	let count;
-	try {
+export const getWorkspaceSecretSnapshotsCount = async (
+  req: Request,
+  res: Response
+) => {
   const { workspaceId } = req.params;
-		count = await SecretSnapshot.countDocuments({
-			workspace: workspaceId
+  const { environment, folderId } = req.query;
+
+  const count = await SecretSnapshot.countDocuments({
+    workspace: workspaceId,
+    environment,
+    folderId: folderId || "root",
   });
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to count number of secret snapshots'
-		});
-	}
 
   return res.status(200).send({
-		count
+    count,
   });
-}
+};
 
 /**
  * Rollback secret snapshot with id [secretSnapshotId] to version [version]
@@ -122,7 +121,10 @@ export const getWorkspaceSecretSnapshotsCount = async (req: Request, res: Respon
  * @param res
  * @returns
  */
-export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Response) => {
+export const rollbackWorkspaceSecretSnapshot = async (
+  req: Request,
+  res: Response
+) => {
   /* 
     #swagger.summary = 'Roll back project secrets to those captured in a secret snapshot version.'
     #swagger.description = 'Roll back project secrets to those captured in a secret snapshot version.'
@@ -173,106 +175,256 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
         }
     }   
     */
-	let secrets;
-    try {	
+
   const { workspaceId } = req.params;
-        const { version } = req.body;
+  const { version, environment, folderId = "root" } = req.body;
 
   // validate secret snapshot
   const secretSnapshot = await SecretSnapshot.findOne({
     workspace: workspaceId,
-			version
-		}).populate<{ secretVersions: ISecretVersion[]}>('secretVersions');
+    version,
+    environment,
+    folderId: folderId,
+  })
+    .populate<{ secretVersions: ISecretVersion[] }>({
+      path: "secretVersions",
+      select: "+secretBlindIndex",
+    })
+    .populate<{ folderVersion: TFolderRootVersionSchema }>("folderVersion");
 
-        if (!secretSnapshot) throw new Error('Failed to find secret snapshot');
+  if (!secretSnapshot) throw new Error("Failed to find secret snapshot");
+
+  const snapshotFolderTree = secretSnapshot.folderVersion;
+  const latestFolderTree = await Folder.findOne({
+    workspace: workspaceId,
+    environment,
+  });
+
+  const latestFolderVersion = await FolderVersion.findOne({
+    environment,
+    workspace: workspaceId,
+    "nodes.id": folderId,
+  }).sort({ "nodes.version": -1 });
+
+  const oldSecretVersionsObj: Record<string, ISecretVersion> = {};
+  const secretIds: Types.ObjectId[] = [];
+  const folderIds: string[] = [folderId];
+
+  secretSnapshot.secretVersions.forEach((snapSecVer) => {
+    oldSecretVersionsObj[snapSecVer.secret.toString()] = snapSecVer;
+    secretIds.push(snapSecVer.secret);
+  });
+
+  // the parent node from current latest one
+  // this will be modified according to the snapshot and latest snapshots
+  const newFolderTree =
+    latestFolderTree && searchByFolderId(latestFolderTree.nodes, folderId);
+
+  if (newFolderTree) {
+    newFolderTree.children = snapshotFolderTree?.nodes?.children || [];
+    const queue = [newFolderTree];
+    // a bfs algorithm in which we take the latest snapshots of all the folders in a level
+    while (queue.length) {
+      const groupByFolderId: Record<string, TFolderSchema> = {};
+      // the original queue is popped out completely to get what ever in a level
+      // subqueue is filled with all the children thus next level folders
+      // subQueue will then be transfered to the oriinal queue
+      const subQueue: TFolderSchema[] = [];
+      // get everything inside a level
+      while (queue.length) {
+        const folder = queue.pop() as TFolderSchema;
+        folder.children.forEach((el) => {
+          folderIds.push(el.id); // push ids and data into queu
+          subQueue.push(el);
+          // to modify the original tree very fast we keep a reference object
+          // key with folder id and pointing to the various nodes
+          groupByFolderId[el.id] = el;
+        });
+      }
+      // get latest snapshots of all the folder
+      const matchWsFoldersPipeline = {
+        $match: {
+          workspace: new Types.ObjectId(workspaceId),
+          environment,
+          folderId: {
+            $in: Object.keys(groupByFolderId),
+          },
+        },
+      };
+      const sortByFolderIdAndVersion: PipelineStage = {
+        $sort: { folderId: 1, version: -1 },
+      };
+      const pickLatestVersionOfEachFolder = {
+        $group: {
+          _id: "$folderId",
+          latestVersion: { $first: "$version" },
+          doc: {
+            $first: "$$ROOT",
+          },
+        },
+      };
+      const populateSecVersion = {
+        $lookup: {
+          from: SecretVersion.collection.name,
+          localField: "doc.secretVersions",
+          foreignField: "_id",
+          as: "doc.secretVersions",
+        },
+      };
+      const populateFolderVersion = {
+        $lookup: {
+          from: FolderVersion.collection.name,
+          localField: "doc.folderVersion",
+          foreignField: "_id",
+          as: "doc.folderVersion",
+        },
+      };
+      const unwindFolderVerField = {
+        $unwind: {
+          path: "$doc.folderVersion",
+          preserveNullAndEmptyArrays: true,
+        },
+      };
+      const latestSnapshotsByFolders: Array<{ doc: typeof secretSnapshot }> =
+        await SecretSnapshot.aggregate([
+          matchWsFoldersPipeline,
+          sortByFolderIdAndVersion,
+          pickLatestVersionOfEachFolder,
+          populateSecVersion,
+          populateFolderVersion,
+          unwindFolderVerField,
+        ]);
+
+      // recursive snapshotting each level
+      latestSnapshotsByFolders.forEach((snap) => {
+        // mutate the folder tree to update the nodes to the latest version tree
+        // we are reconstructing the folder tree by latest snapshots here
+        if (groupByFolderId[snap.doc.folderId]) {
+          groupByFolderId[snap.doc.folderId].children =
+            snap.doc?.folderVersion?.nodes?.children || [];
+        }
+
+        // push all children of next level snapshots
+        if (snap.doc.folderVersion?.nodes?.children) {
+          queue.push(...snap.doc.folderVersion.nodes.children);
+        }
+
+        snap.doc.secretVersions.forEach((snapSecVer) => {
+          // record all the secrets
+          oldSecretVersionsObj[snapSecVer.secret.toString()] = snapSecVer;
+          secretIds.push(snapSecVer.secret);
+        });
+      });
+
+      queue.push(...subQueue);
+    }
+  }
 
   // TODO: fix any
-		const oldSecretVersionsObj: any = secretSnapshot.secretVersions
-			.reduce((accumulator, s) => ({ 
-				...accumulator, 
-				[`${s.secret.toString()}`]: s 
-			}), {});	
-		
   const latestSecretVersionIds = await getLatestSecretVersionIds({
-			secretIds: secretSnapshot.secretVersions.map((sv) => sv.secret)
+    secretIds,
   });
 
   // TODO: fix any
-		const latestSecretVersions: any = (await SecretVersion.find({
+  const latestSecretVersions: any = (
+    await SecretVersion.find(
+      {
         _id: {
-				$in: latestSecretVersionIds.map((s) => s.versionId)
-			}
-		}, 'secret version'))
-		.reduce((accumulator, s) => ({ 
+          $in: latestSecretVersionIds.map((s) => s.versionId),
+        },
+      },
+      "secret version"
+    )
+  ).reduce(
+    (accumulator, s) => ({
       ...accumulator,
-			[`${s.secret.toString()}`]: s 
-		}), {});
+      [`${s.secret.toString()}`]: s,
+    }),
+    {}
+  );
+
+  const secDelQuery: Record<string, unknown> = {
+    workspace: workspaceId,
+    environment,
+    // undefined means root thus collect all secrets
+  };
+  if (folderId !== "root" && folderIds.length)
+    secDelQuery.folder = { $in: folderIds };
 
   // delete existing secrets
-		await Secret.deleteMany({
-			workspace: workspaceId
+  await Secret.deleteMany(secDelQuery);
+  await Folder.deleteOne({
+    workspace: workspaceId,
+    environment,
   });
 
   // add secrets
-        secrets = await Secret.insertMany(
-			secretSnapshot.secretVersions.map((sv) => {
-				const secretId = sv.secret;
+  const secrets = await Secret.insertMany(
+    Object.keys(oldSecretVersionsObj).map((sv) => {
       const {
+        secret: secretId,
         workspace,
         type,
         user,
         environment,
+        secretBlindIndex,
         secretKeyCiphertext,
         secretKeyIV,
         secretKeyTag,
-					secretKeyHash,
         secretValueCiphertext,
         secretValueIV,
         secretValueTag,
-					secretValueHash,
-					createdAt
-				} = oldSecretVersionsObj[secretId.toString()];
+        createdAt,
+        algorithm,
+        keyEncoding,
+        folder: secFolderId,
+      } = oldSecretVersionsObj[sv];
 
-				return ({
+      return {
         _id: secretId,
         version: latestSecretVersions[secretId.toString()].version + 1,
         workspace,
         type,
         user,
         environment,
+        secretBlindIndex: secretBlindIndex ?? undefined,
         secretKeyCiphertext,
         secretKeyIV,
         secretKeyTag,
-					secretKeyHash,
         secretValueCiphertext,
         secretValueIV,
         secretValueTag,
-					secretValueHash,
-					secretCommentCiphertext: '',
-					secretCommentIV: '',
-					secretCommentTag: '',
-					createdAt
-				});
+        secretCommentCiphertext: "",
+        secretCommentIV: "",
+        secretCommentTag: "",
+        createdAt,
+        algorithm,
+        keyEncoding,
+        folder: secFolderId,
+      };
     })
   );
 
   // add secret versions
-		await SecretVersion.insertMany(
-			secrets.map(({
+  const secretV = await SecretVersion.insertMany(
+    secrets.map(
+      ({
         _id,
         version,
         workspace,
         type,
         user,
         environment,
+        secretBlindIndex,
         secretKeyCiphertext,
         secretKeyIV,
         secretKeyTag,
-				secretKeyHash,
         secretValueCiphertext,
         secretValueIV,
         secretValueTag,
-				secretValueHash
+        algorithm,
+        keyEncoding,
+        folder: secFolderId,
       }) => ({
         _id: new Types.ObjectId(),
         secret: _id,
@@ -282,42 +434,61 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
         user,
         environment,
         isDeleted: false,
+        secretBlindIndex: secretBlindIndex ?? undefined,
         secretKeyCiphertext,
         secretKeyIV,
         secretKeyTag,
-				secretKeyHash,
         secretValueCiphertext,
         secretValueIV,
         secretValueTag,
-				secretValueHash
-			}))
+        algorithm,
+        keyEncoding,
+        folder: secFolderId,
+      })
+    )
   );
 
-		// update secret versions of restored secrets as not deleted
-		await SecretVersion.updateMany({
-			secret: {
-				$in: secretSnapshot.secretVersions.map((sv) => sv.secret)
-			}
-		}, {
-			isDeleted: false
+  if (newFolderTree && latestFolderTree) {
+    // save the updated folder tree to the present one
+    newFolderTree.version = (latestFolderVersion?.nodes?.version || 0) + 1;
+    latestFolderTree._id = new Types.ObjectId();
+    latestFolderTree.isNew = true;
+    await latestFolderTree.save();
+
+    // create new folder version
+    const newFolderVersion = new FolderVersion({
+      workspace: workspaceId,
+      environment,
+      nodes: newFolderTree,
     });
+    await newFolderVersion.save();
+  }
+
+  // update secret versions of restored secrets as not deleted
+  await SecretVersion.updateMany(
+    {
+      secret: {
+        $in: Object.keys(oldSecretVersionsObj).map(
+          (sv) => oldSecretVersionsObj[sv].secret
+        ),
+      },
+    },
+    {
+      isDeleted: false,
+    }
+  );
 
   // take secret snapshot
   await EESecretService.takeSecretSnapshot({
-			workspaceId
+    workspaceId: new Types.ObjectId(workspaceId),
+    environment,
+    folderId,
   });
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to roll back secret snapshot'
-		}); 
-    }
 
   return res.status(200).send({
-		secrets
+    secrets,
   });
-}
+};
 
 /**
  * Return (audit) logs for workspace with id [workspaceId]
@@ -392,8 +563,6 @@ export const getWorkspaceLogs = async (req: Request, res: Response) => {
         }
     }   
     */
-	let logs
-	try {
   const { workspaceId } = req.params;
 
   const offset: number = parseInt(req.query.offset as string);
@@ -402,33 +571,168 @@ export const getWorkspaceLogs = async (req: Request, res: Response) => {
   const userId: string = req.query.userId as string;
   const actionNames: string = req.query.actionNames as string;
 
-		logs = await Log.find({
+  const logs = await Log.find({
     workspace: workspaceId,
-			...( userId ? { user: userId } : {}),
-			...( 
-				actionNames 
+    ...(userId ? { user: userId } : {}),
+    ...(actionNames
       ? {
           actionNames: {
-						$in: actionNames.split(',')
+            $in: actionNames.split(","),
+          },
         }
-				} : {}
-			)
+      : {}),
   })
-		.sort({ createdAt: sortBy === 'recent' ? -1 : 1 })
+    .sort({ createdAt: sortBy === "recent" ? -1 : 1 })
     .skip(offset)
     .limit(limit)
-		.populate('actions')
-		.populate('user serviceAccount serviceTokenData');
-
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get workspace logs'
-		});
-	}
+    .populate("actions")
+    .populate("user serviceAccount serviceTokenData");
 
   return res.status(200).send({
-		logs
+    logs,
+  });
+};
+
+/**
+ * Return trusted ips for workspace with id [workspaceId]
+ * @param req
+ * @param res 
+ */
+export const getWorkspaceTrustedIps = async (req: Request, res: Response) => {
+  const { workspaceId } = req.params;
+
+  const trustedIps = await TrustedIP.find({
+    workspace: new Types.ObjectId(workspaceId)
+  });
+    
+  return res.status(200).send({
+    trustedIps
+  });
+}
+
+/**
+ * Add a trusted ip to workspace with id [workspaceId]
+ * @param req 
+ * @param res 
+ */
+export const addWorkspaceTrustedIp = async (req: Request, res: Response) => {
+  const { workspaceId } = req.params;
+  const {
+    ipAddress: ip,
+    comment,
+    isActive
+  } = req.body;
+  
+  const plan = await EELicenseService.getPlan(req.workspace.organization.toString());
+  
+  if (!plan.ipAllowlisting) return res.status(400).send({
+    message: "Failed to add IP access range due to plan restriction. Upgrade plan to add IP access range."
+  });
+  
+  const isValidIPOrCidr = isValidIpOrCidr(ip);
+  
+  if (!isValidIPOrCidr) return res.status(400).send({
+    message: "The IP is not a valid IPv4, IPv6, or CIDR block"
+  });
+  
+  const { ipAddress, type, prefix } = extractIPDetails(ip);
+
+  const trustedIp = await new TrustedIP({
+    workspace: new Types.ObjectId(workspaceId),
+    ipAddress,
+    type,
+    prefix,
+    isActive,
+    comment,
+  }).save();
+
+  return res.status(200).send({
+    trustedIp
+  });
+}
+
+/**
+ * Update trusted ip with id [trustedIpId] workspace with id [workspaceId]
+ * @param req 
+ * @param res 
+ */
+export const updateWorkspaceTrustedIp = async (req: Request, res: Response) => {
+  const { workspaceId, trustedIpId } = req.params;
+  const {
+    ipAddress: ip,
+    comment
+  } = req.body;
+
+  const plan = await EELicenseService.getPlan(req.workspace.organization.toString());
+
+  if (!plan.ipAllowlisting) return res.status(400).send({
+    message: "Failed to update IP access range due to plan restriction. Upgrade plan to update IP access range."
+  });
+
+  const isValidIPOrCidr = isValidIpOrCidr(ip);
+  
+  if (!isValidIPOrCidr) return res.status(400).send({
+    message: "The IP is not a valid IPv4, IPv6, or CIDR block"
+  });
+  
+  const { ipAddress, type, prefix } = extractIPDetails(ip);
+
+  const updateObject: {
+    ipAddress: string;
+    type: IPType;
+    comment: string;
+    prefix?: number;
+    $unset?: {
+      prefix: number;
+    }
+  } = {
+    ipAddress,
+    type,
+    comment
+  };
+  
+  if (prefix !== undefined) {
+    updateObject.prefix = prefix;
+  } else {
+    updateObject.$unset = { prefix: 1 };
+  }
+  
+  const trustedIp = await TrustedIP.findOneAndUpdate(
+    {
+      _id: new Types.ObjectId(trustedIpId),
+      workspace: new Types.ObjectId(workspaceId),
+    },
+    updateObject,
+    {
+      new: true
+    }
+  );
+  
+  return res.status(200).send({
+    trustedIp
+  });
+}
+
+/**
+ * Delete IP access range from workspace with id [workspaceId]
+ * @param req 
+ * @param res 
+ */
+export const deleteWorkspaceTrustedIp = async (req: Request, res: Response) => {
+  const { workspaceId, trustedIpId } = req.params;
+
+  const plan = await EELicenseService.getPlan(req.workspace.organization.toString());
+  
+  if (!plan.ipAllowlisting) return res.status(400).send({
+    message: "Failed to delete IP access range due to plan restriction. Upgrade plan to delete IP access range."
+  });
+  
+  const trustedIp = await TrustedIP.findOneAndDelete({
+    _id: new Types.ObjectId(trustedIpId),
+    workspace: new Types.ObjectId(workspaceId)
+  });
+
+  return res.status(200).send({
+    trustedIp
   });
 }

backend/src/ee/helpers/action.ts

@@ -1,18 +1,17 @@
-import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
-import { Action } from '../models';
+import { Types } from "mongoose";
+import { Action } from "../models";
 import { 
+    getLatestNSecretSecretVersionIds,
     getLatestSecretVersionIds,
-    getLatestNSecretSecretVersionIds
-} from '../helpers/secretVersion';
+} from "../helpers/secretVersion";
 import { 
+    ACTION_ADD_SECRETS,
+    ACTION_DELETE_SECRETS,
     ACTION_LOGIN,
     ACTION_LOGOUT,
-    ACTION_ADD_SECRETS,
     ACTION_READ_SECRETS,
-    ACTION_DELETE_SECRETS,
     ACTION_UPDATE_SECRETS,
-} from '../../variables';
+} from "../../variables";
 
 /**
  * Create an (audit) action for updating secrets
@@ -27,7 +26,7 @@ const createActionUpdateSecret = async ({
     serviceAccountId,
     serviceTokenDataId,
     workspaceId,
-    secretIds
+    secretIds,
 }: {
     name: string;
     userId?: Types.ObjectId;
@@ -36,34 +35,26 @@ const createActionUpdateSecret = async ({
     workspaceId: Types.ObjectId;
     secretIds: Types.ObjectId[];
 }) => {
-    let action;
-    try {
     const latestSecretVersions = (await getLatestNSecretSecretVersionIds({
             secretIds,
-                n: 2
+            n: 2,
         }))
         .map((s) => ({
             oldSecretVersion: s.versions[0]._id,
-                newSecretVersion: s.versions[1]._id
+            newSecretVersion: s.versions[1]._id,
         }));
     
-        action = await new Action({
+    const action = await new Action({
         name,
         user: userId,
         serviceAccount: serviceAccountId,
         serviceTokenData: serviceTokenDataId,
         workspace: workspaceId,
         payload: {
-                secretVersions: latestSecretVersions
-            }
+            secretVersions: latestSecretVersions,
+        },
     }).save();
     
-    } catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-        throw new Error('Failed to create update secret action');
-    }
-    
     return action;
 }
 
@@ -81,7 +72,7 @@ const createActionSecret = async ({
     serviceAccountId,
     serviceTokenDataId,
     workspaceId,
-    secretIds
+    secretIds,
 }: {
     name: string;
     userId?: Types.ObjectId;
@@ -90,34 +81,26 @@ const createActionSecret = async ({
     workspaceId: Types.ObjectId;
     secretIds: Types.ObjectId[];
 }) => {
-    let action;
-    try {
     // case: action is adding, deleting, or reading secrets
     // -> add new secret versions
     const latestSecretVersions = (await getLatestSecretVersionIds({
-            secretIds
+        secretIds,
     }))
     .map((s) => ({
-            newSecretVersion: s.versionId
+        newSecretVersion: s.versionId,
     }));
     
-       action = await new Action({
+   const action = await new Action({
         name,
         user: userId,
         serviceAccount: serviceAccountId,
         serviceTokenData: serviceTokenDataId,
         workspace: workspaceId,
         payload: {
-                secretVersions: latestSecretVersions
-            }
+            secretVersions: latestSecretVersions,
+        },
     }).save(); 
     
-    } catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-        throw new Error('Failed to create action create/read/delete secret action');
-    }
-    
     return action;
 }
 
@@ -133,26 +116,19 @@ const createActionClient = ({
     name,
     userId,
     serviceAccountId,
-    serviceTokenDataId
+    serviceTokenDataId,
 }: {
     name: string;
     userId?: Types.ObjectId;
     serviceAccountId?: Types.ObjectId;
     serviceTokenDataId?: Types.ObjectId;
 }) => {
-    let action;
-    try {
-        action = new Action({
+    const action = new Action({
         name,
         user: userId,
         serviceAccount: serviceAccountId,
-            serviceTokenData: serviceTokenDataId
+        serviceTokenData: serviceTokenDataId,
     }).save();
-    } catch (err) {
-        Sentry.setUser(null);
-        Sentry.captureException(err);
-        throw new Error('Failed to create client action');
-    }
 
     return action; 
 }
@@ -181,45 +157,39 @@ const createActionHelper = async ({
     secretIds?: Types.ObjectId[];
 }) => {
     let action;
-    try {
     switch (name) {
         case ACTION_LOGIN:
         case ACTION_LOGOUT:
             action = await createActionClient({
                 name,
-                    userId
+                userId,
             });
             break;
         case ACTION_ADD_SECRETS:
         case ACTION_READ_SECRETS:
         case ACTION_DELETE_SECRETS:
-                if (!workspaceId || !secretIds) throw new Error('Missing required params workspace id or secret ids to create action secret');
+            if (!workspaceId || !secretIds) throw new Error("Missing required params workspace id or secret ids to create action secret");
             action = await createActionSecret({
                 name,
                 userId,
                 workspaceId,
-                    secretIds
+                secretIds,
             });
             break;
         case ACTION_UPDATE_SECRETS:
-                if (!workspaceId || !secretIds) throw new Error('Missing required params workspace id or secret ids to create action secret');
+            if (!workspaceId || !secretIds) throw new Error("Missing required params workspace id or secret ids to create action secret");
             action = await createActionUpdateSecret({
                 name,
                 userId,
                 workspaceId,
-                    secretIds
+                secretIds,
             });
             break;
     }
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-        throw new Error('Failed to create action');
-    }
     
     return action;
 }
 
 export { 
-    createActionHelper
+    createActionHelper,
 };

backend/src/ee/helpers/checkMembershipPermissions.ts

@@ -1,7 +1,7 @@
-import { Types } from 'mongoose';
+import { Types } from "mongoose";
 import _ from "lodash";
 import { Membership } from "../../models";
-import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from '../../variables';
+import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from "../../variables";
 
 export const userHasWorkspaceAccess = async (userId: Types.ObjectId, workspaceId: Types.ObjectId, environment: string, action: any) => {
   const membershipForWorkspace = await Membership.findOne({ workspace: workspaceId, user: userId })

backend/src/ee/helpers/log.ts

@@ -1,9 +1,9 @@
-import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
+import { Types } from "mongoose";
 import { 
+    IAction,
     Log,
-    IAction
-} from '../models';
+} from "../models";
+
 /**
  * Create an (audit) log
  * @param {Object} obj
@@ -21,7 +21,7 @@ const createLogHelper = async ({
     workspaceId,
     actions,
     channel,
-    ipAddress
+    ipAddress,
 }: {
     userId?: Types.ObjectId;
     serviceAccountId?: Types.ObjectId;
@@ -31,9 +31,7 @@ const createLogHelper = async ({
     channel: string;
     ipAddress: string;
 }) => {
-    let log;
-    try {
-        log = await new Log({
+    const log = await new Log({
         user: userId,
         serviceAccount: serviceAccountId,
         serviceTokenData: serviceTokenDataId,
@@ -41,17 +39,12 @@ const createLogHelper = async ({
         actionNames: actions.map((a) => a.name),
         actions,
         channel,
-            ipAddress
+        ipAddress,
     }).save();
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to create log');
-    }
 
     return log;
 }
 
 export {
-    createLogHelper
+    createLogHelper,
 }

backend/src/ee/helpers/organizations.ts

@@ -0,0 +1,72 @@
+import { Types } from "mongoose";
+import {
+    SSOConfig
+} from "../models";
+import {
+    BotOrgService
+} from "../../services";
+import { client } from "../../config";
+import { ValidationError } from "../../utils/errors";
+
+export const getSSOConfigHelper = async ({
+    organizationId,
+    ssoConfigId
+}: {
+    organizationId?: Types.ObjectId;
+    ssoConfigId?: Types.ObjectId;
+}) => {
+    
+    if (!organizationId && !ssoConfigId) throw ValidationError({
+        message: "Getting SSO data requires either id of organization or SSO data"
+    });
+    
+    const ssoConfig = await SSOConfig.findOne({
+        ...(organizationId ? { organization: organizationId } : {}),
+        ...(ssoConfigId ? { _id: ssoConfigId } : {})
+    });
+    
+    if (!ssoConfig) throw new Error("Failed to find organization SSO data");
+    
+    const key = await BotOrgService.getSymmetricKey(
+        ssoConfig.organization
+    );
+    
+    const entryPoint = client.decryptSymmetric(
+        ssoConfig.encryptedEntryPoint,
+        key,
+        ssoConfig.entryPointIV,
+        ssoConfig.entryPointTag
+    );
+
+    const issuer = client.decryptSymmetric(
+        ssoConfig.encryptedIssuer,
+        key,
+        ssoConfig.issuerIV,
+        ssoConfig.issuerTag
+    );
+
+    const cert = client.decryptSymmetric(
+        ssoConfig.encryptedCert,
+        key,
+        ssoConfig.certIV,
+        ssoConfig.certTag
+    );
+
+    const audience = client.decryptSymmetric(
+        ssoConfig.encryptedAudience,
+        key,
+        ssoConfig.audienceIV,
+        ssoConfig.audienceTag
+    );
+    
+    return ({
+        _id: ssoConfig._id,
+        organization: ssoConfig.organization,
+        authProvider: ssoConfig.authProvider,
+        isActive: ssoConfig.isActive,
+        entryPoint,
+        issuer,
+        cert,
+        audience
+    });
+}

backend/src/ee/helpers/secret.ts

@@ -1,14 +1,11 @@
-import { Types } from 'mongoose';
-import * as Sentry from '@sentry/node';
-import {
-	Secret,
-	ISecret
-} from '../../models';
+import { Types } from "mongoose";
+import { Secret } from "../../models";
 import {
+  FolderVersion,
+  ISecretVersion,
   SecretSnapshot,
   SecretVersion,
-	ISecretVersion
-} from '../models';
+} from "../models";
 
 /**
  * Save a secret snapshot that is a copy of the current state of secrets in workspace with id
@@ -19,56 +16,70 @@ import {
  * @returns {SecretSnapshot} secretSnapshot - new secret snapshot
  */
 const takeSecretSnapshotHelper = async ({
-	workspaceId
+  workspaceId,
+  environment,
+  folderId = "root",
 }: {
-	workspaceId: string;
+  workspaceId: Types.ObjectId;
+  environment: string;
+  folderId?: string;
 }) => {
+  // get all folder ids
+  const secretIds = (
+    await Secret.find(
+      {
+        workspace: workspaceId,
+        environment,
+        folder: folderId,
+      },
+      "_id"
+    ).lean()
+  ).map((s) => s._id);
 
-	let secretSnapshot;
-	try {
-		const secretIds = (await Secret.find({
-			workspace: workspaceId
-		}, '_id')).map((s) => s._id);
-
-		const latestSecretVersions = (await SecretVersion.aggregate([
+  const latestSecretVersions = (
+    await SecretVersion.aggregate([
       {
         $match: {
+          environment,
+          workspace: new Types.ObjectId(workspaceId),
           secret: {
-						$in: secretIds
-					}
-				}
+            $in: secretIds,
+          },
+        },
       },
       {
         $group: {
-					_id: '$secret',
-					version: { $max: '$version' },
-					versionId: { $max: '$_id' } // secret version id
-				}
+          _id: "$secret",
+          version: { $max: "$version" },
+          versionId: { $max: "$_id" }, // secret version id
+        },
       },
       {
-				$sort: { version: -1 }
-			}
-		])
-			.exec())
-			.map((s) => s.versionId);
+        $sort: { version: -1 },
+      },
+    ]).exec()
+  ).map((s) => s.versionId);
+  const latestFolderVersion = await FolderVersion.findOne({
+    environment,
+    workspace: workspaceId,
+    "nodes.id": folderId,
+  }).sort({ "nodes.version": -1 });
 
   const latestSecretSnapshot = await SecretSnapshot.findOne({
-			workspace: workspaceId
+    workspace: workspaceId,
   }).sort({ version: -1 });
 
-		secretSnapshot = await new SecretSnapshot({
+  const secretSnapshot = await new SecretSnapshot({
     workspace: workspaceId,
+    environment,
     version: latestSecretSnapshot ? latestSecretSnapshot.version + 1 : 1,
-			secretVersions: latestSecretVersions
+    secretVersions: latestSecretVersions,
+    folderId,
+    folderVersion: latestFolderVersion,
   }).save();
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to take a secret snapshot');
-	}
 
   return secretSnapshot;
-}
+};
 
 /**
  * Add secret versions [secretVersions] to the SecretVersion collection.
@@ -77,93 +88,35 @@ const takeSecretSnapshotHelper = async ({
  * @returns {SecretVersion[]} newSecretVersions - new secret versions
  */
 const addSecretVersionsHelper = async ({
-	secretVersions
+  secretVersions,
 }: {
-	secretVersions: ISecretVersion[]
+  secretVersions: ISecretVersion[];
 }) => {
-	let newSecretVersions;
-	try {
-		newSecretVersions = await SecretVersion.insertMany(secretVersions);
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error(`Failed to add secret versions [err=${err}]`);
-	}
+  const newSecretVersions = await SecretVersion.insertMany(secretVersions);
 
   return newSecretVersions;
-}
+};
 
 const markDeletedSecretVersionsHelper = async ({
-	secretIds
+  secretIds,
 }: {
   secretIds: Types.ObjectId[];
 }) => {
-	try {
-		await SecretVersion.updateMany({
-			secret: { $in: secretIds }
-		}, {
-			isDeleted: true
-		}, {
-			new: true
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to mark secret versions as deleted');
+  await SecretVersion.updateMany(
+    {
+      secret: { $in: secretIds },
+    },
+    {
+      isDeleted: true,
+    },
+    {
+      new: true,
     }
-}
-
-/**
- * Initialize secret versioning by setting previously unversioned
- * secrets to version 1 and begin populating secret versions.
- */
-const initSecretVersioningHelper = async () => {
-	try {
-
-		await Secret.updateMany(
-			{ version: { $exists: false } },
-			{ $set: { version: 1 } }
   );
-
-		const unversionedSecrets: ISecret[] = await Secret.aggregate([
-			{
-				$lookup: {
-					from: 'secretversions',
-					localField: '_id',
-					foreignField: 'secret',
-					as: 'versions',
-				},
-			},
-			{
-				$match: {
-					versions: { $size: 0 },
-				},
-			},
-		]);
-
-		if (unversionedSecrets.length > 0) {
-			await addSecretVersionsHelper({
-				secretVersions: unversionedSecrets.map((s, idx) => ({
-					...s,
-					secret: s._id,
-					version: s.version ? s.version : 1,
-					isDeleted: false,
-					workspace: s.workspace,
-					environment: s.environment
-				}))
-			});
-		}
-
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to ensure that secrets are versioned');
-	}
-}
+};
 
 export {
   takeSecretSnapshotHelper,
   addSecretVersionsHelper,
   markDeletedSecretVersionsHelper,
-	initSecretVersioningHelper
-}
+};

backend/src/ee/helpers/secretVersion.ts

@@ -1,6 +1,5 @@
-import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
-import { SecretVersion } from '../models';
+import { Types } from "mongoose";
+import { SecretVersion } from "../models";
 
 /**
  * Return latest secret versions for secrets with ids [secretIds]
@@ -9,48 +8,32 @@ import { SecretVersion } from '../models';
  * @returns
  */
 const getLatestSecretVersionIds = async ({
-    secretIds
+  secretIds,
 }: {
   secretIds: Types.ObjectId[];
 }) => {
-    
-    interface LatestSecretVersionId {
-        _id: Types.ObjectId;
-        version: number;
-        versionId: Types.ObjectId;
-    }
-    
-    let latestSecretVersionIds: LatestSecretVersionId[];
-    try {
-        latestSecretVersionIds = (await SecretVersion.aggregate([
+  const latestSecretVersionIds = await SecretVersion.aggregate([
     {
       $match: {
         secret: {
-                        $in: secretIds 
-                    } 
-                }
+          $in: secretIds,
+        },
+      },
     },
     {
       $group: {
-                    _id: '$secret',
-                    version: { $max: '$version' },
-                    versionId: { $max: '$_id' } // id of latest secret version
-                }
+        _id: "$secret",
+        version: { $max: "$version" },
+        versionId: { $max: "$_id" }, // id of latest secret version
+      },
     },
     {
-                $sort: { version: -1 }
-            }
-            ])
-            .exec());
-            
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-        throw new Error('Failed to get latest secret versions');
-    }
+      $sort: { version: -1 },
+    },
+  ]).exec();
 
   return latestSecretVersionIds;
-}
+};
 
 /**
  * Return latest [n] secret versions for secrets with ids [secretIds]
@@ -61,16 +44,13 @@ const getLatestSecretVersionIds = async ({
  */
 const getLatestNSecretSecretVersionIds = async ({
   secretIds,
-    n
+  n,
 }: {
   secretIds: Types.ObjectId[];
   n: number;
 }) => {
-    
   // TODO: optimize query
-    let latestNSecretVersions;
-    try {
-        latestNSecretVersions = (await SecretVersion.aggregate([
+  const latestNSecretVersions = await SecretVersion.aggregate([
     {
       $match: {
         secret: {
@@ -93,18 +73,10 @@ const getLatestNSecretSecretVersionIds = async ({
         secret: "$_id",
         versions: { $slice: ["$versions", n] },
       },
-            }
-        ]));
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-        throw new Error('Failed to get latest n secret versions');
-    }
+    },
+  ]);
 
   return latestNSecretVersions;
-}
+};
 
-export {
-    getLatestSecretVersionIds,
-    getLatestNSecretSecretVersionIds
-}
+export { getLatestSecretVersionIds, getLatestNSecretSecretVersionIds };

backend/src/ee/middleware/index.ts

@@ -1,7 +1,5 @@
-import requireLicenseAuth from './requireLicenseAuth';
-import requireSecretSnapshotAuth from './requireSecretSnapshotAuth';
+import requireSecretSnapshotAuth from "./requireSecretSnapshotAuth";
 
 export {
-    requireLicenseAuth,
-    requireSecretSnapshotAuth
+    requireSecretSnapshotAuth,
 }

backend/src/ee/middleware/requireLicenseAuth.ts

@@ -1,23 +0,0 @@
-import { Request, Response, NextFunction } from 'express';
-
-/**
- * Validate if organization hosting meets license requirements to 
- * access a license-specific route.
- * @param {Object} obj
- * @param {String[]} obj.acceptedTiers
- */
-const requireLicenseAuth = ({
-    acceptedTiers
-}: {
-    acceptedTiers: string[];
-}) => {
-    return async (req: Request, res: Response, next: NextFunction) => {
-        try {
-
-        } catch (err) {
-
-        }
-    }
-}
-
-export default requireLicenseAuth;

backend/src/ee/middleware/requireSecretSnapshotAuth.ts

@@ -1,9 +1,9 @@
-import { Request, Response, NextFunction } from 'express';
-import { UnauthorizedRequestError, SecretSnapshotNotFoundError } from '../../utils/errors';
-import { SecretSnapshot } from '../models';
+import { NextFunction, Request, Response } from "express";
+import { SecretSnapshotNotFoundError } from "../../utils/errors";
+import { SecretSnapshot } from "../models";
 import {
-    validateMembership
-} from '../../helpers/membership';
+    validateMembership,
+} from "../../helpers/membership";
 
 /**
  * Validate if user on request has proper membership for secret snapshot
@@ -15,7 +15,7 @@ import {
 const requireSecretSnapshotAuth = ({
     acceptedRoles,
 }: {
-    acceptedRoles: Array<'admin' | 'member'>;
+    acceptedRoles: Array<"admin" | "member">;
 }) => {
     return async (req: Request, res: Response, next: NextFunction) => {
         const { secretSnapshotId } = req.params;
@@ -24,14 +24,14 @@ const requireSecretSnapshotAuth = ({
         
         if (!secretSnapshot) {
             return next(SecretSnapshotNotFoundError({
-                message: 'Failed to find secret snapshot'
+                message: "Failed to find secret snapshot",
             }));
         }
         
         await validateMembership({
             userId: req.user._id,
             workspaceId: secretSnapshot.workspace,
-            acceptedRoles
+            acceptedRoles,
         });
         
         req.secretSnapshot = secretSnapshot as any;

backend/src/ee/models/action.ts

@@ -1,12 +1,12 @@
-import { Schema, model, Types } from 'mongoose';
+import { Schema, Types, model } from "mongoose";
 import {
+    ACTION_ADD_SECRETS,
+    ACTION_DELETE_SECRETS,
     ACTION_LOGIN,
     ACTION_LOGOUT,
-    ACTION_ADD_SECRETS,
-    ACTION_UPDATE_SECRETS,
     ACTION_READ_SECRETS,
-    ACTION_DELETE_SECRETS
-} from '../../variables';
+    ACTION_UPDATE_SECRETS,
+} from "../../variables";
 
 export interface IAction {
     name: string;
@@ -30,42 +30,40 @@ const actionSchema = new Schema<IAction>(
                 ACTION_ADD_SECRETS,
                 ACTION_UPDATE_SECRETS,
                 ACTION_READ_SECRETS,
-                ACTION_DELETE_SECRETS
-            ]
+                ACTION_DELETE_SECRETS,
+            ],
         },
         user: {
             type: Schema.Types.ObjectId,
-            ref: 'User'
+            ref: "User",
         },
         serviceAccount: {
             type: Schema.Types.ObjectId,
-            ref: 'ServiceAccount'
+            ref: "ServiceAccount",
         },
         serviceTokenData: {
             type: Schema.Types.ObjectId,
-            ref: 'ServiceTokenData'
+            ref: "ServiceTokenData",
         },
         workspace: {
             type: Schema.Types.ObjectId,
-            ref: 'Workspace'
+            ref: "Workspace",
         },
         payload: {
             secretVersions: [{
                 oldSecretVersion: {
                     type: Schema.Types.ObjectId,
-                    ref: 'SecretVersion'
+                    ref: "SecretVersion",
                 },
                 newSecretVersion: {
                     type: Schema.Types.ObjectId,
-                    ref: 'SecretVersion'
-                }
-            }]
-        }
+                    ref: "SecretVersion",
+                },
+            }],
+        },
     }, {
-        timestamps: true
+        timestamps: true,
     }
 );
 
-const Action = model<IAction>('Action', actionSchema);
-
-export default Action;
+export const Action = model<IAction>("Action", actionSchema);

backend/src/ee/models/folderVersion.ts

@@ -0,0 +1,58 @@
+import { Schema, Types, model } from "mongoose";
+
+export type TFolderRootVersionSchema = {
+  _id: Types.ObjectId;
+  workspace: Types.ObjectId;
+  environment: string;
+  nodes: TFolderVersionSchema;
+};
+
+export type TFolderVersionSchema = {
+  id: string;
+  name: string;
+  version: number;
+  children: TFolderVersionSchema[];
+};
+
+const folderVersionSchema = new Schema<TFolderVersionSchema>({
+  id: {
+    required: true,
+    type: String,
+    default: "root",
+  },
+  name: {
+    required: true,
+    type: String,
+    default: "root",
+  },
+  version: {
+    required: true,
+    type: Number,
+    default: 1,
+  },
+});
+
+folderVersionSchema.add({ children: [folderVersionSchema] });
+
+const folderRootVersionSchema = new Schema<TFolderRootVersionSchema>(
+  {
+    workspace: {
+      type: Schema.Types.ObjectId,
+      ref: "Workspace",
+      required: true,
+    },
+    environment: {
+      type: String,
+      required: true,
+    },
+    nodes: folderVersionSchema,
+  },
+  {
+    timestamps: true,
+  }
+);
+
+export const FolderVersion = model<TFolderRootVersionSchema>(
+  "FolderVersion",
+  folderRootVersionSchema
+);

backend/src/ee/models/index.ts

@@ -1,15 +1,7 @@
-import SecretSnapshot, { ISecretSnapshot } from './secretSnapshot';
-import SecretVersion, { ISecretVersion } from './secretVersion';
-import Log, { ILog } from './log';
-import Action, { IAction } from './action';
-
-export {
-    SecretSnapshot,
-    ISecretSnapshot,
-    SecretVersion,
-    ISecretVersion,
-    Log,
-    ILog,
-    Action,
-    IAction
-}
+export * from "./secretSnapshot";
+export * from "./secretVersion";
+export * from "./folderVersion";
+export * from "./log";
+export * from "./action";
+export * from "./ssoConfig";
+export * from "./trustedIp";

backend/src/ee/models/log.ts

@@ -1,12 +1,12 @@
-import { Schema, model, Types } from 'mongoose';
+import { Schema, Types, model } from "mongoose";
 import {
+    ACTION_ADD_SECRETS,
+    ACTION_DELETE_SECRETS,
     ACTION_LOGIN,
     ACTION_LOGOUT,
-    ACTION_ADD_SECRETS,
-    ACTION_UPDATE_SECRETS,
     ACTION_READ_SECRETS,
-    ACTION_DELETE_SECRETS
-} from '../../variables';
+    ACTION_UPDATE_SECRETS,
+} from "../../variables";
 
 export interface ILog {
     _id: Types.ObjectId;
@@ -24,19 +24,19 @@ const logSchema = new Schema<ILog>(
     {
         user: {
             type: Schema.Types.ObjectId,
-            ref: 'User'
+            ref: "User",
         },
         serviceAccount: {
             type: Schema.Types.ObjectId,
-            ref: 'ServiceAccount'
+            ref: "ServiceAccount",
         },
         serviceTokenData: {
             type: Schema.Types.ObjectId,
-            ref: 'ServiceTokenData'
+            ref: "ServiceTokenData",
         },
         workspace: {
             type: Schema.Types.ObjectId,
-            ref: 'Workspace'
+            ref: "Workspace",
         },
         actionNames: {
             type: [String],
@@ -46,28 +46,27 @@ const logSchema = new Schema<ILog>(
                 ACTION_ADD_SECRETS,
                 ACTION_UPDATE_SECRETS,
                 ACTION_READ_SECRETS,
-                ACTION_DELETE_SECRETS
+                ACTION_DELETE_SECRETS,
             ],
-            required: true
+            required: true,
         },
         actions: [{
             type: Schema.Types.ObjectId,
-            ref: 'Action',
-            required: true
+            ref: "Action",
+            required: true,
         }],
         channel: {
             type: String,
-            enum: ['web', 'cli', 'auto', 'k8-operator', 'other'],
-            required: true
+            enum: ["web", "cli", "auto", "k8-operator", "other"],
+            required: true,
         },
         ipAddress: {
-            type: String
+            type: String,
+        },
+    }, 
+    {
+        timestamps: true,
     }
-    }, {
-    timestamps: true
-}
 );
 
-const Log = model<ILog>('Log', logSchema);
-
-export default Log;
+export const Log = model<ILog>("Log", logSchema);

backend/src/ee/models/secretSnapshot.ts

@@ -1,33 +1,52 @@
-import { Schema, model, Types } from 'mongoose';
+import { Schema, Types, model } from "mongoose";
 
 export interface ISecretSnapshot {
   workspace: Types.ObjectId;
+  environment: string;
+  folderId: string | "root";
   version: number;
   secretVersions: Types.ObjectId[];
+  folderVersion: Types.ObjectId;
 }
 
 const secretSnapshotSchema = new Schema<ISecretSnapshot>(
   {
     workspace: {
       type: Schema.Types.ObjectId,
-            ref: 'Workspace',
-            required: true
+      ref: "Workspace",
+      required: true,
+    },
+    environment: {
+      type: String,
+      required: true,
+    },
+    folderId: {
+      type: String,
+      default: "root",
     },
     version: {
       type: Number,
-            required: true
+      default: 1,
+      required: true,
     },
-        secretVersions: [{
+    secretVersions: [
+      {
         type: Schema.Types.ObjectId,
-            ref: 'SecretVersion',
-            required: true
-        }]
+        ref: "SecretVersion",
+        required: true,
+      },
+    ],
+    folderVersion: {
+      type: Schema.Types.ObjectId,
+      ref: "FolderVersion",
+    },
   },
   {
-        timestamps: true
+    timestamps: true,
   }
 );
 
-const SecretSnapshot = model<ISecretSnapshot>('SecretSnapshot', secretSnapshotSchema);
-
-export default SecretSnapshot;
+export const SecretSnapshot = model<ISecretSnapshot>(
+  "SecretSnapshot",
+  secretSnapshotSchema
+);