chore(release): 0.11.5 [skip ci]

## [0.11.5](https://github.com/sasjs/server/compare/v0.11.4...v0.11.5) (2022-07-19) ### Bug Fixes * Revert "fix(security): missing cookie flags are added" ([ce5218a](ce5218a227))
fix: Revert "fix(security): missing cookie flags are added"
2025-12-10 19:34:34 +00:00 · 2022-07-19 23:03:43 +00:00 · 2022-07-20 03:58:25 +05:00 · 2022-07-19 21:06:05 +00:00 · 2022-07-19 22:02:05 +01:00 · 2022-07-20 01:40:31 +05:00
129 changed files with 7792 additions and 2078 deletions
--- a/.all-contributorsrc
+++ b/.all-contributorsrc
@@ -0,0 +1,84 @@
 {
  "projectName": "server",
  "projectOwner": "sasjs",
  "repoType": "github",
  "repoHost": "https://github.com",
  "files": [
    "README.md"
  ],
  "imageSize": 100,
  "commit": true,
  "commitConvention": "angular",
  "contributors": [
    {
      "login": "saadjutt01",
      "name": "Saad Jutt",
      "avatar_url": "https://avatars.githubusercontent.com/u/8914650?v=4",
      "profile": "https://github.com/saadjutt01",
      "contributions": [
        "code",
        "test"
      ]
    },
    {
      "login": "sabhas",
      "name": "Sabir Hassan",
      "avatar_url": "https://avatars.githubusercontent.com/u/82647447?v=4",
      "profile": "https://github.com/sabhas",
      "contributions": [
        "code",
        "test"
      ]
    },
    {
      "login": "YuryShkoda",
      "name": "Yury Shkoda",
      "avatar_url": "https://avatars.githubusercontent.com/u/25773492?v=4",
      "profile": "https://www.erudicat.com/",
      "contributions": [
        "code",
        "test"
      ]
    },
    {
      "login": "medjedovicm",
      "name": "Mihajlo Medjedovic",
      "avatar_url": "https://avatars.githubusercontent.com/u/18329105?v=4",
      "profile": "https://github.com/medjedovicm",
      "contributions": [
        "code",
        "test"
      ]
    },
    {
      "login": "allanbowe",
      "name": "Allan Bowe",
      "avatar_url": "https://avatars.githubusercontent.com/u/4420615?v=4",
      "profile": "https://4gl.io/",
      "contributions": [
        "code",
        "doc"
      ]
    },
    {
      "login": "VladislavParhomchik",
      "name": "Vladislav Parhomchik",
      "avatar_url": "https://avatars.githubusercontent.com/u/83717836?v=4",
      "profile": "https://github.com/VladislavParhomchik",
      "contributions": [
        "test"
      ]
    },
    {
      "login": "kknapen",
      "name": "Koen Knapen",
      "avatar_url": "https://avatars.githubusercontent.com/u/78609432?v=4",
      "profile": "https://github.com/kknapen",
      "contributions": [
        "userTesting"
      ]
    }
  ],
  "contributorsPerLine": 7,
  "skipCi": true
 }
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -0,0 +1,3 @@
 # These are supported funding model platforms
 github: [sasjs]
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -55,6 +55,9 @@ jobs:
          REFRESH_TOKEN_SECRET: ${{secrets.REFRESH_TOKEN_SECRET}}
          AUTH_CODE_SECRET: ${{secrets.AUTH_CODE_SECRET}}
          SESSION_SECRET: ${{secrets.SESSION_SECRET}}
          RUN_TIMES: 'sas,js'
          SAS_PATH: '/some/path/to/sas'
          NODE_PATH: '/some/path/to/node'
      - name: Build Package
        working-directory: ./api
--- a/.gitignore
+++ b/.gitignore
@@ -4,6 +4,7 @@ node_modules/
 .DS_Store
 .env*
 sas/
 sasjs_root/
 tmp/
 build/
 sasjsbuild/
--- a/.nvmrc
+++ b/.nvmrc
@@ -1 +1 @@
-v16.14.0
+v16.15.1
--- a/.releaserc
+++ b/.releaserc
@@ -36,7 +36,7 @@
    [
      "@semantic-release/exec",
      {
-        "publishCmd": "npx standard-version"
+        "publishCmd": "echo 'publish command'"
      }
    ]
  ]
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,325 @@
 ## [0.11.5](https://github.com/sasjs/server/compare/v0.11.4...v0.11.5) (2022-07-19)
 ### Bug Fixes
 * Revert "fix(security): missing cookie flags are added" ([ce5218a](https://github.com/sasjs/server/commit/ce5218a2278cc750f2b1032024685dc6cd72f796))
 ## [0.11.4](https://github.com/sasjs/server/compare/v0.11.3...v0.11.4) (2022-07-19)
 ### Bug Fixes
 * **security:** missing cookie flags are added ([526402f](https://github.com/sasjs/server/commit/526402fd73407ee4fa2d31092111a7e6a1741487))
 ## [0.11.3](https://github.com/sasjs/server/compare/v0.11.2...v0.11.3) (2022-07-19)
 ### Bug Fixes
 * filePath fix in code.js file for windows ([2995121](https://github.com/sasjs/server/commit/299512135d77c2ac9e34853cf35aee6f2e1d4da4))
 ## [0.11.2](https://github.com/sasjs/server/compare/v0.11.1...v0.11.2) (2022-07-18)
 ### Bug Fixes
 * apply icon option only for sas.exe ([d2ddd8a](https://github.com/sasjs/server/commit/d2ddd8aacadfdd143026881f2c6ae8c6b277610a))
 ## [0.11.1](https://github.com/sasjs/server/compare/v0.11.0...v0.11.1) (2022-07-18)
 ### Bug Fixes
 * bank operator ([aa02741](https://github.com/sasjs/server/commit/aa027414ed3ce51f1014ef36c4191e064b2e963d))
 * ensuring nosplash option only applies for sas.exe ([65e6de9](https://github.com/sasjs/server/commit/65e6de966383fe49a919b1f901d77c7f1e402c9b)), closes [#229](https://github.com/sasjs/server/issues/229)
 # [0.11.0](https://github.com/sasjs/server/compare/v0.10.0...v0.11.0) (2022-07-16)
 ### Bug Fixes
 * **logs:** logs location is configurable ([e024a92](https://github.com/sasjs/server/commit/e024a92f165990e08db8aa26ee326dbcb30e2e46))
 ### Features
 * **logs:** logs to file with rotating + code split into files ([92fda18](https://github.com/sasjs/server/commit/92fda183f3f0f3956b7c791669eb8dd52c389d1b))
 # [0.10.0](https://github.com/sasjs/server/compare/v0.9.0...v0.10.0) (2022-07-06)
 ### Bug Fixes
 * add authorize middleware for appStreams ([e54a09d](https://github.com/sasjs/server/commit/e54a09db19ec8690e54a40760531a4e06d250974))
 * add isAdmin attribute to return response of get session and login requests ([bdf63df](https://github.com/sasjs/server/commit/bdf63df1d915892486005ec904807749786b1c0c))
 * add permission authorization middleware to only specific routes ([f3dfc70](https://github.com/sasjs/server/commit/f3dfc7083fbfb4b447521341b1a86730fb90b4c0))
 * bumping core and running lint ([a2d1396](https://github.com/sasjs/server/commit/a2d13960578014312d2cb5e03145bfd1829d99ec))
 * controller fixed for deleting permission ([b5f595a](https://github.com/sasjs/server/commit/b5f595a25c50550d62482409353c7629c5a5c3e0))
 * do not show admin users in add permission modal ([a75edba](https://github.com/sasjs/server/commit/a75edbaa327ec2af49523c13996ac283061da7d8))
 * export GroupResponse interface ([38a7db8](https://github.com/sasjs/server/commit/38a7db8514de0acd94d74ba96bc1efb732add30c))
 * move permission filter modal to separate file and icons for different actions ([d000f75](https://github.com/sasjs/server/commit/d000f7508f6d7384afffafee4179151fca802ca8))
 * principalId type changed to  number from any ([4fcc191](https://github.com/sasjs/server/commit/4fcc191ce9edc7e4dcd8821fb8019f4eea5db4ea))
 * remove clientId from principal types ([0781ddd](https://github.com/sasjs/server/commit/0781ddd64e3b5e5ca39647bb4e4e1a9332a0f4f8))
 * remove duplicates principals from permission filter modal ([5b319f9](https://github.com/sasjs/server/commit/5b319f9ad1f941b306db6b9473a2128b2e42bf76))
 * show loading spinner in studio while executing code ([496247d](https://github.com/sasjs/server/commit/496247d0b9975097a008cf4d3a999d77648fd930))
 * show permission component only in server mode ([f863b81](https://github.com/sasjs/server/commit/f863b81a7d40a1296a061ec93946f204382af2c3))
 * update permission model ([39fc908](https://github.com/sasjs/server/commit/39fc908de1945f2aaea18d14e6bce703f6bf0c06))
 * update permission response ([e516b77](https://github.com/sasjs/server/commit/e516b7716da5ff7e23350a5f77cfa073b1171175))
 * **web:** only admin should be able to add, update or delete permission ([be8635c](https://github.com/sasjs/server/commit/be8635ccc5eb34c3f0a5951c8a0421292ef69c97))
 ### Features
 * add api endpoint for deleting permission ([0171344](https://github.com/sasjs/server/commit/01713440a4fa661b76368785c0ca731f096ac70a))
 * add api endpoint for updating permission setting ([540f54f](https://github.com/sasjs/server/commit/540f54fb77b364822da7889dbe75c02242f48a59))
 * add authorize middleware for validating permissions ([7d916ec](https://github.com/sasjs/server/commit/7d916ec3e9ef579dde1b73015715cd01098c2018))
 * add basic UI for settings and permissions ([5652325](https://github.com/sasjs/server/commit/56523254525a66e756196e90b39a2b8cdadc1518))
 * add documentation link under usename dropdown menu ([eeb63b3](https://github.com/sasjs/server/commit/eeb63b330c292afcdd5c8f006882b224c4235068))
 * add permission model ([6bea1f7](https://github.com/sasjs/server/commit/6bea1f76668ddb070ad95b3e02c31238af67c346))
 * add UI for updating permission ([e8c21a4](https://github.com/sasjs/server/commit/e8c21a43b215f5fced0463b70747cda1191a4e01))
 * add validation for registering permission ([e5200c1](https://github.com/sasjs/server/commit/e5200c1000903185dfad9ee49c99583e473c4388))
 * add, remove and update permissions from web component ([97ecfdc](https://github.com/sasjs/server/commit/97ecfdc95563c72dbdecaebcb504e5194250a763))
 * added get authorizedRoutes api endpoint ([b10e932](https://github.com/sasjs/server/commit/b10e9326058193dd65a57fab2d2f05b7b06096e7))
 * created modal for adding permission ([1413b18](https://github.com/sasjs/server/commit/1413b1850838ecc988ab289da4541bde36a9a346))
 * defined register permission and get all permissions api endpoints ([1103ffe](https://github.com/sasjs/server/commit/1103ffe07b88496967cb03683b08f058ca3bbb9f))
 * update swagger docs ([797c2bc](https://github.com/sasjs/server/commit/797c2bcc39005a05a995be15a150d584fecae259))
 # [0.9.0](https://github.com/sasjs/server/compare/v0.8.3...v0.9.0) (2022-07-03)
 ### Features
 * removed secrets from env variables ([9c3da56](https://github.com/sasjs/server/commit/9c3da56901672a818f54267f9defc9f4701ab7fb))
 ## [0.8.3](https://github.com/sasjs/server/compare/v0.8.2...v0.8.3) (2022-07-02)
 ### Bug Fixes
 * **deploy:** extract first json from zip file ([e290751](https://github.com/sasjs/server/commit/e290751c872d24009482871a8c398e834357dcde))
 ## [0.8.2](https://github.com/sasjs/server/compare/v0.8.1...v0.8.2) (2022-06-22)
 ### Bug Fixes
 * getRuntimeAndFilePath function to handle the scenarion when path is provided with an extension other than runtimes ([5cc85b5](https://github.com/sasjs/server/commit/5cc85b57f80b13296156811fe966d7b37d45f213))
 ## [0.8.1](https://github.com/sasjs/server/compare/v0.8.0...v0.8.1) (2022-06-21)
 ### Bug Fixes
 * make CA_ROOT optional in getCertificates method ([1b5859e](https://github.com/sasjs/server/commit/1b5859ee37ae73c419115b9debfd5141a79733de))
 * update /logout route to /SASLogon/logout ([65380be](https://github.com/sasjs/server/commit/65380be2f3945bae559f1749064845b514447a53))
 # [0.8.0](https://github.com/sasjs/server/compare/v0.7.3...v0.8.0) (2022-06-21)
 ### Features
 * **certs:** ENV variables updated and set CA Root for HTTPS server ([2119e9d](https://github.com/sasjs/server/commit/2119e9de9ab1e5ce1222658f554ac74f4f35cf4d))
 ## [0.7.3](https://github.com/sasjs/server/compare/v0.7.2...v0.7.3) (2022-06-20)
 ### Bug Fixes
 * path descriptions and defaults ([5d5d6ce](https://github.com/sasjs/server/commit/5d5d6ce3265a43af2e22bcd38cda54fafaf7b3ef))
 ## [0.7.2](https://github.com/sasjs/server/compare/v0.7.1...v0.7.2) (2022-06-20)
 ### Bug Fixes
 * removing UTF-8 options from commandline.  There appears to be no reliable way to enforce ([f6dc74f](https://github.com/sasjs/server/commit/f6dc74f16bddafa1de9c83c2f27671a241abdad4))
 ## [0.7.1](https://github.com/sasjs/server/compare/v0.7.0...v0.7.1) (2022-06-20)
 ### Bug Fixes
 * default runtime should be sas ([91d29cb](https://github.com/sasjs/server/commit/91d29cb1272c28afbceaf39d1e0a87e17fbfdcd6))
 * **Studio:** default selection of runtime fixed ([eb569c7](https://github.com/sasjs/server/commit/eb569c7b827c872ed2c4bc114559b97d87fd2aa0))
 * webout path fixed in code.js when running on windows ([99a1107](https://github.com/sasjs/server/commit/99a110736448f66f99a512396b268fc31a3feef0))
 # [0.7.0](https://github.com/sasjs/server/compare/v0.6.1...v0.7.0) (2022-06-19)
 ### Bug Fixes
 * add runtimes to global process object ([194eaec](https://github.com/sasjs/server/commit/194eaec7d4a561468f83bf6efce484909ee532eb))
 * code fixes for executing program from program path including file extension ([53854d0](https://github.com/sasjs/server/commit/53854d001279462104b24c0e59a8c94ab4938a94))
 * code/execute controller logic to handle different runtimes ([23b6692](https://github.com/sasjs/server/commit/23b6692f02e4afa33c9dc95d242eb8645c19d546))
 * convert single executeProgram method to two methods i.e. executeSASProgram and executeJSProgram ([c58666e](https://github.com/sasjs/server/commit/c58666eb81514de500519e7b96c1981778ec149b))
 * no need to stringify _webout in preProgramVarStatements, developer should have _webout as string in actual code ([9d5a5e0](https://github.com/sasjs/server/commit/9d5a5e051fd821295664ddb3a1fd64629894a44c))
 * pass _program to execute file without extension ([5df619b](https://github.com/sasjs/server/commit/5df619b3f63571e8e326261d8114869d33881d91))
 * refactor code for session selection in preUploadMiddleware function ([b444381](https://github.com/sasjs/server/commit/b4443819d42afecebc0f382c58afb9010d4775ef))
 * refactor code in executeFile method of session controller ([dffe6d7](https://github.com/sasjs/server/commit/dffe6d7121d569e5c7d13023c6ca68d8c901c88e))
 * refactor code in preUploadMiddleware function ([6d6bda5](https://github.com/sasjs/server/commit/6d6bda56267babde7b98cf69e32973d56d719f75))
 * refactor sas/js session controller classes to inherit from base session controller class ([2c704a5](https://github.com/sasjs/server/commit/2c704a544f4e31a8e8e833a9a62ba016bcfa6c7c))
 * **Studio:** style fix for runtime dropdown ([9023cf3](https://github.com/sasjs/server/commit/9023cf33b5fa4b13c2d5e9b80ae307df69c7fc02))
 ### Features
 * configure child process with writeStream to write logs to log file ([058b3b0](https://github.com/sasjs/server/commit/058b3b00816e582e143953c2f0b8330bde2181b8))
 * conver single session controller to two controller i.e. SASSessionController and JSSessionController ([07295aa](https://github.com/sasjs/server/commit/07295aa151175db8c93eeef806fc3b7fde40ac72))
 * create and inject code for uploaded files to code.js ([1685616](https://github.com/sasjs/server/commit/16856165fb292dc9ffa897189ba105bd9f362267))
 * validate sasjs_runtimes env var ([596ada7](https://github.com/sasjs/server/commit/596ada7ca88798d6d71f6845633a006fd22438ea))
 ## [0.6.1](https://github.com/sasjs/server/compare/v0.6.0...v0.6.1) (2022-06-17)
 ### Bug Fixes
 * home page wording.  Using fix to force previous change through.. ([8702a4e](https://github.com/sasjs/server/commit/8702a4e8fd1bbfaf4f426b75e8b85a87ede0e0b0))
 # [0.6.0](https://github.com/sasjs/server/compare/v0.5.0...v0.6.0) (2022-06-16)
 ### Features
 * get group by group name ([6b0b94a](https://github.com/sasjs/server/commit/6b0b94ad38215ae58e62279a4f73ac3ed2d9d0e8))
 # [0.5.0](https://github.com/sasjs/server/compare/v0.4.2...v0.5.0) (2022-06-16)
 ### Bug Fixes
 * npm audit fix to avoid warnings on npm i ([28a6a36](https://github.com/sasjs/server/commit/28a6a36bb708b93fb5c2b74d587e9b2e055582be))
 ### Features
 * **api:** deployment through zipped/compressed file ([b81d742](https://github.com/sasjs/server/commit/b81d742c6c70d4cf1cab365b0e3efc087441db00))
 ## [0.4.2](https://github.com/sasjs/server/compare/v0.4.1...v0.4.2) (2022-06-15)
 ### Bug Fixes
 * appStream redesign ([73792fb](https://github.com/sasjs/server/commit/73792fb574c90bd280c4324e0b41c6fee7d572b6))
 ## [0.4.1](https://github.com/sasjs/server/compare/v0.4.0...v0.4.1) (2022-06-15)
 ### Bug Fixes
 * add/remove group to User when adding/removing user from group and return group membership on getting user ([e08bbcc](https://github.com/sasjs/server/commit/e08bbcc5435cbabaee40a41a7fb667d4a1f078e6))
 # [0.4.0](https://github.com/sasjs/server/compare/v0.3.10...v0.4.0) (2022-06-14)
 ### Features
 * new APIs added for GET|PATCH|DELETE of user by username ([aef411a](https://github.com/sasjs/server/commit/aef411a0eac625c33274dfe3e88b6f75115c44d8))
 ## [0.3.10](https://github.com/sasjs/server/compare/v0.3.9...v0.3.10) (2022-06-14)
 ### Bug Fixes
 * correct syntax for encoding option ([32d372b](https://github.com/sasjs/server/commit/32d372b42fbf56b6c0779e8f704164eaae1c7548))
 ## [0.3.9](https://github.com/sasjs/server/compare/v0.3.8...v0.3.9) (2022-06-14)
 ### Bug Fixes
 * forcing utf 8 encoding. Closes [#76](https://github.com/sasjs/server/issues/76) ([8734489](https://github.com/sasjs/server/commit/8734489cf014aedaca3f325e689493e4fe0b71ca))
 ## [0.3.8](https://github.com/sasjs/server/compare/v0.3.7...v0.3.8) (2022-06-13)
 ### Bug Fixes
 * execution controller better error handling ([8a617a7](https://github.com/sasjs/server/commit/8a617a73ae63233332f5788c90f173d6cd5e1283))
 * execution controller error details ([3fa2a7e](https://github.com/sasjs/server/commit/3fa2a7e2e32f90050f6b09e30ce3ef725eb0b15f))
 ## [0.3.7](https://github.com/sasjs/server/compare/v0.3.6...v0.3.7) (2022-06-08)
 ### Bug Fixes
 * **appstream:** redirect to relative + nested resource should be accessed ([5ab35b0](https://github.com/sasjs/server/commit/5ab35b02c4417132dddb5a800982f31d0d50ef66))
 ## [0.3.6](https://github.com/sasjs/server/compare/v0.3.5...v0.3.6) (2022-06-02)
 ### Bug Fixes
 * **appstream:** should serve only new files for same app stream name with new deployment ([e6d1989](https://github.com/sasjs/server/commit/e6d1989847761fbe562d7861ffa0ee542839b125))
 ## [0.3.5](https://github.com/sasjs/server/compare/v0.3.4...v0.3.5) (2022-05-30)
 ### Bug Fixes
 * bumping sasjs/core library ([61815f8](https://github.com/sasjs/server/commit/61815f8ae18be132e17c199cd8e3afbcc2fa0b60))
 ## [0.3.4](https://github.com/sasjs/server/compare/v0.3.3...v0.3.4) (2022-05-30)
 ### Bug Fixes
 * **web:** system username for DESKTOP mode ([a8ba378](https://github.com/sasjs/server/commit/a8ba378fd1ff374ba025a96fdfae5c6c36954465))
 ## [0.3.3](https://github.com/sasjs/server/compare/v0.3.2...v0.3.3) (2022-05-30)
 ### Bug Fixes
 * usage of autoexec API in DESKTOP mode ([12d424a](https://github.com/sasjs/server/commit/12d424acce8108a6f53aefbac01fddcdc5efb48f))
 ## [0.3.2](https://github.com/sasjs/server/compare/v0.3.1...v0.3.2) (2022-05-27)
 ### Bug Fixes
 * **web:** ability to use get/patch User API in desktop mode. ([2c259fe](https://github.com/sasjs/server/commit/2c259fe1de95d84e6929e311aaa6b895e66b42a3))
 ## [0.3.1](https://github.com/sasjs/server/compare/v0.3.0...v0.3.1) (2022-05-26)
 ### Bug Fixes
 * **api:** username should be lowercase ([5ad6ee5](https://github.com/sasjs/server/commit/5ad6ee5e0f5d7d6faa45b72215f1d9d55cfc37db))
 * **web:** reduced width for autoexec input ([7d11cc7](https://github.com/sasjs/server/commit/7d11cc79161e5a07f6c5392d742ef6b9d8658071))
 # [0.3.0](https://github.com/sasjs/server/compare/v0.2.0...v0.3.0) (2022-05-25)
 ### Features
 * **web:** added profile + edit + autoexec changes ([c275db1](https://github.com/sasjs/server/commit/c275db184e874f0ee3a4f08f2592cfacf1e90742))
 # [0.2.0](https://github.com/sasjs/server/compare/v0.1.0...v0.2.0) (2022-05-25)
 ### Bug Fixes
 * **autoexec:** usage in case of desktop from file ([79dc2db](https://github.com/sasjs/server/commit/79dc2dba23dc48ec218a973119392a45cb3856b5))
 ### Features
 * **api:** added autoexec + major type setting changes ([2a7223a](https://github.com/sasjs/server/commit/2a7223ad7d6b8f3d4682447fd25d9426a7c79ac3))
 # [0.1.0](https://github.com/sasjs/server/compare/v0.0.77...v0.1.0) (2022-05-23)
 ### Bug Fixes
 * issue174 + issue175 + issue146 ([80b33c7](https://github.com/sasjs/server/commit/80b33c7a18c1b7727316ffeca71658346733e935))
 * **web:** click to copy + notification ([f37f8e9](https://github.com/sasjs/server/commit/f37f8e95d1a85e00ceca2413dbb5e1f3f3f72255))
 ### Features
 * **env:** added new env variable LOG_FORMAT_MORGAN ([53bf68a](https://github.com/sasjs/server/commit/53bf68a6aff44bb7b2f40d40d6554809253a01a8))
 ## [0.0.77](https://github.com/sasjs/server/compare/v0.0.76...v0.0.77) (2022-05-16)
--- a/PULL_REQUEST_TEMPLATE.md
+++ b/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,19 @@
 ## Issue
 Link any related issue(s) in this section.
 ## Intent
 What this PR intends to achieve.
 ## Implementation
 What code changes have been made to achieve the intent.
 ## Checks
 - [ ] Code is formatted correctly (`npm run lint:fix`).
 - [ ] Any new functionality has been unit tested.
 - [ ] All unit tests are passing (`npm test`).
 - [ ] All CI checks are green.
 - [ ] Reviewer is assigned.
--- a/README.md
+++ b/README.md
@@ -1,5 +1,11 @@
 # SASjs Server
 <!-- ALL-CONTRIBUTORS-BADGE:START - Do not remove or modify this section -->
 [![All Contributors](https://img.shields.io/badge/all_contributors-7-orange.svg?style=flat-square)](#contributors-)
 <!-- ALL-CONTRIBUTORS-BADGE:END -->
 SASjs Server provides a NodeJS wrapper for calling the SAS binary executable. It can be installed on an actual SAS server, or locally on your desktop. It provides:
 - Virtual filesystem for storing SAS programs and other content
@@ -61,9 +67,13 @@ MODE=
 # Path to SAS executable (sas.exe / sas.sh)
 SAS_PATH=/path/to/sas/executable.exe
 # Path to Node.js executable
 NODE_PATH=~/.nvm/versions/node/v16.14.0/bin/node
 # Path to working directory
 # This location is for SAS WORK, staged files, DRIVE, configuration etc
-DRIVE_PATH=/tmp
+SASJS_ROOT=./sasjs_root
 # options: [http|https] default: http
 PROTOCOL=
@@ -89,15 +99,12 @@ SASV9_OPTIONS= -NOXCMD
 ## Additional Web Server Options
 #
-# ENV variables required for PROTOCOL: `https`
+# ENV variables for PROTOCOL: `https`
-PRIVATE_KEY=privkey.pem
+PRIVATE_KEY=privkey.pem (required)
-FULL_CHAIN=fullchain.pem
+CERT_CHAIN=certificate.pem (required)
 CA_ROOT=fullchain.pem (optional)
 # ENV variables required for MODE: `server`
 ACCESS_TOKEN_SECRET=<secret>
 REFRESH_TOKEN_SECRET=<secret>
 AUTH_CODE_SECRET=<secret>
 SESSION_SECRET=<secret>
 DB_CONNECT=mongodb+srv://<DB_USERNAME>:<DB_PASSWORD>@<CLUSTER>/<DB_NAME>?retryWrites=true&w=majority
 # options: [disable|enable] default: `disable` for `server` & `enable` for `desktop`
@@ -125,6 +132,20 @@ HELMET_COEP=
 # }
 HELMET_CSP_CONFIG_PATH=./csp.config.json
 # LOG_FORMAT_MORGAN options: [combined|common|dev|short|tiny] default: `common`
 # Docs: https://www.npmjs.com/package/morgan#predefined-formats
 LOG_FORMAT_MORGAN=
 # This location is for server logs with classical UNIX logrotate behavior
 LOG_LOCATION=./sasjs_root/logs
 # A comma separated string that defines the available runTimes.
 # Priority is given to the runtime that comes first in the string.
 # Possible options at the moment are sas and js
 # options: [sas,js|js,sas|sas|js] default:sas
 RUN_TIMES=
 ```
 ## Persisting the Session
@@ -147,7 +168,7 @@ Install the npm package [pm2](https://www.npmjs.com/package/pm2) (`npm install p
 ```bash
 export SAS_PATH=/opt/sas9/SASHome/SASFoundation/9.4/sasexe/sas
 export PORT=5001
-export DRIVE_PATH=./tmp
+export SASJS_ROOT=./sasjs_root
 pm2 start api-linux
 ```
@@ -181,3 +202,29 @@ The following credentials can be used for the initial connection to SASjs/server
 - CLIENTID: `clientID1`
 - USERNAME: `secretuser`
 - PASSWORD: `secretpassword`
 ## Contributors ✨
 Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):
 <!-- ALL-CONTRIBUTORS-LIST:START - Do not remove or modify this section -->
 <!-- prettier-ignore-start -->
 <!-- markdownlint-disable -->
 <table>
  <tr>
    <td align="center"><a href="https://github.com/saadjutt01"><img src="https://avatars.githubusercontent.com/u/8914650?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Saad Jutt</b></sub></a><br /><a href="https://github.com/sasjs/server/commits?author=saadjutt01" title="Code">💻</a> <a href="https://github.com/sasjs/server/commits?author=saadjutt01" title="Tests">⚠️</a></td>
    <td align="center"><a href="https://github.com/sabhas"><img src="https://avatars.githubusercontent.com/u/82647447?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Sabir Hassan</b></sub></a><br /><a href="https://github.com/sasjs/server/commits?author=sabhas" title="Code">💻</a> <a href="https://github.com/sasjs/server/commits?author=sabhas" title="Tests">⚠️</a></td>
    <td align="center"><a href="https://www.erudicat.com/"><img src="https://avatars.githubusercontent.com/u/25773492?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Yury Shkoda</b></sub></a><br /><a href="https://github.com/sasjs/server/commits?author=YuryShkoda" title="Code">💻</a> <a href="https://github.com/sasjs/server/commits?author=YuryShkoda" title="Tests">⚠️</a></td>
    <td align="center"><a href="https://github.com/medjedovicm"><img src="https://avatars.githubusercontent.com/u/18329105?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Mihajlo Medjedovic</b></sub></a><br /><a href="https://github.com/sasjs/server/commits?author=medjedovicm" title="Code">💻</a> <a href="https://github.com/sasjs/server/commits?author=medjedovicm" title="Tests">⚠️</a></td>
    <td align="center"><a href="https://4gl.io/"><img src="https://avatars.githubusercontent.com/u/4420615?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Allan Bowe</b></sub></a><br /><a href="https://github.com/sasjs/server/commits?author=allanbowe" title="Code">💻</a> <a href="https://github.com/sasjs/server/commits?author=allanbowe" title="Documentation">📖</a></td>
    <td align="center"><a href="https://github.com/VladislavParhomchik"><img src="https://avatars.githubusercontent.com/u/83717836?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Vladislav Parhomchik</b></sub></a><br /><a href="https://github.com/sasjs/server/commits?author=VladislavParhomchik" title="Tests">⚠️</a></td>
    <td align="center"><a href="https://github.com/kknapen"><img src="https://avatars.githubusercontent.com/u/78609432?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Koen Knapen</b></sub></a><br /><a href="#userTesting-kknapen" title="User Testing">📓</a></td>
  </tr>
 </table>
 <!-- markdownlint-restore -->
 <!-- prettier-ignore-end -->
 <!-- ALL-CONTRIBUTORS-LIST:END -->
 This project follows the [all-contributors](https://github.com/all-contributors/all-contributors) specification. Contributions of any kind welcome!
--- a/api/.env.example
+++ b/api/.env.example
@@ -4,18 +4,21 @@ WHITELIST=<space separated urls, each starting with protocol `http` or `https`>
 PROTOCOL=[http|https] default considered as http
 PRIVATE_KEY=privkey.pem
-FULL_CHAIN=fullchain.pem
+CERT_CHAIN=certificate.pem
 CA_ROOT=fullchain.pem
 PORT=[5000] default value is 5000
 HELMET_CSP_CONFIG_PATH=./csp.config.json if omitted HELMET default will be used
 HELMET_COEP=[true|false] if omitted HELMET default will be used
 ACCESS_TOKEN_SECRET=<secret>
 REFRESH_TOKEN_SECRET=<secret>
 AUTH_CODE_SECRET=<secret>
 SESSION_SECRET=<secret>
 DB_CONNECT=mongodb+srv://<DB_USERNAME>:<DB_PASSWORD>@<CLUSTER>/<DB_NAME>?retryWrites=true&w=majority
 RUN_TIMES=[sas|js|sas,js|js,sas] default considered as sas
 SAS_PATH=/opt/sas/sas9/SASHome/SASFoundation/9.4/sas
-DRIVE_PATH=./tmp
+NODE_PATH=~/.nvm/versions/node/v16.14.0/bin/node
 SASJS_ROOT=./sasjs_root
 LOG_FORMAT_MORGAN=common
 LOG_LOCATION=./sasjs_root/logs
--- a/api/.nvmrc
+++ b/api/.nvmrc
@@ -1 +1 @@
-v16.14.0
+v16.15.1
--- a/api/package-lock.json
+++ b/api/package-lock.json
--- a/api/package.json
+++ b/api/package.json
@@ -7,7 +7,7 @@
    "initial": "npm run swagger && npm run compileSysInit && npm run copySASjsCore",
    "prestart": "npm run initial",
    "prebuild": "npm run initial",
-    "start": "nodemon ./src/server.ts",
+    "start": "NODE_ENV=development nodemon ./src/server.ts",
    "start:prod": "node ./build/src/server.js",
    "build": "rimraf build && tsc",
    "postbuild": "npm run copy:files",
@@ -47,7 +47,7 @@
  },
  "author": "4GL Ltd",
  "dependencies": {
-    "@sasjs/core": "^4.23.1",
+    "@sasjs/core": "^4.31.3",
    "@sasjs/utils": "2.42.1",
    "bcryptjs": "^2.4.3",
    "connect-mongo": "^4.6.0",
@@ -63,9 +63,13 @@
    "mongoose-sequence": "^5.3.1",
    "morgan": "^1.10.0",
    "multer": "^1.4.3",
-    "swagger-ui-express": "4.3.0"
+    "rotating-file-stream": "^3.0.4",
    "swagger-ui-express": "4.3.0",
    "unzipper": "^0.10.11",
    "url": "^0.10.3"
  },
  "devDependencies": {
    "@types/adm-zip": "^0.5.0",
    "@types/bcryptjs": "^2.4.2",
    "@types/cookie-parser": "^1.4.2",
    "@types/cors": "^2.8.12",
@@ -80,6 +84,8 @@
    "@types/node": "^15.12.2",
    "@types/supertest": "^2.0.11",
    "@types/swagger-ui-express": "^4.1.3",
    "@types/unzipper": "^0.10.5",
    "adm-zip": "^0.5.9",
    "dotenv": "^10.0.0",
    "http-headers-validation": "^0.0.1",
    "jest": "^27.0.6",
@@ -94,12 +100,9 @@
    "tsoa": "3.14.1",
    "typescript": "^4.3.2"
  },
  "configuration": {
    "sasPath": "/opt/sas/sas9/SASHome/SASFoundation/9.4/sas"
  },
  "nodemonConfig": {
    "ignore": [
-      "tmp/**/*"
+      "sasjs_root/**/*"
    ]
  }
 }
--- a/api/public/swagger.yaml
+++ b/api/public/swagger.yaml
@@ -47,41 +47,6 @@ components:
                - userId
            type: object
            additionalProperties: false
        LoginPayload:
            properties:
                username:
                    type: string
                    description: 'Username for user'
                    example: secretuser
                password:
                    type: string
                    description: 'Password for user'
                    example: secretpassword
            required:
                - username
                - password
            type: object
            additionalProperties: false
        AuthorizeResponse:
            properties:
                code:
                    type: string
                    description: 'Authorization code'
                    example: someRandomCryptoString
            required:
                - code
            type: object
            additionalProperties: false
        AuthorizePayload:
            properties:
                clientId:
                    type: string
                    description: 'Client ID'
                    example: clientID1
            required:
                - clientId
            type: object
            additionalProperties: false
        ClientPayload:
            properties:
                clientId:
@@ -139,14 +104,24 @@ components:
                - httpHeaders
            type: object
            additionalProperties: false
-        ExecuteSASCodePayload:
+        RunTimeType:
            enum:
                - sas
                - js
            type: string
        ExecuteCodePayload:
            properties:
                code:
                    type: string
-                    description: 'Code of SAS program'
+                    description: 'Code of program'
-                    example: '* SAS Code HERE;'
+                    example: '* Code HERE;'
                runTime:
                    $ref: '#/components/schemas/RunTimeType'
                    description: 'runtime for program'
                    example: js
            required:
                - code
                - runTime
            type: object
            additionalProperties: false
        MemberType.folder:
@@ -304,10 +279,28 @@ components:
                    type: string
                displayName:
                    type: string
                isAdmin:
                    type: boolean
            required:
                - id
                - username
                - displayName
                - isAdmin
            type: object
            additionalProperties: false
        GroupResponse:
            properties:
                groupId:
                    type: number
                    format: double
                name:
                    type: string
                description:
                    type: string
            required:
                - groupId
                - name
                - description
            type: object
            additionalProperties: false
        UserDetailsResponse:
@@ -323,6 +316,12 @@ components:
                    type: boolean
                isAdmin:
                    type: boolean
                autoExec:
                    type: string
                groups:
                    items:
                        $ref: '#/components/schemas/GroupResponse'
                    type: array
            required:
                - id
                - displayName
@@ -352,27 +351,16 @@ components:
                    type: boolean
                    description: 'Account should be active or not, defaults to true'
                    example: 'true'
                autoExec:
                    type: string
                    description: 'User-specific auto-exec code'
                    example: ""
            required:
                - displayName
                - username
                - password
            type: object
            additionalProperties: false
        GroupResponse:
            properties:
                groupId:
                    type: number
                    format: double
                name:
                    type: string
                description:
                    type: string
            required:
                - groupId
                - name
                - description
            type: object
            additionalProperties: false
        GroupDetailsResponse:
            properties:
                groupId:
@@ -415,6 +403,27 @@ components:
                - description
            type: object
            additionalProperties: false
        _LeanDocument__LeanDocument_T__:
            properties: {}
            type: object
        Pick__LeanDocument_T_.Exclude_keyof_LeanDocument_T_.Exclude_keyofDocument._id-or-id-or-__v_-or-%24isSingleNested__:
            properties:
                _id:
                    $ref: '#/components/schemas/_LeanDocument__LeanDocument_T__'
                    description: 'This documents _id.'
                __v:
                    description: 'This documents __v.'
                id:
                    description: 'The string version of this documents _id.'
            type: object
            description: 'From T, pick a set of properties whose keys are in the union K'
        Omit__LeanDocument_this_.Exclude_keyofDocument._id-or-id-or-__v_-or-%24isSingleNested_:
            $ref: '#/components/schemas/Pick__LeanDocument_T_.Exclude_keyof_LeanDocument_T_.Exclude_keyofDocument._id-or-id-or-__v_-or-%24isSingleNested__'
            description: 'Construct a type with the properties of T except for those in type K.'
        LeanDocument_this_:
            $ref: '#/components/schemas/Omit__LeanDocument_this_.Exclude_keyofDocument._id-or-id-or-__v_-or-%24isSingleNested_'
        IGroup:
            $ref: '#/components/schemas/LeanDocument_this_'
        InfoResponse:
            properties:
                mode:
@@ -427,11 +436,26 @@ components:
                    type: array
                protocol:
                    type: string
                runTimes:
                    items:
                        type: string
                    type: array
            required:
                - mode
                - cors
                - whiteList
                - protocol
                - runTimes
            type: object
            additionalProperties: false
        AuthorizedRoutesResponse:
            properties:
                URIs:
                    items:
                        type: string
                    type: array
            required:
                - URIs
            type: object
            additionalProperties: false
        ExecuteReturnJsonPayload:
@@ -442,6 +466,106 @@ components:
                    example: /Public/somefolder/some.file
            type: object
            additionalProperties: false
        LoginPayload:
            properties:
                username:
                    type: string
                    description: 'Username for user'
                    example: secretuser
                password:
                    type: string
                    description: 'Password for user'
                    example: secretpassword
            required:
                - username
                - password
            type: object
            additionalProperties: false
        AuthorizeResponse:
            properties:
                code:
                    type: string
                    description: 'Authorization code'
                    example: someRandomCryptoString
            required:
                - code
            type: object
            additionalProperties: false
        AuthorizePayload:
            properties:
                clientId:
                    type: string
                    description: 'Client ID'
                    example: clientID1
            required:
                - clientId
            type: object
            additionalProperties: false
        PermissionDetailsResponse:
            properties:
                permissionId:
                    type: number
                    format: double
                uri:
                    type: string
                setting:
                    type: string
                user:
                    $ref: '#/components/schemas/UserResponse'
                group:
                    $ref: '#/components/schemas/GroupDetailsResponse'
            required:
                - permissionId
                - uri
                - setting
            type: object
            additionalProperties: false
        PermissionSetting:
            enum:
                - Grant
                - Deny
            type: string
        PrincipalType:
            enum:
                - user
                - group
            type: string
        RegisterPermissionPayload:
            properties:
                uri:
                    type: string
                    description: 'Name of affected resource'
                    example: /SASjsApi/code/execute
                setting:
                    $ref: '#/components/schemas/PermissionSetting'
                    description: 'The indication of whether (and to what extent) access is provided'
                    example: Grant
                principalType:
                    $ref: '#/components/schemas/PrincipalType'
                    description: 'Indicates the type of principal'
                    example: user
                principalId:
                    type: number
                    format: double
                    description: 'The id of user or group to which a rule is assigned.'
                    example: 123
            required:
                - uri
                - setting
                - principalType
                - principalId
            type: object
            additionalProperties: false
        UpdatePermissionPayload:
            properties:
                setting:
                    $ref: '#/components/schemas/PermissionSetting'
                    description: 'The indication of whether (and to what extent) access is provided'
                    example: Grant
            required:
                - setting
            type: object
            additionalProperties: false
    securitySchemes:
        bearerAuth:
            type: http
@@ -512,86 +636,6 @@ paths:
                -
                    bearerAuth: []
            parameters: []
    /:
        get:
            operationId: Home
            responses:
                '200':
                    description: Ok
                    content:
                        application/json:
                            schema:
                                type: string
            summary: 'Render index.html'
            tags:
                - Web
            security: []
            parameters: []
    /SASLogon/login:
        post:
            operationId: Login
            responses:
                '200':
                    description: Ok
                    content:
                        application/json:
                            schema:
                                properties:
                                    user: {properties: {displayName: {type: string}, username: {type: string}}, required: [displayName, username], type: object}
                                    loggedIn: {type: boolean}
                                required:
                                    - user
                                    - loggedIn
                                type: object
            summary: 'Accept a valid username/password'
            tags:
                - Web
            security: []
            parameters: []
            requestBody:
                required: true
                content:
                    application/json:
                        schema:
                            $ref: '#/components/schemas/LoginPayload'
    /SASLogon/authorize:
        post:
            operationId: Authorize
            responses:
                '200':
                    description: Ok
                    content:
                        application/json:
                            schema:
                                $ref: '#/components/schemas/AuthorizeResponse'
                            examples:
                                'Example 1':
                                    value: {code: someRandomCryptoString}
            summary: 'Accept a valid username/password, plus a CLIENT_ID, and return an AUTH_CODE'
            tags:
                - Web
            security: []
            parameters: []
            requestBody:
                required: true
                content:
                    application/json:
                        schema:
                            $ref: '#/components/schemas/AuthorizePayload'
    /logout:
        get:
            operationId: Logout
            responses:
                '200':
                    description: Ok
                    content:
                        application/json:
                            schema: {}
            summary: 'Accept a valid username/password'
            tags:
                - Web
            security: []
            parameters: []
    /SASjsApi/client:
        post:
            operationId: CreateClient
@@ -620,7 +664,7 @@ paths:
                            $ref: '#/components/schemas/ClientPayload'
    /SASjsApi/code/execute:
        post:
-            operationId: ExecuteSASCode
+            operationId: ExecuteCode
            responses:
                '200':
                    description: Ok
@@ -641,7 +685,7 @@ paths:
                content:
                    application/json:
                        schema:
-                            $ref: '#/components/schemas/ExecuteSASCodePayload'
+                            $ref: '#/components/schemas/ExecuteCodePayload'
    /SASjsApi/drive/deploy:
        post:
            operationId: Deploy
@@ -717,7 +761,8 @@ paths:
                            examples:
                                'Example 1':
                                    value: {status: failure, message: 'Deployment failed!'}
-            summary: 'Creates/updates files within SASjs Drive using uploaded JSON file.'
+            description: "Accepts JSON file and zipped compressed JSON file as well.\nCompressed file should only contain one JSON file and should have same name\nas of compressed file e.g. deploy.JSON should be compressed to deploy.JSON.zip\nAny other file or JSON file in zipped will be ignored!"
            summary: 'Creates/updates files within SASjs Drive using uploaded JSON/compressed JSON file.'
            tags:
                - Drive
            security:
@@ -946,7 +991,7 @@ paths:
                                type: array
                            examples:
                                'Example 1':
-                                    value: [{id: 123, username: johnusername, displayName: John}, {id: 456, username: starkusername, displayName: Stark}]
+                                    value: [{id: 123, username: johnusername, displayName: John, isAdmin: false}, {id: 456, username: starkusername, displayName: Stark, isAdmin: true}]
            summary: 'Get list of all users (username, displayname). All users can request this.'
            tags:
                - User
@@ -979,6 +1024,94 @@ paths:
                    application/json:
                        schema:
                            $ref: '#/components/schemas/UserPayload'
    '/SASjsApi/user/by/username/{username}':
        get:
            operationId: GetUserByUsername
            responses:
                '200':
                    description: Ok
                    content:
                        application/json:
                            schema:
                                $ref: '#/components/schemas/UserDetailsResponse'
            description: 'Only Admin or user itself will get user autoExec code.'
            summary: 'Get user properties - such as group memberships, userName, displayName.'
            tags:
                - User
            security:
                -
                    bearerAuth: []
            parameters:
                -
                    description: 'The User''s username'
                    in: path
                    name: username
                    required: true
                    schema:
                        type: string
                    example: johnSnow01
        patch:
            operationId: UpdateUserByUsername
            responses:
                '200':
                    description: Ok
                    content:
                        application/json:
                            schema:
                                $ref: '#/components/schemas/UserDetailsResponse'
                            examples:
                                'Example 1':
                                    value: {id: 1234, displayName: 'John Snow', username: johnSnow01, isAdmin: false, isActive: true}
            summary: 'Update user properties - such as displayName. Can be performed either by admins, or the user in question.'
            tags:
                - User
            security:
                -
                    bearerAuth: []
            parameters:
                -
                    description: 'The User''s username'
                    in: path
                    name: username
                    required: true
                    schema:
                        type: string
                    example: johnSnow01
            requestBody:
                required: true
                content:
                    application/json:
                        schema:
                            $ref: '#/components/schemas/UserPayload'
        delete:
            operationId: DeleteUserByUsername
            responses:
                '204':
                    description: 'No content'
            summary: 'Delete a user. Can be performed either by admins, or the user in question.'
            tags:
                - User
            security:
                -
                    bearerAuth: []
            parameters:
                -
                    description: 'The User''s username'
                    in: path
                    name: username
                    required: true
                    schema:
                        type: string
                    example: johnSnow01
            requestBody:
                required: true
                content:
                    application/json:
                        schema:
                            properties:
                                password:
                                    type: string
                            type: object
    '/SASjsApi/user/{userId}':
        get:
            operationId: GetUser
@@ -989,6 +1122,7 @@ paths:
                        application/json:
                            schema:
                                $ref: '#/components/schemas/UserDetailsResponse'
            description: 'Only Admin or user itself will get user autoExec code.'
            summary: 'Get user properties - such as group memberships, userName, displayName.'
            tags:
                - User
@@ -1116,6 +1250,30 @@ paths:
                    application/json:
                        schema:
                            $ref: '#/components/schemas/GroupPayload'
    '/SASjsApi/group/by/groupname/{name}':
        get:
            operationId: GetGroupByGroupName
            responses:
                '200':
                    description: Ok
                    content:
                        application/json:
                            schema:
                                $ref: '#/components/schemas/GroupDetailsResponse'
            summary: 'Get list of members of a group (userName). All users can request this.'
            tags:
                - Group
            security:
                -
                    bearerAuth: []
            parameters:
                -
                    description: 'The group''s name'
                    in: path
                    name: name
                    required: true
                    schema:
                        type: string
    '/SASjsApi/group/{groupId}':
        get:
            operationId: GetGroup
@@ -1145,8 +1303,14 @@ paths:
        delete:
            operationId: DeleteGroup
            responses:
-                '204':
+                '200':
-                    description: 'No content'
+                    description: Ok
                    content:
                        application/json:
                            schema:
                                allOf:
                                    - {$ref: '#/components/schemas/IGroup'}
                                    - {properties: {_id: {}}, required: [_id], type: object}
            summary: 'Delete a group. Admin task only.'
            tags:
                - Group
@@ -1250,12 +1414,30 @@ paths:
                                $ref: '#/components/schemas/InfoResponse'
                            examples:
                                'Example 1':
-                                    value: {mode: desktop, cors: enable, whiteList: ['http://example.com', 'http://example2.com'], protocol: http}
+                                    value: {mode: desktop, cors: enable, whiteList: ['http://example.com', 'http://example2.com'], protocol: http, runTimes: [sas, js]}
            summary: 'Get server info (mode, cors, whiteList, protocol).'
            tags:
                - Info
            security: []
            parameters: []
    /SASjsApi/info/authorizedRoutes:
        get:
            operationId: AuthorizedRoutes
            responses:
                '200':
                    description: Ok
                    content:
                        application/json:
                            schema:
                                $ref: '#/components/schemas/AuthorizedRoutesResponse'
                            examples:
                                'Example 1':
                                    value: {URIs: [/AppStream, /SASjsApi/stp/execute]}
            summary: 'Get authorized routes.'
            tags:
                - Info
            security: []
            parameters: []
    /SASjsApi/session:
        get:
            operationId: Session
@@ -1268,7 +1450,7 @@ paths:
                                $ref: '#/components/schemas/UserResponse'
                            examples:
                                'Example 1':
-                                    value: {id: 123, username: johnusername, displayName: John}
+                                    value: {id: 123, username: johnusername, displayName: John, isAdmin: false}
            summary: 'Get session info (username).'
            tags:
                - Session
@@ -1288,8 +1470,8 @@ paths:
                                anyOf:
                                    - {type: string}
                                    - {type: string, format: byte}
-            description: "Trigger a SAS program using it's location in the _program URL parameter.\nEnable debugging using the _debug URL parameter.  Setting _debug=131 will\ncause the log to be streamed in the output.\n\nAdditional URL parameters are turned into SAS macro variables.\n\nAny files provided in the request body are placed into the SAS session with\ncorresponding _WEBIN_XXX variables created.\n\nThe response headers can be adjusted using the mfs_httpheader() macro.  Any\nfile type can be returned, including binary files such as zip or xls.\n\nIf _debug is >= 131, response headers will contain Content-Type: 'text/plain'\n\nThis behaviour differs for POST requests, in which case the response is\nalways JSON."
+            description: "Trigger a SAS or JS program using the _program URL parameter.\n\nAccepts URL parameters and file uploads.  For more details, see docs:\n\nhttps://server.sasjs.io/storedprograms"
-            summary: 'Execute Stored Program, return raw _webout content.'
+            summary: 'Execute a Stored Program, returns raw _webout content.'
            tags:
                - STP
            security:
@@ -1297,13 +1479,13 @@ paths:
                    bearerAuth: []
            parameters:
                -
-                    description: 'Location of SAS program'
+                    description: 'Location of SAS or JS code'
                    in: query
                    name: _program
                    required: true
                    schema:
                        type: string
-                    example: /Public/somefolder/some.file
+                    example: /Projects/myApp/some/program
        post:
            operationId: ExecuteReturnJson
            responses:
@@ -1316,8 +1498,8 @@ paths:
                            examples:
                                'Example 1':
                                    value: {status: success, _webout: 'webout content', log: [], httpHeaders: {Content-type: application/zip, Cache-Control: 'public, max-age=1000'}}
-            description: "Trigger a SAS program using it's location in the _program URL parameter.\nEnable debugging using the _debug URL parameter.  In any case, the log is\nalways returned in the log object.\n\nAdditional URL parameters are turned into SAS macro variables.\n\nAny files provided in the request body are placed into the SAS session with\ncorresponding _WEBIN_XXX variables created.\n\nThe response will be a JSON object with the following root attributes: log,\nwebout, headers.\n\nThe webout will be a nested JSON object ONLY if the response-header\ncontains a content-type of application/json AND it is valid JSON.\nOtherwise it will be a stringified version of the webout content.\n\nResponse headers from the mfs_httpheader macro are simply listed in the\nheaders object, for POST requests they have no effect on the actual\nresponse header."
+            description: "Trigger a SAS or JS program using the _program URL parameter.\n\nAccepts URL parameters and file uploads.  For more details, see docs:\n\nhttps://server.sasjs.io/storedprograms\n\nThe response will be a JSON object with the following root attributes:\nlog, webout, headers.\n\nThe webout attribute will be nested JSON ONLY if the response-header\ncontains a content-type of application/json AND it is valid JSON.\nOtherwise it will be a stringified version of the webout content."
-            summary: 'Execute Stored Program, return JSON'
+            summary: 'Execute a Stored Program, return a JSON object'
            tags:
                - STP
            security:
@@ -1325,32 +1507,218 @@ paths:
                    bearerAuth: []
            parameters:
                -
-                    description: 'Location of SAS program'
+                    description: 'Location of SAS or JS code'
                    in: query
                    name: _program
                    required: false
                    schema:
                        type: string
-                    example: /Public/somefolder/some.file
+                    example: /Projects/myApp/some/program
            requestBody:
                required: false
                content:
                    application/json:
                        schema:
                            $ref: '#/components/schemas/ExecuteReturnJsonPayload'
    /:
        get:
            operationId: Home
            responses:
                '200':
                    description: Ok
                    content:
                        application/json:
                            schema:
                                type: string
            summary: 'Render index.html'
            tags:
                - Web
            security: []
            parameters: []
    /SASLogon/login:
        post:
            operationId: Login
            responses:
                '200':
                    description: Ok
                    content:
                        application/json:
                            schema:
                                properties:
                                    user: {properties: {isAdmin: {type: boolean}, displayName: {type: string}, username: {type: string}, id: {type: number, format: double}}, required: [isAdmin, displayName, username, id], type: object}
                                    loggedIn: {type: boolean}
                                required:
                                    - user
                                    - loggedIn
                                type: object
            summary: 'Accept a valid username/password'
            tags:
                - Web
            security: []
            parameters: []
            requestBody:
                required: true
                content:
                    application/json:
                        schema:
                            $ref: '#/components/schemas/LoginPayload'
    /SASLogon/authorize:
        post:
            operationId: Authorize
            responses:
                '200':
                    description: Ok
                    content:
                        application/json:
                            schema:
                                $ref: '#/components/schemas/AuthorizeResponse'
                            examples:
                                'Example 1':
                                    value: {code: someRandomCryptoString}
            summary: 'Accept a valid username/password, plus a CLIENT_ID, and return an AUTH_CODE'
            tags:
                - Web
            security: []
            parameters: []
            requestBody:
                required: true
                content:
                    application/json:
                        schema:
                            $ref: '#/components/schemas/AuthorizePayload'
    /SASLogon/logout:
        get:
            operationId: Logout
            responses:
                '200':
                    description: Ok
                    content:
                        application/json:
                            schema: {}
            summary: 'Destroy the session stored in cookies'
            tags:
                - Web
            security: []
            parameters: []
    /SASjsApi/permission:
        get:
            operationId: GetAllPermissions
            responses:
                '200':
                    description: Ok
                    content:
                        application/json:
                            schema:
                                items:
                                    $ref: '#/components/schemas/PermissionDetailsResponse'
                                type: array
                            examples:
                                'Example 1':
                                    value: [{permissionId: 123, uri: /SASjsApi/code/execute, setting: Grant, user: {id: 1, username: johnSnow01, displayName: 'John Snow', isAdmin: false}}, {permissionId: 124, uri: /SASjsApi/code/execute, setting: Grant, group: {groupId: 1, name: DCGroup, description: 'This group represents Data Controller Users', isActive: true, users: []}}]
            summary: 'Get list of all permissions (uri, setting and userDetail).'
            tags:
                - Permission
            security:
                -
                    bearerAuth: []
            parameters: []
        post:
            operationId: CreatePermission
            responses:
                '200':
                    description: Ok
                    content:
                        application/json:
                            schema:
                                $ref: '#/components/schemas/PermissionDetailsResponse'
                            examples:
                                'Example 1':
                                    value: {permissionId: 123, uri: /SASjsApi/code/execute, setting: Grant, user: {id: 1, username: johnSnow01, displayName: 'John Snow', isAdmin: false}}
            summary: 'Create a new permission. Admin only.'
            tags:
                - Permission
            security:
                -
                    bearerAuth: []
            parameters: []
            requestBody:
                required: true
                content:
                    application/json:
                        schema:
                            $ref: '#/components/schemas/RegisterPermissionPayload'
    '/SASjsApi/permission/{permissionId}':
        patch:
            operationId: UpdatePermission
            responses:
                '200':
                    description: Ok
                    content:
                        application/json:
                            schema:
                                $ref: '#/components/schemas/PermissionDetailsResponse'
                            examples:
                                'Example 1':
                                    value: {permissionId: 123, uri: /SASjsApi/code/execute, setting: Grant, user: {id: 1, username: johnSnow01, displayName: 'John Snow', isAdmin: false}}
            summary: 'Update permission setting. Admin only'
            tags:
                - Permission
            security:
                -
                    bearerAuth: []
            parameters:
                -
                    description: 'The permission''s identifier'
                    in: path
                    name: permissionId
                    required: true
                    schema:
                        format: double
                        type: number
                    example: 1234
            requestBody:
                required: true
                content:
                    application/json:
                        schema:
                            $ref: '#/components/schemas/UpdatePermissionPayload'
        delete:
            operationId: DeletePermission
            responses:
                '204':
                    description: 'No content'
            summary: 'Delete a permission. Admin only.'
            tags:
                - Permission
            security:
                -
                    bearerAuth: []
            parameters:
                -
                    description: 'The user''s identifier'
                    in: path
                    name: permissionId
                    required: true
                    schema:
                        format: double
                        type: number
                    example: 1234
 servers:
    -
        url: /
 tags:
    -
        name: Info
-        description: 'Get Server Info'
+        description: 'Get Server Information'
    -
        name: Session
        description: 'Get Session information'
    -
        name: User
-        description: 'Operations about users'
+        description: 'Operations with users'
    -
        name: Permission
        description: 'Operations about permissions'
    -
        name: Client
        description: 'Operations about clients'
@@ -1359,16 +1727,16 @@ tags:
        description: 'Operations about auth'
    -
        name: Drive
-        description: 'Operations about drive'
+        description: 'Operations on SASjs Drive'
    -
        name: Group
-        description: 'Operations about group'
+        description: 'Operations on groups and group memberships'
    -
        name: STP
-        description: 'Operations about STP'
+        description: 'Execution of Stored Programs'
    -
        name: CODE
-        description: 'Operations on SAS code'
+        description: 'Execution of code (various runtimes are supported)'
    -
        name: Web
        description: 'Operations on Web'
--- a/api/scripts/compileSysInit.ts
+++ b/api/scripts/compileSysInit.ts
@@ -6,7 +6,7 @@ import {
  readFile,
  SASJsFileType
 } from '@sasjs/utils'
-import { apiRoot, sysInitCompiledPath } from '../src/utils'
+import { apiRoot, sysInitCompiledPath } from '../src/utils/file'
 const macroCorePath = path.join(apiRoot, 'node_modules', '@sasjs', 'core')
--- a/api/scripts/copySASjsCore.ts
+++ b/api/scripts/copySASjsCore.ts
@@ -8,7 +8,11 @@ import {
  listFilesInFolder
 } from '@sasjs/utils'
-import { apiRoot, sasJSCoreMacros, sasJSCoreMacrosInfo } from '../src/utils'
+import {
  apiRoot,
  sasJSCoreMacros,
  sasJSCoreMacrosInfo
 } from '../src/utils/file'
 const macroCorePath = path.join(apiRoot, 'node_modules', '@sasjs', 'core')
--- a/api/src/app-modules/configureCors.ts
+++ b/api/src/app-modules/configureCors.ts
@@ -0,0 +1,21 @@
 import { Express } from 'express'
 import cors from 'cors'
 import { CorsType } from '../utils'
 export const configureCors = (app: Express) => {
  const { CORS, WHITELIST } = process.env
  if (CORS === CorsType.ENABLED) {
    const whiteList: string[] = []
    WHITELIST?.split(' ')
      ?.filter((url) => !!url)
      .forEach((url) => {
        if (url.startsWith('http'))
          // removing trailing slash of URLs listing for CORS
          whiteList.push(url.replace(/\/$/, ''))
      })
    console.log('All CORS Requests are enabled for:', whiteList)
    app.use(cors({ credentials: true, origin: whiteList }))
  }
 }
--- a/api/src/app-modules/configureExpressSession.ts
+++ b/api/src/app-modules/configureExpressSession.ts
@@ -0,0 +1,32 @@
 import { Express } from 'express'
 import mongoose from 'mongoose'
 import session from 'express-session'
 import MongoStore from 'connect-mongo'
 import { ModeType } from '../utils'
 import { cookieOptions } from '../app'
 export const configureExpressSession = (app: Express) => {
  const { MODE } = process.env
  if (MODE === ModeType.Server) {
    let store: MongoStore | undefined
    if (process.env.NODE_ENV !== 'test') {
      store = MongoStore.create({
        client: mongoose.connection!.getClient() as any,
        collectionName: 'sessions'
      })
    }
    app.use(
      session({
        secret: process.secrets.SESSION_SECRET,
        saveUninitialized: false, // don't create session until something stored
        resave: false, //don't save session if unmodified
        store,
        cookie: cookieOptions
      })
    )
  }
 }
--- a/api/src/app-modules/configureLogger.ts
+++ b/api/src/app-modules/configureLogger.ts
@@ -0,0 +1,33 @@
 import path from 'path'
 import { Express } from 'express'
 import morgan from 'morgan'
 import { createStream } from 'rotating-file-stream'
 import { generateTimestamp } from '@sasjs/utils'
 import { getLogFolder } from '../utils'
 export const configureLogger = (app: Express) => {
  const { LOG_FORMAT_MORGAN } = process.env
  let options
  if (
    process.env.NODE_ENV !== 'development' &&
    process.env.NODE_ENV !== 'test'
  ) {
    const timestamp = generateTimestamp()
    const filename = `${timestamp}.log`
    const logsFolder = getLogFolder()
    // create a rotating write stream
    var accessLogStream = createStream(filename, {
      interval: '1d', // rotate daily
      path: logsFolder
    })
    console.log('Writing Logs to :', path.join(logsFolder, filename))
    options = { stream: accessLogStream }
  }
  // setup the logger
  app.use(morgan(LOG_FORMAT_MORGAN as string, options))
 }
--- a/api/src/app-modules/configureSecurity.ts
+++ b/api/src/app-modules/configureSecurity.ts
@@ -0,0 +1,26 @@
 import { Express } from 'express'
 import { getEnvCSPDirectives } from '../utils/parseHelmetConfig'
 import { HelmetCoepType, ProtocolType } from '../utils'
 import helmet from 'helmet'
 export const configureSecurity = (app: Express) => {
  const { PROTOCOL, HELMET_CSP_CONFIG_PATH, HELMET_COEP } = process.env
  const cspConfigJson: { [key: string]: string[] | null } = getEnvCSPDirectives(
    HELMET_CSP_CONFIG_PATH
  )
  if (PROTOCOL === ProtocolType.HTTP)
    cspConfigJson['upgrade-insecure-requests'] = null
  app.use(
    helmet({
      contentSecurityPolicy: {
        directives: {
          ...helmet.contentSecurityPolicy.getDefaultDirectives(),
          ...cspConfigJson
        }
      },
      crossOriginEmbedderPolicy: HELMET_COEP === HelmetCoepType.TRUE
    })
  )
 }
--- a/api/src/app-modules/index.ts
+++ b/api/src/app-modules/index.ts
@@ -0,0 +1,4 @@
 export * from './configureCors'
 export * from './configureExpressSession'
 export * from './configureLogger'
 export * from './configureSecurity'
--- a/api/src/app.ts
+++ b/api/src/app.ts
@@ -1,113 +1,48 @@
 import path from 'path'
 import express, { ErrorRequestHandler } from 'express'
 import csrf from 'csurf'
 import session from 'express-session'
 import MongoStore from 'connect-mongo'
 import morgan from 'morgan'
 import cookieParser from 'cookie-parser'
 import dotenv from 'dotenv'
 import cors from 'cors'
 import helmet from 'helmet'
 import {
  connectDB,
  copySASjsCore,
-  getWebBuildFolderPath,
+  getWebBuildFolder,
  instantiateLogger,
  loadAppStreamConfig,
  ProtocolType,
  ReturnCode,
  setProcessVariables,
-  setupFolders
+  setupFolders,
  verifyEnvVariables
 } from './utils'
-import { getEnvCSPDirectives } from './utils/parseHelmetConfig'
+import {
  configureCors,
  configureExpressSession,
  configureLogger,
  configureSecurity
 } from './app-modules'
 dotenv.config()
 instantiateLogger()
 if (verifyEnvVariables()) process.exit(ReturnCode.InvalidEnv)
 const app = express()
-app.use(cookieParser())
+const { PROTOCOL } = process.env
 app.use(morgan('tiny'))
 const { MODE, CORS, WHITELIST, PROTOCOL, HELMET_CSP_CONFIG_PATH, HELMET_COEP } =
  process.env
 export const cookieOptions = {
-  secure: PROTOCOL === 'https',
+  secure: PROTOCOL === ProtocolType.HTTPS,
  httpOnly: true,
  maxAge: 24 * 60 * 60 * 1000 // 24 hours
 }
 const cspConfigJson: { [key: string]: string[] | null } = getEnvCSPDirectives(
  HELMET_CSP_CONFIG_PATH
 )
 const coepFlag =
  HELMET_COEP === 'true' || HELMET_COEP === undefined ? true : false
 if (PROTOCOL === 'http') cspConfigJson['upgrade-insecure-requests'] = null
 /***********************************
 *         CSRF Protection         *
 ***********************************/
 export const csrfProtection = csrf({ cookie: cookieOptions })
 /***********************************
 *   Handle security and origin    *
 ***********************************/
 app.use(
  helmet({
    contentSecurityPolicy: {
      directives: {
        ...helmet.contentSecurityPolicy.getDefaultDirectives(),
        ...cspConfigJson
      }
    },
    crossOriginEmbedderPolicy: coepFlag
  })
 )
 /***********************************
 *         Enabling CORS           *
 ***********************************/
 if (MODE?.trim() !== 'server' || CORS?.trim() === 'enable') {
  const whiteList: string[] = []
  WHITELIST?.split(' ')
    ?.filter((url) => !!url)
    .forEach((url) => {
      if (url.startsWith('http'))
        // removing trailing slash of URLs listing for CORS
        whiteList.push(url.replace(/\/$/, ''))
    })
  console.log('All CORS Requests are enabled for:', whiteList)
  app.use(cors({ credentials: true, origin: whiteList }))
 }
 /***********************************
 *         DB Connection &          *
 *        Express Sessions          *
 *        With Mongo Store          *
 ***********************************/
 if (MODE?.trim() === 'server') {
  let store: MongoStore | undefined
  // NOTE: when exporting app.js as agent for supertest
  // we should exclude connecting to the real database
  if (process.env.NODE_ENV !== 'test') {
    const clientPromise = connectDB().then((conn) => conn!.getClient() as any)
    store = MongoStore.create({ clientPromise, collectionName: 'sessions' })
  }
  app.use(
    session({
      secret: process.env.SESSION_SECRET as string,
      saveUninitialized: false, // don't create session until something stored
      resave: false, //don't save session if unmodified
      store,
      cookie: cookieOptions
    })
  )
 }
 app.use(express.json({ limit: '100mb' }))
 app.use(express.static(path.join(__dirname, '../public')))
 const onError: ErrorRequestHandler = (err, req, res, next) => {
  if (err.code === 'EBADCSRFTOKEN')
    return res.status(400).send('Invalid CSRF token!')
@@ -117,6 +52,30 @@ const onError: ErrorRequestHandler = (err, req, res, next) => {
 }
 export default setProcessVariables().then(async () => {
  app.use(cookieParser())
  configureLogger(app)
  /***********************************
   *   Handle security and origin    *
   ***********************************/
  configureSecurity(app)
  /***********************************
   *         Enabling CORS           *
   ***********************************/
  configureCors(app)
  /***********************************
   *         DB Connection &          *
   *        Express Sessions          *
   *        With Mongo Store          *
   ***********************************/
  configureExpressSession(app)
  app.use(express.json({ limit: '100mb' }))
  app.use(express.static(path.join(__dirname, '../public')))
  await setupFolders()
  await copySASjsCore()
@@ -129,7 +88,7 @@ export default setProcessVariables().then(async () => {
  // should be served after setting up web route
  // index.html needs to be injected with some js script.
-  app.use(express.static(getWebBuildFolderPath()))
+  app.use(express.static(getWebBuildFolder()))
  app.use(onError)
--- a/api/src/controllers/auth.ts
+++ b/api/src/controllers/auth.ts
@@ -129,8 +129,8 @@ const verifyAuthCode = async (
  clientId: string,
  code: string
 ): Promise<InfoJWT | undefined> => {
-  return new Promise((resolve, reject) => {
+  return new Promise((resolve) => {
-    jwt.verify(code, process.env.AUTH_CODE_SECRET as string, (err, data) => {
+    jwt.verify(code, process.secrets.AUTH_CODE_SECRET, (err, data) => {
      if (err) return resolve(undefined)
      const clientInfo: InfoJWT = {
--- a/api/src/controllers/code.ts
+++ b/api/src/controllers/code.ts
@@ -1,16 +1,26 @@
 import express from 'express'
 import { Request, Security, Route, Tags, Post, Body } from 'tsoa'
 import { ExecuteReturnJson, ExecutionController } from './internal'
 import { PreProgramVars } from '../types'
 import { ExecuteReturnJsonResponse } from '.'
-import { getPreProgramVariables, parseLogToArray } from '../utils'
+import {
  getPreProgramVariables,
  getUserAutoExec,
  ModeType,
  parseLogToArray,
  RunTimeType
 } from '../utils'
-interface ExecuteSASCodePayload {
+interface ExecuteCodePayload {
  /**
-   * Code of SAS program
+   * Code of program
-   * @example "* SAS Code HERE;"
+   * @example "* Code HERE;"
   */
  code: string
  /**
   * runtime for program
   * @example "js"
   */
  runTime: RunTimeType
 }
@Security('bearerAuth')
@@ -22,24 +32,34 @@ export class CodeController {
   * @summary Run SAS Code and returns log
   */
  @Post('/execute')
-  public async executeSASCode(
+  public async executeCode(
    @Request() request: express.Request,
-    @Body() body: ExecuteSASCodePayload
+    @Body() body: ExecuteCodePayload
  ): Promise<ExecuteReturnJsonResponse> {
-    return executeSASCode(request, body)
+    return executeCode(request, body)
  }
 }
-const executeSASCode = async (req: any, { code }: ExecuteSASCodePayload) => {
+const executeCode = async (
  req: express.Request,
  { code, runTime }: ExecuteCodePayload
 ) => {
  const { user } = req
  const userAutoExec =
    process.env.MODE === ModeType.Server
      ? user?.autoExec
      : await getUserAutoExec()
  try {
    const { webout, log, httpHeaders } =
-      (await new ExecutionController().executeProgram(
+      (await new ExecutionController().executeProgram({
-        code,
+        program: code,
-        getPreProgramVariables(req),
+        preProgramVariables: getPreProgramVariables(req),
-        { ...req.query, _debug: 131 },
+        vars: { ...req.query, _debug: 131 },
-        undefined,
+        otherArgs: { userAutoExec },
-        true
+        returnJson: true,
-      )) as ExecuteReturnJson
+        runTime: runTime
      })) as ExecuteReturnJson
    return {
      status: 'success',
--- a/api/src/controllers/drive.ts
+++ b/api/src/controllers/drive.ts
@@ -32,7 +32,7 @@ import {
 import { createFileTree, ExecutionController, getTreeExample } from './internal'
 import { TreeNode } from '../types'
-import { getTmpFilesFolderPath } from '../utils'
+import { getFilesFolder } from '../utils'
 interface DeployPayload {
  appLoc: string
@@ -96,7 +96,12 @@ export class DriveController {
  }
  /**
-   * @summary Creates/updates files within SASjs Drive using uploaded JSON file.
+   * Accepts JSON file and zipped compressed JSON file as well.
   * Compressed file should only contain one JSON file and should have same name
   * as of compressed file e.g. deploy.JSON should be compressed to deploy.JSON.zip
   * Any other file or JSON file in zipped will be ignored!
   *
   * @summary Creates/updates files within SASjs Drive using uploaded JSON/compressed JSON file.
   *
   */
  @Example<DeployResponse>(successDeployResponse)
@@ -214,12 +219,12 @@ const getFileTree = () => {
 }
 const deploy = async (data: DeployPayload) => {
-  const driveFilesPath = getTmpFilesFolderPath()
+  const driveFilesPath = getFilesFolder()
  const appLocParts = data.appLoc.replace(/^\//, '').split('/')
  const appLocPath = path
-    .join(getTmpFilesFolderPath(), ...appLocParts)
+    .join(getFilesFolder(), ...appLocParts)
    .replace(new RegExp('/', 'g'), path.sep)
  if (!appLocPath.includes(driveFilesPath)) {
@@ -238,10 +243,10 @@ const deploy = async (data: DeployPayload) => {
 }
 const getFile = async (req: express.Request, filePath: string) => {
-  const driveFilesPath = getTmpFilesFolderPath()
+  const driveFilesPath = getFilesFolder()
  const filePathFull = path
-    .join(getTmpFilesFolderPath(), filePath)
+    .join(getFilesFolder(), filePath)
    .replace(new RegExp('/', 'g'), path.sep)
  if (!filePathFull.includes(driveFilesPath)) {
@@ -261,11 +266,11 @@ const getFile = async (req: express.Request, filePath: string) => {
 }
 const getFolder = async (folderPath?: string) => {
-  const driveFilesPath = getTmpFilesFolderPath()
+  const driveFilesPath = getFilesFolder()
  if (folderPath) {
    const folderPathFull = path
-      .join(getTmpFilesFolderPath(), folderPath)
+      .join(getFilesFolder(), folderPath)
      .replace(new RegExp('/', 'g'), path.sep)
    if (!folderPathFull.includes(driveFilesPath)) {
@@ -291,10 +296,10 @@ const getFolder = async (folderPath?: string) => {
 }
 const deleteFile = async (filePath: string) => {
-  const driveFilesPath = getTmpFilesFolderPath()
+  const driveFilesPath = getFilesFolder()
  const filePathFull = path
-    .join(getTmpFilesFolderPath(), filePath)
+    .join(getFilesFolder(), filePath)
    .replace(new RegExp('/', 'g'), path.sep)
  if (!filePathFull.includes(driveFilesPath)) {
@@ -314,7 +319,7 @@ const saveFile = async (
  filePath: string,
  multerFile: Express.Multer.File
 ): Promise<GetFileResponse> => {
-  const driveFilesPath = getTmpFilesFolderPath()
+  const driveFilesPath = getFilesFolder()
  const filePathFull = path
    .join(driveFilesPath, filePath)
@@ -339,7 +344,7 @@ const updateFile = async (
  filePath: string,
  multerFile: Express.Multer.File
 ): Promise<GetFileResponse> => {
-  const driveFilesPath = getTmpFilesFolderPath()
+  const driveFilesPath = getFilesFolder()
  const filePathFull = path
    .join(driveFilesPath, filePath)
--- a/api/src/controllers/group.ts
+++ b/api/src/controllers/group.ts
@@ -14,13 +14,13 @@ import Group, { GroupPayload } from '../model/Group'
 import User from '../model/User'
 import { UserResponse } from './user'
-interface GroupResponse {
+export interface GroupResponse {
  groupId: number
  name: string
  description: string
 }
-interface GroupDetailsResponse {
+export interface GroupDetailsResponse {
  groupId: number
  name: string
  description: string
@@ -28,6 +28,11 @@ interface GroupDetailsResponse {
  users: UserResponse[]
 }
 interface GetGroupBy {
  groupId?: number
  name?: string
 }
@Security('bearerAuth')
@Route('SASjsApi/group')
@Tags('Group')
@@ -66,6 +71,18 @@ export class GroupController {
    return createGroup(body)
  }
  /**
   * @summary Get list of members of a group (userName). All users can request this.
   * @param name The group's name
   * @example dcgroup
   */
  @Get('by/groupname/{name}')
  public async getGroupByGroupName(
    @Path() name: string
  ): Promise<GroupDetailsResponse> {
    return getGroup({ name })
  }
  /**
   * @summary Get list of members of a group (userName). All users can request this.
   * @param groupId The group's identifier
@@ -75,7 +92,7 @@ export class GroupController {
  public async getGroup(
    @Path() groupId: number
  ): Promise<GroupDetailsResponse> {
-    return getGroup(groupId)
+    return getGroup({ groupId })
  }
  /**
@@ -129,9 +146,13 @@ export class GroupController {
   */
  @Delete('{groupId}')
  public async deleteGroup(@Path() groupId: number) {
-    const { deletedCount } = await Group.deleteOne({ groupId })
+    const group = await Group.findOne({ groupId })
-    if (deletedCount) return
+    if (group) return await group.remove()
-    throw new Error('No Group deleted!')
+    throw {
      code: 404,
      status: 'Not Found',
      message: 'Group not found.'
    }
  }
 }
@@ -145,6 +166,15 @@ const createGroup = async ({
  description,
  isActive
 }: GroupPayload): Promise<GroupDetailsResponse> => {
  // Checking if user is already in the database
  const groupnameExist = await Group.findOne({ name })
  if (groupnameExist)
    throw {
      code: 409,
      status: 'Conflict',
      message: 'Group name already exists.'
    }
  const group = new Group({
    name,
    description,
@@ -162,15 +192,20 @@ const createGroup = async ({
  }
 }
-const getGroup = async (groupId: number): Promise<GroupDetailsResponse> => {
+const getGroup = async (findBy: GetGroupBy): Promise<GroupDetailsResponse> => {
  const group = (await Group.findOne(
-    { groupId },
+    findBy,
    'groupId name description isActive users -_id'
  ).populate(
    'users',
-    'id username displayName -_id'
+    'id username displayName isAdmin -_id'
  )) as unknown as GroupDetailsResponse
-  if (!group) throw new Error('Group not found.')
+  if (!group)
    throw {
      code: 404,
      status: 'Not Found',
      message: 'Group not found.'
    }
  return {
    groupId: group.groupId,
@@ -199,16 +234,32 @@ const updateUsersListInGroup = async (
  action: 'addUser' | 'removeUser'
 ): Promise<GroupDetailsResponse> => {
  const group = await Group.findOne({ groupId })
-  if (!group) throw new Error('Group not found.')
+  if (!group)
    throw {
      code: 404,
      status: 'Not Found',
      message: 'Group not found.'
    }
  const user = await User.findOne({ id: userId })
-  if (!user) throw new Error('User not found.')
+  if (!user)
    throw {
      code: 404,
      status: 'Not Found',
      message: 'User not found.'
    }
-  const updatedGroup = (action === 'addUser'
+  const updatedGroup =
-    ? await group.addUser(user._id)
+    action === 'addUser'
-    : await group.removeUser(user._id)) as unknown as GroupDetailsResponse
+      ? await group.addUser(user)
      : await group.removeUser(user)
-  if (!updatedGroup) throw new Error('Unable to update group')
+  if (!updatedGroup)
    throw {
      code: 400,
      status: 'Bad Request',
      message: 'Unable to update group.'
    }
  return {
    groupId: updatedGroup.groupId,
--- a/api/src/controllers/index.ts
+++ b/api/src/controllers/index.ts
@@ -4,6 +4,7 @@ export * from './code'
 export * from './drive'
 export * from './group'
 export * from './info'
 export * from './permission'
 export * from './session'
 export * from './stp'
 export * from './user'
--- a/api/src/controllers/info.ts
+++ b/api/src/controllers/info.ts
@@ -1,10 +1,15 @@
 import { Route, Tags, Example, Get } from 'tsoa'
 import { getAuthorizedRoutes } from '../utils'
 export interface AuthorizedRoutesResponse {
  URIs: string[]
 }
 export interface InfoResponse {
  mode: string
  cors: string
  whiteList: string[]
  protocol: string
  runTimes: string[]
 }
@Route('SASjsApi/info')
@@ -18,7 +23,8 @@ export class InfoController {
    mode: 'desktop',
    cors: 'enable',
    whiteList: ['http://example.com', 'http://example2.com'],
-    protocol: 'http'
+    protocol: 'http',
    runTimes: ['sas', 'js']
  })
  @Get('/')
  public info(): InfoResponse {
@@ -29,7 +35,23 @@ export class InfoController {
        (process.env.MODE === 'server' ? 'disable' : 'enable'),
      whiteList:
        process.env.WHITELIST?.split(' ')?.filter((url) => !!url) ?? [],
-      protocol: process.env.PROTOCOL ?? 'http'
+      protocol: process.env.PROTOCOL ?? 'http',
      runTimes: process.runTimes
    }
    return response
  }
  /**
   * @summary Get authorized routes.
   *
   */
  @Example<AuthorizedRoutesResponse>({
    URIs: ['/AppStream', '/SASjsApi/stp/execute']
  })
  @Get('/authorizedRoutes')
  public authorizedRoutes(): AuthorizedRoutesResponse {
    const response = {
      URIs: getAuthorizedRoutes()
    }
    return response
  }
--- a/api/src/controllers/internal/Execution.ts
+++ b/api/src/controllers/internal/Execution.ts
@@ -1,21 +1,14 @@
 import path from 'path'
 import fs from 'fs'
-import { getSessionController } from './'
+import { getSessionController, processProgram } from './'
-import {
+import { readFile, fileExists, createFile, readFileBinary } from '@sasjs/utils'
  readFile,
  fileExists,
  createFile,
  moveFile,
  readFileBinary
 } from '@sasjs/utils'
 import { PreProgramVars, Session, TreeNode } from '../../types'
 import {
  extractHeaders,
-  generateFileUploadSasCode,
+  getFilesFolder,
  getTmpFilesFolderPath,
  getTmpMacrosPath,
  HTTPHeaders,
-  isDebugOn
+  isDebugOn,
  RunTimeType
 } from '../../utils'
 export interface ExecutionVars {
@@ -33,39 +26,53 @@ export interface ExecuteReturnJson {
  log?: string
 }
-export class ExecutionController {
+interface ExecuteFileParams {
-  async executeFile(
+  programPath: string
-    programPath: string,
+  preProgramVariables: PreProgramVars
-    preProgramVariables: PreProgramVars,
+  vars: ExecutionVars
-    vars: ExecutionVars,
+  otherArgs?: any
-    otherArgs?: any,
+  returnJson?: boolean
-    returnJson?: boolean,
+  session?: Session
-    session?: Session
+  runTime: RunTimeType
-  ) {
+}
    if (!(await fileExists(programPath)))
      throw 'ExecutionController: SAS file does not exist.'
 interface ExecuteProgramParams extends Omit<ExecuteFileParams, 'programPath'> {
  program: string
 }
 export class ExecutionController {
  async executeFile({
    programPath,
    preProgramVariables,
    vars,
    otherArgs,
    returnJson,
    session,
    runTime
  }: ExecuteFileParams) {
    const program = await readFile(programPath)
-    return this.executeProgram(
+    return this.executeProgram({
      program,
      preProgramVariables,
      vars,
      otherArgs,
      returnJson,
-      session
+      session,
-    )
+      runTime
    })
  }
-  async executeProgram(
+  async executeProgram({
-    program: string,
+    program,
-    preProgramVariables: PreProgramVars,
+    preProgramVariables,
-    vars: ExecutionVars,
+    vars,
-    otherArgs?: any,
+    otherArgs,
-    returnJson?: boolean,
+    returnJson,
-    sessionByFileUpload?: Session
+    session: sessionByFileUpload,
-  ): Promise<ExecuteReturnRaw | ExecuteReturnJson> {
+    runTime
-    const sessionController = getSessionController()
+  }: ExecuteProgramParams): Promise<ExecuteReturnRaw | ExecuteReturnJson> {
    const sessionController = getSessionController(runTime)
    const session =
      sessionByFileUpload ?? (await sessionController.getSession())
@@ -83,74 +90,18 @@ export class ExecutionController {
      preProgramVariables?.httpHeaders.join('\n') ?? ''
    )
-    const varStatments = Object.keys(vars).reduce(
+    await processProgram(
-      (computed: string, key: string) =>
+      program,
-        `${computed}%let ${key}=${vars[key]};\n`,
+      preProgramVariables,
-      ''
+      vars,
      session,
      weboutPath,
      tokenFile,
      runTime,
      logPath,
      otherArgs
    )
    const preProgramVarStatments = `
 %let _sasjs_tokenfile=${tokenFile};
 %let _sasjs_username=${preProgramVariables?.username};
 %let _sasjs_userid=${preProgramVariables?.userId};
 %let _sasjs_displayname=${preProgramVariables?.displayName};
 %let _sasjs_apiserverurl=${preProgramVariables?.serverUrl};
 %let _sasjs_apipath=/SASjsApi/stp/execute;
 %let _metaperson=&_sasjs_displayname;
 %let _metauser=&_sasjs_username;
 %let sasjsprocessmode=Stored Program;
 %let sasjs_stpsrv_header_loc=%sysfunc(pathname(work))/../stpsrv_header.txt;
 %global SYSPROCESSMODE SYSTCPIPHOSTNAME SYSHOSTINFOLONG;
 %macro _sasjs_server_init();
  %if "&SYSPROCESSMODE"="" %then %let SYSPROCESSMODE=&sasjsprocessmode;
  %if "&SYSTCPIPHOSTNAME"="" %then %let SYSTCPIPHOSTNAME=&_sasjs_apiserverurl;
 %mend;
 %_sasjs_server_init()
 `
    program = `
 options insert=(SASAUTOS="${getTmpMacrosPath()}");
 /* runtime vars */
 ${varStatments}
 filename _webout "${weboutPath}" mod;
 /* dynamic user-provided vars */
 ${preProgramVarStatments}
 /* actual job code */
 ${program}`
    // if no files are uploaded filesNamesMap will be undefined
    if (otherArgs?.filesNamesMap) {
      const uploadSasCode = await generateFileUploadSasCode(
        otherArgs.filesNamesMap,
        session.path
      )
      //If sas code for the file is generated it will be appended to the top of sasCode
      if (uploadSasCode.length > 0) {
        program = `${uploadSasCode}` + program
      }
    }
    const codePath = path.join(session.path, 'code.sas')
    // Creating this file in a RUNNING session will break out
    // the autoexec loop and actually execute the program
    // but - given it will take several milliseconds to create
    // (which can mean SAS trying to run a partial program, or
    // failing due to file lock) we first create the file THEN
    // we rename it.
    await createFile(codePath + '.bkp', program)
    await moveFile(codePath + '.bkp', codePath)
    // we now need to poll the session status
    while (!session.completed) {
      await delay(50)
    }
    const log = (await fileExists(logPath)) ? await readFile(logPath) : ''
    const headersContent = (await fileExists(headersPath))
      ? await readFile(headersPath)
@@ -191,7 +142,7 @@ ${program}`
    const root: TreeNode = {
      name: 'files',
      relativePath: '',
-      absolutePath: getTmpFilesFolderPath(),
+      absolutePath: getFilesFolder(),
      children: []
    }
@@ -224,5 +175,3 @@ ${program}`
    return root
  }
 }
 const delay = (ms: number) => new Promise((resolve) => setTimeout(resolve, ms))
--- a/api/src/controllers/internal/FileUploadController.ts
+++ b/api/src/controllers/internal/FileUploadController.ts
@@ -1,14 +1,20 @@
 import { Request, RequestHandler } from 'express'
 import multer from 'multer'
 import { uuidv4 } from '@sasjs/utils'
 import { getSessionController } from '.'
 import {
  executeProgramRawValidation,
  getRunTimeAndFilePath,
  RunTimeType
 } from '../../utils'
 export class FileUploadController {
  private storage = multer.diskStorage({
-    destination: function (req: any, file: any, cb: any) {
+    destination: function (req: Request, file: any, cb: any) {
      //Sending the intercepted files to the sessions subfolder
-      cb(null, req.sasSession.path)
+      cb(null, req.sasjsSession?.path)
    },
-    filename: function (req: any, file: any, cb: any) {
+    filename: function (req: Request, file: any, cb: any) {
      //req_file prefix + unique hash added to sas request files
      cb(null, `req_file_${uuidv4().replace(/-/gm, '')}`)
    }
@@ -18,16 +24,43 @@ export class FileUploadController {
  //It will intercept request and generate unique uuid to be used as a subfolder name
  //that will store the files uploaded
-  public preUploadMiddleware = async (req: any, res: any, next: any) => {
+  public preUploadMiddleware: RequestHandler = async (req, res, next) => {
-    let session
+    const { error: errQ, value: query } = executeProgramRawValidation(req.query)
    const { error: errB, value: body } = executeProgramRawValidation(req.body)
-    const sessionController = getSessionController()
+    if (errQ && errB) return res.status(400).send(errB.details[0].message)
-    session = await sessionController.getSession()
+
    const programPath = (query?._program ?? body?._program) as string
    let runTime
    try {
      ;({ runTime } = await getRunTimeAndFilePath(programPath))
    } catch (err: any) {
      return res.status(400).send({
        status: 'failure',
        message: 'Job execution failed',
        error: typeof err === 'object' ? err.toString() : err
      })
    }
    let sessionController
    try {
      sessionController = getSessionController(runTime)
    } catch (err: any) {
      return res.status(400).send({
        status: 'failure',
        message: err.message,
        error: typeof err === 'object' ? err.toString() : err
      })
    }
    const session = await sessionController.getSession()
    // marking consumed true, so that it's not available
    // as readySession for any other request
    session.consumed = true
-    req.sasSession = session
+    req.sasjsSession = session
    next()
  }
--- a/api/src/controllers/internal/Session.ts
+++ b/api/src/controllers/internal/Session.ts
@@ -3,26 +3,30 @@ import { Session } from '../../types'
 import { promisify } from 'util'
 import { execFile } from 'child_process'
 import {
-  getTmpSessionsFolderPath,
+  getSessionsFolder,
  generateUniqueFileName,
-  sysInitCompiledPath
+  sysInitCompiledPath,
  RunTimeType
 } from '../../utils'
 import {
  deleteFolder,
  createFile,
  fileExists,
  generateTimestamp,
-  readFile
+  readFile,
  isWindows
 } from '@sasjs/utils'
 const execFilePromise = promisify(execFile)
-export class SessionController {
+abstract class SessionController {
-  private sessions: Session[] = []
+  protected sessions: Session[] = []
-  private getReadySessions = (): Session[] =>
+  protected getReadySessions = (): Session[] =>
    this.sessions.filter((sess: Session) => sess.ready && !sess.consumed)
  protected abstract createSession(): Promise<Session>
  public async getSession() {
    const readySessions = this.getReadySessions()
@@ -34,10 +38,12 @@ export class SessionController {
    return session
  }
 }
-  private async createSession(): Promise<Session> {
+export class SASSessionController extends SessionController {
  protected async createSession(): Promise<Session> {
    const sessionId = generateUniqueFileName(generateTimestamp())
-    const sessionFolder = path.join(getTmpSessionsFolderPath(), sessionId)
+    const sessionFolder = path.join(getSessionsFolder(), sessionId)
    const creationTimeStamp = sessionId.split('-').pop() as string
    // death time of session is 15 mins from creation
@@ -82,7 +88,9 @@ ${autoExecContent}`
    // however we also need a promise so that we can update the
    // session array to say that it has (eventually) finished.
-    execFilePromise(process.sasLoc, [
+    // Additional windows specific options to avoid the desktop popups.
    execFilePromise(process.sasLoc!, [
      '-SYSIN',
      codePath,
      '-LOG',
@@ -93,7 +101,9 @@ ${autoExecContent}`
      session.path,
      '-AUTOEXEC',
      autoExecPath,
-      process.platform === 'win32' ? '-nosplash' : ''
+      process.sasLoc!.endsWith('sas.exe') ? '-nosplash' : '',
      process.sasLoc!.endsWith('sas.exe') ? '-icon' : '',
      isWindows() ? '-nologo' : ''
    ])
      .then(() => {
        session.completed = true
@@ -152,12 +162,66 @@ ${autoExecContent}`
  }
 }
-export const getSessionController = (): SessionController => {
+export class JSSessionController extends SessionController {
-  if (process.sessionController) return process.sessionController
+  protected async createSession(): Promise<Session> {
    const sessionId = generateUniqueFileName(generateTimestamp())
    const sessionFolder = path.join(getSessionsFolder(), sessionId)
-  process.sessionController = new SessionController()
+    const creationTimeStamp = sessionId.split('-').pop() as string
    // death time of session is 15 mins from creation
    const deathTimeStamp = (
      parseInt(creationTimeStamp) +
      15 * 60 * 1000 -
      1000
    ).toString()
-  return process.sessionController
+    const session: Session = {
      id: sessionId,
      ready: true,
      inUse: true,
      consumed: false,
      completed: false,
      creationTimeStamp,
      deathTimeStamp,
      path: sessionFolder
    }
    const headersPath = path.join(session.path, 'stpsrv_header.txt')
    await createFile(headersPath, 'Content-type: application/json')
    this.sessions.push(session)
    return session
  }
 }
 export const getSessionController = (
  runTime: RunTimeType
 ): SASSessionController | JSSessionController => {
  if (runTime === RunTimeType.SAS) {
    return getSASSessionController()
  }
  if (runTime === RunTimeType.JS) {
    return getJSSessionController()
  }
  throw new Error('No Runtime is configured')
 }
 const getSASSessionController = (): SASSessionController => {
  if (process.sasSessionController) return process.sasSessionController
  process.sasSessionController = new SASSessionController()
  return process.sasSessionController
 }
 const getJSSessionController = (): JSSessionController => {
  if (process.jsSessionController) return process.jsSessionController
  process.jsSessionController = new JSSessionController()
  return process.jsSessionController
 }
 const autoExecContent = `
--- a/api/src/controllers/internal/createJSProgram.ts
+++ b/api/src/controllers/internal/createJSProgram.ts
@@ -0,0 +1,69 @@
 import { isWindows } from '@sasjs/utils'
 import { PreProgramVars, Session } from '../../types'
 import { generateFileUploadJSCode } from '../../utils'
 import { ExecutionVars } from './'
 export const createJSProgram = async (
  program: string,
  preProgramVariables: PreProgramVars,
  vars: ExecutionVars,
  session: Session,
  weboutPath: string,
  tokenFile: string,
  otherArgs?: any
 ) => {
  const varStatments = Object.keys(vars).reduce(
    (computed: string, key: string) =>
      `${computed}const ${key} = '${vars[key]}';\n`,
    ''
  )
  const preProgramVarStatments = `
 let _webout = '';
 const weboutPath = '${
    isWindows() ? weboutPath.replace(/\\/g, '\\\\') : weboutPath
  }'; 
 const _sasjs_tokenfile = '${
    isWindows() ? tokenFile.replace(/\\/g, '\\\\') : tokenFile
  }';
 const _sasjs_username = '${preProgramVariables?.username}';
 const _sasjs_userid = '${preProgramVariables?.userId}';
 const _sasjs_displayname = '${preProgramVariables?.displayName}';
 const _metaperson = _sasjs_displayname;
 const _metauser = _sasjs_username;
 const sasjsprocessmode = 'Stored Program';
 `
  const requiredModules = `const fs = require('fs')`
  program = `
 /* runtime vars */
 ${varStatments}
 /* dynamic user-provided vars */
 ${preProgramVarStatments}
 /* actual job code */
 ${program}
 /* write webout file only if webout exists*/
 if (_webout) {
  fs.writeFile(weboutPath, _webout, function (err) {
    if (err) throw err;
  })
 }
 `
  // if no files are uploaded filesNamesMap will be undefined
  if (otherArgs?.filesNamesMap) {
    const uploadJSCode = await generateFileUploadJSCode(
      otherArgs.filesNamesMap,
      session.path
    )
    //If js code for the file is generated it will be appended to the top of jsCode
    if (uploadJSCode.length > 0) {
      program = `${uploadJSCode}\n` + program
    }
  }
  return requiredModules + program
 }
--- a/api/src/controllers/internal/createSASProgram.ts
+++ b/api/src/controllers/internal/createSASProgram.ts
@@ -0,0 +1,69 @@
 import { PreProgramVars, Session } from '../../types'
 import { generateFileUploadSasCode, getMacrosFolder } from '../../utils'
 import { ExecutionVars } from './'
 export const createSASProgram = async (
  program: string,
  preProgramVariables: PreProgramVars,
  vars: ExecutionVars,
  session: Session,
  weboutPath: string,
  tokenFile: string,
  otherArgs?: any
 ) => {
  const varStatments = Object.keys(vars).reduce(
    (computed: string, key: string) => `${computed}%let ${key}=${vars[key]};\n`,
    ''
  )
  const preProgramVarStatments = `
 %let _sasjs_tokenfile=${tokenFile};
 %let _sasjs_username=${preProgramVariables?.username};
 %let _sasjs_userid=${preProgramVariables?.userId};
 %let _sasjs_displayname=${preProgramVariables?.displayName};
 %let _sasjs_apiserverurl=${preProgramVariables?.serverUrl};
 %let _sasjs_apipath=/SASjsApi/stp/execute;
 %let _metaperson=&_sasjs_displayname;
 %let _metauser=&_sasjs_username;
 %let sasjsprocessmode=Stored Program;
 %let sasjs_stpsrv_header_loc=%sysfunc(pathname(work))/../stpsrv_header.txt;
 %global SYSPROCESSMODE SYSTCPIPHOSTNAME SYSHOSTINFOLONG;
 %macro _sasjs_server_init();
 %if "&SYSPROCESSMODE"="" %then %let SYSPROCESSMODE=&sasjsprocessmode;
 %if "&SYSTCPIPHOSTNAME"="" %then %let SYSTCPIPHOSTNAME=&_sasjs_apiserverurl;
 %mend;
 %_sasjs_server_init()
 `
  program = `
 options insert=(SASAUTOS="${getMacrosFolder()}");
 /* runtime vars */
 ${varStatments}
 filename _webout "${weboutPath}" mod;
 /* dynamic user-provided vars */
 ${preProgramVarStatments}
 /* user autoexec starts */
 ${otherArgs?.userAutoExec ?? ''}
 /* user autoexec ends */
 /* actual job code */
 ${program}`
  // if no files are uploaded filesNamesMap will be undefined
  if (otherArgs?.filesNamesMap) {
    const uploadSasCode = await generateFileUploadSasCode(
      otherArgs.filesNamesMap,
      session.path
    )
    //If sas code for the file is generated it will be appended to the top of sasCode
    if (uploadSasCode.length > 0) {
      program = `${uploadSasCode}` + program
    }
  }
  return program
 }
--- a/api/src/controllers/internal/deploy.ts
+++ b/api/src/controllers/internal/deploy.ts
@@ -1,5 +1,5 @@
 import path from 'path'
-import { getTmpFilesFolderPath } from '../../utils/file'
+import { getFilesFolder } from '../../utils/file'
 import {
  createFolder,
  createFile,
@@ -17,7 +17,7 @@ export const createFileTree = async (
  parentFolders: string[] = []
 ) => {
  const destinationPath = path.join(
-    getTmpFilesFolderPath(),
+    getFilesFolder(),
    path.join(...parentFolders)
  )
--- a/api/src/controllers/internal/index.ts
+++ b/api/src/controllers/internal/index.ts
@@ -2,3 +2,6 @@ export * from './deploy'
 export * from './Session'
 export * from './Execution'
 export * from './FileUploadController'
 export * from './createSASProgram'
 export * from './createJSProgram'
 export * from './processProgram'
--- a/api/src/controllers/internal/processProgram.ts
+++ b/api/src/controllers/internal/processProgram.ts
@@ -0,0 +1,86 @@
 import path from 'path'
 import fs from 'fs'
 import { execFileSync } from 'child_process'
 import { once } from 'stream'
 import { createFile, moveFile } from '@sasjs/utils'
 import { PreProgramVars, Session } from '../../types'
 import { RunTimeType } from '../../utils'
 import { ExecutionVars, createSASProgram, createJSProgram } from './'
 export const processProgram = async (
  program: string,
  preProgramVariables: PreProgramVars,
  vars: ExecutionVars,
  session: Session,
  weboutPath: string,
  tokenFile: string,
  runTime: RunTimeType,
  logPath: string,
  otherArgs?: any
 ) => {
  if (runTime === RunTimeType.JS) {
    program = await createJSProgram(
      program,
      preProgramVariables,
      vars,
      session,
      weboutPath,
      tokenFile,
      otherArgs
    )
    const codePath = path.join(session.path, 'code.js')
    try {
      await createFile(codePath, program)
      // create a stream that will write to console outputs to log file
      const writeStream = fs.createWriteStream(logPath)
      // waiting for the open event so that we can have underlying file descriptor
      await once(writeStream, 'open')
      execFileSync(process.nodeLoc!, [codePath], {
        stdio: ['ignore', writeStream, writeStream]
      })
      // copy the code.js program to log and end write stream
      writeStream.end(program)
      session.completed = true
      console.log('session completed', session)
    } catch (err: any) {
      session.completed = true
      session.crashed = err.toString()
      console.log('session crashed', session.id, session.crashed)
    }
  } else {
    program = await createSASProgram(
      program,
      preProgramVariables,
      vars,
      session,
      weboutPath,
      tokenFile,
      otherArgs
    )
    const codePath = path.join(session.path, 'code.sas')
    // Creating this file in a RUNNING session will break out
    // the autoexec loop and actually execute the program
    // but - given it will take several milliseconds to create
    // (which can mean SAS trying to run a partial program, or
    // failing due to file lock) we first create the file THEN
    // we rename it.
    await createFile(codePath + '.bkp', program)
    await moveFile(codePath + '.bkp', codePath)
    // we now need to poll the session status
    while (!session.completed) {
      await delay(50)
    }
  }
 }
 const delay = (ms: number) => new Promise((resolve) => setTimeout(resolve, ms))
--- a/api/src/controllers/permission.ts
+++ b/api/src/controllers/permission.ts
@@ -0,0 +1,331 @@
 import {
  Security,
  Route,
  Tags,
  Path,
  Example,
  Get,
  Post,
  Patch,
  Delete,
  Body
 } from 'tsoa'
 import Permission from '../model/Permission'
 import User from '../model/User'
 import Group from '../model/Group'
 import { UserResponse } from './user'
 import { GroupDetailsResponse } from './group'
 export enum PrincipalType {
  user = 'user',
  group = 'group'
 }
 export enum PermissionSetting {
  grant = 'Grant',
  deny = 'Deny'
 }
 interface RegisterPermissionPayload {
  /**
   * Name of affected resource
   * @example "/SASjsApi/code/execute"
   */
  uri: string
  /**
   * The indication of whether (and to what extent) access is provided
   * @example "Grant"
   */
  setting: PermissionSetting
  /**
   * Indicates the type of principal
   * @example "user"
   */
  principalType: PrincipalType
  /**
   * The id of user or group to which a rule is assigned.
   * @example 123
   */
  principalId: number
 }
 interface UpdatePermissionPayload {
  /**
   * The indication of whether (and to what extent) access is provided
   * @example "Grant"
   */
  setting: PermissionSetting
 }
 export interface PermissionDetailsResponse {
  permissionId: number
  uri: string
  setting: string
  user?: UserResponse
  group?: GroupDetailsResponse
 }
@Security('bearerAuth')
@Route('SASjsApi/permission')
@Tags('Permission')
 export class PermissionController {
  /**
   * @summary Get list of all permissions (uri, setting and userDetail).
   *
   */
  @Example<PermissionDetailsResponse[]>([
    {
      permissionId: 123,
      uri: '/SASjsApi/code/execute',
      setting: 'Grant',
      user: {
        id: 1,
        username: 'johnSnow01',
        displayName: 'John Snow',
        isAdmin: false
      }
    },
    {
      permissionId: 124,
      uri: '/SASjsApi/code/execute',
      setting: 'Grant',
      group: {
        groupId: 1,
        name: 'DCGroup',
        description: 'This group represents Data Controller Users',
        isActive: true,
        users: []
      }
    }
  ])
  @Get('/')
  public async getAllPermissions(): Promise<PermissionDetailsResponse[]> {
    return getAllPermissions()
  }
  /**
   * @summary Create a new permission. Admin only.
   *
   */
  @Example<PermissionDetailsResponse>({
    permissionId: 123,
    uri: '/SASjsApi/code/execute',
    setting: 'Grant',
    user: {
      id: 1,
      username: 'johnSnow01',
      displayName: 'John Snow',
      isAdmin: false
    }
  })
  @Post('/')
  public async createPermission(
    @Body() body: RegisterPermissionPayload
  ): Promise<PermissionDetailsResponse> {
    return createPermission(body)
  }
  /**
   * @summary Update permission setting. Admin only
   * @param permissionId The permission's identifier
   * @example permissionId 1234
   */
  @Example<PermissionDetailsResponse>({
    permissionId: 123,
    uri: '/SASjsApi/code/execute',
    setting: 'Grant',
    user: {
      id: 1,
      username: 'johnSnow01',
      displayName: 'John Snow',
      isAdmin: false
    }
  })
  @Patch('{permissionId}')
  public async updatePermission(
    @Path() permissionId: number,
    @Body() body: UpdatePermissionPayload
  ): Promise<PermissionDetailsResponse> {
    return updatePermission(permissionId, body)
  }
  /**
   * @summary Delete a permission. Admin only.
   * @param permissionId The user's identifier
   * @example permissionId 1234
   */
  @Delete('{permissionId}')
  public async deletePermission(@Path() permissionId: number) {
    return deletePermission(permissionId)
  }
 }
 const getAllPermissions = async (): Promise<PermissionDetailsResponse[]> =>
  (await Permission.find({})
    .select({
      _id: 0,
      permissionId: 1,
      uri: 1,
      setting: 1
    })
    .populate({ path: 'user', select: 'id username displayName isAdmin -_id' })
    .populate({
      path: 'group',
      select: 'groupId name description -_id',
      populate: {
        path: 'users',
        select: 'id username displayName isAdmin -_id',
        options: { limit: 15 }
      }
    })) as unknown as PermissionDetailsResponse[]
 const createPermission = async ({
  uri,
  setting,
  principalType,
  principalId
 }: RegisterPermissionPayload): Promise<PermissionDetailsResponse> => {
  const permission = new Permission({
    uri,
    setting
  })
  let user: UserResponse | undefined
  let group: GroupDetailsResponse | undefined
  switch (principalType) {
    case PrincipalType.user: {
      const userInDB = await User.findOne({ id: principalId })
      if (!userInDB)
        throw {
          code: 404,
          status: 'Not Found',
          message: 'User not found.'
        }
      if (userInDB.isAdmin)
        throw {
          code: 400,
          status: 'Bad Request',
          message: 'Can not add permission for admin user.'
        }
      const alreadyExists = await Permission.findOne({
        uri,
        user: userInDB._id
      })
      if (alreadyExists)
        throw {
          code: 409,
          status: 'Conflict',
          message: 'Permission already exists with provided URI and User.'
        }
      permission.user = userInDB._id
      user = {
        id: userInDB.id,
        username: userInDB.username,
        displayName: userInDB.displayName,
        isAdmin: userInDB.isAdmin
      }
      break
    }
    case PrincipalType.group: {
      const groupInDB = await Group.findOne({ groupId: principalId })
      if (!groupInDB)
        throw {
          code: 404,
          status: 'Not Found',
          message: 'Group not found.'
        }
      const alreadyExists = await Permission.findOne({
        uri,
        group: groupInDB._id
      })
      if (alreadyExists)
        throw {
          code: 409,
          status: 'Conflict',
          message: 'Permission already exists with provided URI and Group.'
        }
      permission.group = groupInDB._id
      group = {
        groupId: groupInDB.groupId,
        name: groupInDB.name,
        description: groupInDB.description,
        isActive: groupInDB.isActive,
        users: groupInDB.populate({
          path: 'users',
          select: 'id username displayName isAdmin -_id',
          options: { limit: 15 }
        }) as unknown as UserResponse[]
      }
      break
    }
    default:
      throw {
        code: 400,
        status: 'Bad Request',
        message: 'Invalid principal type. Valid types are user or group.'
      }
  }
  const savedPermission = await permission.save()
  return {
    permissionId: savedPermission.permissionId,
    uri: savedPermission.uri,
    setting: savedPermission.setting,
    user,
    group
  }
 }
 const updatePermission = async (
  id: number,
  data: UpdatePermissionPayload
 ): Promise<PermissionDetailsResponse> => {
  const { setting } = data
  const updatedPermission = (await Permission.findOneAndUpdate(
    { permissionId: id },
    { setting },
    { new: true }
  )
    .select({
      _id: 0,
      permissionId: 1,
      uri: 1,
      setting: 1
    })
    .populate({ path: 'user', select: 'id username displayName isAdmin -_id' })
    .populate({
      path: 'group',
      select: 'groupId name description -_id'
    })) as unknown as PermissionDetailsResponse
  if (!updatedPermission)
    throw {
      code: 404,
      status: 'Not Found',
      message: 'Permission not found.'
    }
  return updatedPermission
 }
 const deletePermission = async (id: number) => {
  const permission = await Permission.findOne({ permissionId: id })
  if (!permission)
    throw {
      code: 404,
      status: 'Not Found',
      message: 'Permission not found.'
    }
  await Permission.deleteOne({ permissionId: id })
 }
--- a/api/src/controllers/session.ts
+++ b/api/src/controllers/session.ts
@@ -13,7 +13,8 @@ export class SessionController {
  @Example<UserResponse>({
    id: 123,
    username: 'johnusername',
-    displayName: 'John'
+    displayName: 'John',
    isAdmin: false
  })
  @Get('/')
  public async session(
@@ -23,8 +24,9 @@ export class SessionController {
  }
 }
-const session = (req: any) => ({
+const session = (req: express.Request) => ({
-  id: req.user.userId,
+  id: req.user!.userId,
-  username: req.user.username,
+  username: req.user!.username,
-  displayName: req.user.displayName
+  displayName: req.user!.displayName,
  isAdmin: req.user!.isAdmin
 })
--- a/api/src/controllers/stp.ts
+++ b/api/src/controllers/stp.ts
@@ -1,5 +1,4 @@
 import express from 'express'
 import path from 'path'
 import {
  Request,
  Security,
@@ -19,13 +18,14 @@ import {
 } from './internal'
 import {
  getPreProgramVariables,
  getTmpFilesFolderPath,
  HTTPHeaders,
  isDebugOn,
  LogLine,
  makeFilesNamesMap,
-  parseLogToArray
+  parseLogToArray,
  getRunTimeAndFilePath
 } from '../utils'
 import { MulterFile } from '../types/Upload'
 interface ExecuteReturnJsonPayload {
  /**
@@ -51,26 +51,15 @@ export interface ExecuteReturnJsonResponse {
@Tags('STP')
 export class STPController {
  /**
-   * Trigger a SAS program using it's location in the _program URL parameter.
+   * Trigger a SAS or JS program using the _program URL parameter.
   * Enable debugging using the _debug URL parameter.  Setting _debug=131 will
   * cause the log to be streamed in the output.
   *
-   * Additional URL parameters are turned into SAS macro variables.
+   * Accepts URL parameters and file uploads.  For more details, see docs:
   *
-   * Any files provided in the request body are placed into the SAS session with
+   * https://server.sasjs.io/storedprograms
   * corresponding _WEBIN_XXX variables created.
   *
-   * The response headers can be adjusted using the mfs_httpheader() macro.  Any
+   * @summary Execute a Stored Program, returns raw _webout content.
-   * file type can be returned, including binary files such as zip or xls.
+   * @param _program Location of SAS or JS code
-   *
+   * @example _program "/Projects/myApp/some/program"
   * If _debug is >= 131, response headers will contain Content-Type: 'text/plain'
   *
   * This behaviour differs for POST requests, in which case the response is
   * always JSON.
   *
   * @summary Execute Stored Program, return raw _webout content.
   * @param _program Location of SAS program
   * @example _program "/Public/somefolder/some.file"
   */
  @Get('/execute')
  public async executeReturnRaw(
@@ -81,29 +70,22 @@ export class STPController {
  }
  /**
-   * Trigger a SAS program using it's location in the _program URL parameter.
+   * Trigger a SAS or JS program using the _program URL parameter.
   * Enable debugging using the _debug URL parameter.  In any case, the log is
   * always returned in the log object.
   *
-   * Additional URL parameters are turned into SAS macro variables.
+   * Accepts URL parameters and file uploads.  For more details, see docs:
   *
-   * Any files provided in the request body are placed into the SAS session with
+   * https://server.sasjs.io/storedprograms
   * corresponding _WEBIN_XXX variables created.
   *
-   * The response will be a JSON object with the following root attributes: log,
+   * The response will be a JSON object with the following root attributes:
-   * webout, headers.
+   * log, webout, headers.
   *
-   * The webout will be a nested JSON object ONLY if the response-header
+   * The webout attribute will be nested JSON ONLY if the response-header
   * contains a content-type of application/json AND it is valid JSON.
   * Otherwise it will be a stringified version of the webout content.
   *
-   * Response headers from the mfs_httpheader macro are simply listed in the
+   * @summary Execute a Stored Program, return a JSON object
-   * headers object, for POST requests they have no effect on the actual
+   * @param _program Location of SAS or JS code
-   * response header.
+   * @example _program "/Projects/myApp/some/program"
   *
   * @summary Execute Stored Program, return JSON
   * @param _program Location of SAS program
   * @example _program "/Public/somefolder/some.file"
   */
  @Example<ExecuteReturnJsonResponse>({
    status: 'success',
@@ -130,18 +112,17 @@ const executeReturnRaw = async (
  _program: string
 ): Promise<string | Buffer> => {
  const query = req.query as ExecutionVars
  const sasCodePath =
    path
      .join(getTmpFilesFolderPath(), _program)
      .replace(new RegExp('/', 'g'), path.sep) + '.sas'
  try {
    const { codePath, runTime } = await getRunTimeAndFilePath(_program)
    const { result, httpHeaders } =
-      (await new ExecutionController().executeFile(
+      (await new ExecutionController().executeFile({
-        sasCodePath,
+        programPath: codePath,
-        getPreProgramVariables(req),
+        preProgramVariables: getPreProgramVariables(req),
-        query
+        vars: query,
-      )) as ExecuteReturnRaw
+        runTime
      })) as ExecuteReturnRaw
    // Should over-ride response header for debug
    // on GET request to see entire log rendering on browser.
@@ -167,26 +148,26 @@ const executeReturnRaw = async (
 }
 const executeReturnJson = async (
-  req: any,
+  req: express.Request,
  _program: string
 ): Promise<ExecuteReturnJsonResponse> => {
-  const sasCodePath =
+  const filesNamesMap = req.files?.length
-    path
+    ? makeFilesNamesMap(req.files as MulterFile[])
-      .join(getTmpFilesFolderPath(), _program)
+    : null
      .replace(new RegExp('/', 'g'), path.sep) + '.sas'
  const filesNamesMap = req.files?.length ? makeFilesNamesMap(req.files) : null
  try {
    const { codePath, runTime } = await getRunTimeAndFilePath(_program)
    const { webout, log, httpHeaders } =
-      (await new ExecutionController().executeFile(
+      (await new ExecutionController().executeFile({
-        sasCodePath,
+        programPath: codePath,
-        getPreProgramVariables(req),
+        preProgramVariables: getPreProgramVariables(req),
-        { ...req.query, ...req.body },
+        vars: { ...req.query, ...req.body },
-        { filesNamesMap: filesNamesMap },
+        otherArgs: { filesNamesMap: filesNamesMap },
-        true,
+        returnJson: true,
-        req.sasSession
+        session: req.sasjsSession,
-      )) as ExecuteReturnJson
+        runTime
      })) as ExecuteReturnJson
    let weboutRes: string | IRecordOfAny = webout
    if (httpHeaders['content-type']?.toLowerCase() === 'application/json') {
--- a/api/src/controllers/user.ts
+++ b/api/src/controllers/user.ts
@@ -1,3 +1,4 @@
 import express from 'express'
 import {
  Security,
  Route,
@@ -10,23 +11,30 @@ import {
  Patch,
  Delete,
  Body,
-  Hidden
+  Hidden,
  Request
 } from 'tsoa'
 import { desktopUser } from '../middlewares'
 import User, { UserPayload } from '../model/User'
 import { getUserAutoExec, updateUserAutoExec, ModeType } from '../utils'
 import { GroupResponse } from './group'
 export interface UserResponse {
  id: number
  username: string
  displayName: string
  isAdmin: boolean
 }
-interface UserDetailsResponse {
+export interface UserDetailsResponse {
  id: number
  displayName: string
  username: string
  isActive: boolean
  isAdmin: boolean
  autoExec?: string
  groups?: GroupResponse[]
 }
@Security('bearerAuth')
@@ -41,12 +49,14 @@ export class UserController {
    {
      id: 123,
      username: 'johnusername',
-      displayName: 'John'
+      displayName: 'John',
      isAdmin: false
    },
    {
      id: 456,
      username: 'starkusername',
-      displayName: 'Stark'
+      displayName: 'Stark',
      isAdmin: true
    }
  ])
  @Get('/')
@@ -73,13 +83,68 @@ export class UserController {
  }
  /**
   * Only Admin or user itself will get user autoExec code.
   * @summary Get user properties - such as group memberships, userName, displayName.
   * @param username The User's username
   * @example username "johnSnow01"
   */
  @Get('by/username/{username}')
  public async getUserByUsername(
    @Request() req: express.Request,
    @Path() username: string
  ): Promise<UserDetailsResponse> {
    const { MODE } = process.env
    if (MODE === ModeType.Desktop) return getDesktopAutoExec()
    const { user } = req
    const getAutoExec = user!.isAdmin || user!.username == username
    return getUser({ username }, getAutoExec)
  }
  /**
   * Only Admin or user itself will get user autoExec code.
   * @summary Get user properties - such as group memberships, userName, displayName.
   * @param userId The user's identifier
   * @example userId 1234
   */
  @Get('{userId}')
-  public async getUser(@Path() userId: number): Promise<UserDetailsResponse> {
+  public async getUser(
-    return getUser(userId)
+    @Request() req: express.Request,
    @Path() userId: number
  ): Promise<UserDetailsResponse> {
    const { MODE } = process.env
    if (MODE === ModeType.Desktop) return getDesktopAutoExec()
    const { user } = req
    const getAutoExec = user!.isAdmin || user!.userId == userId
    return getUser({ id: userId }, getAutoExec)
  }
  /**
   * @summary Update user properties - such as displayName. Can be performed either by admins, or the user in question.
   * @param username The User's username
   * @example username "johnSnow01"
   */
  @Example<UserDetailsResponse>({
    id: 1234,
    displayName: 'John Snow',
    username: 'johnSnow01',
    isAdmin: false,
    isActive: true
  })
  @Patch('by/username/{username}')
  public async updateUserByUsername(
    @Path() username: string,
    @Body() body: UserPayload
  ): Promise<UserDetailsResponse> {
    const { MODE } = process.env
    if (MODE === ModeType.Desktop)
      return updateDesktopAutoExec(body.autoExec ?? '')
    return updateUser({ username }, body)
  }
  /**
@@ -99,7 +164,26 @@ export class UserController {
    @Path() userId: number,
    @Body() body: UserPayload
  ): Promise<UserDetailsResponse> {
-    return updateUser(userId, body)
+    const { MODE } = process.env
    if (MODE === ModeType.Desktop)
      return updateDesktopAutoExec(body.autoExec ?? '')
    return updateUser({ id: userId }, body)
  }
  /**
   * @summary Delete a user. Can be performed either by admins, or the user in question.
   * @param username The User's username
   * @example username "johnSnow01"
   */
  @Delete('by/username/{username}')
  public async deleteUserByUsername(
    @Path() username: string,
    @Body() body: { password?: string },
    @Query() @Hidden() isAdmin: boolean = false
  ) {
    return deleteUser({ username }, isAdmin, body)
  }
  /**
@@ -113,17 +197,17 @@ export class UserController {
    @Body() body: { password?: string },
    @Query() @Hidden() isAdmin: boolean = false
  ) {
-    return deleteUser(userId, isAdmin, body)
+    return deleteUser({ id: userId }, isAdmin, body)
  }
 }
 const getAllUsers = async (): Promise<UserResponse[]> =>
  await User.find({})
-    .select({ _id: 0, id: 1, username: 1, displayName: 1 })
+    .select({ _id: 0, id: 1, username: 1, displayName: 1, isAdmin: 1 })
    .exec()
 const createUser = async (data: UserPayload): Promise<UserDetailsResponse> => {
-  const { displayName, username, password, isAdmin, isActive } = data
+  const { displayName, username, password, isAdmin, isActive, autoExec } = data
  // Checking if user is already in the database
  const usernameExist = await User.findOne({ username })
@@ -138,7 +222,8 @@ const createUser = async (data: UserPayload): Promise<UserDetailsResponse> => {
    username,
    password: hashPassword,
    isAdmin,
-    isActive
+    isActive,
    autoExec
  })
  const savedUser = await user.save()
@@ -148,38 +233,67 @@ const createUser = async (data: UserPayload): Promise<UserDetailsResponse> => {
    displayName: savedUser.displayName,
    username: savedUser.username,
    isActive: savedUser.isActive,
-    isAdmin: savedUser.isAdmin
+    isAdmin: savedUser.isAdmin,
    autoExec: savedUser.autoExec
  }
 }
-const getUser = async (id: number): Promise<UserDetailsResponse> => {
+interface GetUserBy {
-  const user = await User.findOne({ id })
+  id?: number
-    .select({
+  username?: string
-      _id: 0,
+}
-      id: 1,
+
-      username: 1,
+const getUser = async (
-      displayName: 1,
+  findBy: GetUserBy,
-      isAdmin: 1,
+  getAutoExec: boolean
-      isActive: 1
+): Promise<UserDetailsResponse> => {
-    })
+  const user = (await User.findOne(
-    .exec()
+    findBy,
    `id displayName username isActive isAdmin autoExec -_id`
  ).populate(
    'groups',
    'groupId name description -_id'
  )) as unknown as UserDetailsResponse
  if (!user) throw new Error('User is not found.')
-  return user
+  return {
    id: user.id,
    displayName: user.displayName,
    username: user.username,
    isActive: user.isActive,
    isAdmin: user.isAdmin,
    autoExec: getAutoExec ? user.autoExec ?? '' : undefined,
    groups: user.groups
  }
 }
 const getDesktopAutoExec = async () => {
  return {
    ...desktopUser,
    id: desktopUser.userId,
    autoExec: await getUserAutoExec()
  }
 }
 const updateUser = async (
-  id: number,
+  findBy: GetUserBy,
-  data: UserPayload
+  data: Partial<UserPayload>
 ): Promise<UserDetailsResponse> => {
-  const { displayName, username, password, isAdmin, isActive } = data
+  const { displayName, username, password, isAdmin, isActive, autoExec } = data
-  const params: any = { displayName, isAdmin, isActive }
+  const params: any = { displayName, isAdmin, isActive, autoExec }
  if (username) {
    // Checking if user is already in the database
    const usernameExist = await User.findOne({ username })
-    if (usernameExist?.id != id) throw new Error('Username already exists.')
+    if (usernameExist) {
      if (
        (findBy.id && usernameExist.id != findBy.id) ||
        (findBy.username && usernameExist.username != findBy.username)
      )
        throw new Error('Username already exists.')
    }
    params.username = username
  }
@@ -188,27 +302,36 @@ const updateUser = async (
    params.password = User.hashPassword(password)
  }
-  const updatedUser = await User.findOneAndUpdate({ id }, params, { new: true })
+  const updatedUser = await User.findOneAndUpdate(findBy, params, { new: true })
    .select({
      _id: 0,
      id: 1,
      username: 1,
      displayName: 1,
      isAdmin: 1,
      isActive: 1
    })
    .exec()
  if (!updatedUser) throw new Error('Unable to update user')
-  return updatedUser
+  if (!updatedUser)
    throw new Error(`Unable to find user with ${findBy.id || findBy.username}`)
  return {
    id: updatedUser.id,
    username: updatedUser.username,
    displayName: updatedUser.displayName,
    isAdmin: updatedUser.isAdmin,
    isActive: updatedUser.isActive,
    autoExec: updatedUser.autoExec
  }
 }
 const updateDesktopAutoExec = async (autoExec: string) => {
  await updateUserAutoExec(autoExec)
  return {
    ...desktopUser,
    id: desktopUser.userId,
    autoExec
  }
 }
 const deleteUser = async (
-  id: number,
+  findBy: GetUserBy,
  isAdmin: boolean,
  { password }: { password?: string }
 ) => {
-  const user = await User.findOne({ id })
+  const user = await User.findOne(findBy)
  if (!user) throw new Error('User is not found.')
  if (!isAdmin) {
@@ -216,5 +339,5 @@ const deleteUser = async (
    if (!validPass) throw new Error('Invalid password.')
  }
-  await User.deleteOne({ id })
+  await User.deleteOne(findBy)
 }
--- a/api/src/controllers/web.ts
+++ b/api/src/controllers/web.ts
@@ -5,7 +5,7 @@ import { readFile } from '@sasjs/utils'
 import User from '../model/User'
 import Client from '../model/Client'
-import { getWebBuildFolderPath, generateAuthCode } from '../utils'
+import { getWebBuildFolder, generateAuthCode } from '../utils'
 import { InfoJWT } from '../types'
 import { AuthController } from './auth'
@@ -49,10 +49,10 @@ export class WebController {
  }
  /**
-   * @summary Accept a valid username/password
+   * @summary Destroy the session stored in cookies
   *
   */
-  @Get('/logout')
+  @Get('/SASLogon/logout')
  public async logout(@Request() req: express.Request) {
    return new Promise((resolve) => {
      req.session.destroy(() => {
@@ -63,7 +63,7 @@ export class WebController {
 }
 const home = async () => {
-  const indexHtmlPath = path.join(getWebBuildFolderPath(), 'index.html')
+  const indexHtmlPath = path.join(getWebBuildFolder(), 'index.html')
  // Attention! Cannot use fileExists here,
  // due to limitation after building executable
@@ -90,14 +90,17 @@ const login = async (
    username: user.username,
    displayName: user.displayName,
    isAdmin: user.isAdmin,
-    isActive: user.isActive
+    isActive: user.isActive,
    autoExec: user.autoExec
  }
  return {
    loggedIn: true,
    user: {
      id: user.id,
      username: user.username,
-      displayName: user.displayName
+      displayName: user.displayName,
      isAdmin: user.isAdmin
    }
  }
 }
--- a/api/src/middlewares/authenticateToken.ts
+++ b/api/src/middlewares/authenticateToken.ts
@@ -1,46 +1,76 @@
 import { RequestHandler, Request, Response, NextFunction } from 'express'
 import jwt from 'jsonwebtoken'
 import { csrfProtection } from '../app'
-import { verifyTokenInDB } from '../utils'
+import {
  fetchLatestAutoExec,
  ModeType,
  verifyTokenInDB,
  isAuthorizingRoute
 } from '../utils'
 import { desktopUser } from './desktop'
 import { authorize } from './authorize'
 export const authenticateAccessToken: RequestHandler = async (
  req,
  res,
  next
 ) => {
  const { MODE } = process.env
  if (MODE === ModeType.Desktop) {
    req.user = desktopUser
    return next()
  }
  const nextFunction = isAuthorizingRoute(req)
    ? () => authorize(req, res, next)
    : next
 export const authenticateAccessToken = (req: any, res: any, next: any) => {
  // if request is coming from web and has valid session
-  // we can validate the request and check for CSRF Token
+  // it can be validated.
  if (req.session?.loggedIn) {
-    req.user = req.session.user
+    if (req.session.user) {
      const user = await fetchLatestAutoExec(req.session.user)
-    return csrfProtection(req, res, next)
+      if (user) {
        if (user.isActive) {
          req.user = user
          return csrfProtection(req, res, nextFunction)
        } else return res.sendStatus(401)
      }
    }
    return res.sendStatus(401)
  }
  authenticateToken(
    req,
    res,
-    next,
+    nextFunction,
-    process.env.ACCESS_TOKEN_SECRET as string,
+    process.secrets.ACCESS_TOKEN_SECRET,
    'accessToken'
  )
 }
-export const authenticateRefreshToken = (req: any, res: any, next: any) => {
+export const authenticateRefreshToken: RequestHandler = (req, res, next) => {
  authenticateToken(
    req,
    res,
    next,
-    process.env.REFRESH_TOKEN_SECRET as string,
+    process.secrets.REFRESH_TOKEN_SECRET,
    'refreshToken'
  )
 }
 const authenticateToken = (
-  req: any,
+  req: Request,
-  res: any,
+  res: Response,
-  next: any,
+  next: NextFunction,
  key: string,
  tokenType: 'accessToken' | 'refreshToken'
 ) => {
  const { MODE } = process.env
-  if (MODE?.trim() !== 'server') {
+  if (MODE === ModeType.Desktop) {
    req.user = {
-      userId: '1234',
+      userId: 1234,
      clientId: 'desktopModeClientId',
      username: 'desktopModeUsername',
      displayName: 'desktopModeDisplayName',
--- a/api/src/middlewares/authorize.ts
+++ b/api/src/middlewares/authorize.ts
@@ -0,0 +1,36 @@
 import { RequestHandler } from 'express'
 import User from '../model/User'
 import Permission from '../model/Permission'
 import { PermissionSetting } from '../controllers/permission'
 import { getUri } from '../utils'
 export const authorize: RequestHandler = async (req, res, next) => {
  const { user } = req
  if (!user) {
    return res.sendStatus(401)
  }
  // no need to check for permissions when user is admin
  if (user.isAdmin) return next()
  const dbUser = await User.findOne({ id: user.userId })
  if (!dbUser) return res.sendStatus(401)
  const uri = getUri(req)
  // find permission w.r.t user
  const permission = await Permission.findOne({ uri, user: dbUser._id })
  if (permission) {
    if (permission.setting === PermissionSetting.grant) return next()
    else return res.sendStatus(401)
  }
  // find permission w.r.t user's groups
  for (const group of dbUser.groups) {
    const groupPermission = await Permission.findOne({ uri, group })
    if (groupPermission?.setting === PermissionSetting.grant) return next()
  }
  return res.sendStatus(401)
 }
--- a/api/src/middlewares/desktop.ts
+++ b/api/src/middlewares/desktop.ts
@@ -1,18 +1,37 @@
-export const desktopRestrict = (req: any, res: any, next: any) => {
+import { RequestHandler, Request } from 'express'
 import { userInfo } from 'os'
 import { RequestUser } from '../types'
 import { ModeType } from '../utils'
 const regexUser = /^\/SASjsApi\/user\/[0-9]*$/ // /SASjsApi/user/1
 const allowedInDesktopMode: { [key: string]: RegExp[] } = {
  GET: [regexUser],
  PATCH: [regexUser]
 }
 const reqAllowedInDesktopMode = (request: Request): boolean => {
  const { method, originalUrl: url } = request
  return !!allowedInDesktopMode[method]?.find((urlRegex) => urlRegex.test(url))
 }
 export const desktopRestrict: RequestHandler = (req, res, next) => {
  const { MODE } = process.env
-  if (MODE?.trim() !== 'server')
+
-    return res.status(403).send('Not Allowed while in Desktop Mode.')
+  if (MODE === ModeType.Desktop) {
    if (!reqAllowedInDesktopMode(req))
      return res.status(403).send('Not Allowed while in Desktop Mode.')
  }
  next()
 }
 export const desktopUsername = (req: any, res: any, next: any) => {
  const { MODE } = process.env
  if (MODE?.trim() !== 'server')
    return res.status(200).send({
      userId: 12345,
      username: 'DESKTOPusername',
      displayName: 'DESKTOP User'
    })
-  next()
+export const desktopUser: RequestUser = {
  userId: 12345,
  clientId: 'desktop_app',
  username: userInfo().username,
  displayName: userInfo().username,
  isAdmin: true,
  isActive: true
 }
--- a/api/src/middlewares/index.ts
+++ b/api/src/middlewares/index.ts
@@ -2,3 +2,4 @@ export * from './authenticateToken'
 export * from './desktop'
 export * from './verifyAdmin'
 export * from './verifyAdminIfNeeded'
 export * from './authorize'
--- a/api/src/middlewares/multer.ts
+++ b/api/src/middlewares/multer.ts
@@ -1,13 +1,13 @@
 import path from 'path'
 import { Request } from 'express'
 import multer, { FileFilterCallback, Options } from 'multer'
-import { blockFileRegex, getTmpUploadsPath } from '../utils'
+import { blockFileRegex, getUploadsFolder } from '../utils'
 const fieldNameSize = 300
 const fileSize = 104857600 // 100 MB
 const storage = multer.diskStorage({
-  destination: getTmpUploadsPath(),
+  destination: getUploadsFolder(),
  filename: function (
    _req: Request,
    file: Express.Multer.File,
--- a/api/src/middlewares/verifyAdmin.ts
+++ b/api/src/middlewares/verifyAdmin.ts
@@ -1,6 +1,9 @@
-export const verifyAdmin = (req: any, res: any, next: any) => {
+import { RequestHandler } from 'express'
 import { ModeType } from '../utils'
 export const verifyAdmin: RequestHandler = (req, res, next) => {
  const { MODE } = process.env
-  if (MODE?.trim() !== 'server') return next()
+  if (MODE === ModeType.Desktop) return next()
  const { user } = req
  if (!user?.isAdmin) return res.status(401).send('Admin account required')
--- a/api/src/middlewares/verifyAdminIfNeeded.ts
+++ b/api/src/middlewares/verifyAdminIfNeeded.ts
@@ -1,9 +1,22 @@
-export const verifyAdminIfNeeded = (req: any, res: any, next: any) => {
+import { RequestHandler } from 'express'
  const { user } = req
  const userId = parseInt(req.params.userId)
-  if (!user.isAdmin && user.userId !== userId) {
+// This middleware checks if a non-admin user trying to
-    return res.status(401).send('Admin account required')
+// access information of other user
 export const verifyAdminIfNeeded: RequestHandler = (req, res, next) => {
  const { user } = req
  if (!user?.isAdmin) {
    let adminAccountRequired: boolean = true
    if (req.params.userId) {
      adminAccountRequired = user?.userId !== parseInt(req.params.userId)
    } else if (req.params.username) {
      adminAccountRequired = user?.username !== req.params.username
    }
    if (adminAccountRequired)
      return res.status(401).send('Admin account required')
  }
  next()
 }
--- a/api/src/model/Configuration.ts
+++ b/api/src/model/Configuration.ts
@@ -0,0 +1,45 @@
 import mongoose, { Schema } from 'mongoose'
 export interface ConfigurationType {
  /**
   * SecretOrPrivateKey to sign Access Token
   * @example "someRandomCryptoString"
   */
  ACCESS_TOKEN_SECRET: string
  /**
   * SecretOrPrivateKey to sign Refresh Token
   * @example "someRandomCryptoString"
   */
  REFRESH_TOKEN_SECRET: string
  /**
   * SecretOrPrivateKey to sign Auth Code
   * @example "someRandomCryptoString"
   */
  AUTH_CODE_SECRET: string
  /**
   * Secret used to sign the session cookie
   * @example "someRandomCryptoString"
   */
  SESSION_SECRET: string
 }
 const ConfigurationSchema = new Schema<ConfigurationType>({
  ACCESS_TOKEN_SECRET: {
    type: String,
    required: true
  },
  REFRESH_TOKEN_SECRET: {
    type: String,
    required: true
  },
  AUTH_CODE_SECRET: {
    type: String,
    required: true
  },
  SESSION_SECRET: {
    type: String,
    required: true
  }
 })
 export default mongoose.model('Configuration', ConfigurationSchema)
--- a/api/src/model/Group.ts
+++ b/api/src/model/Group.ts
@@ -1,4 +1,6 @@
 import mongoose, { Schema, model, Document, Model } from 'mongoose'
 import { GroupDetailsResponse } from '../controllers'
 import User, { IUser } from './User'
 const AutoIncrement = require('mongoose-sequence')(mongoose)
 export interface GroupPayload {
@@ -26,15 +28,17 @@ interface IGroupDocument extends GroupPayload, Document {
 }
 interface IGroup extends IGroupDocument {
-  addUser(userObjectId: Schema.Types.ObjectId): Promise<IGroup>
+  addUser(user: IUser): Promise<GroupDetailsResponse>
-  removeUser(userObjectId: Schema.Types.ObjectId): Promise<IGroup>
+  removeUser(user: IUser): Promise<GroupDetailsResponse>
  hasUser(user: IUser): boolean
 }
 interface IGroupModel extends Model<IGroup> {}
 const groupSchema = new Schema<IGroupDocument>({
  name: {
    type: String,
-    required: true
+    required: true,
    unique: true
  },
  description: {
    type: String,
@@ -46,6 +50,7 @@ const groupSchema = new Schema<IGroupDocument>({
  },
  users: [{ type: Schema.Types.ObjectId, ref: 'User' }]
 })
 groupSchema.plugin(AutoIncrement, { inc_field: 'groupId' })
 // Hooks
@@ -55,29 +60,43 @@ groupSchema.post('save', function (group: IGroup, next: Function) {
  })
 })
 // pre remove hook to remove all references of group from users
 groupSchema.pre('remove', async function () {
  const userIds = this.users
  await Promise.all(
    userIds.map(async (userId) => {
      const user = await User.findById(userId)
      user?.removeGroup(this._id)
    })
  )
 })
 // Instance Methods
-groupSchema.method(
+groupSchema.method('addUser', async function (user: IUser) {
-  'addUser',
+  const userObjectId = user._id
-  async function (userObjectId: Schema.Types.ObjectId) {
+  const userIdIndex = this.users.indexOf(userObjectId)
-    const userIdIndex = this.users.indexOf(userObjectId)
+  if (userIdIndex === -1) {
-    if (userIdIndex === -1) {
+    this.users.push(userObjectId)
-      this.users.push(userObjectId)
+    user.addGroup(this._id)
    }
    this.markModified('users')
    return this.save()
  }
-)
+  this.markModified('users')
-groupSchema.method(
+  return this.save()
-  'removeUser',
+})
-  async function (userObjectId: Schema.Types.ObjectId) {
+groupSchema.method('removeUser', async function (user: IUser) {
-    const userIdIndex = this.users.indexOf(userObjectId)
+  const userObjectId = user._id
-    if (userIdIndex > -1) {
+  const userIdIndex = this.users.indexOf(userObjectId)
-      this.users.splice(userIdIndex, 1)
+  if (userIdIndex > -1) {
-    }
+    this.users.splice(userIdIndex, 1)
-    this.markModified('users')
+    user.removeGroup(this._id)
    return this.save()
  }
-)
+  this.markModified('users')
  return this.save()
 })
 groupSchema.method('hasUser', function (user: IUser) {
  const userObjectId = user._id
  const userIdIndex = this.users.indexOf(userObjectId)
  return userIdIndex > -1
 })
 export const Group: IGroupModel = model<IGroup, IGroupModel>(
  'Group',
--- a/api/src/model/Permission.ts
+++ b/api/src/model/Permission.ts
@@ -0,0 +1,36 @@
 import mongoose, { Schema, model, Document, Model } from 'mongoose'
 const AutoIncrement = require('mongoose-sequence')(mongoose)
 interface IPermissionDocument extends Document {
  uri: string
  setting: string
  permissionId: number
  user: Schema.Types.ObjectId
  group: Schema.Types.ObjectId
 }
 interface IPermission extends IPermissionDocument {}
 interface IPermissionModel extends Model<IPermission> {}
 const permissionSchema = new Schema<IPermissionDocument>({
  uri: {
    type: String,
    required: true
  },
  setting: {
    type: String,
    required: true
  },
  user: { type: Schema.Types.ObjectId, ref: 'User' },
  group: { type: Schema.Types.ObjectId, ref: 'Group' }
 })
 permissionSchema.plugin(AutoIncrement, { inc_field: 'permissionId' })
 export const Permission: IPermissionModel = model<
  IPermission,
  IPermissionModel
 >('Permission', permissionSchema)
 export default Permission
--- a/api/src/model/User.ts
+++ b/api/src/model/User.ts
@@ -27,18 +27,27 @@ export interface UserPayload {
   * @example "true"
   */
  isActive?: boolean
  /**
   * User-specific auto-exec code
   * @example ""
   */
  autoExec?: string
 }
 interface IUserDocument extends UserPayload, Document {
  _id: Schema.Types.ObjectId
  id: number
  isAdmin: boolean
  isActive: boolean
  autoExec: string
  groups: Schema.Types.ObjectId[]
  tokens: [{ [key: string]: string }]
 }
-interface IUser extends IUserDocument {
+export interface IUser extends IUserDocument {
  comparePassword(password: string): boolean
  addGroup(groupObjectId: Schema.Types.ObjectId): Promise<IUser>
  removeGroup(groupObjectId: Schema.Types.ObjectId): Promise<IUser>
 }
 interface IUserModel extends Model<IUser> {
  hashPassword(password: string): string
@@ -66,6 +75,9 @@ const userSchema = new Schema<IUserDocument>({
    type: Boolean,
    default: true
  },
  autoExec: {
    type: String
  },
  groups: [{ type: Schema.Types.ObjectId, ref: 'Group' }],
  tokens: [
    {
@@ -97,6 +109,28 @@ userSchema.method('comparePassword', function (password: string): boolean {
  if (bcrypt.compareSync(password, this.password)) return true
  return false
 })
 userSchema.method(
  'addGroup',
  async function (groupObjectId: Schema.Types.ObjectId) {
    const groupIdIndex = this.groups.indexOf(groupObjectId)
    if (groupIdIndex === -1) {
      this.groups.push(groupObjectId)
    }
    this.markModified('groups')
    return this.save()
  }
 )
 userSchema.method(
  'removeGroup',
  async function (groupObjectId: Schema.Types.ObjectId) {
    const groupIdIndex = this.groups.indexOf(groupObjectId)
    if (groupIdIndex > -1) {
      this.groups.splice(groupIdIndex, 1)
    }
    this.markModified('groups')
    return this.save()
  }
 )
 export const User: IUserModel = model<IUser, IUserModel>('User', userSchema)
--- a/api/src/routes/api/auth.ts
+++ b/api/src/routes/api/auth.ts
@@ -26,8 +26,11 @@ authRouter.post('/token', async (req, res) => {
  }
 })
-authRouter.post('/refresh', authenticateRefreshToken, async (req: any, res) => {
+authRouter.post('/refresh', authenticateRefreshToken, async (req, res) => {
-  const userInfo: InfoJWT = req.user
+  const userInfo: InfoJWT = {
    userId: req.user!.userId!,
    clientId: req.user!.clientId!
  }
  try {
    const response = await controller.refresh(userInfo)
@@ -38,8 +41,11 @@ authRouter.post('/refresh', authenticateRefreshToken, async (req: any, res) => {
  }
 })
-authRouter.delete('/logout', authenticateAccessToken, async (req: any, res) => {
+authRouter.delete('/logout', authenticateAccessToken, async (req, res) => {
-  const userInfo: InfoJWT = req.user
+  const userInfo: InfoJWT = {
    userId: req.user!.userId!,
    clientId: req.user!.clientId!
  }
  try {
    await controller.logout(userInfo)
--- a/api/src/routes/api/code.ts
+++ b/api/src/routes/api/code.ts
@@ -1,5 +1,5 @@
 import express from 'express'
-import { runSASValidation } from '../../utils'
+import { runCodeValidation } from '../../utils'
 import { CodeController } from '../../controllers/'
 const runRouter = express.Router()
@@ -7,11 +7,11 @@ const runRouter = express.Router()
 const controller = new CodeController()
 runRouter.post('/execute', async (req, res) => {
-  const { error, value: body } = runSASValidation(req.body)
+  const { error, value: body } = runCodeValidation(req.body)
  if (error) return res.status(400).send(error.details[0].message)
  try {
-    const response = await controller.executeSASCode(req, body)
+    const response = await controller.executeCode(req, body)
    if (response instanceof Buffer) {
      res.writeHead(200, (req as any).sasHeaders)
--- a/api/src/routes/api/drive.ts
+++ b/api/src/routes/api/drive.ts
@@ -7,9 +7,12 @@ import { multerSingle } from '../../middlewares/multer'
 import { DriveController } from '../../controllers/'
 import {
  deployValidation,
  extractJSONFromZip,
  extractName,
  fileBodyValidation,
  fileParamValidation,
-  folderParamValidation
+  folderParamValidation,
  isZipFile
 } from '../../utils'
 const controller = new DriveController()
@@ -49,7 +52,24 @@ driveRouter.post(
  async (req, res) => {
    if (!req.file) return res.status(400).send('"file" is not present.')
-    const fileContent = await readFile(req.file.path)
+    let fileContent: string = ''
    const { value: zipFile } = isZipFile(req.file)
    if (zipFile) {
      fileContent = await extractJSONFromZip(zipFile)
      const fileInZip = extractName(zipFile.originalname)
      if (!fileContent) {
        deleteFile(req.file.path)
        return res
          .status(400)
          .send(
            `No content present in ${fileInZip} of compressed file ${zipFile.originalname}`
          )
      }
    } else {
      fileContent = await readFile(req.file.path)
    }
    let jsonContent
    try {
--- a/api/src/routes/api/group.ts
+++ b/api/src/routes/api/group.ts
@@ -1,7 +1,7 @@
 import express from 'express'
 import { GroupController } from '../../controllers/'
 import { authenticateAccessToken, verifyAdmin } from '../../middlewares'
-import { registerGroupValidation } from '../../utils'
+import { getGroupValidation, registerGroupValidation } from '../../utils'
 const groupRouter = express.Router()
@@ -18,7 +18,11 @@ groupRouter.post(
      const response = await controller.createGroup(body)
      res.send(response)
    } catch (err: any) {
-      res.status(403).send(err.toString())
+      const statusCode = err.code
      delete err.code
      res.status(statusCode).send(err.message)
    }
  }
 )
@@ -29,35 +33,73 @@ groupRouter.get('/', authenticateAccessToken, async (req, res) => {
    const response = await controller.getAllGroups()
    res.send(response)
  } catch (err: any) {
-    res.status(403).send(err.toString())
+    const statusCode = err.code
    delete err.code
    res.status(statusCode).send(err.message)
  }
 })
-groupRouter.get('/:groupId', authenticateAccessToken, async (req: any, res) => {
+groupRouter.get('/:groupId', authenticateAccessToken, async (req, res) => {
  const { groupId } = req.params
  const controller = new GroupController()
  try {
-    const response = await controller.getGroup(groupId)
+    const response = await controller.getGroup(parseInt(groupId))
    res.send(response)
  } catch (err: any) {
-    res.status(403).send(err.toString())
+    const statusCode = err.code
    delete err.code
    res.status(statusCode).send(err.message)
  }
 })
 groupRouter.get(
  '/by/groupname/:name',
  authenticateAccessToken,
  async (req, res) => {
    const { error, value: params } = getGroupValidation(req.params)
    if (error) return res.status(400).send(error.details[0].message)
    const { name } = params
    const controller = new GroupController()
    try {
      const response = await controller.getGroupByGroupName(name)
      res.send(response)
    } catch (err: any) {
      const statusCode = err.code
      delete err.code
      res.status(statusCode).send(err.message)
    }
  }
 )
 groupRouter.post(
  '/:groupId/:userId',
  authenticateAccessToken,
  verifyAdmin,
-  async (req: any, res) => {
+  async (req, res) => {
    const { groupId, userId } = req.params
    const controller = new GroupController()
    try {
-      const response = await controller.addUserToGroup(groupId, userId)
+      const response = await controller.addUserToGroup(
        parseInt(groupId),
        parseInt(userId)
      )
      res.send(response)
    } catch (err: any) {
-      res.status(403).send(err.toString())
+      const statusCode = err.code
      delete err.code
      res.status(statusCode).send(err.message)
    }
  }
 )
@@ -66,15 +108,22 @@ groupRouter.delete(
  '/:groupId/:userId',
  authenticateAccessToken,
  verifyAdmin,
-  async (req: any, res) => {
+  async (req, res) => {
    const { groupId, userId } = req.params
    const controller = new GroupController()
    try {
-      const response = await controller.removeUserFromGroup(groupId, userId)
+      const response = await controller.removeUserFromGroup(
        parseInt(groupId),
        parseInt(userId)
      )
      res.send(response)
    } catch (err: any) {
-      res.status(403).send(err.toString())
+      const statusCode = err.code
      delete err.code
      res.status(statusCode).send(err.message)
    }
  }
 )
@@ -83,15 +132,19 @@ groupRouter.delete(
  '/:groupId',
  authenticateAccessToken,
  verifyAdmin,
-  async (req: any, res) => {
+  async (req, res) => {
    const { groupId } = req.params
    const controller = new GroupController()
    try {
-      await controller.deleteGroup(groupId)
+      await controller.deleteGroup(parseInt(groupId))
      res.status(200).send('Group Deleted!')
    } catch (err: any) {
-      res.status(403).send(err.toString())
+      const statusCode = err.code
      delete err.code
      res.status(statusCode).send(err.message)
    }
  }
 )
--- a/api/src/routes/api/index.ts
+++ b/api/src/routes/api/index.ts
@@ -5,7 +5,6 @@ import swaggerUi from 'swagger-ui-express'
 import {
  authenticateAccessToken,
  desktopRestrict,
  desktopUsername,
  verifyAdmin
 } from '../../middlewares'
@@ -18,11 +17,12 @@ import groupRouter from './group'
 import clientRouter from './client'
 import authRouter from './auth'
 import sessionRouter from './session'
 import permissionRouter from './permission'
 const router = express.Router()
 router.use('/info', infoRouter)
-router.use('/session', desktopUsername, authenticateAccessToken, sessionRouter)
+router.use('/session', authenticateAccessToken, sessionRouter)
 router.use('/auth', desktopRestrict, authRouter)
 router.use(
  '/client',
@@ -36,6 +36,12 @@ router.use('/group', desktopRestrict, groupRouter)
 router.use('/stp', authenticateAccessToken, stpRouter)
 router.use('/code', authenticateAccessToken, codeRouter)
 router.use('/user', desktopRestrict, userRouter)
 router.use(
  '/permission',
  desktopRestrict,
  authenticateAccessToken,
  permissionRouter
 )
 router.use(
  '/',
--- a/api/src/routes/api/info.ts
+++ b/api/src/routes/api/info.ts
@@ -13,4 +13,14 @@ infoRouter.get('/', async (req, res) => {
  }
 })
 infoRouter.get('/authorizedRoutes', async (req, res) => {
  const controller = new InfoController()
  try {
    const response = controller.authorizedRoutes()
    res.send(response)
  } catch (err: any) {
    res.status(403).send(err.toString())
  }
 })
 export default infoRouter
--- a/api/src/routes/api/permission.ts
+++ b/api/src/routes/api/permission.ts
@@ -0,0 +1,69 @@
 import express from 'express'
 import { PermissionController } from '../../controllers/'
 import { verifyAdmin } from '../../middlewares'
 import {
  registerPermissionValidation,
  updatePermissionValidation
 } from '../../utils'
 const permissionRouter = express.Router()
 const controller = new PermissionController()
 permissionRouter.get('/', async (req, res) => {
  try {
    const response = await controller.getAllPermissions()
    res.send(response)
  } catch (err: any) {
    const statusCode = err.code
    delete err.code
    res.status(statusCode).send(err.message)
  }
 })
 permissionRouter.post('/', verifyAdmin, async (req, res) => {
  const { error, value: body } = registerPermissionValidation(req.body)
  if (error) return res.status(400).send(error.details[0].message)
  try {
    const response = await controller.createPermission(body)
    res.send(response)
  } catch (err: any) {
    const statusCode = err.code
    delete err.code
    res.status(statusCode).send(err.message)
  }
 })
 permissionRouter.patch('/:permissionId', verifyAdmin, async (req: any, res) => {
  const { permissionId } = req.params
  const { error, value: body } = updatePermissionValidation(req.body)
  if (error) return res.status(400).send(error.details[0].message)
  try {
    const response = await controller.updatePermission(permissionId, body)
    res.send(response)
  } catch (err: any) {
    const statusCode = err.code
    delete err.code
    res.status(statusCode).send(err.message)
  }
 })
 permissionRouter.delete(
  '/:permissionId',
  verifyAdmin,
  async (req: any, res) => {
    const { permissionId } = req.params
    try {
      await controller.deletePermission(permissionId)
      res.status(200).send('Permission Deleted!')
    } catch (err: any) {
      const statusCode = err.code
      delete err.code
      res.status(statusCode).send(err.message)
    }
  }
 )
 export default permissionRouter
--- a/api/src/routes/api/spec/drive.spec.ts
+++ b/api/src/routes/api/spec/drive.spec.ts
@@ -3,6 +3,7 @@ import { Express } from 'express'
 import mongoose, { Mongoose } from 'mongoose'
 import { MongoMemoryServer } from 'mongodb-memory-server'
 import request from 'supertest'
 import AdmZip from 'adm-zip'
 import {
  folderExists,
@@ -21,17 +22,22 @@ import * as fileUtilModules from '../../../utils/file'
 const timestamp = generateTimestamp()
 const tmpFolder = path.join(process.cwd(), `tmp-${timestamp}`)
 jest
-  .spyOn(fileUtilModules, 'getTmpFolderPath')
+  .spyOn(fileUtilModules, 'getSasjsRootFolder')
  .mockImplementation(() => tmpFolder)
 jest
-  .spyOn(fileUtilModules, 'getTmpUploadsPath')
+  .spyOn(fileUtilModules, 'getUploadsFolder')
  .mockImplementation(() => path.join(tmpFolder, 'uploads'))
 import appPromise from '../../../app'
-import { UserController } from '../../../controllers/'
+import {
  UserController,
  PermissionController,
  PermissionSetting,
  PrincipalType
 } from '../../../controllers/'
 import { getTreeExample } from '../../../controllers/internal'
 import { generateAccessToken, saveTokensInDB } from '../../../utils/'
-const { getTmpFilesFolderPath } = fileUtilModules
+const { getFilesFolder } = fileUtilModules
 const clientId = 'someclientID'
 const user = {
@@ -47,6 +53,7 @@ describe('drive', () => {
  let con: Mongoose
  let mongoServer: MongoMemoryServer
  const controller = new UserController()
  const permissionController = new PermissionController()
  let accessToken: string
@@ -57,11 +64,31 @@ describe('drive', () => {
    con = await mongoose.connect(mongoServer.getUri())
    const dbUser = await controller.createUser(user)
-    accessToken = generateAccessToken({
+    accessToken = await generateAndSaveToken(dbUser.id)
-      clientId,
+    await permissionController.createPermission({
-      userId: dbUser.id
+      uri: '/SASjsApi/drive/deploy',
      principalType: PrincipalType.user,
      principalId: dbUser.id,
      setting: PermissionSetting.grant
    })
    await permissionController.createPermission({
      uri: '/SASjsApi/drive/deploy/upload',
      principalType: PrincipalType.user,
      principalId: dbUser.id,
      setting: PermissionSetting.grant
    })
    await permissionController.createPermission({
      uri: '/SASjsApi/drive/file',
      principalType: PrincipalType.user,
      principalId: dbUser.id,
      setting: PermissionSetting.grant
    })
    await permissionController.createPermission({
      uri: '/SASjsApi/drive/folder',
      principalType: PrincipalType.user,
      principalId: dbUser.id,
      setting: PermissionSetting.grant
    })
    await saveTokensInDB(dbUser.id, clientId, accessToken, 'refreshToken')
  })
  afterAll(async () => {
@@ -72,11 +99,52 @@ describe('drive', () => {
  })
  describe('deploy', () => {
-    const shouldFailAssertion = async (payload: any) => {
+    const makeRequest = async (payload: any, type: string = 'payload') => {
-      const res = await request(app)
+      const requestUrl =
-        .post('/SASjsApi/drive/deploy')
+        type === 'payload'
-        .auth(accessToken, { type: 'bearer' })
+          ? '/SASjsApi/drive/deploy'
-        .send({ appLoc: '/Public', fileTree: payload })
+          : '/SASjsApi/drive/deploy/upload'
      if (type === 'payload') {
        return await request(app)
          .post(requestUrl)
          .auth(accessToken, { type: 'bearer' })
          .send({ appLoc: '/Public', fileTree: payload })
      }
      if (type === 'file') {
        const deployContents = JSON.stringify({
          appLoc: '/Public',
          fileTree: payload
        })
        return await request(app)
          .post(requestUrl)
          .auth(accessToken, { type: 'bearer' })
          .attach('file', Buffer.from(deployContents), 'deploy.json')
      } else {
        const deployContents = JSON.stringify({
          appLoc: '/Public',
          fileTree: payload
        })
        const zip = new AdmZip()
        // add file directly
        zip.addFile(
          'deploy.json',
          Buffer.from(deployContents, 'utf8'),
          'entry comment goes here'
        )
        return await request(app)
          .post(requestUrl)
          .auth(accessToken, { type: 'bearer' })
          .attach('file', zip.toBuffer(), 'deploy.json.zip')
      }
    }
    const shouldFailAssertion = async (
      payload: any,
      type: string = 'payload'
    ) => {
      const res = await makeRequest(payload, type)
      expect(res.statusCode).toEqual(400)
@@ -157,10 +225,10 @@ describe('drive', () => {
      expect(res.text).toEqual(
        '{"status":"success","message":"Files deployed successfully to @sasjs/server."}'
      )
-      await expect(folderExists(getTmpFilesFolderPath())).resolves.toEqual(true)
+      await expect(folderExists(getFilesFolder())).resolves.toEqual(true)
      const testJobFolder = path.join(
-        getTmpFilesFolderPath(),
+        getFilesFolder(),
        'public',
        'jobs',
        'extract'
@@ -174,7 +242,241 @@ describe('drive', () => {
      await expect(readFile(testJobFile)).resolves.toEqual(exampleService.code)
-      await deleteFolder(path.join(getTmpFilesFolderPath(), 'public'))
+      await deleteFolder(path.join(getFilesFolder(), 'public'))
    })
    describe('upload', () => {
      it('should respond with payload example if valid JSON file was not provided', async () => {
        await shouldFailAssertion(null, 'file')
        await shouldFailAssertion(undefined, 'file')
        await shouldFailAssertion('data', 'file')
        await shouldFailAssertion({}, 'file')
        await shouldFailAssertion(
          {
            userId: 1,
            title: 'test is cool'
          },
          'file'
        )
        await shouldFailAssertion(
          {
            membersWRONG: []
          },
          'file'
        )
        await shouldFailAssertion(
          {
            members: {}
          },
          'file'
        )
        await shouldFailAssertion(
          {
            members: [
              {
                nameWRONG: 'jobs',
                type: 'folder',
                members: []
              }
            ]
          },
          'file'
        )
        await shouldFailAssertion(
          {
            members: [
              {
                name: 'jobs',
                type: 'WRONG',
                members: []
              }
            ]
          },
          'file'
        )
        await shouldFailAssertion(
          {
            members: [
              {
                name: 'jobs',
                type: 'folder',
                members: [
                  {
                    name: 'extract',
                    type: 'folder',
                    members: [
                      {
                        name: 'makedata1',
                        type: 'service',
                        codeWRONG: '%put Hello World!;'
                      }
                    ]
                  }
                ]
              }
            ]
          },
          'file'
        )
      })
      it('should successfully deploy if valid JSON file was provided', async () => {
        const deployContents = JSON.stringify({
          appLoc: '/public',
          fileTree: getTreeExample()
        })
        const res = await request(app)
          .post('/SASjsApi/drive/deploy/upload')
          .auth(accessToken, { type: 'bearer' })
          .attach('file', Buffer.from(deployContents), 'deploy.json')
        expect(res.statusCode).toEqual(200)
        expect(res.text).toEqual(
          '{"status":"success","message":"Files deployed successfully to @sasjs/server."}'
        )
        await expect(folderExists(getFilesFolder())).resolves.toEqual(true)
        const testJobFolder = path.join(
          getFilesFolder(),
          'public',
          'jobs',
          'extract'
        )
        await expect(folderExists(testJobFolder)).resolves.toEqual(true)
        const exampleService = getExampleService()
        const testJobFile =
          path.join(testJobFolder, exampleService.name) + '.sas'
        await expect(fileExists(testJobFile)).resolves.toEqual(true)
        await expect(readFile(testJobFile)).resolves.toEqual(
          exampleService.code
        )
        await deleteFolder(path.join(getFilesFolder(), 'public'))
      })
    })
    describe('upload - zipped', () => {
      it('should respond with payload example if valid Zipped file was not provided', async () => {
        await shouldFailAssertion(null, 'zip')
        await shouldFailAssertion(undefined, 'zip')
        await shouldFailAssertion('data', 'zip')
        await shouldFailAssertion({}, 'zip')
        await shouldFailAssertion(
          {
            userId: 1,
            title: 'test is cool'
          },
          'zip'
        )
        await shouldFailAssertion(
          {
            membersWRONG: []
          },
          'zip'
        )
        await shouldFailAssertion(
          {
            members: {}
          },
          'zip'
        )
        await shouldFailAssertion(
          {
            members: [
              {
                nameWRONG: 'jobs',
                type: 'folder',
                members: []
              }
            ]
          },
          'zip'
        )
        await shouldFailAssertion(
          {
            members: [
              {
                name: 'jobs',
                type: 'WRONG',
                members: []
              }
            ]
          },
          'zip'
        )
        await shouldFailAssertion(
          {
            members: [
              {
                name: 'jobs',
                type: 'folder',
                members: [
                  {
                    name: 'extract',
                    type: 'folder',
                    members: [
                      {
                        name: 'makedata1',
                        type: 'service',
                        codeWRONG: '%put Hello World!;'
                      }
                    ]
                  }
                ]
              }
            ]
          },
          'zip'
        )
      })
      it('should successfully deploy if valid Zipped file was provided', async () => {
        const deployContents = JSON.stringify({
          appLoc: '/public',
          fileTree: getTreeExample()
        })
        const zip = new AdmZip()
        // add file directly
        zip.addFile(
          'deploy.json',
          Buffer.from(deployContents, 'utf8'),
          'entry comment goes here'
        )
        const res = await request(app)
          .post('/SASjsApi/drive/deploy/upload')
          .auth(accessToken, { type: 'bearer' })
          .attach('file', zip.toBuffer(), 'deploy.json.zip')
        expect(res.statusCode).toEqual(200)
        expect(res.text).toEqual(
          '{"status":"success","message":"Files deployed successfully to @sasjs/server."}'
        )
        await expect(folderExists(getFilesFolder())).resolves.toEqual(true)
        const testJobFolder = path.join(
          getFilesFolder(),
          'public',
          'jobs',
          'extract'
        )
        await expect(folderExists(testJobFolder)).resolves.toEqual(true)
        const exampleService = getExampleService()
        const testJobFile =
          path.join(testJobFolder, exampleService.name) + '.sas'
        await expect(fileExists(testJobFile)).resolves.toEqual(true)
        await expect(readFile(testJobFile)).resolves.toEqual(
          exampleService.code
        )
        await deleteFolder(path.join(getFilesFolder(), 'public'))
      })
    })
  })
@@ -192,7 +494,7 @@ describe('drive', () => {
      })
      it('should get a SAS folder on drive having _folderPath as query param', async () => {
-        const pathToDrive = fileUtilModules.getTmpFilesFolderPath()
+        const pathToDrive = fileUtilModules.getFilesFolder()
        const dirLevel1 = 'level1'
        const dirLevel2 = 'level2'
@@ -267,10 +569,7 @@ describe('drive', () => {
        const fileToCopyPath = path.join(__dirname, 'files', 'sample.sas')
        const filePath = '/my/path/code.sas'
-        const pathToCopy = path.join(
+        const pathToCopy = path.join(fileUtilModules.getFilesFolder(), filePath)
          fileUtilModules.getTmpFilesFolderPath(),
          filePath
        )
        await copy(fileToCopyPath, pathToCopy)
        const res = await request(app)
@@ -333,7 +632,7 @@ describe('drive', () => {
        const pathToUpload = `/my/path/code-${generateTimestamp()}.sas`
        const pathToCopy = path.join(
-          fileUtilModules.getTmpFilesFolderPath(),
+          fileUtilModules.getFilesFolder(),
          pathToUpload
        )
        await copy(fileToAttachPath, pathToCopy)
@@ -445,7 +744,7 @@ describe('drive', () => {
        const pathToUpload = '/my/path/code.sas'
        const pathToCopy = path.join(
-          fileUtilModules.getTmpFilesFolderPath(),
+          fileUtilModules.getFilesFolder(),
          pathToUpload
        )
        await copy(fileToAttachPath, pathToCopy)
@@ -467,7 +766,7 @@ describe('drive', () => {
        const pathToUpload = '/my/path/code.sas'
        const pathToCopy = path.join(
-          fileUtilModules.getTmpFilesFolderPath(),
+          fileUtilModules.getFilesFolder(),
          pathToUpload
        )
        await copy(fileToAttachPath, pathToCopy)
@@ -603,10 +902,7 @@ describe('drive', () => {
        const fileToCopyContent = await readFile(fileToCopyPath)
        const filePath = '/my/path/code.sas'
-        const pathToCopy = path.join(
+        const pathToCopy = path.join(fileUtilModules.getFilesFolder(), filePath)
          fileUtilModules.getTmpFilesFolderPath(),
          filePath
        )
        await copy(fileToCopyPath, pathToCopy)
        const res = await request(app)
@@ -675,3 +971,12 @@ describe('drive', () => {
 const getExampleService = (): ServiceMember =>
  ((getTreeExample().members[0] as FolderMember).members[0] as FolderMember)
    .members[0] as ServiceMember
 const generateAndSaveToken = async (userId: number) => {
  const adminAccessToken = generateAccessToken({
    clientId,
    userId
  })
  await saveTokensInDB(userId, clientId, adminAccessToken, 'refreshToken')
  return adminAccessToken
 }
--- a/api/src/routes/api/spec/group.spec.ts
+++ b/api/src/routes/api/spec/group.spec.ts
@@ -23,7 +23,7 @@ const user = {
 }
 const group = {
-  name: 'DCGroup1',
+  name: 'dcgroup1',
  description: 'DC group for testing purposes.'
 }
@@ -70,6 +70,32 @@ describe('group', () => {
      expect(res.body.users).toEqual([])
    })
    it('should respond with Conflict when group already exists with same name', async () => {
      await groupController.createGroup(group)
      const res = await request(app)
        .post('/SASjsApi/group')
        .auth(adminAccessToken, { type: 'bearer' })
        .send(group)
        .expect(409)
      expect(res.text).toEqual('Group name already exists.')
      expect(res.body).toEqual({})
    })
    it('should respond with Bad Request when group name does not match the group name schema', async () => {
      const res = await request(app)
        .post('/SASjsApi/group')
        .auth(adminAccessToken, { type: 'bearer' })
        .send({ ...group, name: 'Wrong Group Name' })
        .expect(400)
      expect(res.text).toEqual(
        '"name" must only contain alpha-numeric characters'
      )
      expect(res.body).toEqual({})
    })
    it('should respond with Unauthorized if access token is not present', async () => {
      const res = await request(app).post('/SASjsApi/group').send().expect(401)
@@ -125,14 +151,51 @@ describe('group', () => {
      expect(res.body).toEqual({})
    })
-    it('should respond with Forbidden if groupId is incorrect', async () => {
+    it(`should delete group's reference from users' groups array`, async () => {
      const dbGroup = await groupController.createGroup(group)
      const dbUser1 = await userController.createUser({
        ...user,
        username: 'deletegroup1'
      })
      const dbUser2 = await userController.createUser({
        ...user,
        username: 'deletegroup2'
      })
      await groupController.addUserToGroup(dbGroup.groupId, dbUser1.id)
      await groupController.addUserToGroup(dbGroup.groupId, dbUser2.id)
      await request(app)
        .delete(`/SASjsApi/group/${dbGroup.groupId}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(200)
      const res1 = await request(app)
        .get(`/SASjsApi/user/${dbUser1.id}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(200)
      expect(res1.body.groups).toEqual([])
      const res2 = await request(app)
        .get(`/SASjsApi/user/${dbUser2.id}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(200)
      expect(res2.body.groups).toEqual([])
    })
    it('should respond with Not Found if groupId is incorrect', async () => {
      const res = await request(app)
        .delete(`/SASjsApi/group/1234`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
-        .expect(403)
+        .expect(404)
-      expect(res.text).toEqual('Error: No Group deleted!')
+      expect(res.text).toEqual('Group not found.')
      expect(res.body).toEqual({})
    })
@@ -216,16 +279,76 @@ describe('group', () => {
      expect(res.body).toEqual({})
    })
-    it('should respond with Forbidden if groupId is incorrect', async () => {
+    it('should respond with Not Found if groupId is incorrect', async () => {
      const res = await request(app)
        .get('/SASjsApi/group/1234')
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
-        .expect(403)
+        .expect(404)
-      expect(res.text).toEqual('Error: Group not found.')
+      expect(res.text).toEqual('Group not found.')
      expect(res.body).toEqual({})
    })
    describe('by group name', () => {
      it('should respond with group', async () => {
        const { name } = await groupController.createGroup(group)
        const res = await request(app)
          .get(`/SASjsApi/group/by/groupname/${name}`)
          .auth(adminAccessToken, { type: 'bearer' })
          .send()
          .expect(200)
        expect(res.body.groupId).toBeTruthy()
        expect(res.body.name).toEqual(group.name)
        expect(res.body.description).toEqual(group.description)
        expect(res.body.isActive).toEqual(true)
        expect(res.body.users).toEqual([])
      })
      it('should respond with group when access token is not of an admin account', async () => {
        const accessToken = await generateSaveTokenAndCreateUser({
          ...user,
          username: 'getbyname' + user.username
        })
        const { name } = await groupController.createGroup(group)
        const res = await request(app)
          .get(`/SASjsApi/group/by/groupname/${name}`)
          .auth(accessToken, { type: 'bearer' })
          .send()
          .expect(200)
        expect(res.body.groupId).toBeTruthy()
        expect(res.body.name).toEqual(group.name)
        expect(res.body.description).toEqual(group.description)
        expect(res.body.isActive).toEqual(true)
        expect(res.body.users).toEqual([])
      })
      it('should respond with Unauthorized if access token is not present', async () => {
        const res = await request(app)
          .get('/SASjsApi/group/by/groupname/dcgroup')
          .send()
          .expect(401)
        expect(res.text).toEqual('Unauthorized')
        expect(res.body).toEqual({})
      })
      it('should respond with Not Found if groupname is incorrect', async () => {
        const res = await request(app)
          .get('/SASjsApi/group/by/groupname/randomCharacters')
          .auth(adminAccessToken, { type: 'bearer' })
          .send()
          .expect(404)
        expect(res.text).toEqual('Group not found.')
        expect(res.body).toEqual({})
      })
    })
  })
  describe('getAll', () => {
@@ -245,8 +368,8 @@ describe('group', () => {
      expect(res.body).toEqual([
        {
          groupId: expect.anything(),
-          name: 'DCGroup1',
+          name: group.name,
-          description: 'DC group for testing purposes.'
+          description: group.description
        }
      ])
    })
@@ -267,8 +390,8 @@ describe('group', () => {
      expect(res.body).toEqual([
        {
          groupId: expect.anything(),
-          name: 'DCGroup1',
+          name: group.name,
-          description: 'DC group for testing purposes.'
+          description: group.description
        }
      ])
    })
@@ -309,6 +432,34 @@ describe('group', () => {
      ])
    })
    it(`should add group to user's groups array`, async () => {
      const dbGroup = await groupController.createGroup(group)
      const dbUser = await userController.createUser({
        ...user,
        username: 'addUserToGroup'
      })
      await request(app)
        .post(`/SASjsApi/group/${dbGroup.groupId}/${dbUser.id}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(200)
      const res = await request(app)
        .get(`/SASjsApi/user/${dbUser.id}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(200)
      expect(res.body.groups).toEqual([
        {
          groupId: expect.anything(),
          name: group.name,
          description: group.description
        }
      ])
    })
    it('should respond with group without duplicating user', async () => {
      const dbGroup = await groupController.createGroup(group)
      const dbUser = await userController.createUser({
@@ -362,26 +513,26 @@ describe('group', () => {
      expect(res.body).toEqual({})
    })
-    it('should respond with Forbidden if groupId is incorrect', async () => {
+    it('should respond with Not Found if groupId is incorrect', async () => {
      const res = await request(app)
        .post('/SASjsApi/group/123/123')
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
-        .expect(403)
+        .expect(404)
-      expect(res.text).toEqual('Error: Group not found.')
+      expect(res.text).toEqual('Group not found.')
      expect(res.body).toEqual({})
    })
-    it('should respond with Forbidden if userId is incorrect', async () => {
+    it('should respond with Not Found if userId is incorrect', async () => {
      const dbGroup = await groupController.createGroup(group)
      const res = await request(app)
        .post(`/SASjsApi/group/${dbGroup.groupId}/123`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
-        .expect(403)
+        .expect(404)
-      expect(res.text).toEqual('Error: User not found.')
+      expect(res.text).toEqual('User not found.')
      expect(res.body).toEqual({})
    })
  })
@@ -412,6 +563,29 @@ describe('group', () => {
      expect(res.body.users).toEqual([])
    })
    it(`should remove group from user's groups array`, async () => {
      const dbGroup = await groupController.createGroup(group)
      const dbUser = await userController.createUser({
        ...user,
        username: 'removeGroupFromUser'
      })
      await groupController.addUserToGroup(dbGroup.groupId, dbUser.id)
      await request(app)
        .delete(`/SASjsApi/group/${dbGroup.groupId}/${dbUser.id}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(200)
      const res = await request(app)
        .get(`/SASjsApi/user/${dbUser.id}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(200)
      expect(res.body.groups).toEqual([])
    })
    it('should respond with Unauthorized if access token is not present', async () => {
      const res = await request(app)
        .delete('/SASjsApi/group/123/123')
@@ -438,26 +612,26 @@ describe('group', () => {
      expect(res.body).toEqual({})
    })
-    it('should respond with Forbidden if groupId is incorrect', async () => {
+    it('should respond with Not Found if groupId is incorrect', async () => {
      const res = await request(app)
        .delete('/SASjsApi/group/123/123')
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
-        .expect(403)
+        .expect(404)
-      expect(res.text).toEqual('Error: Group not found.')
+      expect(res.text).toEqual('Group not found.')
      expect(res.body).toEqual({})
    })
-    it('should respond with Forbidden if userId is incorrect', async () => {
+    it('should respond with Not Found if userId is incorrect', async () => {
      const dbGroup = await groupController.createGroup(group)
      const res = await request(app)
        .delete(`/SASjsApi/group/${dbGroup.groupId}/123`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
-        .expect(403)
+        .expect(404)
-      expect(res.text).toEqual('Error: User not found.')
+      expect(res.text).toEqual('User not found.')
      expect(res.body).toEqual({})
    })
  })
--- a/api/src/routes/api/spec/permission.spec.ts
+++ b/api/src/routes/api/spec/permission.spec.ts
@@ -0,0 +1,571 @@
 import { Express } from 'express'
 import mongoose, { Mongoose } from 'mongoose'
 import { MongoMemoryServer } from 'mongodb-memory-server'
 import request from 'supertest'
 import appPromise from '../../../app'
 import {
  DriveController,
  UserController,
  GroupController,
  ClientController,
  PermissionController,
  PrincipalType,
  PermissionSetting
 } from '../../../controllers/'
 import {
  UserDetailsResponse,
  PermissionDetailsResponse
 } from '../../../controllers'
 import { generateAccessToken, saveTokensInDB } from '../../../utils'
 const deployPayload = {
  appLoc: 'string',
  streamWebFolder: 'string',
  fileTree: {
    members: [
      {
        name: 'string',
        type: 'folder',
        members: [
          'string',
          {
            name: 'string',
            type: 'service',
            code: 'string'
          }
        ]
      }
    ]
  }
 }
 const clientId = 'someclientID'
 const adminUser = {
  displayName: 'Test Admin',
  username: 'testAdminUsername',
  password: '12345678',
  isAdmin: true,
  isActive: true
 }
 const user = {
  displayName: 'Test User',
  username: 'testUsername',
  password: '87654321',
  isAdmin: false,
  isActive: true
 }
 const permission = {
  uri: '/SASjsApi/code/execute',
  setting: PermissionSetting.grant,
  principalType: PrincipalType.user,
  principalId: 123
 }
 const group = {
  name: 'DCGroup1',
  description: 'DC group for testing purposes.'
 }
 const userController = new UserController()
 const groupController = new GroupController()
 const clientController = new ClientController()
 const permissionController = new PermissionController()
 describe('permission', () => {
  let app: Express
  let con: Mongoose
  let mongoServer: MongoMemoryServer
  let adminAccessToken: string
  let dbUser: UserDetailsResponse
  beforeAll(async () => {
    app = await appPromise
    mongoServer = await MongoMemoryServer.create()
    con = await mongoose.connect(mongoServer.getUri())
    adminAccessToken = await generateSaveTokenAndCreateUser()
    dbUser = await userController.createUser(user)
  })
  afterAll(async () => {
    await con.connection.dropDatabase()
    await con.connection.close()
    await mongoServer.stop()
  })
  describe('create', () => {
    afterEach(async () => {
      await deleteAllPermissions()
    })
    it('should respond with new permission when principalType is user', async () => {
      const res = await request(app)
        .post('/SASjsApi/permission')
        .auth(adminAccessToken, { type: 'bearer' })
        .send({ ...permission, principalId: dbUser.id })
        .expect(200)
      expect(res.body.permissionId).toBeTruthy()
      expect(res.body.uri).toEqual(permission.uri)
      expect(res.body.setting).toEqual(permission.setting)
      expect(res.body.user).toBeTruthy()
    })
    it('should respond with new permission when principalType is group', async () => {
      const dbGroup = await groupController.createGroup(group)
      const res = await request(app)
        .post('/SASjsApi/permission')
        .auth(adminAccessToken, { type: 'bearer' })
        .send({
          ...permission,
          principalType: 'group',
          principalId: dbGroup.groupId
        })
        .expect(200)
      expect(res.body.permissionId).toBeTruthy()
      expect(res.body.uri).toEqual(permission.uri)
      expect(res.body.setting).toEqual(permission.setting)
      expect(res.body.group).toBeTruthy()
    })
    it('should respond with Unauthorized if access token is not present', async () => {
      const res = await request(app)
        .post('/SASjsApi/permission')
        .send(permission)
        .expect(401)
      expect(res.text).toEqual('Unauthorized')
      expect(res.body).toEqual({})
    })
    it('should respond with Unauthorized if access token is not of an admin account even if user has permission', async () => {
      const accessToken = await generateAndSaveToken(dbUser.id)
      await permissionController.createPermission({
        uri: '/SASjsApi/permission',
        principalType: PrincipalType.user,
        principalId: dbUser.id,
        setting: PermissionSetting.grant
      })
      const res = await request(app)
        .post('/SASjsApi/permission')
        .auth(accessToken, { type: 'bearer' })
        .send()
        .expect(401)
      expect(res.text).toEqual('Admin account required')
      expect(res.body).toEqual({})
    })
    it('should respond with Bad Request if uri is missing', async () => {
      const res = await request(app)
        .post('/SASjsApi/permission')
        .auth(adminAccessToken, { type: 'bearer' })
        .send({
          ...permission,
          uri: undefined
        })
        .expect(400)
      expect(res.text).toEqual(`"uri" is required`)
      expect(res.body).toEqual({})
    })
    it('should respond with Bad Request if uri is not valid', async () => {
      const res = await request(app)
        .post('/SASjsApi/permission')
        .auth(adminAccessToken, { type: 'bearer' })
        .send({
          ...permission,
          uri: '/some/random/api/endpoint'
        })
        .expect(400)
      expect(res.body).toEqual({})
    })
    it('should respond with Bad Request if setting is missing', async () => {
      const res = await request(app)
        .post('/SASjsApi/permission')
        .auth(adminAccessToken, { type: 'bearer' })
        .send({
          ...permission,
          setting: undefined
        })
        .expect(400)
      expect(res.text).toEqual(`"setting" is required`)
      expect(res.body).toEqual({})
    })
    it('should respond with Bad Request if principalType is missing', async () => {
      const res = await request(app)
        .post('/SASjsApi/permission')
        .auth(adminAccessToken, { type: 'bearer' })
        .send({
          ...permission,
          principalType: undefined
        })
        .expect(400)
      expect(res.text).toEqual(`"principalType" is required`)
      expect(res.body).toEqual({})
    })
    it('should respond with Bad Request if principalId is missing', async () => {
      const res = await request(app)
        .post('/SASjsApi/permission')
        .auth(adminAccessToken, { type: 'bearer' })
        .send({
          ...permission,
          principalId: undefined
        })
        .expect(400)
      expect(res.text).toEqual(`"principalId" is required`)
      expect(res.body).toEqual({})
    })
    it('should respond with Bad Request if principal type is not valid', async () => {
      const res = await request(app)
        .post('/SASjsApi/permission')
        .auth(adminAccessToken, { type: 'bearer' })
        .send({
          ...permission,
          principalType: 'invalid'
        })
        .expect(400)
      expect(res.text).toEqual('"principalType" must be one of [user, group]')
      expect(res.body).toEqual({})
    })
    it('should respond with Bad Request if setting is not valid', async () => {
      const res = await request(app)
        .post('/SASjsApi/permission')
        .auth(adminAccessToken, { type: 'bearer' })
        .send({
          ...permission,
          setting: 'invalid'
        })
        .expect(400)
      expect(res.text).toEqual('"setting" must be one of [Grant, Deny]')
      expect(res.body).toEqual({})
    })
    it('should respond with Bad Request if principalId is not a number', async () => {
      const res = await request(app)
        .post('/SASjsApi/permission')
        .auth(adminAccessToken, { type: 'bearer' })
        .send({
          ...permission,
          principalId: 'someCharacters'
        })
        .expect(400)
      expect(res.text).toEqual('"principalId" must be a number')
      expect(res.body).toEqual({})
    })
    it('should respond with Bad Request if adding permission for admin user', async () => {
      const adminUser = await userController.createUser({
        ...user,
        username: 'adminUser',
        isAdmin: true
      })
      const res = await request(app)
        .post('/SASjsApi/permission')
        .auth(adminAccessToken, { type: 'bearer' })
        .send({
          ...permission,
          principalId: adminUser.id
        })
        .expect(400)
      expect(res.text).toEqual('Can not add permission for admin user.')
      expect(res.body).toEqual({})
    })
    it('should respond with Not Found (404) if user is not found', async () => {
      const res = await request(app)
        .post('/SASjsApi/permission')
        .auth(adminAccessToken, { type: 'bearer' })
        .send({
          ...permission,
          principalId: 123
        })
        .expect(404)
      expect(res.text).toEqual('User not found.')
      expect(res.body).toEqual({})
    })
    it('should respond with Not Found (404) if group is not found', async () => {
      const res = await request(app)
        .post('/SASjsApi/permission')
        .auth(adminAccessToken, { type: 'bearer' })
        .send({
          ...permission,
          principalType: 'group'
        })
        .expect(404)
      expect(res.text).toEqual('Group not found.')
      expect(res.body).toEqual({})
    })
    it('should respond with Conflict (409) if permission already exists', async () => {
      await permissionController.createPermission({
        ...permission,
        principalId: dbUser.id
      })
      const res = await request(app)
        .post('/SASjsApi/permission')
        .auth(adminAccessToken, { type: 'bearer' })
        .send({ ...permission, principalId: dbUser.id })
        .expect(409)
      expect(res.text).toEqual(
        'Permission already exists with provided URI and User.'
      )
      expect(res.body).toEqual({})
    })
  })
  describe('update', () => {
    let dbPermission: PermissionDetailsResponse | undefined
    beforeAll(async () => {
      dbPermission = await permissionController.createPermission({
        ...permission,
        principalId: dbUser.id
      })
    })
    afterEach(async () => {
      await deleteAllPermissions()
    })
    it('should respond with updated permission', async () => {
      const res = await request(app)
        .patch(`/SASjsApi/permission/${dbPermission?.permissionId}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send({ setting: 'Deny' })
        .expect(200)
      expect(res.body.setting).toEqual('Deny')
    })
    it('should respond with Unauthorized if access token is not present', async () => {
      const res = await request(app)
        .patch(`/SASjsApi/permission/${dbPermission?.permissionId}`)
        .send(permission)
        .expect(401)
      expect(res.text).toEqual('Unauthorized')
      expect(res.body).toEqual({})
    })
    it('should respond with Unauthorized if access token is not of an admin account', async () => {
      const accessToken = await generateSaveTokenAndCreateUser({
        ...user,
        username: 'update' + user.username
      })
      const res = await request(app)
        .patch(`/SASjsApi/permission/${dbPermission?.permissionId}`)
        .auth(accessToken, { type: 'bearer' })
        .send()
        .expect(401)
      expect(res.text).toEqual('Admin account required')
      expect(res.body).toEqual({})
    })
    it('should respond with Bad Request if setting is missing', async () => {
      const res = await request(app)
        .patch(`/SASjsApi/permission/${dbPermission?.permissionId}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(400)
      expect(res.text).toEqual(`"setting" is required`)
      expect(res.body).toEqual({})
    })
    it('should respond with Bad Request if setting is not valid', async () => {
      const res = await request(app)
        .post('/SASjsApi/permission')
        .auth(adminAccessToken, { type: 'bearer' })
        .send({
          ...permission,
          setting: 'invalid'
        })
        .expect(400)
      expect(res.text).toEqual('"setting" must be one of [Grant, Deny]')
      expect(res.body).toEqual({})
    })
    it('should respond with not found (404) if permission with provided id does not exists', async () => {
      const res = await request(app)
        .patch('/SASjsApi/permission/123')
        .auth(adminAccessToken, { type: 'bearer' })
        .send({
          setting: PermissionSetting.deny
        })
        .expect(404)
      expect(res.text).toEqual('Permission not found.')
      expect(res.body).toEqual({})
    })
  })
  describe('delete', () => {
    it('should delete permission', async () => {
      const dbPermission = await permissionController.createPermission({
        ...permission,
        principalId: dbUser.id
      })
      const res = await request(app)
        .delete(`/SASjsApi/permission/${dbPermission?.permissionId}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(200)
      expect(res.text).toEqual('Permission Deleted!')
    })
    it('should respond with not found (404) if permission with provided id does not exists', async () => {
      const res = await request(app)
        .delete('/SASjsApi/permission/123')
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(404)
      expect(res.text).toEqual('Permission not found.')
    })
  })
  describe('get', () => {
    beforeAll(async () => {
      await permissionController.createPermission({
        ...permission,
        uri: '/test-1',
        principalId: dbUser.id
      })
      await permissionController.createPermission({
        ...permission,
        uri: '/test-2',
        principalId: dbUser.id
      })
    })
    it('should give a list of all permissions when user is admin', async () => {
      const res = await request(app)
        .get('/SASjsApi/permission/')
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(200)
      expect(res.body).toHaveLength(2)
    })
    it('should give a list of all permissions when user is not admin', async () => {
      const dbUser = await userController.createUser({
        ...user,
        username: 'get' + user.username
      })
      const accessToken = await generateAndSaveToken(dbUser.id)
      await permissionController.createPermission({
        uri: '/SASjsApi/permission',
        principalType: PrincipalType.user,
        principalId: dbUser.id,
        setting: PermissionSetting.grant
      })
      const res = await request(app)
        .get('/SASjsApi/permission/')
        .auth(accessToken, { type: 'bearer' })
        .send()
        .expect(200)
      expect(res.body).toHaveLength(3)
    })
  })
  describe.only('verify', () => {
    beforeAll(async () => {
      await permissionController.createPermission({
        ...permission,
        uri: '/SASjsApi/drive/deploy',
        principalId: dbUser.id
      })
    })
    beforeEach(() => {
      jest
        .spyOn(DriveController.prototype, 'deploy')
        .mockImplementation((deployPayload) =>
          Promise.resolve({
            status: 'success',
            message: 'Files deployed successfully to @sasjs/server.'
          })
        )
    })
    afterEach(() => {
      jest.resetAllMocks()
    })
    it('should create files in SASJS drive', async () => {
      const accessToken = await generateAndSaveToken(dbUser.id)
      await request(app)
        .get('/SASjsApi/drive/deploy')
        .auth(accessToken, { type: 'bearer' })
        .send(deployPayload)
        .expect(200)
    })
    it('should respond unauthorized', async () => {
      const accessToken = await generateAndSaveToken(dbUser.id)
      await request(app)
        .get('/SASjsApi/drive/deploy/upload')
        .auth(accessToken, { type: 'bearer' })
        .send()
        .expect(401)
    })
  })
 })
 const generateSaveTokenAndCreateUser = async (
  someUser?: any
 ): Promise<string> => {
  const dbUser = await userController.createUser(someUser ?? adminUser)
  return generateAndSaveToken(dbUser.id)
 }
 const generateAndSaveToken = async (userId: number) => {
  const adminAccessToken = generateAccessToken({
    clientId,
    userId
  })
  await saveTokensInDB(userId, clientId, adminAccessToken, 'refreshToken')
  return adminAccessToken
 }
 const deleteAllPermissions = async () => {
  const { collections } = mongoose.connection
  const collection = collections['permissions']
  await collection.deleteMany({})
 }
--- a/api/src/routes/api/spec/stp.spec.ts
+++ b/api/src/routes/api/spec/stp.spec.ts
@@ -0,0 +1,397 @@
 import path from 'path'
 import { Express } from 'express'
 import mongoose, { Mongoose } from 'mongoose'
 import { MongoMemoryServer } from 'mongodb-memory-server'
 import request from 'supertest'
 import appPromise from '../../../app'
 import {
  UserController,
  PermissionController,
  PermissionSetting,
  PrincipalType
 } from '../../../controllers/'
 import {
  generateAccessToken,
  saveTokensInDB,
  getFilesFolder,
  RunTimeType,
  generateUniqueFileName,
  getSessionsFolder
 } from '../../../utils'
 import { createFile, generateTimestamp, deleteFolder } from '@sasjs/utils'
 import {
  SASSessionController,
  JSSessionController
 } from '../../../controllers/internal'
 import * as ProcessProgramModule from '../../../controllers/internal/processProgram'
 import { Session } from '../../../types'
 const clientId = 'someclientID'
 const user = {
  displayName: 'Test User',
  username: 'testUsername',
  password: '87654321',
  isAdmin: false,
  isActive: true
 }
 const sampleSasProgram = '%put hello world!;'
 const sampleJsProgram = `console.log('hello world!/')`
 const filesFolder = getFilesFolder()
 describe('stp', () => {
  let app: Express
  let con: Mongoose
  let mongoServer: MongoMemoryServer
  let accessToken: string
  const userController = new UserController()
  const permissionController = new PermissionController()
  beforeAll(async () => {
    app = await appPromise
    mongoServer = await MongoMemoryServer.create()
    con = await mongoose.connect(mongoServer.getUri())
    const dbUser = await userController.createUser(user)
    accessToken = await generateAndSaveToken(dbUser.id)
    await permissionController.createPermission({
      uri: '/SASjsApi/stp/execute',
      principalType: PrincipalType.user,
      principalId: dbUser.id,
      setting: PermissionSetting.grant
    })
  })
  afterAll(async () => {
    await con.connection.dropDatabase()
    await con.connection.close()
    await mongoServer.stop()
  })
  describe('execute', () => {
    const testFilesFolder = `test-stp-${generateTimestamp()}`
    describe('get', () => {
      describe('with runtime js', () => {
        const testFilesFolder = `test-stp-${generateTimestamp()}`
        beforeAll(() => {
          process.runTimes = [RunTimeType.JS]
        })
        beforeEach(() => {
          jest.resetModules() // it clears the cache
          setupMocks()
        })
        afterEach(async () => {
          jest.resetAllMocks()
          await deleteFolder(path.join(filesFolder, testFilesFolder))
        })
        it('should execute js program when both js and sas program are present', async () => {
          const programPath = path.join(testFilesFolder, 'program')
          const sasProgramPath = path.join(filesFolder, `${programPath}.sas`)
          const jsProgramPath = path.join(filesFolder, `${programPath}.js`)
          await createFile(sasProgramPath, sampleSasProgram)
          await createFile(jsProgramPath, sampleJsProgram)
          await request(app)
            .get(`/SASjsApi/stp/execute?_program=${programPath}`)
            .auth(accessToken, { type: 'bearer' })
            .send()
            .expect(200)
          expect(ProcessProgramModule.processProgram).toHaveBeenCalledWith(
            expect.anything(),
            expect.anything(),
            expect.anything(),
            expect.anything(),
            expect.anything(),
            expect.anything(),
            RunTimeType.JS,
            expect.anything(),
            undefined
          )
        })
        it('should throw error when js program is not present but sas program exists', async () => {
          const programPath = path.join(testFilesFolder, 'program')
          const sasProgramPath = path.join(filesFolder, `${programPath}.sas`)
          await createFile(sasProgramPath, sampleSasProgram)
          await request(app)
            .get(`/SASjsApi/stp/execute?_program=${programPath}`)
            .auth(accessToken, { type: 'bearer' })
            .send()
            .expect(400)
        })
      })
      describe('with runtime sas', () => {
        beforeAll(() => {
          process.runTimes = [RunTimeType.SAS]
        })
        beforeEach(() => {
          jest.resetModules() // it clears the cache
          setupMocks()
        })
        afterEach(async () => {
          jest.resetAllMocks()
          await deleteFolder(path.join(filesFolder, testFilesFolder))
        })
        it('should execute sas program when both sas and js programs are present', async () => {
          const programPath = path.join(testFilesFolder, 'program')
          const sasProgramPath = path.join(filesFolder, `${programPath}.sas`)
          const jsProgramPath = path.join(filesFolder, `${programPath}.js`)
          await createFile(sasProgramPath, sampleSasProgram)
          await createFile(jsProgramPath, sampleJsProgram)
          await request(app)
            .get(`/SASjsApi/stp/execute?_program=${programPath}`)
            .auth(accessToken, { type: 'bearer' })
            .send()
            .expect(200)
          expect(ProcessProgramModule.processProgram).toHaveBeenCalledWith(
            expect.anything(),
            expect.anything(),
            expect.anything(),
            expect.anything(),
            expect.anything(),
            expect.anything(),
            RunTimeType.SAS,
            expect.anything(),
            undefined
          )
        })
        it('should throw error when sas program do not exit but js exists', async () => {
          const programPath = path.join(testFilesFolder, 'program')
          const jsProgramPath = path.join(filesFolder, `${programPath}.js`)
          await createFile(jsProgramPath, sampleJsProgram)
          await request(app)
            .get(`/SASjsApi/stp/execute?_program=${programPath}`)
            .auth(accessToken, { type: 'bearer' })
            .send()
            .expect(400)
        })
      })
      describe('with runtime js and sas', () => {
        beforeAll(() => {
          process.runTimes = [RunTimeType.JS, RunTimeType.SAS]
        })
        beforeEach(() => {
          jest.resetModules() // it clears the cache
          setupMocks()
        })
        afterEach(async () => {
          jest.resetAllMocks()
          await deleteFolder(path.join(filesFolder, testFilesFolder))
        })
        it('should execute js program when both js and sas program are present', async () => {
          const programPath = path.join(testFilesFolder, 'program')
          const sasProgramPath = path.join(filesFolder, `${programPath}.sas`)
          const jsProgramPath = path.join(filesFolder, `${programPath}.js`)
          await createFile(sasProgramPath, sampleSasProgram)
          await createFile(jsProgramPath, sampleJsProgram)
          await request(app)
            .get(`/SASjsApi/stp/execute?_program=${programPath}`)
            .auth(accessToken, { type: 'bearer' })
            .send()
            .expect(200)
          expect(ProcessProgramModule.processProgram).toHaveBeenCalledWith(
            expect.anything(),
            expect.anything(),
            expect.anything(),
            expect.anything(),
            expect.anything(),
            expect.anything(),
            RunTimeType.JS,
            expect.anything(),
            undefined
          )
        })
        it('should execute sas program when js program is not present but sas program exists', async () => {
          const programPath = path.join(testFilesFolder, 'program')
          const sasProgramPath = path.join(filesFolder, `${programPath}.sas`)
          await createFile(sasProgramPath, sampleSasProgram)
          await request(app)
            .get(`/SASjsApi/stp/execute?_program=${programPath}`)
            .auth(accessToken, { type: 'bearer' })
            .send()
            .expect(200)
          expect(ProcessProgramModule.processProgram).toHaveBeenCalledWith(
            expect.anything(),
            expect.anything(),
            expect.anything(),
            expect.anything(),
            expect.anything(),
            expect.anything(),
            RunTimeType.SAS,
            expect.anything(),
            undefined
          )
        })
        it('should throw error when both sas and js programs do not exist', async () => {
          const programPath = path.join(testFilesFolder, 'program')
          await request(app)
            .get(`/SASjsApi/stp/execute?_program=${programPath}`)
            .auth(accessToken, { type: 'bearer' })
            .send()
            .expect(400)
        })
      })
      describe('with runtime sas and js', () => {
        beforeAll(() => {
          process.runTimes = [RunTimeType.SAS, RunTimeType.JS]
        })
        beforeEach(() => {
          jest.resetModules() // it clears the cache
          setupMocks()
        })
        afterEach(async () => {
          jest.resetAllMocks()
          await deleteFolder(path.join(filesFolder, testFilesFolder))
        })
        it('should execute sas program when both sas and js programs  exist', async () => {
          const programPath = path.join(testFilesFolder, 'program')
          const sasProgramPath = path.join(filesFolder, `${programPath}.sas`)
          const jsProgramPath = path.join(filesFolder, `${programPath}.js`)
          await createFile(sasProgramPath, sampleSasProgram)
          await createFile(jsProgramPath, sampleJsProgram)
          await request(app)
            .get(`/SASjsApi/stp/execute?_program=${programPath}`)
            .auth(accessToken, { type: 'bearer' })
            .send()
            .expect(200)
          expect(ProcessProgramModule.processProgram).toHaveBeenCalledWith(
            expect.anything(),
            expect.anything(),
            expect.anything(),
            expect.anything(),
            expect.anything(),
            expect.anything(),
            RunTimeType.SAS,
            expect.anything(),
            undefined
          )
        })
        it('should execute js program when sas program is not present but js program exists', async () => {
          const programPath = path.join(testFilesFolder, 'program')
          const jsProgramPath = path.join(filesFolder, `${programPath}.js`)
          await createFile(jsProgramPath, sampleJsProgram)
          await request(app)
            .get(`/SASjsApi/stp/execute?_program=${programPath}`)
            .auth(accessToken, { type: 'bearer' })
            .send()
            .expect(200)
          expect(ProcessProgramModule.processProgram).toHaveBeenCalledWith(
            expect.anything(),
            expect.anything(),
            expect.anything(),
            expect.anything(),
            expect.anything(),
            expect.anything(),
            RunTimeType.JS,
            expect.anything(),
            undefined
          )
        })
        it('should throw error when both sas and js programs do not exist', async () => {
          const programPath = path.join(testFilesFolder, 'program')
          await request(app)
            .get(`/SASjsApi/stp/execute?_program=${programPath}`)
            .auth(accessToken, { type: 'bearer' })
            .send()
            .expect(400)
        })
      })
    })
  })
 })
 const generateSaveTokenAndCreateUser = async (
  someUser: any
 ): Promise<string> => {
  const userController = new UserController()
  const dbUser = await userController.createUser(someUser)
  return generateAndSaveToken(dbUser.id)
 }
 const generateAndSaveToken = async (userId: number) => {
  const accessToken = generateAccessToken({
    clientId,
    userId
  })
  await saveTokensInDB(userId, clientId, accessToken, 'refreshToken')
  return accessToken
 }
 const setupMocks = async () => {
  jest
    .spyOn(SASSessionController.prototype, 'getSession')
    .mockImplementation(mockedGetSession)
  jest
    .spyOn(JSSessionController.prototype, 'getSession')
    .mockImplementation(mockedGetSession)
  jest
    .spyOn(ProcessProgramModule, 'processProgram')
    .mockImplementation(() => Promise.resolve())
 }
 const mockedGetSession = async () => {
  const sessionId = generateUniqueFileName(generateTimestamp())
  const sessionFolder = path.join(getSessionsFolder(), sessionId)
  const creationTimeStamp = sessionId.split('-').pop() as string
  // death time of session is 15 mins from creation
  const deathTimeStamp = (
    parseInt(creationTimeStamp) +
    15 * 60 * 1000 -
    1000
  ).toString()
  const session: Session = {
    id: sessionId,
    ready: true,
    inUse: true,
    consumed: false,
    completed: false,
    creationTimeStamp,
    deathTimeStamp,
    path: sessionFolder
  }
  return session
 }
--- a/api/src/routes/api/spec/user.spec.ts
+++ b/api/src/routes/api/spec/user.spec.ts
@@ -3,23 +3,24 @@ import mongoose, { Mongoose } from 'mongoose'
 import { MongoMemoryServer } from 'mongodb-memory-server'
 import request from 'supertest'
 import appPromise from '../../../app'
-import { UserController } from '../../../controllers/'
+import { UserController, GroupController } from '../../../controllers/'
 import { generateAccessToken, saveTokensInDB } from '../../../utils'
 const clientId = 'someclientID'
 const adminUser = {
  displayName: 'Test Admin',
-  username: 'testAdminUsername',
+  username: 'testadminusername',
  password: '12345678',
  isAdmin: true,
  isActive: true
 }
 const user = {
  displayName: 'Test User',
-  username: 'testUsername',
+  username: 'testusername',
  password: '87654321',
  isAdmin: false,
-  isActive: true
+  isActive: true,
  autoExec: 'some sas code for auto exec;'
 }
 const controller = new UserController()
@@ -64,6 +65,21 @@ describe('user', () => {
      expect(res.body.displayName).toEqual(user.displayName)
      expect(res.body.isAdmin).toEqual(user.isAdmin)
      expect(res.body.isActive).toEqual(user.isActive)
      expect(res.body.autoExec).toEqual(user.autoExec)
    })
    it('should respond with new user having username as lowercase', async () => {
      const res = await request(app)
        .post('/SASjsApi/user')
        .auth(adminAccessToken, { type: 'bearer' })
        .send({ ...user, username: user.username.toUpperCase() })
        .expect(200)
      expect(res.body.username).toEqual(user.username)
      expect(res.body.displayName).toEqual(user.displayName)
      expect(res.body.isAdmin).toEqual(user.isAdmin)
      expect(res.body.isActive).toEqual(user.isActive)
      expect(res.body.autoExec).toEqual(user.autoExec)
    })
    it('should respond with Unauthorized if access token is not present', async () => {
@@ -242,7 +258,7 @@ describe('user', () => {
      const dbUser1 = await controller.createUser(user)
      const dbUser2 = await controller.createUser({
        ...user,
-        username: 'randomUser'
+        username: 'randomuser'
      })
      const res = await request(app)
@@ -254,6 +270,102 @@ describe('user', () => {
      expect(res.text).toEqual('Error: Username already exists.')
      expect(res.body).toEqual({})
    })
    describe('by username', () => {
      it('should respond with updated user when admin user requests', async () => {
        const dbUser = await controller.createUser(user)
        const newDisplayName = 'My new display Name'
        const res = await request(app)
          .patch(`/SASjsApi/user/by/username/${user.username}`)
          .auth(adminAccessToken, { type: 'bearer' })
          .send({ ...user, displayName: newDisplayName })
          .expect(200)
        expect(res.body.username).toEqual(user.username)
        expect(res.body.displayName).toEqual(newDisplayName)
        expect(res.body.isAdmin).toEqual(user.isAdmin)
        expect(res.body.isActive).toEqual(user.isActive)
      })
      it('should respond with updated user when user himself requests', async () => {
        const dbUser = await controller.createUser(user)
        const accessToken = await generateAndSaveToken(dbUser.id)
        const newDisplayName = 'My new display Name'
        const res = await request(app)
          .patch(`/SASjsApi/user/by/username/${user.username}`)
          .auth(accessToken, { type: 'bearer' })
          .send({
            displayName: newDisplayName,
            username: user.username,
            password: user.password
          })
          .expect(200)
        expect(res.body.username).toEqual(user.username)
        expect(res.body.displayName).toEqual(newDisplayName)
        expect(res.body.isAdmin).toEqual(user.isAdmin)
        expect(res.body.isActive).toEqual(user.isActive)
      })
      it('should respond with Bad Request, only admin can update isAdmin/isActive', async () => {
        const dbUser = await controller.createUser(user)
        const accessToken = await generateAndSaveToken(dbUser.id)
        const newDisplayName = 'My new display Name'
        await request(app)
          .patch(`/SASjsApi/user/by/username/${user.username}`)
          .auth(accessToken, { type: 'bearer' })
          .send({ ...user, displayName: newDisplayName })
          .expect(400)
      })
      it('should respond with Unauthorized if access token is not present', async () => {
        const res = await request(app)
          .patch('/SASjsApi/user/by/username/1234')
          .send(user)
          .expect(401)
        expect(res.text).toEqual('Unauthorized')
        expect(res.body).toEqual({})
      })
      it('should respond with Unauthorized when access token is not of an admin account or himself', async () => {
        const dbUser1 = await controller.createUser(user)
        const dbUser2 = await controller.createUser({
          ...user,
          username: 'randomUser'
        })
        const accessToken = await generateAndSaveToken(dbUser2.id)
        const res = await request(app)
          .patch(`/SASjsApi/user/${dbUser1.id}`)
          .auth(accessToken, { type: 'bearer' })
          .send(user)
          .expect(401)
        expect(res.text).toEqual('Admin account required')
        expect(res.body).toEqual({})
      })
      it('should respond with Forbidden if username is already present', async () => {
        const dbUser1 = await controller.createUser(user)
        const dbUser2 = await controller.createUser({
          ...user,
          username: 'randomuser'
        })
        const res = await request(app)
          .patch(`/SASjsApi/user/by/username/${dbUser1.username}`)
          .auth(adminAccessToken, { type: 'bearer' })
          .send({ username: dbUser2.username })
          .expect(403)
        expect(res.text).toEqual('Error: Username already exists.')
        expect(res.body).toEqual({})
      })
    })
  })
  describe('delete', () => {
@@ -347,6 +459,89 @@ describe('user', () => {
      expect(res.text).toEqual('Error: Invalid password.')
      expect(res.body).toEqual({})
    })
    describe('by username', () => {
      it('should respond with OK when admin user requests', async () => {
        const dbUser = await controller.createUser(user)
        const res = await request(app)
          .delete(`/SASjsApi/user/by/username/${dbUser.username}`)
          .auth(adminAccessToken, { type: 'bearer' })
          .send()
          .expect(200)
        expect(res.body).toEqual({})
      })
      it('should respond with OK when user himself requests', async () => {
        const dbUser = await controller.createUser(user)
        const accessToken = await generateAndSaveToken(dbUser.id)
        const res = await request(app)
          .delete(`/SASjsApi/user/by/username/${dbUser.username}`)
          .auth(accessToken, { type: 'bearer' })
          .send({ password: user.password })
          .expect(200)
        expect(res.body).toEqual({})
      })
      it('should respond with Bad Request when user himself requests and password is missing', async () => {
        const dbUser = await controller.createUser(user)
        const accessToken = await generateAndSaveToken(dbUser.id)
        const res = await request(app)
          .delete(`/SASjsApi/user/by/username/${dbUser.username}`)
          .auth(accessToken, { type: 'bearer' })
          .send()
          .expect(400)
        expect(res.text).toEqual(`"password" is required`)
        expect(res.body).toEqual({})
      })
      it('should respond with Unauthorized when access token is not present', async () => {
        const res = await request(app)
          .delete('/SASjsApi/user/by/username/RandomUsername')
          .send(user)
          .expect(401)
        expect(res.text).toEqual('Unauthorized')
        expect(res.body).toEqual({})
      })
      it('should respond with Unauthorized when access token is not of an admin account or himself', async () => {
        const dbUser1 = await controller.createUser(user)
        const dbUser2 = await controller.createUser({
          ...user,
          username: 'randomUser'
        })
        const accessToken = await generateAndSaveToken(dbUser2.id)
        const res = await request(app)
          .delete(`/SASjsApi/user/by/username/${dbUser1.username}`)
          .auth(accessToken, { type: 'bearer' })
          .send(user)
          .expect(401)
        expect(res.text).toEqual('Admin account required')
        expect(res.body).toEqual({})
      })
      it('should respond with Forbidden when user himself requests and password is incorrect', async () => {
        const dbUser = await controller.createUser(user)
        const accessToken = await generateAndSaveToken(dbUser.id)
        const res = await request(app)
          .delete(`/SASjsApi/user/by/username/${dbUser.username}`)
          .auth(accessToken, { type: 'bearer' })
          .send({ password: 'incorrectpassword' })
          .expect(403)
        expect(res.text).toEqual('Error: Invalid password.')
        expect(res.body).toEqual({})
      })
    })
  })
  describe('get', () => {
@@ -360,7 +555,26 @@ describe('user', () => {
      await deleteAllUsers()
    })
-    it('should respond with user', async () => {
+    it('should respond with user autoExec when same user requests', async () => {
      const dbUser = await controller.createUser(user)
      const userId = dbUser.id
      const accessToken = await generateAndSaveToken(userId)
      const res = await request(app)
        .get(`/SASjsApi/user/${userId}`)
        .auth(accessToken, { type: 'bearer' })
        .send()
        .expect(200)
      expect(res.body.username).toEqual(user.username)
      expect(res.body.displayName).toEqual(user.displayName)
      expect(res.body.isAdmin).toEqual(user.isAdmin)
      expect(res.body.isActive).toEqual(user.isActive)
      expect(res.body.autoExec).toEqual(user.autoExec)
      expect(res.body.groups).toEqual([])
    })
    it('should respond with user autoExec when admin user requests', async () => {
      const dbUser = await controller.createUser(user)
      const userId = dbUser.id
@@ -374,6 +588,8 @@ describe('user', () => {
      expect(res.body.displayName).toEqual(user.displayName)
      expect(res.body.isAdmin).toEqual(user.isAdmin)
      expect(res.body.isActive).toEqual(user.isActive)
      expect(res.body.autoExec).toEqual(user.autoExec)
      expect(res.body.groups).toEqual([])
    })
    it('should respond with user when access token is not of an admin account', async () => {
@@ -395,6 +611,35 @@ describe('user', () => {
      expect(res.body.displayName).toEqual(user.displayName)
      expect(res.body.isAdmin).toEqual(user.isAdmin)
      expect(res.body.isActive).toEqual(user.isActive)
      expect(res.body.autoExec).toBeUndefined()
      expect(res.body.groups).toEqual([])
    })
    it('should respond with user along with associated groups', async () => {
      const dbUser = await controller.createUser(user)
      const userId = dbUser.id
      const accessToken = await generateAndSaveToken(userId)
      const group = {
        name: 'DCGroup1',
        description: 'DC group for testing purposes.'
      }
      const groupController = new GroupController()
      const dbGroup = await groupController.createGroup(group)
      await groupController.addUserToGroup(dbGroup.groupId, dbUser.id)
      const res = await request(app)
        .get(`/SASjsApi/user/${userId}`)
        .auth(accessToken, { type: 'bearer' })
        .send()
        .expect(200)
      expect(res.body.username).toEqual(user.username)
      expect(res.body.displayName).toEqual(user.displayName)
      expect(res.body.isAdmin).toEqual(user.isAdmin)
      expect(res.body.isActive).toEqual(user.isActive)
      expect(res.body.autoExec).toEqual(user.autoExec)
      expect(res.body.groups.length).toBeGreaterThan(0)
    })
    it('should respond with Unauthorized if access token is not present', async () => {
@@ -419,6 +664,86 @@ describe('user', () => {
      expect(res.text).toEqual('Error: User is not found.')
      expect(res.body).toEqual({})
    })
    describe('by username', () => {
      it('should respond with user autoExec when same user requests', async () => {
        const dbUser = await controller.createUser(user)
        const userId = dbUser.id
        const accessToken = await generateAndSaveToken(userId)
        const res = await request(app)
          .get(`/SASjsApi/user/by/username/${dbUser.username}`)
          .auth(accessToken, { type: 'bearer' })
          .send()
          .expect(200)
        expect(res.body.username).toEqual(user.username)
        expect(res.body.displayName).toEqual(user.displayName)
        expect(res.body.isAdmin).toEqual(user.isAdmin)
        expect(res.body.isActive).toEqual(user.isActive)
        expect(res.body.autoExec).toEqual(user.autoExec)
      })
      it('should respond with user autoExec when admin user requests', async () => {
        const dbUser = await controller.createUser(user)
        const res = await request(app)
          .get(`/SASjsApi/user/by/username/${dbUser.username}`)
          .auth(adminAccessToken, { type: 'bearer' })
          .send()
          .expect(200)
        expect(res.body.username).toEqual(user.username)
        expect(res.body.displayName).toEqual(user.displayName)
        expect(res.body.isAdmin).toEqual(user.isAdmin)
        expect(res.body.isActive).toEqual(user.isActive)
        expect(res.body.autoExec).toEqual(user.autoExec)
      })
      it('should respond with user when access token is not of an admin account', async () => {
        const accessToken = await generateSaveTokenAndCreateUser({
          ...user,
          username: 'randomUser'
        })
        const dbUser = await controller.createUser(user)
        const res = await request(app)
          .get(`/SASjsApi/user/by/username/${dbUser.username}`)
          .auth(accessToken, { type: 'bearer' })
          .send()
          .expect(200)
        expect(res.body.username).toEqual(user.username)
        expect(res.body.displayName).toEqual(user.displayName)
        expect(res.body.isAdmin).toEqual(user.isAdmin)
        expect(res.body.isActive).toEqual(user.isActive)
        expect(res.body.autoExec).toBeUndefined()
      })
      it('should respond with Unauthorized if access token is not present', async () => {
        const res = await request(app)
          .get('/SASjsApi/user/by/username/randomUsername')
          .send()
          .expect(401)
        expect(res.text).toEqual('Unauthorized')
        expect(res.body).toEqual({})
      })
      it('should respond with Forbidden if username is incorrect', async () => {
        await controller.createUser(user)
        const res = await request(app)
          .get('/SASjsApi/user/by/username/randomUsername')
          .auth(adminAccessToken, { type: 'bearer' })
          .send()
          .expect(403)
        expect(res.text).toEqual('Error: User is not found.')
        expect(res.body).toEqual({})
      })
    })
  })
  describe('getAll', () => {
@@ -445,12 +770,14 @@ describe('user', () => {
        {
          id: expect.anything(),
          username: adminUser.username,
-          displayName: adminUser.displayName
+          displayName: adminUser.displayName,
          isAdmin: adminUser.isAdmin
        },
        {
          id: expect.anything(),
          username: user.username,
-          displayName: user.displayName
+          displayName: user.displayName,
          isAdmin: user.isAdmin
        }
      ])
    })
@@ -471,12 +798,14 @@ describe('user', () => {
        {
          id: expect.anything(),
          username: adminUser.username,
-          displayName: adminUser.displayName
+          displayName: adminUser.displayName,
          isAdmin: adminUser.isAdmin
        },
        {
          id: expect.anything(),
          username: 'randomUser',
-          displayName: user.displayName
+          displayName: user.displayName,
          isAdmin: user.isAdmin
        }
      ])
    })
--- a/api/src/routes/api/spec/web.spec.ts
+++ b/api/src/routes/api/spec/web.spec.ts
@@ -10,7 +10,7 @@ const clientSecret = 'someclientSecret'
 const user = {
  id: 1234,
  displayName: 'Test User',
-  username: 'testUsername',
+  username: 'testusername',
  password: '87654321',
  isAdmin: false,
  isActive: true
@@ -77,8 +77,10 @@ describe('web', () => {
      expect(res.body.loggedIn).toBeTruthy()
      expect(res.body.user).toEqual({
        id: expect.any(Number),
        username: user.username,
-        displayName: user.displayName
+        displayName: user.displayName,
        isAdmin: user.isAdmin
      })
    })
  })
@@ -155,7 +157,6 @@ const getCSRF = async (app: Express) => {
  const { header } = await request(app).get('/')
  const cookies = header['set-cookie'].join()
  console.log('cookies', cookies)
  const csrfToken = extractCSRF(cookies)
  return { csrfToken, cookies }
 }
--- a/api/src/routes/api/stp.ts
+++ b/api/src/routes/api/stp.ts
@@ -34,23 +34,25 @@ stpRouter.post(
  '/execute',
  fileUploadController.preUploadMiddleware,
  fileUploadController.getMulterUploadObject().any(),
-  async (req: any, res: any) => {
+  async (req, res: any) => {
-    const { error: errQ, value: query } = executeProgramRawValidation(req.query)
+    // below validations are moved to preUploadMiddleware
-    const { error: errB, value: body } = executeProgramRawValidation(req.body)
+    // const { error: errQ, value: query } = executeProgramRawValidation(req.query)
    // const { error: errB, value: body } = executeProgramRawValidation(req.body)
-    if (errQ && errB) return res.status(400).send(errB.details[0].message)
+    // if (errQ && errB) return res.status(400).send(errB.details[0].message)
    try {
      const response = await controller.executeReturnJson(
        req,
-        body,
+        req.body,
-        query?._program
+        req.query?._program as string
      )
-      if (response instanceof Buffer) {
+      // TODO: investigate if this code is required
-        res.writeHead(200, (req as any).sasHeaders)
+      // if (response instanceof Buffer) {
-        return res.end(response)
+      //   res.writeHead(200, (req as any).sasHeaders)
-      }
+      //   return res.end(response)
      // }
      res.send(response)
    } catch (err: any) {
--- a/api/src/routes/api/user.ts
+++ b/api/src/routes/api/user.ts
@@ -7,6 +7,7 @@ import {
 } from '../../middlewares'
 import {
  deleteUserValidation,
  getUserValidation,
  registerUserValidation,
  updateUserValidation
 } from '../../utils'
@@ -36,12 +37,31 @@ userRouter.get('/', authenticateAccessToken, async (req, res) => {
  }
 })
-userRouter.get('/:userId', authenticateAccessToken, async (req: any, res) => {
+userRouter.get(
  '/by/username/:username',
  authenticateAccessToken,
  async (req, res) => {
    const { error, value: params } = getUserValidation(req.params)
    if (error) return res.status(400).send(error.details[0].message)
    const { username } = params
    const controller = new UserController()
    try {
      const response = await controller.getUserByUsername(req, username)
      res.send(response)
    } catch (err: any) {
      res.status(403).send(err.toString())
    }
  }
 )
 userRouter.get('/:userId', authenticateAccessToken, async (req, res) => {
  const { userId } = req.params
  const controller = new UserController()
  try {
-    const response = await controller.getUser(userId)
+    const response = await controller.getUser(req, parseInt(userId))
    res.send(response)
  } catch (err: any) {
    res.status(403).send(err.toString())
@@ -49,20 +69,26 @@ userRouter.get('/:userId', authenticateAccessToken, async (req: any, res) => {
 })
 userRouter.patch(
-  '/:userId',
+  '/by/username/:username',
  authenticateAccessToken,
  verifyAdminIfNeeded,
-  async (req: any, res) => {
+  async (req, res) => {
    const { user } = req
-    const { userId } = req.params
+    const { error: errorUsername, value: params } = getUserValidation(
      req.params
    )
    if (errorUsername)
      return res.status(400).send(errorUsername.details[0].message)
    const { username } = params
    // only an admin can update `isActive` and `isAdmin` fields
-    const { error, value: body } = updateUserValidation(req.body, user.isAdmin)
+    const { error, value: body } = updateUserValidation(req.body, user!.isAdmin)
    if (error) return res.status(400).send(error.details[0].message)
    const controller = new UserController()
    try {
-      const response = await controller.updateUser(userId, body)
+      const response = await controller.updateUserByUsername(username, body)
      res.send(response)
    } catch (err: any) {
      res.status(403).send(err.toString())
@@ -70,21 +96,71 @@ userRouter.patch(
  }
 )
 userRouter.patch(
  '/:userId',
  authenticateAccessToken,
  verifyAdminIfNeeded,
  async (req, res) => {
    const { user } = req
    const { userId } = req.params
    // only an admin can update `isActive` and `isAdmin` fields
    const { error, value: body } = updateUserValidation(req.body, user!.isAdmin)
    if (error) return res.status(400).send(error.details[0].message)
    const controller = new UserController()
    try {
      const response = await controller.updateUser(parseInt(userId), body)
      res.send(response)
    } catch (err: any) {
      res.status(403).send(err.toString())
    }
  }
 )
 userRouter.delete(
  '/by/username/:username',
  authenticateAccessToken,
  verifyAdminIfNeeded,
  async (req, res) => {
    const { user } = req
    const { error: errorUsername, value: params } = getUserValidation(
      req.params
    )
    if (errorUsername)
      return res.status(400).send(errorUsername.details[0].message)
    const { username } = params
    // only an admin can delete user without providing password
    const { error, value: data } = deleteUserValidation(req.body, user!.isAdmin)
    if (error) return res.status(400).send(error.details[0].message)
    const controller = new UserController()
    try {
      await controller.deleteUserByUsername(username, data, user!.isAdmin)
      res.status(200).send('Account Deleted!')
    } catch (err: any) {
      res.status(403).send(err.toString())
    }
  }
 )
 userRouter.delete(
  '/:userId',
  authenticateAccessToken,
  verifyAdminIfNeeded,
-  async (req: any, res) => {
+  async (req, res) => {
    const { user } = req
    const { userId } = req.params
    // only an admin can delete user without providing password
-    const { error, value: data } = deleteUserValidation(req.body, user.isAdmin)
+    const { error, value: data } = deleteUserValidation(req.body, user!.isAdmin)
    if (error) return res.status(400).send(error.details[0].message)
    const controller = new UserController()
    try {
-      await controller.deleteUser(userId, data, user.isAdmin)
+      await controller.deleteUser(parseInt(userId), data, user!.isAdmin)
      res.status(200).send('Account Deleted!')
    } catch (err: any) {
      res.status(403).send(err.toString())
--- a/api/src/routes/appStream/appStreamHtml.ts
+++ b/api/src/routes/appStream/appStreamHtml.ts
@@ -23,13 +23,21 @@ export const appStreamHtml = (appStreamConfig: AppStreamConfig) => `
    ${style}
  </head>
  <body>
-    <h1>App Stream</h1>
+    <header>
      <a href="/"><img src="/logo.png" alt="logo" class="logo"></a>
      <h1>App Stream</h1>
    </header>
    <div class="app-container">
-      ${Object.entries(appStreamConfig)
+        ${Object.entries(appStreamConfig)
-        .map(([streamServiceName, entry]) =>
+          .map(([streamServiceName, entry]) =>
-          singleAppStreamHtml(streamServiceName, entry.appLoc, entry.streamLogo)
+            singleAppStreamHtml(
-        )
+              streamServiceName,
-        .join('')}
+              entry.appLoc,
              entry.streamLogo
            )
          )
          .join('')}
        <a class="app" title="Upload build.json">
          <input id="fileId" type="file" hidden />
          <button id="uploadButton" style="margin-bottom: 5px; cursor: pointer">
--- a/api/src/routes/appStream/index.ts
+++ b/api/src/routes/appStream/index.ts
@@ -1,13 +1,16 @@
 import path from 'path'
-import express from 'express'
+import express, { Request } from 'express'
 import { authenticateAccessToken } from '../../middlewares'
 import { folderExists } from '@sasjs/utils'
-import { addEntryToAppStreamConfig, getTmpFilesFolderPath } from '../../utils'
+import { addEntryToAppStreamConfig, getFilesFolder } from '../../utils'
 import { appStreamHtml } from './appStreamHtml'
 const appStreams: { [key: string]: string } = {}
 const router = express.Router()
-router.get('/', async (req, res) => {
+router.get('/', authenticateAccessToken, async (req, res) => {
  const content = appStreamHtml(process.appStreamConfig)
  res.cookie('XSRF-TOKEN', req.csrfToken())
@@ -22,7 +25,7 @@ export const publishAppStream = async (
  streamLogo?: string,
  addEntryToFile: boolean = true
 ) => {
-  const driveFilesPath = getTmpFilesFolderPath()
+  const driveFilesPath = getFilesFolder()
  const appLocParts = appLoc.replace(/^\//, '')?.split('/')
  const appLocPath = path.join(driveFilesPath, ...appLocParts)
@@ -44,7 +47,7 @@ export const publishAppStream = async (
      streamServiceName = `AppStreamName${appCount + 1}`
    }
-    router.use(`/${streamServiceName}`, express.static(pathToDeployment))
+    appStreams[streamServiceName] = pathToDeployment
    addEntryToAppStreamConfig(
      streamServiceName,
@@ -64,4 +67,26 @@ export const publishAppStream = async (
  return {}
 }
 router.get(`/*`, authenticateAccessToken, function (req: Request, res, next) {
  const reqPath = req.path.replace(/^\//, '')
  // Redirecting to url with trailing slash for appStream base URL only
  if (reqPath.split('/').length === 1 && !reqPath.endsWith('/'))
    // navigating to same url with slash at start
    return res.redirect(301, `${reqPath}/`)
  const appStream = reqPath.split('/')[0]
  const appStreamFilesPath = appStreams[appStream]
  if (appStreamFilesPath) {
    // resourcePath is without appStream base path
    const resourcePath = reqPath.split('/').slice(1).join('/') || 'index.html'
    req.url = resourcePath
    return express.static(appStreamFilesPath)(req, res, next)
  }
  return res.send("There's no App Stream available here.")
 })
 export default router
--- a/api/src/routes/appStream/style.ts
+++ b/api/src/routes/appStream/style.ts
@@ -5,18 +5,71 @@ export const style = `<style>
 .app-container {
  display: flex;
  flex-wrap: wrap;
-  align-items: baseline;
+  align-items: center;
  justify-content: center;
  padding-top: 50px;
 }
 .app-container .app {
  width: 150px;
  height: 180px;
  margin: 10px;
  overflow: hidden;
  text-align: center;
  text-decoration: none;
  color: black;
  background: #efefef;
  padding: 10px;
  border-radius: 7px;
  border: 1px solid #d7d7d7;
 }
 .app-container .app img{
  width: 100%;
  margin-bottom: 10px;
  border-radius: 10px;
 }
 #uploadButton {
  border: 0
 }
 #uploadButton:focus {
  outline: 0
 }
 #uploadMessage {
  position: relative;
  bottom: -5px;
 }
 header {
  transition: box-shadow 300ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;
  box-shadow: rgb(0 0 0 / 20%) 0px 2px 4px -1px, rgb(0 0 0 / 14%) 0px 4px 5px 0px, rgb(0 0 0 / 12%) 0px 1px 10px 0px;
  display: flex;
  width: 100%;
  box-sizing: border-box;
  flex-shrink: 0;
  position: fixed;
  top: 0px;
  left: auto;
  right: 0px;
  background-color: rgb(0, 0, 0);
  color: rgb(255, 255, 255);
  z-index: 1201;
 }
 header h1 {
  margin: 13px;
  font-size: 20px;
 }
 header a {
  align-self: center;
 }
 header .logo {
  width: 35px;
  margin-left: 10px;
  align-self: center;
 }
 </style>`
--- a/api/src/routes/web/web.ts
+++ b/api/src/routes/web/web.ts
@@ -1,6 +1,6 @@
 import express from 'express'
 import { WebController } from '../../controllers/web'
-import { authenticateAccessToken } from '../../middlewares'
+import { authenticateAccessToken, desktopRestrict } from '../../middlewares'
 import { authorizeValidation, loginWebValidation } from '../../utils'
 const webRouter = express.Router()
@@ -19,7 +19,7 @@ webRouter.get('/', async (req, res) => {
  }
 })
-webRouter.post('/SASLogon/login', async (req, res) => {
+webRouter.post('/SASLogon/login', desktopRestrict, async (req, res) => {
  const { error, value: body } = loginWebValidation(req.body)
  if (error) return res.status(400).send(error.details[0].message)
@@ -33,6 +33,7 @@ webRouter.post('/SASLogon/login', async (req, res) => {
 webRouter.post(
  '/SASLogon/authorize',
  desktopRestrict,
  authenticateAccessToken,
  async (req, res) => {
    const { error, value: body } = authorizeValidation(req.body)
@@ -47,7 +48,7 @@ webRouter.post(
  }
 )
-webRouter.get('/logout', async (req, res) => {
+webRouter.get('/SASLogon/logout', desktopRestrict, async (req, res) => {
  try {
    await controller.logout(req)
    res.status(200).send('OK!')
--- a/api/src/server.ts
+++ b/api/src/server.ts
@@ -16,9 +16,9 @@ appPromise.then(async (app) => {
      )
    })
  } else {
-    const { key, cert } = await getCertificates()
+    const { key, cert, ca } = await getCertificates()
-    const httpsServer = createServer({ key, cert }, app)
+    const httpsServer = createServer({ key, cert, ca }, app)
    httpsServer.listen(sasJsPort, () => {
      console.log(
        `⚡️[server]: Server is running at https://localhost:${sasJsPort}`
--- a/api/src/types/RequestUser.ts
+++ b/api/src/types/RequestUser.ts
@@ -0,0 +1,9 @@
 export interface RequestUser {
  userId: number
  clientId: string
  username: string
  displayName: string
  isAdmin: boolean
  isActive: boolean
  autoExec?: string
 }
--- a/api/src/types/index.ts
+++ b/api/src/types/index.ts
@@ -5,3 +5,4 @@ export * from './InfoJWT'
 export * from './PreProgramVars'
 export * from './Session'
 export * from './TreeNode'
 export * from './RequestUser'
--- a/api/src/types/system/express-session.d.ts
+++ b/api/src/types/system/express-session.d.ts
@@ -2,13 +2,6 @@ import express from 'express'
 declare module 'express-session' {
  interface SessionData {
    loggedIn: boolean
-    user: {
+    user: import('../').RequestUser
      userId: number
      clientId: string
      username: string
      displayName: string
      isAdmin: boolean
      isActive: boolean
    }
  }
 }
--- a/api/src/types/system/express.d.ts
+++ b/api/src/types/system/express.d.ts
@@ -0,0 +1,7 @@
 declare namespace Express {
  export interface Request {
    accessToken?: string
    user?: import('../').RequestUser
    sasjsSession?: import('../').Session
  }
 }
--- a/api/src/types/system/process.d.ts
+++ b/api/src/types/system/process.d.ts
@@ -1,8 +1,14 @@
 declare namespace NodeJS {
  export interface Process {
-    sasLoc: string
+    sasLoc?: string
    nodeLoc?: string
    driveLoc: string
-    sessionController?: import('../../controllers/internal').SessionController
+    logsLoc: string
    sasSessionController?: import('../../controllers/internal').SASSessionController
    jsSessionController?: import('../../controllers/internal').JSSessionController
    appStreamConfig: import('../').AppStreamConfig
    logger: import('@sasjs/utils/logger').Logger
    runTimes: import('../../utils').RunTimeType[]
    secrets: import('../../model/Configuration').ConfigurationType
  }
 }
--- a/api/src/utils/appStreamConfig.ts
+++ b/api/src/utils/appStreamConfig.ts
@@ -2,12 +2,14 @@ import { createFile, fileExists, readFile } from '@sasjs/utils'
 import { publishAppStream } from '../routes/appStream'
 import { AppStreamConfig } from '../types'
-import { getTmpAppStreamConfigPath } from './file'
+import { getAppStreamConfigPath } from './file'
 export const loadAppStreamConfig = async () => {
  process.appStreamConfig = {}
  if (process.env.NODE_ENV === 'test') return
-  const appStreamConfigPath = getTmpAppStreamConfigPath()
+  const appStreamConfigPath = getAppStreamConfigPath()
  const content = (await fileExists(appStreamConfigPath))
    ? await readFile(appStreamConfigPath)
@@ -21,7 +23,6 @@ export const loadAppStreamConfig = async () => {
  } catch (_) {
    appStreamConfig = {}
  }
  process.appStreamConfig = {}
  for (const [streamServiceName, entry] of Object.entries(appStreamConfig)) {
    const { appLoc, streamWebFolder, streamLogo } = entry
@@ -63,7 +64,7 @@ export const removeEntryFromAppStreamConfig = (streamServiceName: string) => {
 }
 const saveAppStreamConfig = async () => {
-  const appStreamConfigPath = getTmpAppStreamConfigPath()
+  const appStreamConfigPath = getAppStreamConfigPath()
  try {
    await createFile(
--- a/api/src/utils/connectDB.ts
+++ b/api/src/utils/connectDB.ts
@@ -9,7 +9,5 @@ export const connectDB = async () => {
  }
  console.log('Connected to DB!')
-  await seedDB()
+  return seedDB()
  return mongoose.connection
 }
--- a/api/src/utils/copySASjsCore.ts
+++ b/api/src/utils/copySASjsCore.ts
@@ -7,14 +7,14 @@ import {
  readFile
 } from '@sasjs/utils'
-import { getTmpMacrosPath, sasJSCoreMacros, sasJSCoreMacrosInfo } from '.'
+import { getMacrosFolder, sasJSCoreMacros, sasJSCoreMacrosInfo } from '.'
 export const copySASjsCore = async () => {
  if (process.env.NODE_ENV === 'test') return
  console.log('Copying Macros from container to drive(tmp).')
-  const macrosDrivePath = getTmpMacrosPath()
+  const macrosDrivePath = getMacrosFolder()
  await deleteFolder(macrosDrivePath)
  await createFolder(macrosDrivePath)
--- a/api/src/utils/desktopAutoExec.ts
+++ b/api/src/utils/desktopAutoExec.ts
@@ -0,0 +1,8 @@
 import { createFile, readFile } from '@sasjs/utils'
 import { getDesktopUserAutoExecPath } from './file'
 export const getUserAutoExec = async (): Promise<string> =>
  readFile(getDesktopUserAutoExecPath())
 export const updateUserAutoExec = async (autoExecContent: string) =>
  createFile(getDesktopUserAutoExecPath(), autoExecContent)
--- a/api/src/utils/extractName.ts
+++ b/api/src/utils/extractName.ts
@@ -0,0 +1,6 @@
 import path from 'path'
 export const extractName = (filePath: string) => {
  const extension = path.extname(filePath)
  return path.basename(filePath, extension)
 }
--- a/api/src/utils/file.ts
+++ b/api/src/utils/file.ts
@@ -1,4 +1,6 @@
 import path from 'path'
 import { homedir } from 'os'
 import fs from 'fs-extra'
 export const apiRoot = path.join(__dirname, '..', '..')
 export const codebaseRoot = path.join(apiRoot, '..')
@@ -11,28 +13,31 @@ export const sysInitCompiledPath = path.join(
 export const sasJSCoreMacros = path.join(apiRoot, 'sasjscore')
 export const sasJSCoreMacrosInfo = path.join(sasJSCoreMacros, '.macrolist')
-export const getWebBuildFolderPath = () =>
+export const getWebBuildFolder = () => path.join(codebaseRoot, 'web', 'build')
  path.join(codebaseRoot, 'web', 'build')
-export const getTmpFolderPath = () => process.driveLoc
+export const getSasjsHomeFolder = () => path.join(homedir(), '.sasjs-server')
-export const getTmpAppStreamConfigPath = () =>
+export const getDesktopUserAutoExecPath = () =>
-  path.join(getTmpFolderPath(), 'appStreamConfig.json')
+  path.join(getSasjsHomeFolder(), 'user-autoexec.sas')
-export const getTmpMacrosPath = () => path.join(getTmpFolderPath(), 'sasjscore')
+export const getSasjsRootFolder = () => process.driveLoc
-export const getTmpUploadsPath = () => path.join(getTmpFolderPath(), 'uploads')
+export const getLogFolder = () => process.logsLoc
-export const getTmpFilesFolderPath = () =>
+export const getAppStreamConfigPath = () =>
-  path.join(getTmpFolderPath(), 'files')
+  path.join(getSasjsRootFolder(), 'appStreamConfig.json')
-export const getTmpLogFolderPath = () => path.join(getTmpFolderPath(), 'logs')
+export const getMacrosFolder = () =>
  path.join(getSasjsRootFolder(), 'sasjscore')
-export const getTmpWeboutFolderPath = () =>
+export const getUploadsFolder = () => path.join(getSasjsRootFolder(), 'uploads')
  path.join(getTmpFolderPath(), 'webouts')
-export const getTmpSessionsFolderPath = () =>
+export const getFilesFolder = () => path.join(getSasjsRootFolder(), 'files')
-  path.join(getTmpFolderPath(), 'sessions')
+
 export const getWeboutFolder = () => path.join(getSasjsRootFolder(), 'webouts')
 export const getSessionsFolder = () =>
  path.join(getSasjsRootFolder(), 'sessions')
 export const generateUniqueFileName = (fileName: string, extension = '') =>
  [
@@ -43,3 +48,6 @@ export const generateUniqueFileName = (fileName: string, extension = '') =>
    new Date().getTime(),
    extension
  ].join('')
 export const createReadStream = async (filePath: string) =>
  fs.createReadStream(filePath)
--- a/api/src/utils/generateAccessToken.ts
+++ b/api/src/utils/generateAccessToken.ts
@@ -2,6 +2,6 @@ import jwt from 'jsonwebtoken'
 import { InfoJWT } from '../types'
 export const generateAccessToken = (data: InfoJWT) =>
-  jwt.sign(data, process.env.ACCESS_TOKEN_SECRET as string, {
+  jwt.sign(data, process.secrets.ACCESS_TOKEN_SECRET, {
    expiresIn: '1day'
  })
--- a/api/src/utils/generateAuthCode.ts
+++ b/api/src/utils/generateAuthCode.ts
@@ -2,6 +2,6 @@ import jwt from 'jsonwebtoken'
 import { InfoJWT } from '../types'
 export const generateAuthCode = (data: InfoJWT) =>
-  jwt.sign(data, process.env.AUTH_CODE_SECRET as string, {
+  jwt.sign(data, process.secrets.AUTH_CODE_SECRET, {
    expiresIn: '30s'
  })
--- a/api/src/utils/generateRefreshToken.ts
+++ b/api/src/utils/generateRefreshToken.ts
@@ -2,6 +2,6 @@ import jwt from 'jsonwebtoken'
 import { InfoJWT } from '../types'
 export const generateRefreshToken = (data: InfoJWT) =>
-  jwt.sign(data, process.env.REFRESH_TOKEN_SECRET as string, {
+  jwt.sign(data, process.secrets.REFRESH_TOKEN_SECRET, {
    expiresIn: '30 days'
  })
--- a/api/src/utils/getAuthorizedRoutes.ts
+++ b/api/src/utils/getAuthorizedRoutes.ts
@@ -0,0 +1,35 @@
 import { Request } from 'express'
 const StaticAuthorizedRoutes = [
  '/AppStream',
  '/SASjsApi/code/execute',
  '/SASjsApi/stp/execute',
  '/SASjsApi/drive/deploy',
  '/SASjsApi/drive/deploy/upload',
  '/SASjsApi/drive/file',
  '/SASjsApi/drive/folder',
  '/SASjsApi/drive/fileTree',
  '/SASjsApi/permission'
 ]
 export const getAuthorizedRoutes = () => {
  const streamingApps = Object.keys(process.appStreamConfig)
  const streamingAppsRoutes = streamingApps.map((app) => `/AppStream/${app}`)
  return [...StaticAuthorizedRoutes, ...streamingAppsRoutes]
 }
 export const getUri = (req: Request) => {
  const { baseUrl, path: reqPath } = req
  if (baseUrl === '/AppStream') {
    const appStream = reqPath.split('/')[1]
    // removing trailing slash of URLs
    return (baseUrl + '/' + appStream).replace(/\/$/, '')
  }
  return (baseUrl + reqPath).replace(/\/$/, '')
 }
 export const isAuthorizingRoute = (req: Request): boolean =>
  getAuthorizedRoutes().includes(getUri(req))
--- a/api/src/utils/getCertificates.ts
+++ b/api/src/utils/getCertificates.ts
@@ -2,22 +2,32 @@ import path from 'path'
 import { fileExists, getString, readFile } from '@sasjs/utils'
 export const getCertificates = async () => {
-  const { PRIVATE_KEY, FULL_CHAIN } = process.env
+  const { PRIVATE_KEY, CERT_CHAIN, CA_ROOT } = process.env
  let ca
  const keyPath = PRIVATE_KEY ?? (await getFileInput('Private Key (PEM)'))
-  const certPath = FULL_CHAIN ?? (await getFileInput('Full Chain (PEM)'))
+  const certPath = CERT_CHAIN ?? (await getFileInput('Certificate Chain (PEM)'))
  const caPath = CA_ROOT
  console.log('keyPath: ', keyPath)
  console.log('certPath: ', certPath)
  if (caPath) console.log('caPath: ', caPath)
  const key = await readFile(keyPath)
  const cert = await readFile(certPath)
  if (caPath) ca = await readFile(caPath)
-  return { key, cert }
+  return { key, cert, ca }
 }
-const getFileInput = async (filename: string): Promise<string> => {
+const getFileInput = async (
  filename: string,
  required: boolean = true
 ): Promise<string> => {
  const validator = async (filePath: string) => {
    if (!required) return true
    if (!filePath) return `Path to ${filename} is required.`
    if (!(await fileExists(path.join(process.cwd(), filePath)))) {
--- a/api/src/utils/getDesktopFields.ts
+++ b/api/src/utils/getDesktopFields.ts
@@ -1,16 +1,22 @@
 import path from 'path'
 import { getString } from '@sasjs/utils/input'
-import { createFolder, fileExists, folderExists } from '@sasjs/utils'
+import { createFolder, fileExists, folderExists, isWindows } from '@sasjs/utils'
-
+import { RunTimeType } from './verifyEnvVariables'
 const isWindows = () => process.platform === 'win32'
 export const getDesktopFields = async () => {
-  const { SAS_PATH, DRIVE_PATH } = process.env
+  const { SAS_PATH, NODE_PATH } = process.env
-  const sasLoc = SAS_PATH ?? (await getSASLocation())
+  let sasLoc, nodeLoc
  const driveLoc = DRIVE_PATH ?? (await getDriveLocation())
-  return { sasLoc, driveLoc }
+  if (process.runTimes.includes(RunTimeType.SAS)) {
    sasLoc = SAS_PATH ?? (await getSASLocation())
  }
  if (process.runTimes.includes(RunTimeType.JS)) {
    nodeLoc = NODE_PATH ?? (await getNodeLocation())
  }
  return { sasLoc, nodeLoc }
 }
 const getDriveLocation = async (): Promise<string> => {
@@ -54,7 +60,31 @@ const getSASLocation = async (): Promise<string> => {
    : '/opt/sas/sas9/SASHome/SASFoundation/9.4/sasexe/sas'
  const targetName = await getString(
-    'Please enter path to SAS executable (absolute path): ',
+    'Please enter full path to a SAS executable with UTF-8 encoding: ',
    validator,
    defaultLocation
  )
  return targetName
 }
 const getNodeLocation = async (): Promise<string> => {
  const validator = async (filePath: string) => {
    if (!filePath) return 'Path to NodeJS executable is required.'
    if (!(await fileExists(filePath))) {
      return 'No file found at provided path.'
    }
    return true
  }
  const defaultLocation = isWindows()
    ? 'C:\\Program Files\\nodejs\\node.exe'
    : '/usr/local/nodejs/bin/node.sh'
  const targetName = await getString(
    'Please enter full path to a NodeJS executable: ',
    validator,
    defaultLocation
  )
--- a/api/src/utils/getPreProgramVariables.ts
+++ b/api/src/utils/getPreProgramVariables.ts
@@ -1,6 +1,7 @@
 import { Request } from 'express'
 import { PreProgramVars } from '../types'
-export const getPreProgramVariables = (req: any): PreProgramVars => {
+export const getPreProgramVariables = (req: Request): PreProgramVars => {
  const host = req.get('host')
  const protocol = req.protocol + '://'
  const { user, accessToken } = req
@@ -20,9 +21,9 @@ export const getPreProgramVariables = (req: any): PreProgramVars => {
  if (cookies.length) httpHeaders.push(`cookie: ${cookies.join('; ')}`)
  return {
-    username: user.username,
+    username: user!.username,
-    userId: user.userId,
+    userId: user!.userId,
-    displayName: user.displayName,
+    displayName: user!.displayName,
    serverUrl: protocol + host,
    httpHeaders
  }
--- a/api/src/utils/getRunTimeAndFilePath.ts
+++ b/api/src/utils/getRunTimeAndFilePath.ts
@@ -0,0 +1,33 @@
 import path from 'path'
 import { fileExists } from '@sasjs/utils'
 import { getFilesFolder } from './file'
 import { RunTimeType } from '.'
 export const getRunTimeAndFilePath = async (programPath: string) => {
  const ext = path.extname(programPath)
  // If programPath (_program) is provided with a ".sas" or ".js" extension
  // we should use that extension to determine the appropriate runTime
  if (ext && Object.values(RunTimeType).includes(ext.slice(1) as RunTimeType)) {
    const runTime = ext.slice(1)
    const codePath = path
      .join(getFilesFolder(), programPath)
      .replace(new RegExp('/', 'g'), path.sep)
    if (await fileExists(codePath)) {
      return { codePath, runTime: runTime as RunTimeType }
    }
  } else {
    for (const runTime of process.runTimes) {
      const codePath =
        path
          .join(getFilesFolder(), programPath)
          .replace(new RegExp('/', 'g'), path.sep) +
        '.' +
        runTime
      if (await fileExists(codePath)) return { codePath, runTime }
    }
  }
  throw `The Program at (${programPath}) does not exist.`
 }
--- a/api/src/utils/getServerUrl.ts
+++ b/api/src/utils/getServerUrl.ts
@@ -0,0 +1,15 @@
 import express from 'express'
 import url from 'url'
 export const getFullUrl = (req: express.Request) =>
  url.format({
    protocol: req.protocol,
    host: req.get('host'),
    pathname: req.originalUrl
  })
 export const getServerUrl = (req: express.Request) =>
  url.format({
    protocol: req.protocol,
    host: req.get('x-forwarded-host') || req.get('host')
  })
--- a/api/src/utils/index.ts
+++ b/api/src/utils/index.ts
@@ -1,15 +1,22 @@
 export * from './appStreamConfig'
 export * from './connectDB'
 export * from './copySASjsCore'
 export * from './desktopAutoExec'
 export * from './extractHeaders'
 export * from './extractName'
 export * from './file'
 export * from './generateAccessToken'
 export * from './generateAuthCode'
 export * from './generateRefreshToken'
 export * from './getAuthorizedRoutes'
 export * from './getCertificates'
 export * from './getDesktopFields'
 export * from './getPreProgramVariables'
 export * from './getRunTimeAndFilePath'
 export * from './getServerUrl'
 export * from './instantiateLogger'
 export * from './isDebugOn'
 export * from './zipped'
 export * from './parseLogToArray'
 export * from './removeTokensInDB'
 export * from './saveTokensInDB'
@@ -18,4 +25,5 @@ export * from './setProcessVariables'
 export * from './setupFolders'
 export * from './upload'
 export * from './validation'
 export * from './verifyEnvVariables'
 export * from './verifyTokenInDB'
--- a/api/src/utils/instantiateLogger.ts
+++ b/api/src/utils/instantiateLogger.ts
@@ -0,0 +1,7 @@
 import { LogLevel, Logger } from '@sasjs/utils/logger'
 export const instantiateLogger = () => {
  const logLevel = (process.env.LOG_LEVEL || LogLevel.Info) as LogLevel
  const logger = new Logger(logLevel)
  process.logger = logger
 }
--- a/api/src/utils/seedDB.ts
+++ b/api/src/utils/seedDB.ts
@@ -1,6 +1,73 @@
 import Client from '../model/Client'
 import Group from '../model/Group'
 import User from '../model/User'
 import Configuration, { ConfigurationType } from '../model/Configuration'
 import { randomBytes } from 'crypto'
 export const SECRETS: ConfigurationType = {
  ACCESS_TOKEN_SECRET: randomBytes(64).toString('hex'),
  REFRESH_TOKEN_SECRET: randomBytes(64).toString('hex'),
  AUTH_CODE_SECRET: randomBytes(64).toString('hex'),
  SESSION_SECRET: randomBytes(64).toString('hex')
 }
 export const seedDB = async (): Promise<ConfigurationType> => {
  // Checking if client is already in the database
  const clientExist = await Client.findOne({ clientId: CLIENT.clientId })
  if (!clientExist) {
    const client = new Client(CLIENT)
    await client.save()
    console.log(`DB Seed - client created: ${CLIENT.clientId}`)
  }
  // Checking if 'AllUsers' Group is already in the database
  let groupExist = await Group.findOne({ name: GROUP.name })
  if (!groupExist) {
    const group = new Group(GROUP)
    groupExist = await group.save()
    console.log(`DB Seed - Group created: ${GROUP.name}`)
  }
  // Checking if user is already in the database
  let usernameExist = await User.findOne({ username: ADMIN_USER.username })
  if (!usernameExist) {
    const user = new User(ADMIN_USER)
    usernameExist = await user.save()
    console.log(`DB Seed - admin account created: ${ADMIN_USER.username}`)
  }
  if (!groupExist.hasUser(usernameExist)) {
    groupExist.addUser(usernameExist)
    console.log(
      `DB Seed - admin account '${ADMIN_USER.username}' added to Group '${GROUP.name}'`
    )
  }
  // checking if configuration is present in the database
  let configExist = await Configuration.findOne()
  if (!configExist) {
    const configuration = new Configuration(SECRETS)
    configExist = await configuration.save()
    console.log('DB Seed - configuration added')
  }
  return {
    ACCESS_TOKEN_SECRET: configExist.ACCESS_TOKEN_SECRET,
    REFRESH_TOKEN_SECRET: configExist.REFRESH_TOKEN_SECRET,
    AUTH_CODE_SECRET: configExist.AUTH_CODE_SECRET,
    SESSION_SECRET: configExist.SESSION_SECRET
  }
 }
 const GROUP = {
  name: 'AllUsers',
  description: 'Group contains all users'
 }
 const CLIENT = {
  clientId: 'clientID1',
  clientSecret: 'clientSecret'
@@ -13,23 +80,3 @@ const ADMIN_USER = {
  isAdmin: true,
  isActive: true
 }
 export const seedDB = async () => {
  // Checking if client is already in the database
  const clientExist = await Client.findOne({ clientId: CLIENT.clientId })
  if (!clientExist) {
    const client = new Client(CLIENT)
    await client.save()
    console.log(`DB Seed - client created: ${CLIENT.clientId}`)
  }
  // Checking if user is already in the database
  const usernameExist = await User.findOne({ username: ADMIN_USER.username })
  if (!usernameExist) {
    const user = new User(ADMIN_USER)
    await user.save()
    console.log(`DB Seed - admin account created: ${ADMIN_USER.username}`)
  }
 }
--- a/api/src/utils/setProcessVariables.ts
+++ b/api/src/utils/setProcessVariables.ts
@@ -1,30 +1,55 @@
 import path from 'path'
-import { getAbsolutePath, getRealPath } from '@sasjs/utils'
+import { createFolder, getAbsolutePath, getRealPath } from '@sasjs/utils'
-import { configuration } from '../../package.json'
+import { connectDB, getDesktopFields, ModeType, RunTimeType, SECRETS } from '.'
 import { getDesktopFields } from '.'
 export const setProcessVariables = async () => {
  const { MODE, RUN_TIMES } = process.env
  if (MODE === ModeType.Server) {
    // NOTE: when exporting app.js as agent for supertest
    // it should prevent connecting to the real database
    if (process.env.NODE_ENV !== 'test') {
      const secrets = await connectDB()
      process.secrets = secrets
    } else {
      process.secrets = SECRETS
    }
  }
  if (process.env.NODE_ENV === 'test') {
-    process.driveLoc = path.join(process.cwd(), 'tmp')
+    process.driveLoc = path.join(process.cwd(), 'sasjs_root')
    return
  }
-  const { MODE } = process.env
+  process.runTimes = (RUN_TIMES?.split(',') as RunTimeType[]) ?? []
-  if (MODE?.trim() === 'server') {
+  if (MODE === ModeType.Server) {
-    const { SAS_PATH, DRIVE_PATH } = process.env
+    process.sasLoc = process.env.SAS_PATH
-
+    process.nodeLoc = process.env.NODE_PATH
    process.sasLoc = SAS_PATH ?? configuration.sasPath
    const absPath = getAbsolutePath(DRIVE_PATH ?? 'tmp', process.cwd())
    process.driveLoc = getRealPath(absPath)
  } else {
-    const { sasLoc, driveLoc } = await getDesktopFields()
+    const { sasLoc, nodeLoc } = await getDesktopFields()
    process.sasLoc = sasLoc
-    process.driveLoc = driveLoc
+    process.nodeLoc = nodeLoc
  }
  const { SASJS_ROOT } = process.env
  const absPath = getAbsolutePath(SASJS_ROOT ?? 'sasjs_root', process.cwd())
  await createFolder(absPath)
  process.driveLoc = getRealPath(absPath)
  const { LOG_LOCATION } = process.env
  const absLogsPath = getAbsolutePath(
    LOG_LOCATION ?? `sasjs_root${path.sep}logs`,
    process.cwd()
  )
  await createFolder(absLogsPath)
  process.logsLoc = getRealPath(absLogsPath)
  console.log('sasLoc: ', process.sasLoc)
  console.log('sasDrive: ', process.driveLoc)
  console.log('sasLogs: ', process.logsLoc)
  console.log('runTimes: ', process.runTimes)
 }
--- a/api/src/utils/setupFolders.ts
+++ b/api/src/utils/setupFolders.ts
@@ -1,7 +1,14 @@
-import { createFolder } from '@sasjs/utils'
+import { createFile, createFolder, fileExists } from '@sasjs/utils'
-import { getTmpFilesFolderPath } from './file'
+import { getDesktopUserAutoExecPath, getFilesFolder } from './file'
 import { ModeType } from './verifyEnvVariables'
 export const setupFolders = async () => {
-  const drivePath = getTmpFilesFolderPath()
+  const drivePath = getFilesFolder()
  await createFolder(drivePath)
  if (process.env.MODE === ModeType.Desktop) {
    if (!(await fileExists(getDesktopUserAutoExecPath()))) {
      await createFile(getDesktopUserAutoExecPath(), '')
    }
  }
 }
--- a/api/src/utils/specs/extractHeaders.spec.ts
+++ b/api/src/utils/specs/extractHeaders.spec.ts
@@ -1,4 +1,4 @@
-import { extractHeaders } from '..'
+import { extractHeaders } from '../extractHeaders'
 describe('extractHeaders', () => {
  it('should return valid http headers', () => {
--- a/api/src/utils/specs/parseLogToArray.spec.ts
+++ b/api/src/utils/specs/parseLogToArray.spec.ts
@@ -1,4 +1,4 @@
-import { parseLogToArray } from '..'
+import { parseLogToArray } from '../parseLogToArray'
 describe('parseLogToArray', () => {
  it('should parse log to array type', () => {
--- a/api/src/utils/upload.ts
+++ b/api/src/utils/upload.ts
@@ -1,5 +1,6 @@
 import path from 'path'
 import { MulterFile } from '../types/Upload'
-import { listFilesInFolder } from '@sasjs/utils'
+import { listFilesInFolder, readFileBinary, isWindows } from '@sasjs/utils'
 interface FilenameMapSingle {
  fieldName: string
@@ -98,3 +99,36 @@ export const generateFileUploadSasCode = async (
  return uploadSasCode
 }
 /**
 * Generates the js code that references uploaded files in the concurrent request
 * @param filesNamesMap object that maps hashed file names and original file names
 * @param sessionFolder name of the folder that is created for the purpose of files in concurrent request
 * @returns generated js code
 */
 export const generateFileUploadJSCode = async (
  filesNamesMap: FilenamesMap,
  sessionFolder: string
 ) => {
  let uploadCode = ''
  let fileCount = 0
  const sessionFolderList: string[] = await listFilesInFolder(sessionFolder)
  sessionFolderList.forEach(async (fileName) => {
    if (fileName.includes('req_file')) {
      fileCount++
      const filePath = path.join(sessionFolder, fileName)
      uploadCode += `\nconst _WEBIN_FILEREF${fileCount} = fs.readFileSync('${
        isWindows() ? filePath.replace(/\\/g, '\\\\') : filePath
      }')`
      uploadCode += `\nconst _WEBIN_FILENAME${fileCount} = '${filesNamesMap[fileName].originalName}'`
      uploadCode += `\nconst _WEBIN_NAME${fileCount} = '${filesNamesMap[fileName].fieldName}'`
    }
  })
  if (fileCount) {
    uploadCode = `\nconst _WEBIN_FILE_COUNT = ${fileCount}` + uploadCode
  }
  return uploadCode
 }
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1,3 @@`
							`# These are supported funding model platforms`

							`github: [sasjs]`