Merge c43afabe28 into c261745f1d

chore(release): 0.39.0 [skip ci]
# [0.39.0](https://github.com/sasjs/server/compare/v0.38.0...v0.39.0) (2024-10-31) ### Bug Fixes * **api:** fixed condition in processProgram ([48a9a4d](48a9a4dd0e)) ### Features * **api:** added session state endpoint ([6b6546c](6b6546c7ad))
2025-12-10 11:24:35 +00:00 · 2024-11-20 23:45:33 +00:00 · 2024-10-31 12:54:02 +00:00 · 2024-10-31 15:51:13 +03:00 · 2024-10-31 15:30:32 +03:00 · 2024-10-31 15:20:35 +03:00
167 changed files with 14597 additions and 5736 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -56,4 +56,4 @@ jobs:

      - name: Release
        run: |
-          GITHUB_TOKEN=${{ secrets.GH_TOKEN }} semantic-release
+          GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} semantic-release
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,5 +1,3 @@
 {
-  "cSpell.words": [
-    "autoexec"
-  ]
+  "cSpell.words": ["autoexec", "initialising"]
 }
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,526 @@
+# [0.39.0](https://github.com/sasjs/server/compare/v0.38.0...v0.39.0) (2024-10-31)
+
+
+### Bug Fixes
+
+* **api:** fixed condition in processProgram ([48a9a4d](https://github.com/sasjs/server/commit/48a9a4dd0e31f84209635382be4ec4bb2c3a9c0c))
+
+
+### Features
+
+* **api:** added session state endpoint ([6b6546c](https://github.com/sasjs/server/commit/6b6546c7ad0833347f8dc4cdba6ad19132f7aaef))
+
+# [0.38.0](https://github.com/sasjs/server/compare/v0.37.0...v0.38.0) (2024-10-30)
+
+
+### Features
+
+* **api:** enabled query params in stp/trigger endpoint ([5cda9cd](https://github.com/sasjs/server/commit/5cda9cd5d8623b7ea2ecd989d7808f47ec866672))
+
+# [0.37.0](https://github.com/sasjs/server/compare/v0.36.0...v0.37.0) (2024-10-29)
+
+
+### Features
+
+* **stp:** added trigger endpoint ([b0723f1](https://github.com/sasjs/server/commit/b0723f14448d60ffce4f2175cf8a73fc4d4dd0ee))
+
+# [0.36.0](https://github.com/sasjs/server/compare/v0.35.4...v0.36.0) (2024-10-29)
+
+
+### Features
+
+* **code:** added code/trigger API endpoint ([ffcf193](https://github.com/sasjs/server/commit/ffcf193b87d811b166d79af74013776a253b50b0))
+
+## [0.35.4](https://github.com/sasjs/server/compare/v0.35.3...v0.35.4) (2024-01-15)
+
+
+### Bug Fixes
+
+* **api:** fixed env issue in MacOS executable ([73d965d](https://github.com/sasjs/server/commit/73d965daf54b16c0921e4b18d11a1e6f8650884d))
+
+## [0.35.3](https://github.com/sasjs/server/compare/v0.35.2...v0.35.3) (2023-11-07)
+
+
+### Bug Fixes
+
+* enable embedded LFs in JS STP vars ([7e8cbbf](https://github.com/sasjs/server/commit/7e8cbbf377b27a7f5dd9af0bc6605c01f302f5d9))
+
+## [0.35.2](https://github.com/sasjs/server/compare/v0.35.1...v0.35.2) (2023-08-07)
+
+
+### Bug Fixes
+
+* add _debug as optional query param in swagger apis for GET stp/execute ([9586dbb](https://github.com/sasjs/server/commit/9586dbb2d0d6611061c9efdfb84030144f62c2ee))
+
+## [0.35.1](https://github.com/sasjs/server/compare/v0.35.0...v0.35.1) (2023-07-25)
+
+
+### Bug Fixes
+
+* **log-separator:** log separator should always wrap log ([8940f4d](https://github.com/sasjs/server/commit/8940f4dc47abae2036b4fcdeb772c31a0ca07cca))
+
+# [0.35.0](https://github.com/sasjs/server/compare/v0.34.2...v0.35.0) (2023-05-03)
+
+
+### Bug Fixes
+
+* **editor:** fixed log/webout/print tabs ([d2de9dc](https://github.com/sasjs/server/commit/d2de9dc13ef2e980286dd03cca5e22cea443ed0c))
+* **execute:** added atribute indicating stp api ([e78f87f](https://github.com/sasjs/server/commit/e78f87f5c00038ea11261dffb525ac8f1024e40b))
+* **execute:** fixed adding print output ([9aaffce](https://github.com/sasjs/server/commit/9aaffce82051d81bf39adb69942bb321e9795141))
+* **execution:** removed empty webout from response ([6dd2f4f](https://github.com/sasjs/server/commit/6dd2f4f87673336135bc7a6de0d2e143e192c025))
+* **webout:** fixed adding empty webout to response payload ([31df72a](https://github.com/sasjs/server/commit/31df72ad88fe2c771d0ef8445d6db9dd147c40c9))
+
+
+### Features
+
+* **editor:** parse print output in response payload ([eb42683](https://github.com/sasjs/server/commit/eb42683fff701bd5b4d2b68760fe0c3ecad573dd))
+
+## [0.34.2](https://github.com/sasjs/server/compare/v0.34.1...v0.34.2) (2023-05-01)
+
+
+### Bug Fixes
+
+* use custom logic for handling sequence ids ([dba53de](https://github.com/sasjs/server/commit/dba53de64664c9d8a40fe69de6281c53d1c73641))
+
+## [0.34.1](https://github.com/sasjs/server/compare/v0.34.0...v0.34.1) (2023-04-28)
+
+
+### Bug Fixes
+
+* **css:** fixed css loading ([9c5acd6](https://github.com/sasjs/server/commit/9c5acd6de32afdbc186f79ae5b35375dda2e49b0))
+* **log:** fixed chunk collapsing ([64b156f](https://github.com/sasjs/server/commit/64b156f7627969b7f13022726f984fbbfe1a33ef))
+
+# [0.34.0](https://github.com/sasjs/server/compare/v0.33.3...v0.34.0) (2023-04-28)
+
+
+### Bug Fixes
+
+* **log:** fixed checks for errors and warnings ([02e2b06](https://github.com/sasjs/server/commit/02e2b060f9bedf4806f45f5205fd87bfa2ecae90))
+* **log:** fixed default runtime ([e04300a](https://github.com/sasjs/server/commit/e04300ad2ac237be7b28a6332fa87a3bcf761c7b))
+* **log:** fixed parsing log for different runtime ([3b1e4a1](https://github.com/sasjs/server/commit/3b1e4a128b1f22ff6f3069f5aaada6bfb1b40d12))
+* **log:** fixed scrolling issue ([56a522c](https://github.com/sasjs/server/commit/56a522c07c6f6d4c26c6d3b7cd6e9ef7007067a9))
+* **log:** fixed single chunk display ([8254b78](https://github.com/sasjs/server/commit/8254b789555cb8bbb169f52b754b4ce24e876dd2))
+* **log:** fixed single chunk scrolling ([57b7f95](https://github.com/sasjs/server/commit/57b7f954a17936f39aa9b757998b5b25e9442601))
+* **log:** fixed switching runtime ([c7a7399](https://github.com/sasjs/server/commit/c7a73991a7aa25d0c75d0c00e712bdc78769300b))
+* **log:** fixing switching from SAS to other runtime ([c72ecc7](https://github.com/sasjs/server/commit/c72ecc7e5943af9536ee31cfa85398e016d5354f))
+
+
+### Features
+
+* **log:** added download chunk and entire log ([a38a9f9](https://github.com/sasjs/server/commit/a38a9f9c3dfe36bd55d32024c166147318216995))
+* **log:** added logComponent and LogTabWithIcons ([3a887de](https://github.com/sasjs/server/commit/3a887dec55371b6a00b92291bb681e4cccb770c0))
+* **log:** added parseErrorsAndWarnings utility ([7c1c1e2](https://github.com/sasjs/server/commit/7c1c1e241002313c10f94dd61702584b9f148010))
+* **log:** added time to downloaded log name ([3848bb0](https://github.com/sasjs/server/commit/3848bb0added69ca81a5c9419ea414bdd1c294bb))
+* **log:** put download log icon into log tab ([777b3a5](https://github.com/sasjs/server/commit/777b3a55be1ecf5b05bf755ce8b14735496509e1))
+* **log:** split large log into chunks ([75f5a3c](https://github.com/sasjs/server/commit/75f5a3c0b39665bef8b83dc7e1e8b3e5f23fc303))
+* **log:** use improved log for SAS run time only ([7b12591](https://github.com/sasjs/server/commit/7b12591595cdd5144d9311ffa06a80c5dab79364))
+
+## [0.33.3](https://github.com/sasjs/server/compare/v0.33.2...v0.33.3) (2023-04-27)
+
+
+### Bug Fixes
+
+* use RateLimiterMemory instead of RateLimiterMongo ([6a520f5](https://github.com/sasjs/server/commit/6a520f5b26a3e2ed6345721b30ff4e3d9bfa903d))
+
+## [0.33.2](https://github.com/sasjs/server/compare/v0.33.1...v0.33.2) (2023-04-24)
+
+
+### Bug Fixes
+
+* removing print redirection pending full [#274](https://github.com/sasjs/server/issues/274) fix ([d49ea47](https://github.com/sasjs/server/commit/d49ea47bd7a2add42bdb9a717082201f29e16597))
+
+## [0.33.1](https://github.com/sasjs/server/compare/v0.33.0...v0.33.1) (2023-04-20)
+
+
+### Bug Fixes
+
+* applying nologo only for sas.exe ([b4436ba](https://github.com/sasjs/server/commit/b4436bad0d24d5b5a402272632db1739b1018c90)), closes [#352](https://github.com/sasjs/server/issues/352)
+
+# [0.33.0](https://github.com/sasjs/server/compare/v0.32.0...v0.33.0) (2023-04-05)
+
+
+### Features
+
+* option to reset admin password on startup ([eda8e56](https://github.com/sasjs/server/commit/eda8e56bb0ea20fdaacabbbe7dcf1e3ea7bd215a))
+
+# [0.32.0](https://github.com/sasjs/server/compare/v0.31.0...v0.32.0) (2023-04-05)
+
+
+### Features
+
+* add an api endpoint for admin to get list of client ids ([6ffaa7e](https://github.com/sasjs/server/commit/6ffaa7e9e2a62c083bb9fcc3398dcbed10cebdb1))
+
+# [0.31.0](https://github.com/sasjs/server/compare/v0.30.3...v0.31.0) (2023-03-30)
+
+
+### Features
+
+* prevent brute force attack by rate limiting login endpoint ([a82cabb](https://github.com/sasjs/server/commit/a82cabb00134c79c5ee77afd1b1628a1f768e050))
+
+## [0.30.3](https://github.com/sasjs/server/compare/v0.30.2...v0.30.3) (2023-03-07)
+
+
+### Bug Fixes
+
+* add location.pathname to location.origin conditionally ([edab51c](https://github.com/sasjs/server/commit/edab51c51997f17553e037dc7c2b5e5fa6ea8ffe))
+
+## [0.30.2](https://github.com/sasjs/server/compare/v0.30.1...v0.30.2) (2023-03-07)
+
+
+### Bug Fixes
+
+* **web:** add path to base in launch program url ([2c31922](https://github.com/sasjs/server/commit/2c31922f58a8aa20d7fa6bfc95b53a350f90c798))
+
+## [0.30.1](https://github.com/sasjs/server/compare/v0.30.0...v0.30.1) (2023-03-01)
+
+
+### Bug Fixes
+
+* **web:** add proper base url in axios.defaults ([5e3ce8a](https://github.com/sasjs/server/commit/5e3ce8a98f1825e14c1d26d8da0c9821beeff7b3))
+
+# [0.30.0](https://github.com/sasjs/server/compare/v0.29.0...v0.30.0) (2023-02-28)
+
+
+### Bug Fixes
+
+* lint + remove default settings ([3de59ac](https://github.com/sasjs/server/commit/3de59ac4f8e3d95cad31f09e6963bd04c4811f26))
+
+
+### Features
+
+* add new env config DB_TYPE ([158f044](https://github.com/sasjs/server/commit/158f044363abf2576c8248f0ca9da4bc9cb7e9d8))
+
+# [0.29.0](https://github.com/sasjs/server/compare/v0.28.7...v0.29.0) (2023-02-06)
+
+
+### Features
+
+* Add /SASjsApi endpoint in permissions ([b3402ea](https://github.com/sasjs/server/commit/b3402ea80afb8802eee8b8b6cbbbcc29903424bc))
+
+## [0.28.7](https://github.com/sasjs/server/compare/v0.28.6...v0.28.7) (2023-02-03)
+
+
+### Bug Fixes
+
+* add user to all users group on user creation ([2bae52e](https://github.com/sasjs/server/commit/2bae52e307327d7ee4a94b19d843abdc0ccec9d1))
+
+## [0.28.6](https://github.com/sasjs/server/compare/v0.28.5...v0.28.6) (2023-01-26)
+
+
+### Bug Fixes
+
+* show loading spinner on login screen while request is in process ([69f2576](https://github.com/sasjs/server/commit/69f2576ee6d3d7b7f3325922a88656d511e3ac88))
+
+## [0.28.5](https://github.com/sasjs/server/compare/v0.28.4...v0.28.5) (2023-01-01)
+
+
+### Bug Fixes
+
+* adding NOPRNGETLIST system option for faster startup ([96eca3a](https://github.com/sasjs/server/commit/96eca3a35dce4521150257ee019beb4488c8a08f))
+
+## [0.28.4](https://github.com/sasjs/server/compare/v0.28.3...v0.28.4) (2022-12-07)
+
+
+### Bug Fixes
+
+* replace main class with container class ([71c429b](https://github.com/sasjs/server/commit/71c429b093b91e2444ae75d946579dccc2e48636))
+
+## [0.28.3](https://github.com/sasjs/server/compare/v0.28.2...v0.28.3) (2022-12-06)
+
+
+### Bug Fixes
+
+* stringify json file ([1192583](https://github.com/sasjs/server/commit/1192583843d7efd1a6ab6943207f394c3ae966be))
+
+## [0.28.2](https://github.com/sasjs/server/compare/v0.28.1...v0.28.2) (2022-12-05)
+
+
+### Bug Fixes
+
+* execute child process asyncronously ([23c997b](https://github.com/sasjs/server/commit/23c997b3beabeb6b733ae893031d2f1a48f28ad2))
+* JS / Python / R session folders should be NEW folders, not existing SAS folders ([39ba995](https://github.com/sasjs/server/commit/39ba995355daa24bb7ab22720f8fc57d2dc85f40))
+
+## [0.28.1](https://github.com/sasjs/server/compare/v0.28.0...v0.28.1) (2022-11-28)
+
+
+### Bug Fixes
+
+* update the content type header after the program has been executed ([4dcee4b](https://github.com/sasjs/server/commit/4dcee4b3c3950d402220b8f451c50ad98a317d83))
+
+# [0.28.0](https://github.com/sasjs/server/compare/v0.27.0...v0.28.0) (2022-11-28)
+
+
+### Bug Fixes
+
+* update the response header of request to stp/execute routes ([112431a](https://github.com/sasjs/server/commit/112431a1b7461989c04100418d67d975a2a8f354))
+
+
+### Features
+
+* **api:** add the api endpoint for updating user password ([4581f32](https://github.com/sasjs/server/commit/4581f325344eb68c5df5a28492f132312f15bb5c))
+* ask for updated password on first login ([1d48f88](https://github.com/sasjs/server/commit/1d48f8856b1fbbf3ef868914558333190e04981f))
+* **web:** add the UI for updating user password ([8b8c43c](https://github.com/sasjs/server/commit/8b8c43c21bde5379825c5ec44ecd81a92425f605))
+
+# [0.27.0](https://github.com/sasjs/server/compare/v0.26.2...v0.27.0) (2022-11-17)
+
+
+### Features
+
+* on startup add webout.sas file in sasautos folder ([200f6c5](https://github.com/sasjs/server/commit/200f6c596a6e732d799ed408f1f0fd92f216ba58))
+
+## [0.26.2](https://github.com/sasjs/server/compare/v0.26.1...v0.26.2) (2022-11-15)
+
+
+### Bug Fixes
+
+* comments ([7ae862c](https://github.com/sasjs/server/commit/7ae862c5ce720e9483d4728f4295dede4f849436))
+
+## [0.26.1](https://github.com/sasjs/server/compare/v0.26.0...v0.26.1) (2022-11-15)
+
+
+### Bug Fixes
+
+* change the expiration of access/refresh tokens from days to seconds ([bb05493](https://github.com/sasjs/server/commit/bb054938c5bd0535ae6b9da93ba0b14f9b80ddcd))
+
+# [0.26.0](https://github.com/sasjs/server/compare/v0.25.1...v0.26.0) (2022-11-13)
+
+
+### Bug Fixes
+
+* **web:** dispose monaco editor actions in return of useEffect ([acc25cb](https://github.com/sasjs/server/commit/acc25cbd686952d3f1c65e57aefcebe1cb859cc7))
+
+
+### Features
+
+* make access token duration configurable when creating client/secret ([2413c05](https://github.com/sasjs/server/commit/2413c05fea3960f7e5c3c8b7b2f85d61314f08db))
+* make refresh token duration configurable ([abd5c64](https://github.com/sasjs/server/commit/abd5c64b4a726e3f17594a98111b6aa269b71fee))
+
+## [0.25.1](https://github.com/sasjs/server/compare/v0.25.0...v0.25.1) (2022-11-07)
+
+
+### Bug Fixes
+
+* **web:** use mui treeView instead of custom implementation ([c51b504](https://github.com/sasjs/server/commit/c51b50428f32608bc46438e9d7964429b2d595da))
+
+# [0.25.0](https://github.com/sasjs/server/compare/v0.24.0...v0.25.0) (2022-11-02)
+
+
+### Features
+
+* Enable DRIVE_LOCATION setting for deploying multiple instances of SASjs Server ([1c9d167](https://github.com/sasjs/server/commit/1c9d167f86bbbb108b96e9bc30efaf8de65d82ff))
+
+# [0.24.0](https://github.com/sasjs/server/compare/v0.23.4...v0.24.0) (2022-10-28)
+
+
+### Features
+
+* cli mock testing ([6434123](https://github.com/sasjs/server/commit/643412340162e854f31fba2f162d83b7ab1751d8))
+* mocking sas9 responses with JS STP ([36be3a7](https://github.com/sasjs/server/commit/36be3a7d5e7df79f9a1f3f00c3661b925f462383))
+
+## [0.23.4](https://github.com/sasjs/server/compare/v0.23.3...v0.23.4) (2022-10-11)
+
+
+### Bug Fixes
+
+* add action to editor ref for running code ([2412622](https://github.com/sasjs/server/commit/2412622367eb46c40f388e988ae4606a7ec239b2))
+
+## [0.23.3](https://github.com/sasjs/server/compare/v0.23.2...v0.23.3) (2022-10-09)
+
+
+### Bug Fixes
+
+* added domain for session cookies ([94072c3](https://github.com/sasjs/server/commit/94072c3d24a4d0d4c97900dc31bfbf1c9d2559b7))
+
+## [0.23.2](https://github.com/sasjs/server/compare/v0.23.1...v0.23.2) (2022-10-06)
+
+
+### Bug Fixes
+
+* bump in correct place ([14731e8](https://github.com/sasjs/server/commit/14731e8824fa9f3d1daf89fd62f9916d5e3fcae4))
+* bumping sasjs/score ([258cc35](https://github.com/sasjs/server/commit/258cc35f14cf50f2160f607000c60de27593fd79))
+* reverting commit ([fda0e0b](https://github.com/sasjs/server/commit/fda0e0b57d56e3b5231e626a8d933343ac0c5cdc))
+
+## [0.23.1](https://github.com/sasjs/server/compare/v0.23.0...v0.23.1) (2022-10-04)
+
+
+### Bug Fixes
+
+* ldap issues ([4d64420](https://github.com/sasjs/server/commit/4d64420c45424134b4d2014a2d5dd6e846ed03b3))
+
+# [0.23.0](https://github.com/sasjs/server/compare/v0.22.1...v0.23.0) (2022-10-03)
+
+
+### Features
+
+* Enable SAS_PACKAGES in SASjs Server ([424f0fc](https://github.com/sasjs/server/commit/424f0fc1faec765eb7a14619584e649454105b70))
+
+## [0.22.1](https://github.com/sasjs/server/compare/v0.22.0...v0.22.1) (2022-10-03)
+
+
+### Bug Fixes
+
+* spelling issues ([3bb0597](https://github.com/sasjs/server/commit/3bb05974d216d69368f4498eb9f309bce7d97fd8))
+
+# [0.22.0](https://github.com/sasjs/server/compare/v0.21.7...v0.22.0) (2022-10-03)
+
+
+### Bug Fixes
+
+* do not throw error on deleting group when it is created by an external auth provider ([68f0c5c](https://github.com/sasjs/server/commit/68f0c5c5884431e7e8f586dccf98132abebb193e))
+* no need to restrict api endpoints when ldap auth is applied ([a142660](https://github.com/sasjs/server/commit/a14266077d3541c7a33b7635efa4208335e73519))
+* remove authProvider attribute from user and group payload interface ([bbd7786](https://github.com/sasjs/server/commit/bbd7786c6ce13b374d896a45c23255b8fa3e8bd2))
+
+
+### Features
+
+* implemented LDAP authentication ([f915c51](https://github.com/sasjs/server/commit/f915c51b077a2b8c4099727355ed914ecd6364bd))
+
+## [0.21.7](https://github.com/sasjs/server/compare/v0.21.6...v0.21.7) (2022-09-30)
+
+
+### Bug Fixes
+
+* csrf package is changed to pillarjs-csrf ([fe3e508](https://github.com/sasjs/server/commit/fe3e5088f8dfff50042ec8e8aac9ba5ba1394deb))
+
+## [0.21.6](https://github.com/sasjs/server/compare/v0.21.5...v0.21.6) (2022-09-23)
+
+
+### Bug Fixes
+
+* in getTokensFromDB handle the scenario when tokens are expired ([40f95f9](https://github.com/sasjs/server/commit/40f95f9072c8685910138d88fd2410f8704fc975))
+
+## [0.21.5](https://github.com/sasjs/server/compare/v0.21.4...v0.21.5) (2022-09-22)
+
+
+### Bug Fixes
+
+* made files extensions case insensitive ([2496043](https://github.com/sasjs/server/commit/249604384e42be4c12c88c70a7dff90fc1917a8f))
+
+## [0.21.4](https://github.com/sasjs/server/compare/v0.21.3...v0.21.4) (2022-09-21)
+
+
+### Bug Fixes
+
+* removing single quotes from _program value ([a0e7875](https://github.com/sasjs/server/commit/a0e7875ae61cbb6e7d3995d2e36e7300b0daec86))
+
+## [0.21.3](https://github.com/sasjs/server/compare/v0.21.2...v0.21.3) (2022-09-21)
+
+
+### Bug Fixes
+
+* return same tokens if not expired ([330c020](https://github.com/sasjs/server/commit/330c020933f1080261b38f07d6b627f6d7c62446))
+
+## [0.21.2](https://github.com/sasjs/server/compare/v0.21.1...v0.21.2) (2022-09-20)
+
+
+### Bug Fixes
+
+* default content-type for sas programs should be text/plain ([9977c9d](https://github.com/sasjs/server/commit/9977c9d161947b11d45ab2513f99a5320a3f5a06))
+* **studio:** inject program path to code before sending for execution ([edc2e2a](https://github.com/sasjs/server/commit/edc2e2a302ccea4985f3d6b83ef8c23620ab82b6))
+
+## [0.21.1](https://github.com/sasjs/server/compare/v0.21.0...v0.21.1) (2022-09-19)
+
+
+### Bug Fixes
+
+* SASJS_WEBOUT_HEADERS path for windows ([0749d65](https://github.com/sasjs/server/commit/0749d65173e8cfe9a93464711b7be1e123c289ff))
+
+# [0.21.0](https://github.com/sasjs/server/compare/v0.20.0...v0.21.0) (2022-09-19)
+
+
+### Features
+
+* sas9 mocker improved - public access denied scenario ([06d3b17](https://github.com/sasjs/server/commit/06d3b1715432ea245ee755ae1dfd0579d3eb30e9))
+
+# [0.20.0](https://github.com/sasjs/server/compare/v0.19.0...v0.20.0) (2022-09-16)
+
+
+### Features
+
+* add support for R stored programs ([d6651bb](https://github.com/sasjs/server/commit/d6651bbdbeee5067f53c36e69a0eefa973c523b6))
+
+# [0.19.0](https://github.com/sasjs/server/compare/v0.18.0...v0.19.0) (2022-09-05)
+
+
+### Features
+
+* added mocking endpoints ([0a0ba2c](https://github.com/sasjs/server/commit/0a0ba2cca5db867de46fb2486d856a84ec68d3b4))
+
+# [0.18.0](https://github.com/sasjs/server/compare/v0.17.5...v0.18.0) (2022-09-02)
+
+
+### Features
+
+* add option for program launch in context menu ([ee2db27](https://github.com/sasjs/server/commit/ee2db276bb0bbd522f758e0b66f7e7b2f4afd9d5))
+
+## [0.17.5](https://github.com/sasjs/server/compare/v0.17.4...v0.17.5) (2022-09-02)
+
+
+### Bug Fixes
+
+* SASINITIALFOLDER split over 2 params, closes [#271](https://github.com/sasjs/server/issues/271) ([393b5ea](https://github.com/sasjs/server/commit/393b5eaf990049c39eecf2b9e8dd21a001b6e298))
+
+## [0.17.4](https://github.com/sasjs/server/compare/v0.17.3...v0.17.4) (2022-09-01)
+
+
+### Bug Fixes
+
+* invalid JS logic ([9f06080](https://github.com/sasjs/server/commit/9f06080348aed076f8188a26fb4890d38a5a3510))
+
+## [0.17.3](https://github.com/sasjs/server/compare/v0.17.2...v0.17.3) (2022-09-01)
+
+
+### Bug Fixes
+
+* making SASINITIALFOLDER option windows only.  Closes [#267](https://github.com/sasjs/server/issues/267) ([e63271a](https://github.com/sasjs/server/commit/e63271a67a0deb3059a5f2bec1854efee5a6e5a5))
+
+## [0.17.2](https://github.com/sasjs/server/compare/v0.17.1...v0.17.2) (2022-08-31)
+
+
+### Bug Fixes
+
+* addition of SASINITIALFOLDER startup option.  Closes [#260](https://github.com/sasjs/server/issues/260) ([a5ee2f2](https://github.com/sasjs/server/commit/a5ee2f292384f90e9d95d003d652311c0d91a7a7))
+
+## [0.17.1](https://github.com/sasjs/server/compare/v0.17.0...v0.17.1) (2022-08-30)
+
+
+### Bug Fixes
+
+* typo mistake ([ee17d37](https://github.com/sasjs/server/commit/ee17d37aa188b0ca43cea0e89d6cd1a566b765cb))
+
+# [0.17.0](https://github.com/sasjs/server/compare/v0.16.1...v0.17.0) (2022-08-25)
+
+
+### Bug Fixes
+
+* allow underscores in file name ([bce83cb](https://github.com/sasjs/server/commit/bce83cb6fbc98f8198564c9399821f5829acc767))
+
+
+### Features
+
+* add the functionality of saving file by ctrl + s in editor ([3a3c90d](https://github.com/sasjs/server/commit/3a3c90d9e690ac5267bf1acc834b5b5c5b4dadb6))
+
+## [0.16.1](https://github.com/sasjs/server/compare/v0.16.0...v0.16.1) (2022-08-24)
+
+
+### Bug Fixes
+
+* update response of /SASjsApi/stp/execute and /SASjsApi/code/execute ([98ea2ac](https://github.com/sasjs/server/commit/98ea2ac9b98631605e39e5900e533727ea0e3d85))
+
+# [0.16.0](https://github.com/sasjs/server/compare/v0.15.3...v0.16.0) (2022-08-17)
+
+
+### Bug Fixes
+
+* add a new variable _SASJS_WEBOUT_HEADERS to code.js and code.py ([882bedd](https://github.com/sasjs/server/commit/882bedd5d5da22de6ed45c03d0a261aadfb3a33c))
+* update content for code.sas file ([02e88ae](https://github.com/sasjs/server/commit/02e88ae7280d020a753bc2c095a931c79ac392d1))
+* update default content type for python and js runtimes ([8780b80](https://github.com/sasjs/server/commit/8780b800a34aa618631821e5d97e26e8b0f15806))
+
+
+### Features
+
+* implement the logic for running python stored programs ([b06993a](https://github.com/sasjs/server/commit/b06993ab9ea24b28d9e553763187387685aaa666))
+
 ## [0.15.3](https://github.com/sasjs/server/compare/v0.15.2...v0.15.3) (2022-08-11)


--- a/README.md
+++ b/README.md
@@ -64,23 +64,53 @@ Example contents of a `.env` file:
 # Server mode is multi-user and suitable for intranet / internet use
 MODE=

+# A comma separated string that defines the available runTimes.
+# Priority is given to the runtime that comes first in the string.
+# Possible options at the moment are sas, js, py and r
+
+# This string sets the priority of the available analytic runtimes
+# Valid runtimes are SAS (sas), JavaScript (js), Python (py) and R (r)
+# For each option provided, there should be a corresponding path,
+# eg SAS_PATH, NODE_PATH, PYTHON_PATH or RSCRIPT_PATH
+# Priority is given to runtimes earlier in the string
+# Example options:  [sas,js,py | js,py | sas | sas,js | r | sas,r]
+RUN_TIMES=
+
 # Path to SAS executable (sas.exe / sas.sh)
 SAS_PATH=/path/to/sas/executable.exe

 # Path to Node.js executable
 NODE_PATH=~/.nvm/versions/node/v16.14.0/bin/node

+# Path to Python executable
+PYTHON_PATH=/usr/bin/python
+
+# Path to R executable
+R_PATH=/usr/bin/Rscript
+
 # Path to working directory
 # This location is for SAS WORK, staged files, DRIVE, configuration etc
 SASJS_ROOT=./sasjs_root


+# This location is for files, sasjs packages and appStreamConfig.json
+DRIVE_LOCATION=./sasjs_root/drive
+
+
 # options: [http|https] default: http
 PROTOCOL=

 # default: 5000
 PORT=

+# options: [sas9|sasviya]
+# If not present, mocking function is disabled
+MOCK_SERVERTYPE=
+
+# default: /api/mocks
+# Path to mocking folder, for generic responses, it's sub directories should be: sas9, viya, sasjs
+# Server will automatically use subdirectory accordingly
+STATIC_MOCK_LOCATION=

 #
 ## Additional SAS Options
@@ -104,9 +134,22 @@ PRIVATE_KEY=privkey.pem (required)
 CERT_CHAIN=certificate.pem (required)
 CA_ROOT=fullchain.pem (optional)

-# ENV variables required for MODE: `server`
+## ENV variables required for MODE: `server`
 DB_CONNECT=mongodb+srv://<DB_USERNAME>:<DB_PASSWORD>@<CLUSTER>/<DB_NAME>?retryWrites=true&w=majority

+# options: [mongodb|cosmos_mongodb] default: mongodb
+DB_TYPE=
+
+# AUTH_PROVIDERS options: [ldap] default: ``
+AUTH_PROVIDERS=
+
+## ENV variables required for AUTH_MECHANISM: `ldap`
+LDAP_URL= <LDAP_SERVER_URL>
+LDAP_BIND_DN= <cn=admin,ou=system,dc=cloudron>
+LDAP_BIND_PASSWORD = <password>
+LDAP_USERS_BASE_DN = <ou=users,dc=cloudron>
+LDAP_GROUPS_BASE_DN = <ou=groups,dc=cloudron>
+
 # options: [disable|enable] default: `disable` for `server` & `enable` for `desktop`
 # If enabled, be sure to also configure the WHITELIST of third party servers.
 CORS=
@@ -115,7 +158,7 @@ CORS=
 WHITELIST=

 # HELMET Cross Origin Embedder Policy
-# Sets the Cross-Origin-Embedder-Policy header to require-corp when `true`
+# Sets the Cross-Origin-Embedder-Policy header to require-corp when `true`
 # options: [true|false] default: true
 # Docs: https://helmetjs.github.io/#reference (`crossOriginEmbedderPolicy`)
 HELMET_COEP=
@@ -132,6 +175,32 @@ HELMET_COEP=
 # }
 HELMET_CSP_CONFIG_PATH=./csp.config.json

+# To prevent brute force attack on login route we have implemented rate limiter
+# Only valid for MODE: server
+# Following are configurable env variable rate limiter
+
+# After this, access is blocked for 1 day
+MAX_WRONG_ATTEMPTS_BY_IP_PER_DAY = <number> default: 100;
+
+
+# After this, access is blocked for an hour
+# Store number for 24 days since first fail
+# Once a successful login is attempted, it resets
+MAX_CONSECUTIVE_FAILS_BY_USERNAME_AND_IP = <number> default: 10;
+
+# Name of the admin user that will be created on startup if not exists already
+# Default is `secretuser`
+ADMIN_USERNAME=secretuser
+
+# Temporary password for the ADMIN_USERNAME, which is in place until the first login
+# Default is `secretpassword`
+ADMIN_PASSWORD_INITIAL=secretpassword
+
+# Specify whether app has to reset the ADMIN_USERNAME's password or not
+# Default is NO. Possible options are YES and NO
+# If ADMIN_PASSWORD_RESET is YES then the ADMIN_USERNAME will be prompted to change the password from ADMIN_PASSWORD_INITIAL on their next login. This will repeat on every server restart, unless the option is removed / set to NO.
+ADMIN_PASSWORD_RESET=NO
+
 # LOG_FORMAT_MORGAN options: [combined|common|dev|short|tiny] default: `common`
 # Docs: https://www.npmjs.com/package/morgan#predefined-formats
 LOG_FORMAT_MORGAN=
@@ -139,13 +208,6 @@ LOG_FORMAT_MORGAN=
 # This location is for server logs with classical UNIX logrotate behavior
 LOG_LOCATION=./sasjs_root/logs

-# A comma separated string that defines the available runTimes.
-# Priority is given to the runtime that comes first in the string.
-# Possible options at the moment are sas and js
-
-# options: [sas,js|js,sas|sas|js] default:sas
-RUN_TIMES=
-
 ```

 ## Persisting the Session
--- a/api/.env.example
+++ b/api/.env.example
@@ -1,5 +1,6 @@
 MODE=[desktop|server] default considered as desktop
 CORS=[disable|enable] default considered as disable for server MODE & enable for desktop MODE
+ALLOWED_DOMAIN=<just domain e.g. example.com >
 WHITELIST=<space separated urls, each starting with protocol `http` or `https`>

 PROTOCOL=[http|https] default considered as http
@@ -13,12 +14,34 @@ HELMET_CSP_CONFIG_PATH=./csp.config.json if omitted HELMET default will be used
 HELMET_COEP=[true|false] if omitted HELMET default will be used

 DB_CONNECT=mongodb+srv://<DB_USERNAME>:<DB_PASSWORD>@<CLUSTER>/<DB_NAME>?retryWrites=true&w=majority
+DB_TYPE=[mongodb|cosmos_mongodb] default considered as mongodb

-RUN_TIMES=[sas|js|sas,js|js,sas] default considered as sas
+AUTH_PROVIDERS=[ldap]
+
+LDAP_URL= <LDAP_SERVER_URL>
+LDAP_BIND_DN= <cn=admin,ou=system,dc=cloudron>
+LDAP_BIND_PASSWORD = <password>
+LDAP_USERS_BASE_DN = <ou=users,dc=cloudron>
+LDAP_GROUPS_BASE_DN = <ou=groups,dc=cloudron>
+
+#default value is 100
+MAX_WRONG_ATTEMPTS_BY_IP_PER_DAY=100
+
+#default value is 10
+MAX_CONSECUTIVE_FAILS_BY_USERNAME_AND_IP=10
+
+ADMIN_USERNAME=secretuser
+ADMIN_PASSWORD_INITIAL=secretpassword
+ADMIN_PASSWORD_RESET=NO
+
+RUN_TIMES=[sas,js,py | js,py | sas | sas,js] default considered as sas
 SAS_PATH=/opt/sas/sas9/SASHome/SASFoundation/9.4/sas
 NODE_PATH=~/.nvm/versions/node/v16.14.0/bin/node
+PYTHON_PATH=/usr/bin/python
+R_PATH=/usr/bin/Rscript

 SASJS_ROOT=./sasjs_root
+DRIVE_LOCATION=./sasjs_root/drive

 LOG_FORMAT_MORGAN=common
 LOG_LOCATION=./sasjs_root/logs
--- a/api/mocks/sas9/generic/logged-in
+++ b/api/mocks/sas9/generic/logged-in
@@ -0,0 +1 @@
+You have signed in.
--- a/api/mocks/sas9/generic/logged-out
+++ b/api/mocks/sas9/generic/logged-out
@@ -0,0 +1 @@
+You have signed out.
--- a/api/mocks/sas9/generic/login
+++ b/api/mocks/sas9/generic/login
@@ -0,0 +1,30 @@
+<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" dir="ltr" class="bg">
+
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="initial-scale=1" />
+</head>
+
+
+<div class="content">
+  <form id="credentials" class="minimal" action="/SASLogon/login?service=http%3A%2F%2Flocalhost:5004%2FSASStoredProcess%2Fj_spring_cas_security_check" method="post">
+    <!--form container-->
+    <input type="hidden" name="lt" value="validtoken" aria-hidden="true" />
+    <input type="hidden" name="execution" value="e2s1" aria-hidden="true" />
+    <input type="hidden" name="_eventId" value="submit" aria-hidden="true" />
+
+    <span class="userid">
+
+      <input id="username" name="username" tabindex="3" aria-labelledby="username1 message1 message2 message3" name="username" placeholder="User ID" type="text" autofocus="true" value="" maxlength="500" autocomplete="off" />
+    </span>
+    <span class="password">
+
+      <input id="password" name="password" tabindex="4" name="password" placeholder="Password" type="password" value="" maxlength="500" autocomplete="off" />
+    </span>
+
+    <button type="submit" class="btn-submit" title="Sign In" tabindex="5" onClick="this.disabled=true;setSubmitUrl(this.form);this.form.submit();return false;">Sign In</button>
+
+
+  </form>
+</div>
+</html>
--- a/api/mocks/sas9/generic/public-access-denied
+++ b/api/mocks/sas9/generic/public-access-denied
@@ -0,0 +1 @@
+Public access has been denied.
--- a/api/mocks/sas9/generic/sas-stored-process
+++ b/api/mocks/sas9/generic/sas-stored-process
@@ -0,0 +1 @@
+"title": "Log Off SAS Demo User"
--- a/api/package-lock.json
+++ b/api/package-lock.json
--- a/api/package.json
+++ b/api/package.json
@@ -4,7 +4,7 @@
  "description": "Api of SASjs server",
  "main": "./src/server.ts",
  "scripts": {
-    "initial": "npm run swagger && npm run compileSysInit && npm run copySASjsCore",
+    "initial": "npm run swagger && npm run compileSysInit && npm run copySASjsCore && npm run downloadMacros",
    "prestart": "npm run initial",
    "prebuild": "npm run initial",
    "start": "NODE_ENV=development nodemon ./src/server.ts",
@@ -17,20 +17,21 @@
    "lint:fix": "npx prettier --write \"src/**/*.{ts,tsx,js,jsx,html,css,sass,less,yml,md,graphql}\"",
    "lint": "npx prettier --check \"src/**/*.{ts,tsx,js,jsx,html,css,sass,less,yml,md,graphql}\"",
    "exe": "npm run build && pkg .",
-    "copy:files": "npm run public:copy && npm run sasjsbuild:copy && npm run sasjscore:copy && npm run web:copy",
+    "copy:files": "npm run public:copy && npm run sasjsbuild:copy && npm run sas:copy && npm run web:copy",
    "public:copy": "cp -r ./public/ ./build/public/",
    "sasjsbuild:copy": "cp -r ./sasjsbuild/ ./build/sasjsbuild/",
-    "sasjscore:copy": "cp -r ./sasjscore/ ./build/sasjscore/",
+    "sas:copy": "cp -r ./sas/ ./build/sas/",
    "web:copy": "rimraf web && mkdir web && cp -r ../web/build/ ./web/build/",
    "compileSysInit": "ts-node ./scripts/compileSysInit.ts",
-    "copySASjsCore": "ts-node ./scripts/copySASjsCore.ts"
+    "copySASjsCore": "ts-node ./scripts/copySASjsCore.ts",
+    "downloadMacros": "ts-node ./scripts/downloadMacros.ts"
  },
  "bin": "./build/src/server.js",
  "pkg": {
    "assets": [
      "./build/public/**/*",
      "./build/sasjsbuild/**/*",
-      "./build/sasjscore/**/*",
+      "./build/sas/**/*",
      "./web/build/**/*"
    ],
    "targets": [
@@ -47,22 +48,22 @@
  },
  "author": "4GL Ltd",
  "dependencies": {
-    "@sasjs/core": "^4.31.3",
-    "@sasjs/utils": "2.42.1",
+    "@sasjs/core": "^4.40.1",
+    "@sasjs/utils": "3.2.0",
    "bcryptjs": "^2.4.3",
    "connect-mongo": "^4.6.0",
    "cookie-parser": "^1.4.6",
    "cors": "^2.8.5",
-    "csurf": "^1.11.0",
    "express": "^4.17.1",
    "express-session": "^1.17.2",
    "helmet": "^5.0.2",
    "joi": "^17.4.2",
    "jsonwebtoken": "^8.5.1",
+    "ldapjs": "2.3.3",
    "mongoose": "^6.0.12",
-    "mongoose-sequence": "^5.3.1",
    "morgan": "^1.10.0",
    "multer": "^1.4.5-lts.1",
+    "rate-limiter-flexible": "2.4.1",
    "rotating-file-stream": "^3.0.4",
    "swagger-ui-express": "4.3.0",
    "unzipper": "^0.10.11",
@@ -73,12 +74,11 @@
    "@types/bcryptjs": "^2.4.2",
    "@types/cookie-parser": "^1.4.2",
    "@types/cors": "^2.8.12",
-    "@types/csurf": "^1.11.2",
    "@types/express": "^4.17.12",
    "@types/express-session": "^1.17.4",
    "@types/jest": "^26.0.24",
    "@types/jsonwebtoken": "^8.5.5",
-    "@types/mongoose-sequence": "^3.0.6",
+    "@types/ldapjs": "^2.2.4",
    "@types/morgan": "^1.9.3",
    "@types/multer": "^1.4.7",
    "@types/node": "^15.12.2",
@@ -86,10 +86,13 @@
    "@types/swagger-ui-express": "^4.1.3",
    "@types/unzipper": "^0.10.5",
    "adm-zip": "^0.5.9",
-    "dotenv": "^10.0.0",
+    "axios": "0.27.2",
+    "csrf": "^3.1.0",
+    "dotenv": "^16.0.1",
    "http-headers-validation": "^0.0.1",
    "jest": "^27.0.6",
-    "mongodb-memory-server": "^8.0.0",
+    "mongodb-memory-server": "8.11.4",
+    "nodejs-file-downloader": "4.10.2",
    "nodemon": "^2.0.7",
    "pkg": "5.6.0",
    "prettier": "^2.3.1",
--- a/api/public/swagger.yaml
+++ b/api/public/swagger.yaml
--- a/api/scripts/downloadMacros.ts
+++ b/api/scripts/downloadMacros.ts
@@ -0,0 +1,39 @@
+import axios from 'axios'
+import Downloader from 'nodejs-file-downloader'
+import { createFile, listFilesInFolder } from '@sasjs/utils'
+
+import { sasJSCoreMacros, sasJSCoreMacrosInfo } from '../src/utils/file'
+
+export const downloadMacros = async () => {
+  const url =
+    'https://api.github.com/repos/yabwon/SAS_PACKAGES/contents/SPF/Macros'
+
+  console.info(`Downloading macros from ${url}`)
+
+  await axios
+    .get(url)
+    .then(async (res) => {
+      await downloadFiles(res.data)
+    })
+    .catch((err) => {
+      throw new Error(err)
+    })
+}
+
+const downloadFiles = async function (fileList: any) {
+  for (const file of fileList) {
+    const downloader = new Downloader({
+      url: file.download_url,
+      directory: sasJSCoreMacros,
+      fileName: file.path.replace(/^SPF\/Macros/, ''),
+      cloneFiles: false
+    })
+    await downloader.download()
+  }
+
+  const fileNames = await listFilesInFolder(sasJSCoreMacros)
+
+  await createFile(sasJSCoreMacrosInfo, fileNames.join('\n'))
+}
+
+downloadMacros()
--- a/api/src/app-modules/configureCors.ts
+++ b/api/src/app-modules/configureCors.ts
@@ -15,7 +15,7 @@ export const configureCors = (app: Express) => {
          whiteList.push(url.replace(/\/$/, ''))
      })

-    console.log('All CORS Requests are enabled for:', whiteList)
+    process.logger.info('All CORS Requests are enabled for:', whiteList)
    app.use(cors({ credentials: true, origin: whiteList }))
  }
 }
--- a/api/src/app-modules/configureExpressSession.ts
+++ b/api/src/app-modules/configureExpressSession.ts
@@ -1,22 +1,38 @@
-import { Express } from 'express'
+import { Express, CookieOptions } from 'express'
 import mongoose from 'mongoose'
 import session from 'express-session'
 import MongoStore from 'connect-mongo'

-import { ModeType } from '../utils'
-import { cookieOptions } from '../app'
+import { DatabaseType, ModeType, ProtocolType } from '../utils'

 export const configureExpressSession = (app: Express) => {
-  const { MODE } = process.env
+  const { MODE, DB_TYPE } = process.env

  if (MODE === ModeType.Server) {
    let store: MongoStore | undefined

    if (process.env.NODE_ENV !== 'test') {
-      store = MongoStore.create({
-        client: mongoose.connection!.getClient() as any,
-        collectionName: 'sessions'
-      })
+      if (DB_TYPE === DatabaseType.COSMOS_MONGODB) {
+        // COSMOS DB requires specific connection options (compatibility mode)
+        // See: https://www.npmjs.com/package/connect-mongo#set-the-compatibility-mode
+        store = MongoStore.create({
+          client: mongoose.connection!.getClient() as any,
+          autoRemove: 'interval'
+        })
+      } else {
+        store = MongoStore.create({
+          client: mongoose.connection!.getClient() as any
+        })
+      }
+    }
+
+    const { PROTOCOL, ALLOWED_DOMAIN } = process.env
+    const cookieOptions: CookieOptions = {
+      secure: PROTOCOL === ProtocolType.HTTPS,
+      httpOnly: true,
+      sameSite: PROTOCOL === ProtocolType.HTTPS ? 'none' : undefined,
+      maxAge: 24 * 60 * 60 * 1000, // 24 hours
+      domain: ALLOWED_DOMAIN?.trim() || undefined
    }

    app.use(
--- a/api/src/app-modules/configureLogger.ts
+++ b/api/src/app-modules/configureLogger.ts
@@ -23,7 +23,7 @@ export const configureLogger = (app: Express) => {
      path: logsFolder
    })

-    console.log('Writing Logs to :', path.join(logsFolder, filename))
+    process.logger.info('Writing Logs to :', path.join(logsFolder, filename))

    options = { stream: accessLogStream }
  }
--- a/api/src/app.ts
+++ b/api/src/app.ts
@@ -1,18 +1,21 @@
 import path from 'path'
 import express, { ErrorRequestHandler } from 'express'
-import csrf, { CookieOptions } from 'csurf'
 import cookieParser from 'cookie-parser'
 import dotenv from 'dotenv'

 import {
  copySASjsCore,
+  createWeboutSasFile,
+  getFilesFolder,
+  getPackagesFolder,
  getWebBuildFolder,
  instantiateLogger,
  loadAppStreamConfig,
-  ProtocolType,
  ReturnCode,
  setProcessVariables,
-  setupFolders,
+  setupFilesFolder,
+  setupPackagesFolder,
+  setupUserAutoExec,
  verifyEnvVariables
 } from './utils'
 import {
@@ -21,6 +24,7 @@ import {
  configureLogger,
  configureSecurity
 } from './app-modules'
+import { folderExists } from '@sasjs/utils'

 dotenv.config()

@@ -30,25 +34,8 @@ if (verifyEnvVariables()) process.exit(ReturnCode.InvalidEnv)

 const app = express()

-const { PROTOCOL } = process.env
-
-export const cookieOptions: CookieOptions = {
-  secure: PROTOCOL === ProtocolType.HTTPS,
-  httpOnly: true,
-  sameSite: PROTOCOL === ProtocolType.HTTPS ? 'none' : undefined,
-  maxAge: 24 * 60 * 60 * 1000 // 24 hours
-}
-
-/***********************************
- *         CSRF Protection         *
- ***********************************/
-export const csrfProtection = csrf({ cookie: cookieOptions })
-
 const onError: ErrorRequestHandler = (err, req, res, next) => {
-  if (err.code === 'EBADCSRFTOKEN')
-    return res.status(400).send('Invalid CSRF token!')
-
-  console.error(err.stack)
+  process.logger.error(err.stack)
  res.status(500).send('Something broke!')
 }

@@ -77,8 +64,25 @@ export default setProcessVariables().then(async () => {
  app.use(express.json({ limit: '100mb' }))
  app.use(express.static(path.join(__dirname, '../public')))

-  await setupFolders()
-  await copySASjsCore()
+  // Body parser is used for decoding the formdata on POST request.
+  // Currently only place we use it is SAS9 Mock - POST /SASLogon/login
+  app.use(express.urlencoded({ extended: true }))
+
+  await setupUserAutoExec()
+
+  if (!(await folderExists(getFilesFolder()))) await setupFilesFolder()
+
+  if (!(await folderExists(getPackagesFolder()))) await setupPackagesFolder()
+
+  const sasautosPath = path.join(process.driveLoc, 'sas', 'sasautos')
+  if (await folderExists(sasautosPath)) {
+    process.logger.warn(
+      `SASAUTOS was not refreshed. To force a refresh, delete the ${sasautosPath} folder`
+    )
+  } else {
+    await copySASjsCore()
+    await createWeboutSasFile()
+  }

  // loading these modules after setting up variables due to
  // multer's usage of process var process.driveLoc
--- a/api/src/controllers/auth.ts
+++ b/api/src/controllers/auth.ts
@@ -1,25 +1,40 @@
-import { Security, Route, Tags, Example, Post, Body, Query, Hidden } from 'tsoa'
+import express from 'express'
+import {
+  Security,
+  Route,
+  Tags,
+  Example,
+  Post,
+  Patch,
+  Request,
+  Body,
+  Query,
+  Hidden
+} from 'tsoa'
 import jwt from 'jsonwebtoken'
 import { InfoJWT } from '../types'
 import {
  generateAccessToken,
  generateRefreshToken,
+  getTokensFromDB,
  removeTokensInDB,
  saveTokensInDB
 } from '../utils'
+import Client from '../model/Client'
+import User from '../model/User'

@Route('SASjsApi/auth')
@Tags('Auth')
 export class AuthController {
  static authCodes: { [key: string]: { [key: string]: string } } = {}
-  static saveCode = (userId: number, clientId: string, code: string) => {
+  static saveCode = (userId: string, clientId: string, code: string) => {
    if (AuthController.authCodes[userId])
      return (AuthController.authCodes[userId][clientId] = code)

    AuthController.authCodes[userId] = { [clientId]: code }
    return AuthController.authCodes[userId][clientId]
  }
-  static deleteCode = (userId: number, clientId: string) =>
+  static deleteCode = (userId: string, clientId: string) =>
    delete AuthController.authCodes[userId][clientId]

  /**
@@ -60,6 +75,18 @@ export class AuthController {
  public async logout(@Query() @Hidden() data?: InfoJWT) {
    return logout(data!)
  }
+
+  /**
+   * @summary Update user's password.
+   */
+  @Security('bearerAuth')
+  @Patch('updatePassword')
+  public async updatePassword(
+    @Request() req: express.Request,
+    @Body() body: UpdatePasswordPayload
+  ) {
+    return updatePassword(req, body)
+  }
 }

 const token = async (data: any): Promise<TokenResponse> => {
@@ -73,8 +100,26 @@ const token = async (data: any): Promise<TokenResponse> => {

  AuthController.deleteCode(userInfo.userId, clientId)

-  const accessToken = generateAccessToken(userInfo)
-  const refreshToken = generateRefreshToken(userInfo)
+  // get tokens from DB
+  const existingTokens = await getTokensFromDB(userInfo.userId, clientId)
+  if (existingTokens) {
+    return {
+      accessToken: existingTokens.accessToken,
+      refreshToken: existingTokens.refreshToken
+    }
+  }
+
+  const client = await Client.findOne({ clientId })
+  if (!client) throw new Error('Invalid clientId.')
+
+  const accessToken = generateAccessToken(
+    userInfo,
+    client.accessTokenExpiration
+  )
+  const refreshToken = generateRefreshToken(
+    userInfo,
+    client.refreshTokenExpiration
+  )

  await saveTokensInDB(userInfo.userId, clientId, accessToken, refreshToken)

@@ -82,8 +127,17 @@ const token = async (data: any): Promise<TokenResponse> => {
 }

 const refresh = async (userInfo: InfoJWT): Promise<TokenResponse> => {
-  const accessToken = generateAccessToken(userInfo)
-  const refreshToken = generateRefreshToken(userInfo)
+  const client = await Client.findOne({ clientId: userInfo.clientId })
+  if (!client) throw new Error('Invalid clientId.')
+
+  const accessToken = generateAccessToken(
+    userInfo,
+    client.accessTokenExpiration
+  )
+  const refreshToken = generateRefreshToken(
+    userInfo,
+    client.refreshTokenExpiration
+  )

  await saveTokensInDB(
    userInfo.userId,
@@ -99,6 +153,40 @@ const logout = async (userInfo: InfoJWT) => {
  await removeTokensInDB(userInfo.userId, userInfo.clientId)
 }

+const updatePassword = async (
+  req: express.Request,
+  data: UpdatePasswordPayload
+) => {
+  const { currentPassword, newPassword } = data
+  const userId = req.user?.userId
+  const dbUser = await User.findOne({ _id: userId })
+
+  if (!dbUser)
+    throw {
+      code: 404,
+      message: `User not found!`
+    }
+
+  if (dbUser?.authProvider) {
+    throw {
+      code: 405,
+      message:
+        'Can not update password of user that is created by an external auth provider.'
+    }
+  }
+
+  const validPass = dbUser.comparePassword(currentPassword)
+  if (!validPass)
+    throw {
+      code: 403,
+      message: `Invalid current password!`
+    }
+
+  dbUser.password = User.hashPassword(newPassword)
+  dbUser.needsToUpdatePassword = false
+  await dbUser.save()
+}
+
 interface TokenPayload {
  /**
   * Client ID
@@ -125,6 +213,19 @@ interface TokenResponse {
  refreshToken: string
 }

+interface UpdatePasswordPayload {
+  /**
+   * Current Password
+   * @example "currentPasswordString"
+   */
+  currentPassword: string
+  /**
+   * New Password
+   * @example "newPassword"
+   */
+  newPassword: string
+}
+
 const verifyAuthCode = async (
  clientId: string,
  code: string
--- a/api/src/controllers/authConfig.ts
+++ b/api/src/controllers/authConfig.ts
@@ -0,0 +1,186 @@
+import express from 'express'
+import { Security, Route, Tags, Get, Post, Example } from 'tsoa'
+
+import { LDAPClient, LDAPUser, LDAPGroup, AuthProviderType } from '../utils'
+import { randomBytes } from 'crypto'
+import User from '../model/User'
+import Group from '../model/Group'
+import Permission from '../model/Permission'
+
+@Security('bearerAuth')
+@Route('SASjsApi/authConfig')
+@Tags('Auth_Config')
+export class AuthConfigController {
+  /**
+   * @summary Gives the detail of Auth Mechanism.
+   *
+   */
+  @Example({
+    ldap: {
+      LDAP_URL: 'ldaps://my.ldap.server:636',
+      LDAP_BIND_DN: 'cn=admin,ou=system,dc=cloudron',
+      LDAP_BIND_PASSWORD: 'secret',
+      LDAP_USERS_BASE_DN: 'ou=users,dc=cloudron',
+      LDAP_GROUPS_BASE_DN: 'ou=groups,dc=cloudron'
+    }
+  })
+  @Get('/')
+  public getDetail() {
+    return getAuthConfigDetail()
+  }
+
+  /**
+   * @summary Synchronises LDAP users and groups with internal DB and returns the count of imported users and groups.
+   *
+   */
+  @Example({
+    users: 5,
+    groups: 3
+  })
+  @Post('/synchroniseWithLDAP')
+  public async synchroniseWithLDAP() {
+    return synchroniseWithLDAP()
+  }
+}
+
+const synchroniseWithLDAP = async () => {
+  process.logger.info('Syncing LDAP with internal DB')
+
+  const permissions = await Permission.get({})
+  await Permission.deleteMany()
+  await User.deleteMany({ authProvider: AuthProviderType.LDAP })
+  await Group.deleteMany({ authProvider: AuthProviderType.LDAP })
+
+  const ldapClient = await LDAPClient.init()
+
+  process.logger.info('fetching LDAP users')
+  const users = await ldapClient.getAllLDAPUsers()
+
+  process.logger.info('inserting LDAP users to DB')
+
+  const existingUsers: string[] = []
+  const importedUsers: LDAPUser[] = []
+
+  for (const user of users) {
+    const usernameExists = await User.findOne({ username: user.username })
+    if (usernameExists) {
+      existingUsers.push(user.username)
+      continue
+    }
+
+    const hashPassword = User.hashPassword(randomBytes(64).toString('hex'))
+
+    await User.create({
+      displayName: user.displayName,
+      username: user.username,
+      password: hashPassword,
+      authProvider: AuthProviderType.LDAP,
+      needsToUpdatePassword: false
+    })
+
+    importedUsers.push(user)
+  }
+
+  if (existingUsers.length > 0) {
+    process.logger.info(
+      'Failed to insert following users as they already exist in DB:'
+    )
+    existingUsers.forEach((user) => process.logger.log(`* ${user}`))
+  }
+
+  process.logger.info('fetching LDAP groups')
+  const groups = await ldapClient.getAllLDAPGroups()
+
+  process.logger.info('inserting LDAP groups to DB')
+
+  const existingGroups: string[] = []
+  const importedGroups: LDAPGroup[] = []
+
+  for (const group of groups) {
+    const groupExists = await Group.findOne({ name: group.name })
+    if (groupExists) {
+      existingGroups.push(group.name)
+      continue
+    }
+
+    await Group.create({
+      name: group.name,
+      authProvider: AuthProviderType.LDAP
+    })
+
+    importedGroups.push(group)
+  }
+
+  if (existingGroups.length > 0) {
+    process.logger.info(
+      'Failed to insert following groups as they already exist in DB:'
+    )
+    existingGroups.forEach((group) => process.logger.log(`* ${group}`))
+  }
+
+  process.logger.info('associating users and groups')
+
+  for (const group of importedGroups) {
+    const dbGroup = await Group.findOne({ name: group.name })
+    if (dbGroup) {
+      for (const member of group.members) {
+        const user = importedUsers.find((user) => user.uid === member)
+        if (user) {
+          const dbUser = await User.findOne({ username: user.username })
+          if (dbUser) await dbGroup.addUser(dbUser)
+        }
+      }
+    }
+  }
+
+  process.logger.info('setting permissions')
+
+  for (const permission of permissions) {
+    const newPermission = new Permission({
+      path: permission.path,
+      type: permission.type,
+      setting: permission.setting
+    })
+
+    if (permission.user) {
+      const dbUser = await User.findOne({ username: permission.user.username })
+      if (dbUser) newPermission.user = dbUser._id
+    } else if (permission.group) {
+      const dbGroup = await Group.findOne({ name: permission.group.name })
+      if (dbGroup) newPermission.group = dbGroup._id
+    }
+    await newPermission.save()
+  }
+
+  process.logger.info('LDAP synchronization completed!')
+
+  return {
+    userCount: importedUsers.length,
+    groupCount: importedGroups.length
+  }
+}
+
+const getAuthConfigDetail = () => {
+  const { AUTH_PROVIDERS } = process.env
+
+  const returnObj: any = {}
+
+  if (AUTH_PROVIDERS === AuthProviderType.LDAP) {
+    const {
+      LDAP_URL,
+      LDAP_BIND_DN,
+      LDAP_BIND_PASSWORD,
+      LDAP_USERS_BASE_DN,
+      LDAP_GROUPS_BASE_DN
+    } = process.env
+
+    returnObj.ldap = {
+      LDAP_URL: LDAP_URL ?? '',
+      LDAP_BIND_DN: LDAP_BIND_DN ?? '',
+      LDAP_BIND_PASSWORD: LDAP_BIND_PASSWORD ?? '',
+      LDAP_USERS_BASE_DN: LDAP_USERS_BASE_DN ?? '',
+      LDAP_GROUPS_BASE_DN: LDAP_GROUPS_BASE_DN ?? ''
+    }
+  }
+  return returnObj
+}
--- a/api/src/controllers/client.ts
+++ b/api/src/controllers/client.ts
@@ -1,18 +1,27 @@
-import { Security, Route, Tags, Example, Post, Body } from 'tsoa'
+import { Security, Route, Tags, Example, Post, Body, Get } from 'tsoa'

-import Client, { ClientPayload } from '../model/Client'
+import Client, {
+  ClientPayload,
+  NUMBER_OF_SECONDS_IN_A_DAY
+} from '../model/Client'

@Security('bearerAuth')
@Route('SASjsApi/client')
@Tags('Client')
 export class ClientController {
  /**
-   * @summary Create client with the following attributes: ClientId, ClientSecret. Admin only task.
+   * @summary Admin only task. Create client with the following attributes:
+   * ClientId,
+   * ClientSecret,
+   * accessTokenExpiration (optional),
+   * refreshTokenExpiration (optional)
   *
   */
  @Example<ClientPayload>({
    clientId: 'someFormattedClientID1234',
-    clientSecret: 'someRandomCryptoString'
+    clientSecret: 'someRandomCryptoString',
+    accessTokenExpiration: NUMBER_OF_SECONDS_IN_A_DAY,
+    refreshTokenExpiration: NUMBER_OF_SECONDS_IN_A_DAY * 30
  })
  @Post('/')
  public async createClient(
@@ -20,10 +29,37 @@ export class ClientController {
  ): Promise<ClientPayload> {
    return createClient(body)
  }
+
+  /**
+   * @summary Admin only task. Returns the list of all the clients
+   */
+  @Example<ClientPayload[]>([
+    {
+      clientId: 'someClientID1234',
+      clientSecret: 'someRandomCryptoString',
+      accessTokenExpiration: NUMBER_OF_SECONDS_IN_A_DAY,
+      refreshTokenExpiration: NUMBER_OF_SECONDS_IN_A_DAY * 30
+    },
+    {
+      clientId: 'someOtherClientID',
+      clientSecret: 'someOtherRandomCryptoString',
+      accessTokenExpiration: NUMBER_OF_SECONDS_IN_A_DAY,
+      refreshTokenExpiration: NUMBER_OF_SECONDS_IN_A_DAY * 30
+    }
+  ])
+  @Get('/')
+  public async getAllClients(): Promise<ClientPayload[]> {
+    return getAllClients()
+  }
 }

-const createClient = async (data: any): Promise<ClientPayload> => {
-  const { clientId, clientSecret } = data
+const createClient = async (data: ClientPayload): Promise<ClientPayload> => {
+  const {
+    clientId,
+    clientSecret,
+    accessTokenExpiration,
+    refreshTokenExpiration
+  } = data

  // Checking if client is already in the database
  const clientExist = await Client.findOne({ clientId })
@@ -32,13 +68,27 @@ const createClient = async (data: any): Promise<ClientPayload> => {
  // Create a new client
  const client = new Client({
    clientId,
-    clientSecret
+    clientSecret,
+    accessTokenExpiration,
+    refreshTokenExpiration
  })

  const savedClient = await client.save()

  return {
    clientId: savedClient.clientId,
-    clientSecret: savedClient.clientSecret
+    clientSecret: savedClient.clientSecret,
+    accessTokenExpiration: savedClient.accessTokenExpiration,
+    refreshTokenExpiration: savedClient.refreshTokenExpiration
  }
 }
+
+const getAllClients = async (): Promise<ClientPayload[]> => {
+  return Client.find({}).select({
+    _id: 0,
+    clientId: 1,
+    clientSecret: 1,
+    accessTokenExpiration: 1,
+    refreshTokenExpiration: 1
+  })
+}
--- a/api/src/controllers/code.ts
+++ b/api/src/controllers/code.ts
@@ -1,43 +1,91 @@
 import express from 'express'
 import { Request, Security, Route, Tags, Post, Body } from 'tsoa'
-import { ExecuteReturnJson, ExecutionController } from './internal'
-import { ExecuteReturnJsonResponse } from '.'
+import { ExecutionController, getSessionController } from './internal'
 import {
  getPreProgramVariables,
  getUserAutoExec,
  ModeType,
-  parseLogToArray,
  RunTimeType
 } from '../utils'

 interface ExecuteCodePayload {
  /**
-   * Code of program
-   * @example "* Code HERE;"
+   * The code to be executed
+   * @example "* Your Code HERE;"
   */
  code: string
  /**
-   * runtime for program
+   * The runtime for the code - eg SAS, JS, PY or R
   * @example "js"
   */
  runTime: RunTimeType
 }

+interface TriggerCodePayload {
+  /**
+   * The code to be executed
+   * @example "* Your Code HERE;"
+   */
+  code: string
+  /**
+   * The runtime for the code - eg SAS, JS, PY or R
+   * @example "sas"
+   */
+  runTime: RunTimeType
+  /**
+   * Amount of minutes after the completion of the job when the session must be
+   * destroyed.
+   * @example 15
+   */
+  expiresAfterMins?: number
+}
+
+interface TriggerCodeResponse {
+  /**
+   * `sessionId` is the ID of the session and the name of the temporary folder
+   * used to store code outputs.<br><br>
+   * For SAS, this would be the location of the SASWORK folder.<br><br>
+   * `sessionId` can be used to poll session state using the
+   * GET /SASjsApi/session/{sessionId}/state endpoint.
+   * @example "20241028074744-54132-1730101664824"
+   */
+  sessionId: string
+}
+
@Security('bearerAuth')
@Route('SASjsApi/code')
-@Tags('CODE')
+@Tags('Code')
 export class CodeController {
  /**
-   * Execute SAS code.
-   * @summary Run SAS Code and returns log
+   * Execute Code on the Specified Runtime
+   * @summary Run Code and Return Webout Content, Log and Print output
+   * The order of returned parts of the payload is:
+   * 1. Webout (if present)
+   * 2. Logs UUID (used as separator)
+   * 3. Log
+   * 4. Logs UUID (used as separator)
+   * 5. Print (if present and if the runtime is SAS)
+   * Please see @sasjs/server/api/src/controllers/internal/Execution.ts for more information
   */
  @Post('/execute')
  public async executeCode(
    @Request() request: express.Request,
    @Body() body: ExecuteCodePayload
-  ): Promise<ExecuteReturnJsonResponse> {
+  ): Promise<string | Buffer> {
    return executeCode(request, body)
  }
+
+  /**
+   * Trigger Code on the Specified Runtime
+   * @summary Triggers code and returns SessionId immediately - does not wait for job completion
+   */
+  @Post('/trigger')
+  public async triggerCode(
+    @Request() request: express.Request,
+    @Body() body: TriggerCodePayload
+  ): Promise<TriggerCodeResponse> {
+    return triggerCode(request, body)
+  }
 }

 const executeCode = async (
@@ -51,22 +99,62 @@ const executeCode = async (
      : await getUserAutoExec()

  try {
-    const { webout, log, httpHeaders } =
-      (await new ExecutionController().executeProgram({
-        program: code,
-        preProgramVariables: getPreProgramVariables(req),
-        vars: { ...req.query, _debug: 131 },
-        otherArgs: { userAutoExec },
-        returnJson: true,
-        runTime: runTime
-      })) as ExecuteReturnJson
+    const { result } = await new ExecutionController().executeProgram({
+      program: code,
+      preProgramVariables: getPreProgramVariables(req),
+      vars: { ...req.query, _debug: 131 },
+      otherArgs: { userAutoExec },
+      runTime: runTime,
+      includePrintOutput: true
+    })

-    return {
-      status: 'success',
-      _webout: webout as string,
-      log: parseLogToArray(log),
-      httpHeaders
-    }
+    return result
+  } catch (err: any) {
+    throw {
+      code: 400,
+      status: 'failure',
+      message: 'Job execution failed.',
+      error: typeof err === 'object' ? err.toString() : err
+    }
+  }
+}
+
+const triggerCode = async (
+  req: express.Request,
+  { code, runTime, expiresAfterMins }: TriggerCodePayload
+): Promise<TriggerCodeResponse> => {
+  const { user } = req
+  const userAutoExec =
+    process.env.MODE === ModeType.Server
+      ? user?.autoExec
+      : await getUserAutoExec()
+
+  // get session controller based on runTime
+  const sessionController = getSessionController(runTime)
+
+  // get session
+  const session = await sessionController.getSession()
+
+  // add expiresAfterMins to session if provided
+  if (expiresAfterMins) {
+    // expiresAfterMins.used is set initially to false
+    session.expiresAfterMins = { mins: expiresAfterMins, used: false }
+  }
+
+  try {
+    // call executeProgram method of ExecutionController without awaiting
+    new ExecutionController().executeProgram({
+      program: code,
+      preProgramVariables: getPreProgramVariables(req),
+      vars: { ...req.query, _debug: 131 },
+      otherArgs: { userAutoExec },
+      runTime: runTime,
+      includePrintOutput: true,
+      session // session is provided
+    })
+
+    // return session id
+    return { sessionId: session.id }
  } catch (err: any) {
    throw {
      code: 400,
--- a/api/src/controllers/group.ts
+++ b/api/src/controllers/group.ts
@@ -12,27 +12,29 @@ import {

 import Group, { GroupPayload, PUBLIC_GROUP_NAME } from '../model/Group'
 import User from '../model/User'
-import { UserResponse } from './user'
+import { GetUserBy, UserResponse } from './user'

 export interface GroupResponse {
-  groupId: number
+  uid: string
  name: string
  description: string
 }

-export interface GroupDetailsResponse {
-  groupId: number
-  name: string
-  description: string
+export interface GroupDetailsResponse extends GroupResponse {
  isActive: boolean
  users: UserResponse[]
 }

 interface GetGroupBy {
-  groupId?: number
+  _id?: string
  name?: string
 }

+enum GroupAction {
+  AddUser = 'addUser',
+  RemoveUser = 'removeUser'
+}
+
@Security('bearerAuth')
@Route('SASjsApi/group')
@Tags('Group')
@@ -43,7 +45,7 @@ export class GroupController {
   */
  @Example<GroupResponse[]>([
    {
-      groupId: 123,
+      uid: 'groupIdString',
      name: 'DCGroup',
      description: 'This group represents Data Controller Users'
    }
@@ -58,7 +60,7 @@ export class GroupController {
   *
   */
  @Example<GroupDetailsResponse>({
-    groupId: 123,
+    uid: 'groupIdString',
    name: 'DCGroup',
    description: 'This group represents Data Controller Users',
    isActive: true,
@@ -77,7 +79,7 @@ export class GroupController {
   * @example dcgroup
   */
  @Get('by/groupname/{name}')
-  public async getGroupByGroupName(
+  public async getGroupByName(
    @Path() name: string
  ): Promise<GroupDetailsResponse> {
    return getGroup({ name })
@@ -85,81 +87,79 @@ export class GroupController {

  /**
   * @summary Get list of members of a group (userName). All users can request this.
-   * @param groupId The group's identifier
-   * @example groupId 1234
+   * @param uid The group's identifier
+   * @example uid "12ByteString"
   */
-  @Get('{groupId}')
-  public async getGroup(
-    @Path() groupId: number
-  ): Promise<GroupDetailsResponse> {
-    return getGroup({ groupId })
+  @Get('{uid}')
+  public async getGroup(@Path() uid: string): Promise<GroupDetailsResponse> {
+    return getGroup({ _id: uid })
  }

  /**
   * @summary Add a user to a group. Admin task only.
-   * @param groupId The group's identifier
-   * @example groupId "1234"
-   * @param userId The user's identifier
-   * @example userId "6789"
+   * @param groupUid The group's identifier
+   * @example groupUid "12ByteString"
+   * @param userUid The user's identifier
+   * @example userId "12ByteString"
   */
  @Example<GroupDetailsResponse>({
-    groupId: 123,
+    uid: 'groupIdString',
    name: 'DCGroup',
    description: 'This group represents Data Controller Users',
    isActive: true,
    users: []
  })
-  @Post('{groupId}/{userId}')
+  @Post('{groupUid}/{userUid}')
  public async addUserToGroup(
-    @Path() groupId: number,
-    @Path() userId: number
+    @Path() groupUid: string,
+    @Path() userUid: string
  ): Promise<GroupDetailsResponse> {
-    return addUserToGroup(groupId, userId)
+    return addUserToGroup(groupUid, userUid)
  }

  /**
-   * @summary Remove a user to a group. Admin task only.
-   * @param groupId The group's identifier
-   * @example groupId "1234"
-   * @param userId The user's identifier
-   * @example userId "6789"
+   * @summary Remove a user from a group. Admin task only.
+   * @param groupUid The group's identifier
+   * @example groupUid "12ByteString"
+   * @param userUid The user's identifier
+   * @example userUid "12ByteString"
   */
  @Example<GroupDetailsResponse>({
-    groupId: 123,
+    uid: 'groupIdString',
    name: 'DCGroup',
    description: 'This group represents Data Controller Users',
    isActive: true,
    users: []
  })
-  @Delete('{groupId}/{userId}')
+  @Delete('{groupUid}/{userUid}')
  public async removeUserFromGroup(
-    @Path() groupId: number,
-    @Path() userId: number
+    @Path() groupUid: string,
+    @Path() userUid: string
  ): Promise<GroupDetailsResponse> {
-    return removeUserFromGroup(groupId, userId)
+    return removeUserFromGroup(groupUid, userUid)
  }

  /**
   * @summary Delete a group. Admin task only.
-   * @param groupId The group's identifier
-   * @example groupId 1234
+   * @param uid The group's identifier
+   * @example uid "12ByteString"
   */
-  @Delete('{groupId}')
-  public async deleteGroup(@Path() groupId: number) {
-    const group = await Group.findOne({ groupId })
-    if (group) return await group.remove()
-    throw {
-      code: 404,
-      status: 'Not Found',
-      message: 'Group not found.'
-    }
+  @Delete('{uid}')
+  public async deleteGroup(@Path() uid: string) {
+    const group = await Group.findOne({ _id: uid })
+    if (!group)
+      throw {
+        code: 404,
+        status: 'Not Found',
+        message: 'Group not found.'
+      }
+
+    return await group.remove()
  }
 }

 const getAllGroups = async (): Promise<GroupResponse[]> =>
-  await Group.find({})
-    .select({ _id: 0, groupId: 1, name: 1, description: 1 })
-    .exec()
+  await Group.find({}).select('uid name description').exec()

 const createGroup = async ({
  name,
@@ -184,7 +184,7 @@ const createGroup = async ({
  const savedGroup = await group.save()

  return {
-    groupId: savedGroup.groupId,
+    uid: savedGroup.uid,
    name: savedGroup.name,
    description: savedGroup.description,
    isActive: savedGroup.isActive,
@@ -195,11 +195,12 @@ const createGroup = async ({
 const getGroup = async (findBy: GetGroupBy): Promise<GroupDetailsResponse> => {
  const group = (await Group.findOne(
    findBy,
-    'groupId name description isActive users -_id'
+    'uid name description isActive users'
  ).populate(
    'users',
-    'id username displayName isAdmin -_id'
+    'uid username displayName isAdmin'
  )) as unknown as GroupDetailsResponse
+
  if (!group)
    throw {
      code: 404,
@@ -208,7 +209,7 @@ const getGroup = async (findBy: GetGroupBy): Promise<GroupDetailsResponse> => {
    }

  return {
-    groupId: group.groupId,
+    uid: group.uid,
    name: group.name,
    description: group.description,
    isActive: group.isActive,
@@ -217,23 +218,23 @@ const getGroup = async (findBy: GetGroupBy): Promise<GroupDetailsResponse> => {
 }

 const addUserToGroup = async (
-  groupId: number,
-  userId: number
+  groupUid: string,
+  userUid: string
 ): Promise<GroupDetailsResponse> =>
-  updateUsersListInGroup(groupId, userId, 'addUser')
+  updateUsersListInGroup(groupUid, userUid, GroupAction.AddUser)

 const removeUserFromGroup = async (
-  groupId: number,
-  userId: number
+  groupUid: string,
+  userUid: string
 ): Promise<GroupDetailsResponse> =>
-  updateUsersListInGroup(groupId, userId, 'removeUser')
+  updateUsersListInGroup(groupUid, userUid, GroupAction.RemoveUser)

 const updateUsersListInGroup = async (
-  groupId: number,
-  userId: number,
-  action: 'addUser' | 'removeUser'
+  groupUid: string,
+  userUid: string,
+  action: GroupAction
 ): Promise<GroupDetailsResponse> => {
-  const group = await Group.findOne({ groupId })
+  const group = await Group.findOne({ _id: groupUid })
  if (!group)
    throw {
      code: 404,
@@ -248,7 +249,14 @@ const updateUsersListInGroup = async (
      message: `Can't add/remove user to '${PUBLIC_GROUP_NAME}' group.`
    }

-  const user = await User.findOne({ id: userId })
+  if (group.authProvider)
+    throw {
+      code: 405,
+      status: 'Method Not Allowed',
+      message: `Can't add/remove user to group created by external auth provider.`
+    }
+
+  const user = await User.findOne({ _id: userUid })
  if (!user)
    throw {
      code: 404,
@@ -256,8 +264,15 @@ const updateUsersListInGroup = async (
      message: 'User not found.'
    }

+  if (user.authProvider)
+    throw {
+      code: 405,
+      status: 'Method Not Allowed',
+      message: `Can't add/remove user to group created by external auth provider.`
+    }
+
  const updatedGroup =
-    action === 'addUser'
+    action === GroupAction.AddUser
      ? await group.addUser(user)
      : await group.removeUser(user)

@@ -269,7 +284,7 @@ const updateUsersListInGroup = async (
    }

  return {
-    groupId: updatedGroup.groupId,
+    uid: updatedGroup.uid,
    name: updatedGroup.name,
    description: updatedGroup.description,
    isActive: updatedGroup.isActive,
--- a/api/src/controllers/index.ts
+++ b/api/src/controllers/index.ts
@@ -1,4 +1,5 @@
 export * from './auth'
+export * from './authConfig'
 export * from './client'
 export * from './code'
 export * from './drive'
--- a/api/src/controllers/internal/Execution.ts
+++ b/api/src/controllers/internal/Execution.ts
@@ -2,7 +2,7 @@ import path from 'path'
 import fs from 'fs'
 import { getSessionController, processProgram } from './'
 import { readFile, fileExists, createFile, readFileBinary } from '@sasjs/utils'
-import { PreProgramVars, Session, TreeNode } from '../../types'
+import { PreProgramVars, Session, TreeNode, SessionState } from '../../types'
 import {
  extractHeaders,
  getFilesFolder,
@@ -20,12 +20,6 @@ export interface ExecuteReturnRaw {
  result: string | Buffer
 }

-export interface ExecuteReturnJson {
-  httpHeaders: HTTPHeaders
-  webout: string | Buffer
-  log?: string
-}
-
 interface ExecuteFileParams {
  programPath: string
  preProgramVariables: PreProgramVars
@@ -34,10 +28,12 @@ interface ExecuteFileParams {
  returnJson?: boolean
  session?: Session
  runTime: RunTimeType
+  forceStringResult?: boolean
 }

 interface ExecuteProgramParams extends Omit<ExecuteFileParams, 'programPath'> {
  program: string
+  includePrintOutput?: boolean
 }

 export class ExecutionController {
@@ -48,7 +44,8 @@ export class ExecutionController {
    otherArgs,
    returnJson,
    session,
-    runTime
+    runTime,
+    forceStringResult
  }: ExecuteFileParams) {
    const program = await readFile(programPath)

@@ -59,7 +56,8 @@ export class ExecutionController {
      otherArgs,
      returnJson,
      session,
-      runTime
+      runTime,
+      forceStringResult
    })
  }

@@ -68,16 +66,16 @@ export class ExecutionController {
    preProgramVariables,
    vars,
    otherArgs,
-    returnJson,
    session: sessionByFileUpload,
-    runTime
-  }: ExecuteProgramParams): Promise<ExecuteReturnRaw | ExecuteReturnJson> {
+    runTime,
+    forceStringResult,
+    includePrintOutput
+  }: ExecuteProgramParams): Promise<ExecuteReturnRaw> {
    const sessionController = getSessionController(runTime)

    const session =
      sessionByFileUpload ?? (await sessionController.getSession())
-    session.inUse = true
-    session.consumed = true
+    session.state = SessionState.running

    const logPath = path.join(session.path, 'log.log')
    const headersPath = path.join(session.path, 'stpsrv_header.txt')
@@ -96,6 +94,7 @@ export class ExecutionController {
      vars,
      session,
      weboutPath,
+      headersPath,
      tokenFile,
      runTime,
      logPath,
@@ -107,33 +106,46 @@ export class ExecutionController {
      ? await readFile(headersPath)
      : ''
    const httpHeaders: HTTPHeaders = extractHeaders(headersContent)
-    const fileResponse: boolean =
-      httpHeaders.hasOwnProperty('content-type') &&
-      !returnJson && // not a POST Request
-      !isDebugOn(vars) // Debug is not enabled
+
+    if (isDebugOn(vars)) {
+      httpHeaders['content-type'] = 'text/plain'
+    }
+
+    const fileResponse: boolean = httpHeaders.hasOwnProperty('content-type')

    const webout = (await fileExists(weboutPath))
-      ? fileResponse
+      ? fileResponse && !forceStringResult
        ? await readFileBinary(weboutPath)
        : await readFile(weboutPath)
      : ''

    // it should be deleted by scheduleSessionDestroy
-    session.inUse = false
+    session.state = SessionState.completed

-    if (returnJson) {
-      return {
-        httpHeaders,
-        webout,
-        log: isDebugOn(vars) || session.crashed ? log : undefined
-      }
+    const resultParts = []
+
+    // INFO: webout can be a Buffer, that is why it's length should be checked to determine if it is empty
+    if (webout && webout.length !== 0) resultParts.push(webout)
+
+    // INFO: log separator wraps the log from the beginning and the end
+    resultParts.push(process.logsUUID)
+    resultParts.push(log)
+    resultParts.push(process.logsUUID)
+
+    if (includePrintOutput && runTime === RunTimeType.SAS) {
+      const printOutputPath = path.join(session.path, 'output.lst')
+      const printOutput = (await fileExists(printOutputPath))
+        ? await readFile(printOutputPath)
+        : ''
+
+      if (printOutput) resultParts.push(printOutput)
    }

    return {
      httpHeaders,
      result:
-        isDebugOn(vars) || session.crashed
-          ? `<html><body>${webout}<div style="text-align:left"><hr /><h2>SAS Log</h2><pre>${log}</pre></div></body></html>`
+        isDebugOn(vars) || session.failureReason
+          ? resultParts.join(`\n`)
          : webout
    }
  }
--- a/api/src/controllers/internal/FileUploadController.ts
+++ b/api/src/controllers/internal/FileUploadController.ts
@@ -2,11 +2,8 @@ import { Request, RequestHandler } from 'express'
 import multer from 'multer'
 import { uuidv4 } from '@sasjs/utils'
 import { getSessionController } from '.'
-import {
-  executeProgramRawValidation,
-  getRunTimeAndFilePath,
-  RunTimeType
-} from '../../utils'
+import { executeProgramRawValidation, getRunTimeAndFilePath } from '../../utils'
+import { SessionState } from '../../types'

 export class FileUploadController {
  private storage = multer.diskStorage({
@@ -56,9 +53,8 @@ export class FileUploadController {
    }

    const session = await sessionController.getSession()
-    // marking consumed true, so that it's not available
-    // as readySession for any other request
-    session.consumed = true
+    // change session state to 'running', so that it's not available for any other request
+    session.state = SessionState.running

    req.sasjsSession = session

--- a/api/src/controllers/internal/Session.ts
+++ b/api/src/controllers/internal/Session.ts
@@ -1,8 +1,9 @@
 import path from 'path'
-import { Session } from '../../types'
+import { Session, SessionState } from '../../types'
 import { promisify } from 'util'
 import { execFile } from 'child_process'
 import {
+  getPackagesFolder,
  getSessionsFolder,
  generateUniqueFileName,
  sysInitCompiledPath,
@@ -13,19 +14,47 @@ import {
  createFile,
  fileExists,
  generateTimestamp,
-  readFile,
-  isWindows
+  readFile
 } from '@sasjs/utils'

 const execFilePromise = promisify(execFile)

-abstract class SessionController {
+export class SessionController {
  protected sessions: Session[] = []

  protected getReadySessions = (): Session[] =>
-    this.sessions.filter((sess: Session) => sess.ready && !sess.consumed)
+    this.sessions.filter(
+      (session: Session) => session.state === SessionState.pending
+    )

-  protected abstract createSession(): Promise<Session>
+  protected async createSession(): Promise<Session> {
+    const sessionId = generateUniqueFileName(generateTimestamp())
+    const sessionFolder = path.join(getSessionsFolder(), sessionId)
+
+    const creationTimeStamp = sessionId.split('-').pop() as string
+    // death time of session is 15 mins from creation
+    const deathTimeStamp = (
+      parseInt(creationTimeStamp) +
+      15 * 60 * 1000 -
+      1000
+    ).toString()
+
+    const session: Session = {
+      id: sessionId,
+      state: SessionState.pending,
+      creationTimeStamp,
+      deathTimeStamp,
+      path: sessionFolder
+    }
+
+    const headersPath = path.join(session.path, 'stpsrv_header.txt')
+
+    await createFile(headersPath, 'content-type: text/html; charset=utf-8')
+
+    this.sessions.push(session)
+
+    return session
+  }

  public async getSession() {
    const readySessions = this.getReadySessions()
@@ -38,6 +67,10 @@ abstract class SessionController {

    return session
  }
+
+  public getSessionById(id: string) {
+    return this.sessions.find((session) => session.id === id)
+  }
 }

 export class SASSessionController extends SessionController {
@@ -55,15 +88,15 @@ export class SASSessionController extends SessionController {

    const session: Session = {
      id: sessionId,
-      ready: false,
-      inUse: false,
-      consumed: false,
-      completed: false,
+      state: SessionState.initialising,
      creationTimeStamp,
      deathTimeStamp,
      path: sessionFolder
    }

+    const headersPath = path.join(session.path, 'stpsrv_header.txt')
+    await createFile(headersPath, 'content-type: text/html; charset=utf-8\n')
+
    // we do not want to leave sessions running forever
    // we clean them up after a predefined period, if unused
    this.scheduleSessionDestroy(session)
@@ -73,7 +106,8 @@ export class SASSessionController extends SessionController {

    // the autoexec file is executed on SAS startup
    const autoExecPath = path.join(sessionFolder, 'autoexec.sas')
-    const contentForAutoExec = `/* compiled systemInit */
+    const contentForAutoExec = `filename packages "${getPackagesFolder()}";
+/* compiled systemInit */
 ${compiledSystemInitContent}
 /* autoexec */
 ${autoExecContent}`
@@ -101,21 +135,31 @@ ${autoExecContent}`
      session.path,
      '-AUTOEXEC',
      autoExecPath,
+      process.sasLoc!.endsWith('sas.exe') ? '-nologo' : '',
      process.sasLoc!.endsWith('sas.exe') ? '-nosplash' : '',
      process.sasLoc!.endsWith('sas.exe') ? '-icon' : '',
      process.sasLoc!.endsWith('sas.exe') ? '-nodms' : '',
      process.sasLoc!.endsWith('sas.exe') ? '-noterminal' : '',
      process.sasLoc!.endsWith('sas.exe') ? '-nostatuswin' : '',
-      isWindows() ? '-nologo' : ''
+      process.sasLoc!.endsWith('sas.exe') ? '-NOPRNGETLIST' : '',
+      process.sasLoc!.endsWith('sas.exe') ? '-SASINITIALFOLDER' : '',
+      process.sasLoc!.endsWith('sas.exe') ? session.path : ''
    ])
      .then(() => {
-        session.completed = true
-        console.log('session completed', session)
+        session.state = SessionState.completed
+
+        process.logger.info('session completed', session)
      })
      .catch((err) => {
-        session.completed = true
-        session.crashed = err.toString()
-        console.log('session crashed', session.id, session.crashed)
+        session.state = SessionState.failed
+
+        session.failureReason = err.toString()
+
+        process.logger.error(
+          'session crashed',
+          session.id,
+          session.failureReason
+        )
      })

    // we have a triggered session - add to array
@@ -132,15 +176,22 @@ ${autoExecContent}`
    const codeFilePath = path.join(session.path, 'code.sas')

    // TODO: don't wait forever
-    while ((await fileExists(codeFilePath)) && !session.crashed) {}
+    while (
+      (await fileExists(codeFilePath)) &&
+      session.state !== SessionState.failed
+    ) {}

-    if (session.crashed)
-      console.log('session crashed! while waiting to be ready', session.crashed)
-
-    session.ready = true
+    if (session.state === SessionState.failed) {
+      process.logger.error(
+        'session crashed! while waiting to be ready',
+        session.failureReason
+      )
+    } else {
+      session.state = SessionState.pending
+    }
  }

-  public async deleteSession(session: Session) {
+  private async deleteSession(session: Session) {
    // remove the temporary files, to avoid buildup
    await deleteFolder(session.path)

@@ -151,80 +202,54 @@ ${autoExecContent}`
  }

  private scheduleSessionDestroy(session: Session) {
-    setTimeout(async () => {
-      if (session.inUse) {
-        // adding 10 more minutes
-        const newDeathTimeStamp = parseInt(session.deathTimeStamp) + 10 * 1000
-        session.deathTimeStamp = newDeathTimeStamp.toString()
+    setTimeout(
+      async () => {
+        if (session.state === SessionState.running) {
+          // adding 10 more minutes
+          const newDeathTimeStamp =
+            parseInt(session.deathTimeStamp) + 10 * 60 * 1000
+          session.deathTimeStamp = newDeathTimeStamp.toString()

-        this.scheduleSessionDestroy(session)
-      } else {
-        await this.deleteSession(session)
-      }
-    }, parseInt(session.deathTimeStamp) - new Date().getTime() - 100)
-  }
-}
+          this.scheduleSessionDestroy(session)
+        } else {
+          const { expiresAfterMins } = session

-export class JSSessionController extends SessionController {
-  protected async createSession(): Promise<Session> {
-    const sessionId = generateUniqueFileName(generateTimestamp())
-    const sessionFolder = path.join(getSessionsFolder(), sessionId)
+          // delay session destroy if expiresAfterMins present
+          if (expiresAfterMins && session.state !== SessionState.completed) {
+            // calculate session death time using expiresAfterMins
+            const newDeathTimeStamp =
+              parseInt(session.deathTimeStamp) +
+              expiresAfterMins.mins * 60 * 1000
+            session.deathTimeStamp = newDeathTimeStamp.toString()

-    const creationTimeStamp = sessionId.split('-').pop() as string
-    // death time of session is 15 mins from creation
-    const deathTimeStamp = (
-      parseInt(creationTimeStamp) +
-      15 * 60 * 1000 -
-      1000
-    ).toString()
+            // set expiresAfterMins to true to avoid using it again
+            session.expiresAfterMins!.used = true

-    const session: Session = {
-      id: sessionId,
-      ready: true,
-      inUse: true,
-      consumed: false,
-      completed: false,
-      creationTimeStamp,
-      deathTimeStamp,
-      path: sessionFolder
-    }
-
-    const headersPath = path.join(session.path, 'stpsrv_header.txt')
-    await createFile(headersPath, 'Content-type: application/json')
-
-    this.sessions.push(session)
-    return session
+            this.scheduleSessionDestroy(session)
+          } else {
+            await this.deleteSession(session)
+          }
+        }
+      },
+      parseInt(session.deathTimeStamp) - new Date().getTime() - 100
+    )
  }
 }

 export const getSessionController = (
  runTime: RunTimeType
-): SASSessionController | JSSessionController => {
+): SessionController => {
  if (runTime === RunTimeType.SAS) {
-    return getSASSessionController()
+    process.sasSessionController =
+      process.sasSessionController || new SASSessionController()
+
+    return process.sasSessionController
  }

-  if (runTime === RunTimeType.JS) {
-    return getJSSessionController()
-  }
+  process.sessionController =
+    process.sessionController || new SessionController()

-  throw new Error('No Runtime is configured')
-}
-
-const getSASSessionController = (): SASSessionController => {
-  if (process.sasSessionController) return process.sasSessionController
-
-  process.sasSessionController = new SASSessionController()
-
-  return process.sasSessionController
-}
-
-const getJSSessionController = (): JSSessionController => {
-  if (process.jsSessionController) return process.jsSessionController
-
-  process.jsSessionController = new JSSessionController()
-
-  return process.jsSessionController
+  return process.sessionController
 }

 const autoExecContent = `
--- a/api/src/controllers/internal/createJSProgram.ts
+++ b/api/src/controllers/internal/createJSProgram.ts
@@ -1,4 +1,4 @@
-import { isWindows } from '@sasjs/utils'
+import { escapeWinSlashes } from '@sasjs/utils'
 import { PreProgramVars, Session } from '../../types'
 import { generateFileUploadJSCode } from '../../utils'
 import { ExecutionVars } from './'
@@ -9,29 +9,27 @@ export const createJSProgram = async (
  vars: ExecutionVars,
  session: Session,
  weboutPath: string,
+  headersPath: string,
  tokenFile: string,
  otherArgs?: any
 ) => {
  const varStatments = Object.keys(vars).reduce(
    (computed: string, key: string) =>
-      `${computed}const ${key} = '${vars[key]}';\n`,
+      `${computed}const ${key} = \`${vars[key]}\`;\n`,
    ''
  )

  const preProgramVarStatments = `
 let _webout = '';
-const weboutPath = '${
-    isWindows() ? weboutPath.replace(/\\/g, '\\\\') : weboutPath
-  }'; 
-const _sasjs_tokenfile = '${
-    isWindows() ? tokenFile.replace(/\\/g, '\\\\') : tokenFile
-  }';
-const _sasjs_username = '${preProgramVariables?.username}';
-const _sasjs_userid = '${preProgramVariables?.userId}';
-const _sasjs_displayname = '${preProgramVariables?.displayName}';
-const _metaperson = _sasjs_displayname;
-const _metauser = _sasjs_username;
-const sasjsprocessmode = 'Stored Program';
+const weboutPath = '${escapeWinSlashes(weboutPath)}'; 
+const _SASJS_TOKENFILE = '${escapeWinSlashes(tokenFile)}';
+const _SASJS_WEBOUT_HEADERS = '${escapeWinSlashes(headersPath)}';
+const _SASJS_USERNAME = '${preProgramVariables?.username}';
+const _SASJS_USERID = '${preProgramVariables?.userId}';
+const _SASJS_DISPLAYNAME = '${preProgramVariables?.displayName}';
+const _METAPERSON = _SASJS_DISPLAYNAME;
+const _METAUSER = _SASJS_USERNAME;
+const SASJSPROCESSMODE = 'Stored Program';
 `

  const requiredModules = `const fs = require('fs')`
@@ -55,14 +53,15 @@ if (_webout) {
 `
  // if no files are uploaded filesNamesMap will be undefined
  if (otherArgs?.filesNamesMap) {
-    const uploadJSCode = await generateFileUploadJSCode(
+    const uploadJsCode = await generateFileUploadJSCode(
      otherArgs.filesNamesMap,
      session.path
    )

-    //If js code for the file is generated it will be appended to the top of jsCode
-    if (uploadJSCode.length > 0) {
-      program = `${uploadJSCode}\n` + program
+    // If any files are uploaded, the program needs to be updated with some
+    // dynamically generated variables (pointers) for ease of ingestion
+    if (uploadJsCode.length > 0) {
+      program = `${uploadJsCode}\n` + program
    }
  }
  return requiredModules + program
--- a/api/src/controllers/internal/createPythonProgram.ts
+++ b/api/src/controllers/internal/createPythonProgram.ts
@@ -0,0 +1,64 @@
+import { escapeWinSlashes } from '@sasjs/utils'
+import { PreProgramVars, Session } from '../../types'
+import { generateFileUploadPythonCode } from '../../utils'
+import { ExecutionVars } from './'
+
+export const createPythonProgram = async (
+  program: string,
+  preProgramVariables: PreProgramVars,
+  vars: ExecutionVars,
+  session: Session,
+  weboutPath: string,
+  headersPath: string,
+  tokenFile: string,
+  otherArgs?: any
+) => {
+  const varStatments = Object.keys(vars).reduce(
+    (computed: string, key: string) => `${computed}${key} = '${vars[key]}';\n`,
+    ''
+  )
+
+  const preProgramVarStatments = `
+_SASJS_SESSION_PATH = '${escapeWinSlashes(session.path)}';
+_WEBOUT = '${escapeWinSlashes(weboutPath)}'; 
+_SASJS_WEBOUT_HEADERS = '${escapeWinSlashes(headersPath)}';
+_SASJS_TOKENFILE = '${escapeWinSlashes(tokenFile)}';
+_SASJS_USERNAME = '${preProgramVariables?.username}';
+_SASJS_USERID = '${preProgramVariables?.userId}';
+_SASJS_DISPLAYNAME = '${preProgramVariables?.displayName}';
+_METAPERSON = _SASJS_DISPLAYNAME;
+_METAUSER = _SASJS_USERNAME;
+SASJSPROCESSMODE = 'Stored Program';
+`
+
+  const requiredModules = `import os`
+
+  program = `
+# runtime vars
+${varStatments}
+
+# dynamic user-provided vars
+${preProgramVarStatments}
+
+# change working directory to  session folder
+os.chdir(_SASJS_SESSION_PATH)
+
+# actual job code
+${program}
+
+`
+  // if no files are uploaded filesNamesMap will be undefined
+  if (otherArgs?.filesNamesMap) {
+    const uploadPythonCode = await generateFileUploadPythonCode(
+      otherArgs.filesNamesMap,
+      session.path
+    )
+
+    // If any files are uploaded, the program needs to be updated with some
+    // dynamically generated variables (pointers) for ease of ingestion
+    if (uploadPythonCode.length > 0) {
+      program = `${uploadPythonCode}\n` + program
+    }
+  }
+  return requiredModules + program
+}
--- a/api/src/controllers/internal/createRProgram.ts
+++ b/api/src/controllers/internal/createRProgram.ts
@@ -0,0 +1,64 @@
+import { escapeWinSlashes } from '@sasjs/utils'
+import { PreProgramVars, Session } from '../../types'
+import { generateFileUploadRCode } from '../../utils'
+import { ExecutionVars } from '.'
+
+export const createRProgram = async (
+  program: string,
+  preProgramVariables: PreProgramVars,
+  vars: ExecutionVars,
+  session: Session,
+  weboutPath: string,
+  headersPath: string,
+  tokenFile: string,
+  otherArgs?: any
+) => {
+  const varStatments = Object.keys(vars).reduce(
+    (computed: string, key: string) => `${computed}.${key} <- '${vars[key]}'\n`,
+    ''
+  )
+
+  const preProgramVarStatments = `
+._SASJS_SESSION_PATH <- '${escapeWinSlashes(session.path)}';
+._WEBOUT <- '${escapeWinSlashes(weboutPath)}'; 
+._SASJS_WEBOUT_HEADERS <- '${escapeWinSlashes(headersPath)}';
+._SASJS_TOKENFILE <- '${escapeWinSlashes(tokenFile)}';
+._SASJS_USERNAME <- '${preProgramVariables?.username}';
+._SASJS_USERID <- '${preProgramVariables?.userId}';
+._SASJS_DISPLAYNAME <- '${preProgramVariables?.displayName}';
+._METAPERSON <- ._SASJS_DISPLAYNAME;
+._METAUSER <- ._SASJS_USERNAME;
+SASJSPROCESSMODE <- 'Stored Program';
+`
+
+  const requiredModules = ``
+
+  program = `
+# runtime vars
+${varStatments}
+
+# dynamic user-provided vars
+${preProgramVarStatments}
+
+# change working directory to  session folder
+setwd(._SASJS_SESSION_PATH)
+
+# actual job code
+${program}
+
+`
+  // if no files are uploaded filesNamesMap will be undefined
+  if (otherArgs?.filesNamesMap) {
+    const uploadRCode = await generateFileUploadRCode(
+      otherArgs.filesNamesMap,
+      session.path
+    )
+
+    // If any files are uploaded, the program needs to be updated with some
+    // dynamically generated variables (pointers) for ease of ingestion
+    if (uploadRCode.length > 0) {
+      program = `${uploadRCode}\n` + program
+    }
+  }
+  return requiredModules + program
+}
--- a/api/src/controllers/internal/createSASProgram.ts
+++ b/api/src/controllers/internal/createSASProgram.ts
@@ -8,6 +8,7 @@ export const createSASProgram = async (
  vars: ExecutionVars,
  session: Session,
  weboutPath: string,
+  headersPath: string,
  tokenFile: string,
  otherArgs?: any
 ) => {
@@ -23,10 +24,14 @@ export const createSASProgram = async (
 %let _sasjs_displayname=${preProgramVariables?.displayName};
 %let _sasjs_apiserverurl=${preProgramVariables?.serverUrl};
 %let _sasjs_apipath=/SASjsApi/stp/execute;
+%let _sasjs_webout_headers=${headersPath};
 %let _metaperson=&_sasjs_displayname;
 %let _metauser=&_sasjs_username;
+
+/* the below is here for compatibility and will be removed in a future release */
+%let sasjs_stpsrv_header_loc=&_sasjs_webout_headers;
+
 %let sasjsprocessmode=Stored Program;
-%let sasjs_stpsrv_header_loc=%sysfunc(pathname(work))/../stpsrv_header.txt;

 %global SYSPROCESSMODE SYSTCPIPHOSTNAME SYSHOSTINFOLONG;
 %macro _sasjs_server_init();
@@ -35,8 +40,6 @@ export const createSASProgram = async (
 %mend;
 %_sasjs_server_init()

-proc printto print="%sysfunc(getoption(log))";
-run;
 `

  program = `
@@ -63,7 +66,8 @@ ${program}`
      session.path
    )

-    //If sas code for the file is generated it will be appended to the top of sasCode
+    // If any files are uploaded, the program needs to be updated with some
+    // dynamically generated variables (pointers) for ease of ingestion
    if (uploadSasCode.length > 0) {
      program = `${uploadSasCode}` + program
    }
--- a/api/src/controllers/internal/index.ts
+++ b/api/src/controllers/internal/index.ts
@@ -4,4 +4,6 @@ export * from './Execution'
 export * from './FileUploadController'
 export * from './createSASProgram'
 export * from './createJSProgram'
+export * from './createPythonProgram'
+export * from './createRProgram'
 export * from './processProgram'
--- a/api/src/controllers/internal/processProgram.ts
+++ b/api/src/controllers/internal/processProgram.ts
@@ -1,11 +1,17 @@
 import path from 'path'
-import fs from 'fs'
-import { execFileSync } from 'child_process'
+import { WriteStream, createWriteStream } from 'fs'
+import { execFile } from 'child_process'
 import { once } from 'stream'
 import { createFile, moveFile } from '@sasjs/utils'
-import { PreProgramVars, Session } from '../../types'
+import { PreProgramVars, Session, SessionState } from '../../types'
 import { RunTimeType } from '../../utils'
-import { ExecutionVars, createSASProgram, createJSProgram } from './'
+import {
+  ExecutionVars,
+  createSASProgram,
+  createJSProgram,
+  createPythonProgram,
+  createRProgram
+} from './'

 export const processProgram = async (
  program: string,
@@ -13,54 +19,20 @@ export const processProgram = async (
  vars: ExecutionVars,
  session: Session,
  weboutPath: string,
+  headersPath: string,
  tokenFile: string,
  runTime: RunTimeType,
  logPath: string,
  otherArgs?: any
 ) => {
-  if (runTime === RunTimeType.JS) {
-    program = await createJSProgram(
-      program,
-      preProgramVariables,
-      vars,
-      session,
-      weboutPath,
-      tokenFile,
-      otherArgs
-    )
-
-    const codePath = path.join(session.path, 'code.js')
-
-    try {
-      await createFile(codePath, program)
-
-      // create a stream that will write to console outputs to log file
-      const writeStream = fs.createWriteStream(logPath)
-
-      // waiting for the open event so that we can have underlying file descriptor
-      await once(writeStream, 'open')
-
-      execFileSync(process.nodeLoc!, [codePath], {
-        stdio: ['ignore', writeStream, writeStream]
-      })
-
-      // copy the code.js program to log and end write stream
-      writeStream.end(program)
-
-      session.completed = true
-      console.log('session completed', session)
-    } catch (err: any) {
-      session.completed = true
-      session.crashed = err.toString()
-      console.log('session crashed', session.id, session.crashed)
-    }
-  } else {
+  if (runTime === RunTimeType.SAS) {
    program = await createSASProgram(
      program,
      preProgramVariables,
      vars,
      session,
      weboutPath,
+      headersPath,
      tokenFile,
      otherArgs
    )
@@ -77,10 +49,121 @@ export const processProgram = async (
    await moveFile(codePath + '.bkp', codePath)

    // we now need to poll the session status
-    while (!session.completed) {
+    while (session.state !== SessionState.completed) {
      await delay(50)
    }
+  } else {
+    let codePath: string
+    let executablePath: string
+    switch (runTime) {
+      case RunTimeType.JS:
+        program = await createJSProgram(
+          program,
+          preProgramVariables,
+          vars,
+          session,
+          weboutPath,
+          headersPath,
+          tokenFile,
+          otherArgs
+        )
+        codePath = path.join(session.path, 'code.js')
+        executablePath = process.nodeLoc!
+
+        break
+      case RunTimeType.PY:
+        program = await createPythonProgram(
+          program,
+          preProgramVariables,
+          vars,
+          session,
+          weboutPath,
+          headersPath,
+          tokenFile,
+          otherArgs
+        )
+        codePath = path.join(session.path, 'code.py')
+        executablePath = process.pythonLoc!
+
+        break
+      case RunTimeType.R:
+        program = await createRProgram(
+          program,
+          preProgramVariables,
+          vars,
+          session,
+          weboutPath,
+          headersPath,
+          tokenFile,
+          otherArgs
+        )
+        codePath = path.join(session.path, 'code.r')
+        executablePath = process.rLoc!
+
+        break
+      default:
+        throw new Error('Invalid runtime!')
+    }
+
+    await createFile(codePath, program)
+
+    // create a stream that will write to console outputs to log file
+    const writeStream = createWriteStream(logPath)
+    // waiting for the open event so that we can have underlying file descriptor
+    await once(writeStream, 'open')
+
+    await execFilePromise(executablePath, [codePath], writeStream)
+      .then(() => {
+        session.state = SessionState.completed
+
+        process.logger.info('session completed', session)
+      })
+      .catch((err) => {
+        session.state = SessionState.failed
+
+        session.failureReason = err.toString()
+
+        process.logger.error(
+          'session crashed',
+          session.id,
+          session.failureReason
+        )
+      })
+
+    // copy the code file to log and end write stream
+    writeStream.end(program)
  }
 }

+/**
+ * Promisified child_process.execFile
+ *
+ * @param file - The name or path of the executable file to run.
+ * @param args - List of string arguments.
+ * @param writeStream - Child process stdout and stderr will be piped to it.
+ *
+ * @returns {Promise<{ stdout: string, stderr: string }>}
+ */
+const execFilePromise = (
+  file: string,
+  args: string[],
+  writeStream: WriteStream
+): Promise<{ stdout: string; stderr: string }> => {
+  return new Promise((resolve, reject) => {
+    const child = execFile(file, args, (err, stdout, stderr) => {
+      if (err) reject(err)
+
+      resolve({ stdout, stderr })
+    })
+
+    child.stdout?.on('data', (data) => {
+      writeStream.write(data)
+    })
+
+    child.stderr?.on('data', (data) => {
+      writeStream.write(data)
+    })
+  })
+}
+
 const delay = (ms: number) => new Promise((resolve) => setTimeout(resolve, ms))
--- a/api/src/controllers/mock-sas9.ts
+++ b/api/src/controllers/mock-sas9.ts
@@ -0,0 +1,283 @@
+import { readFile } from '@sasjs/utils'
+import express from 'express'
+import path from 'path'
+import { Request, Post, Get } from 'tsoa'
+import dotenv from 'dotenv'
+import { ExecutionController } from './internal'
+import {
+  getPreProgramVariables,
+  getRunTimeAndFilePath,
+  makeFilesNamesMap
+} from '../utils'
+import { MulterFile } from '../types/Upload'
+
+dotenv.config()
+
+export interface Sas9Response {
+  content: string
+  redirect?: string
+  error?: boolean
+}
+
+export interface MockFileRead {
+  content: string
+  error?: boolean
+}
+
+export class MockSas9Controller {
+  private loggedIn: string | undefined
+  private mocksPath = process.env.STATIC_MOCK_LOCATION || 'mocks'
+
+  @Get('/SASStoredProcess')
+  public async sasStoredProcess(
+    @Request() req: express.Request
+  ): Promise<Sas9Response> {
+    const username = req.query._username?.toString() || undefined
+    const password = req.query._password?.toString() || undefined
+
+    if (username && password) this.loggedIn = req.body.username
+
+    if (!this.loggedIn) {
+      return {
+        content: '',
+        redirect: '/SASLogon/login'
+      }
+    }
+
+    let program = req.query._program?.toString() || undefined
+    const filePath: string[] = program
+      ? program.replace('/', '').split('/')
+      : ['generic', 'sas-stored-process']
+
+    if (program) {
+      return await getMockResponseFromFile([
+        process.cwd(),
+        this.mocksPath,
+        'sas9',
+        ...filePath
+      ])
+    }
+
+    return await getMockResponseFromFile([
+      process.cwd(),
+      'mocks',
+      'sas9',
+      ...filePath
+    ])
+  }
+
+  @Get('/SASStoredProcess/do')
+  public async sasStoredProcessDoGet(
+    @Request() req: express.Request
+  ): Promise<Sas9Response> {
+    const username = req.query._username?.toString() || undefined
+    const password = req.query._password?.toString() || undefined
+
+    if (username && password) this.loggedIn = username
+
+    if (!this.loggedIn) {
+      return {
+        content: '',
+        redirect: '/SASLogon/login'
+      }
+    }
+
+    const program = req.query._program ?? req.body?._program
+    const filePath: string[] = ['generic', 'sas-stored-process']
+
+    if (program) {
+      const vars = { ...req.query, ...req.body, _requestMethod: req.method }
+      const otherArgs = {}
+
+      try {
+        const { codePath, runTime } = await getRunTimeAndFilePath(
+          program + '.js'
+        )
+
+        const result = await new ExecutionController().executeFile({
+          programPath: codePath,
+          preProgramVariables: getPreProgramVariables(req),
+          vars: vars,
+          otherArgs: otherArgs,
+          runTime,
+          forceStringResult: true
+        })
+
+        return {
+          content: result.result as string
+        }
+      } catch (err) {
+        process.logger.error('err', err)
+      }
+
+      return {
+        content: 'No webout returned.'
+      }
+    }
+
+    return await getMockResponseFromFile([
+      process.cwd(),
+      'mocks',
+      'sas9',
+      ...filePath
+    ])
+  }
+
+  @Post('/SASStoredProcess/do/')
+  public async sasStoredProcessDoPost(
+    @Request() req: express.Request
+  ): Promise<Sas9Response> {
+    if (!this.loggedIn) {
+      return {
+        content: '',
+        redirect: '/SASLogon/login'
+      }
+    }
+
+    if (this.isPublicAccount()) {
+      return {
+        content: '',
+        redirect: '/SASLogon/Login'
+      }
+    }
+
+    const program = req.query._program ?? req.body?._program
+    const vars = {
+      ...req.query,
+      ...req.body,
+      _requestMethod: req.method,
+      _driveLoc: process.driveLoc
+    }
+    const filesNamesMap = req.files?.length
+      ? makeFilesNamesMap(req.files as MulterFile[])
+      : null
+    const otherArgs = { filesNamesMap: filesNamesMap }
+    const { codePath, runTime } = await getRunTimeAndFilePath(program + '.js')
+    try {
+      const result = await new ExecutionController().executeFile({
+        programPath: codePath,
+        preProgramVariables: getPreProgramVariables(req),
+        vars: vars,
+        otherArgs: otherArgs,
+        runTime,
+        session: req.sasjsSession,
+        forceStringResult: true
+      })
+
+      return {
+        content: result.result as string
+      }
+    } catch (err) {
+      process.logger.error('err', err)
+    }
+
+    return {
+      content: 'No webout returned.'
+    }
+  }
+
+  @Get('/SASLogon/login')
+  public async loginGet(): Promise<Sas9Response> {
+    if (this.loggedIn) {
+      if (this.isPublicAccount()) {
+        return {
+          content: '',
+          redirect: '/SASStoredProcess/Logoff?publicDenied=true'
+        }
+      } else {
+        return await getMockResponseFromFile([
+          process.cwd(),
+          'mocks',
+          'sas9',
+          'generic',
+          'logged-in'
+        ])
+      }
+    }
+
+    return await getMockResponseFromFile([
+      process.cwd(),
+      'mocks',
+      'sas9',
+      'generic',
+      'login'
+    ])
+  }
+
+  @Post('/SASLogon/login')
+  public async loginPost(req: express.Request): Promise<Sas9Response> {
+    if (req.body.lt && req.body.lt !== 'validtoken')
+      return {
+        content: '',
+        redirect: '/SASLogon/login'
+      }
+
+    this.loggedIn = req.body.username
+
+    return await getMockResponseFromFile([
+      process.cwd(),
+      'mocks',
+      'sas9',
+      'generic',
+      'logged-in'
+    ])
+  }
+
+  @Get('/SASLogon/logout')
+  public async logout(req: express.Request): Promise<Sas9Response> {
+    this.loggedIn = undefined
+
+    if (req.query.publicDenied === 'true') {
+      return await getMockResponseFromFile([
+        process.cwd(),
+        'mocks',
+        'sas9',
+        'generic',
+        'public-access-denied'
+      ])
+    }
+
+    return await getMockResponseFromFile([
+      process.cwd(),
+      'mocks',
+      'sas9',
+      'generic',
+      'logged-out'
+    ])
+  }
+
+  @Get('/SASStoredProcess/Logoff') //publicDenied=true
+  public async logoff(req: express.Request): Promise<Sas9Response> {
+    const params = req.query.publicDenied
+      ? `?publicDenied=${req.query.publicDenied}`
+      : ''
+
+    return {
+      content: '',
+      redirect: '/SASLogon/logout' + params
+    }
+  }
+
+  private isPublicAccount = () => this.loggedIn?.toLowerCase() === 'public'
+}
+
+const getMockResponseFromFile = async (
+  filePath: string[]
+): Promise<MockFileRead> => {
+  const filePathParsed = path.join(...filePath)
+  let error: boolean = false
+
+  let file = await readFile(filePathParsed).catch((err: any) => {
+    const errMsg = `Error reading mocked file on path: ${filePathParsed}\nError: ${err}`
+    process.logger.error(errMsg)
+
+    error = true
+
+    return errMsg
+  })
+
+  return {
+    content: file,
+    error: error
+  }
+}
--- a/api/src/controllers/permission.ts
+++ b/api/src/controllers/permission.ts
@@ -56,9 +56,9 @@ interface RegisterPermissionPayload {
  principalType: PrincipalType
  /**
   * The id of user or group to which a rule is assigned.
-   * @example 123
+   * @example 'groupIdString'
   */
-  principalId: number
+  principalId: string
 }

 interface UpdatePermissionPayload {
@@ -70,7 +70,7 @@ interface UpdatePermissionPayload {
 }

 export interface PermissionDetailsResponse {
-  permissionId: number
+  uid: string
  path: string
  type: string
  setting: string
@@ -91,24 +91,24 @@ export class PermissionController {
   */
  @Example<PermissionDetailsResponse[]>([
    {
-      permissionId: 123,
+      uid: 'permissionId1String',
      path: '/SASjsApi/code/execute',
      type: 'Route',
      setting: 'Grant',
      user: {
-        id: 1,
+        uid: 'user1-id',
        username: 'johnSnow01',
        displayName: 'John Snow',
        isAdmin: false
      }
    },
    {
-      permissionId: 124,
+      uid: 'permissionId2String',
      path: '/SASjsApi/code/execute',
      type: 'Route',
      setting: 'Grant',
      group: {
-        groupId: 1,
+        uid: 'group1-id',
        name: 'DCGroup',
        description: 'This group represents Data Controller Users',
        isActive: true,
@@ -128,12 +128,12 @@ export class PermissionController {
   *
   */
  @Example<PermissionDetailsResponse>({
-    permissionId: 123,
+    uid: 'permissionIdString',
    path: '/SASjsApi/code/execute',
    type: 'Route',
    setting: 'Grant',
    user: {
-      id: 1,
+      uid: 'userIdString',
      username: 'johnSnow01',
      displayName: 'John Snow',
      isAdmin: false
@@ -149,36 +149,36 @@ export class PermissionController {
  /**
   * @summary Update permission setting. Admin only
   * @param permissionId The permission's identifier
-   * @example permissionId 1234
+   * @example permissionId "permissionIdString"
   */
  @Example<PermissionDetailsResponse>({
-    permissionId: 123,
+    uid: 'permissionIdString',
    path: '/SASjsApi/code/execute',
    type: 'Route',
    setting: 'Grant',
    user: {
-      id: 1,
+      uid: 'userIdString',
      username: 'johnSnow01',
      displayName: 'John Snow',
      isAdmin: false
    }
  })
-  @Patch('{permissionId}')
+  @Patch('{uid}')
  public async updatePermission(
-    @Path() permissionId: number,
+    @Path() uid: string,
    @Body() body: UpdatePermissionPayload
  ): Promise<PermissionDetailsResponse> {
-    return updatePermission(permissionId, body)
+    return updatePermission(uid, body)
  }

  /**
   * @summary Delete a permission. Admin only.
   * @param permissionId The user's identifier
-   * @example permissionId 1234
+   * @example permissionId "permissionIdString"
   */
-  @Delete('{permissionId}')
-  public async deletePermission(@Path() permissionId: number) {
-    return deletePermission(permissionId)
+  @Delete('{uid}')
+  public async deletePermission(@Path() uid: string) {
+    return deletePermission(uid)
  }
 }

@@ -191,7 +191,7 @@ const getAllPermissions = async (
  else {
    const permissions: PermissionDetailsResponse[] = []

-    const dbUser = await User.findOne({ id: user?.userId })
+    const dbUser = await User.findOne({ _id: user?.userId })
    if (!dbUser)
      throw {
        code: 404,
@@ -227,7 +227,7 @@ const createPermission = async ({

  switch (principalType) {
    case PrincipalType.user: {
-      const userInDB = await User.findOne({ id: principalId })
+      const userInDB = await User.findOne({ _id: principalId })
      if (!userInDB)
        throw {
          code: 404,
@@ -259,7 +259,7 @@ const createPermission = async ({
      permission.user = userInDB._id

      user = {
-        id: userInDB.id,
+        uid: userInDB.uid,
        username: userInDB.username,
        displayName: userInDB.displayName,
        isAdmin: userInDB.isAdmin
@@ -267,7 +267,7 @@ const createPermission = async ({
      break
    }
    case PrincipalType.group: {
-      const groupInDB = await Group.findOne({ groupId: principalId })
+      const groupInDB = await Group.findOne({ _id: principalId })
      if (!groupInDB)
        throw {
          code: 404,
@@ -291,13 +291,13 @@ const createPermission = async ({
      permission.group = groupInDB._id

      group = {
-        groupId: groupInDB.groupId,
+        uid: groupInDB.uid,
        name: groupInDB.name,
        description: groupInDB.description,
        isActive: groupInDB.isActive,
        users: groupInDB.populate({
          path: 'users',
-          select: 'id username displayName isAdmin -_id',
+          select: 'uid username displayName isAdmin -_id',
          options: { limit: 15 }
        }) as unknown as UserResponse[]
      }
@@ -314,7 +314,7 @@ const createPermission = async ({
  const savedPermission = await permission.save()

  return {
-    permissionId: savedPermission.permissionId,
+    uid: savedPermission.uid,
    path: savedPermission.path,
    type: savedPermission.type,
    setting: savedPermission.setting,
@@ -324,27 +324,21 @@ const createPermission = async ({
 }

 const updatePermission = async (
-  id: number,
+  uid: string,
  data: UpdatePermissionPayload
 ): Promise<PermissionDetailsResponse> => {
  const { setting } = data

  const updatedPermission = (await Permission.findOneAndUpdate(
-    { permissionId: id },
+    { _id: uid },
    { setting },
    { new: true }
  )
-    .select({
-      _id: 0,
-      permissionId: 1,
-      path: 1,
-      type: 1,
-      setting: 1
-    })
-    .populate({ path: 'user', select: 'id username displayName isAdmin -_id' })
+    .select('uid path type setting')
+    .populate({ path: 'user', select: 'uid username displayName isAdmin' })
    .populate({
      path: 'group',
-      select: 'groupId name description -_id'
+      select: 'groupId name description'
    })) as unknown as PermissionDetailsResponse
  if (!updatedPermission)
    throw {
@@ -356,13 +350,13 @@ const updatePermission = async (
  return updatedPermission
 }

-const deletePermission = async (id: number) => {
-  const permission = await Permission.findOne({ permissionId: id })
+const deletePermission = async (uid: string) => {
+  const permission = await Permission.findOne({ _id: uid })
  if (!permission)
    throw {
      code: 404,
      status: 'Not Found',
      message: 'Permission not found.'
    }
-  await Permission.deleteOne({ permissionId: id })
+  await Permission.deleteOne({ _id: uid })
 }
--- a/api/src/controllers/session.ts
+++ b/api/src/controllers/session.ts
@@ -1,6 +1,13 @@
 import express from 'express'
 import { Request, Security, Route, Tags, Example, Get } from 'tsoa'
 import { UserResponse } from './user'
+import { getSessionController } from './internal'
+import { SessionState } from '../types'
+
+interface SessionResponse extends Omit<UserResponse, 'uid'> {
+  id: string
+  needsToUpdatePassword?: boolean
+}

@Security('bearerAuth')
@Route('SASjsApi/session')
@@ -10,23 +17,57 @@ export class SessionController {
   * @summary Get session info (username).
   *
   */
-  @Example<UserResponse>({
-    id: 123,
+  @Example<SessionResponse>({
+    id: 'userIdString',
    username: 'johnusername',
    displayName: 'John',
-    isAdmin: false
+    isAdmin: false,
+    needsToUpdatePassword: false
  })
  @Get('/')
  public async session(
    @Request() request: express.Request
-  ): Promise<UserResponse> {
+  ): Promise<SessionResponse> {
    return session(request)
  }
+
+  /**
+   * The polling endpoint is currently implemented for single-server deployments only.<br>
+   * Load balanced / grid topologies will be supported in a future release.<br>
+   * If your site requires this, please reach out to SASjs Support.
+   * @summary Get session state (initialising, pending, running, completed, failed).
+   * @example completed
+   */
+  @Get('/:sessionId/state')
+  public async sessionState(sessionId: string): Promise<SessionState> {
+    return sessionState(sessionId)
+  }
 }

 const session = (req: express.Request) => ({
  id: req.user!.userId,
  username: req.user!.username,
  displayName: req.user!.displayName,
-  isAdmin: req.user!.isAdmin
+  isAdmin: req.user!.isAdmin,
+  needsToUpdatePassword: req.user!.needsToUpdatePassword
 })
+
+const sessionState = (sessionId: string): SessionState => {
+  for (let runTime of process.runTimes) {
+    // get session controller for each available runTime
+    const sessionController = getSessionController(runTime)
+
+    // get session by sessionId
+    const session = sessionController.getSessionById(sessionId)
+
+    // return session state if session was found
+    if (session) {
+      return session.state
+    }
+  }
+
+  throw {
+    code: 404,
+    message: `Session with ID '${sessionId}' was not found.`
+  }
+}
--- a/api/src/controllers/stp.ts
+++ b/api/src/controllers/stp.ts
@@ -1,33 +1,18 @@
 import express from 'express'
+import { Request, Security, Route, Tags, Post, Body, Get, Query } from 'tsoa'
 import {
-  Request,
-  Security,
-  Route,
-  Tags,
-  Post,
-  Body,
-  Get,
-  Query,
-  Example
-} from 'tsoa'
-import {
-  ExecuteReturnJson,
-  ExecuteReturnRaw,
  ExecutionController,
-  ExecutionVars
+  ExecutionVars,
+  getSessionController
 } from './internal'
 import {
  getPreProgramVariables,
-  HTTPHeaders,
-  isDebugOn,
-  LogLine,
  makeFilesNamesMap,
-  parseLogToArray,
  getRunTimeAndFilePath
 } from '../utils'
 import { MulterFile } from '../types/Upload'

-interface ExecuteReturnJsonPayload {
+interface ExecutePostRequestPayload {
  /**
   * Location of SAS program
   * @example "/Public/somefolder/some.file"
@@ -35,15 +20,34 @@ interface ExecuteReturnJsonPayload {
  _program?: string
 }

-interface IRecordOfAny {
-  [key: string]: any
+interface TriggerProgramPayload {
+  /**
+   * Location of SAS program.
+   * @example "/Public/somefolder/some.file"
+   */
+  _program: string
+  /**
+   * Amount of minutes after the completion of the program when the session must be
+   * destroyed.
+   * @example 15
+   */
+  expiresAfterMins?: number
+  /**
+   * Query param for setting debug mode.
+   */
+  _debug?: number
 }
-export interface ExecuteReturnJsonResponse {
-  status: string
-  _webout: string | IRecordOfAny
-  log: LogLine[]
-  message?: string
-  httpHeaders: HTTPHeaders
+
+interface TriggerProgramResponse {
+  /**
+   * `sessionId` is the ID of the session and the name of the temporary folder
+   * used to store program outputs.<br><br>
+   * For SAS, this would be the location of the SASWORK folder.<br><br>
+   * `sessionId` can be used to poll session state using the
+   * GET /SASjsApi/session/{sessionId}/state endpoint.
+   * @example "20241028074744-54132-1730101664824"
+   */
+  sessionId: string
 }

@Security('bearerAuth')
@@ -51,86 +55,106 @@ export interface ExecuteReturnJsonResponse {
@Tags('STP')
 export class STPController {
  /**
-   * Trigger a SAS or JS program using the _program URL parameter.
+   * Trigger a Stored Program using the _program URL parameter.
   *
-   * Accepts URL parameters and file uploads.  For more details, see docs:
+   * Accepts additional URL parameters (converted to session variables)
+   * and file uploads.  For more details, see docs:
   *
   * https://server.sasjs.io/storedprograms
   *
-   * @summary Execute a Stored Program, returns raw _webout content.
-   * @param _program Location of SAS or JS code
+   * @summary Execute a Stored Program, returns _webout and (optionally) log.
+   * @param _program Location of Stored Program in SASjs Drive.
+   * @param _debug Optional query param for setting debug mode (returns the session log in the response body).
   * @example _program "/Projects/myApp/some/program"
+   * @example _debug 131
   */
  @Get('/execute')
-  public async executeReturnRaw(
+  public async executeGetRequest(
    @Request() request: express.Request,
-    @Query() _program: string
+    @Query() _program: string,
+    @Query() _debug?: number
  ): Promise<string | Buffer> {
-    return executeReturnRaw(request, _program)
+    let vars = request.query as ExecutionVars
+    if (_debug) {
+      vars = {
+        ...vars,
+        _debug
+      }
+    }
+
+    return execute(request, _program, vars)
  }

  /**
-   * Trigger a SAS or JS program using the _program URL parameter.
+   * Trigger a Stored Program using the _program URL parameter.
   *
   * Accepts URL parameters and file uploads.  For more details, see docs:
   *
   * https://server.sasjs.io/storedprograms
   *
-   * The response will be a JSON object with the following root attributes:
-   * log, webout, headers.
   *
-   * The webout attribute will be nested JSON ONLY if the response-header
-   * contains a content-type of application/json AND it is valid JSON.
-   * Otherwise it will be a stringified version of the webout content.
-   *
-   * @summary Execute a Stored Program, return a JSON object
-   * @param _program Location of SAS or JS code
+   * @summary Execute a Stored Program, returns _webout and (optionally) log.
+   * @param _program Location of code in SASjs Drive
   * @example _program "/Projects/myApp/some/program"
   */
-  @Example<ExecuteReturnJsonResponse>({
-    status: 'success',
-    _webout: 'webout content',
-    log: [],
-    httpHeaders: {
-      'Content-type': 'application/zip',
-      'Cache-Control': 'public, max-age=1000'
-    }
-  })
  @Post('/execute')
-  public async executeReturnJson(
+  public async executePostRequest(
    @Request() request: express.Request,
-    @Body() body?: ExecuteReturnJsonPayload,
+    @Body() body?: ExecutePostRequestPayload,
    @Query() _program?: string
-  ): Promise<ExecuteReturnJsonResponse> {
+  ): Promise<string | Buffer> {
    const program = _program ?? body?._program
-    return executeReturnJson(request, program!)
+    const vars = { ...request.query, ...request.body }
+    const filesNamesMap = request.files?.length
+      ? makeFilesNamesMap(request.files as MulterFile[])
+      : null
+    const otherArgs = { filesNamesMap: filesNamesMap }
+
+    return execute(request, program!, vars, otherArgs)
+  }
+
+  /**
+   * Trigger Program on the Specified Runtime.
+   * @summary Triggers program and returns SessionId immediately - does not wait for program completion.
+   * @param _program Location of code in SASjs Drive.
+   * @param expiresAfterMins Optional query param for setting amount of minutes after the completion of the program when the session must be destroyed.
+   * @param _debug Optional query param for setting debug mode.
+   * @example _program "/Projects/myApp/some/program"
+   * @example _debug 131
+   * @example expiresAfterMins 15
+   */
+  @Post('/trigger')
+  public async triggerProgram(
+    @Request() request: express.Request,
+    @Query() _program: string,
+    @Query() _debug?: number,
+    @Query() expiresAfterMins?: number
+  ): Promise<TriggerProgramResponse> {
+    return triggerProgram(request, { _program, _debug, expiresAfterMins })
  }
 }

-const executeReturnRaw = async (
+const execute = async (
  req: express.Request,
-  _program: string
+  _program: string,
+  vars: ExecutionVars,
+  otherArgs?: any
 ): Promise<string | Buffer> => {
-  const query = req.query as ExecutionVars
-
  try {
    const { codePath, runTime } = await getRunTimeAndFilePath(_program)

-    const { result, httpHeaders } =
-      (await new ExecutionController().executeFile({
+    const { result, httpHeaders } = await new ExecutionController().executeFile(
+      {
        programPath: codePath,
+        runTime,
        preProgramVariables: getPreProgramVariables(req),
-        vars: query,
-        runTime
-      })) as ExecuteReturnRaw
+        vars,
+        otherArgs,
+        session: req.sasjsSession
+      }
+    )

-    // Should over-ride response header for debug
-    // on GET request to see entire log rendering on browser.
-    if (isDebugOn(query)) {
-      httpHeaders['content-type'] = 'text/plain'
-    }
-
-    req.res?.set(httpHeaders)
+    req.res?.header(httpHeaders)

    if (result instanceof Buffer) {
      ;(req as any).sasHeaders = httpHeaders
@@ -147,41 +171,45 @@ const executeReturnRaw = async (
  }
 }

-const executeReturnJson = async (
+const triggerProgram = async (
  req: express.Request,
-  _program: string
-): Promise<ExecuteReturnJsonResponse> => {
-  const filesNamesMap = req.files?.length
-    ? makeFilesNamesMap(req.files as MulterFile[])
-    : null
-
+  { _program, _debug, expiresAfterMins }: TriggerProgramPayload
+): Promise<TriggerProgramResponse> => {
  try {
+    // put _program query param into vars object
+    const vars: { [key: string]: string | number } = { _program }
+
+    // if present add _debug query param to vars object
+    if (_debug) {
+      vars._debug = _debug
+    }
+
+    // get code path and runTime
    const { codePath, runTime } = await getRunTimeAndFilePath(_program)

-    const { webout, log, httpHeaders } =
-      (await new ExecutionController().executeFile({
-        programPath: codePath,
-        preProgramVariables: getPreProgramVariables(req),
-        vars: { ...req.query, ...req.body },
-        otherArgs: { filesNamesMap: filesNamesMap },
-        returnJson: true,
-        session: req.sasjsSession,
-        runTime
-      })) as ExecuteReturnJson
+    // get session controller based on runTime
+    const sessionController = getSessionController(runTime)

-    let weboutRes: string | IRecordOfAny = webout
-    if (httpHeaders['content-type']?.toLowerCase() === 'application/json') {
-      try {
-        weboutRes = JSON.parse(webout as string)
-      } catch (_) {}
+    // get session
+    const session = await sessionController.getSession()
+
+    // add expiresAfterMins to session if provided
+    if (expiresAfterMins) {
+      // expiresAfterMins.used is set initially to false
+      session.expiresAfterMins = { mins: expiresAfterMins, used: false }
    }

-    return {
-      status: 'success',
-      _webout: weboutRes,
-      log: parseLogToArray(log),
-      httpHeaders
-    }
+    // call executeFile method of ExecutionController without awaiting
+    new ExecutionController().executeFile({
+      programPath: codePath,
+      runTime,
+      preProgramVariables: getPreProgramVariables(req),
+      vars,
+      session
+    })
+
+    // return session id
+    return { sessionId: session.id }
  } catch (err: any) {
    throw {
      code: 400,
--- a/api/src/controllers/user.ts
+++ b/api/src/controllers/user.ts
@@ -17,22 +17,23 @@ import {
 import { desktopUser } from '../middlewares'

 import User, { UserPayload } from '../model/User'
-import { getUserAutoExec, updateUserAutoExec, ModeType } from '../utils'
-import { GroupResponse } from './group'
+import {
+  getUserAutoExec,
+  updateUserAutoExec,
+  ModeType,
+  ALL_USERS_GROUP
+} from '../utils'
+import { GroupController, GroupResponse } from './group'

 export interface UserResponse {
-  id: number
+  uid: string
  username: string
  displayName: string
  isAdmin: boolean
 }

-export interface UserDetailsResponse {
-  id: number
-  displayName: string
-  username: string
+export interface UserDetailsResponse extends UserResponse {
  isActive: boolean
-  isAdmin: boolean
  autoExec?: string
  groups?: GroupResponse[]
 }
@@ -47,13 +48,13 @@ export class UserController {
   */
  @Example<UserResponse[]>([
    {
-      id: 123,
+      uid: 'userIdString',
      username: 'johnusername',
      displayName: 'John',
      isAdmin: false
    },
    {
-      id: 456,
+      uid: 'anotherUserIdString',
      username: 'starkusername',
      displayName: 'Stark',
      isAdmin: true
@@ -69,7 +70,7 @@ export class UserController {
   *
   */
  @Example<UserDetailsResponse>({
-    id: 1234,
+    uid: 'userIdString',
    displayName: 'John Snow',
    username: 'johnSnow01',
    isAdmin: false,
@@ -106,20 +107,20 @@ export class UserController {
   * Only Admin or user itself will get user autoExec code.
   * @summary Get user properties - such as group memberships, userName, displayName.
   * @param userId The user's identifier
-   * @example userId 1234
+   * @example userId "userIdString"
   */
-  @Get('{userId}')
+  @Get('{uid}')
  public async getUser(
    @Request() req: express.Request,
-    @Path() userId: number
+    @Path() uid: string
  ): Promise<UserDetailsResponse> {
    const { MODE } = process.env

    if (MODE === ModeType.Desktop) return getDesktopAutoExec()

    const { user } = req
-    const getAutoExec = user!.isAdmin || user!.userId == userId
-    return getUser({ id: userId }, getAutoExec)
+    const getAutoExec = user!.isAdmin || user!.userId === uid
+    return getUser({ _id: uid }, getAutoExec)
  }

  /**
@@ -128,7 +129,7 @@ export class UserController {
   * @example username "johnSnow01"
   */
  @Example<UserDetailsResponse>({
-    id: 1234,
+    uid: 'userIdString',
    displayName: 'John Snow',
    username: 'johnSnow01',
    isAdmin: false,
@@ -153,7 +154,7 @@ export class UserController {
   * @example userId "1234"
   */
  @Example<UserDetailsResponse>({
-    id: 1234,
+    uid: 'userIdString',
    displayName: 'John Snow',
    username: 'johnSnow01',
    isAdmin: false,
@@ -161,7 +162,7 @@ export class UserController {
  })
  @Patch('{userId}')
  public async updateUser(
-    @Path() userId: number,
+    @Path() userId: string,
    @Body() body: UserPayload
  ): Promise<UserDetailsResponse> {
    const { MODE } = process.env
@@ -169,7 +170,7 @@ export class UserController {
    if (MODE === ModeType.Desktop)
      return updateDesktopAutoExec(body.autoExec ?? '')

-    return updateUser({ id: userId }, body)
+    return updateUser({ _id: userId }, body)
  }

  /**
@@ -193,25 +194,27 @@ export class UserController {
   */
  @Delete('{userId}')
  public async deleteUser(
-    @Path() userId: number,
+    @Path() userId: string,
    @Body() body: { password?: string },
    @Query() @Hidden() isAdmin: boolean = false
  ) {
-    return deleteUser({ id: userId }, isAdmin, body)
+    return deleteUser({ _id: userId }, isAdmin, body)
  }
 }

 const getAllUsers = async (): Promise<UserResponse[]> =>
-  await User.find({})
-    .select({ _id: 0, id: 1, username: 1, displayName: 1, isAdmin: 1 })
-    .exec()
+  await User.find({}).select('uid username displayName isAdmin').exec()

 const createUser = async (data: UserPayload): Promise<UserDetailsResponse> => {
  const { displayName, username, password, isAdmin, isActive, autoExec } = data

  // Checking if user is already in the database
  const usernameExist = await User.findOne({ username })
-  if (usernameExist) throw new Error('Username already exists.')
+  if (usernameExist)
+    throw {
+      code: 409,
+      message: 'Username already exists.'
+    }

  // Hash passwords
  const hashPassword = User.hashPassword(password)
@@ -228,8 +231,17 @@ const createUser = async (data: UserPayload): Promise<UserDetailsResponse> => {

  const savedUser = await user.save()

+  const groupController = new GroupController()
+  const allUsersGroup = await groupController
+    .getGroupByName(ALL_USERS_GROUP.name)
+    .catch(() => {})
+
+  if (allUsersGroup) {
+    await groupController.addUserToGroup(allUsersGroup.uid, savedUser.uid)
+  }
+
  return {
-    id: savedUser.id,
+    uid: savedUser.uid,
    displayName: savedUser.displayName,
    username: savedUser.username,
    isActive: savedUser.isActive,
@@ -238,8 +250,8 @@ const createUser = async (data: UserPayload): Promise<UserDetailsResponse> => {
  }
 }

-interface GetUserBy {
-  id?: number
+export interface GetUserBy {
+  _id?: string
  username?: string
 }

@@ -249,21 +261,25 @@ const getUser = async (
 ): Promise<UserDetailsResponse> => {
  const user = (await User.findOne(
    findBy,
-    `id displayName username isActive isAdmin autoExec -_id`
+    `uid displayName username isActive isAdmin autoExec`
  ).populate(
    'groups',
-    'groupId name description -_id'
+    'uid name description'
  )) as unknown as UserDetailsResponse

-  if (!user) throw new Error('User is not found.')
+  if (!user)
+    throw {
+      code: 404,
+      message: 'User is not found.'
+    }

  return {
-    id: user.id,
+    uid: user.uid,
    displayName: user.displayName,
    username: user.username,
    isActive: user.isActive,
    isAdmin: user.isAdmin,
-    autoExec: getAutoExec ? user.autoExec ?? '' : undefined,
+    autoExec: getAutoExec ? (user.autoExec ?? '') : undefined,
    groups: user.groups
  }
 }
@@ -271,7 +287,7 @@ const getUser = async (
 const getDesktopAutoExec = async () => {
  return {
    ...desktopUser,
-    id: desktopUser.userId,
+    uid: desktopUser.userId,
    autoExec: await getUserAutoExec()
  }
 }
@@ -284,15 +300,36 @@ const updateUser = async (

  const params: any = { displayName, isAdmin, isActive, autoExec }

+  const user = await User.findOne(findBy)
+
+  if (username && username !== user?.username && user?.authProvider) {
+    throw {
+      code: 405,
+      message:
+        'Can not update username of user that is created by an external auth provider.'
+    }
+  }
+
+  if (displayName && displayName !== user?.displayName && user?.authProvider) {
+    throw {
+      code: 405,
+      message:
+        'Can not update display name of user that is created by an external auth provider.'
+    }
+  }
+
  if (username) {
    // Checking if user is already in the database
    const usernameExist = await User.findOne({ username })
    if (usernameExist) {
      if (
-        (findBy.id && usernameExist.id != findBy.id) ||
-        (findBy.username && usernameExist.username != findBy.username)
+        (findBy._id && usernameExist.uid !== findBy._id) ||
+        (findBy.username && usernameExist.username !== findBy.username)
      )
-        throw new Error('Username already exists.')
+        throw {
+          code: 409,
+          message: 'Username already exists.'
+        }
    }
    params.username = username
  }
@@ -305,10 +342,13 @@ const updateUser = async (
  const updatedUser = await User.findOneAndUpdate(findBy, params, { new: true })

  if (!updatedUser)
-    throw new Error(`Unable to find user with ${findBy.id || findBy.username}`)
+    throw {
+      code: 404,
+      message: `Unable to find user with ${findBy._id || findBy.username}`
+    }

  return {
-    id: updatedUser.id,
+    uid: updatedUser.uid,
    username: updatedUser.username,
    displayName: updatedUser.displayName,
    isAdmin: updatedUser.isAdmin,
@@ -321,7 +361,7 @@ const updateDesktopAutoExec = async (autoExec: string) => {
  await updateUserAutoExec(autoExec)
  return {
    ...desktopUser,
-    id: desktopUser.userId,
+    uid: desktopUser.userId,
    autoExec
  }
 }
@@ -332,11 +372,19 @@ const deleteUser = async (
  { password }: { password?: string }
 ) => {
  const user = await User.findOne(findBy)
-  if (!user) throw new Error('User is not found.')
+  if (!user)
+    throw {
+      code: 404,
+      message: 'User is not found.'
+    }

  if (!isAdmin) {
    const validPass = user.comparePassword(password!)
-    if (!validPass) throw new Error('Invalid password.')
+    if (!validPass)
+      throw {
+        code: 401,
+        message: 'Invalid password.'
+      }
  }

  await User.deleteOne(findBy)
--- a/api/src/controllers/web.ts
+++ b/api/src/controllers/web.ts
@@ -1,11 +1,17 @@
 import path from 'path'
 import express from 'express'
 import { Request, Route, Tags, Post, Body, Get, Example } from 'tsoa'
-import { readFile } from '@sasjs/utils'
+import { readFile, convertSecondsToHms } from '@sasjs/utils'

 import User from '../model/User'
 import Client from '../model/Client'
-import { getWebBuildFolder, generateAuthCode } from '../utils'
+import {
+  getWebBuildFolder,
+  generateAuthCode,
+  RateLimiter,
+  AuthProviderType,
+  LDAPClient
+} from '../utils'
 import { InfoJWT } from '../types'
 import { AuthController } from './auth'

@@ -78,10 +84,37 @@ const login = async (
 ) => {
  // Authenticate User
  const user = await User.findOne({ username })
-  if (!user) throw new Error('Username is not found.')

-  const validPass = user.comparePassword(password)
-  if (!validPass) throw new Error('Invalid password.')
+  let validPass = false
+
+  if (user) {
+    if (
+      process.env.AUTH_PROVIDERS === AuthProviderType.LDAP &&
+      user.authProvider === AuthProviderType.LDAP
+    ) {
+      const ldapClient = await LDAPClient.init()
+      validPass = await ldapClient
+        .verifyUser(username, password)
+        .catch(() => false)
+    } else {
+      validPass = user.comparePassword(password)
+    }
+  }
+
+  // code to prevent brute force attack
+
+  const rateLimiter = RateLimiter.getInstance()
+
+  if (!validPass) {
+    const retrySecs = await rateLimiter.consume(req.ip, user?.username)
+    if (retrySecs > 0) throw errors.tooManyRequests(retrySecs)
+  }
+
+  if (!user) throw errors.userNotFound
+  if (!validPass) throw errors.invalidPassword
+
+  // Reset on successful authorization
+  rateLimiter.resetOnSuccess(req.ip, user.username)

  req.session.loggedIn = true
  req.session.user = {
@@ -91,7 +124,8 @@ const login = async (
    displayName: user.displayName,
    isAdmin: user.isAdmin,
    isActive: user.isActive,
-    autoExec: user.autoExec
+    autoExec: user.autoExec,
+    needsToUpdatePassword: user.needsToUpdatePassword
  }

  return {
@@ -100,7 +134,8 @@ const login = async (
      id: user.id,
      username: user.username,
      displayName: user.displayName,
-      isAdmin: user.isAdmin
+      isAdmin: user.isAdmin,
+      needsToUpdatePassword: user.needsToUpdatePassword
    }
  }
 }
@@ -157,3 +192,18 @@ interface AuthorizeResponse {
   */
  code: string
 }
+
+const errors = {
+  invalidPassword: {
+    code: 401,
+    message: 'Invalid Password.'
+  },
+  userNotFound: {
+    code: 401,
+    message: 'Username is not found.'
+  },
+  tooManyRequests: (seconds: number) => ({
+    code: 429,
+    message: `Too Many Requests! Retry after ${convertSecondsToHms(seconds)}`
+  })
+}
--- a/api/src/middlewares/authenticateToken.ts
+++ b/api/src/middlewares/authenticateToken.ts
@@ -1,6 +1,6 @@
 import { RequestHandler, Request, Response, NextFunction } from 'express'
 import jwt from 'jsonwebtoken'
-import { csrfProtection } from '../app'
+import { csrfProtection } from './'
 import {
  fetchLatestAutoExec,
  ModeType,
@@ -76,12 +76,13 @@ const authenticateToken = async (
  const { MODE } = process.env
  if (MODE === ModeType.Desktop) {
    req.user = {
-      userId: 1234,
+      userId: '1234',
      clientId: 'desktopModeClientId',
      username: 'desktopModeUsername',
      displayName: 'desktopModeDisplayName',
      isAdmin: true,
-      isActive: true
+      isActive: true,
+      needsToUpdatePassword: false
    }
    req.accessToken = 'desktopModeAccessToken'
    return next()
--- a/api/src/middlewares/authorize.ts
+++ b/api/src/middlewares/authorize.ts
@@ -5,14 +5,12 @@ import {
  PermissionSettingForRoute,
  PermissionType
 } from '../controllers/permission'
-import { getPath, isPublicRoute } from '../utils'
+import { getPath, isPublicRoute, TopLevelRoutes } from '../utils'

 export const authorize: RequestHandler = async (req, res, next) => {
  const { user } = req

-  if (!user) {
-    return res.sendStatus(401)
-  }
+  if (!user) return res.sendStatus(401)

  // no need to check for permissions when user is admin
  if (user.isAdmin) return next()
@@ -20,10 +18,13 @@ export const authorize: RequestHandler = async (req, res, next) => {
  // no need to check for permissions when route is Public
  if (await isPublicRoute(req)) return next()

-  const dbUser = await User.findOne({ id: user.userId })
+  const dbUser = await User.findOne({ _id: user.userId })
  if (!dbUser) return res.sendStatus(401)

  const path = getPath(req)
+  const { baseUrl } = req
+  const topLevelRoute =
+    TopLevelRoutes.find((route) => baseUrl.startsWith(route)) || baseUrl

  // find permission w.r.t user
  const permission = await Permission.findOne({
@@ -37,6 +38,21 @@ export const authorize: RequestHandler = async (req, res, next) => {
    else return res.sendStatus(401)
  }

+  // find permission w.r.t user on top level
+  const topLevelPermission = await Permission.findOne({
+    path: topLevelRoute,
+    type: PermissionType.route,
+    user: dbUser._id
+  })
+
+  if (topLevelPermission) {
+    if (topLevelPermission.setting === PermissionSettingForRoute.grant)
+      return next()
+    else return res.sendStatus(401)
+  }
+
+  let isPermissionDenied = false
+
  // find permission w.r.t user's groups
  for (const group of dbUser.groups) {
    const groupPermission = await Permission.findOne({
@@ -44,8 +60,28 @@ export const authorize: RequestHandler = async (req, res, next) => {
      type: PermissionType.route,
      group
    })
-    if (groupPermission?.setting === PermissionSettingForRoute.grant)
-      return next()
+
+    if (groupPermission) {
+      if (groupPermission.setting === PermissionSettingForRoute.grant) {
+        return next()
+      } else {
+        isPermissionDenied = true
+      }
+    }
  }
+
+  if (!isPermissionDenied) {
+    // find permission w.r.t user's groups on top level
+    for (const group of dbUser.groups) {
+      const groupPermission = await Permission.findOne({
+        path: topLevelRoute,
+        type: PermissionType.route,
+        group
+      })
+      if (groupPermission?.setting === PermissionSettingForRoute.grant)
+        return next()
+    }
+  }
+
  return res.sendStatus(401)
 }
--- a/api/src/middlewares/bruteForceProtection.ts
+++ b/api/src/middlewares/bruteForceProtection.ts
@@ -0,0 +1,22 @@
+import { RequestHandler } from 'express'
+import { convertSecondsToHms } from '@sasjs/utils'
+import { RateLimiter } from '../utils'
+
+export const bruteForceProtection: RequestHandler = async (req, res, next) => {
+  const ip = req.ip
+  const username = req.body.username
+
+  const rateLimiter = RateLimiter.getInstance()
+
+  const retrySecs = await rateLimiter.check(ip, username)
+
+  if (retrySecs > 0) {
+    res
+      .status(429)
+      .send(`Too Many Requests! Retry after ${convertSecondsToHms(retrySecs)}`)
+
+    return
+  }
+
+  next()
+}
--- a/api/src/middlewares/csrfProtection.ts
+++ b/api/src/middlewares/csrfProtection.ts
@@ -0,0 +1,32 @@
+import { RequestHandler } from 'express'
+import csrf from 'csrf'
+
+const csrfTokens = new csrf()
+const secret = csrfTokens.secretSync()
+
+export const generateCSRFToken = () => csrfTokens.create(secret)
+
+export const csrfProtection: RequestHandler = (req, res, next) => {
+  if (req.method === 'GET') return next()
+
+  // Reads the token from the following locations, in order:
+  // req.body.csrf_token - typically generated by the body-parser module.
+  // req.query.csrf_token - a built-in from Express.js to read from the URL query string.
+  // req.headers['csrf-token'] - the CSRF-Token HTTP request header.
+  // req.headers['xsrf-token'] - the XSRF-Token HTTP request header.
+  // req.headers['x-csrf-token'] - the X-CSRF-Token HTTP request header.
+  // req.headers['x-xsrf-token'] - the X-XSRF-Token HTTP request header.
+
+  const token =
+    req.body?.csrf_token ||
+    req.query?.csrf_token ||
+    req.headers['csrf-token'] ||
+    req.headers['xsrf-token'] ||
+    req.headers['x-csrf-token'] ||
+    req.headers['x-xsrf-token']
+
+  if (!csrfTokens.verify(secret, token)) {
+    return res.status(400).send('Invalid CSRF token!')
+  }
+  next()
+}
--- a/api/src/middlewares/desktop.ts
+++ b/api/src/middlewares/desktop.ts
@@ -28,10 +28,11 @@ export const desktopRestrict: RequestHandler = (req, res, next) => {
 }

 export const desktopUser: RequestUser = {
-  userId: 12345,
+  userId: '12345',
  clientId: 'desktop_app',
  username: userInfo().username,
  displayName: userInfo().username,
  isAdmin: true,
-  isActive: true
+  isActive: true,
+  needsToUpdatePassword: false
 }
--- a/api/src/middlewares/index.ts
+++ b/api/src/middlewares/index.ts
@@ -1,5 +1,7 @@
 export * from './authenticateToken'
+export * from './authorize'
+export * from './csrfProtection'
 export * from './desktop'
 export * from './verifyAdmin'
 export * from './verifyAdminIfNeeded'
-export * from './authorize'
+export * from './bruteForceProtection'
--- a/api/src/middlewares/verifyAdminIfNeeded.ts
+++ b/api/src/middlewares/verifyAdminIfNeeded.ts
@@ -8,8 +8,8 @@ export const verifyAdminIfNeeded: RequestHandler = (req, res, next) => {
  if (!user?.isAdmin) {
    let adminAccountRequired: boolean = true

-    if (req.params.userId) {
-      adminAccountRequired = user?.userId !== parseInt(req.params.userId)
+    if (req.params.uid) {
+      adminAccountRequired = user?.userId !== req.params.uid
    } else if (req.params.username) {
      adminAccountRequired = user?.username !== req.params.username
    }
--- a/api/src/model/Client.ts
+++ b/api/src/model/Client.ts
@@ -1,5 +1,6 @@
 import mongoose, { Schema } from 'mongoose'

+export const NUMBER_OF_SECONDS_IN_A_DAY = 86400
 export interface ClientPayload {
  /**
   * Client ID
@@ -11,6 +12,16 @@ export interface ClientPayload {
   * @example "someRandomCryptoString"
   */
  clientSecret: string
+  /**
+   * Number of seconds after which access token will expire. Default is 86400 (1 day)
+   * @example 86400
+   */
+  accessTokenExpiration?: number
+  /**
+   * Number of seconds after which access token will expire. Default is 2592000 (30 days)
+   * @example 2592000
+   */
+  refreshTokenExpiration?: number
 }

 const ClientSchema = new Schema<ClientPayload>({
@@ -21,6 +32,14 @@ const ClientSchema = new Schema<ClientPayload>({
  clientSecret: {
    type: String,
    required: true
+  },
+  accessTokenExpiration: {
+    type: Number,
+    default: NUMBER_OF_SECONDS_IN_A_DAY
+  },
+  refreshTokenExpiration: {
+    type: Number,
+    default: NUMBER_OF_SECONDS_IN_A_DAY * 30
  }
 })

--- a/api/src/model/Group.ts
+++ b/api/src/model/Group.ts
@@ -1,9 +1,9 @@
-import mongoose, { Schema, model, Document, Model } from 'mongoose'
+import { Schema, model, Document, Model } from 'mongoose'
 import { GroupDetailsResponse } from '../controllers'
 import User, { IUser } from './User'
-const AutoIncrement = require('mongoose-sequence')(mongoose)
+import { AuthProviderType } from '../utils'

-export const PUBLIC_GROUP_NAME = 'Public'
+export const PUBLIC_GROUP_NAME = 'public'

 export interface GroupPayload {
  /**
@@ -24,9 +24,12 @@ export interface GroupPayload {
 }

 interface IGroupDocument extends GroupPayload, Document {
-  groupId: number
  isActive: boolean
  users: Schema.Types.ObjectId[]
+  authProvider?: AuthProviderType
+
+  // Declare virtual properties as read-only properties
+  readonly uid: string
 }

 interface IGroup extends IGroupDocument {
@@ -36,28 +39,46 @@ interface IGroup extends IGroupDocument {
 }
 interface IGroupModel extends Model<IGroup> {}

-const groupSchema = new Schema<IGroupDocument>({
-  name: {
-    type: String,
-    required: true,
-    unique: true
+const opts = {
+  toJSON: {
+    virtuals: true,
+    transform: function (doc: any, ret: any, options: any) {
+      delete ret._id
+      delete ret.id
+      return ret
+    }
+  }
+}
+const groupSchema = new Schema<IGroupDocument>(
+  {
+    name: {
+      type: String,
+      required: true,
+      unique: true
+    },
+    description: {
+      type: String,
+      default: 'Group description.'
+    },
+    authProvider: {
+      type: String,
+      enum: AuthProviderType
+    },
+    isActive: {
+      type: Boolean,
+      default: true
+    },
+    users: [{ type: Schema.Types.ObjectId, ref: 'User' }]
  },
-  description: {
-    type: String,
-    default: 'Group description.'
-  },
-  isActive: {
-    type: Boolean,
-    default: true
-  },
-  users: [{ type: Schema.Types.ObjectId, ref: 'User' }]
+  opts
+)
+
+groupSchema.virtual('uid').get(function () {
+  return this._id.toString()
 })

-groupSchema.plugin(AutoIncrement, { inc_field: 'groupId' })
-
-// Hooks
 groupSchema.post('save', function (group: IGroup, next: Function) {
-  group.populate('users', 'id username displayName -_id').then(function () {
+  group.populate('users', 'uid username displayName').then(function () {
    next()
  })
 })
--- a/api/src/model/Permission.ts
+++ b/api/src/model/Permission.ts
@@ -1,5 +1,4 @@
-import mongoose, { Schema, model, Document, Model } from 'mongoose'
-const AutoIncrement = require('mongoose-sequence')(mongoose)
+import { Schema, model, Document, Model } from 'mongoose'
 import { PermissionDetailsResponse } from '../controllers'

 interface GetPermissionBy {
@@ -11,9 +10,11 @@ interface IPermissionDocument extends Document {
  path: string
  type: string
  setting: string
-  permissionId: number
  user: Schema.Types.ObjectId
  group: Schema.Types.ObjectId
+
+  // Declare virtual properties as read-only properties
+  readonly uid: string
 }

 interface IPermission extends IPermissionDocument {}
@@ -22,44 +23,54 @@ interface IPermissionModel extends Model<IPermission> {
  get(getBy: GetPermissionBy): Promise<PermissionDetailsResponse[]>
 }

-const permissionSchema = new Schema<IPermissionDocument>({
-  path: {
-    type: String,
-    required: true
-  },
-  type: {
-    type: String,
-    required: true
-  },
-  setting: {
-    type: String,
-    required: true
-  },
-  user: { type: Schema.Types.ObjectId, ref: 'User' },
-  group: { type: Schema.Types.ObjectId, ref: 'Group' }
-})
+const opts = {
+  toJSON: {
+    virtuals: true,
+    transform: function (doc: any, ret: any, options: any) {
+      delete ret._id
+      delete ret.id
+      return ret
+    }
+  }
+}

-permissionSchema.plugin(AutoIncrement, { inc_field: 'permissionId' })
+const permissionSchema = new Schema<IPermissionDocument>(
+  {
+    path: {
+      type: String,
+      required: true
+    },
+    type: {
+      type: String,
+      required: true
+    },
+    setting: {
+      type: String,
+      required: true
+    },
+    user: { type: Schema.Types.ObjectId, ref: 'User' },
+    group: { type: Schema.Types.ObjectId, ref: 'Group' }
+  },
+  opts
+)
+
+permissionSchema.virtual('uid').get(function () {
+  return this._id.toString()
+})

 // Static Methods
 permissionSchema.static('get', async function (getBy: GetPermissionBy): Promise<
  PermissionDetailsResponse[]
 > {
  return (await this.find(getBy)
-    .select({
-      _id: 0,
-      permissionId: 1,
-      path: 1,
-      type: 1,
-      setting: 1
-    })
-    .populate({ path: 'user', select: 'id username displayName isAdmin -_id' })
+    .select('uid path type setting')
+    .populate({ path: 'user', select: 'uid username displayName isAdmin' })
    .populate({
      path: 'group',
-      select: 'groupId name description -_id',
+      select: 'uid name description',
      populate: {
        path: 'users',
-        select: 'id username displayName isAdmin -_id',
+        select: 'uid username displayName isAdmin',
        options: { limit: 15 }
      }
    })) as unknown as PermissionDetailsResponse[]
--- a/api/src/model/User.ts
+++ b/api/src/model/User.ts
@@ -1,6 +1,6 @@
-import mongoose, { Schema, model, Document, Model } from 'mongoose'
-const AutoIncrement = require('mongoose-sequence')(mongoose)
+import { Schema, model, Document, Model, ObjectId } from 'mongoose'
 import bcrypt from 'bcryptjs'
+import { AuthProviderType } from '../utils'

 export interface UserPayload {
  /**
@@ -36,12 +36,16 @@ export interface UserPayload {

 interface IUserDocument extends UserPayload, Document {
  _id: Schema.Types.ObjectId
-  id: number
  isAdmin: boolean
  isActive: boolean
+  needsToUpdatePassword: boolean
  autoExec: string
  groups: Schema.Types.ObjectId[]
  tokens: [{ [key: string]: string }]
+  authProvider?: AuthProviderType
+
+  // Declare virtual properties as read-only properties
+  readonly uid: string
 }

 export interface IUser extends IUserDocument {
@@ -52,51 +56,75 @@ export interface IUser extends IUserDocument {
 interface IUserModel extends Model<IUser> {
  hashPassword(password: string): string
 }
-
-const userSchema = new Schema<IUserDocument>({
-  displayName: {
-    type: String,
-    required: true
-  },
-  username: {
-    type: String,
-    required: true,
-    unique: true
-  },
-  password: {
-    type: String,
-    required: true
-  },
-  isAdmin: {
-    type: Boolean,
-    default: false
-  },
-  isActive: {
-    type: Boolean,
-    default: true
-  },
-  autoExec: {
-    type: String
-  },
-  groups: [{ type: Schema.Types.ObjectId, ref: 'Group' }],
-  tokens: [
-    {
-      clientId: {
-        type: String,
-        required: true
-      },
-      accessToken: {
-        type: String,
-        required: true
-      },
-      refreshToken: {
-        type: String,
-        required: true
-      }
+const opts = {
+  toJSON: {
+    virtuals: true,
+    transform: function (doc: any, ret: any, options: any) {
+      delete ret._id
+      delete ret.id
+      return ret
    }
-  ]
+  }
+}
+
+const userSchema = new Schema<IUserDocument>(
+  {
+    displayName: {
+      type: String,
+      required: true
+    },
+    username: {
+      type: String,
+      required: true,
+      unique: true
+    },
+    password: {
+      type: String,
+      required: true
+    },
+    authProvider: {
+      type: String,
+      enum: AuthProviderType
+    },
+    isAdmin: {
+      type: Boolean,
+      default: false
+    },
+    isActive: {
+      type: Boolean,
+      default: true
+    },
+    needsToUpdatePassword: {
+      type: Boolean,
+      default: true
+    },
+    autoExec: {
+      type: String
+    },
+    groups: [{ type: Schema.Types.ObjectId, ref: 'Group' }],
+    tokens: [
+      {
+        clientId: {
+          type: String,
+          required: true
+        },
+        accessToken: {
+          type: String,
+          required: true
+        },
+        refreshToken: {
+          type: String,
+          required: true
+        }
+      }
+    ]
+  },
+  opts
+)
+
+userSchema.virtual('uid').get(function () {
+  return this._id.toString()
 })
-userSchema.plugin(AutoIncrement, { inc_field: 'id' })

 // Static Methods
 userSchema.static('hashPassword', (password: string): string => {
--- a/api/src/routes/api/auth.ts
+++ b/api/src/routes/api/auth.ts
@@ -7,12 +7,28 @@ import {
  authenticateRefreshToken
 } from '../../middlewares'

-import { authorizeValidation, tokenValidation } from '../../utils'
+import { tokenValidation, updatePasswordValidation } from '../../utils'
 import { InfoJWT } from '../../types'

 const authRouter = express.Router()
 const controller = new AuthController()

+authRouter.patch(
+  '/updatePassword',
+  authenticateAccessToken,
+  async (req, res) => {
+    const { error, value: body } = updatePasswordValidation(req.body)
+    if (error) return res.status(400).send(error.details[0].message)
+
+    try {
+      await controller.updatePassword(req, body)
+      res.sendStatus(204)
+    } catch (err: any) {
+      res.status(err.code).send(err.message)
+    }
+  }
+)
+
 authRouter.post('/token', async (req, res) => {
  const { error, value: body } = tokenValidation(req.body)
  if (error) return res.status(400).send(error.details[0].message)
--- a/api/src/routes/api/authConfig.ts
+++ b/api/src/routes/api/authConfig.ts
@@ -0,0 +1,25 @@
+import express from 'express'
+import { AuthConfigController } from '../../controllers'
+const authConfigRouter = express.Router()
+
+authConfigRouter.get('/', async (req, res) => {
+  const controller = new AuthConfigController()
+  try {
+    const response = controller.getDetail()
+    res.send(response)
+  } catch (err: any) {
+    res.status(500).send(err.toString())
+  }
+})
+
+authConfigRouter.post('/synchroniseWithLDAP', async (req, res) => {
+  const controller = new AuthConfigController()
+  try {
+    const response = await controller.synchroniseWithLDAP()
+    res.send(response)
+  } catch (err: any) {
+    res.status(500).send(err.toString())
+  }
+})
+
+export default authConfigRouter
--- a/api/src/routes/api/client.ts
+++ b/api/src/routes/api/client.ts
@@ -1,6 +1,7 @@
 import express from 'express'
 import { ClientController } from '../../controllers'
 import { registerClientValidation } from '../../utils'
+import { authenticateAccessToken, verifyAdmin } from '../../middlewares'

 const clientRouter = express.Router()

@@ -17,4 +18,19 @@ clientRouter.post('/', async (req, res) => {
  }
 })

+clientRouter.get(
+  '/',
+  authenticateAccessToken,
+  verifyAdmin,
+  async (req, res) => {
+    const controller = new ClientController()
+    try {
+      const response = await controller.getAllClients()
+      res.send(response)
+    } catch (err: any) {
+      res.status(403).send(err.toString())
+    }
+  }
+)
+
 export default clientRouter
--- a/api/src/routes/api/code.ts
+++ b/api/src/routes/api/code.ts
@@ -1,5 +1,5 @@
 import express from 'express'
-import { runCodeValidation } from '../../utils'
+import { runCodeValidation, triggerCodeValidation } from '../../utils'
 import { CodeController } from '../../controllers/'

 const runRouter = express.Router()
@@ -28,4 +28,22 @@ runRouter.post('/execute', async (req, res) => {
  }
 })

+runRouter.post('/trigger', async (req, res) => {
+  const { error, value: body } = triggerCodeValidation(req.body)
+  if (error) return res.status(400).send(error.details[0].message)
+
+  try {
+    const response = await controller.triggerCode(req, body)
+
+    res.status(200)
+    res.send(response)
+  } catch (err: any) {
+    const statusCode = err.code
+
+    delete err.code
+
+    res.status(statusCode).send(err)
+  }
+})
+
 export default runRouter
--- a/api/src/routes/api/group.ts
+++ b/api/src/routes/api/group.ts
@@ -1,7 +1,11 @@
 import express from 'express'
 import { GroupController } from '../../controllers/'
 import { authenticateAccessToken, verifyAdmin } from '../../middlewares'
-import { getGroupValidation, registerGroupValidation } from '../../utils'
+import {
+  getGroupValidation,
+  registerGroupValidation,
+  uidValidation
+} from '../../utils'

 const groupRouter = express.Router()

@@ -18,11 +22,7 @@ groupRouter.post(
      const response = await controller.createGroup(body)
      res.send(response)
    } catch (err: any) {
-      const statusCode = err.code
-
-      delete err.code
-
-      res.status(statusCode).send(err.message)
+      res.status(err.code).send(err.message)
    }
  }
 )
@@ -33,27 +33,22 @@ groupRouter.get('/', authenticateAccessToken, async (req, res) => {
    const response = await controller.getAllGroups()
    res.send(response)
  } catch (err: any) {
-    const statusCode = err.code
-
-    delete err.code
-
-    res.status(statusCode).send(err.message)
+    res.status(err.code).send(err.message)
  }
 })

-groupRouter.get('/:groupId', authenticateAccessToken, async (req, res) => {
-  const { groupId } = req.params
+groupRouter.get('/:uid', authenticateAccessToken, async (req, res) => {
+  const { error: uidError, value: params } = uidValidation(req.params)
+  if (uidError) return res.status(400).send(uidError.details[0].message)
+
+  const { uid } = params

  const controller = new GroupController()
  try {
-    const response = await controller.getGroup(parseInt(groupId))
+    const response = await controller.getGroup(uid)
    res.send(response)
  } catch (err: any) {
-    const statusCode = err.code
-
-    delete err.code
-
-    res.status(statusCode).send(err.message)
+    res.status(err.code).send(err.message)
  }
 })

@@ -68,83 +63,64 @@ groupRouter.get(

    const controller = new GroupController()
    try {
-      const response = await controller.getGroupByGroupName(name)
+      const response = await controller.getGroupByName(name)
      res.send(response)
    } catch (err: any) {
-      const statusCode = err.code
-
-      delete err.code
-
-      res.status(statusCode).send(err.message)
+      res.status(err.code).send(err.message)
    }
  }
 )

 groupRouter.post(
-  '/:groupId/:userId',
+  '/:groupUid/:userUid',
  authenticateAccessToken,
  verifyAdmin,
  async (req, res) => {
-    const { groupId, userId } = req.params
+    const { groupUid, userUid } = req.params

    const controller = new GroupController()
    try {
-      const response = await controller.addUserToGroup(
-        parseInt(groupId),
-        parseInt(userId)
-      )
+      const response = await controller.addUserToGroup(groupUid, userUid)
      res.send(response)
    } catch (err: any) {
-      const statusCode = err.code
-
-      delete err.code
-
-      res.status(statusCode).send(err.message)
+      res.status(err.code).send(err.message)
    }
  }
 )

 groupRouter.delete(
-  '/:groupId/:userId',
+  '/:groupUid/:userUid',
  authenticateAccessToken,
  verifyAdmin,
  async (req, res) => {
-    const { groupId, userId } = req.params
+    const { groupUid, userUid } = req.params

    const controller = new GroupController()
    try {
-      const response = await controller.removeUserFromGroup(
-        parseInt(groupId),
-        parseInt(userId)
-      )
+      const response = await controller.removeUserFromGroup(groupUid, userUid)
      res.send(response)
    } catch (err: any) {
-      const statusCode = err.code
-
-      delete err.code
-
-      res.status(statusCode).send(err.message)
+      res.status(err.code).send(err.message)
    }
  }
 )

 groupRouter.delete(
-  '/:groupId',
+  '/:uid',
  authenticateAccessToken,
  verifyAdmin,
  async (req, res) => {
-    const { groupId } = req.params
+    const { error: uidError, value: params } = uidValidation(req.params)
+    if (uidError) return res.status(400).send(uidError.details[0].message)
+
+    const { uid } = params

    const controller = new GroupController()
    try {
-      await controller.deleteGroup(parseInt(groupId))
+      await controller.deleteGroup(uid)
      res.status(200).send('Group Deleted!')
    } catch (err: any) {
-      const statusCode = err.code
-
-      delete err.code
-
-      res.status(statusCode).send(err.message)
+      res.status(err.code).send(err.message)
    }
  }
 )
--- a/api/src/routes/api/index.ts
+++ b/api/src/routes/api/index.ts
@@ -18,6 +18,7 @@ import clientRouter from './client'
 import authRouter from './auth'
 import sessionRouter from './session'
 import permissionRouter from './permission'
+import authConfigRouter from './authConfig'

 const router = express.Router()

@@ -43,6 +44,14 @@ router.use(
  permissionRouter
 )

+router.use(
+  '/authConfig',
+  desktopRestrict,
+  authenticateAccessToken,
+  verifyAdmin,
+  authConfigRouter
+)
+
 router.use(
  '/',
  swaggerUi.serve,
--- a/api/src/routes/api/permission.ts
+++ b/api/src/routes/api/permission.ts
@@ -3,6 +3,7 @@ import { PermissionController } from '../../controllers/'
 import { verifyAdmin } from '../../middlewares'
 import {
  registerPermissionValidation,
+  uidValidation,
  updatePermissionValidation
 } from '../../utils'

@@ -34,14 +35,17 @@ permissionRouter.post('/', verifyAdmin, async (req, res) => {
  }
 })

-permissionRouter.patch('/:permissionId', verifyAdmin, async (req: any, res) => {
-  const { permissionId } = req.params
+permissionRouter.patch('/:uid', verifyAdmin, async (req: any, res) => {
+  const { error: uidError, value: params } = uidValidation(req.params)
+  if (uidError) return res.status(400).send(uidError.details[0].message)
+
+  const { uid } = params

  const { error, value: body } = updatePermissionValidation(req.body)
  if (error) return res.status(400).send(error.details[0].message)

  try {
-    const response = await controller.updatePermission(permissionId, body)
+    const response = await controller.updatePermission(uid, body)
    res.send(response)
  } catch (err: any) {
    const statusCode = err.code
@@ -50,20 +54,18 @@ permissionRouter.patch('/:permissionId', verifyAdmin, async (req: any, res) => {
  }
 })

-permissionRouter.delete(
-  '/:permissionId',
-  verifyAdmin,
-  async (req: any, res) => {
-    const { permissionId } = req.params
+permissionRouter.delete('/:uid', verifyAdmin, async (req: any, res) => {
+  const { error: uidError, value: params } = uidValidation(req.params)
+  if (uidError) return res.status(400).send(uidError.details[0].message)

-    try {
-      await controller.deletePermission(permissionId)
-      res.status(200).send('Permission Deleted!')
-    } catch (err: any) {
-      const statusCode = err.code
-      delete err.code
-      res.status(statusCode).send(err.message)
-    }
+  const { uid } = params
+  try {
+    await controller.deletePermission(uid)
+    res.status(200).send('Permission Deleted!')
+  } catch (err: any) {
+    const statusCode = err.code
+    delete err.code
+    res.status(statusCode).send(err.message)
  }
-)
+})
 export default permissionRouter
--- a/api/src/routes/api/session.ts
+++ b/api/src/routes/api/session.ts
@@ -1,16 +1,37 @@
 import express from 'express'
 import { SessionController } from '../../controllers'
+import { sessionIdValidation } from '../../utils'

 const sessionRouter = express.Router()

+const controller = new SessionController()
+
 sessionRouter.get('/', async (req, res) => {
-  const controller = new SessionController()
  try {
    const response = await controller.session(req)
+
    res.send(response)
  } catch (err: any) {
    res.status(403).send(err.toString())
  }
 })

+sessionRouter.get('/:sessionId/state', async (req, res) => {
+  const { error, value: params } = sessionIdValidation(req.params)
+  if (error) return res.status(400).send(error.details[0].message)
+
+  try {
+    const response = await controller.sessionState(params.sessionId)
+
+    res.status(200)
+    res.send(response)
+  } catch (err: any) {
+    const statusCode = err.code
+
+    delete err.code
+
+    res.status(statusCode).send(err)
+  }
+})
+
 export default sessionRouter
--- a/api/src/routes/api/spec/auth.spec.ts
+++ b/api/src/routes/api/spec/auth.spec.ts
@@ -13,6 +13,7 @@ import {
  generateAccessToken,
  generateAuthCode,
  generateRefreshToken,
+  randomBytesHexString,
  saveTokensInDB,
  verifyTokenInDB
 } from '../../../utils'
@@ -20,7 +21,6 @@ import {
 const clientId = 'someclientID'
 const clientSecret = 'someclientSecret'
 const user = {
-  id: 1234,
  displayName: 'Test User',
  username: 'testUsername',
  password: '87654321',
@@ -52,7 +52,7 @@ describe('auth', () => {
  describe('token', () => {
    const userInfo: InfoJWT = {
      clientId,
-      userId: user.id
+      userId: randomBytesHexString(12)
    }
    beforeAll(async () => {
      await userController.createUser(user)
@@ -151,10 +151,10 @@ describe('auth', () => {
      currentUser = await userController.createUser(user)
      refreshToken = generateRefreshToken({
        clientId,
-        userId: currentUser.id
+        userId: currentUser.uid
      })
      await saveTokensInDB(
-        currentUser.id,
+        currentUser.uid,
        clientId,
        'accessToken',
        refreshToken
@@ -202,11 +202,11 @@ describe('auth', () => {
      currentUser = await userController.createUser(user)
      accessToken = generateAccessToken({
        clientId,
-        userId: currentUser.id
+        userId: currentUser.uid
      })

      await saveTokensInDB(
-        currentUser.id,
+        currentUser.uid,
        clientId,
        accessToken,
        'refreshToken'
--- a/api/src/routes/api/spec/client.spec.ts
+++ b/api/src/routes/api/spec/client.spec.ts
@@ -5,6 +5,7 @@ import request from 'supertest'
 import appPromise from '../../../app'
 import { UserController, ClientController } from '../../../controllers/'
 import { generateAccessToken, saveTokensInDB } from '../../../utils'
+import { NUMBER_OF_SECONDS_IN_A_DAY } from '../../../model/Client'

 const client = {
  clientId: 'someclientID',
@@ -26,6 +27,7 @@ describe('client', () => {
  let app: Express
  let con: Mongoose
  let mongoServer: MongoMemoryServer
+  let adminAccessToken: string
  const userController = new UserController()
  const clientController = new ClientController()

@@ -34,6 +36,18 @@ describe('client', () => {

    mongoServer = await MongoMemoryServer.create()
    con = await mongoose.connect(mongoServer.getUri())
+
+    const dbUser = await userController.createUser(adminUser)
+    adminAccessToken = generateAccessToken({
+      clientId: client.clientId,
+      userId: dbUser.uid
+    })
+    await saveTokensInDB(
+      dbUser.uid,
+      client.clientId,
+      adminAccessToken,
+      'refreshToken'
+    )
  })

  afterAll(async () => {
@@ -43,22 +57,6 @@ describe('client', () => {
  })

  describe('create', () => {
-    let adminAccessToken: string
-
-    beforeAll(async () => {
-      const dbUser = await userController.createUser(adminUser)
-      adminAccessToken = generateAccessToken({
-        clientId: client.clientId,
-        userId: dbUser.id
-      })
-      await saveTokensInDB(
-        dbUser.id,
-        client.clientId,
-        adminAccessToken,
-        'refreshToken'
-      )
-    })
-
    afterEach(async () => {
      const collections = mongoose.connection.collections
      const collection = collections['clients']
@@ -97,10 +95,10 @@ describe('client', () => {
      const dbUser = await userController.createUser(user)
      const accessToken = generateAccessToken({
        clientId: client.clientId,
-        userId: dbUser.id
+        userId: dbUser.uid
      })
      await saveTokensInDB(
-        dbUser.id,
+        dbUser.uid,
        client.clientId,
        accessToken,
        'refreshToken'
@@ -157,4 +155,80 @@ describe('client', () => {
      expect(res.body).toEqual({})
    })
  })
+
+  describe('get', () => {
+    afterEach(async () => {
+      const collections = mongoose.connection.collections
+      const collection = collections['clients']
+      await collection.deleteMany({})
+    })
+
+    it('should respond with an array of all clients', async () => {
+      await clientController.createClient(newClient)
+      await clientController.createClient({
+        clientId: 'clientID',
+        clientSecret: 'clientSecret'
+      })
+
+      const res = await request(app)
+        .get('/SASjsApi/client')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send()
+        .expect(200)
+
+      const expected = [
+        {
+          clientId: 'newClientID',
+          clientSecret: 'newClientSecret',
+          accessTokenExpiration: NUMBER_OF_SECONDS_IN_A_DAY,
+          refreshTokenExpiration: NUMBER_OF_SECONDS_IN_A_DAY * 30
+        },
+        {
+          clientId: 'clientID',
+          clientSecret: 'clientSecret',
+          accessTokenExpiration: NUMBER_OF_SECONDS_IN_A_DAY,
+          refreshTokenExpiration: NUMBER_OF_SECONDS_IN_A_DAY * 30
+        }
+      ]
+
+      expect(res.body).toEqual(expected)
+    })
+
+    it('should respond with Unauthorized if access token is not present', async () => {
+      const res = await request(app).get('/SASjsApi/client').send().expect(401)
+
+      expect(res.text).toEqual('Unauthorized')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Forbideen if access token is not of an admin account', async () => {
+      const user = {
+        displayName: 'User 2',
+        username: 'username2',
+        password: '12345678',
+        isAdmin: false,
+        isActive: true
+      }
+      const dbUser = await userController.createUser(user)
+      const accessToken = generateAccessToken({
+        clientId: client.clientId,
+        userId: dbUser.uid
+      })
+      await saveTokensInDB(
+        dbUser.uid,
+        client.clientId,
+        accessToken,
+        'refreshToken'
+      )
+
+      const res = await request(app)
+        .get('/SASjsApi/client')
+        .auth(accessToken, { type: 'bearer' })
+        .send()
+        .expect(401)
+
+      expect(res.text).toEqual('Admin account required')
+      expect(res.body).toEqual({})
+    })
+  })
 })
--- a/api/src/routes/api/spec/drive.spec.ts
+++ b/api/src/routes/api/spec/drive.spec.ts
@@ -71,31 +71,31 @@ describe('drive', () => {
    con = await mongoose.connect(mongoServer.getUri())

    const dbUser = await controller.createUser(user)
-    accessToken = await generateAndSaveToken(dbUser.id)
+    accessToken = await generateAndSaveToken(dbUser.uid)
    await permissionController.createPermission({
      ...permission,
      path: '/SASjsApi/drive/deploy',
-      principalId: dbUser.id
+      principalId: dbUser.uid
    })
    await permissionController.createPermission({
      ...permission,
      path: '/SASjsApi/drive/deploy/upload',
-      principalId: dbUser.id
+      principalId: dbUser.uid
    })
    await permissionController.createPermission({
      ...permission,
      path: '/SASjsApi/drive/file',
-      principalId: dbUser.id
+      principalId: dbUser.uid
    })
    await permissionController.createPermission({
      ...permission,
      path: '/SASjsApi/drive/folder',
-      principalId: dbUser.id
+      principalId: dbUser.uid
    })
    await permissionController.createPermission({
      ...permission,
      path: '/SASjsApi/drive/rename',
-      principalId: dbUser.id
+      principalId: dbUser.uid
    })
  })

@@ -1197,7 +1197,7 @@ const getExampleService = (): ServiceMember =>
  ((getTreeExample().members[0] as FolderMember).members[0] as FolderMember)
    .members[0] as ServiceMember

-const generateAndSaveToken = async (userId: number) => {
+const generateAndSaveToken = async (userId: string) => {
  const adminAccessToken = generateAccessToken({
    clientId,
    userId
--- a/api/src/routes/api/spec/group.spec.ts
+++ b/api/src/routes/api/spec/group.spec.ts
@@ -4,8 +4,14 @@ import { MongoMemoryServer } from 'mongodb-memory-server'
 import request from 'supertest'
 import appPromise from '../../../app'
 import { UserController, GroupController } from '../../../controllers/'
-import { generateAccessToken, saveTokensInDB } from '../../../utils'
-import { PUBLIC_GROUP_NAME } from '../../../model/Group'
+import {
+  generateAccessToken,
+  saveTokensInDB,
+  AuthProviderType
+} from '../../../utils'
+import Group, { PUBLIC_GROUP_NAME } from '../../../model/Group'
+import User from '../../../model/User'
+import { randomBytes } from 'crypto'

 const clientId = 'someclientID'
 const adminUser = {
@@ -70,7 +76,7 @@ describe('group', () => {
        .send(group)
        .expect(200)

-      expect(res.body.groupId).toBeTruthy()
+      expect(res.body.uid).toBeTruthy()
      expect(res.body.name).toEqual(group.name)
      expect(res.body.description).toEqual(group.description)
      expect(res.body.isActive).toEqual(true)
@@ -150,7 +156,7 @@ describe('group', () => {
      const dbGroup = await groupController.createGroup(group)

      const res = await request(app)
-        .delete(`/SASjsApi/group/${dbGroup.groupId}`)
+        .delete(`/SASjsApi/group/${dbGroup.uid}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(200)
@@ -169,17 +175,17 @@ describe('group', () => {
        username: 'deletegroup2'
      })

-      await groupController.addUserToGroup(dbGroup.groupId, dbUser1.id)
-      await groupController.addUserToGroup(dbGroup.groupId, dbUser2.id)
+      await groupController.addUserToGroup(dbGroup.uid, dbUser1.uid)
+      await groupController.addUserToGroup(dbGroup.uid, dbUser2.uid)

      await request(app)
-        .delete(`/SASjsApi/group/${dbGroup.groupId}`)
+        .delete(`/SASjsApi/group/${dbGroup.uid}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(200)

      const res1 = await request(app)
-        .get(`/SASjsApi/user/${dbUser1.id}`)
+        .get(`/SASjsApi/user/${dbUser1.uid}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(200)
@@ -187,7 +193,7 @@ describe('group', () => {
      expect(res1.body.groups).toEqual([])

      const res2 = await request(app)
-        .get(`/SASjsApi/user/${dbUser2.id}`)
+        .get(`/SASjsApi/user/${dbUser2.uid}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(200)
@@ -196,8 +202,10 @@ describe('group', () => {
    })

    it('should respond with Not Found if groupId is incorrect', async () => {
+      const hexValue = randomBytes(12).toString('hex')
+
      const res = await request(app)
-        .delete(`/SASjsApi/group/1234`)
+        .delete(`/SASjsApi/group/${hexValue}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(404)
@@ -224,7 +232,7 @@ describe('group', () => {
      })

      const res = await request(app)
-        .delete(`/SASjsApi/group/${dbGroup.groupId}`)
+        .delete(`/SASjsApi/group/${dbGroup.uid}`)
        .auth(accessToken, { type: 'bearer' })
        .send()
        .expect(401)
@@ -240,15 +248,15 @@ describe('group', () => {
    })

    it('should respond with group', async () => {
-      const { groupId } = await groupController.createGroup(group)
+      const { uid } = await groupController.createGroup(group)

      const res = await request(app)
-        .get(`/SASjsApi/group/${groupId}`)
+        .get(`/SASjsApi/group/${uid}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(200)

-      expect(res.body.groupId).toBeTruthy()
+      expect(res.body.uid).toBeTruthy()
      expect(res.body.name).toEqual(group.name)
      expect(res.body.description).toEqual(group.description)
      expect(res.body.isActive).toEqual(true)
@@ -261,15 +269,15 @@ describe('group', () => {
        username: 'get' + user.username
      })

-      const { groupId } = await groupController.createGroup(group)
+      const { uid } = await groupController.createGroup(group)

      const res = await request(app)
-        .get(`/SASjsApi/group/${groupId}`)
+        .get(`/SASjsApi/group/${uid}`)
        .auth(accessToken, { type: 'bearer' })
        .send()
        .expect(200)

-      expect(res.body.groupId).toBeTruthy()
+      expect(res.body.uid).toBeTruthy()
      expect(res.body.name).toEqual(group.name)
      expect(res.body.description).toEqual(group.description)
      expect(res.body.isActive).toEqual(true)
@@ -287,8 +295,10 @@ describe('group', () => {
    })

    it('should respond with Not Found if groupId is incorrect', async () => {
+      const hexValue = randomBytes(12).toString('hex')
+
      const res = await request(app)
-        .get('/SASjsApi/group/1234')
+        .get(`/SASjsApi/group/${hexValue}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(404)
@@ -307,7 +317,7 @@ describe('group', () => {
          .send()
          .expect(200)

-        expect(res.body.groupId).toBeTruthy()
+        expect(res.body.uid).toBeTruthy()
        expect(res.body.name).toEqual(group.name)
        expect(res.body.description).toEqual(group.description)
        expect(res.body.isActive).toEqual(true)
@@ -328,7 +338,7 @@ describe('group', () => {
          .send()
          .expect(200)

-        expect(res.body.groupId).toBeTruthy()
+        expect(res.body.uid).toBeTruthy()
        expect(res.body.name).toEqual(group.name)
        expect(res.body.description).toEqual(group.description)
        expect(res.body.isActive).toEqual(true)
@@ -374,7 +384,7 @@ describe('group', () => {

      expect(res.body).toEqual([
        {
-          groupId: expect.anything(),
+          uid: expect.anything(),
          name: group.name,
          description: group.description
        }
@@ -396,7 +406,7 @@ describe('group', () => {

      expect(res.body).toEqual([
        {
-          groupId: expect.anything(),
+          uid: expect.anything(),
          name: group.name,
          description: group.description
        }
@@ -421,18 +431,18 @@ describe('group', () => {
      const dbUser = await userController.createUser(user)

      const res = await request(app)
-        .post(`/SASjsApi/group/${dbGroup.groupId}/${dbUser.id}`)
+        .post(`/SASjsApi/group/${dbGroup.uid}/${dbUser.uid}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(200)

-      expect(res.body.groupId).toBeTruthy()
+      expect(res.body.uid).toBeTruthy()
      expect(res.body.name).toEqual(group.name)
      expect(res.body.description).toEqual(group.description)
      expect(res.body.isActive).toEqual(true)
      expect(res.body.users).toEqual([
        {
-          id: expect.anything(),
+          uid: expect.anything(),
          username: user.username,
          displayName: user.displayName
        }
@@ -447,20 +457,20 @@ describe('group', () => {
      })

      await request(app)
-        .post(`/SASjsApi/group/${dbGroup.groupId}/${dbUser.id}`)
+        .post(`/SASjsApi/group/${dbGroup.uid}/${dbUser.uid}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(200)

      const res = await request(app)
-        .get(`/SASjsApi/user/${dbUser.id}`)
+        .get(`/SASjsApi/user/${dbUser.uid}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(200)

      expect(res.body.groups).toEqual([
        {
-          groupId: expect.anything(),
+          uid: expect.anything(),
          name: group.name,
          description: group.description
        }
@@ -473,21 +483,21 @@ describe('group', () => {
        ...user,
        username: 'addUserRandomUser'
      })
-      await groupController.addUserToGroup(dbGroup.groupId, dbUser.id)
+      await groupController.addUserToGroup(dbGroup.uid, dbUser.uid)

      const res = await request(app)
-        .post(`/SASjsApi/group/${dbGroup.groupId}/${dbUser.id}`)
+        .post(`/SASjsApi/group/${dbGroup.uid}/${dbUser.uid}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(200)

-      expect(res.body.groupId).toBeTruthy()
+      expect(res.body.uid).toBeTruthy()
      expect(res.body.name).toEqual(group.name)
      expect(res.body.description).toEqual(group.description)
      expect(res.body.isActive).toEqual(true)
      expect(res.body.users).toEqual([
        {
-          id: expect.anything(),
+          uid: expect.anything(),
          username: 'addUserRandomUser',
          displayName: user.displayName
        }
@@ -521,8 +531,10 @@ describe('group', () => {
    })

    it('should respond with Not Found if groupId is incorrect', async () => {
+      const hexValue = randomBytes(12).toString('hex')
+
      const res = await request(app)
-        .post('/SASjsApi/group/123/123')
+        .post(`/SASjsApi/group/${hexValue}/123`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(404)
@@ -533,8 +545,10 @@ describe('group', () => {

    it('should respond with Not Found if userId is incorrect', async () => {
      const dbGroup = await groupController.createGroup(group)
+      const hexValue = randomBytes(12).toString('hex')
+
      const res = await request(app)
-        .post(`/SASjsApi/group/${dbGroup.groupId}/123`)
+        .post(`/SASjsApi/group/${dbGroup.uid}/${hexValue}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(404)
@@ -551,7 +565,7 @@ describe('group', () => {
      })

      const res = await request(app)
-        .post(`/SASjsApi/group/${dbGroup.groupId}/${dbUser.id}`)
+        .post(`/SASjsApi/group/${dbGroup.uid}/${dbUser.uid}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(400)
@@ -560,6 +574,46 @@ describe('group', () => {
        `Can't add/remove user to '${PUBLIC_GROUP_NAME}' group.`
      )
    })
+
+    it('should respond with Method Not Allowed if group is created by an external authProvider', async () => {
+      const dbGroup = await Group.create({
+        ...group,
+        authProvider: AuthProviderType.LDAP
+      })
+      const dbUser = await userController.createUser({
+        ...user,
+        username: 'ldapGroupUser'
+      })
+
+      const res = await request(app)
+        .post(`/SASjsApi/group/${dbGroup.uid}/${dbUser.uid}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send()
+        .expect(405)
+
+      expect(res.text).toEqual(
+        `Can't add/remove user to group created by external auth provider.`
+      )
+    })
+
+    it('should respond with Method Not Allowed if user is created by an external authProvider', async () => {
+      const dbGroup = await groupController.createGroup(group)
+      const dbUser = await User.create({
+        ...user,
+        username: 'ldapUser',
+        authProvider: AuthProviderType.LDAP
+      })
+
+      const res = await request(app)
+        .post(`/SASjsApi/group/${dbGroup.uid}/${dbUser.uid}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send()
+        .expect(405)
+
+      expect(res.text).toEqual(
+        `Can't add/remove user to group created by external auth provider.`
+      )
+    })
  })

  describe('RemoveUser', () => {
@@ -573,15 +627,15 @@ describe('group', () => {
        ...user,
        username: 'removeUserRandomUser'
      })
-      await groupController.addUserToGroup(dbGroup.groupId, dbUser.id)
+      await groupController.addUserToGroup(dbGroup.uid, dbUser.uid)

      const res = await request(app)
-        .delete(`/SASjsApi/group/${dbGroup.groupId}/${dbUser.id}`)
+        .delete(`/SASjsApi/group/${dbGroup.uid}/${dbUser.uid}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(200)

-      expect(res.body.groupId).toBeTruthy()
+      expect(res.body.uid).toBeTruthy()
      expect(res.body.name).toEqual(group.name)
      expect(res.body.description).toEqual(group.description)
      expect(res.body.isActive).toEqual(true)
@@ -594,16 +648,16 @@ describe('group', () => {
        ...user,
        username: 'removeGroupFromUser'
      })
-      await groupController.addUserToGroup(dbGroup.groupId, dbUser.id)
+      await groupController.addUserToGroup(dbGroup.uid, dbUser.uid)

      await request(app)
-        .delete(`/SASjsApi/group/${dbGroup.groupId}/${dbUser.id}`)
+        .delete(`/SASjsApi/group/${dbGroup.uid}/${dbUser.uid}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(200)

      const res = await request(app)
-        .get(`/SASjsApi/user/${dbUser.id}`)
+        .get(`/SASjsApi/user/${dbUser.uid}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(200)
@@ -611,6 +665,46 @@ describe('group', () => {
      expect(res.body.groups).toEqual([])
    })

+    it('should respond with Method Not Allowed if group is created by an external authProvider', async () => {
+      const dbGroup = await Group.create({
+        ...group,
+        authProvider: AuthProviderType.LDAP
+      })
+      const dbUser = await userController.createUser({
+        ...user,
+        username: 'removeLdapGroupUser'
+      })
+
+      const res = await request(app)
+        .delete(`/SASjsApi/group/${dbGroup.uid}/${dbUser.uid}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send()
+        .expect(405)
+
+      expect(res.text).toEqual(
+        `Can't add/remove user to group created by external auth provider.`
+      )
+    })
+
+    it('should respond with Method Not Allowed if user is created by an external authProvider', async () => {
+      const dbGroup = await groupController.createGroup(group)
+      const dbUser = await User.create({
+        ...user,
+        username: 'removeLdapUser',
+        authProvider: AuthProviderType.LDAP
+      })
+
+      const res = await request(app)
+        .delete(`/SASjsApi/group/${dbGroup.uid}/${dbUser.uid}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send()
+        .expect(405)
+
+      expect(res.text).toEqual(
+        `Can't add/remove user to group created by external auth provider.`
+      )
+    })
+
    it('should respond with Unauthorized if access token is not present', async () => {
      const res = await request(app)
        .delete('/SASjsApi/group/123/123')
@@ -638,8 +732,10 @@ describe('group', () => {
    })

    it('should respond with Not Found if groupId is incorrect', async () => {
+      const hexValue = randomBytes(12).toString('hex')
+
      const res = await request(app)
-        .delete('/SASjsApi/group/123/123')
+        .delete(`/SASjsApi/group/${hexValue}/123`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(404)
@@ -650,8 +746,10 @@ describe('group', () => {

    it('should respond with Not Found if userId is incorrect', async () => {
      const dbGroup = await groupController.createGroup(group)
+      const hexValue = randomBytes(12).toString('hex')
+
      const res = await request(app)
-        .delete(`/SASjsApi/group/${dbGroup.groupId}/123`)
+        .delete(`/SASjsApi/group/${dbGroup.uid}/${hexValue}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(404)
@@ -667,10 +765,10 @@ const generateSaveTokenAndCreateUser = async (
 ): Promise<string> => {
  const dbUser = await userController.createUser(someUser ?? adminUser)

-  return generateAndSaveToken(dbUser.id)
+  return generateAndSaveToken(dbUser.uid)
 }

-const generateAndSaveToken = async (userId: number) => {
+const generateAndSaveToken = async (userId: string) => {
  const adminAccessToken = generateAccessToken({
    clientId,
    userId
--- a/api/src/routes/api/spec/permission.spec.ts
+++ b/api/src/routes/api/spec/permission.spec.ts
@@ -17,6 +17,7 @@ import {
  PermissionDetailsResponse
 } from '../../../controllers'
 import { generateAccessToken, saveTokensInDB } from '../../../utils'
+import { randomBytes } from 'crypto'

 const deployPayload = {
  appLoc: 'string',
@@ -103,10 +104,10 @@ describe('permission', () => {
      const res = await request(app)
        .post('/SASjsApi/permission')
        .auth(adminAccessToken, { type: 'bearer' })
-        .send({ ...permission, principalId: dbUser.id })
+        .send({ ...permission, principalId: dbUser.uid })
        .expect(200)

-      expect(res.body.permissionId).toBeTruthy()
+      expect(res.body.uid).toBeTruthy()
      expect(res.body.path).toEqual(permission.path)
      expect(res.body.type).toEqual(permission.type)
      expect(res.body.setting).toEqual(permission.setting)
@@ -122,11 +123,11 @@ describe('permission', () => {
        .send({
          ...permission,
          principalType: 'group',
-          principalId: dbGroup.groupId
+          principalId: dbGroup.uid
        })
        .expect(200)

-      expect(res.body.permissionId).toBeTruthy()
+      expect(res.body.uid).toBeTruthy()
      expect(res.body.path).toEqual(permission.path)
      expect(res.body.type).toEqual(permission.type)
      expect(res.body.setting).toEqual(permission.setting)
@@ -144,7 +145,7 @@ describe('permission', () => {
    })

    it('should respond with Unauthorized if access token is not of an admin account', async () => {
-      const accessToken = await generateAndSaveToken(dbUser.id)
+      const accessToken = await generateAndSaveToken(dbUser.uid)

      const res = await request(app)
        .post('/SASjsApi/permission')
@@ -281,17 +282,19 @@ describe('permission', () => {
      expect(res.body).toEqual({})
    })

-    it('should respond with Bad Request if principalId is not a number', async () => {
+    it('should respond with Bad Request if principalId is not a string of 24 hex characters', async () => {
      const res = await request(app)
        .post('/SASjsApi/permission')
        .auth(adminAccessToken, { type: 'bearer' })
        .send({
          ...permission,
-          principalId: 'someCharacters'
+          principalId: randomBytes(10).toString('hex')
        })
        .expect(400)

-      expect(res.text).toEqual('"principalId" must be a number')
+      expect(res.text).toEqual(
+        '"principalId" length must be 24 characters long'
+      )
      expect(res.body).toEqual({})
    })

@@ -307,7 +310,7 @@ describe('permission', () => {
        .auth(adminAccessToken, { type: 'bearer' })
        .send({
          ...permission,
-          principalId: adminUser.id
+          principalId: adminUser.uid
        })
        .expect(400)

@@ -321,7 +324,7 @@ describe('permission', () => {
        .auth(adminAccessToken, { type: 'bearer' })
        .send({
          ...permission,
-          principalId: 123
+          principalId: randomBytes(12).toString('hex')
        })
        .expect(404)

@@ -336,7 +339,7 @@ describe('permission', () => {
        .send({
          ...permission,
          principalType: 'group',
-          principalId: 123
+          principalId: randomBytes(12).toString('hex')
        })
        .expect(404)

@@ -347,13 +350,13 @@ describe('permission', () => {
    it('should respond with Conflict (409) if permission already exists', async () => {
      await permissionController.createPermission({
        ...permission,
-        principalId: dbUser.id
+        principalId: dbUser.uid
      })

      const res = await request(app)
        .post('/SASjsApi/permission')
        .auth(adminAccessToken, { type: 'bearer' })
-        .send({ ...permission, principalId: dbUser.id })
+        .send({ ...permission, principalId: dbUser.uid })
        .expect(409)

      expect(res.text).toEqual(
@@ -368,7 +371,7 @@ describe('permission', () => {
    beforeAll(async () => {
      dbPermission = await permissionController.createPermission({
        ...permission,
-        principalId: dbUser.id
+        principalId: dbUser.uid
      })
    })

@@ -378,7 +381,7 @@ describe('permission', () => {

    it('should respond with updated permission', async () => {
      const res = await request(app)
-        .patch(`/SASjsApi/permission/${dbPermission?.permissionId}`)
+        .patch(`/SASjsApi/permission/${dbPermission?.uid}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send({ setting: PermissionSettingForRoute.deny })
        .expect(200)
@@ -388,7 +391,7 @@ describe('permission', () => {

    it('should respond with Unauthorized if access token is not present', async () => {
      const res = await request(app)
-        .patch(`/SASjsApi/permission/${dbPermission?.permissionId}`)
+        .patch(`/SASjsApi/permission/${dbPermission?.uid}`)
        .send()
        .expect(401)

@@ -403,7 +406,7 @@ describe('permission', () => {
      })

      const res = await request(app)
-        .patch(`/SASjsApi/permission/${dbPermission?.permissionId}`)
+        .patch(`/SASjsApi/permission/${dbPermission?.uid}`)
        .auth(accessToken, { type: 'bearer' })
        .send()
        .expect(401)
@@ -414,7 +417,7 @@ describe('permission', () => {

    it('should respond with Bad Request if setting is missing', async () => {
      const res = await request(app)
-        .patch(`/SASjsApi/permission/${dbPermission?.permissionId}`)
+        .patch(`/SASjsApi/permission/${dbPermission?.uid}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(400)
@@ -425,7 +428,7 @@ describe('permission', () => {

    it('should respond with Bad Request if setting is  invalid', async () => {
      const res = await request(app)
-        .patch(`/SASjsApi/permission/${dbPermission?.permissionId}`)
+        .patch(`/SASjsApi/permission/${dbPermission?.uid}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send({
          setting: 'invalid'
@@ -437,8 +440,9 @@ describe('permission', () => {
    })

    it('should respond with not found (404) if permission with provided id does not exist', async () => {
+      const hexValue = randomBytes(12).toString('hex')
      const res = await request(app)
-        .patch('/SASjsApi/permission/123')
+        .patch(`/SASjsApi/permission/${hexValue}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send({
          setting: PermissionSettingForRoute.deny
@@ -454,10 +458,10 @@ describe('permission', () => {
    it('should delete permission', async () => {
      const dbPermission = await permissionController.createPermission({
        ...permission,
-        principalId: dbUser.id
+        principalId: dbUser.uid
      })
      const res = await request(app)
-        .delete(`/SASjsApi/permission/${dbPermission?.permissionId}`)
+        .delete(`/SASjsApi/permission/${dbPermission?.uid}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(200)
@@ -466,8 +470,10 @@ describe('permission', () => {
    })

    it('should respond with not found (404) if permission with provided id does not exists', async () => {
+      const hexValue = randomBytes(12).toString('hex')
+
      const res = await request(app)
-        .delete('/SASjsApi/permission/123')
+        .delete(`/SASjsApi/permission/${hexValue}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(404)
@@ -481,12 +487,12 @@ describe('permission', () => {
      await permissionController.createPermission({
        ...permission,
        path: '/test-1',
-        principalId: dbUser.id
+        principalId: dbUser.uid
      })
      await permissionController.createPermission({
        ...permission,
        path: '/test-2',
-        principalId: dbUser.id
+        principalId: dbUser.uid
      })
    })

@@ -505,12 +511,12 @@ describe('permission', () => {
        ...user,
        username: 'get' + user.username
      })
-      const accessToken = await generateAndSaveToken(nonAdminUser.id)
+      const accessToken = await generateAndSaveToken(nonAdminUser.uid)
      await permissionController.createPermission({
        path: '/test-1',
        type: PermissionType.route,
        principalType: PrincipalType.user,
-        principalId: nonAdminUser.id,
+        principalId: nonAdminUser.uid,
        setting: PermissionSettingForRoute.grant
      })

@@ -531,7 +537,7 @@ describe('permission', () => {
      await permissionController.createPermission({
        ...permission,
        path: '/SASjsApi/drive/deploy',
-        principalId: dbUser.id
+        principalId: dbUser.uid
      })
    })

@@ -551,7 +557,7 @@ describe('permission', () => {
    })

    it('should create files in SASJS drive', async () => {
-      const accessToken = await generateAndSaveToken(dbUser.id)
+      const accessToken = await generateAndSaveToken(dbUser.uid)

      await request(app)
        .get('/SASjsApi/drive/deploy')
@@ -561,7 +567,7 @@ describe('permission', () => {
    })

    it('should respond unauthorized', async () => {
-      const accessToken = await generateAndSaveToken(dbUser.id)
+      const accessToken = await generateAndSaveToken(dbUser.uid)

      await request(app)
        .get('/SASjsApi/drive/deploy/upload')
@@ -577,10 +583,10 @@ const generateSaveTokenAndCreateUser = async (
 ): Promise<string> => {
  const dbUser = await userController.createUser(someUser ?? adminUser)

-  return generateAndSaveToken(dbUser.id)
+  return generateAndSaveToken(dbUser.uid)
 }

-const generateAndSaveToken = async (userId: number) => {
+const generateAndSaveToken = async (userId: string) => {
  const adminAccessToken = generateAccessToken({
    clientId,
    userId
--- a/api/src/routes/api/spec/stp.spec.ts
+++ b/api/src/routes/api/spec/stp.spec.ts
@@ -21,11 +21,11 @@ import {
 } from '../../../utils'
 import { createFile, generateTimestamp, deleteFolder } from '@sasjs/utils'
 import {
-  SASSessionController,
-  JSSessionController
+  SessionController,
+  SASSessionController
 } from '../../../controllers/internal'
 import * as ProcessProgramModule from '../../../controllers/internal/processProgram'
-import { Session } from '../../../types'
+import { Session, SessionState } from '../../../types'

 const clientId = 'someclientID'

@@ -39,14 +39,17 @@ const user = {

 const sampleSasProgram = '%put hello world!;'
 const sampleJsProgram = `console.log('hello world!/')`
+const samplePyProgram = `print('hello world!/')`

 const filesFolder = getFilesFolder()
+const testFilesFolder = `test-stp-${generateTimestamp()}`
+
+let app: Express
+let accessToken: string

 describe('stp', () => {
-  let app: Express
  let con: Mongoose
  let mongoServer: MongoMemoryServer
-  let accessToken: string
  const userController = new UserController()
  const permissionController = new PermissionController()

@@ -55,12 +58,12 @@ describe('stp', () => {
    mongoServer = await MongoMemoryServer.create()
    con = await mongoose.connect(mongoServer.getUri())
    const dbUser = await userController.createUser(user)
-    accessToken = await generateAndSaveToken(dbUser.id)
+    accessToken = await generateAndSaveToken(dbUser.uid)
    await permissionController.createPermission({
      path: '/SASjsApi/stp/execute',
      type: PermissionType.route,
      principalType: PrincipalType.user,
-      principalId: dbUser.id,
+      principalId: dbUser.uid,
      setting: PermissionSettingForRoute.grant
    })
  })
@@ -72,8 +75,6 @@ describe('stp', () => {
  })

  describe('execute', () => {
-    const testFilesFolder = `test-stp-${generateTimestamp()}`
-
    describe('get', () => {
      describe('with runtime js', () => {
        const testFilesFolder = `test-stp-${generateTimestamp()}`
@@ -93,41 +94,45 @@ describe('stp', () => {
        })

        it('should execute js program when both js and sas program are present', async () => {
-          const programPath = path.join(testFilesFolder, 'program')
-          const sasProgramPath = path.join(filesFolder, `${programPath}.sas`)
-          const jsProgramPath = path.join(filesFolder, `${programPath}.js`)
-          await createFile(sasProgramPath, sampleSasProgram)
-          await createFile(jsProgramPath, sampleJsProgram)
-
-          await request(app)
-            .get(`/SASjsApi/stp/execute?_program=${programPath}`)
-            .auth(accessToken, { type: 'bearer' })
-            .send()
-            .expect(200)
-
-          expect(ProcessProgramModule.processProgram).toHaveBeenCalledWith(
-            expect.anything(),
-            expect.anything(),
-            expect.anything(),
-            expect.anything(),
-            expect.anything(),
-            expect.anything(),
-            RunTimeType.JS,
-            expect.anything(),
-            undefined
+          await makeRequestAndAssert(
+            [RunTimeType.JS, RunTimeType.SAS],
+            200,
+            RunTimeType.JS
          )
        })

        it('should throw error when js program is not present but sas program exists', async () => {
-          const programPath = path.join(testFilesFolder, 'program')
-          const sasProgramPath = path.join(filesFolder, `${programPath}.sas`)
-          await createFile(sasProgramPath, sampleSasProgram)
+          await makeRequestAndAssert([], 400)
+        })
+      })

-          await request(app)
-            .get(`/SASjsApi/stp/execute?_program=${programPath}`)
-            .auth(accessToken, { type: 'bearer' })
-            .send()
-            .expect(400)
+      describe('with runtime py', () => {
+        const testFilesFolder = `test-stp-${generateTimestamp()}`
+
+        beforeAll(() => {
+          process.runTimes = [RunTimeType.PY]
+        })
+
+        beforeEach(() => {
+          jest.resetModules() // it clears the cache
+          setupMocks()
+        })
+
+        afterEach(async () => {
+          jest.resetAllMocks()
+          await deleteFolder(path.join(filesFolder, testFilesFolder))
+        })
+
+        it('should execute python program when python, js and sas programs are present', async () => {
+          await makeRequestAndAssert(
+            [RunTimeType.PY, RunTimeType.SAS, RunTimeType.JS],
+            200,
+            RunTimeType.PY
+          )
+        })
+
+        it('should throw error when py program is not present but js or sas program exists', async () => {
+          await makeRequestAndAssert([], 400)
        })
      })

@@ -147,41 +152,11 @@ describe('stp', () => {
        })

        it('should execute sas program when both sas and js programs are present', async () => {
-          const programPath = path.join(testFilesFolder, 'program')
-          const sasProgramPath = path.join(filesFolder, `${programPath}.sas`)
-          const jsProgramPath = path.join(filesFolder, `${programPath}.js`)
-          await createFile(sasProgramPath, sampleSasProgram)
-          await createFile(jsProgramPath, sampleJsProgram)
-
-          await request(app)
-            .get(`/SASjsApi/stp/execute?_program=${programPath}`)
-            .auth(accessToken, { type: 'bearer' })
-            .send()
-            .expect(200)
-
-          expect(ProcessProgramModule.processProgram).toHaveBeenCalledWith(
-            expect.anything(),
-            expect.anything(),
-            expect.anything(),
-            expect.anything(),
-            expect.anything(),
-            expect.anything(),
-            RunTimeType.SAS,
-            expect.anything(),
-            undefined
-          )
+          await makeRequestAndAssert([RunTimeType.SAS], 200, RunTimeType.SAS)
        })

        it('should throw error when sas program do not exit but js exists', async () => {
-          const programPath = path.join(testFilesFolder, 'program')
-          const jsProgramPath = path.join(filesFolder, `${programPath}.js`)
-          await createFile(jsProgramPath, sampleJsProgram)
-
-          await request(app)
-            .get(`/SASjsApi/stp/execute?_program=${programPath}`)
-            .auth(accessToken, { type: 'bearer' })
-            .send()
-            .expect(400)
+          await makeRequestAndAssert([], 400)
        })
      })

@@ -201,63 +176,51 @@ describe('stp', () => {
        })

        it('should execute js program when both js and sas program are present', async () => {
-          const programPath = path.join(testFilesFolder, 'program')
-          const sasProgramPath = path.join(filesFolder, `${programPath}.sas`)
-          const jsProgramPath = path.join(filesFolder, `${programPath}.js`)
-          await createFile(sasProgramPath, sampleSasProgram)
-          await createFile(jsProgramPath, sampleJsProgram)
-
-          await request(app)
-            .get(`/SASjsApi/stp/execute?_program=${programPath}`)
-            .auth(accessToken, { type: 'bearer' })
-            .send()
-            .expect(200)
-
-          expect(ProcessProgramModule.processProgram).toHaveBeenCalledWith(
-            expect.anything(),
-            expect.anything(),
-            expect.anything(),
-            expect.anything(),
-            expect.anything(),
-            expect.anything(),
-            RunTimeType.JS,
-            expect.anything(),
-            undefined
+          await makeRequestAndAssert(
+            [RunTimeType.SAS, RunTimeType.JS],
+            200,
+            RunTimeType.JS
          )
        })

        it('should execute sas program when js program is not present but sas program exists', async () => {
-          const programPath = path.join(testFilesFolder, 'program')
-          const sasProgramPath = path.join(filesFolder, `${programPath}.sas`)
-          await createFile(sasProgramPath, sampleSasProgram)
-
-          await request(app)
-            .get(`/SASjsApi/stp/execute?_program=${programPath}`)
-            .auth(accessToken, { type: 'bearer' })
-            .send()
-            .expect(200)
-
-          expect(ProcessProgramModule.processProgram).toHaveBeenCalledWith(
-            expect.anything(),
-            expect.anything(),
-            expect.anything(),
-            expect.anything(),
-            expect.anything(),
-            expect.anything(),
-            RunTimeType.SAS,
-            expect.anything(),
-            undefined
-          )
+          await makeRequestAndAssert([RunTimeType.SAS], 200, RunTimeType.SAS)
        })

        it('should throw error when both sas and js programs do not exist', async () => {
-          const programPath = path.join(testFilesFolder, 'program')
+          await makeRequestAndAssert([], 400)
+        })
+      })

-          await request(app)
-            .get(`/SASjsApi/stp/execute?_program=${programPath}`)
-            .auth(accessToken, { type: 'bearer' })
-            .send()
-            .expect(400)
+      describe('with runtime py and sas', () => {
+        beforeAll(() => {
+          process.runTimes = [RunTimeType.PY, RunTimeType.SAS]
+        })
+
+        beforeEach(() => {
+          jest.resetModules() // it clears the cache
+          setupMocks()
+        })
+
+        afterEach(async () => {
+          jest.resetAllMocks()
+          await deleteFolder(path.join(filesFolder, testFilesFolder))
+        })
+
+        it('should execute python program when both python and sas program are present', async () => {
+          await makeRequestAndAssert(
+            [RunTimeType.PY, RunTimeType.SAS],
+            200,
+            RunTimeType.PY
+          )
+        })
+
+        it('should execute sas program when python program is not present but sas program exists', async () => {
+          await makeRequestAndAssert([RunTimeType.SAS], 200, RunTimeType.SAS)
+        })
+
+        it('should throw error when both sas and js programs do not exist', async () => {
+          await makeRequestAndAssert([], 400)
        })
      })

@@ -277,79 +240,223 @@ describe('stp', () => {
        })

        it('should execute sas program when both sas and js programs  exist', async () => {
-          const programPath = path.join(testFilesFolder, 'program')
-          const sasProgramPath = path.join(filesFolder, `${programPath}.sas`)
-          const jsProgramPath = path.join(filesFolder, `${programPath}.js`)
-          await createFile(sasProgramPath, sampleSasProgram)
-          await createFile(jsProgramPath, sampleJsProgram)
-
-          await request(app)
-            .get(`/SASjsApi/stp/execute?_program=${programPath}`)
-            .auth(accessToken, { type: 'bearer' })
-            .send()
-            .expect(200)
-
-          expect(ProcessProgramModule.processProgram).toHaveBeenCalledWith(
-            expect.anything(),
-            expect.anything(),
-            expect.anything(),
-            expect.anything(),
-            expect.anything(),
-            expect.anything(),
-            RunTimeType.SAS,
-            expect.anything(),
-            undefined
+          await makeRequestAndAssert(
+            [RunTimeType.SAS, RunTimeType.JS],
+            200,
+            RunTimeType.SAS
          )
        })

        it('should execute js program when sas program is not present but js program exists', async () => {
-          const programPath = path.join(testFilesFolder, 'program')
-          const jsProgramPath = path.join(filesFolder, `${programPath}.js`)
-          await createFile(jsProgramPath, sampleJsProgram)
-
-          await request(app)
-            .get(`/SASjsApi/stp/execute?_program=${programPath}`)
-            .auth(accessToken, { type: 'bearer' })
-            .send()
-            .expect(200)
-
-          expect(ProcessProgramModule.processProgram).toHaveBeenCalledWith(
-            expect.anything(),
-            expect.anything(),
-            expect.anything(),
-            expect.anything(),
-            expect.anything(),
-            expect.anything(),
-            RunTimeType.JS,
-            expect.anything(),
-            undefined
-          )
+          await makeRequestAndAssert([RunTimeType.JS], 200, RunTimeType.JS)
        })

        it('should throw error when both sas and js programs do not exist', async () => {
-          const programPath = path.join(testFilesFolder, 'program')
+          await makeRequestAndAssert([], 400)
+        })
+      })

-          await request(app)
-            .get(`/SASjsApi/stp/execute?_program=${programPath}`)
-            .auth(accessToken, { type: 'bearer' })
-            .send()
-            .expect(400)
+      describe('with runtime sas and py', () => {
+        beforeAll(() => {
+          process.runTimes = [RunTimeType.SAS, RunTimeType.PY]
+        })
+
+        beforeEach(() => {
+          jest.resetModules() // it clears the cache
+          setupMocks()
+        })
+
+        afterEach(async () => {
+          jest.resetAllMocks()
+          await deleteFolder(path.join(filesFolder, testFilesFolder))
+        })
+
+        it('should execute sas program when both sas and python programs exist', async () => {
+          await makeRequestAndAssert(
+            [RunTimeType.SAS, RunTimeType.PY],
+            200,
+            RunTimeType.SAS
+          )
+        })
+
+        it('should execute python program when sas program is not present but python program exists', async () => {
+          await makeRequestAndAssert([RunTimeType.PY], 200, RunTimeType.PY)
+        })
+
+        it('should throw error when both sas and python programs do not exist', async () => {
+          await makeRequestAndAssert([], 400)
+        })
+      })
+
+      describe('with runtime sas, js and py', () => {
+        beforeAll(() => {
+          process.runTimes = [RunTimeType.SAS, RunTimeType.JS, RunTimeType.PY]
+        })
+
+        beforeEach(() => {
+          jest.resetModules() // it clears the cache
+          setupMocks()
+        })
+
+        afterEach(async () => {
+          jest.resetAllMocks()
+          await deleteFolder(path.join(filesFolder, testFilesFolder))
+        })
+
+        it('should execute sas program when it exists, no matter js and python programs exist or not', async () => {
+          await makeRequestAndAssert(
+            [RunTimeType.SAS, RunTimeType.PY, RunTimeType.JS],
+            200,
+            RunTimeType.SAS
+          )
+        })
+
+        it('should execute js program when sas program is absent but js and python programs are present', async () => {
+          await makeRequestAndAssert(
+            [RunTimeType.JS, RunTimeType.PY],
+            200,
+            RunTimeType.JS
+          )
+        })
+
+        it('should execute python program when both sas and js programs are not present', async () => {
+          await makeRequestAndAssert([RunTimeType.PY], 200, RunTimeType.PY)
+        })
+
+        it('should throw error when no program exists', async () => {
+          await makeRequestAndAssert([], 400)
+        })
+      })
+
+      describe('with runtime js, sas and py', () => {
+        beforeAll(() => {
+          process.runTimes = [RunTimeType.JS, RunTimeType.SAS, RunTimeType.PY]
+        })
+
+        beforeEach(() => {
+          jest.resetModules() // it clears the cache
+          setupMocks()
+        })
+
+        afterEach(async () => {
+          jest.resetAllMocks()
+          await deleteFolder(path.join(filesFolder, testFilesFolder))
+        })
+
+        it('should execute js program when it exists, no matter sas and python programs exist or not', async () => {
+          await makeRequestAndAssert(
+            [RunTimeType.JS, RunTimeType.SAS, RunTimeType.PY],
+            200,
+            RunTimeType.JS
+          )
+        })
+
+        it('should execute sas program when js program is absent but sas and python programs are present', async () => {
+          await makeRequestAndAssert(
+            [RunTimeType.SAS, RunTimeType.PY],
+            200,
+            RunTimeType.SAS
+          )
+        })
+
+        it('should execute python program when both sas and js programs are not present', async () => {
+          await makeRequestAndAssert([RunTimeType.PY], 200, RunTimeType.PY)
+        })
+
+        it('should throw error when no program exists', async () => {
+          await makeRequestAndAssert([], 400)
+        })
+      })
+
+      describe('with runtime py, sas and js', () => {
+        beforeAll(() => {
+          process.runTimes = [RunTimeType.PY, RunTimeType.SAS, RunTimeType.JS]
+        })
+
+        beforeEach(() => {
+          jest.resetModules() // it clears the cache
+          setupMocks()
+        })
+
+        afterEach(async () => {
+          jest.resetAllMocks()
+          await deleteFolder(path.join(filesFolder, testFilesFolder))
+        })
+
+        it('should execute python program when it exists, no matter sas and js programs exist or not', async () => {
+          await makeRequestAndAssert(
+            [RunTimeType.PY, RunTimeType.SAS, RunTimeType.JS],
+            200,
+            RunTimeType.PY
+          )
+        })
+
+        it('should execute sas program when python program is absent but sas and js programs are present', async () => {
+          await makeRequestAndAssert(
+            [RunTimeType.SAS, RunTimeType.JS],
+            200,
+            RunTimeType.SAS
+          )
+        })
+
+        it('should execute js program when both sas and python programs are not present', async () => {
+          await makeRequestAndAssert([RunTimeType.JS], 200, RunTimeType.JS)
+        })
+
+        it('should throw error when no program exists', async () => {
+          await makeRequestAndAssert([], 400)
        })
      })
    })
  })
 })

-const generateSaveTokenAndCreateUser = async (
-  someUser: any
-): Promise<string> => {
-  const userController = new UserController()
-  const dbUser = await userController.createUser(someUser)
+const makeRequestAndAssert = async (
+  programTypes: RunTimeType[],
+  expectedStatusCode: number,
+  expectedRuntime?: RunTimeType
+) => {
+  const programPath = path.join(testFilesFolder, 'program')
+  for (const programType of programTypes) {
+    if (programType === RunTimeType.JS)
+      await createFile(
+        path.join(filesFolder, `${programPath}.js`),
+        sampleJsProgram
+      )
+    else if (programType === RunTimeType.PY)
+      await createFile(
+        path.join(filesFolder, `${programPath}.py`),
+        samplePyProgram
+      )
+    else if (programType === RunTimeType.SAS)
+      await createFile(
+        path.join(filesFolder, `${programPath}.sas`),
+        sampleSasProgram
+      )
+  }

-  return generateAndSaveToken(dbUser.id)
+  await request(app)
+    .get(`/SASjsApi/stp/execute?_program=${programPath}`)
+    .auth(accessToken, { type: 'bearer' })
+    .send()
+    .expect(expectedStatusCode)
+
+  if (expectedRuntime)
+    expect(ProcessProgramModule.processProgram).toHaveBeenCalledWith(
+      expect.anything(),
+      expect.anything(),
+      expect.anything(),
+      expect.anything(),
+      expect.anything(),
+      expect.anything(),
+      expect.anything(),
+      expectedRuntime,
+      expect.anything(),
+      undefined
+    )
 }

-const generateAndSaveToken = async (userId: number) => {
+const generateAndSaveToken = async (userId: string) => {
  const accessToken = generateAccessToken({
    clientId,
    userId
@@ -364,7 +471,7 @@ const setupMocks = async () => {
    .mockImplementation(mockedGetSession)

  jest
-    .spyOn(JSSessionController.prototype, 'getSession')
+    .spyOn(SASSessionController.prototype, 'getSession')
    .mockImplementation(mockedGetSession)

  jest
@@ -386,10 +493,7 @@ const mockedGetSession = async () => {

  const session: Session = {
    id: sessionId,
-    ready: true,
-    inUse: true,
-    consumed: false,
-    completed: false,
+    state: SessionState.pending,
    creationTimeStamp,
    deathTimeStamp,
    path: sessionFolder
--- a/api/src/routes/api/spec/user.spec.ts
+++ b/api/src/routes/api/spec/user.spec.ts
@@ -1,10 +1,16 @@
+import { randomBytes } from 'crypto'
 import { Express } from 'express'
 import mongoose, { Mongoose } from 'mongoose'
 import { MongoMemoryServer } from 'mongodb-memory-server'
 import request from 'supertest'
 import appPromise from '../../../app'
 import { UserController, GroupController } from '../../../controllers/'
-import { generateAccessToken, saveTokensInDB } from '../../../utils'
+import {
+  generateAccessToken,
+  saveTokensInDB,
+  AuthProviderType
+} from '../../../utils'
+import User from '../../../model/User'

 const clientId = 'someclientID'
 const adminUser = {
@@ -96,9 +102,9 @@ describe('user', () => {
      const dbUser = await controller.createUser(user)
      const accessToken = generateAccessToken({
        clientId,
-        userId: dbUser.id
+        userId: dbUser.uid
      })
-      await saveTokensInDB(dbUser.id, clientId, accessToken, 'refreshToken')
+      await saveTokensInDB(dbUser.uid, clientId, accessToken, 'refreshToken')

      const res = await request(app)
        .post('/SASjsApi/user')
@@ -110,16 +116,16 @@ describe('user', () => {
      expect(res.body).toEqual({})
    })

-    it('should respond with Forbidden if username is already present', async () => {
+    it('should respond with Conflict if username is already present', async () => {
      await controller.createUser(user)

      const res = await request(app)
        .post('/SASjsApi/user')
        .auth(adminAccessToken, { type: 'bearer' })
        .send(user)
-        .expect(403)
+        .expect(409)

-      expect(res.text).toEqual('Error: Username already exists.')
+      expect(res.text).toEqual('Username already exists.')
      expect(res.body).toEqual({})
    })

@@ -182,7 +188,7 @@ describe('user', () => {
      const newDisplayName = 'My new display Name'

      const res = await request(app)
-        .patch(`/SASjsApi/user/${dbUser.id}`)
+        .patch(`/SASjsApi/user/${dbUser.uid}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send({ ...user, displayName: newDisplayName })
        .expect(200)
@@ -195,11 +201,11 @@ describe('user', () => {

    it('should respond with updated user when user himself requests', async () => {
      const dbUser = await controller.createUser(user)
-      const accessToken = await generateAndSaveToken(dbUser.id)
+      const accessToken = await generateAndSaveToken(dbUser.uid)
      const newDisplayName = 'My new display Name'

      const res = await request(app)
-        .patch(`/SASjsApi/user/${dbUser.id}`)
+        .patch(`/SASjsApi/user/${dbUser.uid}`)
        .auth(accessToken, { type: 'bearer' })
        .send({
          displayName: newDisplayName,
@@ -216,16 +222,46 @@ describe('user', () => {

    it('should respond with Bad Request, only admin can update isAdmin/isActive', async () => {
      const dbUser = await controller.createUser(user)
-      const accessToken = await generateAndSaveToken(dbUser.id)
+      const accessToken = await generateAndSaveToken(dbUser.uid)
      const newDisplayName = 'My new display Name'

      await request(app)
-        .patch(`/SASjsApi/user/${dbUser.id}`)
+        .patch(`/SASjsApi/user/${dbUser.uid}`)
        .auth(accessToken, { type: 'bearer' })
        .send({ ...user, displayName: newDisplayName })
        .expect(400)
    })

+    it('should respond with Method Not Allowed, when updating username of user created by an external auth provider', async () => {
+      const dbUser = await User.create({
+        ...user,
+        authProvider: AuthProviderType.LDAP
+      })
+      const accessToken = await generateAndSaveToken(dbUser!.id)
+      const newUsername = 'newUsername'
+
+      await request(app)
+        .patch(`/SASjsApi/user/${dbUser!.id}`)
+        .auth(accessToken, { type: 'bearer' })
+        .send({ username: newUsername })
+        .expect(405)
+    })
+
+    it('should respond with Method Not Allowed, when updating displayName of user created by an external auth provider', async () => {
+      const dbUser = await User.create({
+        ...user,
+        authProvider: AuthProviderType.LDAP
+      })
+      const accessToken = await generateAndSaveToken(dbUser!.id)
+      const newDisplayName = 'My new display Name'
+
+      await request(app)
+        .patch(`/SASjsApi/user/${dbUser!.id}`)
+        .auth(accessToken, { type: 'bearer' })
+        .send({ displayName: newDisplayName })
+        .expect(405)
+    })
+
    it('should respond with Unauthorized if access token is not present', async () => {
      const res = await request(app)
        .patch('/SASjsApi/user/1234')
@@ -242,10 +278,10 @@ describe('user', () => {
        ...user,
        username: 'randomUser'
      })
-      const accessToken = await generateAndSaveToken(dbUser2.id)
+      const accessToken = await generateAndSaveToken(dbUser2.uid)

      const res = await request(app)
-        .patch(`/SASjsApi/user/${dbUser1.id}`)
+        .patch(`/SASjsApi/user/${dbUser1.uid}`)
        .auth(accessToken, { type: 'bearer' })
        .send(user)
        .expect(401)
@@ -254,7 +290,7 @@ describe('user', () => {
      expect(res.body).toEqual({})
    })

-    it('should respond with Forbidden if username is already present', async () => {
+    it('should respond with Conflict if username is already present', async () => {
      const dbUser1 = await controller.createUser(user)
      const dbUser2 = await controller.createUser({
        ...user,
@@ -262,12 +298,12 @@ describe('user', () => {
      })

      const res = await request(app)
-        .patch(`/SASjsApi/user/${dbUser1.id}`)
+        .patch(`/SASjsApi/user/${dbUser1.uid}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send({ username: dbUser2.username })
-        .expect(403)
+        .expect(409)

-      expect(res.text).toEqual('Error: Username already exists.')
+      expect(res.text).toEqual('Username already exists.')
      expect(res.body).toEqual({})
    })

@@ -290,7 +326,7 @@ describe('user', () => {

      it('should respond with updated user when user himself requests', async () => {
        const dbUser = await controller.createUser(user)
-        const accessToken = await generateAndSaveToken(dbUser.id)
+        const accessToken = await generateAndSaveToken(dbUser.uid)
        const newDisplayName = 'My new display Name'

        const res = await request(app)
@@ -311,7 +347,7 @@ describe('user', () => {

      it('should respond with Bad Request, only admin can update isAdmin/isActive', async () => {
        const dbUser = await controller.createUser(user)
-        const accessToken = await generateAndSaveToken(dbUser.id)
+        const accessToken = await generateAndSaveToken(dbUser.uid)
        const newDisplayName = 'My new display Name'

        await request(app)
@@ -337,10 +373,10 @@ describe('user', () => {
          ...user,
          username: 'randomUser'
        })
-        const accessToken = await generateAndSaveToken(dbUser2.id)
+        const accessToken = await generateAndSaveToken(dbUser2.uid)

        const res = await request(app)
-          .patch(`/SASjsApi/user/${dbUser1.id}`)
+          .patch(`/SASjsApi/user/${dbUser1.uid}`)
          .auth(accessToken, { type: 'bearer' })
          .send(user)
          .expect(401)
@@ -349,7 +385,7 @@ describe('user', () => {
        expect(res.body).toEqual({})
      })

-      it('should respond with Forbidden if username is already present', async () => {
+      it('should respond with Conflict if username is already present', async () => {
        const dbUser1 = await controller.createUser(user)
        const dbUser2 = await controller.createUser({
          ...user,
@@ -360,9 +396,9 @@ describe('user', () => {
          .patch(`/SASjsApi/user/by/username/${dbUser1.username}`)
          .auth(adminAccessToken, { type: 'bearer' })
          .send({ username: dbUser2.username })
-          .expect(403)
+          .expect(409)

-        expect(res.text).toEqual('Error: Username already exists.')
+        expect(res.text).toEqual('Username already exists.')
        expect(res.body).toEqual({})
      })
    })
@@ -383,7 +419,7 @@ describe('user', () => {
      const dbUser = await controller.createUser(user)

      const res = await request(app)
-        .delete(`/SASjsApi/user/${dbUser.id}`)
+        .delete(`/SASjsApi/user/${dbUser.uid}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(200)
@@ -393,10 +429,10 @@ describe('user', () => {

    it('should respond with OK when user himself requests', async () => {
      const dbUser = await controller.createUser(user)
-      const accessToken = await generateAndSaveToken(dbUser.id)
+      const accessToken = await generateAndSaveToken(dbUser.uid)

      const res = await request(app)
-        .delete(`/SASjsApi/user/${dbUser.id}`)
+        .delete(`/SASjsApi/user/${dbUser.uid}`)
        .auth(accessToken, { type: 'bearer' })
        .send({ password: user.password })
        .expect(200)
@@ -406,10 +442,10 @@ describe('user', () => {

    it('should respond with Bad Request when user himself requests and password is missing', async () => {
      const dbUser = await controller.createUser(user)
-      const accessToken = await generateAndSaveToken(dbUser.id)
+      const accessToken = await generateAndSaveToken(dbUser.uid)

      const res = await request(app)
-        .delete(`/SASjsApi/user/${dbUser.id}`)
+        .delete(`/SASjsApi/user/${dbUser.uid}`)
        .auth(accessToken, { type: 'bearer' })
        .send()
        .expect(400)
@@ -434,10 +470,10 @@ describe('user', () => {
        ...user,
        username: 'randomUser'
      })
-      const accessToken = await generateAndSaveToken(dbUser2.id)
+      const accessToken = await generateAndSaveToken(dbUser2.uid)

      const res = await request(app)
-        .delete(`/SASjsApi/user/${dbUser1.id}`)
+        .delete(`/SASjsApi/user/${dbUser1.uid}`)
        .auth(accessToken, { type: 'bearer' })
        .send(user)
        .expect(401)
@@ -446,17 +482,17 @@ describe('user', () => {
      expect(res.body).toEqual({})
    })

-    it('should respond with Forbidden when user himself requests and password is incorrect', async () => {
+    it('should respond with Unauthorized when user himself requests and password is incorrect', async () => {
      const dbUser = await controller.createUser(user)
-      const accessToken = await generateAndSaveToken(dbUser.id)
+      const accessToken = await generateAndSaveToken(dbUser.uid)

      const res = await request(app)
-        .delete(`/SASjsApi/user/${dbUser.id}`)
+        .delete(`/SASjsApi/user/${dbUser.uid}`)
        .auth(accessToken, { type: 'bearer' })
        .send({ password: 'incorrectpassword' })
-        .expect(403)
+        .expect(401)

-      expect(res.text).toEqual('Error: Invalid password.')
+      expect(res.text).toEqual('Invalid password.')
      expect(res.body).toEqual({})
    })

@@ -475,7 +511,7 @@ describe('user', () => {

      it('should respond with OK when user himself requests', async () => {
        const dbUser = await controller.createUser(user)
-        const accessToken = await generateAndSaveToken(dbUser.id)
+        const accessToken = await generateAndSaveToken(dbUser.uid)

        const res = await request(app)
          .delete(`/SASjsApi/user/by/username/${dbUser.username}`)
@@ -488,7 +524,7 @@ describe('user', () => {

      it('should respond with Bad Request when user himself requests and password is missing', async () => {
        const dbUser = await controller.createUser(user)
-        const accessToken = await generateAndSaveToken(dbUser.id)
+        const accessToken = await generateAndSaveToken(dbUser.uid)

        const res = await request(app)
          .delete(`/SASjsApi/user/by/username/${dbUser.username}`)
@@ -516,7 +552,7 @@ describe('user', () => {
          ...user,
          username: 'randomUser'
        })
-        const accessToken = await generateAndSaveToken(dbUser2.id)
+        const accessToken = await generateAndSaveToken(dbUser2.uid)

        const res = await request(app)
          .delete(`/SASjsApi/user/by/username/${dbUser1.username}`)
@@ -528,17 +564,17 @@ describe('user', () => {
        expect(res.body).toEqual({})
      })

-      it('should respond with Forbidden when user himself requests and password is incorrect', async () => {
+      it('should respond with Unauthorized when user himself requests and password is incorrect', async () => {
        const dbUser = await controller.createUser(user)
-        const accessToken = await generateAndSaveToken(dbUser.id)
+        const accessToken = await generateAndSaveToken(dbUser.uid)

        const res = await request(app)
          .delete(`/SASjsApi/user/by/username/${dbUser.username}`)
          .auth(accessToken, { type: 'bearer' })
          .send({ password: 'incorrectpassword' })
-          .expect(403)
+          .expect(401)

-        expect(res.text).toEqual('Error: Invalid password.')
+        expect(res.text).toEqual('Invalid password.')
        expect(res.body).toEqual({})
      })
    })
@@ -557,7 +593,7 @@ describe('user', () => {

    it('should respond with user autoExec when same user requests', async () => {
      const dbUser = await controller.createUser(user)
-      const userId = dbUser.id
+      const userId = dbUser.uid
      const accessToken = await generateAndSaveToken(userId)

      const res = await request(app)
@@ -576,7 +612,7 @@ describe('user', () => {

    it('should respond with user autoExec when admin user requests', async () => {
      const dbUser = await controller.createUser(user)
-      const userId = dbUser.id
+      const userId = dbUser.uid

      const res = await request(app)
        .get(`/SASjsApi/user/${userId}`)
@@ -599,7 +635,7 @@ describe('user', () => {
      })

      const dbUser = await controller.createUser(user)
-      const userId = dbUser.id
+      const userId = dbUser.uid

      const res = await request(app)
        .get(`/SASjsApi/user/${userId}`)
@@ -617,7 +653,7 @@ describe('user', () => {

    it('should respond with user along with associated groups', async () => {
      const dbUser = await controller.createUser(user)
-      const userId = dbUser.id
+      const userId = dbUser.uid
      const accessToken = await generateAndSaveToken(userId)

      const group = {
@@ -626,7 +662,7 @@ describe('user', () => {
      }
      const groupController = new GroupController()
      const dbGroup = await groupController.createGroup(group)
-      await groupController.addUserToGroup(dbGroup.groupId, dbUser.id)
+      await groupController.addUserToGroup(dbGroup.uid, dbUser.uid)

      const res = await request(app)
        .get(`/SASjsApi/user/${userId}`)
@@ -652,23 +688,25 @@ describe('user', () => {
      expect(res.body).toEqual({})
    })

-    it('should respond with Forbidden if userId is incorrect', async () => {
+    it('should respond with Not Found if userId is incorrect', async () => {
      await controller.createUser(user)

+      const hexValue = randomBytes(12).toString('hex')
+
      const res = await request(app)
-        .get('/SASjsApi/user/1234')
+        .get(`/SASjsApi/user/${hexValue}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
-        .expect(403)
+        .expect(404)

-      expect(res.text).toEqual('Error: User is not found.')
+      expect(res.text).toEqual('User is not found.')
      expect(res.body).toEqual({})
    })

    describe('by username', () => {
      it('should respond with user autoExec when same user requests', async () => {
        const dbUser = await controller.createUser(user)
-        const userId = dbUser.id
+        const userId = dbUser.uid
        const accessToken = await generateAndSaveToken(userId)

        const res = await request(app)
@@ -731,16 +769,16 @@ describe('user', () => {
        expect(res.body).toEqual({})
      })

-      it('should respond with Forbidden if username is incorrect', async () => {
+      it('should respond with Not Found if username is incorrect', async () => {
        await controller.createUser(user)

        const res = await request(app)
          .get('/SASjsApi/user/by/username/randomUsername')
          .auth(adminAccessToken, { type: 'bearer' })
          .send()
-          .expect(403)
+          .expect(404)

-        expect(res.text).toEqual('Error: User is not found.')
+        expect(res.text).toEqual('User is not found.')
        expect(res.body).toEqual({})
      })
    })
@@ -768,13 +806,13 @@ describe('user', () => {

      expect(res.body).toEqual([
        {
-          id: expect.anything(),
+          uid: expect.anything(),
          username: adminUser.username,
          displayName: adminUser.displayName,
          isAdmin: adminUser.isAdmin
        },
        {
-          id: expect.anything(),
+          uid: expect.anything(),
          username: user.username,
          displayName: user.displayName,
          isAdmin: user.isAdmin
@@ -796,13 +834,13 @@ describe('user', () => {

      expect(res.body).toEqual([
        {
-          id: expect.anything(),
+          uid: expect.anything(),
          username: adminUser.username,
          displayName: adminUser.displayName,
          isAdmin: adminUser.isAdmin
        },
        {
-          id: expect.anything(),
+          uid: expect.anything(),
          username: 'randomUser',
          displayName: user.displayName,
          isAdmin: user.isAdmin
@@ -824,10 +862,10 @@ const generateSaveTokenAndCreateUser = async (
 ): Promise<string> => {
  const dbUser = await controller.createUser(someUser ?? adminUser)

-  return generateAndSaveToken(dbUser.id)
+  return generateAndSaveToken(dbUser.uid)
 }

-const generateAndSaveToken = async (userId: number) => {
+const generateAndSaveToken = async (userId: string) => {
  const adminAccessToken = generateAccessToken({
    clientId,
    userId
--- a/api/src/routes/api/spec/web.spec.ts
+++ b/api/src/routes/api/spec/web.spec.ts
@@ -47,12 +47,82 @@ describe('web', () => {
    })
  })

-  describe('SASLogon/login', () => {
+  describe('SASLogon/authorize', () => {
    let csrfToken: string
-    let cookies: string
+    let authCookies: string

    beforeAll(async () => {
-      ;({ csrfToken, cookies } = await getCSRF(app))
+      ;({ csrfToken } = await getCSRF(app))
+
+      await userController.createUser(user)
+
+      const credentials = {
+        username: user.username,
+        password: user.password
+      }
+
+      ;({ authCookies } = await performLogin(app, credentials, csrfToken))
+    })
+
+    afterAll(async () => {
+      const collections = mongoose.connection.collections
+      const collection = collections['users']
+      await collection.deleteMany({})
+    })
+
+    it('should respond with authorization code', async () => {
+      const res = await request(app)
+        .post('/SASLogon/authorize')
+        .set('Cookie', [authCookies].join('; '))
+        .set('x-xsrf-token', csrfToken)
+        .send({ clientId })
+
+      expect(res.body).toHaveProperty('code')
+    })
+
+    it('should respond with Bad Request if CSRF Token is missing', async () => {
+      const res = await request(app)
+        .post('/SASLogon/authorize')
+        .set('Cookie', [authCookies].join('; '))
+        .send({ clientId })
+        .expect(400)
+
+      expect(res.text).toEqual('Invalid CSRF token!')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request if clientId is missing', async () => {
+      const res = await request(app)
+        .post('/SASLogon/authorize')
+        .set('Cookie', [authCookies].join('; '))
+        .set('x-xsrf-token', csrfToken)
+        .send({})
+        .expect(400)
+
+      expect(res.text).toEqual(`"clientId" is required`)
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Forbidden if clientId is incorrect', async () => {
+      const res = await request(app)
+        .post('/SASLogon/authorize')
+        .set('Cookie', [authCookies].join('; '))
+        .set('x-xsrf-token', csrfToken)
+        .send({
+          clientId: 'WrongClientID'
+        })
+        .expect(403)
+
+      expect(res.text).toEqual('Error: Invalid clientId.')
+      expect(res.body).toEqual({})
+    })
+  })
+
+  describe('SASLogon/login', () => {
+    let csrfToken: string
+
+    beforeAll(async () => {
+      ;({ csrfToken } = await getCSRF(app))
    })

    afterEach(async () => {
@@ -66,7 +136,6 @@ describe('web', () => {

      const res = await request(app)
        .post('/SASLogon/login')
-        .set('Cookie', cookies)
        .set('x-xsrf-token', csrfToken)
        .send({
          username: user.username,
@@ -76,76 +145,116 @@ describe('web', () => {

      expect(res.body.loggedIn).toBeTruthy()
      expect(res.body.user).toEqual({
-        id: expect.any(Number),
+        id: expect.any(String),
        username: user.username,
        displayName: user.displayName,
-        isAdmin: user.isAdmin
+        isAdmin: user.isAdmin,
+        needsToUpdatePassword: true
      })
    })
-  })
-
-  describe('SASLogon/authorize', () => {
-    let csrfToken: string
-    let cookies: string
-    let authCookies: string
-
-    beforeAll(async () => {
-      ;({ csrfToken, cookies } = await getCSRF(app))

+    it('should respond with too many requests when attempting with invalid password for a same user too many times', async () => {
      await userController.createUser(user)

-      const credentials = {
-        username: user.username,
-        password: user.password
-      }
+      const promises: request.Test[] = []

-      ;({ cookies: authCookies } = await performLogin(
-        app,
-        credentials,
-        cookies,
-        csrfToken
-      ))
-    })
+      const maxConsecutiveFailsByUsernameAndIp = Number(
+        process.env.MAX_CONSECUTIVE_FAILS_BY_USERNAME_AND_IP
+      )

-    afterAll(async () => {
-      const collections = mongoose.connection.collections
-      const collection = collections['users']
-      await collection.deleteMany({})
-    })
+      Array(maxConsecutiveFailsByUsernameAndIp + 1)
+        .fill(0)
+        .map((_, i) => {
+          promises.push(
+            request(app)
+              .post('/SASLogon/login')
+              .set('x-xsrf-token', csrfToken)
+              .send({
+                username: user.username,
+                password: 'invalid-password'
+              })
+          )
+        })
+
+      await Promise.all(promises)

-    it('should respond with authorization code', async () => {
      const res = await request(app)
-        .post('/SASLogon/authorize')
-        .set('Cookie', [authCookies, cookies].join('; '))
+        .post('/SASLogon/login')
        .set('x-xsrf-token', csrfToken)
-        .send({ clientId })
+        .send({
+          username: user.username,
+          password: user.password
+        })
+        .expect(429)

-      expect(res.body).toHaveProperty('code')
+      expect(res.text).toContain('Too Many Requests!')
    })

-    it('should respond with Bad Request if clientId is missing', async () => {
+    it('should respond with too many requests when attempting with invalid credentials for different users but with same ip too many times', async () => {
+      await userController.createUser(user)
+
+      const promises: request.Test[] = []
+
+      const maxWrongAttemptsByIpPerDay = Number(
+        process.env.MAX_WRONG_ATTEMPTS_BY_IP_PER_DAY
+      )
+
+      Array(maxWrongAttemptsByIpPerDay + 1)
+        .fill(0)
+        .map((_, i) => {
+          promises.push(
+            request(app)
+              .post('/SASLogon/login')
+              .set('x-xsrf-token', csrfToken)
+              .send({
+                username: `user${i}`,
+                password: 'invalid-password'
+              })
+          )
+        })
+
+      await Promise.all(promises)
+
      const res = await request(app)
-        .post('/SASLogon/authorize')
-        .set('Cookie', [authCookies, cookies].join('; '))
+        .post('/SASLogon/login')
        .set('x-xsrf-token', csrfToken)
-        .send({})
+        .send({
+          username: user.username,
+          password: user.password
+        })
+        .expect(429)
+
+      expect(res.text).toContain('Too Many Requests!')
+    })
+
+    it('should respond with Bad Request if CSRF Token is not present', async () => {
+      await userController.createUser(user)
+
+      const res = await request(app)
+        .post('/SASLogon/login')
+        .send({
+          username: user.username,
+          password: user.password
+        })
        .expect(400)

-      expect(res.text).toEqual(`"clientId" is required`)
+      expect(res.text).toEqual('Invalid CSRF token!')
      expect(res.body).toEqual({})
    })

-    it('should respond with Forbidden if clientId is incorrect', async () => {
-      const res = await request(app)
-        .post('/SASLogon/authorize')
-        .set('Cookie', [authCookies, cookies].join('; '))
-        .set('x-xsrf-token', csrfToken)
-        .send({
-          clientId: 'WrongClientID'
-        })
-        .expect(403)
+    it('should respond with Bad Request if CSRF Token is invalid', async () => {
+      await userController.createUser(user)

-      expect(res.text).toEqual('Error: Invalid clientId.')
+      const res = await request(app)
+        .post('/SASLogon/login')
+        .set('x-xsrf-token', 'INVALID_CSRF_TOKEN')
+        .send({
+          username: user.username,
+          password: user.password
+        })
+        .expect(400)
+
+      expect(res.text).toEqual('Invalid CSRF token!')
      expect(res.body).toEqual({})
    })
  })
@@ -153,27 +262,22 @@ describe('web', () => {

 const getCSRF = async (app: Express) => {
  // make request to get CSRF
-  const { header, text } = await request(app).get('/')
-  const cookies = header['set-cookie'].join()
+  const { text } = await request(app).get('/')

-  const csrfToken = extractCSRF(text)
-  return { csrfToken, cookies }
+  return { csrfToken: extractCSRF(text) }
 }

 const performLogin = async (
  app: Express,
  credentials: { username: string; password: string },
-  cookies: string,
  csrfToken: string
 ) => {
  const { header } = await request(app)
    .post('/SASLogon/login')
-    .set('Cookie', cookies)
    .set('x-xsrf-token', csrfToken)
    .send(credentials)

-  const newCookies: string = header['set-cookie'].join()
-  return { cookies: newCookies }
+  return { authCookies: header['set-cookie'].join() }
 }

 const extractCSRF = (text: string) =>
--- a/api/src/routes/api/stp.ts
+++ b/api/src/routes/api/stp.ts
@@ -1,5 +1,8 @@
 import express from 'express'
-import { executeProgramRawValidation } from '../../utils'
+import {
+  executeProgramRawValidation,
+  triggerProgramValidation
+} from '../../utils'
 import { STPController } from '../../controllers/'
 import { FileUploadController } from '../../controllers/internal'

@@ -13,7 +16,11 @@ stpRouter.get('/execute', async (req, res) => {
  if (error) return res.status(400).send(error.details[0].message)

  try {
-    const response = await controller.executeReturnRaw(req, query._program)
+    const response = await controller.executeGetRequest(
+      req,
+      query._program,
+      query._debug
+    )

    if (response instanceof Buffer) {
      res.writeHead(200, (req as any).sasHeaders)
@@ -42,7 +49,7 @@ stpRouter.post(
    // if (errQ && errB) return res.status(400).send(errB.details[0].message)

    try {
-      const response = await controller.executeReturnJson(
+      const response = await controller.executePostRequest(
        req,
        req.body,
        req.query?._program as string
@@ -65,4 +72,28 @@ stpRouter.post(
  }
 )

+stpRouter.post('/trigger', async (req, res) => {
+  const { error, value: query } = triggerProgramValidation(req.query)
+
+  if (error) return res.status(400).send(error.details[0].message)
+
+  try {
+    const response = await controller.triggerProgram(
+      req,
+      query._program,
+      query._debug,
+      query.expiresAfterMins
+    )
+
+    res.status(200)
+    res.send(response)
+  } catch (err: any) {
+    const statusCode = err.code
+
+    delete err.code
+
+    res.status(statusCode).send(err)
+  }
+})
+
 export default stpRouter
--- a/api/src/routes/api/user.ts
+++ b/api/src/routes/api/user.ts
@@ -9,6 +9,7 @@ import {
  deleteUserValidation,
  getUserValidation,
  registerUserValidation,
+  uidValidation,
  updateUserValidation
 } from '../../utils'

@@ -23,7 +24,7 @@ userRouter.post('/', authenticateAccessToken, verifyAdmin, async (req, res) => {
    const response = await controller.createUser(body)
    res.send(response)
  } catch (err: any) {
-    res.status(403).send(err.toString())
+    res.status(err.code).send(err.message)
  }
 })

@@ -33,7 +34,7 @@ userRouter.get('/', authenticateAccessToken, async (req, res) => {
    const response = await controller.getAllUsers()
    res.send(response)
  } catch (err: any) {
-    res.status(403).send(err.toString())
+    res.status(err.code).send(err.message)
  }
 })

@@ -51,20 +52,23 @@ userRouter.get(
      const response = await controller.getUserByUsername(req, username)
      res.send(response)
    } catch (err: any) {
-      res.status(403).send(err.toString())
+      res.status(err.code).send(err.message)
    }
  }
 )

-userRouter.get('/:userId', authenticateAccessToken, async (req, res) => {
-  const { userId } = req.params
+userRouter.get('/:uid', authenticateAccessToken, async (req, res) => {
+  const { error, value: params } = uidValidation(req.params)
+  if (error) return res.status(400).send(error.details[0].message)
+
+  const { uid } = params

  const controller = new UserController()
  try {
-    const response = await controller.getUser(req, parseInt(userId))
+    const response = await controller.getUser(req, uid)
    res.send(response)
  } catch (err: any) {
-    res.status(403).send(err.toString())
+    res.status(err.code).send(err.message)
  }
 })

@@ -91,18 +95,22 @@ userRouter.patch(
      const response = await controller.updateUserByUsername(username, body)
      res.send(response)
    } catch (err: any) {
-      res.status(403).send(err.toString())
+      res.status(err.code).send(err.message)
    }
  }
 )

 userRouter.patch(
-  '/:userId',
+  '/:uid',
  authenticateAccessToken,
  verifyAdminIfNeeded,
  async (req, res) => {
    const { user } = req
-    const { userId } = req.params
+
+    const { error: uidError, value: params } = uidValidation(req.params)
+    if (uidError) return res.status(400).send(uidError.details[0].message)
+
+    const { uid } = params

    // only an admin can update `isActive` and `isAdmin` fields
    const { error, value: body } = updateUserValidation(req.body, user!.isAdmin)
@@ -110,10 +118,10 @@ userRouter.patch(

    const controller = new UserController()
    try {
-      const response = await controller.updateUser(parseInt(userId), body)
+      const response = await controller.updateUser(uid, body)
      res.send(response)
    } catch (err: any) {
-      res.status(403).send(err.toString())
+      res.status(err.code).send(err.message)
    }
  }
 )
@@ -141,18 +149,22 @@ userRouter.delete(
      await controller.deleteUserByUsername(username, data, user!.isAdmin)
      res.status(200).send('Account Deleted!')
    } catch (err: any) {
-      res.status(403).send(err.toString())
+      res.status(err.code).send(err.message)
    }
  }
 )

 userRouter.delete(
-  '/:userId',
+  '/:uid',
  authenticateAccessToken,
  verifyAdminIfNeeded,
  async (req, res) => {
    const { user } = req
-    const { userId } = req.params
+
+    const { error: uidError, value: params } = uidValidation(req.params)
+    if (uidError) return res.status(400).send(uidError.details[0].message)
+
+    const { uid } = params

    // only an admin can delete user without providing password
    const { error, value: data } = deleteUserValidation(req.body, user!.isAdmin)
@@ -160,10 +172,10 @@ userRouter.delete(

    const controller = new UserController()
    try {
-      await controller.deleteUser(parseInt(userId), data, user!.isAdmin)
+      await controller.deleteUser(uid, data, user!.isAdmin)
      res.status(200).send('Account Deleted!')
    } catch (err: any) {
-      res.status(403).send(err.toString())
+      res.status(err.code).send(err.message)
    }
  }
 )
--- a/api/src/routes/appStream/index.ts
+++ b/api/src/routes/appStream/index.ts
@@ -1,6 +1,6 @@
 import path from 'path'
 import express, { Request } from 'express'
-import { authenticateAccessToken } from '../../middlewares'
+import { authenticateAccessToken, generateCSRFToken } from '../../middlewares'
 import { folderExists } from '@sasjs/utils'

 import { addEntryToAppStreamConfig, getFilesFolder } from '../../utils'
@@ -13,7 +13,7 @@ const router = express.Router()
 router.get('/', authenticateAccessToken, async (req, res) => {
  const content = appStreamHtml(process.appStreamConfig)

-  res.cookie('XSRF-TOKEN', req.csrfToken())
+  res.cookie('XSRF-TOKEN', generateCSRFToken())

  return res.send(content)
 })
@@ -58,7 +58,7 @@ export const publishAppStream = async (
    )

    const sasJsPort = process.env.PORT || 5000
-    console.log(
+    process.logger.info(
      'Serving Stream App: ',
      `http://localhost:${sasJsPort}/AppStream/${streamServiceName}`
    )
--- a/api/src/routes/setupRoutes.ts
+++ b/api/src/routes/setupRoutes.ts
@@ -4,7 +4,7 @@ import webRouter from './web'
 import apiRouter from './api'
 import appStreamRouter from './appStream'

-import { csrfProtection } from '../app'
+import { csrfProtection } from '../middlewares'

 export const setupRoutes = (app: Express) => {
  app.use('/SASjsApi', apiRouter)
@@ -15,5 +15,5 @@ export const setupRoutes = (app: Express) => {
    appStreamRouter(req, res, next)
  })

-  app.use('/', csrfProtection, webRouter)
+  app.use('/', webRouter)
 }
--- a/api/src/routes/web/index.ts
+++ b/api/src/routes/web/index.ts
@@ -1,8 +1,26 @@
 import express from 'express'
+import sas9WebRouter from './sas9-web'
+import sasViyaWebRouter from './sasviya-web'
 import webRouter from './web'
+import { MOCK_SERVERTYPEType } from '../../utils'
+import { csrfProtection } from '../../middlewares'

 const router = express.Router()

-router.use('/', webRouter)
+const { MOCK_SERVERTYPE } = process.env
+
+switch (MOCK_SERVERTYPE) {
+  case MOCK_SERVERTYPEType.SAS9: {
+    router.use('/', sas9WebRouter)
+    break
+  }
+  case MOCK_SERVERTYPEType.SASVIYA: {
+    router.use('/', sasViyaWebRouter)
+    break
+  }
+  default: {
+    router.use('/', csrfProtection, webRouter)
+  }
+}

 export default router
--- a/api/src/routes/web/sas9-web.ts
+++ b/api/src/routes/web/sas9-web.ts
@@ -0,0 +1,152 @@
+import express from 'express'
+import { generateCSRFToken } from '../../middlewares'
+import { WebController } from '../../controllers'
+import { MockSas9Controller } from '../../controllers/mock-sas9'
+import multer from 'multer'
+import path from 'path'
+import dotenv from 'dotenv'
+import { FileUploadController } from '../../controllers/internal'
+
+dotenv.config()
+
+const sas9WebRouter = express.Router()
+const webController = new WebController()
+// Mock controller must be singleton because it keeps the states
+// for example `isLoggedIn` and potentially more in future mocks
+const controller = new MockSas9Controller()
+const fileUploadController = new FileUploadController()
+
+const mockPath = process.env.STATIC_MOCK_LOCATION || 'mocks'
+
+const upload = multer({
+  dest: path.join(process.cwd(), mockPath, 'sas9', 'files-received')
+})
+
+sas9WebRouter.get('/', async (req, res) => {
+  let response
+  try {
+    response = await webController.home()
+  } catch (_) {
+    response = '<html><head></head><body>Web Build is not present</body></html>'
+  } finally {
+    const codeToInject = `<script>document.cookie = 'XSRF-TOKEN=${generateCSRFToken()}; Max-Age=86400; SameSite=Strict; Path=/;'</script>`
+    const injectedContent = response?.replace(
+      '</head>',
+      `${codeToInject}</head>`
+    )
+
+    return res.send(injectedContent)
+  }
+})
+
+sas9WebRouter.get('/SASStoredProcess', async (req, res) => {
+  const response = await controller.sasStoredProcess(req)
+
+  if (response.redirect) {
+    res.redirect(response.redirect)
+    return
+  }
+
+  try {
+    res.send(response.content)
+  } catch (err: any) {
+    res.status(403).send(err.toString())
+  }
+})
+
+sas9WebRouter.get('/SASStoredProcess/do/', async (req, res) => {
+  const response = await controller.sasStoredProcessDoGet(req)
+
+  if (response.redirect) {
+    res.redirect(response.redirect)
+    return
+  }
+
+  try {
+    res.send(response.content)
+  } catch (err: any) {
+    res.status(403).send(err.toString())
+  }
+})
+
+sas9WebRouter.post(
+  '/SASStoredProcess/do/',
+  fileUploadController.preUploadMiddleware,
+  fileUploadController.getMulterUploadObject().any(),
+  async (req, res) => {
+    const response = await controller.sasStoredProcessDoPost(req)
+
+    if (response.redirect) {
+      res.redirect(response.redirect)
+      return
+    }
+
+    try {
+      res.send(response.content)
+    } catch (err: any) {
+      res.status(403).send(err.toString())
+    }
+  }
+)
+
+sas9WebRouter.get('/SASLogon/login', async (req, res) => {
+  const response = await controller.loginGet()
+
+  if (response.redirect) {
+    res.redirect(response.redirect)
+    return
+  }
+
+  try {
+    res.send(response.content)
+  } catch (err: any) {
+    res.status(403).send(err.toString())
+  }
+})
+
+sas9WebRouter.post('/SASLogon/login', async (req, res) => {
+  const response = await controller.loginPost(req)
+
+  if (response.redirect) {
+    res.redirect(response.redirect)
+    return
+  }
+
+  try {
+    res.send(response.content)
+  } catch (err: any) {
+    res.status(403).send(err.toString())
+  }
+})
+
+sas9WebRouter.get('/SASLogon/logout', async (req, res) => {
+  const response = await controller.logout(req)
+
+  if (response.redirect) {
+    res.redirect(response.redirect)
+    return
+  }
+
+  try {
+    res.send(response.content)
+  } catch (err: any) {
+    res.status(403).send(err.toString())
+  }
+})
+
+sas9WebRouter.get('/SASStoredProcess/Logoff', async (req, res) => {
+  const response = await controller.logoff(req)
+
+  if (response.redirect) {
+    res.redirect(response.redirect)
+    return
+  }
+
+  try {
+    res.send(response.content)
+  } catch (err: any) {
+    res.status(403).send(err.toString())
+  }
+})
+
+export default sas9WebRouter
--- a/api/src/routes/web/sasviya-web.ts
+++ b/api/src/routes/web/sasviya-web.ts
@@ -0,0 +1,33 @@
+import express from 'express'
+import { generateCSRFToken } from '../../middlewares'
+import { WebController } from '../../controllers/web'
+
+const sasViyaWebRouter = express.Router()
+const controller = new WebController()
+
+sasViyaWebRouter.get('/', async (req, res) => {
+  let response
+  try {
+    response = await controller.home()
+  } catch (_) {
+    response = '<html><head></head><body>Web Build is not present</body></html>'
+  } finally {
+    const codeToInject = `<script>document.cookie = 'XSRF-TOKEN=${generateCSRFToken()}; Max-Age=86400; SameSite=Strict; Path=/;'</script>`
+    const injectedContent = response?.replace(
+      '</head>',
+      `${codeToInject}</head>`
+    )
+
+    return res.send(injectedContent)
+  }
+})
+
+sasViyaWebRouter.post('/SASJobExecution/', async (req, res) => {
+  try {
+    res.send({ test: 'test' })
+  } catch (err: any) {
+    res.status(403).send(err.toString())
+  }
+})
+
+export default sasViyaWebRouter
--- a/api/src/routes/web/web.ts
+++ b/api/src/routes/web/web.ts
@@ -1,6 +1,11 @@
 import express from 'express'
+import { generateCSRFToken } from '../../middlewares'
 import { WebController } from '../../controllers/web'
-import { authenticateAccessToken, desktopRestrict } from '../../middlewares'
+import {
+  authenticateAccessToken,
+  bruteForceProtection,
+  desktopRestrict
+} from '../../middlewares'
 import { authorizeValidation, loginWebValidation } from '../../utils'

 const webRouter = express.Router()
@@ -13,7 +18,10 @@ webRouter.get('/', async (req, res) => {
  } catch (_) {
    response = '<html><head></head><body>Web Build is not present</body></html>'
  } finally {
-    const codeToInject = `<script>document.cookie = 'XSRF-TOKEN=${req.csrfToken()}; Max-Age=86400; SameSite=Strict; Path=/;'</script>`
+    const { ALLOWED_DOMAIN } = process.env
+    const allowedDomain = ALLOWED_DOMAIN?.trim()
+    const domain = allowedDomain ? ` Domain=${allowedDomain};` : ''
+    const codeToInject = `<script>document.cookie = 'XSRF-TOKEN=${generateCSRFToken()};${domain} Max-Age=86400; SameSite=Strict; Path=/;'</script>`
    const injectedContent = response?.replace(
      '</head>',
      `${codeToInject}</head>`
@@ -23,17 +31,26 @@ webRouter.get('/', async (req, res) => {
  }
 })

-webRouter.post('/SASLogon/login', desktopRestrict, async (req, res) => {
-  const { error, value: body } = loginWebValidation(req.body)
-  if (error) return res.status(400).send(error.details[0].message)
+webRouter.post(
+  '/SASLogon/login',
+  desktopRestrict,
+  bruteForceProtection,
+  async (req, res) => {
+    const { error, value: body } = loginWebValidation(req.body)
+    if (error) return res.status(400).send(error.details[0].message)

-  try {
-    const response = await controller.login(req, body)
-    res.send(response)
-  } catch (err: any) {
-    res.status(403).send(err.toString())
+    try {
+      const response = await controller.login(req, body)
+      res.send(response)
+    } catch (err: any) {
+      if (err instanceof Error) {
+        res.status(500).send(err.toString())
+      } else {
+        res.status(err.code).send(err.message)
+      }
+    }
  }
-})
+)

 webRouter.post(
  '/SASLogon/authorize',
--- a/api/src/server.ts
+++ b/api/src/server.ts
@@ -7,11 +7,11 @@ appPromise.then(async (app) => {
  const protocol = process.env.PROTOCOL || 'http'
  const sasJsPort = process.env.PORT || 5000

-  console.log('PROTOCOL: ', protocol)
+  process.logger.info('PROTOCOL: ', protocol)

  if (protocol !== 'https') {
    app.listen(sasJsPort, () => {
-      console.log(
+      process.logger.info(
        `⚡️[server]: Server is running at http://localhost:${sasJsPort}`
      )
    })
@@ -20,7 +20,7 @@ appPromise.then(async (app) => {

    const httpsServer = createServer({ key, cert, ca }, app)
    httpsServer.listen(sasJsPort, () => {
-      console.log(
+      process.logger.info(
        `⚡️[server]: Server is running at https://localhost:${sasJsPort}`
      )
    })
--- a/api/src/types/InfoJWT.ts
+++ b/api/src/types/InfoJWT.ts
@@ -1,4 +1,4 @@
 export interface InfoJWT {
  clientId: string
-  userId: number
+  userId: string
 }
--- a/api/src/types/PreProgramVars.ts
+++ b/api/src/types/PreProgramVars.ts
@@ -1,6 +1,6 @@
 export interface PreProgramVars {
  username: string
-  userId: number
+  userId: string
  displayName: string
  serverUrl: string
  httpHeaders: string[]
--- a/api/src/types/RequestUser.ts
+++ b/api/src/types/RequestUser.ts
@@ -1,9 +1,10 @@
 export interface RequestUser {
-  userId: number
+  userId: string
  clientId: string
  username: string
  displayName: string
  isAdmin: boolean
  isActive: boolean
+  needsToUpdatePassword: boolean
  autoExec?: string
 }
--- a/api/src/types/Session.ts
+++ b/api/src/types/Session.ts
@@ -1,11 +1,16 @@
+export enum SessionState {
+  initialising = 'initialising', // session is initialising and not ready to be used yet
+  pending = 'pending', // session is ready to be used
+  running = 'running', // session is in use
+  completed = 'completed', // session is completed and can be destroyed
+  failed = 'failed' // session failed
+}
 export interface Session {
  id: string
-  ready: boolean
+  state: SessionState
  creationTimeStamp: string
  deathTimeStamp: string
  path: string
-  inUse: boolean
-  consumed: boolean
-  completed: boolean
-  crashed?: string
+  expiresAfterMins?: { mins: number; used: boolean }
+  failureReason?: string
 }
--- a/api/src/types/system/process.d.ts
+++ b/api/src/types/system/process.d.ts
@@ -2,10 +2,14 @@ declare namespace NodeJS {
  export interface Process {
    sasLoc?: string
    nodeLoc?: string
+    pythonLoc?: string
+    rLoc?: string
    driveLoc: string
+    sasjsRoot: string
    logsLoc: string
+    logsUUID: string
+    sessionController?: import('../../controllers/internal').SessionController
    sasSessionController?: import('../../controllers/internal').SASSessionController
-    jsSessionController?: import('../../controllers/internal').JSSessionController
    appStreamConfig: import('../').AppStreamConfig
    logger: import('@sasjs/utils/logger').Logger
    runTimes: import('../../utils').RunTimeType[]
--- a/api/src/utils/appStreamConfig.ts
+++ b/api/src/utils/appStreamConfig.ts
@@ -36,7 +36,7 @@ export const loadAppStreamConfig = async () => {
    )
  }

-  console.log('App Stream Config loaded!')
+  process.logger.info('App Stream Config loaded!')
 }

 export const addEntryToAppStreamConfig = (
--- a/api/src/utils/connectDB.ts
+++ b/api/src/utils/connectDB.ts
@@ -8,6 +8,6 @@ export const connectDB = async () => {
    throw new Error('Unable to connect to DB!')
  }

-  console.log('Connected to DB!')
+  process.logger.success('Connected to DB!')
  return seedDB()
 }
--- a/api/src/utils/copySASjsCore.ts
+++ b/api/src/utils/copySASjsCore.ts
@@ -12,7 +12,7 @@ import { getMacrosFolder, sasJSCoreMacros, sasJSCoreMacrosInfo } from '.'
 export const copySASjsCore = async () => {
  if (process.env.NODE_ENV === 'test') return

-  console.log('Copying Macros from container to drive(tmp).')
+  process.logger.log('Copying Macros from container to drive.')

  const macrosDrivePath = getMacrosFolder()

@@ -30,5 +30,5 @@ export const copySASjsCore = async () => {
    await createFile(macroFileDestPath, macroContent)
  })

-  console.log('Macros Drive Path:', macrosDrivePath)
+  process.logger.info('Macros Drive Path:', macrosDrivePath)
 }
--- a/api/src/utils/createWeboutSasFile.ts
+++ b/api/src/utils/createWeboutSasFile.ts
@@ -0,0 +1,18 @@
+import path from 'path'
+import { createFile } from '@sasjs/utils'
+import { getMacrosFolder } from './file'
+
+const fileContent = `%macro webout(action,ds,dslabel=,fmt=,missing=NULL,showmeta=NO,maxobs=MAX);
+  %ms_webout(&action,ds=&ds,dslabel=&dslabel,fmt=&fmt
+    ,missing=&missing
+    ,showmeta=&showmeta
+    ,maxobs=&maxobs
+  )  
+%mend;`
+
+export const createWeboutSasFile = async () => {
+  const macrosDrivePath = getMacrosFolder()
+  process.logger.log(`Creating webout.sas at ${macrosDrivePath}`)
+  const filePath = path.join(macrosDrivePath, 'webout.sas')
+  await createFile(filePath, fileContent)
+}
--- a/api/src/utils/crypto.ts
+++ b/api/src/utils/crypto.ts
@@ -0,0 +1,4 @@
+import { randomBytes } from 'crypto'
+
+export const randomBytesHexString = (bytesCount: number) =>
+  randomBytes(bytesCount).toString('hex')
--- a/api/src/utils/file.ts
+++ b/api/src/utils/file.ts
@@ -10,7 +10,7 @@ export const sysInitCompiledPath = path.join(
  'systemInitCompiled.sas'
 )

-export const sasJSCoreMacros = path.join(apiRoot, 'sasjscore')
+export const sasJSCoreMacros = path.join(apiRoot, 'sas', 'sasautos')
 export const sasJSCoreMacrosInfo = path.join(sasJSCoreMacros, '.macrolist')

 export const getWebBuildFolder = () => path.join(codebaseRoot, 'web', 'build')
@@ -20,19 +20,24 @@ export const getSasjsHomeFolder = () => path.join(homedir(), '.sasjs-server')
 export const getDesktopUserAutoExecPath = () =>
  path.join(getSasjsHomeFolder(), 'user-autoexec.sas')

-export const getSasjsRootFolder = () => process.driveLoc
+export const getSasjsRootFolder = () => process.sasjsRoot
+
+export const getSasjsDriveFolder = () => process.driveLoc

 export const getLogFolder = () => process.logsLoc

 export const getAppStreamConfigPath = () =>
-  path.join(getSasjsRootFolder(), 'appStreamConfig.json')
+  path.join(getSasjsDriveFolder(), 'appStreamConfig.json')

 export const getMacrosFolder = () =>
-  path.join(getSasjsRootFolder(), 'sasjscore')
+  path.join(getSasjsDriveFolder(), 'sas', 'sasautos')
+
+export const getPackagesFolder = () =>
+  path.join(getSasjsDriveFolder(), 'sas', 'sas_packages')

 export const getUploadsFolder = () => path.join(getSasjsRootFolder(), 'uploads')

-export const getFilesFolder = () => path.join(getSasjsRootFolder(), 'files')
+export const getFilesFolder = () => path.join(getSasjsDriveFolder(), 'files')

 export const getWeboutFolder = () => path.join(getSasjsRootFolder(), 'webouts')

--- a/api/src/utils/generateAccessToken.ts
+++ b/api/src/utils/generateAccessToken.ts
@@ -1,7 +1,8 @@
 import jwt from 'jsonwebtoken'
 import { InfoJWT } from '../types'
+import { NUMBER_OF_SECONDS_IN_A_DAY } from '../model/Client'

-export const generateAccessToken = (data: InfoJWT) =>
+export const generateAccessToken = (data: InfoJWT, expiry?: number) =>
  jwt.sign(data, process.secrets.ACCESS_TOKEN_SECRET, {
-    expiresIn: '1day'
+    expiresIn: expiry ? expiry : NUMBER_OF_SECONDS_IN_A_DAY
  })
--- a/api/src/utils/generateRefreshToken.ts
+++ b/api/src/utils/generateRefreshToken.ts
@@ -1,7 +1,8 @@
 import jwt from 'jsonwebtoken'
 import { InfoJWT } from '../types'
+import { NUMBER_OF_SECONDS_IN_A_DAY } from '../model/Client'

-export const generateRefreshToken = (data: InfoJWT) =>
+export const generateRefreshToken = (data: InfoJWT, expiry?: number) =>
  jwt.sign(data, process.secrets.REFRESH_TOKEN_SECRET, {
-    expiresIn: '30 days'
+    expiresIn: expiry ? expiry : NUMBER_OF_SECONDS_IN_A_DAY
  })
--- a/api/src/utils/getAuthorizedRoutes.ts
+++ b/api/src/utils/getAuthorizedRoutes.ts
@@ -1,7 +1,8 @@
 import { Request } from 'express'

+export const TopLevelRoutes = ['/AppStream', '/SASjsApi']
+
 const StaticAuthorizedRoutes = [
-  '/AppStream',
  '/SASjsApi/code/execute',
  '/SASjsApi/stp/execute',
  '/SASjsApi/drive/deploy',
@@ -15,7 +16,7 @@ const StaticAuthorizedRoutes = [
 export const getAuthorizedRoutes = () => {
  const streamingApps = Object.keys(process.appStreamConfig)
  const streamingAppsRoutes = streamingApps.map((app) => `/AppStream/${app}`)
-  return [...StaticAuthorizedRoutes, ...streamingAppsRoutes]
+  return [...TopLevelRoutes, ...StaticAuthorizedRoutes, ...streamingAppsRoutes]
 }

 export const getPath = (req: Request) => {
--- a/api/src/utils/getCertificates.ts
+++ b/api/src/utils/getCertificates.ts
@@ -10,9 +10,9 @@ export const getCertificates = async () => {
  const certPath = CERT_CHAIN ?? (await getFileInput('Certificate Chain (PEM)'))
  const caPath = CA_ROOT

-  console.log('keyPath: ', keyPath)
-  console.log('certPath: ', certPath)
-  if (caPath) console.log('caPath: ', caPath)
+  process.logger.info('keyPath: ', keyPath)
+  process.logger.info('certPath: ', certPath)
+  if (caPath) process.logger.info('caPath: ', caPath)

  const key = await readFile(keyPath)
  const cert = await readFile(certPath)
--- a/api/src/utils/getDesktopFields.ts
+++ b/api/src/utils/getDesktopFields.ts
@@ -4,9 +4,9 @@ import { createFolder, fileExists, folderExists, isWindows } from '@sasjs/utils'
 import { RunTimeType } from './verifyEnvVariables'

 export const getDesktopFields = async () => {
-  const { SAS_PATH, NODE_PATH } = process.env
+  const { SAS_PATH, NODE_PATH, PYTHON_PATH, R_PATH } = process.env

-  let sasLoc, nodeLoc
+  let sasLoc, nodeLoc, pythonLoc, rLoc

  if (process.runTimes.includes(RunTimeType.SAS)) {
    sasLoc = SAS_PATH ?? (await getSASLocation())
@@ -16,7 +16,15 @@ export const getDesktopFields = async () => {
    nodeLoc = NODE_PATH ?? (await getNodeLocation())
  }

-  return { sasLoc, nodeLoc }
+  if (process.runTimes.includes(RunTimeType.PY)) {
+    pythonLoc = PYTHON_PATH ?? (await getPythonLocation())
+  }
+
+  if (process.runTimes.includes(RunTimeType.R)) {
+    rLoc = R_PATH ?? (await getRLocation())
+  }
+
+  return { sasLoc, nodeLoc, pythonLoc, rLoc }
 }

 const getDriveLocation = async (): Promise<string> => {
@@ -91,3 +99,47 @@ const getNodeLocation = async (): Promise<string> => {

  return targetName
 }
+
+const getPythonLocation = async (): Promise<string> => {
+  const validator = async (filePath: string) => {
+    if (!filePath) return 'Path to Python executable is required.'
+
+    if (!(await fileExists(filePath))) {
+      return 'No file found at provided path.'
+    }
+
+    return true
+  }
+
+  const defaultLocation = isWindows() ? 'C:\\Python' : '/usr/bin/python'
+
+  const targetName = await getString(
+    'Please enter full path to a Python executable: ',
+    validator,
+    defaultLocation
+  )
+
+  return targetName
+}
+
+const getRLocation = async (): Promise<string> => {
+  const validator = async (filePath: string) => {
+    if (!filePath) return 'Path to R executable is required.'
+
+    if (!(await fileExists(filePath))) {
+      return 'No file found at provided path.'
+    }
+
+    return true
+  }
+
+  const defaultLocation = isWindows() ? 'C:\\Rscript' : '/usr/bin/Rscript'
+
+  const targetName = await getString(
+    'Please enter full path to a R executable: ',
+    validator,
+    defaultLocation
+  )
+
+  return targetName
+}
--- a/api/src/utils/getPreProgramVariables.ts
+++ b/api/src/utils/getPreProgramVariables.ts
@@ -7,7 +7,6 @@ export const getPreProgramVariables = (req: Request): PreProgramVars => {
  const { user, accessToken } = req
  const csrfToken = req.headers['x-xsrf-token'] || req.cookies['XSRF-TOKEN']
  const sessionId = req.cookies['connect.sid']
-  const { _csrf } = req.cookies

  const httpHeaders: string[] = []

@@ -16,14 +15,15 @@ export const getPreProgramVariables = (req: Request): PreProgramVars => {

  const cookies: string[] = []
  if (sessionId) cookies.push(`connect.sid=${sessionId}`)
-  if (_csrf) cookies.push(`_csrf=${_csrf}`)

  if (cookies.length) httpHeaders.push(`cookie: ${cookies.join('; ')}`)

+  //In desktop mode when mocking mode is enabled, user was undefined.
+  //So this is workaround.
  return {
-    username: user!.username,
-    userId: user!.userId,
-    displayName: user!.displayName,
+    username: user ? user.username : 'demo',
+    userId: user ? user.userId : 'demoId',
+    displayName: user ? user.displayName : 'demo',
    serverUrl: protocol + host,
    httpHeaders
  }
--- a/api/src/utils/getRunTimeAndFilePath.ts
+++ b/api/src/utils/getRunTimeAndFilePath.ts
@@ -4,8 +4,8 @@ import { getFilesFolder } from './file'
 import { RunTimeType } from '.'

 export const getRunTimeAndFilePath = async (programPath: string) => {
-  const ext = path.extname(programPath)
-  // If programPath (_program) is provided with a ".sas" or ".js" extension
+  const ext = path.extname(programPath).toLowerCase()
+  // If programPath (_program) is provided with a ".sas", ".js", ".py" or ".r" extension
  // we should use that extension to determine the appropriate runTime
  if (ext && Object.values(RunTimeType).includes(ext.slice(1) as RunTimeType)) {
    const runTime = ext.slice(1)
--- a/api/src/utils/getTokensFromDB.ts
+++ b/api/src/utils/getTokensFromDB.ts
@@ -0,0 +1,55 @@
+import jwt from 'jsonwebtoken'
+import User from '../model/User'
+
+const isValidToken = async (
+  token: string,
+  key: string,
+  userId: string,
+  clientId: string
+) => {
+  const promise = new Promise<boolean>((resolve, reject) =>
+    jwt.verify(token, key, (err, decoded) => {
+      if (err) return reject(false)
+
+      if (decoded?.userId === userId && decoded?.clientId === clientId) {
+        return resolve(true)
+      }
+
+      return reject(false)
+    })
+  )
+
+  return await promise.then(() => true).catch(() => false)
+}
+
+export const getTokensFromDB = async (userId: string, clientId: string) => {
+  const user = await User.findOne({ _id: userId })
+  if (!user) return
+
+  const currentTokenObj = user.tokens.find(
+    (tokenObj: any) => tokenObj.clientId === clientId
+  )
+
+  if (currentTokenObj) {
+    const accessToken = currentTokenObj.accessToken
+    const refreshToken = currentTokenObj.refreshToken
+
+    const isValidAccessToken = await isValidToken(
+      accessToken,
+      process.secrets.ACCESS_TOKEN_SECRET,
+      userId,
+      clientId
+    )
+
+    const isValidRefreshToken = await isValidToken(
+      refreshToken,
+      process.secrets.REFRESH_TOKEN_SECRET,
+      userId,
+      clientId
+    )
+
+    if (isValidAccessToken && isValidRefreshToken) {
+      return { accessToken, refreshToken }
+    }
+  }
+}
--- a/api/src/utils/index.ts
+++ b/api/src/utils/index.ts
@@ -1,6 +1,8 @@
 export * from './appStreamConfig'
 export * from './connectDB'
 export * from './copySASjsCore'
+export * from './createWeboutSasFile'
+export * from './crypto'
 export * from './desktopAutoExec'
 export * from './extractHeaders'
 export * from './extractName'
@@ -14,17 +16,21 @@ export * from './getDesktopFields'
 export * from './getPreProgramVariables'
 export * from './getRunTimeAndFilePath'
 export * from './getServerUrl'
+export * from './getTokensFromDB'
 export * from './instantiateLogger'
 export * from './isDebugOn'
 export * from './isPublicRoute'
-export * from './zipped'
+export * from './ldapClient'
 export * from './parseLogToArray'
+export * from './rateLimiter'
 export * from './removeTokensInDB'
 export * from './saveTokensInDB'
 export * from './seedDB'
 export * from './setProcessVariables'
 export * from './setupFolders'
+export * from './setupUserAutoExec'
 export * from './upload'
 export * from './validation'
 export * from './verifyEnvVariables'
 export * from './verifyTokenInDB'
+export * from './zipped'
--- a/api/src/utils/isPublicRoute.ts
+++ b/api/src/utils/isPublicRoute.ts
@@ -22,10 +22,11 @@ export const isPublicRoute = async (req: Request): Promise<boolean> => {
 }

 export const publicUser: RequestUser = {
-  userId: 0,
+  userId: 'public_user_id',
  clientId: 'public_app',
  username: 'publicUser',
  displayName: 'Public User',
  isAdmin: false,
-  isActive: true
+  isActive: true,
+  needsToUpdatePassword: false
 }
--- a/api/src/utils/ldapClient.ts
+++ b/api/src/utils/ldapClient.ts
@@ -0,0 +1,163 @@
+import { createClient, Client } from 'ldapjs'
+import { ReturnCode } from './verifyEnvVariables'
+
+export interface LDAPUser {
+  uid: string
+  username: string
+  displayName: string
+}
+
+export interface LDAPGroup {
+  name: string
+  members: string[]
+}
+
+export class LDAPClient {
+  private ldapClient: Client
+  private static classInstance: LDAPClient | null
+
+  private constructor() {
+    process.logger.info('creating LDAP client')
+    this.ldapClient = createClient({ url: process.env.LDAP_URL as string })
+
+    this.ldapClient.on('error', (error) => {
+      process.logger.error(error.message)
+    })
+  }
+
+  static async init() {
+    if (!LDAPClient.classInstance) {
+      LDAPClient.classInstance = new LDAPClient()
+
+      process.logger.info('binding LDAP client')
+      await LDAPClient.classInstance.bind().catch((error) => {
+        LDAPClient.classInstance = null
+        throw error
+      })
+    }
+    return LDAPClient.classInstance
+  }
+
+  private async bind() {
+    const promise = new Promise<void>((resolve, reject) => {
+      const { LDAP_BIND_DN, LDAP_BIND_PASSWORD } = process.env
+      this.ldapClient.bind(LDAP_BIND_DN!, LDAP_BIND_PASSWORD!, (error) => {
+        if (error) reject(error)
+
+        resolve()
+      })
+    })
+
+    await promise.catch((error) => {
+      throw new Error(error.message)
+    })
+  }
+
+  async getAllLDAPUsers() {
+    const promise = new Promise<LDAPUser[]>((resolve, reject) => {
+      const { LDAP_USERS_BASE_DN } = process.env
+      const filter = `(objectClass=*)`
+
+      this.ldapClient.search(
+        LDAP_USERS_BASE_DN!,
+        { filter },
+        (error, result) => {
+          if (error) reject(error)
+
+          const users: LDAPUser[] = []
+
+          result.on('searchEntry', (entry) => {
+            users.push({
+              uid: entry.object.uid as string,
+              username: entry.object.username as string,
+              displayName: entry.object.displayname as string
+            })
+          })
+
+          result.on('end', (result) => {
+            resolve(users)
+          })
+        }
+      )
+    })
+
+    return await promise
+      .then((res) => res)
+      .catch((error) => {
+        throw new Error(error.message)
+      })
+  }
+
+  async getAllLDAPGroups() {
+    const promise = new Promise<LDAPGroup[]>((resolve, reject) => {
+      const { LDAP_GROUPS_BASE_DN } = process.env
+
+      this.ldapClient.search(LDAP_GROUPS_BASE_DN!, {}, (error, result) => {
+        if (error) reject(error)
+
+        const groups: LDAPGroup[] = []
+
+        result.on('searchEntry', (entry) => {
+          const members =
+            typeof entry.object.memberuid === 'string'
+              ? [entry.object.memberuid]
+              : entry.object.memberuid
+          groups.push({
+            name: entry.object.cn as string,
+            members
+          })
+        })
+
+        result.on('end', (result) => {
+          resolve(groups)
+        })
+      })
+    })
+
+    return await promise
+      .then((res) => res)
+      .catch((error) => {
+        throw new Error(error.message)
+      })
+  }
+
+  async verifyUser(username: string, password: string) {
+    const promise = new Promise<boolean>((resolve, reject) => {
+      const { LDAP_USERS_BASE_DN } = process.env
+      const filter = `(username=${username})`
+
+      this.ldapClient.search(
+        LDAP_USERS_BASE_DN!,
+        { filter },
+        (error, result) => {
+          if (error) reject(error)
+
+          const items: any = []
+
+          result.on('searchEntry', (entry) => {
+            items.push(entry.object)
+          })
+
+          result.on('end', (result) => {
+            if (result?.status !== 0 || items.length === 0) return reject()
+
+            // pick the first found
+            const user = items[0]
+
+            this.ldapClient.bind(user.dn, password, (error) => {
+              if (error) return reject(error)
+
+              resolve(true)
+            })
+          })
+        }
+      )
+    })
+
+    return await promise
+      .then(() => true)
+      .catch(() => {
+        throw new Error('Invalid password.')
+      })
+  }
+}
--- a/api/src/utils/parseHelmetConfig.ts
+++ b/api/src/utils/parseHelmetConfig.ts
@@ -22,12 +22,12 @@ export const getEnvCSPDirectives = (
      try {
        cspConfigJson = JSON.parse(file)
      } catch (e) {
-        console.error(
+        process.logger.error(
          'Parsing Content Security Policy JSON config failed. Make sure it is valid json'
        )
      }
    } catch (e) {
-      console.error('Error reading HELMET CSP config file', e)
+      process.logger.error('Error reading HELMET CSP config file', e)
    }
  }

--- a/api/src/utils/rateLimiter.ts
+++ b/api/src/utils/rateLimiter.ts
@@ -0,0 +1,123 @@
+import { RateLimiterMemory } from 'rate-limiter-flexible'
+
+export class RateLimiter {
+  private static instance: RateLimiter
+  private limiterSlowBruteByIP: RateLimiterMemory
+  private limiterConsecutiveFailsByUsernameAndIP: RateLimiterMemory
+  private maxWrongAttemptsByIpPerDay: number
+  private maxConsecutiveFailsByUsernameAndIp: number
+
+  private constructor() {
+    const {
+      MAX_WRONG_ATTEMPTS_BY_IP_PER_DAY,
+      MAX_CONSECUTIVE_FAILS_BY_USERNAME_AND_IP
+    } = process.env
+
+    this.maxWrongAttemptsByIpPerDay = Number(MAX_WRONG_ATTEMPTS_BY_IP_PER_DAY)
+    this.maxConsecutiveFailsByUsernameAndIp = Number(
+      MAX_CONSECUTIVE_FAILS_BY_USERNAME_AND_IP
+    )
+
+    this.limiterSlowBruteByIP = new RateLimiterMemory({
+      keyPrefix: 'login_fail_ip_per_day',
+      points: this.maxWrongAttemptsByIpPerDay,
+      duration: 60 * 60 * 24,
+      blockDuration: 60 * 60 * 24 // Block for 1 day
+    })
+
+    this.limiterConsecutiveFailsByUsernameAndIP = new RateLimiterMemory({
+      keyPrefix: 'login_fail_consecutive_username_and_ip',
+      points: this.maxConsecutiveFailsByUsernameAndIp,
+      duration: 60 * 60 * 24 * 24, // Store number for 24 days since first fail
+      blockDuration: 60 * 60 // Block for 1 hour
+    })
+  }
+
+  public static getInstance() {
+    if (!RateLimiter.instance) {
+      RateLimiter.instance = new RateLimiter()
+    }
+    return RateLimiter.instance
+  }
+
+  private getUsernameIPKey(ip: string, username: string) {
+    return `${username}_${ip}`
+  }
+
+  /**
+   *  This method checks for brute force attack
+   *  If attack is detected then returns the number of seconds after which user can make another request
+   *  Else returns 0
+   */
+  public async check(ip: string, username: string) {
+    const usernameIPkey = this.getUsernameIPKey(ip, username)
+
+    const [resSlowByIP, resUsernameAndIP] = await Promise.all([
+      this.limiterSlowBruteByIP.get(ip),
+      this.limiterConsecutiveFailsByUsernameAndIP.get(usernameIPkey)
+    ])
+
+    // NOTE: To make use of blockDuration option, comparison in both following if statements should have greater than symbol
+    //       otherwise, blockDuration option will not work
+    // For more info see: https://github.com/animir/node-rate-limiter-flexible/wiki/Options#blockduration
+
+    // Check if IP or Username + IP is already blocked
+    if (
+      resSlowByIP !== null &&
+      resSlowByIP.consumedPoints > this.maxWrongAttemptsByIpPerDay
+    ) {
+      return Math.ceil(resSlowByIP.msBeforeNext / 1000)
+    } else if (
+      resUsernameAndIP !== null &&
+      resUsernameAndIP.consumedPoints > this.maxConsecutiveFailsByUsernameAndIp
+    ) {
+      return Math.ceil(resUsernameAndIP.msBeforeNext / 1000)
+    }
+
+    return 0
+  }
+
+  /**
+   * Consume 1 point from limiters on wrong attempt and block if limits reached
+   * If limit is reached, return the number of seconds after which user can make another request
+   * Else return 0
+   */
+  public async consume(ip: string, username?: string) {
+    try {
+      const promises = [this.limiterSlowBruteByIP.consume(ip)]
+      if (username) {
+        const usernameIPkey = this.getUsernameIPKey(ip, username)
+
+        // Count failed attempts by Username + IP only for registered users
+        promises.push(
+          this.limiterConsecutiveFailsByUsernameAndIP.consume(usernameIPkey)
+        )
+      }
+
+      await Promise.all(promises)
+    } catch (rlRejected: any) {
+      if (rlRejected instanceof Error) {
+        throw rlRejected
+      } else {
+        // based upon the implementation of consume method of RateLimiterMemory
+        // we are sure that rlRejected will contain msBeforeNext
+        // for further reference,
+        // see https://github.com/animir/node-rate-limiter-flexible/wiki/Overall-example#login-endpoint-protection
+        // or see https://github.com/animir/node-rate-limiter-flexible#ratelimiterres-object
+        return Math.ceil(rlRejected.msBeforeNext / 1000)
+      }
+    }
+
+    return 0
+  }
+
+  public async resetOnSuccess(ip: string, username: string) {
+    const usernameIPkey = this.getUsernameIPKey(ip, username)
+    const resUsernameAndIP =
+      await this.limiterConsecutiveFailsByUsernameAndIP.get(usernameIPkey)
+
+    if (resUsernameAndIP !== null && resUsernameAndIP.consumedPoints > 0) {
+      await this.limiterConsecutiveFailsByUsernameAndIP.delete(usernameIPkey)
+    }
+  }
+}
--- a/api/src/utils/removeTokensInDB.ts
+++ b/api/src/utils/removeTokensInDB.ts
@@ -1,7 +1,7 @@
 import User from '../model/User'

-export const removeTokensInDB = async (userId: number, clientId: string) => {
-  const user = await User.findOne({ id: userId })
+export const removeTokensInDB = async (userId: string, clientId: string) => {
+  const user = await User.findOne({ _id: userId })
  if (!user) return

  const tokenObjIndex = user.tokens.findIndex(
--- a/Show More
+++ b/Show More