chore(release): 0.11.4 [skip ci]

## [0.11.4](https://github.com/sasjs/server/compare/v0.11.3...v0.11.4) (2022-07-19) ### Bug Fixes * **security:** missing cookie flags are added ([526402f](526402fd73))
Merge pull request #234 from sasjs/issue147
2025-12-10 11:24:35 +00:00 · 2022-07-19 21:06:05 +00:00 · 2022-07-19 22:02:05 +01:00 · 2022-07-20 01:40:31 +05:00 · 2022-07-19 14:50:19 +00:00 · 2022-07-19 15:46:18 +01:00
115 changed files with 7153 additions and 1966 deletions
--- a/.all-contributorsrc
+++ b/.all-contributorsrc
@@ -0,0 +1,84 @@
+{
+  "projectName": "server",
+  "projectOwner": "sasjs",
+  "repoType": "github",
+  "repoHost": "https://github.com",
+  "files": [
+    "README.md"
+  ],
+  "imageSize": 100,
+  "commit": true,
+  "commitConvention": "angular",
+  "contributors": [
+    {
+      "login": "saadjutt01",
+      "name": "Saad Jutt",
+      "avatar_url": "https://avatars.githubusercontent.com/u/8914650?v=4",
+      "profile": "https://github.com/saadjutt01",
+      "contributions": [
+        "code",
+        "test"
+      ]
+    },
+    {
+      "login": "sabhas",
+      "name": "Sabir Hassan",
+      "avatar_url": "https://avatars.githubusercontent.com/u/82647447?v=4",
+      "profile": "https://github.com/sabhas",
+      "contributions": [
+        "code",
+        "test"
+      ]
+    },
+    {
+      "login": "YuryShkoda",
+      "name": "Yury Shkoda",
+      "avatar_url": "https://avatars.githubusercontent.com/u/25773492?v=4",
+      "profile": "https://www.erudicat.com/",
+      "contributions": [
+        "code",
+        "test"
+      ]
+    },
+    {
+      "login": "medjedovicm",
+      "name": "Mihajlo Medjedovic",
+      "avatar_url": "https://avatars.githubusercontent.com/u/18329105?v=4",
+      "profile": "https://github.com/medjedovicm",
+      "contributions": [
+        "code",
+        "test"
+      ]
+    },
+    {
+      "login": "allanbowe",
+      "name": "Allan Bowe",
+      "avatar_url": "https://avatars.githubusercontent.com/u/4420615?v=4",
+      "profile": "https://4gl.io/",
+      "contributions": [
+        "code",
+        "doc"
+      ]
+    },
+    {
+      "login": "VladislavParhomchik",
+      "name": "Vladislav Parhomchik",
+      "avatar_url": "https://avatars.githubusercontent.com/u/83717836?v=4",
+      "profile": "https://github.com/VladislavParhomchik",
+      "contributions": [
+        "test"
+      ]
+    },
+    {
+      "login": "kknapen",
+      "name": "Koen Knapen",
+      "avatar_url": "https://avatars.githubusercontent.com/u/78609432?v=4",
+      "profile": "https://github.com/kknapen",
+      "contributions": [
+        "userTesting"
+      ]
+    }
+  ],
+  "contributorsPerLine": 7,
+  "skipCi": true
+}
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -0,0 +1,3 @@
+# These are supported funding model platforms
+
+github: [sasjs]
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -55,6 +55,9 @@ jobs:
          REFRESH_TOKEN_SECRET: ${{secrets.REFRESH_TOKEN_SECRET}}
          AUTH_CODE_SECRET: ${{secrets.AUTH_CODE_SECRET}}
          SESSION_SECRET: ${{secrets.SESSION_SECRET}}
+          RUN_TIMES: 'sas,js'
+          SAS_PATH: '/some/path/to/sas'
+          NODE_PATH: '/some/path/to/node'

      - name: Build Package
        working-directory: ./api
--- a/.nvmrc
+++ b/.nvmrc
@@ -1 +1 @@
-v16.14.0
+v16.15.1
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,293 @@
+## [0.11.4](https://github.com/sasjs/server/compare/v0.11.3...v0.11.4) (2022-07-19)
+
+
+### Bug Fixes
+
+* **security:** missing cookie flags are added ([526402f](https://github.com/sasjs/server/commit/526402fd73407ee4fa2d31092111a7e6a1741487))
+
+## [0.11.3](https://github.com/sasjs/server/compare/v0.11.2...v0.11.3) (2022-07-19)
+
+
+### Bug Fixes
+
+* filePath fix in code.js file for windows ([2995121](https://github.com/sasjs/server/commit/299512135d77c2ac9e34853cf35aee6f2e1d4da4))
+
+## [0.11.2](https://github.com/sasjs/server/compare/v0.11.1...v0.11.2) (2022-07-18)
+
+
+### Bug Fixes
+
+* apply icon option only for sas.exe ([d2ddd8a](https://github.com/sasjs/server/commit/d2ddd8aacadfdd143026881f2c6ae8c6b277610a))
+
+## [0.11.1](https://github.com/sasjs/server/compare/v0.11.0...v0.11.1) (2022-07-18)
+
+
+### Bug Fixes
+
+* bank operator ([aa02741](https://github.com/sasjs/server/commit/aa027414ed3ce51f1014ef36c4191e064b2e963d))
+* ensuring nosplash option only applies for sas.exe ([65e6de9](https://github.com/sasjs/server/commit/65e6de966383fe49a919b1f901d77c7f1e402c9b)), closes [#229](https://github.com/sasjs/server/issues/229)
+
+# [0.11.0](https://github.com/sasjs/server/compare/v0.10.0...v0.11.0) (2022-07-16)
+
+
+### Bug Fixes
+
+* **logs:** logs location is configurable ([e024a92](https://github.com/sasjs/server/commit/e024a92f165990e08db8aa26ee326dbcb30e2e46))
+
+
+### Features
+
+* **logs:** logs to file with rotating + code split into files ([92fda18](https://github.com/sasjs/server/commit/92fda183f3f0f3956b7c791669eb8dd52c389d1b))
+
+# [0.10.0](https://github.com/sasjs/server/compare/v0.9.0...v0.10.0) (2022-07-06)
+
+
+### Bug Fixes
+
+* add authorize middleware for appStreams ([e54a09d](https://github.com/sasjs/server/commit/e54a09db19ec8690e54a40760531a4e06d250974))
+* add isAdmin attribute to return response of get session and login requests ([bdf63df](https://github.com/sasjs/server/commit/bdf63df1d915892486005ec904807749786b1c0c))
+* add permission authorization middleware to only specific routes ([f3dfc70](https://github.com/sasjs/server/commit/f3dfc7083fbfb4b447521341b1a86730fb90b4c0))
+* bumping core and running lint ([a2d1396](https://github.com/sasjs/server/commit/a2d13960578014312d2cb5e03145bfd1829d99ec))
+* controller fixed for deleting permission ([b5f595a](https://github.com/sasjs/server/commit/b5f595a25c50550d62482409353c7629c5a5c3e0))
+* do not show admin users in add permission modal ([a75edba](https://github.com/sasjs/server/commit/a75edbaa327ec2af49523c13996ac283061da7d8))
+* export GroupResponse interface ([38a7db8](https://github.com/sasjs/server/commit/38a7db8514de0acd94d74ba96bc1efb732add30c))
+* move permission filter modal to separate file and icons for different actions ([d000f75](https://github.com/sasjs/server/commit/d000f7508f6d7384afffafee4179151fca802ca8))
+* principalId type changed to  number from any ([4fcc191](https://github.com/sasjs/server/commit/4fcc191ce9edc7e4dcd8821fb8019f4eea5db4ea))
+* remove clientId from principal types ([0781ddd](https://github.com/sasjs/server/commit/0781ddd64e3b5e5ca39647bb4e4e1a9332a0f4f8))
+* remove duplicates principals from permission filter modal ([5b319f9](https://github.com/sasjs/server/commit/5b319f9ad1f941b306db6b9473a2128b2e42bf76))
+* show loading spinner in studio while executing code ([496247d](https://github.com/sasjs/server/commit/496247d0b9975097a008cf4d3a999d77648fd930))
+* show permission component only in server mode ([f863b81](https://github.com/sasjs/server/commit/f863b81a7d40a1296a061ec93946f204382af2c3))
+* update permission model ([39fc908](https://github.com/sasjs/server/commit/39fc908de1945f2aaea18d14e6bce703f6bf0c06))
+* update permission response ([e516b77](https://github.com/sasjs/server/commit/e516b7716da5ff7e23350a5f77cfa073b1171175))
+* **web:** only admin should be able to add, update or delete permission ([be8635c](https://github.com/sasjs/server/commit/be8635ccc5eb34c3f0a5951c8a0421292ef69c97))
+
+
+### Features
+
+* add api endpoint for deleting permission ([0171344](https://github.com/sasjs/server/commit/01713440a4fa661b76368785c0ca731f096ac70a))
+* add api endpoint for updating permission setting ([540f54f](https://github.com/sasjs/server/commit/540f54fb77b364822da7889dbe75c02242f48a59))
+* add authorize middleware for validating permissions ([7d916ec](https://github.com/sasjs/server/commit/7d916ec3e9ef579dde1b73015715cd01098c2018))
+* add basic UI for settings and permissions ([5652325](https://github.com/sasjs/server/commit/56523254525a66e756196e90b39a2b8cdadc1518))
+* add documentation link under usename dropdown menu ([eeb63b3](https://github.com/sasjs/server/commit/eeb63b330c292afcdd5c8f006882b224c4235068))
+* add permission model ([6bea1f7](https://github.com/sasjs/server/commit/6bea1f76668ddb070ad95b3e02c31238af67c346))
+* add UI for updating permission ([e8c21a4](https://github.com/sasjs/server/commit/e8c21a43b215f5fced0463b70747cda1191a4e01))
+* add validation for registering permission ([e5200c1](https://github.com/sasjs/server/commit/e5200c1000903185dfad9ee49c99583e473c4388))
+* add, remove and update permissions from web component ([97ecfdc](https://github.com/sasjs/server/commit/97ecfdc95563c72dbdecaebcb504e5194250a763))
+* added get authorizedRoutes api endpoint ([b10e932](https://github.com/sasjs/server/commit/b10e9326058193dd65a57fab2d2f05b7b06096e7))
+* created modal for adding permission ([1413b18](https://github.com/sasjs/server/commit/1413b1850838ecc988ab289da4541bde36a9a346))
+* defined register permission and get all permissions api endpoints ([1103ffe](https://github.com/sasjs/server/commit/1103ffe07b88496967cb03683b08f058ca3bbb9f))
+* update swagger docs ([797c2bc](https://github.com/sasjs/server/commit/797c2bcc39005a05a995be15a150d584fecae259))
+
+# [0.9.0](https://github.com/sasjs/server/compare/v0.8.3...v0.9.0) (2022-07-03)
+
+
+### Features
+
+* removed secrets from env variables ([9c3da56](https://github.com/sasjs/server/commit/9c3da56901672a818f54267f9defc9f4701ab7fb))
+
+## [0.8.3](https://github.com/sasjs/server/compare/v0.8.2...v0.8.3) (2022-07-02)
+
+
+### Bug Fixes
+
+* **deploy:** extract first json from zip file ([e290751](https://github.com/sasjs/server/commit/e290751c872d24009482871a8c398e834357dcde))
+
+## [0.8.2](https://github.com/sasjs/server/compare/v0.8.1...v0.8.2) (2022-06-22)
+
+
+### Bug Fixes
+
+* getRuntimeAndFilePath function to handle the scenarion when path is provided with an extension other than runtimes ([5cc85b5](https://github.com/sasjs/server/commit/5cc85b57f80b13296156811fe966d7b37d45f213))
+
+## [0.8.1](https://github.com/sasjs/server/compare/v0.8.0...v0.8.1) (2022-06-21)
+
+
+### Bug Fixes
+
+* make CA_ROOT optional in getCertificates method ([1b5859e](https://github.com/sasjs/server/commit/1b5859ee37ae73c419115b9debfd5141a79733de))
+* update /logout route to /SASLogon/logout ([65380be](https://github.com/sasjs/server/commit/65380be2f3945bae559f1749064845b514447a53))
+
+# [0.8.0](https://github.com/sasjs/server/compare/v0.7.3...v0.8.0) (2022-06-21)
+
+
+### Features
+
+* **certs:** ENV variables updated and set CA Root for HTTPS server ([2119e9d](https://github.com/sasjs/server/commit/2119e9de9ab1e5ce1222658f554ac74f4f35cf4d))
+
+## [0.7.3](https://github.com/sasjs/server/compare/v0.7.2...v0.7.3) (2022-06-20)
+
+
+### Bug Fixes
+
+* path descriptions and defaults ([5d5d6ce](https://github.com/sasjs/server/commit/5d5d6ce3265a43af2e22bcd38cda54fafaf7b3ef))
+
+## [0.7.2](https://github.com/sasjs/server/compare/v0.7.1...v0.7.2) (2022-06-20)
+
+
+### Bug Fixes
+
+* removing UTF-8 options from commandline.  There appears to be no reliable way to enforce ([f6dc74f](https://github.com/sasjs/server/commit/f6dc74f16bddafa1de9c83c2f27671a241abdad4))
+
+## [0.7.1](https://github.com/sasjs/server/compare/v0.7.0...v0.7.1) (2022-06-20)
+
+
+### Bug Fixes
+
+* default runtime should be sas ([91d29cb](https://github.com/sasjs/server/commit/91d29cb1272c28afbceaf39d1e0a87e17fbfdcd6))
+* **Studio:** default selection of runtime fixed ([eb569c7](https://github.com/sasjs/server/commit/eb569c7b827c872ed2c4bc114559b97d87fd2aa0))
+* webout path fixed in code.js when running on windows ([99a1107](https://github.com/sasjs/server/commit/99a110736448f66f99a512396b268fc31a3feef0))
+
+# [0.7.0](https://github.com/sasjs/server/compare/v0.6.1...v0.7.0) (2022-06-19)
+
+
+### Bug Fixes
+
+* add runtimes to global process object ([194eaec](https://github.com/sasjs/server/commit/194eaec7d4a561468f83bf6efce484909ee532eb))
+* code fixes for executing program from program path including file extension ([53854d0](https://github.com/sasjs/server/commit/53854d001279462104b24c0e59a8c94ab4938a94))
+* code/execute controller logic to handle different runtimes ([23b6692](https://github.com/sasjs/server/commit/23b6692f02e4afa33c9dc95d242eb8645c19d546))
+* convert single executeProgram method to two methods i.e. executeSASProgram and executeJSProgram ([c58666e](https://github.com/sasjs/server/commit/c58666eb81514de500519e7b96c1981778ec149b))
+* no need to stringify _webout in preProgramVarStatements, developer should have _webout as string in actual code ([9d5a5e0](https://github.com/sasjs/server/commit/9d5a5e051fd821295664ddb3a1fd64629894a44c))
+* pass _program to execute file without extension ([5df619b](https://github.com/sasjs/server/commit/5df619b3f63571e8e326261d8114869d33881d91))
+* refactor code for session selection in preUploadMiddleware function ([b444381](https://github.com/sasjs/server/commit/b4443819d42afecebc0f382c58afb9010d4775ef))
+* refactor code in executeFile method of session controller ([dffe6d7](https://github.com/sasjs/server/commit/dffe6d7121d569e5c7d13023c6ca68d8c901c88e))
+* refactor code in preUploadMiddleware function ([6d6bda5](https://github.com/sasjs/server/commit/6d6bda56267babde7b98cf69e32973d56d719f75))
+* refactor sas/js session controller classes to inherit from base session controller class ([2c704a5](https://github.com/sasjs/server/commit/2c704a544f4e31a8e8e833a9a62ba016bcfa6c7c))
+* **Studio:** style fix for runtime dropdown ([9023cf3](https://github.com/sasjs/server/commit/9023cf33b5fa4b13c2d5e9b80ae307df69c7fc02))
+
+
+### Features
+
+* configure child process with writeStream to write logs to log file ([058b3b0](https://github.com/sasjs/server/commit/058b3b00816e582e143953c2f0b8330bde2181b8))
+* conver single session controller to two controller i.e. SASSessionController and JSSessionController ([07295aa](https://github.com/sasjs/server/commit/07295aa151175db8c93eeef806fc3b7fde40ac72))
+* create and inject code for uploaded files to code.js ([1685616](https://github.com/sasjs/server/commit/16856165fb292dc9ffa897189ba105bd9f362267))
+* validate sasjs_runtimes env var ([596ada7](https://github.com/sasjs/server/commit/596ada7ca88798d6d71f6845633a006fd22438ea))
+
+## [0.6.1](https://github.com/sasjs/server/compare/v0.6.0...v0.6.1) (2022-06-17)
+
+
+### Bug Fixes
+
+* home page wording.  Using fix to force previous change through.. ([8702a4e](https://github.com/sasjs/server/commit/8702a4e8fd1bbfaf4f426b75e8b85a87ede0e0b0))
+
+# [0.6.0](https://github.com/sasjs/server/compare/v0.5.0...v0.6.0) (2022-06-16)
+
+
+### Features
+
+* get group by group name ([6b0b94a](https://github.com/sasjs/server/commit/6b0b94ad38215ae58e62279a4f73ac3ed2d9d0e8))
+
+# [0.5.0](https://github.com/sasjs/server/compare/v0.4.2...v0.5.0) (2022-06-16)
+
+
+### Bug Fixes
+
+* npm audit fix to avoid warnings on npm i ([28a6a36](https://github.com/sasjs/server/commit/28a6a36bb708b93fb5c2b74d587e9b2e055582be))
+
+
+### Features
+
+* **api:** deployment through zipped/compressed file ([b81d742](https://github.com/sasjs/server/commit/b81d742c6c70d4cf1cab365b0e3efc087441db00))
+
+## [0.4.2](https://github.com/sasjs/server/compare/v0.4.1...v0.4.2) (2022-06-15)
+
+
+### Bug Fixes
+
+* appStream redesign ([73792fb](https://github.com/sasjs/server/commit/73792fb574c90bd280c4324e0b41c6fee7d572b6))
+
+## [0.4.1](https://github.com/sasjs/server/compare/v0.4.0...v0.4.1) (2022-06-15)
+
+
+### Bug Fixes
+
+* add/remove group to User when adding/removing user from group and return group membership on getting user ([e08bbcc](https://github.com/sasjs/server/commit/e08bbcc5435cbabaee40a41a7fb667d4a1f078e6))
+
+# [0.4.0](https://github.com/sasjs/server/compare/v0.3.10...v0.4.0) (2022-06-14)
+
+
+### Features
+
+* new APIs added for GET|PATCH|DELETE of user by username ([aef411a](https://github.com/sasjs/server/commit/aef411a0eac625c33274dfe3e88b6f75115c44d8))
+
+## [0.3.10](https://github.com/sasjs/server/compare/v0.3.9...v0.3.10) (2022-06-14)
+
+
+### Bug Fixes
+
+* correct syntax for encoding option ([32d372b](https://github.com/sasjs/server/commit/32d372b42fbf56b6c0779e8f704164eaae1c7548))
+
+## [0.3.9](https://github.com/sasjs/server/compare/v0.3.8...v0.3.9) (2022-06-14)
+
+
+### Bug Fixes
+
+* forcing utf 8 encoding. Closes [#76](https://github.com/sasjs/server/issues/76) ([8734489](https://github.com/sasjs/server/commit/8734489cf014aedaca3f325e689493e4fe0b71ca))
+
+## [0.3.8](https://github.com/sasjs/server/compare/v0.3.7...v0.3.8) (2022-06-13)
+
+
+### Bug Fixes
+
+* execution controller better error handling ([8a617a7](https://github.com/sasjs/server/commit/8a617a73ae63233332f5788c90f173d6cd5e1283))
+* execution controller error details ([3fa2a7e](https://github.com/sasjs/server/commit/3fa2a7e2e32f90050f6b09e30ce3ef725eb0b15f))
+
+## [0.3.7](https://github.com/sasjs/server/compare/v0.3.6...v0.3.7) (2022-06-08)
+
+
+### Bug Fixes
+
+* **appstream:** redirect to relative + nested resource should be accessed ([5ab35b0](https://github.com/sasjs/server/commit/5ab35b02c4417132dddb5a800982f31d0d50ef66))
+
+## [0.3.6](https://github.com/sasjs/server/compare/v0.3.5...v0.3.6) (2022-06-02)
+
+
+### Bug Fixes
+
+* **appstream:** should serve only new files for same app stream name with new deployment ([e6d1989](https://github.com/sasjs/server/commit/e6d1989847761fbe562d7861ffa0ee542839b125))
+
+## [0.3.5](https://github.com/sasjs/server/compare/v0.3.4...v0.3.5) (2022-05-30)
+
+
+### Bug Fixes
+
+* bumping sasjs/core library ([61815f8](https://github.com/sasjs/server/commit/61815f8ae18be132e17c199cd8e3afbcc2fa0b60))
+
+## [0.3.4](https://github.com/sasjs/server/compare/v0.3.3...v0.3.4) (2022-05-30)
+
+
+### Bug Fixes
+
+* **web:** system username for DESKTOP mode ([a8ba378](https://github.com/sasjs/server/commit/a8ba378fd1ff374ba025a96fdfae5c6c36954465))
+
+## [0.3.3](https://github.com/sasjs/server/compare/v0.3.2...v0.3.3) (2022-05-30)
+
+
+### Bug Fixes
+
+* usage of autoexec API in DESKTOP mode ([12d424a](https://github.com/sasjs/server/commit/12d424acce8108a6f53aefbac01fddcdc5efb48f))
+
+## [0.3.2](https://github.com/sasjs/server/compare/v0.3.1...v0.3.2) (2022-05-27)
+
+
+### Bug Fixes
+
+* **web:** ability to use get/patch User API in desktop mode. ([2c259fe](https://github.com/sasjs/server/commit/2c259fe1de95d84e6929e311aaa6b895e66b42a3))
+
+## [0.3.1](https://github.com/sasjs/server/compare/v0.3.0...v0.3.1) (2022-05-26)
+
+
+### Bug Fixes
+
+* **api:** username should be lowercase ([5ad6ee5](https://github.com/sasjs/server/commit/5ad6ee5e0f5d7d6faa45b72215f1d9d55cfc37db))
+* **web:** reduced width for autoexec input ([7d11cc7](https://github.com/sasjs/server/commit/7d11cc79161e5a07f6c5392d742ef6b9d8658071))
+
+# [0.3.0](https://github.com/sasjs/server/compare/v0.2.0...v0.3.0) (2022-05-25)
+
+
+### Features
+
+* **web:** added profile + edit + autoexec changes ([c275db1](https://github.com/sasjs/server/commit/c275db184e874f0ee3a4f08f2592cfacf1e90742))
+
 # [0.2.0](https://github.com/sasjs/server/compare/v0.1.0...v0.2.0) (2022-05-25)


--- a/PULL_REQUEST_TEMPLATE.md
+++ b/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,19 @@
+## Issue
+
+Link any related issue(s) in this section.
+
+## Intent
+
+What this PR intends to achieve.
+
+## Implementation
+
+What code changes have been made to achieve the intent.
+
+## Checks
+
+- [ ] Code is formatted correctly (`npm run lint:fix`).
+- [ ] Any new functionality has been unit tested.
+- [ ] All unit tests are passing (`npm test`).
+- [ ] All CI checks are green.
+- [ ] Reviewer is assigned.
--- a/README.md
+++ b/README.md
@@ -1,5 +1,11 @@
 # SASjs Server

+<!-- ALL-CONTRIBUTORS-BADGE:START - Do not remove or modify this section -->
+
+[![All Contributors](https://img.shields.io/badge/all_contributors-7-orange.svg?style=flat-square)](#contributors-)
+
+<!-- ALL-CONTRIBUTORS-BADGE:END -->
+
 SASjs Server provides a NodeJS wrapper for calling the SAS binary executable. It can be installed on an actual SAS server, or locally on your desktop. It provides:

 - Virtual filesystem for storing SAS programs and other content
@@ -61,10 +67,14 @@ MODE=
 # Path to SAS executable (sas.exe / sas.sh)
 SAS_PATH=/path/to/sas/executable.exe

+# Path to Node.js executable
+NODE_PATH=~/.nvm/versions/node/v16.14.0/bin/node
+
 # Path to working directory
 # This location is for SAS WORK, staged files, DRIVE, configuration etc
 SASJS_ROOT=./sasjs_root

+
 # options: [http|https] default: http
 PROTOCOL=

@@ -89,15 +99,12 @@ SASV9_OPTIONS= -NOXCMD
 ## Additional Web Server Options
 #

-# ENV variables required for PROTOCOL: `https`
-PRIVATE_KEY=privkey.pem
-FULL_CHAIN=fullchain.pem
+# ENV variables for PROTOCOL: `https`
+PRIVATE_KEY=privkey.pem (required)
+CERT_CHAIN=certificate.pem (required)
+CA_ROOT=fullchain.pem (optional)

 # ENV variables required for MODE: `server`
-ACCESS_TOKEN_SECRET=<secret>
-REFRESH_TOKEN_SECRET=<secret>
-AUTH_CODE_SECRET=<secret>
-SESSION_SECRET=<secret>
 DB_CONNECT=mongodb+srv://<DB_USERNAME>:<DB_PASSWORD>@<CLUSTER>/<DB_NAME>?retryWrites=true&w=majority

 # options: [disable|enable] default: `disable` for `server` & `enable` for `desktop`
@@ -129,6 +136,16 @@ HELMET_CSP_CONFIG_PATH=./csp.config.json
 # Docs: https://www.npmjs.com/package/morgan#predefined-formats
 LOG_FORMAT_MORGAN=

+# This location is for server logs with classical UNIX logrotate behavior
+LOG_LOCATION=./sasjs_root/logs
+
+# A comma separated string that defines the available runTimes.
+# Priority is given to the runtime that comes first in the string.
+# Possible options at the moment are sas and js
+
+# options: [sas,js|js,sas|sas|js] default:sas
+RUN_TIMES=
+
 ```

 ## Persisting the Session
@@ -185,3 +202,29 @@ The following credentials can be used for the initial connection to SASjs/server
 - CLIENTID: `clientID1`
 - USERNAME: `secretuser`
 - PASSWORD: `secretpassword`
+
+## Contributors ✨
+
+Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):
+
+<!-- ALL-CONTRIBUTORS-LIST:START - Do not remove or modify this section -->
+<!-- prettier-ignore-start -->
+<!-- markdownlint-disable -->
+<table>
+  <tr>
+    <td align="center"><a href="https://github.com/saadjutt01"><img src="https://avatars.githubusercontent.com/u/8914650?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Saad Jutt</b></sub></a><br /><a href="https://github.com/sasjs/server/commits?author=saadjutt01" title="Code">💻</a> <a href="https://github.com/sasjs/server/commits?author=saadjutt01" title="Tests">⚠️</a></td>
+    <td align="center"><a href="https://github.com/sabhas"><img src="https://avatars.githubusercontent.com/u/82647447?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Sabir Hassan</b></sub></a><br /><a href="https://github.com/sasjs/server/commits?author=sabhas" title="Code">💻</a> <a href="https://github.com/sasjs/server/commits?author=sabhas" title="Tests">⚠️</a></td>
+    <td align="center"><a href="https://www.erudicat.com/"><img src="https://avatars.githubusercontent.com/u/25773492?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Yury Shkoda</b></sub></a><br /><a href="https://github.com/sasjs/server/commits?author=YuryShkoda" title="Code">💻</a> <a href="https://github.com/sasjs/server/commits?author=YuryShkoda" title="Tests">⚠️</a></td>
+    <td align="center"><a href="https://github.com/medjedovicm"><img src="https://avatars.githubusercontent.com/u/18329105?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Mihajlo Medjedovic</b></sub></a><br /><a href="https://github.com/sasjs/server/commits?author=medjedovicm" title="Code">💻</a> <a href="https://github.com/sasjs/server/commits?author=medjedovicm" title="Tests">⚠️</a></td>
+    <td align="center"><a href="https://4gl.io/"><img src="https://avatars.githubusercontent.com/u/4420615?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Allan Bowe</b></sub></a><br /><a href="https://github.com/sasjs/server/commits?author=allanbowe" title="Code">💻</a> <a href="https://github.com/sasjs/server/commits?author=allanbowe" title="Documentation">📖</a></td>
+    <td align="center"><a href="https://github.com/VladislavParhomchik"><img src="https://avatars.githubusercontent.com/u/83717836?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Vladislav Parhomchik</b></sub></a><br /><a href="https://github.com/sasjs/server/commits?author=VladislavParhomchik" title="Tests">⚠️</a></td>
+    <td align="center"><a href="https://github.com/kknapen"><img src="https://avatars.githubusercontent.com/u/78609432?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Koen Knapen</b></sub></a><br /><a href="#userTesting-kknapen" title="User Testing">📓</a></td>
+  </tr>
+</table>
+
+<!-- markdownlint-restore -->
+<!-- prettier-ignore-end -->
+
+<!-- ALL-CONTRIBUTORS-LIST:END -->
+
+This project follows the [all-contributors](https://github.com/all-contributors/all-contributors) specification. Contributions of any kind welcome!
--- a/api/.env.example
+++ b/api/.env.example
@@ -4,20 +4,21 @@ WHITELIST=<space separated urls, each starting with protocol `http` or `https`>

 PROTOCOL=[http|https] default considered as http
 PRIVATE_KEY=privkey.pem
-FULL_CHAIN=fullchain.pem
+CERT_CHAIN=certificate.pem
+CA_ROOT=fullchain.pem

 PORT=[5000] default value is 5000

 HELMET_CSP_CONFIG_PATH=./csp.config.json if omitted HELMET default will be used
 HELMET_COEP=[true|false] if omitted HELMET default will be used

-ACCESS_TOKEN_SECRET=<secret>
-REFRESH_TOKEN_SECRET=<secret>
-AUTH_CODE_SECRET=<secret>
-SESSION_SECRET=<secret>
 DB_CONNECT=mongodb+srv://<DB_USERNAME>:<DB_PASSWORD>@<CLUSTER>/<DB_NAME>?retryWrites=true&w=majority

+RUN_TIMES=[sas|js|sas,js|js,sas] default considered as sas
 SAS_PATH=/opt/sas/sas9/SASHome/SASFoundation/9.4/sas
+NODE_PATH=~/.nvm/versions/node/v16.14.0/bin/node
+
 SASJS_ROOT=./sasjs_root

-LOG_FORMAT_MORGAN=common
+LOG_FORMAT_MORGAN=common
+LOG_LOCATION=./sasjs_root/logs
--- a/api/.nvmrc
+++ b/api/.nvmrc
@@ -1 +1 @@
-v16.14.0
+v16.15.1
--- a/api/package-lock.json
+++ b/api/package-lock.json
--- a/api/package.json
+++ b/api/package.json
@@ -7,7 +7,7 @@
    "initial": "npm run swagger && npm run compileSysInit && npm run copySASjsCore",
    "prestart": "npm run initial",
    "prebuild": "npm run initial",
-    "start": "nodemon ./src/server.ts",
+    "start": "NODE_ENV=development nodemon ./src/server.ts",
    "start:prod": "node ./build/src/server.js",
    "build": "rimraf build && tsc",
    "postbuild": "npm run copy:files",
@@ -47,7 +47,7 @@
  },
  "author": "4GL Ltd",
  "dependencies": {
-    "@sasjs/core": "^4.23.1",
+    "@sasjs/core": "^4.31.3",
    "@sasjs/utils": "2.42.1",
    "bcryptjs": "^2.4.3",
    "connect-mongo": "^4.6.0",
@@ -63,9 +63,13 @@
    "mongoose-sequence": "^5.3.1",
    "morgan": "^1.10.0",
    "multer": "^1.4.3",
-    "swagger-ui-express": "4.3.0"
+    "rotating-file-stream": "^3.0.4",
+    "swagger-ui-express": "4.3.0",
+    "unzipper": "^0.10.11",
+    "url": "^0.10.3"
  },
  "devDependencies": {
+    "@types/adm-zip": "^0.5.0",
    "@types/bcryptjs": "^2.4.2",
    "@types/cookie-parser": "^1.4.2",
    "@types/cors": "^2.8.12",
@@ -80,6 +84,8 @@
    "@types/node": "^15.12.2",
    "@types/supertest": "^2.0.11",
    "@types/swagger-ui-express": "^4.1.3",
+    "@types/unzipper": "^0.10.5",
+    "adm-zip": "^0.5.9",
    "dotenv": "^10.0.0",
    "http-headers-validation": "^0.0.1",
    "jest": "^27.0.6",
@@ -96,7 +102,7 @@
  },
  "nodemonConfig": {
    "ignore": [
-      "tmp/**/*"
+      "sasjs_root/**/*"
    ]
  }
 }
--- a/api/public/swagger.yaml
+++ b/api/public/swagger.yaml
@@ -47,41 +47,6 @@ components:
                - userId
            type: object
            additionalProperties: false
-        LoginPayload:
-            properties:
-                username:
-                    type: string
-                    description: 'Username for user'
-                    example: secretuser
-                password:
-                    type: string
-                    description: 'Password for user'
-                    example: secretpassword
-            required:
-                - username
-                - password
-            type: object
-            additionalProperties: false
-        AuthorizeResponse:
-            properties:
-                code:
-                    type: string
-                    description: 'Authorization code'
-                    example: someRandomCryptoString
-            required:
-                - code
-            type: object
-            additionalProperties: false
-        AuthorizePayload:
-            properties:
-                clientId:
-                    type: string
-                    description: 'Client ID'
-                    example: clientID1
-            required:
-                - clientId
-            type: object
-            additionalProperties: false
        ClientPayload:
            properties:
                clientId:
@@ -139,14 +104,24 @@ components:
                - httpHeaders
            type: object
            additionalProperties: false
-        ExecuteSASCodePayload:
+        RunTimeType:
+            enum:
+                - sas
+                - js
+            type: string
+        ExecuteCodePayload:
            properties:
                code:
                    type: string
-                    description: 'Code of SAS program'
-                    example: '* SAS Code HERE;'
+                    description: 'Code of program'
+                    example: '* Code HERE;'
+                runTime:
+                    $ref: '#/components/schemas/RunTimeType'
+                    description: 'runtime for program'
+                    example: js
            required:
                - code
+                - runTime
            type: object
            additionalProperties: false
        MemberType.folder:
@@ -304,10 +279,28 @@ components:
                    type: string
                displayName:
                    type: string
+                isAdmin:
+                    type: boolean
            required:
                - id
                - username
                - displayName
+                - isAdmin
+            type: object
+            additionalProperties: false
+        GroupResponse:
+            properties:
+                groupId:
+                    type: number
+                    format: double
+                name:
+                    type: string
+                description:
+                    type: string
+            required:
+                - groupId
+                - name
+                - description
            type: object
            additionalProperties: false
        UserDetailsResponse:
@@ -325,6 +318,10 @@ components:
                    type: boolean
                autoExec:
                    type: string
+                groups:
+                    items:
+                        $ref: '#/components/schemas/GroupResponse'
+                    type: array
            required:
                - id
                - displayName
@@ -357,28 +354,13 @@ components:
                autoExec:
                    type: string
                    description: 'User-specific auto-exec code'
-                    example: '<SAS code>'
+                    example: ""
            required:
                - displayName
                - username
                - password
            type: object
            additionalProperties: false
-        GroupResponse:
-            properties:
-                groupId:
-                    type: number
-                    format: double
-                name:
-                    type: string
-                description:
-                    type: string
-            required:
-                - groupId
-                - name
-                - description
-            type: object
-            additionalProperties: false
        GroupDetailsResponse:
            properties:
                groupId:
@@ -421,6 +403,27 @@ components:
                - description
            type: object
            additionalProperties: false
+        _LeanDocument__LeanDocument_T__:
+            properties: {}
+            type: object
+        Pick__LeanDocument_T_.Exclude_keyof_LeanDocument_T_.Exclude_keyofDocument._id-or-id-or-__v_-or-%24isSingleNested__:
+            properties:
+                _id:
+                    $ref: '#/components/schemas/_LeanDocument__LeanDocument_T__'
+                    description: 'This documents _id.'
+                __v:
+                    description: 'This documents __v.'
+                id:
+                    description: 'The string version of this documents _id.'
+            type: object
+            description: 'From T, pick a set of properties whose keys are in the union K'
+        Omit__LeanDocument_this_.Exclude_keyofDocument._id-or-id-or-__v_-or-%24isSingleNested_:
+            $ref: '#/components/schemas/Pick__LeanDocument_T_.Exclude_keyof_LeanDocument_T_.Exclude_keyofDocument._id-or-id-or-__v_-or-%24isSingleNested__'
+            description: 'Construct a type with the properties of T except for those in type K.'
+        LeanDocument_this_:
+            $ref: '#/components/schemas/Omit__LeanDocument_this_.Exclude_keyofDocument._id-or-id-or-__v_-or-%24isSingleNested_'
+        IGroup:
+            $ref: '#/components/schemas/LeanDocument_this_'
        InfoResponse:
            properties:
                mode:
@@ -433,11 +436,26 @@ components:
                    type: array
                protocol:
                    type: string
+                runTimes:
+                    items:
+                        type: string
+                    type: array
            required:
                - mode
                - cors
                - whiteList
                - protocol
+                - runTimes
+            type: object
+            additionalProperties: false
+        AuthorizedRoutesResponse:
+            properties:
+                URIs:
+                    items:
+                        type: string
+                    type: array
+            required:
+                - URIs
            type: object
            additionalProperties: false
        ExecuteReturnJsonPayload:
@@ -448,6 +466,106 @@ components:
                    example: /Public/somefolder/some.file
            type: object
            additionalProperties: false
+        LoginPayload:
+            properties:
+                username:
+                    type: string
+                    description: 'Username for user'
+                    example: secretuser
+                password:
+                    type: string
+                    description: 'Password for user'
+                    example: secretpassword
+            required:
+                - username
+                - password
+            type: object
+            additionalProperties: false
+        AuthorizeResponse:
+            properties:
+                code:
+                    type: string
+                    description: 'Authorization code'
+                    example: someRandomCryptoString
+            required:
+                - code
+            type: object
+            additionalProperties: false
+        AuthorizePayload:
+            properties:
+                clientId:
+                    type: string
+                    description: 'Client ID'
+                    example: clientID1
+            required:
+                - clientId
+            type: object
+            additionalProperties: false
+        PermissionDetailsResponse:
+            properties:
+                permissionId:
+                    type: number
+                    format: double
+                uri:
+                    type: string
+                setting:
+                    type: string
+                user:
+                    $ref: '#/components/schemas/UserResponse'
+                group:
+                    $ref: '#/components/schemas/GroupDetailsResponse'
+            required:
+                - permissionId
+                - uri
+                - setting
+            type: object
+            additionalProperties: false
+        PermissionSetting:
+            enum:
+                - Grant
+                - Deny
+            type: string
+        PrincipalType:
+            enum:
+                - user
+                - group
+            type: string
+        RegisterPermissionPayload:
+            properties:
+                uri:
+                    type: string
+                    description: 'Name of affected resource'
+                    example: /SASjsApi/code/execute
+                setting:
+                    $ref: '#/components/schemas/PermissionSetting'
+                    description: 'The indication of whether (and to what extent) access is provided'
+                    example: Grant
+                principalType:
+                    $ref: '#/components/schemas/PrincipalType'
+                    description: 'Indicates the type of principal'
+                    example: user
+                principalId:
+                    type: number
+                    format: double
+                    description: 'The id of user or group to which a rule is assigned.'
+                    example: 123
+            required:
+                - uri
+                - setting
+                - principalType
+                - principalId
+            type: object
+            additionalProperties: false
+        UpdatePermissionPayload:
+            properties:
+                setting:
+                    $ref: '#/components/schemas/PermissionSetting'
+                    description: 'The indication of whether (and to what extent) access is provided'
+                    example: Grant
+            required:
+                - setting
+            type: object
+            additionalProperties: false
    securitySchemes:
        bearerAuth:
            type: http
@@ -518,86 +636,6 @@ paths:
                -
                    bearerAuth: []
            parameters: []
-    /:
-        get:
-            operationId: Home
-            responses:
-                '200':
-                    description: Ok
-                    content:
-                        application/json:
-                            schema:
-                                type: string
-            summary: 'Render index.html'
-            tags:
-                - Web
-            security: []
-            parameters: []
-    /SASLogon/login:
-        post:
-            operationId: Login
-            responses:
-                '200':
-                    description: Ok
-                    content:
-                        application/json:
-                            schema:
-                                properties:
-                                    user: {properties: {displayName: {type: string}, username: {type: string}}, required: [displayName, username], type: object}
-                                    loggedIn: {type: boolean}
-                                required:
-                                    - user
-                                    - loggedIn
-                                type: object
-            summary: 'Accept a valid username/password'
-            tags:
-                - Web
-            security: []
-            parameters: []
-            requestBody:
-                required: true
-                content:
-                    application/json:
-                        schema:
-                            $ref: '#/components/schemas/LoginPayload'
-    /SASLogon/authorize:
-        post:
-            operationId: Authorize
-            responses:
-                '200':
-                    description: Ok
-                    content:
-                        application/json:
-                            schema:
-                                $ref: '#/components/schemas/AuthorizeResponse'
-                            examples:
-                                'Example 1':
-                                    value: {code: someRandomCryptoString}
-            summary: 'Accept a valid username/password, plus a CLIENT_ID, and return an AUTH_CODE'
-            tags:
-                - Web
-            security: []
-            parameters: []
-            requestBody:
-                required: true
-                content:
-                    application/json:
-                        schema:
-                            $ref: '#/components/schemas/AuthorizePayload'
-    /logout:
-        get:
-            operationId: Logout
-            responses:
-                '200':
-                    description: Ok
-                    content:
-                        application/json:
-                            schema: {}
-            summary: 'Accept a valid username/password'
-            tags:
-                - Web
-            security: []
-            parameters: []
    /SASjsApi/client:
        post:
            operationId: CreateClient
@@ -626,7 +664,7 @@ paths:
                            $ref: '#/components/schemas/ClientPayload'
    /SASjsApi/code/execute:
        post:
-            operationId: ExecuteSASCode
+            operationId: ExecuteCode
            responses:
                '200':
                    description: Ok
@@ -647,7 +685,7 @@ paths:
                content:
                    application/json:
                        schema:
-                            $ref: '#/components/schemas/ExecuteSASCodePayload'
+                            $ref: '#/components/schemas/ExecuteCodePayload'
    /SASjsApi/drive/deploy:
        post:
            operationId: Deploy
@@ -723,7 +761,8 @@ paths:
                            examples:
                                'Example 1':
                                    value: {status: failure, message: 'Deployment failed!'}
-            summary: 'Creates/updates files within SASjs Drive using uploaded JSON file.'
+            description: "Accepts JSON file and zipped compressed JSON file as well.\nCompressed file should only contain one JSON file and should have same name\nas of compressed file e.g. deploy.JSON should be compressed to deploy.JSON.zip\nAny other file or JSON file in zipped will be ignored!"
+            summary: 'Creates/updates files within SASjs Drive using uploaded JSON/compressed JSON file.'
            tags:
                - Drive
            security:
@@ -952,7 +991,7 @@ paths:
                                type: array
                            examples:
                                'Example 1':
-                                    value: [{id: 123, username: johnusername, displayName: John}, {id: 456, username: starkusername, displayName: Stark}]
+                                    value: [{id: 123, username: johnusername, displayName: John, isAdmin: false}, {id: 456, username: starkusername, displayName: Stark, isAdmin: true}]
            summary: 'Get list of all users (username, displayname). All users can request this.'
            tags:
                - User
@@ -985,6 +1024,94 @@ paths:
                    application/json:
                        schema:
                            $ref: '#/components/schemas/UserPayload'
+    '/SASjsApi/user/by/username/{username}':
+        get:
+            operationId: GetUserByUsername
+            responses:
+                '200':
+                    description: Ok
+                    content:
+                        application/json:
+                            schema:
+                                $ref: '#/components/schemas/UserDetailsResponse'
+            description: 'Only Admin or user itself will get user autoExec code.'
+            summary: 'Get user properties - such as group memberships, userName, displayName.'
+            tags:
+                - User
+            security:
+                -
+                    bearerAuth: []
+            parameters:
+                -
+                    description: 'The User''s username'
+                    in: path
+                    name: username
+                    required: true
+                    schema:
+                        type: string
+                    example: johnSnow01
+        patch:
+            operationId: UpdateUserByUsername
+            responses:
+                '200':
+                    description: Ok
+                    content:
+                        application/json:
+                            schema:
+                                $ref: '#/components/schemas/UserDetailsResponse'
+                            examples:
+                                'Example 1':
+                                    value: {id: 1234, displayName: 'John Snow', username: johnSnow01, isAdmin: false, isActive: true}
+            summary: 'Update user properties - such as displayName. Can be performed either by admins, or the user in question.'
+            tags:
+                - User
+            security:
+                -
+                    bearerAuth: []
+            parameters:
+                -
+                    description: 'The User''s username'
+                    in: path
+                    name: username
+                    required: true
+                    schema:
+                        type: string
+                    example: johnSnow01
+            requestBody:
+                required: true
+                content:
+                    application/json:
+                        schema:
+                            $ref: '#/components/schemas/UserPayload'
+        delete:
+            operationId: DeleteUserByUsername
+            responses:
+                '204':
+                    description: 'No content'
+            summary: 'Delete a user. Can be performed either by admins, or the user in question.'
+            tags:
+                - User
+            security:
+                -
+                    bearerAuth: []
+            parameters:
+                -
+                    description: 'The User''s username'
+                    in: path
+                    name: username
+                    required: true
+                    schema:
+                        type: string
+                    example: johnSnow01
+            requestBody:
+                required: true
+                content:
+                    application/json:
+                        schema:
+                            properties:
+                                password:
+                                    type: string
+                            type: object
    '/SASjsApi/user/{userId}':
        get:
            operationId: GetUser
@@ -1123,6 +1250,30 @@ paths:
                    application/json:
                        schema:
                            $ref: '#/components/schemas/GroupPayload'
+    '/SASjsApi/group/by/groupname/{name}':
+        get:
+            operationId: GetGroupByGroupName
+            responses:
+                '200':
+                    description: Ok
+                    content:
+                        application/json:
+                            schema:
+                                $ref: '#/components/schemas/GroupDetailsResponse'
+            summary: 'Get list of members of a group (userName). All users can request this.'
+            tags:
+                - Group
+            security:
+                -
+                    bearerAuth: []
+            parameters:
+                -
+                    description: 'The group''s name'
+                    in: path
+                    name: name
+                    required: true
+                    schema:
+                        type: string
    '/SASjsApi/group/{groupId}':
        get:
            operationId: GetGroup
@@ -1152,8 +1303,14 @@ paths:
        delete:
            operationId: DeleteGroup
            responses:
-                '204':
-                    description: 'No content'
+                '200':
+                    description: Ok
+                    content:
+                        application/json:
+                            schema:
+                                allOf:
+                                    - {$ref: '#/components/schemas/IGroup'}
+                                    - {properties: {_id: {}}, required: [_id], type: object}
            summary: 'Delete a group. Admin task only.'
            tags:
                - Group
@@ -1257,12 +1414,30 @@ paths:
                                $ref: '#/components/schemas/InfoResponse'
                            examples:
                                'Example 1':
-                                    value: {mode: desktop, cors: enable, whiteList: ['http://example.com', 'http://example2.com'], protocol: http}
+                                    value: {mode: desktop, cors: enable, whiteList: ['http://example.com', 'http://example2.com'], protocol: http, runTimes: [sas, js]}
            summary: 'Get server info (mode, cors, whiteList, protocol).'
            tags:
                - Info
            security: []
            parameters: []
+    /SASjsApi/info/authorizedRoutes:
+        get:
+            operationId: AuthorizedRoutes
+            responses:
+                '200':
+                    description: Ok
+                    content:
+                        application/json:
+                            schema:
+                                $ref: '#/components/schemas/AuthorizedRoutesResponse'
+                            examples:
+                                'Example 1':
+                                    value: {URIs: [/AppStream, /SASjsApi/stp/execute]}
+            summary: 'Get authorized routes.'
+            tags:
+                - Info
+            security: []
+            parameters: []
    /SASjsApi/session:
        get:
            operationId: Session
@@ -1275,7 +1450,7 @@ paths:
                                $ref: '#/components/schemas/UserResponse'
                            examples:
                                'Example 1':
-                                    value: {id: 123, username: johnusername, displayName: John}
+                                    value: {id: 123, username: johnusername, displayName: John, isAdmin: false}
            summary: 'Get session info (username).'
            tags:
                - Session
@@ -1295,8 +1470,8 @@ paths:
                                anyOf:
                                    - {type: string}
                                    - {type: string, format: byte}
-            description: "Trigger a SAS program using it's location in the _program URL parameter.\nEnable debugging using the _debug URL parameter.  Setting _debug=131 will\ncause the log to be streamed in the output.\n\nAdditional URL parameters are turned into SAS macro variables.\n\nAny files provided in the request body are placed into the SAS session with\ncorresponding _WEBIN_XXX variables created.\n\nThe response headers can be adjusted using the mfs_httpheader() macro.  Any\nfile type can be returned, including binary files such as zip or xls.\n\nIf _debug is >= 131, response headers will contain Content-Type: 'text/plain'\n\nThis behaviour differs for POST requests, in which case the response is\nalways JSON."
-            summary: 'Execute Stored Program, return raw _webout content.'
+            description: "Trigger a SAS or JS program using the _program URL parameter.\n\nAccepts URL parameters and file uploads.  For more details, see docs:\n\nhttps://server.sasjs.io/storedprograms"
+            summary: 'Execute a Stored Program, returns raw _webout content.'
            tags:
                - STP
            security:
@@ -1304,13 +1479,13 @@ paths:
                    bearerAuth: []
            parameters:
                -
-                    description: 'Location of SAS program'
+                    description: 'Location of SAS or JS code'
                    in: query
                    name: _program
                    required: true
                    schema:
                        type: string
-                    example: /Public/somefolder/some.file
+                    example: /Projects/myApp/some/program
        post:
            operationId: ExecuteReturnJson
            responses:
@@ -1323,8 +1498,8 @@ paths:
                            examples:
                                'Example 1':
                                    value: {status: success, _webout: 'webout content', log: [], httpHeaders: {Content-type: application/zip, Cache-Control: 'public, max-age=1000'}}
-            description: "Trigger a SAS program using it's location in the _program URL parameter.\nEnable debugging using the _debug URL parameter.  In any case, the log is\nalways returned in the log object.\n\nAdditional URL parameters are turned into SAS macro variables.\n\nAny files provided in the request body are placed into the SAS session with\ncorresponding _WEBIN_XXX variables created.\n\nThe response will be a JSON object with the following root attributes: log,\nwebout, headers.\n\nThe webout will be a nested JSON object ONLY if the response-header\ncontains a content-type of application/json AND it is valid JSON.\nOtherwise it will be a stringified version of the webout content.\n\nResponse headers from the mfs_httpheader macro are simply listed in the\nheaders object, for POST requests they have no effect on the actual\nresponse header."
-            summary: 'Execute Stored Program, return JSON'
+            description: "Trigger a SAS or JS program using the _program URL parameter.\n\nAccepts URL parameters and file uploads.  For more details, see docs:\n\nhttps://server.sasjs.io/storedprograms\n\nThe response will be a JSON object with the following root attributes:\nlog, webout, headers.\n\nThe webout attribute will be nested JSON ONLY if the response-header\ncontains a content-type of application/json AND it is valid JSON.\nOtherwise it will be a stringified version of the webout content."
+            summary: 'Execute a Stored Program, return a JSON object'
            tags:
                - STP
            security:
@@ -1332,32 +1507,218 @@ paths:
                    bearerAuth: []
            parameters:
                -
-                    description: 'Location of SAS program'
+                    description: 'Location of SAS or JS code'
                    in: query
                    name: _program
                    required: false
                    schema:
                        type: string
-                    example: /Public/somefolder/some.file
+                    example: /Projects/myApp/some/program
            requestBody:
                required: false
                content:
                    application/json:
                        schema:
                            $ref: '#/components/schemas/ExecuteReturnJsonPayload'
+    /:
+        get:
+            operationId: Home
+            responses:
+                '200':
+                    description: Ok
+                    content:
+                        application/json:
+                            schema:
+                                type: string
+            summary: 'Render index.html'
+            tags:
+                - Web
+            security: []
+            parameters: []
+    /SASLogon/login:
+        post:
+            operationId: Login
+            responses:
+                '200':
+                    description: Ok
+                    content:
+                        application/json:
+                            schema:
+                                properties:
+                                    user: {properties: {isAdmin: {type: boolean}, displayName: {type: string}, username: {type: string}, id: {type: number, format: double}}, required: [isAdmin, displayName, username, id], type: object}
+                                    loggedIn: {type: boolean}
+                                required:
+                                    - user
+                                    - loggedIn
+                                type: object
+            summary: 'Accept a valid username/password'
+            tags:
+                - Web
+            security: []
+            parameters: []
+            requestBody:
+                required: true
+                content:
+                    application/json:
+                        schema:
+                            $ref: '#/components/schemas/LoginPayload'
+    /SASLogon/authorize:
+        post:
+            operationId: Authorize
+            responses:
+                '200':
+                    description: Ok
+                    content:
+                        application/json:
+                            schema:
+                                $ref: '#/components/schemas/AuthorizeResponse'
+                            examples:
+                                'Example 1':
+                                    value: {code: someRandomCryptoString}
+            summary: 'Accept a valid username/password, plus a CLIENT_ID, and return an AUTH_CODE'
+            tags:
+                - Web
+            security: []
+            parameters: []
+            requestBody:
+                required: true
+                content:
+                    application/json:
+                        schema:
+                            $ref: '#/components/schemas/AuthorizePayload'
+    /SASLogon/logout:
+        get:
+            operationId: Logout
+            responses:
+                '200':
+                    description: Ok
+                    content:
+                        application/json:
+                            schema: {}
+            summary: 'Destroy the session stored in cookies'
+            tags:
+                - Web
+            security: []
+            parameters: []
+    /SASjsApi/permission:
+        get:
+            operationId: GetAllPermissions
+            responses:
+                '200':
+                    description: Ok
+                    content:
+                        application/json:
+                            schema:
+                                items:
+                                    $ref: '#/components/schemas/PermissionDetailsResponse'
+                                type: array
+                            examples:
+                                'Example 1':
+                                    value: [{permissionId: 123, uri: /SASjsApi/code/execute, setting: Grant, user: {id: 1, username: johnSnow01, displayName: 'John Snow', isAdmin: false}}, {permissionId: 124, uri: /SASjsApi/code/execute, setting: Grant, group: {groupId: 1, name: DCGroup, description: 'This group represents Data Controller Users', isActive: true, users: []}}]
+            summary: 'Get list of all permissions (uri, setting and userDetail).'
+            tags:
+                - Permission
+            security:
+                -
+                    bearerAuth: []
+            parameters: []
+        post:
+            operationId: CreatePermission
+            responses:
+                '200':
+                    description: Ok
+                    content:
+                        application/json:
+                            schema:
+                                $ref: '#/components/schemas/PermissionDetailsResponse'
+                            examples:
+                                'Example 1':
+                                    value: {permissionId: 123, uri: /SASjsApi/code/execute, setting: Grant, user: {id: 1, username: johnSnow01, displayName: 'John Snow', isAdmin: false}}
+            summary: 'Create a new permission. Admin only.'
+            tags:
+                - Permission
+            security:
+                -
+                    bearerAuth: []
+            parameters: []
+            requestBody:
+                required: true
+                content:
+                    application/json:
+                        schema:
+                            $ref: '#/components/schemas/RegisterPermissionPayload'
+    '/SASjsApi/permission/{permissionId}':
+        patch:
+            operationId: UpdatePermission
+            responses:
+                '200':
+                    description: Ok
+                    content:
+                        application/json:
+                            schema:
+                                $ref: '#/components/schemas/PermissionDetailsResponse'
+                            examples:
+                                'Example 1':
+                                    value: {permissionId: 123, uri: /SASjsApi/code/execute, setting: Grant, user: {id: 1, username: johnSnow01, displayName: 'John Snow', isAdmin: false}}
+            summary: 'Update permission setting. Admin only'
+            tags:
+                - Permission
+            security:
+                -
+                    bearerAuth: []
+            parameters:
+                -
+                    description: 'The permission''s identifier'
+                    in: path
+                    name: permissionId
+                    required: true
+                    schema:
+                        format: double
+                        type: number
+                    example: 1234
+            requestBody:
+                required: true
+                content:
+                    application/json:
+                        schema:
+                            $ref: '#/components/schemas/UpdatePermissionPayload'
+        delete:
+            operationId: DeletePermission
+            responses:
+                '204':
+                    description: 'No content'
+            summary: 'Delete a permission. Admin only.'
+            tags:
+                - Permission
+            security:
+                -
+                    bearerAuth: []
+            parameters:
+                -
+                    description: 'The user''s identifier'
+                    in: path
+                    name: permissionId
+                    required: true
+                    schema:
+                        format: double
+                        type: number
+                    example: 1234
 servers:
    -
        url: /
 tags:
    -
        name: Info
-        description: 'Get Server Info'
+        description: 'Get Server Information'
    -
        name: Session
        description: 'Get Session information'
    -
        name: User
-        description: 'Operations about users'
+        description: 'Operations with users'
+    -
+        name: Permission
+        description: 'Operations about permissions'
    -
        name: Client
        description: 'Operations about clients'
@@ -1366,16 +1727,16 @@ tags:
        description: 'Operations about auth'
    -
        name: Drive
-        description: 'Operations about drive'
+        description: 'Operations on SASjs Drive'
    -
        name: Group
-        description: 'Operations about group'
+        description: 'Operations on groups and group memberships'
    -
        name: STP
-        description: 'Operations about STP'
+        description: 'Execution of Stored Programs'
    -
        name: CODE
-        description: 'Operations on SAS code'
+        description: 'Execution of code (various runtimes are supported)'
    -
        name: Web
        description: 'Operations on Web'
--- a/api/scripts/compileSysInit.ts
+++ b/api/scripts/compileSysInit.ts
@@ -6,7 +6,7 @@ import {
  readFile,
  SASJsFileType
 } from '@sasjs/utils'
-import { apiRoot, sysInitCompiledPath } from '../src/utils'
+import { apiRoot, sysInitCompiledPath } from '../src/utils/file'

 const macroCorePath = path.join(apiRoot, 'node_modules', '@sasjs', 'core')

--- a/api/scripts/copySASjsCore.ts
+++ b/api/scripts/copySASjsCore.ts
@@ -8,7 +8,11 @@ import {
  listFilesInFolder
 } from '@sasjs/utils'

-import { apiRoot, sasJSCoreMacros, sasJSCoreMacrosInfo } from '../src/utils'
+import {
+  apiRoot,
+  sasJSCoreMacros,
+  sasJSCoreMacrosInfo
+} from '../src/utils/file'

 const macroCorePath = path.join(apiRoot, 'node_modules', '@sasjs', 'core')

--- a/api/src/app-modules/configureCors.ts
+++ b/api/src/app-modules/configureCors.ts
@@ -0,0 +1,21 @@
+import { Express } from 'express'
+import cors from 'cors'
+import { CorsType } from '../utils'
+
+export const configureCors = (app: Express) => {
+  const { CORS, WHITELIST } = process.env
+
+  if (CORS === CorsType.ENABLED) {
+    const whiteList: string[] = []
+    WHITELIST?.split(' ')
+      ?.filter((url) => !!url)
+      .forEach((url) => {
+        if (url.startsWith('http'))
+          // removing trailing slash of URLs listing for CORS
+          whiteList.push(url.replace(/\/$/, ''))
+      })
+
+    console.log('All CORS Requests are enabled for:', whiteList)
+    app.use(cors({ credentials: true, origin: whiteList }))
+  }
+}
--- a/api/src/app-modules/configureExpressSession.ts
+++ b/api/src/app-modules/configureExpressSession.ts
@@ -0,0 +1,32 @@
+import { Express } from 'express'
+import mongoose from 'mongoose'
+import session from 'express-session'
+import MongoStore from 'connect-mongo'
+
+import { ModeType } from '../utils'
+import { cookieOptions } from '../app'
+
+export const configureExpressSession = (app: Express) => {
+  const { MODE } = process.env
+
+  if (MODE === ModeType.Server) {
+    let store: MongoStore | undefined
+
+    if (process.env.NODE_ENV !== 'test') {
+      store = MongoStore.create({
+        client: mongoose.connection!.getClient() as any,
+        collectionName: 'sessions'
+      })
+    }
+
+    app.use(
+      session({
+        secret: process.secrets.SESSION_SECRET,
+        saveUninitialized: false, // don't create session until something stored
+        resave: false, //don't save session if unmodified
+        store,
+        cookie: cookieOptions
+      })
+    )
+  }
+}
--- a/api/src/app-modules/configureLogger.ts
+++ b/api/src/app-modules/configureLogger.ts
@@ -0,0 +1,33 @@
+import path from 'path'
+import { Express } from 'express'
+import morgan from 'morgan'
+import { createStream } from 'rotating-file-stream'
+import { generateTimestamp } from '@sasjs/utils'
+import { getLogFolder } from '../utils'
+
+export const configureLogger = (app: Express) => {
+  const { LOG_FORMAT_MORGAN } = process.env
+
+  let options
+  if (
+    process.env.NODE_ENV !== 'development' &&
+    process.env.NODE_ENV !== 'test'
+  ) {
+    const timestamp = generateTimestamp()
+    const filename = `${timestamp}.log`
+    const logsFolder = getLogFolder()
+
+    // create a rotating write stream
+    var accessLogStream = createStream(filename, {
+      interval: '1d', // rotate daily
+      path: logsFolder
+    })
+
+    console.log('Writing Logs to :', path.join(logsFolder, filename))
+
+    options = { stream: accessLogStream }
+  }
+
+  // setup the logger
+  app.use(morgan(LOG_FORMAT_MORGAN as string, options))
+}
--- a/api/src/app-modules/configureSecurity.ts
+++ b/api/src/app-modules/configureSecurity.ts
@@ -0,0 +1,26 @@
+import { Express } from 'express'
+import { getEnvCSPDirectives } from '../utils/parseHelmetConfig'
+import { HelmetCoepType, ProtocolType } from '../utils'
+import helmet from 'helmet'
+
+export const configureSecurity = (app: Express) => {
+  const { PROTOCOL, HELMET_CSP_CONFIG_PATH, HELMET_COEP } = process.env
+
+  const cspConfigJson: { [key: string]: string[] | null } = getEnvCSPDirectives(
+    HELMET_CSP_CONFIG_PATH
+  )
+  if (PROTOCOL === ProtocolType.HTTP)
+    cspConfigJson['upgrade-insecure-requests'] = null
+
+  app.use(
+    helmet({
+      contentSecurityPolicy: {
+        directives: {
+          ...helmet.contentSecurityPolicy.getDefaultDirectives(),
+          ...cspConfigJson
+        }
+      },
+      crossOriginEmbedderPolicy: HELMET_COEP === HelmetCoepType.TRUE
+    })
+  )
+}
--- a/api/src/app-modules/index.ts
+++ b/api/src/app-modules/index.ts
@@ -0,0 +1,4 @@
+export * from './configureCors'
+export * from './configureExpressSession'
+export * from './configureLogger'
+export * from './configureSecurity'
--- a/api/src/app.ts
+++ b/api/src/app.ts
@@ -1,30 +1,26 @@
 import path from 'path'
 import express, { ErrorRequestHandler } from 'express'
 import csrf from 'csurf'
-import session from 'express-session'
-import MongoStore from 'connect-mongo'
-import morgan from 'morgan'
 import cookieParser from 'cookie-parser'
 import dotenv from 'dotenv'
-import cors from 'cors'
-import helmet from 'helmet'

 import {
-  connectDB,
  copySASjsCore,
-  CorsType,
  getWebBuildFolder,
-  HelmetCoepType,
  instantiateLogger,
  loadAppStreamConfig,
-  ModeType,
  ProtocolType,
  ReturnCode,
  setProcessVariables,
  setupFolders,
  verifyEnvVariables
 } from './utils'
-import { getEnvCSPDirectives } from './utils/parseHelmetConfig'
+import {
+  configureCors,
+  configureExpressSession,
+  configureLogger,
+  configureSecurity
+} from './app-modules'

 dotenv.config()

@@ -34,19 +30,7 @@ if (verifyEnvVariables()) process.exit(ReturnCode.InvalidEnv)

 const app = express()

-app.use(cookieParser())
-
-const {
-  MODE,
-  CORS,
-  WHITELIST,
-  PROTOCOL,
-  HELMET_CSP_CONFIG_PATH,
-  HELMET_COEP,
-  LOG_FORMAT_MORGAN
-} = process.env
-
-app.use(morgan(LOG_FORMAT_MORGAN as string))
+const { PROTOCOL } = process.env

 export const cookieOptions = {
  secure: PROTOCOL === ProtocolType.HTTPS,
@@ -54,79 +38,11 @@ export const cookieOptions = {
  maxAge: 24 * 60 * 60 * 1000 // 24 hours
 }

-const cspConfigJson: { [key: string]: string[] | null } = getEnvCSPDirectives(
-  HELMET_CSP_CONFIG_PATH
-)
-if (PROTOCOL === ProtocolType.HTTP)
-  cspConfigJson['upgrade-insecure-requests'] = null
-
 /***********************************
 *         CSRF Protection         *
 ***********************************/
 export const csrfProtection = csrf({ cookie: cookieOptions })

-/***********************************
- *   Handle security and origin    *
- ***********************************/
-app.use(
-  helmet({
-    contentSecurityPolicy: {
-      directives: {
-        ...helmet.contentSecurityPolicy.getDefaultDirectives(),
-        ...cspConfigJson
-      }
-    },
-    crossOriginEmbedderPolicy: HELMET_COEP === HelmetCoepType.TRUE
-  })
-)
-
-/***********************************
- *         Enabling CORS           *
- ***********************************/
-if (CORS === CorsType.ENABLED) {
-  const whiteList: string[] = []
-  WHITELIST?.split(' ')
-    ?.filter((url) => !!url)
-    .forEach((url) => {
-      if (url.startsWith('http'))
-        // removing trailing slash of URLs listing for CORS
-        whiteList.push(url.replace(/\/$/, ''))
-    })
-
-  console.log('All CORS Requests are enabled for:', whiteList)
-  app.use(cors({ credentials: true, origin: whiteList }))
-}
-
-/***********************************
- *         DB Connection &          *
- *        Express Sessions          *
- *        With Mongo Store          *
- ***********************************/
-if (MODE === ModeType.Server) {
-  let store: MongoStore | undefined
-
-  // NOTE: when exporting app.js as agent for supertest
-  // we should exclude connecting to the real database
-  if (process.env.NODE_ENV !== 'test') {
-    const clientPromise = connectDB().then((conn) => conn!.getClient() as any)
-
-    store = MongoStore.create({ clientPromise, collectionName: 'sessions' })
-  }
-
-  app.use(
-    session({
-      secret: process.env.SESSION_SECRET as string,
-      saveUninitialized: false, // don't create session until something stored
-      resave: false, //don't save session if unmodified
-      store,
-      cookie: cookieOptions
-    })
-  )
-}
-
-app.use(express.json({ limit: '100mb' }))
-app.use(express.static(path.join(__dirname, '../public')))
-
 const onError: ErrorRequestHandler = (err, req, res, next) => {
  if (err.code === 'EBADCSRFTOKEN')
    return res.status(400).send('Invalid CSRF token!')
@@ -136,6 +52,30 @@ const onError: ErrorRequestHandler = (err, req, res, next) => {
 }

 export default setProcessVariables().then(async () => {
+  app.use(cookieParser())
+
+  configureLogger(app)
+
+  /***********************************
+   *   Handle security and origin    *
+   ***********************************/
+  configureSecurity(app)
+
+  /***********************************
+   *         Enabling CORS           *
+   ***********************************/
+  configureCors(app)
+
+  /***********************************
+   *         DB Connection &          *
+   *        Express Sessions          *
+   *        With Mongo Store          *
+   ***********************************/
+  configureExpressSession(app)
+
+  app.use(express.json({ limit: '100mb' }))
+  app.use(express.static(path.join(__dirname, '../public')))
+
  await setupFolders()
  await copySASjsCore()

--- a/api/src/controllers/auth.ts
+++ b/api/src/controllers/auth.ts
@@ -129,8 +129,8 @@ const verifyAuthCode = async (
  clientId: string,
  code: string
 ): Promise<InfoJWT | undefined> => {
-  return new Promise((resolve, reject) => {
-    jwt.verify(code, process.env.AUTH_CODE_SECRET as string, (err, data) => {
+  return new Promise((resolve) => {
+    jwt.verify(code, process.secrets.AUTH_CODE_SECRET, (err, data) => {
      if (err) return resolve(undefined)

      const clientInfo: InfoJWT = {
--- a/api/src/controllers/code.ts
+++ b/api/src/controllers/code.ts
@@ -3,19 +3,24 @@ import { Request, Security, Route, Tags, Post, Body } from 'tsoa'
 import { ExecuteReturnJson, ExecutionController } from './internal'
 import { ExecuteReturnJsonResponse } from '.'
 import {
-  getDesktopUserAutoExecPath,
  getPreProgramVariables,
+  getUserAutoExec,
  ModeType,
-  parseLogToArray
+  parseLogToArray,
+  RunTimeType
 } from '../utils'
-import { readFile } from '@sasjs/utils'

-interface ExecuteSASCodePayload {
+interface ExecuteCodePayload {
  /**
-   * Code of SAS program
-   * @example "* SAS Code HERE;"
+   * Code of program
+   * @example "* Code HERE;"
   */
  code: string
+  /**
+   * runtime for program
+   * @example "js"
+   */
+  runTime: RunTimeType
 }

@Security('bearerAuth')
@@ -27,33 +32,34 @@ export class CodeController {
   * @summary Run SAS Code and returns log
   */
  @Post('/execute')
-  public async executeSASCode(
+  public async executeCode(
    @Request() request: express.Request,
-    @Body() body: ExecuteSASCodePayload
+    @Body() body: ExecuteCodePayload
  ): Promise<ExecuteReturnJsonResponse> {
-    return executeSASCode(request, body)
+    return executeCode(request, body)
  }
 }

-const executeSASCode = async (
+const executeCode = async (
  req: express.Request,
-  { code }: ExecuteSASCodePayload
+  { code, runTime }: ExecuteCodePayload
 ) => {
  const { user } = req
  const userAutoExec =
    process.env.MODE === ModeType.Server
      ? user?.autoExec
-      : await readFile(getDesktopUserAutoExecPath())
+      : await getUserAutoExec()

  try {
    const { webout, log, httpHeaders } =
-      (await new ExecutionController().executeProgram(
-        code,
-        getPreProgramVariables(req),
-        { ...req.query, _debug: 131 },
-        { userAutoExec },
-        true
-      )) as ExecuteReturnJson
+      (await new ExecutionController().executeProgram({
+        program: code,
+        preProgramVariables: getPreProgramVariables(req),
+        vars: { ...req.query, _debug: 131 },
+        otherArgs: { userAutoExec },
+        returnJson: true,
+        runTime: runTime
+      })) as ExecuteReturnJson

    return {
      status: 'success',
--- a/api/src/controllers/drive.ts
+++ b/api/src/controllers/drive.ts
@@ -96,7 +96,12 @@ export class DriveController {
  }

  /**
-   * @summary Creates/updates files within SASjs Drive using uploaded JSON file.
+   * Accepts JSON file and zipped compressed JSON file as well.
+   * Compressed file should only contain one JSON file and should have same name
+   * as of compressed file e.g. deploy.JSON should be compressed to deploy.JSON.zip
+   * Any other file or JSON file in zipped will be ignored!
+   *
+   * @summary Creates/updates files within SASjs Drive using uploaded JSON/compressed JSON file.
   *
   */
  @Example<DeployResponse>(successDeployResponse)
--- a/api/src/controllers/group.ts
+++ b/api/src/controllers/group.ts
@@ -14,13 +14,13 @@ import Group, { GroupPayload } from '../model/Group'
 import User from '../model/User'
 import { UserResponse } from './user'

-interface GroupResponse {
+export interface GroupResponse {
  groupId: number
  name: string
  description: string
 }

-interface GroupDetailsResponse {
+export interface GroupDetailsResponse {
  groupId: number
  name: string
  description: string
@@ -28,6 +28,11 @@ interface GroupDetailsResponse {
  users: UserResponse[]
 }

+interface GetGroupBy {
+  groupId?: number
+  name?: string
+}
+
@Security('bearerAuth')
@Route('SASjsApi/group')
@Tags('Group')
@@ -66,6 +71,18 @@ export class GroupController {
    return createGroup(body)
  }

+  /**
+   * @summary Get list of members of a group (userName). All users can request this.
+   * @param name The group's name
+   * @example dcgroup
+   */
+  @Get('by/groupname/{name}')
+  public async getGroupByGroupName(
+    @Path() name: string
+  ): Promise<GroupDetailsResponse> {
+    return getGroup({ name })
+  }
+
  /**
   * @summary Get list of members of a group (userName). All users can request this.
   * @param groupId The group's identifier
@@ -75,7 +92,7 @@ export class GroupController {
  public async getGroup(
    @Path() groupId: number
  ): Promise<GroupDetailsResponse> {
-    return getGroup(groupId)
+    return getGroup({ groupId })
  }

  /**
@@ -129,9 +146,13 @@ export class GroupController {
   */
  @Delete('{groupId}')
  public async deleteGroup(@Path() groupId: number) {
-    const { deletedCount } = await Group.deleteOne({ groupId })
-    if (deletedCount) return
-    throw new Error('No Group deleted!')
+    const group = await Group.findOne({ groupId })
+    if (group) return await group.remove()
+    throw {
+      code: 404,
+      status: 'Not Found',
+      message: 'Group not found.'
+    }
  }
 }

@@ -145,6 +166,15 @@ const createGroup = async ({
  description,
  isActive
 }: GroupPayload): Promise<GroupDetailsResponse> => {
+  // Checking if user is already in the database
+  const groupnameExist = await Group.findOne({ name })
+  if (groupnameExist)
+    throw {
+      code: 409,
+      status: 'Conflict',
+      message: 'Group name already exists.'
+    }
+
  const group = new Group({
    name,
    description,
@@ -162,15 +192,20 @@ const createGroup = async ({
  }
 }

-const getGroup = async (groupId: number): Promise<GroupDetailsResponse> => {
+const getGroup = async (findBy: GetGroupBy): Promise<GroupDetailsResponse> => {
  const group = (await Group.findOne(
-    { groupId },
+    findBy,
    'groupId name description isActive users -_id'
  ).populate(
    'users',
-    'id username displayName -_id'
+    'id username displayName isAdmin -_id'
  )) as unknown as GroupDetailsResponse
-  if (!group) throw new Error('Group not found.')
+  if (!group)
+    throw {
+      code: 404,
+      status: 'Not Found',
+      message: 'Group not found.'
+    }

  return {
    groupId: group.groupId,
@@ -199,16 +234,32 @@ const updateUsersListInGroup = async (
  action: 'addUser' | 'removeUser'
 ): Promise<GroupDetailsResponse> => {
  const group = await Group.findOne({ groupId })
-  if (!group) throw new Error('Group not found.')
+  if (!group)
+    throw {
+      code: 404,
+      status: 'Not Found',
+      message: 'Group not found.'
+    }

  const user = await User.findOne({ id: userId })
-  if (!user) throw new Error('User not found.')
+  if (!user)
+    throw {
+      code: 404,
+      status: 'Not Found',
+      message: 'User not found.'
+    }

-  const updatedGroup = (action === 'addUser'
-    ? await group.addUser(user._id)
-    : await group.removeUser(user._id)) as unknown as GroupDetailsResponse
+  const updatedGroup =
+    action === 'addUser'
+      ? await group.addUser(user)
+      : await group.removeUser(user)

-  if (!updatedGroup) throw new Error('Unable to update group')
+  if (!updatedGroup)
+    throw {
+      code: 400,
+      status: 'Bad Request',
+      message: 'Unable to update group.'
+    }

  return {
    groupId: updatedGroup.groupId,
--- a/api/src/controllers/index.ts
+++ b/api/src/controllers/index.ts
@@ -4,6 +4,7 @@ export * from './code'
 export * from './drive'
 export * from './group'
 export * from './info'
+export * from './permission'
 export * from './session'
 export * from './stp'
 export * from './user'
--- a/api/src/controllers/info.ts
+++ b/api/src/controllers/info.ts
@@ -1,10 +1,15 @@
 import { Route, Tags, Example, Get } from 'tsoa'
+import { getAuthorizedRoutes } from '../utils'
+export interface AuthorizedRoutesResponse {
+  URIs: string[]
+}

 export interface InfoResponse {
  mode: string
  cors: string
  whiteList: string[]
  protocol: string
+  runTimes: string[]
 }

@Route('SASjsApi/info')
@@ -18,7 +23,8 @@ export class InfoController {
    mode: 'desktop',
    cors: 'enable',
    whiteList: ['http://example.com', 'http://example2.com'],
-    protocol: 'http'
+    protocol: 'http',
+    runTimes: ['sas', 'js']
  })
  @Get('/')
  public info(): InfoResponse {
@@ -29,7 +35,23 @@ export class InfoController {
        (process.env.MODE === 'server' ? 'disable' : 'enable'),
      whiteList:
        process.env.WHITELIST?.split(' ')?.filter((url) => !!url) ?? [],
-      protocol: process.env.PROTOCOL ?? 'http'
+      protocol: process.env.PROTOCOL ?? 'http',
+      runTimes: process.runTimes
+    }
+    return response
+  }
+
+  /**
+   * @summary Get authorized routes.
+   *
+   */
+  @Example<AuthorizedRoutesResponse>({
+    URIs: ['/AppStream', '/SASjsApi/stp/execute']
+  })
+  @Get('/authorizedRoutes')
+  public authorizedRoutes(): AuthorizedRoutesResponse {
+    const response = {
+      URIs: getAuthorizedRoutes()
    }
    return response
  }
--- a/api/src/controllers/internal/Execution.ts
+++ b/api/src/controllers/internal/Execution.ts
@@ -1,21 +1,14 @@
 import path from 'path'
 import fs from 'fs'
-import { getSessionController } from './'
-import {
-  readFile,
-  fileExists,
-  createFile,
-  moveFile,
-  readFileBinary
-} from '@sasjs/utils'
+import { getSessionController, processProgram } from './'
+import { readFile, fileExists, createFile, readFileBinary } from '@sasjs/utils'
 import { PreProgramVars, Session, TreeNode } from '../../types'
 import {
  extractHeaders,
-  generateFileUploadSasCode,
  getFilesFolder,
-  getMacrosFolder,
  HTTPHeaders,
-  isDebugOn
+  isDebugOn,
+  RunTimeType
 } from '../../utils'

 export interface ExecutionVars {
@@ -33,39 +26,53 @@ export interface ExecuteReturnJson {
  log?: string
 }

-export class ExecutionController {
-  async executeFile(
-    programPath: string,
-    preProgramVariables: PreProgramVars,
-    vars: ExecutionVars,
-    otherArgs?: any,
-    returnJson?: boolean,
-    session?: Session
-  ) {
-    if (!(await fileExists(programPath)))
-      throw 'ExecutionController: SAS file does not exist.'
+interface ExecuteFileParams {
+  programPath: string
+  preProgramVariables: PreProgramVars
+  vars: ExecutionVars
+  otherArgs?: any
+  returnJson?: boolean
+  session?: Session
+  runTime: RunTimeType
+}

+interface ExecuteProgramParams extends Omit<ExecuteFileParams, 'programPath'> {
+  program: string
+}
+
+export class ExecutionController {
+  async executeFile({
+    programPath,
+    preProgramVariables,
+    vars,
+    otherArgs,
+    returnJson,
+    session,
+    runTime
+  }: ExecuteFileParams) {
    const program = await readFile(programPath)

-    return this.executeProgram(
+    return this.executeProgram({
      program,
      preProgramVariables,
      vars,
      otherArgs,
      returnJson,
-      session
-    )
+      session,
+      runTime
+    })
  }

-  async executeProgram(
-    program: string,
-    preProgramVariables: PreProgramVars,
-    vars: ExecutionVars,
-    otherArgs?: any,
-    returnJson?: boolean,
-    sessionByFileUpload?: Session
-  ): Promise<ExecuteReturnRaw | ExecuteReturnJson> {
-    const sessionController = getSessionController()
+  async executeProgram({
+    program,
+    preProgramVariables,
+    vars,
+    otherArgs,
+    returnJson,
+    session: sessionByFileUpload,
+    runTime
+  }: ExecuteProgramParams): Promise<ExecuteReturnRaw | ExecuteReturnJson> {
+    const sessionController = getSessionController(runTime)

    const session =
      sessionByFileUpload ?? (await sessionController.getSession())
@@ -83,78 +90,18 @@ export class ExecutionController {
      preProgramVariables?.httpHeaders.join('\n') ?? ''
    )

-    const varStatments = Object.keys(vars).reduce(
-      (computed: string, key: string) =>
-        `${computed}%let ${key}=${vars[key]};\n`,
-      ''
+    await processProgram(
+      program,
+      preProgramVariables,
+      vars,
+      session,
+      weboutPath,
+      tokenFile,
+      runTime,
+      logPath,
+      otherArgs
    )

-    const preProgramVarStatments = `
-%let _sasjs_tokenfile=${tokenFile};
-%let _sasjs_username=${preProgramVariables?.username};
-%let _sasjs_userid=${preProgramVariables?.userId};
-%let _sasjs_displayname=${preProgramVariables?.displayName};
-%let _sasjs_apiserverurl=${preProgramVariables?.serverUrl};
-%let _sasjs_apipath=/SASjsApi/stp/execute;
-%let _metaperson=&_sasjs_displayname;
-%let _metauser=&_sasjs_username;
-%let sasjsprocessmode=Stored Program;
-%let sasjs_stpsrv_header_loc=%sysfunc(pathname(work))/../stpsrv_header.txt;
-
-%global SYSPROCESSMODE SYSTCPIPHOSTNAME SYSHOSTINFOLONG;
-%macro _sasjs_server_init();
-  %if "&SYSPROCESSMODE"="" %then %let SYSPROCESSMODE=&sasjsprocessmode;
-  %if "&SYSTCPIPHOSTNAME"="" %then %let SYSTCPIPHOSTNAME=&_sasjs_apiserverurl;
-%mend;
-%_sasjs_server_init()
-`
-
-    program = `
-options insert=(SASAUTOS="${getMacrosFolder()}");
-
-/* runtime vars */
-${varStatments}
-filename _webout "${weboutPath}" mod;
-
-/* dynamic user-provided vars */
-${preProgramVarStatments}
-
-/* user auto exec starts */
-${otherArgs?.userAutoExec}
-/* user auto exec ends */
-
-/* actual job code */
-${program}`
-
-    // if no files are uploaded filesNamesMap will be undefined
-    if (otherArgs?.filesNamesMap) {
-      const uploadSasCode = await generateFileUploadSasCode(
-        otherArgs.filesNamesMap,
-        session.path
-      )
-
-      //If sas code for the file is generated it will be appended to the top of sasCode
-      if (uploadSasCode.length > 0) {
-        program = `${uploadSasCode}` + program
-      }
-    }
-
-    const codePath = path.join(session.path, 'code.sas')
-
-    // Creating this file in a RUNNING session will break out
-    // the autoexec loop and actually execute the program
-    // but - given it will take several milliseconds to create
-    // (which can mean SAS trying to run a partial program, or
-    // failing due to file lock) we first create the file THEN
-    // we rename it.
-    await createFile(codePath + '.bkp', program)
-    await moveFile(codePath + '.bkp', codePath)
-
-    // we now need to poll the session status
-    while (!session.completed) {
-      await delay(50)
-    }
-
    const log = (await fileExists(logPath)) ? await readFile(logPath) : ''
    const headersContent = (await fileExists(headersPath))
      ? await readFile(headersPath)
@@ -228,5 +175,3 @@ ${program}`
    return root
  }
 }
-
-const delay = (ms: number) => new Promise((resolve) => setTimeout(resolve, ms))
--- a/api/src/controllers/internal/FileUploadController.ts
+++ b/api/src/controllers/internal/FileUploadController.ts
@@ -2,12 +2,17 @@ import { Request, RequestHandler } from 'express'
 import multer from 'multer'
 import { uuidv4 } from '@sasjs/utils'
 import { getSessionController } from '.'
+import {
+  executeProgramRawValidation,
+  getRunTimeAndFilePath,
+  RunTimeType
+} from '../../utils'

 export class FileUploadController {
  private storage = multer.diskStorage({
    destination: function (req: Request, file: any, cb: any) {
      //Sending the intercepted files to the sessions subfolder
-      cb(null, req.sasSession?.path)
+      cb(null, req.sasjsSession?.path)
    },
    filename: function (req: Request, file: any, cb: any) {
      //req_file prefix + unique hash added to sas request files
@@ -20,15 +25,42 @@ export class FileUploadController {
  //It will intercept request and generate unique uuid to be used as a subfolder name
  //that will store the files uploaded
  public preUploadMiddleware: RequestHandler = async (req, res, next) => {
-    let session
+    const { error: errQ, value: query } = executeProgramRawValidation(req.query)
+    const { error: errB, value: body } = executeProgramRawValidation(req.body)

-    const sessionController = getSessionController()
-    session = await sessionController.getSession()
+    if (errQ && errB) return res.status(400).send(errB.details[0].message)
+
+    const programPath = (query?._program ?? body?._program) as string
+
+    let runTime
+
+    try {
+      ;({ runTime } = await getRunTimeAndFilePath(programPath))
+    } catch (err: any) {
+      return res.status(400).send({
+        status: 'failure',
+        message: 'Job execution failed',
+        error: typeof err === 'object' ? err.toString() : err
+      })
+    }
+
+    let sessionController
+    try {
+      sessionController = getSessionController(runTime)
+    } catch (err: any) {
+      return res.status(400).send({
+        status: 'failure',
+        message: err.message,
+        error: typeof err === 'object' ? err.toString() : err
+      })
+    }
+
+    const session = await sessionController.getSession()
    // marking consumed true, so that it's not available
    // as readySession for any other request
    session.consumed = true

-    req.sasSession = session
+    req.sasjsSession = session

    next()
  }
--- a/api/src/controllers/internal/Session.ts
+++ b/api/src/controllers/internal/Session.ts
@@ -5,24 +5,28 @@ import { execFile } from 'child_process'
 import {
  getSessionsFolder,
  generateUniqueFileName,
-  sysInitCompiledPath
+  sysInitCompiledPath,
+  RunTimeType
 } from '../../utils'
 import {
  deleteFolder,
  createFile,
  fileExists,
  generateTimestamp,
-  readFile
+  readFile,
+  isWindows
 } from '@sasjs/utils'

 const execFilePromise = promisify(execFile)

-export class SessionController {
-  private sessions: Session[] = []
+abstract class SessionController {
+  protected sessions: Session[] = []

-  private getReadySessions = (): Session[] =>
+  protected getReadySessions = (): Session[] =>
    this.sessions.filter((sess: Session) => sess.ready && !sess.consumed)

+  protected abstract createSession(): Promise<Session>
+
  public async getSession() {
    const readySessions = this.getReadySessions()

@@ -34,8 +38,10 @@ export class SessionController {

    return session
  }
+}

-  private async createSession(): Promise<Session> {
+export class SASSessionController extends SessionController {
+  protected async createSession(): Promise<Session> {
    const sessionId = generateUniqueFileName(generateTimestamp())
    const sessionFolder = path.join(getSessionsFolder(), sessionId)

@@ -82,7 +88,9 @@ ${autoExecContent}`
    // however we also need a promise so that we can update the
    // session array to say that it has (eventually) finished.

-    execFilePromise(process.sasLoc, [
+    // Additional windows specific options to avoid the desktop popups.
+
+    execFilePromise(process.sasLoc!, [
      '-SYSIN',
      codePath,
      '-LOG',
@@ -93,7 +101,9 @@ ${autoExecContent}`
      session.path,
      '-AUTOEXEC',
      autoExecPath,
-      process.platform === 'win32' ? '-nosplash' : ''
+      process.sasLoc!.endsWith('sas.exe') ? '-nosplash' : '',
+      process.sasLoc!.endsWith('sas.exe') ? '-icon' : '',
+      isWindows() ? '-nologo' : ''
    ])
      .then(() => {
        session.completed = true
@@ -152,12 +162,66 @@ ${autoExecContent}`
  }
 }

-export const getSessionController = (): SessionController => {
-  if (process.sessionController) return process.sessionController
+export class JSSessionController extends SessionController {
+  protected async createSession(): Promise<Session> {
+    const sessionId = generateUniqueFileName(generateTimestamp())
+    const sessionFolder = path.join(getSessionsFolder(), sessionId)

-  process.sessionController = new SessionController()
+    const creationTimeStamp = sessionId.split('-').pop() as string
+    // death time of session is 15 mins from creation
+    const deathTimeStamp = (
+      parseInt(creationTimeStamp) +
+      15 * 60 * 1000 -
+      1000
+    ).toString()

-  return process.sessionController
+    const session: Session = {
+      id: sessionId,
+      ready: true,
+      inUse: true,
+      consumed: false,
+      completed: false,
+      creationTimeStamp,
+      deathTimeStamp,
+      path: sessionFolder
+    }
+
+    const headersPath = path.join(session.path, 'stpsrv_header.txt')
+    await createFile(headersPath, 'Content-type: application/json')
+
+    this.sessions.push(session)
+    return session
+  }
+}
+
+export const getSessionController = (
+  runTime: RunTimeType
+): SASSessionController | JSSessionController => {
+  if (runTime === RunTimeType.SAS) {
+    return getSASSessionController()
+  }
+
+  if (runTime === RunTimeType.JS) {
+    return getJSSessionController()
+  }
+
+  throw new Error('No Runtime is configured')
+}
+
+const getSASSessionController = (): SASSessionController => {
+  if (process.sasSessionController) return process.sasSessionController
+
+  process.sasSessionController = new SASSessionController()
+
+  return process.sasSessionController
+}
+
+const getJSSessionController = (): JSSessionController => {
+  if (process.jsSessionController) return process.jsSessionController
+
+  process.jsSessionController = new JSSessionController()
+
+  return process.jsSessionController
 }

 const autoExecContent = `
--- a/api/src/controllers/internal/createJSProgram.ts
+++ b/api/src/controllers/internal/createJSProgram.ts
@@ -0,0 +1,69 @@
+import { isWindows } from '@sasjs/utils'
+import { PreProgramVars, Session } from '../../types'
+import { generateFileUploadJSCode } from '../../utils'
+import { ExecutionVars } from './'
+
+export const createJSProgram = async (
+  program: string,
+  preProgramVariables: PreProgramVars,
+  vars: ExecutionVars,
+  session: Session,
+  weboutPath: string,
+  tokenFile: string,
+  otherArgs?: any
+) => {
+  const varStatments = Object.keys(vars).reduce(
+    (computed: string, key: string) =>
+      `${computed}const ${key} = '${vars[key]}';\n`,
+    ''
+  )
+
+  const preProgramVarStatments = `
+let _webout = '';
+const weboutPath = '${
+    isWindows() ? weboutPath.replace(/\\/g, '\\\\') : weboutPath
+  }'; 
+const _sasjs_tokenfile = '${
+    isWindows() ? tokenFile.replace(/\\/g, '\\\\') : tokenFile
+  }';
+const _sasjs_username = '${preProgramVariables?.username}';
+const _sasjs_userid = '${preProgramVariables?.userId}';
+const _sasjs_displayname = '${preProgramVariables?.displayName}';
+const _metaperson = _sasjs_displayname;
+const _metauser = _sasjs_username;
+const sasjsprocessmode = 'Stored Program';
+`
+
+  const requiredModules = `const fs = require('fs')`
+
+  program = `
+/* runtime vars */
+${varStatments}
+
+/* dynamic user-provided vars */
+${preProgramVarStatments}
+
+/* actual job code */
+${program}
+
+/* write webout file only if webout exists*/
+if (_webout) {
+  fs.writeFile(weboutPath, _webout, function (err) {
+    if (err) throw err;
+  })
+}
+`
+  // if no files are uploaded filesNamesMap will be undefined
+  if (otherArgs?.filesNamesMap) {
+    const uploadJSCode = await generateFileUploadJSCode(
+      otherArgs.filesNamesMap,
+      session.path
+    )
+
+    //If js code for the file is generated it will be appended to the top of jsCode
+    if (uploadJSCode.length > 0) {
+      program = `${uploadJSCode}\n` + program
+    }
+  }
+  return requiredModules + program
+}
--- a/api/src/controllers/internal/createSASProgram.ts
+++ b/api/src/controllers/internal/createSASProgram.ts
@@ -0,0 +1,69 @@
+import { PreProgramVars, Session } from '../../types'
+import { generateFileUploadSasCode, getMacrosFolder } from '../../utils'
+import { ExecutionVars } from './'
+
+export const createSASProgram = async (
+  program: string,
+  preProgramVariables: PreProgramVars,
+  vars: ExecutionVars,
+  session: Session,
+  weboutPath: string,
+  tokenFile: string,
+  otherArgs?: any
+) => {
+  const varStatments = Object.keys(vars).reduce(
+    (computed: string, key: string) => `${computed}%let ${key}=${vars[key]};\n`,
+    ''
+  )
+
+  const preProgramVarStatments = `
+%let _sasjs_tokenfile=${tokenFile};
+%let _sasjs_username=${preProgramVariables?.username};
+%let _sasjs_userid=${preProgramVariables?.userId};
+%let _sasjs_displayname=${preProgramVariables?.displayName};
+%let _sasjs_apiserverurl=${preProgramVariables?.serverUrl};
+%let _sasjs_apipath=/SASjsApi/stp/execute;
+%let _metaperson=&_sasjs_displayname;
+%let _metauser=&_sasjs_username;
+%let sasjsprocessmode=Stored Program;
+%let sasjs_stpsrv_header_loc=%sysfunc(pathname(work))/../stpsrv_header.txt;
+
+%global SYSPROCESSMODE SYSTCPIPHOSTNAME SYSHOSTINFOLONG;
+%macro _sasjs_server_init();
+%if "&SYSPROCESSMODE"="" %then %let SYSPROCESSMODE=&sasjsprocessmode;
+%if "&SYSTCPIPHOSTNAME"="" %then %let SYSTCPIPHOSTNAME=&_sasjs_apiserverurl;
+%mend;
+%_sasjs_server_init()
+`
+
+  program = `
+options insert=(SASAUTOS="${getMacrosFolder()}");
+
+/* runtime vars */
+${varStatments}
+filename _webout "${weboutPath}" mod;
+
+/* dynamic user-provided vars */
+${preProgramVarStatments}
+
+/* user autoexec starts */
+${otherArgs?.userAutoExec ?? ''}
+/* user autoexec ends */
+
+/* actual job code */
+${program}`
+
+  // if no files are uploaded filesNamesMap will be undefined
+  if (otherArgs?.filesNamesMap) {
+    const uploadSasCode = await generateFileUploadSasCode(
+      otherArgs.filesNamesMap,
+      session.path
+    )
+
+    //If sas code for the file is generated it will be appended to the top of sasCode
+    if (uploadSasCode.length > 0) {
+      program = `${uploadSasCode}` + program
+    }
+  }
+  return program
+}
--- a/api/src/controllers/internal/index.ts
+++ b/api/src/controllers/internal/index.ts
@@ -2,3 +2,6 @@ export * from './deploy'
 export * from './Session'
 export * from './Execution'
 export * from './FileUploadController'
+export * from './createSASProgram'
+export * from './createJSProgram'
+export * from './processProgram'
--- a/api/src/controllers/internal/processProgram.ts
+++ b/api/src/controllers/internal/processProgram.ts
@@ -0,0 +1,86 @@
+import path from 'path'
+import fs from 'fs'
+import { execFileSync } from 'child_process'
+import { once } from 'stream'
+import { createFile, moveFile } from '@sasjs/utils'
+import { PreProgramVars, Session } from '../../types'
+import { RunTimeType } from '../../utils'
+import { ExecutionVars, createSASProgram, createJSProgram } from './'
+
+export const processProgram = async (
+  program: string,
+  preProgramVariables: PreProgramVars,
+  vars: ExecutionVars,
+  session: Session,
+  weboutPath: string,
+  tokenFile: string,
+  runTime: RunTimeType,
+  logPath: string,
+  otherArgs?: any
+) => {
+  if (runTime === RunTimeType.JS) {
+    program = await createJSProgram(
+      program,
+      preProgramVariables,
+      vars,
+      session,
+      weboutPath,
+      tokenFile,
+      otherArgs
+    )
+
+    const codePath = path.join(session.path, 'code.js')
+
+    try {
+      await createFile(codePath, program)
+
+      // create a stream that will write to console outputs to log file
+      const writeStream = fs.createWriteStream(logPath)
+
+      // waiting for the open event so that we can have underlying file descriptor
+      await once(writeStream, 'open')
+
+      execFileSync(process.nodeLoc!, [codePath], {
+        stdio: ['ignore', writeStream, writeStream]
+      })
+
+      // copy the code.js program to log and end write stream
+      writeStream.end(program)
+
+      session.completed = true
+      console.log('session completed', session)
+    } catch (err: any) {
+      session.completed = true
+      session.crashed = err.toString()
+      console.log('session crashed', session.id, session.crashed)
+    }
+  } else {
+    program = await createSASProgram(
+      program,
+      preProgramVariables,
+      vars,
+      session,
+      weboutPath,
+      tokenFile,
+      otherArgs
+    )
+
+    const codePath = path.join(session.path, 'code.sas')
+
+    // Creating this file in a RUNNING session will break out
+    // the autoexec loop and actually execute the program
+    // but - given it will take several milliseconds to create
+    // (which can mean SAS trying to run a partial program, or
+    // failing due to file lock) we first create the file THEN
+    // we rename it.
+    await createFile(codePath + '.bkp', program)
+    await moveFile(codePath + '.bkp', codePath)
+
+    // we now need to poll the session status
+    while (!session.completed) {
+      await delay(50)
+    }
+  }
+}
+
+const delay = (ms: number) => new Promise((resolve) => setTimeout(resolve, ms))
--- a/api/src/controllers/permission.ts
+++ b/api/src/controllers/permission.ts
@@ -0,0 +1,331 @@
+import {
+  Security,
+  Route,
+  Tags,
+  Path,
+  Example,
+  Get,
+  Post,
+  Patch,
+  Delete,
+  Body
+} from 'tsoa'
+
+import Permission from '../model/Permission'
+import User from '../model/User'
+import Group from '../model/Group'
+import { UserResponse } from './user'
+import { GroupDetailsResponse } from './group'
+
+export enum PrincipalType {
+  user = 'user',
+  group = 'group'
+}
+
+export enum PermissionSetting {
+  grant = 'Grant',
+  deny = 'Deny'
+}
+
+interface RegisterPermissionPayload {
+  /**
+   * Name of affected resource
+   * @example "/SASjsApi/code/execute"
+   */
+  uri: string
+  /**
+   * The indication of whether (and to what extent) access is provided
+   * @example "Grant"
+   */
+  setting: PermissionSetting
+  /**
+   * Indicates the type of principal
+   * @example "user"
+   */
+  principalType: PrincipalType
+  /**
+   * The id of user or group to which a rule is assigned.
+   * @example 123
+   */
+  principalId: number
+}
+
+interface UpdatePermissionPayload {
+  /**
+   * The indication of whether (and to what extent) access is provided
+   * @example "Grant"
+   */
+  setting: PermissionSetting
+}
+
+export interface PermissionDetailsResponse {
+  permissionId: number
+  uri: string
+  setting: string
+  user?: UserResponse
+  group?: GroupDetailsResponse
+}
+
+@Security('bearerAuth')
+@Route('SASjsApi/permission')
+@Tags('Permission')
+export class PermissionController {
+  /**
+   * @summary Get list of all permissions (uri, setting and userDetail).
+   *
+   */
+  @Example<PermissionDetailsResponse[]>([
+    {
+      permissionId: 123,
+      uri: '/SASjsApi/code/execute',
+      setting: 'Grant',
+      user: {
+        id: 1,
+        username: 'johnSnow01',
+        displayName: 'John Snow',
+        isAdmin: false
+      }
+    },
+    {
+      permissionId: 124,
+      uri: '/SASjsApi/code/execute',
+      setting: 'Grant',
+      group: {
+        groupId: 1,
+        name: 'DCGroup',
+        description: 'This group represents Data Controller Users',
+        isActive: true,
+        users: []
+      }
+    }
+  ])
+  @Get('/')
+  public async getAllPermissions(): Promise<PermissionDetailsResponse[]> {
+    return getAllPermissions()
+  }
+
+  /**
+   * @summary Create a new permission. Admin only.
+   *
+   */
+  @Example<PermissionDetailsResponse>({
+    permissionId: 123,
+    uri: '/SASjsApi/code/execute',
+    setting: 'Grant',
+    user: {
+      id: 1,
+      username: 'johnSnow01',
+      displayName: 'John Snow',
+      isAdmin: false
+    }
+  })
+  @Post('/')
+  public async createPermission(
+    @Body() body: RegisterPermissionPayload
+  ): Promise<PermissionDetailsResponse> {
+    return createPermission(body)
+  }
+
+  /**
+   * @summary Update permission setting. Admin only
+   * @param permissionId The permission's identifier
+   * @example permissionId 1234
+   */
+  @Example<PermissionDetailsResponse>({
+    permissionId: 123,
+    uri: '/SASjsApi/code/execute',
+    setting: 'Grant',
+    user: {
+      id: 1,
+      username: 'johnSnow01',
+      displayName: 'John Snow',
+      isAdmin: false
+    }
+  })
+  @Patch('{permissionId}')
+  public async updatePermission(
+    @Path() permissionId: number,
+    @Body() body: UpdatePermissionPayload
+  ): Promise<PermissionDetailsResponse> {
+    return updatePermission(permissionId, body)
+  }
+
+  /**
+   * @summary Delete a permission. Admin only.
+   * @param permissionId The user's identifier
+   * @example permissionId 1234
+   */
+  @Delete('{permissionId}')
+  public async deletePermission(@Path() permissionId: number) {
+    return deletePermission(permissionId)
+  }
+}
+
+const getAllPermissions = async (): Promise<PermissionDetailsResponse[]> =>
+  (await Permission.find({})
+    .select({
+      _id: 0,
+      permissionId: 1,
+      uri: 1,
+      setting: 1
+    })
+    .populate({ path: 'user', select: 'id username displayName isAdmin -_id' })
+    .populate({
+      path: 'group',
+      select: 'groupId name description -_id',
+      populate: {
+        path: 'users',
+        select: 'id username displayName isAdmin -_id',
+        options: { limit: 15 }
+      }
+    })) as unknown as PermissionDetailsResponse[]
+
+const createPermission = async ({
+  uri,
+  setting,
+  principalType,
+  principalId
+}: RegisterPermissionPayload): Promise<PermissionDetailsResponse> => {
+  const permission = new Permission({
+    uri,
+    setting
+  })
+
+  let user: UserResponse | undefined
+  let group: GroupDetailsResponse | undefined
+
+  switch (principalType) {
+    case PrincipalType.user: {
+      const userInDB = await User.findOne({ id: principalId })
+      if (!userInDB)
+        throw {
+          code: 404,
+          status: 'Not Found',
+          message: 'User not found.'
+        }
+
+      if (userInDB.isAdmin)
+        throw {
+          code: 400,
+          status: 'Bad Request',
+          message: 'Can not add permission for admin user.'
+        }
+
+      const alreadyExists = await Permission.findOne({
+        uri,
+        user: userInDB._id
+      })
+
+      if (alreadyExists)
+        throw {
+          code: 409,
+          status: 'Conflict',
+          message: 'Permission already exists with provided URI and User.'
+        }
+
+      permission.user = userInDB._id
+
+      user = {
+        id: userInDB.id,
+        username: userInDB.username,
+        displayName: userInDB.displayName,
+        isAdmin: userInDB.isAdmin
+      }
+      break
+    }
+    case PrincipalType.group: {
+      const groupInDB = await Group.findOne({ groupId: principalId })
+      if (!groupInDB)
+        throw {
+          code: 404,
+          status: 'Not Found',
+          message: 'Group not found.'
+        }
+
+      const alreadyExists = await Permission.findOne({
+        uri,
+        group: groupInDB._id
+      })
+      if (alreadyExists)
+        throw {
+          code: 409,
+          status: 'Conflict',
+          message: 'Permission already exists with provided URI and Group.'
+        }
+
+      permission.group = groupInDB._id
+
+      group = {
+        groupId: groupInDB.groupId,
+        name: groupInDB.name,
+        description: groupInDB.description,
+        isActive: groupInDB.isActive,
+        users: groupInDB.populate({
+          path: 'users',
+          select: 'id username displayName isAdmin -_id',
+          options: { limit: 15 }
+        }) as unknown as UserResponse[]
+      }
+      break
+    }
+    default:
+      throw {
+        code: 400,
+        status: 'Bad Request',
+        message: 'Invalid principal type. Valid types are user or group.'
+      }
+  }
+
+  const savedPermission = await permission.save()
+
+  return {
+    permissionId: savedPermission.permissionId,
+    uri: savedPermission.uri,
+    setting: savedPermission.setting,
+    user,
+    group
+  }
+}
+
+const updatePermission = async (
+  id: number,
+  data: UpdatePermissionPayload
+): Promise<PermissionDetailsResponse> => {
+  const { setting } = data
+
+  const updatedPermission = (await Permission.findOneAndUpdate(
+    { permissionId: id },
+    { setting },
+    { new: true }
+  )
+    .select({
+      _id: 0,
+      permissionId: 1,
+      uri: 1,
+      setting: 1
+    })
+    .populate({ path: 'user', select: 'id username displayName isAdmin -_id' })
+    .populate({
+      path: 'group',
+      select: 'groupId name description -_id'
+    })) as unknown as PermissionDetailsResponse
+  if (!updatedPermission)
+    throw {
+      code: 404,
+      status: 'Not Found',
+      message: 'Permission not found.'
+    }
+
+  return updatedPermission
+}
+
+const deletePermission = async (id: number) => {
+  const permission = await Permission.findOne({ permissionId: id })
+  if (!permission)
+    throw {
+      code: 404,
+      status: 'Not Found',
+      message: 'Permission not found.'
+    }
+  await Permission.deleteOne({ permissionId: id })
+}
--- a/api/src/controllers/session.ts
+++ b/api/src/controllers/session.ts
@@ -13,7 +13,8 @@ export class SessionController {
  @Example<UserResponse>({
    id: 123,
    username: 'johnusername',
-    displayName: 'John'
+    displayName: 'John',
+    isAdmin: false
  })
  @Get('/')
  public async session(
@@ -26,5 +27,6 @@ export class SessionController {
 const session = (req: express.Request) => ({
  id: req.user!.userId,
  username: req.user!.username,
-  displayName: req.user!.displayName
+  displayName: req.user!.displayName,
+  isAdmin: req.user!.isAdmin
 })
--- a/api/src/controllers/stp.ts
+++ b/api/src/controllers/stp.ts
@@ -1,5 +1,4 @@
 import express from 'express'
-import path from 'path'
 import {
  Request,
  Security,
@@ -19,12 +18,12 @@ import {
 } from './internal'
 import {
  getPreProgramVariables,
-  getFilesFolder,
  HTTPHeaders,
  isDebugOn,
  LogLine,
  makeFilesNamesMap,
-  parseLogToArray
+  parseLogToArray,
+  getRunTimeAndFilePath
 } from '../utils'
 import { MulterFile } from '../types/Upload'

@@ -52,26 +51,15 @@ export interface ExecuteReturnJsonResponse {
@Tags('STP')
 export class STPController {
  /**
-   * Trigger a SAS program using it's location in the _program URL parameter.
-   * Enable debugging using the _debug URL parameter.  Setting _debug=131 will
-   * cause the log to be streamed in the output.
+   * Trigger a SAS or JS program using the _program URL parameter.
   *
-   * Additional URL parameters are turned into SAS macro variables.
+   * Accepts URL parameters and file uploads.  For more details, see docs:
   *
-   * Any files provided in the request body are placed into the SAS session with
-   * corresponding _WEBIN_XXX variables created.
+   * https://server.sasjs.io/storedprograms
   *
-   * The response headers can be adjusted using the mfs_httpheader() macro.  Any
-   * file type can be returned, including binary files such as zip or xls.
-   *
-   * If _debug is >= 131, response headers will contain Content-Type: 'text/plain'
-   *
-   * This behaviour differs for POST requests, in which case the response is
-   * always JSON.
-   *
-   * @summary Execute Stored Program, return raw _webout content.
-   * @param _program Location of SAS program
-   * @example _program "/Public/somefolder/some.file"
+   * @summary Execute a Stored Program, returns raw _webout content.
+   * @param _program Location of SAS or JS code
+   * @example _program "/Projects/myApp/some/program"
   */
  @Get('/execute')
  public async executeReturnRaw(
@@ -82,29 +70,22 @@ export class STPController {
  }

  /**
-   * Trigger a SAS program using it's location in the _program URL parameter.
-   * Enable debugging using the _debug URL parameter.  In any case, the log is
-   * always returned in the log object.
+   * Trigger a SAS or JS program using the _program URL parameter.
   *
-   * Additional URL parameters are turned into SAS macro variables.
+   * Accepts URL parameters and file uploads.  For more details, see docs:
   *
-   * Any files provided in the request body are placed into the SAS session with
-   * corresponding _WEBIN_XXX variables created.
+   * https://server.sasjs.io/storedprograms
   *
-   * The response will be a JSON object with the following root attributes: log,
-   * webout, headers.
+   * The response will be a JSON object with the following root attributes:
+   * log, webout, headers.
   *
-   * The webout will be a nested JSON object ONLY if the response-header
+   * The webout attribute will be nested JSON ONLY if the response-header
   * contains a content-type of application/json AND it is valid JSON.
   * Otherwise it will be a stringified version of the webout content.
   *
-   * Response headers from the mfs_httpheader macro are simply listed in the
-   * headers object, for POST requests they have no effect on the actual
-   * response header.
-   *
-   * @summary Execute Stored Program, return JSON
-   * @param _program Location of SAS program
-   * @example _program "/Public/somefolder/some.file"
+   * @summary Execute a Stored Program, return a JSON object
+   * @param _program Location of SAS or JS code
+   * @example _program "/Projects/myApp/some/program"
   */
  @Example<ExecuteReturnJsonResponse>({
    status: 'success',
@@ -131,18 +112,17 @@ const executeReturnRaw = async (
  _program: string
 ): Promise<string | Buffer> => {
  const query = req.query as ExecutionVars
-  const sasCodePath =
-    path
-      .join(getFilesFolder(), _program)
-      .replace(new RegExp('/', 'g'), path.sep) + '.sas'

  try {
+    const { codePath, runTime } = await getRunTimeAndFilePath(_program)
+
    const { result, httpHeaders } =
-      (await new ExecutionController().executeFile(
-        sasCodePath,
-        getPreProgramVariables(req),
-        query
-      )) as ExecuteReturnRaw
+      (await new ExecutionController().executeFile({
+        programPath: codePath,
+        preProgramVariables: getPreProgramVariables(req),
+        vars: query,
+        runTime
+      })) as ExecuteReturnRaw

    // Should over-ride response header for debug
    // on GET request to see entire log rendering on browser.
@@ -171,25 +151,23 @@ const executeReturnJson = async (
  req: express.Request,
  _program: string
 ): Promise<ExecuteReturnJsonResponse> => {
-  const sasCodePath =
-    path
-      .join(getFilesFolder(), _program)
-      .replace(new RegExp('/', 'g'), path.sep) + '.sas'
-
  const filesNamesMap = req.files?.length
    ? makeFilesNamesMap(req.files as MulterFile[])
    : null

  try {
+    const { codePath, runTime } = await getRunTimeAndFilePath(_program)
+
    const { webout, log, httpHeaders } =
-      (await new ExecutionController().executeFile(
-        sasCodePath,
-        getPreProgramVariables(req),
-        { ...req.query, ...req.body },
-        { filesNamesMap: filesNamesMap },
-        true,
-        req.sasSession
-      )) as ExecuteReturnJson
+      (await new ExecutionController().executeFile({
+        programPath: codePath,
+        preProgramVariables: getPreProgramVariables(req),
+        vars: { ...req.query, ...req.body },
+        otherArgs: { filesNamesMap: filesNamesMap },
+        returnJson: true,
+        session: req.sasjsSession,
+        runTime
+      })) as ExecuteReturnJson

    let weboutRes: string | IRecordOfAny = webout
    if (httpHeaders['content-type']?.toLowerCase() === 'application/json') {
--- a/api/src/controllers/user.ts
+++ b/api/src/controllers/user.ts
@@ -14,22 +14,27 @@ import {
  Hidden,
  Request
 } from 'tsoa'
+import { desktopUser } from '../middlewares'

 import User, { UserPayload } from '../model/User'
+import { getUserAutoExec, updateUserAutoExec, ModeType } from '../utils'
+import { GroupResponse } from './group'

 export interface UserResponse {
  id: number
  username: string
  displayName: string
+  isAdmin: boolean
 }

-interface UserDetailsResponse {
+export interface UserDetailsResponse {
  id: number
  displayName: string
  username: string
  isActive: boolean
  isAdmin: boolean
  autoExec?: string
+  groups?: GroupResponse[]
 }

@Security('bearerAuth')
@@ -44,12 +49,14 @@ export class UserController {
    {
      id: 123,
      username: 'johnusername',
-      displayName: 'John'
+      displayName: 'John',
+      isAdmin: false
    },
    {
      id: 456,
      username: 'starkusername',
-      displayName: 'Stark'
+      displayName: 'Stark',
+      isAdmin: true
    }
  ])
  @Get('/')
@@ -75,6 +82,26 @@ export class UserController {
    return createUser(body)
  }

+  /**
+   * Only Admin or user itself will get user autoExec code.
+   * @summary Get user properties - such as group memberships, userName, displayName.
+   * @param username The User's username
+   * @example username "johnSnow01"
+   */
+  @Get('by/username/{username}')
+  public async getUserByUsername(
+    @Request() req: express.Request,
+    @Path() username: string
+  ): Promise<UserDetailsResponse> {
+    const { MODE } = process.env
+
+    if (MODE === ModeType.Desktop) return getDesktopAutoExec()
+
+    const { user } = req
+    const getAutoExec = user!.isAdmin || user!.username == username
+    return getUser({ username }, getAutoExec)
+  }
+
  /**
   * Only Admin or user itself will get user autoExec code.
   * @summary Get user properties - such as group memberships, userName, displayName.
@@ -86,9 +113,38 @@ export class UserController {
    @Request() req: express.Request,
    @Path() userId: number
  ): Promise<UserDetailsResponse> {
+    const { MODE } = process.env
+
+    if (MODE === ModeType.Desktop) return getDesktopAutoExec()
+
    const { user } = req
    const getAutoExec = user!.isAdmin || user!.userId == userId
-    return getUser(userId, getAutoExec)
+    return getUser({ id: userId }, getAutoExec)
+  }
+
+  /**
+   * @summary Update user properties - such as displayName. Can be performed either by admins, or the user in question.
+   * @param username The User's username
+   * @example username "johnSnow01"
+   */
+  @Example<UserDetailsResponse>({
+    id: 1234,
+    displayName: 'John Snow',
+    username: 'johnSnow01',
+    isAdmin: false,
+    isActive: true
+  })
+  @Patch('by/username/{username}')
+  public async updateUserByUsername(
+    @Path() username: string,
+    @Body() body: UserPayload
+  ): Promise<UserDetailsResponse> {
+    const { MODE } = process.env
+
+    if (MODE === ModeType.Desktop)
+      return updateDesktopAutoExec(body.autoExec ?? '')
+
+    return updateUser({ username }, body)
  }

  /**
@@ -108,7 +164,26 @@ export class UserController {
    @Path() userId: number,
    @Body() body: UserPayload
  ): Promise<UserDetailsResponse> {
-    return updateUser(userId, body)
+    const { MODE } = process.env
+
+    if (MODE === ModeType.Desktop)
+      return updateDesktopAutoExec(body.autoExec ?? '')
+
+    return updateUser({ id: userId }, body)
+  }
+
+  /**
+   * @summary Delete a user. Can be performed either by admins, or the user in question.
+   * @param username The User's username
+   * @example username "johnSnow01"
+   */
+  @Delete('by/username/{username}')
+  public async deleteUserByUsername(
+    @Path() username: string,
+    @Body() body: { password?: string },
+    @Query() @Hidden() isAdmin: boolean = false
+  ) {
+    return deleteUser({ username }, isAdmin, body)
  }

  /**
@@ -122,13 +197,13 @@ export class UserController {
    @Body() body: { password?: string },
    @Query() @Hidden() isAdmin: boolean = false
  ) {
-    return deleteUser(userId, isAdmin, body)
+    return deleteUser({ id: userId }, isAdmin, body)
  }
 }

 const getAllUsers = async (): Promise<UserResponse[]> =>
  await User.find({})
-    .select({ _id: 0, id: 1, username: 1, displayName: 1 })
+    .select({ _id: 0, id: 1, username: 1, displayName: 1, isAdmin: 1 })
    .exec()

 const createUser = async (data: UserPayload): Promise<UserDetailsResponse> => {
@@ -163,11 +238,22 @@ const createUser = async (data: UserPayload): Promise<UserDetailsResponse> => {
  }
 }

+interface GetUserBy {
+  id?: number
+  username?: string
+}
+
 const getUser = async (
-  id: number,
+  findBy: GetUserBy,
  getAutoExec: boolean
 ): Promise<UserDetailsResponse> => {
-  const user = await User.findOne({ id })
+  const user = (await User.findOne(
+    findBy,
+    `id displayName username isActive isAdmin autoExec -_id`
+  ).populate(
+    'groups',
+    'groupId name description -_id'
+  )) as unknown as UserDetailsResponse

  if (!user) throw new Error('User is not found.')

@@ -177,12 +263,21 @@ const getUser = async (
    username: user.username,
    isActive: user.isActive,
    isAdmin: user.isAdmin,
-    autoExec: getAutoExec ? user.autoExec : undefined
+    autoExec: getAutoExec ? user.autoExec ?? '' : undefined,
+    groups: user.groups
+  }
+}
+
+const getDesktopAutoExec = async () => {
+  return {
+    ...desktopUser,
+    id: desktopUser.userId,
+    autoExec: await getUserAutoExec()
  }
 }

 const updateUser = async (
-  id: number,
+  findBy: GetUserBy,
  data: Partial<UserPayload>
 ): Promise<UserDetailsResponse> => {
  const { displayName, username, password, isAdmin, isActive, autoExec } = data
@@ -192,8 +287,13 @@ const updateUser = async (
  if (username) {
    // Checking if user is already in the database
    const usernameExist = await User.findOne({ username })
-    if (usernameExist && usernameExist.id != id)
-      throw new Error('Username already exists.')
+    if (usernameExist) {
+      if (
+        (findBy.id && usernameExist.id != findBy.id) ||
+        (findBy.username && usernameExist.username != findBy.username)
+      )
+        throw new Error('Username already exists.')
+    }
    params.username = username
  }

@@ -202,9 +302,10 @@ const updateUser = async (
    params.password = User.hashPassword(password)
  }

-  const updatedUser = await User.findOneAndUpdate({ id }, params, { new: true })
+  const updatedUser = await User.findOneAndUpdate(findBy, params, { new: true })

-  if (!updatedUser) throw new Error(`Unable to find user with id: ${id}`)
+  if (!updatedUser)
+    throw new Error(`Unable to find user with ${findBy.id || findBy.username}`)

  return {
    id: updatedUser.id,
@@ -216,12 +317,21 @@ const updateUser = async (
  }
 }

+const updateDesktopAutoExec = async (autoExec: string) => {
+  await updateUserAutoExec(autoExec)
+  return {
+    ...desktopUser,
+    id: desktopUser.userId,
+    autoExec
+  }
+}
+
 const deleteUser = async (
-  id: number,
+  findBy: GetUserBy,
  isAdmin: boolean,
  { password }: { password?: string }
 ) => {
-  const user = await User.findOne({ id })
+  const user = await User.findOne(findBy)
  if (!user) throw new Error('User is not found.')

  if (!isAdmin) {
@@ -229,5 +339,5 @@ const deleteUser = async (
    if (!validPass) throw new Error('Invalid password.')
  }

-  await User.deleteOne({ id })
+  await User.deleteOne(findBy)
 }
--- a/api/src/controllers/web.ts
+++ b/api/src/controllers/web.ts
@@ -49,10 +49,10 @@ export class WebController {
  }

  /**
-   * @summary Accept a valid username/password
+   * @summary Destroy the session stored in cookies
   *
   */
-  @Get('/logout')
+  @Get('/SASLogon/logout')
  public async logout(@Request() req: express.Request) {
    return new Promise((resolve) => {
      req.session.destroy(() => {
@@ -97,8 +97,10 @@ const login = async (
  return {
    loggedIn: true,
    user: {
+      id: user.id,
      username: user.username,
-      displayName: user.displayName
+      displayName: user.displayName,
+      isAdmin: user.isAdmin
    }
  }
 }
--- a/api/src/middlewares/authenticateToken.ts
+++ b/api/src/middlewares/authenticateToken.ts
@@ -1,15 +1,32 @@
 import { RequestHandler, Request, Response, NextFunction } from 'express'
 import jwt from 'jsonwebtoken'
 import { csrfProtection } from '../app'
-import { fetchLatestAutoExec, verifyTokenInDB } from '../utils'
+import {
+  fetchLatestAutoExec,
+  ModeType,
+  verifyTokenInDB,
+  isAuthorizingRoute
+} from '../utils'
+import { desktopUser } from './desktop'
+import { authorize } from './authorize'

 export const authenticateAccessToken: RequestHandler = async (
  req,
  res,
  next
 ) => {
+  const { MODE } = process.env
+  if (MODE === ModeType.Desktop) {
+    req.user = desktopUser
+    return next()
+  }
+
+  const nextFunction = isAuthorizingRoute(req)
+    ? () => authorize(req, res, next)
+    : next
+
  // if request is coming from web and has valid session
-  // we can validate the request and check for CSRF Token
+  // it can be validated.
  if (req.session?.loggedIn) {
    if (req.session.user) {
      const user = await fetchLatestAutoExec(req.session.user)
@@ -17,7 +34,7 @@ export const authenticateAccessToken: RequestHandler = async (
      if (user) {
        if (user.isActive) {
          req.user = user
-          return csrfProtection(req, res, next)
+          return csrfProtection(req, res, nextFunction)
        } else return res.sendStatus(401)
      }
    }
@@ -27,8 +44,8 @@ export const authenticateAccessToken: RequestHandler = async (
  authenticateToken(
    req,
    res,
-    next,
-    process.env.ACCESS_TOKEN_SECRET as string,
+    nextFunction,
+    process.secrets.ACCESS_TOKEN_SECRET,
    'accessToken'
  )
 }
@@ -38,7 +55,7 @@ export const authenticateRefreshToken: RequestHandler = (req, res, next) => {
    req,
    res,
    next,
-    process.env.REFRESH_TOKEN_SECRET as string,
+    process.secrets.REFRESH_TOKEN_SECRET,
    'refreshToken'
  )
 }
@@ -51,7 +68,7 @@ const authenticateToken = (
  tokenType: 'accessToken' | 'refreshToken'
 ) => {
  const { MODE } = process.env
-  if (MODE?.trim() !== 'server') {
+  if (MODE === ModeType.Desktop) {
    req.user = {
      userId: 1234,
      clientId: 'desktopModeClientId',
--- a/api/src/middlewares/authorize.ts
+++ b/api/src/middlewares/authorize.ts
@@ -0,0 +1,36 @@
+import { RequestHandler } from 'express'
+import User from '../model/User'
+import Permission from '../model/Permission'
+import { PermissionSetting } from '../controllers/permission'
+import { getUri } from '../utils'
+
+export const authorize: RequestHandler = async (req, res, next) => {
+  const { user } = req
+
+  if (!user) {
+    return res.sendStatus(401)
+  }
+
+  // no need to check for permissions when user is admin
+  if (user.isAdmin) return next()
+
+  const dbUser = await User.findOne({ id: user.userId })
+  if (!dbUser) return res.sendStatus(401)
+
+  const uri = getUri(req)
+
+  // find permission w.r.t user
+  const permission = await Permission.findOne({ uri, user: dbUser._id })
+
+  if (permission) {
+    if (permission.setting === PermissionSetting.grant) return next()
+    else return res.sendStatus(401)
+  }
+
+  // find permission w.r.t user's groups
+  for (const group of dbUser.groups) {
+    const groupPermission = await Permission.findOne({ uri, group })
+    if (groupPermission?.setting === PermissionSetting.grant) return next()
+  }
+  return res.sendStatus(401)
+}
--- a/api/src/middlewares/desktop.ts
+++ b/api/src/middlewares/desktop.ts
@@ -1,20 +1,37 @@
-import { RequestHandler } from 'express'
+import { RequestHandler, Request } from 'express'
+import { userInfo } from 'os'
+import { RequestUser } from '../types'
+import { ModeType } from '../utils'
+
+const regexUser = /^\/SASjsApi\/user\/[0-9]*$/ // /SASjsApi/user/1
+
+const allowedInDesktopMode: { [key: string]: RegExp[] } = {
+  GET: [regexUser],
+  PATCH: [regexUser]
+}
+
+const reqAllowedInDesktopMode = (request: Request): boolean => {
+  const { method, originalUrl: url } = request
+
+  return !!allowedInDesktopMode[method]?.find((urlRegex) => urlRegex.test(url))
+}

 export const desktopRestrict: RequestHandler = (req, res, next) => {
  const { MODE } = process.env
-  if (MODE?.trim() !== 'server')
-    return res.status(403).send('Not Allowed while in Desktop Mode.')
+
+  if (MODE === ModeType.Desktop) {
+    if (!reqAllowedInDesktopMode(req))
+      return res.status(403).send('Not Allowed while in Desktop Mode.')
+  }

  next()
 }
-export const desktopUsername: RequestHandler = (req, res, next) => {
-  const { MODE } = process.env
-  if (MODE?.trim() !== 'server')
-    return res.status(200).send({
-      userId: 12345,
-      username: 'DESKTOPusername',
-      displayName: 'DESKTOP User'
-    })

-  next()
+export const desktopUser: RequestUser = {
+  userId: 12345,
+  clientId: 'desktop_app',
+  username: userInfo().username,
+  displayName: userInfo().username,
+  isAdmin: true,
+  isActive: true
 }
--- a/api/src/middlewares/index.ts
+++ b/api/src/middlewares/index.ts
@@ -2,3 +2,4 @@ export * from './authenticateToken'
 export * from './desktop'
 export * from './verifyAdmin'
 export * from './verifyAdminIfNeeded'
+export * from './authorize'
--- a/api/src/middlewares/verifyAdmin.ts
+++ b/api/src/middlewares/verifyAdmin.ts
@@ -1,8 +1,9 @@
 import { RequestHandler } from 'express'
+import { ModeType } from '../utils'

 export const verifyAdmin: RequestHandler = (req, res, next) => {
  const { MODE } = process.env
-  if (MODE?.trim() !== 'server') return next()
+  if (MODE === ModeType.Desktop) return next()

  const { user } = req
  if (!user?.isAdmin) return res.status(401).send('Admin account required')
--- a/api/src/middlewares/verifyAdminIfNeeded.ts
+++ b/api/src/middlewares/verifyAdminIfNeeded.ts
@@ -1,11 +1,22 @@
 import { RequestHandler } from 'express'

+// This middleware checks if a non-admin user trying to
+// access information of other user
 export const verifyAdminIfNeeded: RequestHandler = (req, res, next) => {
  const { user } = req
-  const userId = parseInt(req.params.userId)

-  if (!user?.isAdmin && user?.userId !== userId) {
-    return res.status(401).send('Admin account required')
+  if (!user?.isAdmin) {
+    let adminAccountRequired: boolean = true
+
+    if (req.params.userId) {
+      adminAccountRequired = user?.userId !== parseInt(req.params.userId)
+    } else if (req.params.username) {
+      adminAccountRequired = user?.username !== req.params.username
+    }
+
+    if (adminAccountRequired)
+      return res.status(401).send('Admin account required')
  }
+
  next()
 }
--- a/api/src/model/Configuration.ts
+++ b/api/src/model/Configuration.ts
@@ -0,0 +1,45 @@
+import mongoose, { Schema } from 'mongoose'
+
+export interface ConfigurationType {
+  /**
+   * SecretOrPrivateKey to sign Access Token
+   * @example "someRandomCryptoString"
+   */
+  ACCESS_TOKEN_SECRET: string
+  /**
+   * SecretOrPrivateKey to sign Refresh Token
+   * @example "someRandomCryptoString"
+   */
+  REFRESH_TOKEN_SECRET: string
+  /**
+   * SecretOrPrivateKey to sign Auth Code
+   * @example "someRandomCryptoString"
+   */
+  AUTH_CODE_SECRET: string
+  /**
+   * Secret used to sign the session cookie
+   * @example "someRandomCryptoString"
+   */
+  SESSION_SECRET: string
+}
+
+const ConfigurationSchema = new Schema<ConfigurationType>({
+  ACCESS_TOKEN_SECRET: {
+    type: String,
+    required: true
+  },
+  REFRESH_TOKEN_SECRET: {
+    type: String,
+    required: true
+  },
+  AUTH_CODE_SECRET: {
+    type: String,
+    required: true
+  },
+  SESSION_SECRET: {
+    type: String,
+    required: true
+  }
+})
+
+export default mongoose.model('Configuration', ConfigurationSchema)
--- a/api/src/model/Group.ts
+++ b/api/src/model/Group.ts
@@ -1,4 +1,6 @@
 import mongoose, { Schema, model, Document, Model } from 'mongoose'
+import { GroupDetailsResponse } from '../controllers'
+import User, { IUser } from './User'
 const AutoIncrement = require('mongoose-sequence')(mongoose)

 export interface GroupPayload {
@@ -26,15 +28,17 @@ interface IGroupDocument extends GroupPayload, Document {
 }

 interface IGroup extends IGroupDocument {
-  addUser(userObjectId: Schema.Types.ObjectId): Promise<IGroup>
-  removeUser(userObjectId: Schema.Types.ObjectId): Promise<IGroup>
+  addUser(user: IUser): Promise<GroupDetailsResponse>
+  removeUser(user: IUser): Promise<GroupDetailsResponse>
+  hasUser(user: IUser): boolean
 }
 interface IGroupModel extends Model<IGroup> {}

 const groupSchema = new Schema<IGroupDocument>({
  name: {
    type: String,
-    required: true
+    required: true,
+    unique: true
  },
  description: {
    type: String,
@@ -46,6 +50,7 @@ const groupSchema = new Schema<IGroupDocument>({
  },
  users: [{ type: Schema.Types.ObjectId, ref: 'User' }]
 })
+
 groupSchema.plugin(AutoIncrement, { inc_field: 'groupId' })

 // Hooks
@@ -55,29 +60,43 @@ groupSchema.post('save', function (group: IGroup, next: Function) {
  })
 })

+// pre remove hook to remove all references of group from users
+groupSchema.pre('remove', async function () {
+  const userIds = this.users
+  await Promise.all(
+    userIds.map(async (userId) => {
+      const user = await User.findById(userId)
+      user?.removeGroup(this._id)
+    })
+  )
+})
+
 // Instance Methods
-groupSchema.method(
-  'addUser',
-  async function (userObjectId: Schema.Types.ObjectId) {
-    const userIdIndex = this.users.indexOf(userObjectId)
-    if (userIdIndex === -1) {
-      this.users.push(userObjectId)
-    }
-    this.markModified('users')
-    return this.save()
+groupSchema.method('addUser', async function (user: IUser) {
+  const userObjectId = user._id
+  const userIdIndex = this.users.indexOf(userObjectId)
+  if (userIdIndex === -1) {
+    this.users.push(userObjectId)
+    user.addGroup(this._id)
  }
-)
-groupSchema.method(
-  'removeUser',
-  async function (userObjectId: Schema.Types.ObjectId) {
-    const userIdIndex = this.users.indexOf(userObjectId)
-    if (userIdIndex > -1) {
-      this.users.splice(userIdIndex, 1)
-    }
-    this.markModified('users')
-    return this.save()
+  this.markModified('users')
+  return this.save()
+})
+groupSchema.method('removeUser', async function (user: IUser) {
+  const userObjectId = user._id
+  const userIdIndex = this.users.indexOf(userObjectId)
+  if (userIdIndex > -1) {
+    this.users.splice(userIdIndex, 1)
+    user.removeGroup(this._id)
  }
-)
+  this.markModified('users')
+  return this.save()
+})
+groupSchema.method('hasUser', function (user: IUser) {
+  const userObjectId = user._id
+  const userIdIndex = this.users.indexOf(userObjectId)
+  return userIdIndex > -1
+})

 export const Group: IGroupModel = model<IGroup, IGroupModel>(
  'Group',
--- a/api/src/model/Permission.ts
+++ b/api/src/model/Permission.ts
@@ -0,0 +1,36 @@
+import mongoose, { Schema, model, Document, Model } from 'mongoose'
+const AutoIncrement = require('mongoose-sequence')(mongoose)
+
+interface IPermissionDocument extends Document {
+  uri: string
+  setting: string
+  permissionId: number
+  user: Schema.Types.ObjectId
+  group: Schema.Types.ObjectId
+}
+
+interface IPermission extends IPermissionDocument {}
+
+interface IPermissionModel extends Model<IPermission> {}
+
+const permissionSchema = new Schema<IPermissionDocument>({
+  uri: {
+    type: String,
+    required: true
+  },
+  setting: {
+    type: String,
+    required: true
+  },
+  user: { type: Schema.Types.ObjectId, ref: 'User' },
+  group: { type: Schema.Types.ObjectId, ref: 'Group' }
+})
+
+permissionSchema.plugin(AutoIncrement, { inc_field: 'permissionId' })
+
+export const Permission: IPermissionModel = model<
+  IPermission,
+  IPermissionModel
+>('Permission', permissionSchema)
+
+export default Permission
--- a/api/src/model/User.ts
+++ b/api/src/model/User.ts
@@ -29,12 +29,13 @@ export interface UserPayload {
  isActive?: boolean
  /**
   * User-specific auto-exec code
-   * @example "<SAS code>"
+   * @example ""
   */
  autoExec?: string
 }

 interface IUserDocument extends UserPayload, Document {
+  _id: Schema.Types.ObjectId
  id: number
  isAdmin: boolean
  isActive: boolean
@@ -43,8 +44,10 @@ interface IUserDocument extends UserPayload, Document {
  tokens: [{ [key: string]: string }]
 }

-interface IUser extends IUserDocument {
+export interface IUser extends IUserDocument {
  comparePassword(password: string): boolean
+  addGroup(groupObjectId: Schema.Types.ObjectId): Promise<IUser>
+  removeGroup(groupObjectId: Schema.Types.ObjectId): Promise<IUser>
 }
 interface IUserModel extends Model<IUser> {
  hashPassword(password: string): string
@@ -106,6 +109,28 @@ userSchema.method('comparePassword', function (password: string): boolean {
  if (bcrypt.compareSync(password, this.password)) return true
  return false
 })
+userSchema.method(
+  'addGroup',
+  async function (groupObjectId: Schema.Types.ObjectId) {
+    const groupIdIndex = this.groups.indexOf(groupObjectId)
+    if (groupIdIndex === -1) {
+      this.groups.push(groupObjectId)
+    }
+    this.markModified('groups')
+    return this.save()
+  }
+)
+userSchema.method(
+  'removeGroup',
+  async function (groupObjectId: Schema.Types.ObjectId) {
+    const groupIdIndex = this.groups.indexOf(groupObjectId)
+    if (groupIdIndex > -1) {
+      this.groups.splice(groupIdIndex, 1)
+    }
+    this.markModified('groups')
+    return this.save()
+  }
+)

 export const User: IUserModel = model<IUser, IUserModel>('User', userSchema)

--- a/api/src/routes/api/code.ts
+++ b/api/src/routes/api/code.ts
@@ -1,5 +1,5 @@
 import express from 'express'
-import { runSASValidation } from '../../utils'
+import { runCodeValidation } from '../../utils'
 import { CodeController } from '../../controllers/'

 const runRouter = express.Router()
@@ -7,11 +7,11 @@ const runRouter = express.Router()
 const controller = new CodeController()

 runRouter.post('/execute', async (req, res) => {
-  const { error, value: body } = runSASValidation(req.body)
+  const { error, value: body } = runCodeValidation(req.body)
  if (error) return res.status(400).send(error.details[0].message)

  try {
-    const response = await controller.executeSASCode(req, body)
+    const response = await controller.executeCode(req, body)

    if (response instanceof Buffer) {
      res.writeHead(200, (req as any).sasHeaders)
--- a/api/src/routes/api/drive.ts
+++ b/api/src/routes/api/drive.ts
@@ -7,9 +7,12 @@ import { multerSingle } from '../../middlewares/multer'
 import { DriveController } from '../../controllers/'
 import {
  deployValidation,
+  extractJSONFromZip,
+  extractName,
  fileBodyValidation,
  fileParamValidation,
-  folderParamValidation
+  folderParamValidation,
+  isZipFile
 } from '../../utils'

 const controller = new DriveController()
@@ -49,7 +52,24 @@ driveRouter.post(
  async (req, res) => {
    if (!req.file) return res.status(400).send('"file" is not present.')

-    const fileContent = await readFile(req.file.path)
+    let fileContent: string = ''
+
+    const { value: zipFile } = isZipFile(req.file)
+    if (zipFile) {
+      fileContent = await extractJSONFromZip(zipFile)
+      const fileInZip = extractName(zipFile.originalname)
+
+      if (!fileContent) {
+        deleteFile(req.file.path)
+        return res
+          .status(400)
+          .send(
+            `No content present in ${fileInZip} of compressed file ${zipFile.originalname}`
+          )
+      }
+    } else {
+      fileContent = await readFile(req.file.path)
+    }

    let jsonContent
    try {
--- a/api/src/routes/api/group.ts
+++ b/api/src/routes/api/group.ts
@@ -1,7 +1,7 @@
 import express from 'express'
 import { GroupController } from '../../controllers/'
 import { authenticateAccessToken, verifyAdmin } from '../../middlewares'
-import { registerGroupValidation } from '../../utils'
+import { getGroupValidation, registerGroupValidation } from '../../utils'

 const groupRouter = express.Router()

@@ -18,7 +18,11 @@ groupRouter.post(
      const response = await controller.createGroup(body)
      res.send(response)
    } catch (err: any) {
-      res.status(403).send(err.toString())
+      const statusCode = err.code
+
+      delete err.code
+
+      res.status(statusCode).send(err.message)
    }
  }
 )
@@ -29,7 +33,11 @@ groupRouter.get('/', authenticateAccessToken, async (req, res) => {
    const response = await controller.getAllGroups()
    res.send(response)
  } catch (err: any) {
-    res.status(403).send(err.toString())
+    const statusCode = err.code
+
+    delete err.code
+
+    res.status(statusCode).send(err.message)
  }
 })

@@ -41,10 +49,37 @@ groupRouter.get('/:groupId', authenticateAccessToken, async (req, res) => {
    const response = await controller.getGroup(parseInt(groupId))
    res.send(response)
  } catch (err: any) {
-    res.status(403).send(err.toString())
+    const statusCode = err.code
+
+    delete err.code
+
+    res.status(statusCode).send(err.message)
  }
 })

+groupRouter.get(
+  '/by/groupname/:name',
+  authenticateAccessToken,
+  async (req, res) => {
+    const { error, value: params } = getGroupValidation(req.params)
+    if (error) return res.status(400).send(error.details[0].message)
+
+    const { name } = params
+
+    const controller = new GroupController()
+    try {
+      const response = await controller.getGroupByGroupName(name)
+      res.send(response)
+    } catch (err: any) {
+      const statusCode = err.code
+
+      delete err.code
+
+      res.status(statusCode).send(err.message)
+    }
+  }
+)
+
 groupRouter.post(
  '/:groupId/:userId',
  authenticateAccessToken,
@@ -60,7 +95,11 @@ groupRouter.post(
      )
      res.send(response)
    } catch (err: any) {
-      res.status(403).send(err.toString())
+      const statusCode = err.code
+
+      delete err.code
+
+      res.status(statusCode).send(err.message)
    }
  }
 )
@@ -80,7 +119,11 @@ groupRouter.delete(
      )
      res.send(response)
    } catch (err: any) {
-      res.status(403).send(err.toString())
+      const statusCode = err.code
+
+      delete err.code
+
+      res.status(statusCode).send(err.message)
    }
  }
 )
@@ -97,7 +140,11 @@ groupRouter.delete(
      await controller.deleteGroup(parseInt(groupId))
      res.status(200).send('Group Deleted!')
    } catch (err: any) {
-      res.status(403).send(err.toString())
+      const statusCode = err.code
+
+      delete err.code
+
+      res.status(statusCode).send(err.message)
    }
  }
 )
--- a/api/src/routes/api/index.ts
+++ b/api/src/routes/api/index.ts
@@ -5,7 +5,6 @@ import swaggerUi from 'swagger-ui-express'
 import {
  authenticateAccessToken,
  desktopRestrict,
-  desktopUsername,
  verifyAdmin
 } from '../../middlewares'

@@ -18,11 +17,12 @@ import groupRouter from './group'
 import clientRouter from './client'
 import authRouter from './auth'
 import sessionRouter from './session'
+import permissionRouter from './permission'

 const router = express.Router()

 router.use('/info', infoRouter)
-router.use('/session', desktopUsername, authenticateAccessToken, sessionRouter)
+router.use('/session', authenticateAccessToken, sessionRouter)
 router.use('/auth', desktopRestrict, authRouter)
 router.use(
  '/client',
@@ -36,6 +36,12 @@ router.use('/group', desktopRestrict, groupRouter)
 router.use('/stp', authenticateAccessToken, stpRouter)
 router.use('/code', authenticateAccessToken, codeRouter)
 router.use('/user', desktopRestrict, userRouter)
+router.use(
+  '/permission',
+  desktopRestrict,
+  authenticateAccessToken,
+  permissionRouter
+)

 router.use(
  '/',
--- a/api/src/routes/api/info.ts
+++ b/api/src/routes/api/info.ts
@@ -13,4 +13,14 @@ infoRouter.get('/', async (req, res) => {
  }
 })

+infoRouter.get('/authorizedRoutes', async (req, res) => {
+  const controller = new InfoController()
+  try {
+    const response = controller.authorizedRoutes()
+    res.send(response)
+  } catch (err: any) {
+    res.status(403).send(err.toString())
+  }
+})
+
 export default infoRouter
--- a/api/src/routes/api/permission.ts
+++ b/api/src/routes/api/permission.ts
@@ -0,0 +1,69 @@
+import express from 'express'
+import { PermissionController } from '../../controllers/'
+import { verifyAdmin } from '../../middlewares'
+import {
+  registerPermissionValidation,
+  updatePermissionValidation
+} from '../../utils'
+
+const permissionRouter = express.Router()
+const controller = new PermissionController()
+
+permissionRouter.get('/', async (req, res) => {
+  try {
+    const response = await controller.getAllPermissions()
+    res.send(response)
+  } catch (err: any) {
+    const statusCode = err.code
+    delete err.code
+    res.status(statusCode).send(err.message)
+  }
+})
+
+permissionRouter.post('/', verifyAdmin, async (req, res) => {
+  const { error, value: body } = registerPermissionValidation(req.body)
+  if (error) return res.status(400).send(error.details[0].message)
+
+  try {
+    const response = await controller.createPermission(body)
+    res.send(response)
+  } catch (err: any) {
+    const statusCode = err.code
+    delete err.code
+    res.status(statusCode).send(err.message)
+  }
+})
+
+permissionRouter.patch('/:permissionId', verifyAdmin, async (req: any, res) => {
+  const { permissionId } = req.params
+
+  const { error, value: body } = updatePermissionValidation(req.body)
+  if (error) return res.status(400).send(error.details[0].message)
+
+  try {
+    const response = await controller.updatePermission(permissionId, body)
+    res.send(response)
+  } catch (err: any) {
+    const statusCode = err.code
+    delete err.code
+    res.status(statusCode).send(err.message)
+  }
+})
+
+permissionRouter.delete(
+  '/:permissionId',
+  verifyAdmin,
+  async (req: any, res) => {
+    const { permissionId } = req.params
+
+    try {
+      await controller.deletePermission(permissionId)
+      res.status(200).send('Permission Deleted!')
+    } catch (err: any) {
+      const statusCode = err.code
+      delete err.code
+      res.status(statusCode).send(err.message)
+    }
+  }
+)
+export default permissionRouter
--- a/api/src/routes/api/spec/drive.spec.ts
+++ b/api/src/routes/api/spec/drive.spec.ts
@@ -3,6 +3,7 @@ import { Express } from 'express'
 import mongoose, { Mongoose } from 'mongoose'
 import { MongoMemoryServer } from 'mongodb-memory-server'
 import request from 'supertest'
+import AdmZip from 'adm-zip'

 import {
  folderExists,
@@ -28,7 +29,12 @@ jest
  .mockImplementation(() => path.join(tmpFolder, 'uploads'))

 import appPromise from '../../../app'
-import { UserController } from '../../../controllers/'
+import {
+  UserController,
+  PermissionController,
+  PermissionSetting,
+  PrincipalType
+} from '../../../controllers/'
 import { getTreeExample } from '../../../controllers/internal'
 import { generateAccessToken, saveTokensInDB } from '../../../utils/'
 const { getFilesFolder } = fileUtilModules
@@ -47,6 +53,7 @@ describe('drive', () => {
  let con: Mongoose
  let mongoServer: MongoMemoryServer
  const controller = new UserController()
+  const permissionController = new PermissionController()

  let accessToken: string

@@ -57,11 +64,31 @@ describe('drive', () => {
    con = await mongoose.connect(mongoServer.getUri())

    const dbUser = await controller.createUser(user)
-    accessToken = generateAccessToken({
-      clientId,
-      userId: dbUser.id
+    accessToken = await generateAndSaveToken(dbUser.id)
+    await permissionController.createPermission({
+      uri: '/SASjsApi/drive/deploy',
+      principalType: PrincipalType.user,
+      principalId: dbUser.id,
+      setting: PermissionSetting.grant
+    })
+    await permissionController.createPermission({
+      uri: '/SASjsApi/drive/deploy/upload',
+      principalType: PrincipalType.user,
+      principalId: dbUser.id,
+      setting: PermissionSetting.grant
+    })
+    await permissionController.createPermission({
+      uri: '/SASjsApi/drive/file',
+      principalType: PrincipalType.user,
+      principalId: dbUser.id,
+      setting: PermissionSetting.grant
+    })
+    await permissionController.createPermission({
+      uri: '/SASjsApi/drive/folder',
+      principalType: PrincipalType.user,
+      principalId: dbUser.id,
+      setting: PermissionSetting.grant
    })
-    await saveTokensInDB(dbUser.id, clientId, accessToken, 'refreshToken')
  })

  afterAll(async () => {
@@ -72,11 +99,52 @@ describe('drive', () => {
  })

  describe('deploy', () => {
-    const shouldFailAssertion = async (payload: any) => {
-      const res = await request(app)
-        .post('/SASjsApi/drive/deploy')
-        .auth(accessToken, { type: 'bearer' })
-        .send({ appLoc: '/Public', fileTree: payload })
+    const makeRequest = async (payload: any, type: string = 'payload') => {
+      const requestUrl =
+        type === 'payload'
+          ? '/SASjsApi/drive/deploy'
+          : '/SASjsApi/drive/deploy/upload'
+
+      if (type === 'payload') {
+        return await request(app)
+          .post(requestUrl)
+          .auth(accessToken, { type: 'bearer' })
+          .send({ appLoc: '/Public', fileTree: payload })
+      }
+      if (type === 'file') {
+        const deployContents = JSON.stringify({
+          appLoc: '/Public',
+          fileTree: payload
+        })
+        return await request(app)
+          .post(requestUrl)
+          .auth(accessToken, { type: 'bearer' })
+          .attach('file', Buffer.from(deployContents), 'deploy.json')
+      } else {
+        const deployContents = JSON.stringify({
+          appLoc: '/Public',
+          fileTree: payload
+        })
+        const zip = new AdmZip()
+        // add file directly
+        zip.addFile(
+          'deploy.json',
+          Buffer.from(deployContents, 'utf8'),
+          'entry comment goes here'
+        )
+
+        return await request(app)
+          .post(requestUrl)
+          .auth(accessToken, { type: 'bearer' })
+          .attach('file', zip.toBuffer(), 'deploy.json.zip')
+      }
+    }
+
+    const shouldFailAssertion = async (
+      payload: any,
+      type: string = 'payload'
+    ) => {
+      const res = await makeRequest(payload, type)

      expect(res.statusCode).toEqual(400)

@@ -176,6 +244,240 @@ describe('drive', () => {

      await deleteFolder(path.join(getFilesFolder(), 'public'))
    })
+
+    describe('upload', () => {
+      it('should respond with payload example if valid JSON file was not provided', async () => {
+        await shouldFailAssertion(null, 'file')
+        await shouldFailAssertion(undefined, 'file')
+        await shouldFailAssertion('data', 'file')
+        await shouldFailAssertion({}, 'file')
+        await shouldFailAssertion(
+          {
+            userId: 1,
+            title: 'test is cool'
+          },
+          'file'
+        )
+        await shouldFailAssertion(
+          {
+            membersWRONG: []
+          },
+          'file'
+        )
+        await shouldFailAssertion(
+          {
+            members: {}
+          },
+          'file'
+        )
+        await shouldFailAssertion(
+          {
+            members: [
+              {
+                nameWRONG: 'jobs',
+                type: 'folder',
+                members: []
+              }
+            ]
+          },
+          'file'
+        )
+        await shouldFailAssertion(
+          {
+            members: [
+              {
+                name: 'jobs',
+                type: 'WRONG',
+                members: []
+              }
+            ]
+          },
+          'file'
+        )
+        await shouldFailAssertion(
+          {
+            members: [
+              {
+                name: 'jobs',
+                type: 'folder',
+                members: [
+                  {
+                    name: 'extract',
+                    type: 'folder',
+                    members: [
+                      {
+                        name: 'makedata1',
+                        type: 'service',
+                        codeWRONG: '%put Hello World!;'
+                      }
+                    ]
+                  }
+                ]
+              }
+            ]
+          },
+          'file'
+        )
+      })
+
+      it('should successfully deploy if valid JSON file was provided', async () => {
+        const deployContents = JSON.stringify({
+          appLoc: '/public',
+          fileTree: getTreeExample()
+        })
+        const res = await request(app)
+          .post('/SASjsApi/drive/deploy/upload')
+          .auth(accessToken, { type: 'bearer' })
+          .attach('file', Buffer.from(deployContents), 'deploy.json')
+
+        expect(res.statusCode).toEqual(200)
+        expect(res.text).toEqual(
+          '{"status":"success","message":"Files deployed successfully to @sasjs/server."}'
+        )
+        await expect(folderExists(getFilesFolder())).resolves.toEqual(true)
+
+        const testJobFolder = path.join(
+          getFilesFolder(),
+          'public',
+          'jobs',
+          'extract'
+        )
+        await expect(folderExists(testJobFolder)).resolves.toEqual(true)
+
+        const exampleService = getExampleService()
+        const testJobFile =
+          path.join(testJobFolder, exampleService.name) + '.sas'
+
+        await expect(fileExists(testJobFile)).resolves.toEqual(true)
+
+        await expect(readFile(testJobFile)).resolves.toEqual(
+          exampleService.code
+        )
+
+        await deleteFolder(path.join(getFilesFolder(), 'public'))
+      })
+    })
+
+    describe('upload - zipped', () => {
+      it('should respond with payload example if valid Zipped file was not provided', async () => {
+        await shouldFailAssertion(null, 'zip')
+        await shouldFailAssertion(undefined, 'zip')
+        await shouldFailAssertion('data', 'zip')
+        await shouldFailAssertion({}, 'zip')
+        await shouldFailAssertion(
+          {
+            userId: 1,
+            title: 'test is cool'
+          },
+          'zip'
+        )
+        await shouldFailAssertion(
+          {
+            membersWRONG: []
+          },
+          'zip'
+        )
+        await shouldFailAssertion(
+          {
+            members: {}
+          },
+          'zip'
+        )
+        await shouldFailAssertion(
+          {
+            members: [
+              {
+                nameWRONG: 'jobs',
+                type: 'folder',
+                members: []
+              }
+            ]
+          },
+          'zip'
+        )
+        await shouldFailAssertion(
+          {
+            members: [
+              {
+                name: 'jobs',
+                type: 'WRONG',
+                members: []
+              }
+            ]
+          },
+          'zip'
+        )
+        await shouldFailAssertion(
+          {
+            members: [
+              {
+                name: 'jobs',
+                type: 'folder',
+                members: [
+                  {
+                    name: 'extract',
+                    type: 'folder',
+                    members: [
+                      {
+                        name: 'makedata1',
+                        type: 'service',
+                        codeWRONG: '%put Hello World!;'
+                      }
+                    ]
+                  }
+                ]
+              }
+            ]
+          },
+          'zip'
+        )
+      })
+
+      it('should successfully deploy if valid Zipped file was provided', async () => {
+        const deployContents = JSON.stringify({
+          appLoc: '/public',
+          fileTree: getTreeExample()
+        })
+
+        const zip = new AdmZip()
+        // add file directly
+        zip.addFile(
+          'deploy.json',
+          Buffer.from(deployContents, 'utf8'),
+          'entry comment goes here'
+        )
+        const res = await request(app)
+          .post('/SASjsApi/drive/deploy/upload')
+          .auth(accessToken, { type: 'bearer' })
+          .attach('file', zip.toBuffer(), 'deploy.json.zip')
+
+        expect(res.statusCode).toEqual(200)
+        expect(res.text).toEqual(
+          '{"status":"success","message":"Files deployed successfully to @sasjs/server."}'
+        )
+        await expect(folderExists(getFilesFolder())).resolves.toEqual(true)
+
+        const testJobFolder = path.join(
+          getFilesFolder(),
+          'public',
+          'jobs',
+          'extract'
+        )
+        await expect(folderExists(testJobFolder)).resolves.toEqual(true)
+
+        const exampleService = getExampleService()
+        const testJobFile =
+          path.join(testJobFolder, exampleService.name) + '.sas'
+
+        await expect(fileExists(testJobFile)).resolves.toEqual(true)
+
+        await expect(readFile(testJobFile)).resolves.toEqual(
+          exampleService.code
+        )
+
+        await deleteFolder(path.join(getFilesFolder(), 'public'))
+      })
+    })
  })

  describe('folder', () => {
@@ -669,3 +971,12 @@ describe('drive', () => {
 const getExampleService = (): ServiceMember =>
  ((getTreeExample().members[0] as FolderMember).members[0] as FolderMember)
    .members[0] as ServiceMember
+
+const generateAndSaveToken = async (userId: number) => {
+  const adminAccessToken = generateAccessToken({
+    clientId,
+    userId
+  })
+  await saveTokensInDB(userId, clientId, adminAccessToken, 'refreshToken')
+  return adminAccessToken
+}
--- a/api/src/routes/api/spec/group.spec.ts
+++ b/api/src/routes/api/spec/group.spec.ts
@@ -23,7 +23,7 @@ const user = {
 }

 const group = {
-  name: 'DCGroup1',
+  name: 'dcgroup1',
  description: 'DC group for testing purposes.'
 }

@@ -70,6 +70,32 @@ describe('group', () => {
      expect(res.body.users).toEqual([])
    })

+    it('should respond with Conflict when group already exists with same name', async () => {
+      await groupController.createGroup(group)
+
+      const res = await request(app)
+        .post('/SASjsApi/group')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send(group)
+        .expect(409)
+
+      expect(res.text).toEqual('Group name already exists.')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request when group name does not match the group name schema', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/group')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({ ...group, name: 'Wrong Group Name' })
+        .expect(400)
+
+      expect(res.text).toEqual(
+        '"name" must only contain alpha-numeric characters'
+      )
+      expect(res.body).toEqual({})
+    })
+
    it('should respond with Unauthorized if access token is not present', async () => {
      const res = await request(app).post('/SASjsApi/group').send().expect(401)

@@ -125,14 +151,51 @@ describe('group', () => {
      expect(res.body).toEqual({})
    })

-    it('should respond with Forbidden if groupId is incorrect', async () => {
+    it(`should delete group's reference from users' groups array`, async () => {
+      const dbGroup = await groupController.createGroup(group)
+      const dbUser1 = await userController.createUser({
+        ...user,
+        username: 'deletegroup1'
+      })
+      const dbUser2 = await userController.createUser({
+        ...user,
+        username: 'deletegroup2'
+      })
+
+      await groupController.addUserToGroup(dbGroup.groupId, dbUser1.id)
+      await groupController.addUserToGroup(dbGroup.groupId, dbUser2.id)
+
+      await request(app)
+        .delete(`/SASjsApi/group/${dbGroup.groupId}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send()
+        .expect(200)
+
+      const res1 = await request(app)
+        .get(`/SASjsApi/user/${dbUser1.id}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send()
+        .expect(200)
+
+      expect(res1.body.groups).toEqual([])
+
+      const res2 = await request(app)
+        .get(`/SASjsApi/user/${dbUser2.id}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send()
+        .expect(200)
+
+      expect(res2.body.groups).toEqual([])
+    })
+
+    it('should respond with Not Found if groupId is incorrect', async () => {
      const res = await request(app)
        .delete(`/SASjsApi/group/1234`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
-        .expect(403)
+        .expect(404)

-      expect(res.text).toEqual('Error: No Group deleted!')
+      expect(res.text).toEqual('Group not found.')
      expect(res.body).toEqual({})
    })

@@ -216,16 +279,76 @@ describe('group', () => {
      expect(res.body).toEqual({})
    })

-    it('should respond with Forbidden if groupId is incorrect', async () => {
+    it('should respond with Not Found if groupId is incorrect', async () => {
      const res = await request(app)
        .get('/SASjsApi/group/1234')
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
-        .expect(403)
+        .expect(404)

-      expect(res.text).toEqual('Error: Group not found.')
+      expect(res.text).toEqual('Group not found.')
      expect(res.body).toEqual({})
    })
+
+    describe('by group name', () => {
+      it('should respond with group', async () => {
+        const { name } = await groupController.createGroup(group)
+
+        const res = await request(app)
+          .get(`/SASjsApi/group/by/groupname/${name}`)
+          .auth(adminAccessToken, { type: 'bearer' })
+          .send()
+          .expect(200)
+
+        expect(res.body.groupId).toBeTruthy()
+        expect(res.body.name).toEqual(group.name)
+        expect(res.body.description).toEqual(group.description)
+        expect(res.body.isActive).toEqual(true)
+        expect(res.body.users).toEqual([])
+      })
+
+      it('should respond with group when access token is not of an admin account', async () => {
+        const accessToken = await generateSaveTokenAndCreateUser({
+          ...user,
+          username: 'getbyname' + user.username
+        })
+
+        const { name } = await groupController.createGroup(group)
+
+        const res = await request(app)
+          .get(`/SASjsApi/group/by/groupname/${name}`)
+          .auth(accessToken, { type: 'bearer' })
+          .send()
+          .expect(200)
+
+        expect(res.body.groupId).toBeTruthy()
+        expect(res.body.name).toEqual(group.name)
+        expect(res.body.description).toEqual(group.description)
+        expect(res.body.isActive).toEqual(true)
+        expect(res.body.users).toEqual([])
+      })
+
+      it('should respond with Unauthorized if access token is not present', async () => {
+        const res = await request(app)
+          .get('/SASjsApi/group/by/groupname/dcgroup')
+          .send()
+          .expect(401)
+
+        expect(res.text).toEqual('Unauthorized')
+        expect(res.body).toEqual({})
+      })
+
+      it('should respond with Not Found if groupname is incorrect', async () => {
+        const res = await request(app)
+          .get('/SASjsApi/group/by/groupname/randomCharacters')
+          .auth(adminAccessToken, { type: 'bearer' })
+          .send()
+          .expect(404)
+
+        expect(res.text).toEqual('Group not found.')
+        expect(res.body).toEqual({})
+      })
+    })
  })

  describe('getAll', () => {
@@ -245,8 +368,8 @@ describe('group', () => {
      expect(res.body).toEqual([
        {
          groupId: expect.anything(),
-          name: 'DCGroup1',
-          description: 'DC group for testing purposes.'
+          name: group.name,
+          description: group.description
        }
      ])
    })
@@ -267,8 +390,8 @@ describe('group', () => {
      expect(res.body).toEqual([
        {
          groupId: expect.anything(),
-          name: 'DCGroup1',
-          description: 'DC group for testing purposes.'
+          name: group.name,
+          description: group.description
        }
      ])
    })
@@ -309,6 +432,34 @@ describe('group', () => {
      ])
    })

+    it(`should add group to user's groups array`, async () => {
+      const dbGroup = await groupController.createGroup(group)
+      const dbUser = await userController.createUser({
+        ...user,
+        username: 'addUserToGroup'
+      })
+
+      await request(app)
+        .post(`/SASjsApi/group/${dbGroup.groupId}/${dbUser.id}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send()
+        .expect(200)
+
+      const res = await request(app)
+        .get(`/SASjsApi/user/${dbUser.id}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send()
+        .expect(200)
+
+      expect(res.body.groups).toEqual([
+        {
+          groupId: expect.anything(),
+          name: group.name,
+          description: group.description
+        }
+      ])
+    })
+
    it('should respond with group without duplicating user', async () => {
      const dbGroup = await groupController.createGroup(group)
      const dbUser = await userController.createUser({
@@ -362,26 +513,26 @@ describe('group', () => {
      expect(res.body).toEqual({})
    })

-    it('should respond with Forbidden if groupId is incorrect', async () => {
+    it('should respond with Not Found if groupId is incorrect', async () => {
      const res = await request(app)
        .post('/SASjsApi/group/123/123')
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
-        .expect(403)
+        .expect(404)

-      expect(res.text).toEqual('Error: Group not found.')
+      expect(res.text).toEqual('Group not found.')
      expect(res.body).toEqual({})
    })

-    it('should respond with Forbidden if userId is incorrect', async () => {
+    it('should respond with Not Found if userId is incorrect', async () => {
      const dbGroup = await groupController.createGroup(group)
      const res = await request(app)
        .post(`/SASjsApi/group/${dbGroup.groupId}/123`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
-        .expect(403)
+        .expect(404)

-      expect(res.text).toEqual('Error: User not found.')
+      expect(res.text).toEqual('User not found.')
      expect(res.body).toEqual({})
    })
  })
@@ -412,6 +563,29 @@ describe('group', () => {
      expect(res.body.users).toEqual([])
    })

+    it(`should remove group from user's groups array`, async () => {
+      const dbGroup = await groupController.createGroup(group)
+      const dbUser = await userController.createUser({
+        ...user,
+        username: 'removeGroupFromUser'
+      })
+      await groupController.addUserToGroup(dbGroup.groupId, dbUser.id)
+
+      await request(app)
+        .delete(`/SASjsApi/group/${dbGroup.groupId}/${dbUser.id}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send()
+        .expect(200)
+
+      const res = await request(app)
+        .get(`/SASjsApi/user/${dbUser.id}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send()
+        .expect(200)
+
+      expect(res.body.groups).toEqual([])
+    })
+
    it('should respond with Unauthorized if access token is not present', async () => {
      const res = await request(app)
        .delete('/SASjsApi/group/123/123')
@@ -438,26 +612,26 @@ describe('group', () => {
      expect(res.body).toEqual({})
    })

-    it('should respond with Forbidden if groupId is incorrect', async () => {
+    it('should respond with Not Found if groupId is incorrect', async () => {
      const res = await request(app)
        .delete('/SASjsApi/group/123/123')
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
-        .expect(403)
+        .expect(404)

-      expect(res.text).toEqual('Error: Group not found.')
+      expect(res.text).toEqual('Group not found.')
      expect(res.body).toEqual({})
    })

-    it('should respond with Forbidden if userId is incorrect', async () => {
+    it('should respond with Not Found if userId is incorrect', async () => {
      const dbGroup = await groupController.createGroup(group)
      const res = await request(app)
        .delete(`/SASjsApi/group/${dbGroup.groupId}/123`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
-        .expect(403)
+        .expect(404)

-      expect(res.text).toEqual('Error: User not found.')
+      expect(res.text).toEqual('User not found.')
      expect(res.body).toEqual({})
    })
  })
--- a/api/src/routes/api/spec/permission.spec.ts
+++ b/api/src/routes/api/spec/permission.spec.ts
@@ -0,0 +1,571 @@
+import { Express } from 'express'
+import mongoose, { Mongoose } from 'mongoose'
+import { MongoMemoryServer } from 'mongodb-memory-server'
+import request from 'supertest'
+import appPromise from '../../../app'
+import {
+  DriveController,
+  UserController,
+  GroupController,
+  ClientController,
+  PermissionController,
+  PrincipalType,
+  PermissionSetting
+} from '../../../controllers/'
+import {
+  UserDetailsResponse,
+  PermissionDetailsResponse
+} from '../../../controllers'
+import { generateAccessToken, saveTokensInDB } from '../../../utils'
+
+const deployPayload = {
+  appLoc: 'string',
+  streamWebFolder: 'string',
+  fileTree: {
+    members: [
+      {
+        name: 'string',
+        type: 'folder',
+        members: [
+          'string',
+          {
+            name: 'string',
+            type: 'service',
+            code: 'string'
+          }
+        ]
+      }
+    ]
+  }
+}
+
+const clientId = 'someclientID'
+const adminUser = {
+  displayName: 'Test Admin',
+  username: 'testAdminUsername',
+  password: '12345678',
+  isAdmin: true,
+  isActive: true
+}
+const user = {
+  displayName: 'Test User',
+  username: 'testUsername',
+  password: '87654321',
+  isAdmin: false,
+  isActive: true
+}
+
+const permission = {
+  uri: '/SASjsApi/code/execute',
+  setting: PermissionSetting.grant,
+  principalType: PrincipalType.user,
+  principalId: 123
+}
+
+const group = {
+  name: 'DCGroup1',
+  description: 'DC group for testing purposes.'
+}
+
+const userController = new UserController()
+const groupController = new GroupController()
+const clientController = new ClientController()
+const permissionController = new PermissionController()
+
+describe('permission', () => {
+  let app: Express
+  let con: Mongoose
+  let mongoServer: MongoMemoryServer
+  let adminAccessToken: string
+  let dbUser: UserDetailsResponse
+
+  beforeAll(async () => {
+    app = await appPromise
+
+    mongoServer = await MongoMemoryServer.create()
+    con = await mongoose.connect(mongoServer.getUri())
+
+    adminAccessToken = await generateSaveTokenAndCreateUser()
+    dbUser = await userController.createUser(user)
+  })
+
+  afterAll(async () => {
+    await con.connection.dropDatabase()
+    await con.connection.close()
+    await mongoServer.stop()
+  })
+
+  describe('create', () => {
+    afterEach(async () => {
+      await deleteAllPermissions()
+    })
+
+    it('should respond with new permission when principalType is user', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/permission')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({ ...permission, principalId: dbUser.id })
+        .expect(200)
+
+      expect(res.body.permissionId).toBeTruthy()
+      expect(res.body.uri).toEqual(permission.uri)
+      expect(res.body.setting).toEqual(permission.setting)
+      expect(res.body.user).toBeTruthy()
+    })
+
+    it('should respond with new permission when principalType is group', async () => {
+      const dbGroup = await groupController.createGroup(group)
+
+      const res = await request(app)
+        .post('/SASjsApi/permission')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({
+          ...permission,
+          principalType: 'group',
+          principalId: dbGroup.groupId
+        })
+        .expect(200)
+
+      expect(res.body.permissionId).toBeTruthy()
+      expect(res.body.uri).toEqual(permission.uri)
+      expect(res.body.setting).toEqual(permission.setting)
+      expect(res.body.group).toBeTruthy()
+    })
+
+    it('should respond with Unauthorized if access token is not present', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/permission')
+        .send(permission)
+        .expect(401)
+
+      expect(res.text).toEqual('Unauthorized')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Unauthorized if access token is not of an admin account even if user has permission', async () => {
+      const accessToken = await generateAndSaveToken(dbUser.id)
+
+      await permissionController.createPermission({
+        uri: '/SASjsApi/permission',
+        principalType: PrincipalType.user,
+        principalId: dbUser.id,
+        setting: PermissionSetting.grant
+      })
+
+      const res = await request(app)
+        .post('/SASjsApi/permission')
+        .auth(accessToken, { type: 'bearer' })
+        .send()
+        .expect(401)
+
+      expect(res.text).toEqual('Admin account required')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request if uri is missing', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/permission')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({
+          ...permission,
+          uri: undefined
+        })
+        .expect(400)
+
+      expect(res.text).toEqual(`"uri" is required`)
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request if uri is not valid', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/permission')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({
+          ...permission,
+          uri: '/some/random/api/endpoint'
+        })
+        .expect(400)
+
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request if setting is missing', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/permission')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({
+          ...permission,
+          setting: undefined
+        })
+        .expect(400)
+
+      expect(res.text).toEqual(`"setting" is required`)
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request if principalType is missing', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/permission')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({
+          ...permission,
+          principalType: undefined
+        })
+        .expect(400)
+
+      expect(res.text).toEqual(`"principalType" is required`)
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request if principalId is missing', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/permission')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({
+          ...permission,
+          principalId: undefined
+        })
+        .expect(400)
+
+      expect(res.text).toEqual(`"principalId" is required`)
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request if principal type is not valid', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/permission')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({
+          ...permission,
+          principalType: 'invalid'
+        })
+        .expect(400)
+
+      expect(res.text).toEqual('"principalType" must be one of [user, group]')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request if setting is not valid', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/permission')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({
+          ...permission,
+          setting: 'invalid'
+        })
+        .expect(400)
+
+      expect(res.text).toEqual('"setting" must be one of [Grant, Deny]')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request if principalId is not a number', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/permission')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({
+          ...permission,
+          principalId: 'someCharacters'
+        })
+        .expect(400)
+
+      expect(res.text).toEqual('"principalId" must be a number')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request if adding permission for admin user', async () => {
+      const adminUser = await userController.createUser({
+        ...user,
+        username: 'adminUser',
+        isAdmin: true
+      })
+
+      const res = await request(app)
+        .post('/SASjsApi/permission')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({
+          ...permission,
+          principalId: adminUser.id
+        })
+        .expect(400)
+
+      expect(res.text).toEqual('Can not add permission for admin user.')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Not Found (404) if user is not found', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/permission')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({
+          ...permission,
+          principalId: 123
+        })
+        .expect(404)
+
+      expect(res.text).toEqual('User not found.')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Not Found (404) if group is not found', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/permission')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({
+          ...permission,
+          principalType: 'group'
+        })
+        .expect(404)
+
+      expect(res.text).toEqual('Group not found.')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Conflict (409) if permission already exists', async () => {
+      await permissionController.createPermission({
+        ...permission,
+        principalId: dbUser.id
+      })
+
+      const res = await request(app)
+        .post('/SASjsApi/permission')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({ ...permission, principalId: dbUser.id })
+        .expect(409)
+
+      expect(res.text).toEqual(
+        'Permission already exists with provided URI and User.'
+      )
+      expect(res.body).toEqual({})
+    })
+  })
+
+  describe('update', () => {
+    let dbPermission: PermissionDetailsResponse | undefined
+    beforeAll(async () => {
+      dbPermission = await permissionController.createPermission({
+        ...permission,
+        principalId: dbUser.id
+      })
+    })
+
+    afterEach(async () => {
+      await deleteAllPermissions()
+    })
+
+    it('should respond with updated permission', async () => {
+      const res = await request(app)
+        .patch(`/SASjsApi/permission/${dbPermission?.permissionId}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({ setting: 'Deny' })
+        .expect(200)
+
+      expect(res.body.setting).toEqual('Deny')
+    })
+
+    it('should respond with Unauthorized if access token is not present', async () => {
+      const res = await request(app)
+        .patch(`/SASjsApi/permission/${dbPermission?.permissionId}`)
+        .send(permission)
+        .expect(401)
+
+      expect(res.text).toEqual('Unauthorized')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Unauthorized if access token is not of an admin account', async () => {
+      const accessToken = await generateSaveTokenAndCreateUser({
+        ...user,
+        username: 'update' + user.username
+      })
+
+      const res = await request(app)
+        .patch(`/SASjsApi/permission/${dbPermission?.permissionId}`)
+        .auth(accessToken, { type: 'bearer' })
+        .send()
+        .expect(401)
+
+      expect(res.text).toEqual('Admin account required')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request if setting is missing', async () => {
+      const res = await request(app)
+        .patch(`/SASjsApi/permission/${dbPermission?.permissionId}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send()
+        .expect(400)
+
+      expect(res.text).toEqual(`"setting" is required`)
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request if setting is not valid', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/permission')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({
+          ...permission,
+          setting: 'invalid'
+        })
+        .expect(400)
+
+      expect(res.text).toEqual('"setting" must be one of [Grant, Deny]')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with not found (404) if permission with provided id does not exists', async () => {
+      const res = await request(app)
+        .patch('/SASjsApi/permission/123')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({
+          setting: PermissionSetting.deny
+        })
+        .expect(404)
+
+      expect(res.text).toEqual('Permission not found.')
+      expect(res.body).toEqual({})
+    })
+  })
+
+  describe('delete', () => {
+    it('should delete permission', async () => {
+      const dbPermission = await permissionController.createPermission({
+        ...permission,
+        principalId: dbUser.id
+      })
+      const res = await request(app)
+        .delete(`/SASjsApi/permission/${dbPermission?.permissionId}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send()
+        .expect(200)
+
+      expect(res.text).toEqual('Permission Deleted!')
+    })
+
+    it('should respond with not found (404) if permission with provided id does not exists', async () => {
+      const res = await request(app)
+        .delete('/SASjsApi/permission/123')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send()
+        .expect(404)
+
+      expect(res.text).toEqual('Permission not found.')
+    })
+  })
+
+  describe('get', () => {
+    beforeAll(async () => {
+      await permissionController.createPermission({
+        ...permission,
+        uri: '/test-1',
+        principalId: dbUser.id
+      })
+      await permissionController.createPermission({
+        ...permission,
+        uri: '/test-2',
+        principalId: dbUser.id
+      })
+    })
+
+    it('should give a list of all permissions when user is admin', async () => {
+      const res = await request(app)
+        .get('/SASjsApi/permission/')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send()
+        .expect(200)
+
+      expect(res.body).toHaveLength(2)
+    })
+
+    it('should give a list of all permissions when user is not admin', async () => {
+      const dbUser = await userController.createUser({
+        ...user,
+        username: 'get' + user.username
+      })
+      const accessToken = await generateAndSaveToken(dbUser.id)
+      await permissionController.createPermission({
+        uri: '/SASjsApi/permission',
+        principalType: PrincipalType.user,
+        principalId: dbUser.id,
+        setting: PermissionSetting.grant
+      })
+
+      const res = await request(app)
+        .get('/SASjsApi/permission/')
+        .auth(accessToken, { type: 'bearer' })
+        .send()
+        .expect(200)
+
+      expect(res.body).toHaveLength(3)
+    })
+  })
+
+  describe.only('verify', () => {
+    beforeAll(async () => {
+      await permissionController.createPermission({
+        ...permission,
+        uri: '/SASjsApi/drive/deploy',
+        principalId: dbUser.id
+      })
+    })
+
+    beforeEach(() => {
+      jest
+        .spyOn(DriveController.prototype, 'deploy')
+        .mockImplementation((deployPayload) =>
+          Promise.resolve({
+            status: 'success',
+            message: 'Files deployed successfully to @sasjs/server.'
+          })
+        )
+    })
+
+    afterEach(() => {
+      jest.resetAllMocks()
+    })
+
+    it('should create files in SASJS drive', async () => {
+      const accessToken = await generateAndSaveToken(dbUser.id)
+
+      await request(app)
+        .get('/SASjsApi/drive/deploy')
+        .auth(accessToken, { type: 'bearer' })
+        .send(deployPayload)
+        .expect(200)
+    })
+
+    it('should respond unauthorized', async () => {
+      const accessToken = await generateAndSaveToken(dbUser.id)
+
+      await request(app)
+        .get('/SASjsApi/drive/deploy/upload')
+        .auth(accessToken, { type: 'bearer' })
+        .send()
+        .expect(401)
+    })
+  })
+})
+
+const generateSaveTokenAndCreateUser = async (
+  someUser?: any
+): Promise<string> => {
+  const dbUser = await userController.createUser(someUser ?? adminUser)
+
+  return generateAndSaveToken(dbUser.id)
+}
+
+const generateAndSaveToken = async (userId: number) => {
+  const adminAccessToken = generateAccessToken({
+    clientId,
+    userId
+  })
+  await saveTokensInDB(userId, clientId, adminAccessToken, 'refreshToken')
+  return adminAccessToken
+}
+
+const deleteAllPermissions = async () => {
+  const { collections } = mongoose.connection
+  const collection = collections['permissions']
+  await collection.deleteMany({})
+}
--- a/api/src/routes/api/spec/stp.spec.ts
+++ b/api/src/routes/api/spec/stp.spec.ts
@@ -0,0 +1,397 @@
+import path from 'path'
+import { Express } from 'express'
+import mongoose, { Mongoose } from 'mongoose'
+import { MongoMemoryServer } from 'mongodb-memory-server'
+import request from 'supertest'
+import appPromise from '../../../app'
+import {
+  UserController,
+  PermissionController,
+  PermissionSetting,
+  PrincipalType
+} from '../../../controllers/'
+import {
+  generateAccessToken,
+  saveTokensInDB,
+  getFilesFolder,
+  RunTimeType,
+  generateUniqueFileName,
+  getSessionsFolder
+} from '../../../utils'
+import { createFile, generateTimestamp, deleteFolder } from '@sasjs/utils'
+import {
+  SASSessionController,
+  JSSessionController
+} from '../../../controllers/internal'
+import * as ProcessProgramModule from '../../../controllers/internal/processProgram'
+import { Session } from '../../../types'
+
+const clientId = 'someclientID'
+
+const user = {
+  displayName: 'Test User',
+  username: 'testUsername',
+  password: '87654321',
+  isAdmin: false,
+  isActive: true
+}
+
+const sampleSasProgram = '%put hello world!;'
+const sampleJsProgram = `console.log('hello world!/')`
+
+const filesFolder = getFilesFolder()
+
+describe('stp', () => {
+  let app: Express
+  let con: Mongoose
+  let mongoServer: MongoMemoryServer
+  let accessToken: string
+  const userController = new UserController()
+  const permissionController = new PermissionController()
+
+  beforeAll(async () => {
+    app = await appPromise
+    mongoServer = await MongoMemoryServer.create()
+    con = await mongoose.connect(mongoServer.getUri())
+    const dbUser = await userController.createUser(user)
+    accessToken = await generateAndSaveToken(dbUser.id)
+    await permissionController.createPermission({
+      uri: '/SASjsApi/stp/execute',
+      principalType: PrincipalType.user,
+      principalId: dbUser.id,
+      setting: PermissionSetting.grant
+    })
+  })
+
+  afterAll(async () => {
+    await con.connection.dropDatabase()
+    await con.connection.close()
+    await mongoServer.stop()
+  })
+
+  describe('execute', () => {
+    const testFilesFolder = `test-stp-${generateTimestamp()}`
+
+    describe('get', () => {
+      describe('with runtime js', () => {
+        const testFilesFolder = `test-stp-${generateTimestamp()}`
+
+        beforeAll(() => {
+          process.runTimes = [RunTimeType.JS]
+        })
+
+        beforeEach(() => {
+          jest.resetModules() // it clears the cache
+          setupMocks()
+        })
+
+        afterEach(async () => {
+          jest.resetAllMocks()
+          await deleteFolder(path.join(filesFolder, testFilesFolder))
+        })
+
+        it('should execute js program when both js and sas program are present', async () => {
+          const programPath = path.join(testFilesFolder, 'program')
+          const sasProgramPath = path.join(filesFolder, `${programPath}.sas`)
+          const jsProgramPath = path.join(filesFolder, `${programPath}.js`)
+          await createFile(sasProgramPath, sampleSasProgram)
+          await createFile(jsProgramPath, sampleJsProgram)
+
+          await request(app)
+            .get(`/SASjsApi/stp/execute?_program=${programPath}`)
+            .auth(accessToken, { type: 'bearer' })
+            .send()
+            .expect(200)
+
+          expect(ProcessProgramModule.processProgram).toHaveBeenCalledWith(
+            expect.anything(),
+            expect.anything(),
+            expect.anything(),
+            expect.anything(),
+            expect.anything(),
+            expect.anything(),
+            RunTimeType.JS,
+            expect.anything(),
+            undefined
+          )
+        })
+
+        it('should throw error when js program is not present but sas program exists', async () => {
+          const programPath = path.join(testFilesFolder, 'program')
+          const sasProgramPath = path.join(filesFolder, `${programPath}.sas`)
+          await createFile(sasProgramPath, sampleSasProgram)
+
+          await request(app)
+            .get(`/SASjsApi/stp/execute?_program=${programPath}`)
+            .auth(accessToken, { type: 'bearer' })
+            .send()
+            .expect(400)
+        })
+      })
+
+      describe('with runtime sas', () => {
+        beforeAll(() => {
+          process.runTimes = [RunTimeType.SAS]
+        })
+
+        beforeEach(() => {
+          jest.resetModules() // it clears the cache
+          setupMocks()
+        })
+
+        afterEach(async () => {
+          jest.resetAllMocks()
+          await deleteFolder(path.join(filesFolder, testFilesFolder))
+        })
+
+        it('should execute sas program when both sas and js programs are present', async () => {
+          const programPath = path.join(testFilesFolder, 'program')
+          const sasProgramPath = path.join(filesFolder, `${programPath}.sas`)
+          const jsProgramPath = path.join(filesFolder, `${programPath}.js`)
+          await createFile(sasProgramPath, sampleSasProgram)
+          await createFile(jsProgramPath, sampleJsProgram)
+
+          await request(app)
+            .get(`/SASjsApi/stp/execute?_program=${programPath}`)
+            .auth(accessToken, { type: 'bearer' })
+            .send()
+            .expect(200)
+
+          expect(ProcessProgramModule.processProgram).toHaveBeenCalledWith(
+            expect.anything(),
+            expect.anything(),
+            expect.anything(),
+            expect.anything(),
+            expect.anything(),
+            expect.anything(),
+            RunTimeType.SAS,
+            expect.anything(),
+            undefined
+          )
+        })
+
+        it('should throw error when sas program do not exit but js exists', async () => {
+          const programPath = path.join(testFilesFolder, 'program')
+          const jsProgramPath = path.join(filesFolder, `${programPath}.js`)
+          await createFile(jsProgramPath, sampleJsProgram)
+
+          await request(app)
+            .get(`/SASjsApi/stp/execute?_program=${programPath}`)
+            .auth(accessToken, { type: 'bearer' })
+            .send()
+            .expect(400)
+        })
+      })
+
+      describe('with runtime js and sas', () => {
+        beforeAll(() => {
+          process.runTimes = [RunTimeType.JS, RunTimeType.SAS]
+        })
+
+        beforeEach(() => {
+          jest.resetModules() // it clears the cache
+          setupMocks()
+        })
+
+        afterEach(async () => {
+          jest.resetAllMocks()
+          await deleteFolder(path.join(filesFolder, testFilesFolder))
+        })
+
+        it('should execute js program when both js and sas program are present', async () => {
+          const programPath = path.join(testFilesFolder, 'program')
+          const sasProgramPath = path.join(filesFolder, `${programPath}.sas`)
+          const jsProgramPath = path.join(filesFolder, `${programPath}.js`)
+          await createFile(sasProgramPath, sampleSasProgram)
+          await createFile(jsProgramPath, sampleJsProgram)
+
+          await request(app)
+            .get(`/SASjsApi/stp/execute?_program=${programPath}`)
+            .auth(accessToken, { type: 'bearer' })
+            .send()
+            .expect(200)
+
+          expect(ProcessProgramModule.processProgram).toHaveBeenCalledWith(
+            expect.anything(),
+            expect.anything(),
+            expect.anything(),
+            expect.anything(),
+            expect.anything(),
+            expect.anything(),
+            RunTimeType.JS,
+            expect.anything(),
+            undefined
+          )
+        })
+
+        it('should execute sas program when js program is not present but sas program exists', async () => {
+          const programPath = path.join(testFilesFolder, 'program')
+          const sasProgramPath = path.join(filesFolder, `${programPath}.sas`)
+          await createFile(sasProgramPath, sampleSasProgram)
+
+          await request(app)
+            .get(`/SASjsApi/stp/execute?_program=${programPath}`)
+            .auth(accessToken, { type: 'bearer' })
+            .send()
+            .expect(200)
+
+          expect(ProcessProgramModule.processProgram).toHaveBeenCalledWith(
+            expect.anything(),
+            expect.anything(),
+            expect.anything(),
+            expect.anything(),
+            expect.anything(),
+            expect.anything(),
+            RunTimeType.SAS,
+            expect.anything(),
+            undefined
+          )
+        })
+
+        it('should throw error when both sas and js programs do not exist', async () => {
+          const programPath = path.join(testFilesFolder, 'program')
+
+          await request(app)
+            .get(`/SASjsApi/stp/execute?_program=${programPath}`)
+            .auth(accessToken, { type: 'bearer' })
+            .send()
+            .expect(400)
+        })
+      })
+
+      describe('with runtime sas and js', () => {
+        beforeAll(() => {
+          process.runTimes = [RunTimeType.SAS, RunTimeType.JS]
+        })
+
+        beforeEach(() => {
+          jest.resetModules() // it clears the cache
+          setupMocks()
+        })
+
+        afterEach(async () => {
+          jest.resetAllMocks()
+          await deleteFolder(path.join(filesFolder, testFilesFolder))
+        })
+
+        it('should execute sas program when both sas and js programs  exist', async () => {
+          const programPath = path.join(testFilesFolder, 'program')
+          const sasProgramPath = path.join(filesFolder, `${programPath}.sas`)
+          const jsProgramPath = path.join(filesFolder, `${programPath}.js`)
+          await createFile(sasProgramPath, sampleSasProgram)
+          await createFile(jsProgramPath, sampleJsProgram)
+
+          await request(app)
+            .get(`/SASjsApi/stp/execute?_program=${programPath}`)
+            .auth(accessToken, { type: 'bearer' })
+            .send()
+            .expect(200)
+
+          expect(ProcessProgramModule.processProgram).toHaveBeenCalledWith(
+            expect.anything(),
+            expect.anything(),
+            expect.anything(),
+            expect.anything(),
+            expect.anything(),
+            expect.anything(),
+            RunTimeType.SAS,
+            expect.anything(),
+            undefined
+          )
+        })
+
+        it('should execute js program when sas program is not present but js program exists', async () => {
+          const programPath = path.join(testFilesFolder, 'program')
+          const jsProgramPath = path.join(filesFolder, `${programPath}.js`)
+          await createFile(jsProgramPath, sampleJsProgram)
+
+          await request(app)
+            .get(`/SASjsApi/stp/execute?_program=${programPath}`)
+            .auth(accessToken, { type: 'bearer' })
+            .send()
+            .expect(200)
+
+          expect(ProcessProgramModule.processProgram).toHaveBeenCalledWith(
+            expect.anything(),
+            expect.anything(),
+            expect.anything(),
+            expect.anything(),
+            expect.anything(),
+            expect.anything(),
+            RunTimeType.JS,
+            expect.anything(),
+            undefined
+          )
+        })
+
+        it('should throw error when both sas and js programs do not exist', async () => {
+          const programPath = path.join(testFilesFolder, 'program')
+
+          await request(app)
+            .get(`/SASjsApi/stp/execute?_program=${programPath}`)
+            .auth(accessToken, { type: 'bearer' })
+            .send()
+            .expect(400)
+        })
+      })
+    })
+  })
+})
+
+const generateSaveTokenAndCreateUser = async (
+  someUser: any
+): Promise<string> => {
+  const userController = new UserController()
+  const dbUser = await userController.createUser(someUser)
+
+  return generateAndSaveToken(dbUser.id)
+}
+
+const generateAndSaveToken = async (userId: number) => {
+  const accessToken = generateAccessToken({
+    clientId,
+    userId
+  })
+  await saveTokensInDB(userId, clientId, accessToken, 'refreshToken')
+  return accessToken
+}
+
+const setupMocks = async () => {
+  jest
+    .spyOn(SASSessionController.prototype, 'getSession')
+    .mockImplementation(mockedGetSession)
+
+  jest
+    .spyOn(JSSessionController.prototype, 'getSession')
+    .mockImplementation(mockedGetSession)
+
+  jest
+    .spyOn(ProcessProgramModule, 'processProgram')
+    .mockImplementation(() => Promise.resolve())
+}
+
+const mockedGetSession = async () => {
+  const sessionId = generateUniqueFileName(generateTimestamp())
+  const sessionFolder = path.join(getSessionsFolder(), sessionId)
+
+  const creationTimeStamp = sessionId.split('-').pop() as string
+  // death time of session is 15 mins from creation
+  const deathTimeStamp = (
+    parseInt(creationTimeStamp) +
+    15 * 60 * 1000 -
+    1000
+  ).toString()
+
+  const session: Session = {
+    id: sessionId,
+    ready: true,
+    inUse: true,
+    consumed: false,
+    completed: false,
+    creationTimeStamp,
+    deathTimeStamp,
+    path: sessionFolder
+  }
+
+  return session
+}
--- a/api/src/routes/api/spec/user.spec.ts
+++ b/api/src/routes/api/spec/user.spec.ts
@@ -3,20 +3,20 @@ import mongoose, { Mongoose } from 'mongoose'
 import { MongoMemoryServer } from 'mongodb-memory-server'
 import request from 'supertest'
 import appPromise from '../../../app'
-import { UserController } from '../../../controllers/'
+import { UserController, GroupController } from '../../../controllers/'
 import { generateAccessToken, saveTokensInDB } from '../../../utils'

 const clientId = 'someclientID'
 const adminUser = {
  displayName: 'Test Admin',
-  username: 'testAdminUsername',
+  username: 'testadminusername',
  password: '12345678',
  isAdmin: true,
  isActive: true
 }
 const user = {
  displayName: 'Test User',
-  username: 'testUsername',
+  username: 'testusername',
  password: '87654321',
  isAdmin: false,
  isActive: true,
@@ -68,6 +68,20 @@ describe('user', () => {
      expect(res.body.autoExec).toEqual(user.autoExec)
    })

+    it('should respond with new user having username as lowercase', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/user')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({ ...user, username: user.username.toUpperCase() })
+        .expect(200)
+
+      expect(res.body.username).toEqual(user.username)
+      expect(res.body.displayName).toEqual(user.displayName)
+      expect(res.body.isAdmin).toEqual(user.isAdmin)
+      expect(res.body.isActive).toEqual(user.isActive)
+      expect(res.body.autoExec).toEqual(user.autoExec)
+    })
+
    it('should respond with Unauthorized if access token is not present', async () => {
      const res = await request(app)
        .post('/SASjsApi/user')
@@ -244,7 +258,7 @@ describe('user', () => {
      const dbUser1 = await controller.createUser(user)
      const dbUser2 = await controller.createUser({
        ...user,
-        username: 'randomUser'
+        username: 'randomuser'
      })

      const res = await request(app)
@@ -256,6 +270,102 @@ describe('user', () => {
      expect(res.text).toEqual('Error: Username already exists.')
      expect(res.body).toEqual({})
    })
+
+    describe('by username', () => {
+      it('should respond with updated user when admin user requests', async () => {
+        const dbUser = await controller.createUser(user)
+        const newDisplayName = 'My new display Name'
+
+        const res = await request(app)
+          .patch(`/SASjsApi/user/by/username/${user.username}`)
+          .auth(adminAccessToken, { type: 'bearer' })
+          .send({ ...user, displayName: newDisplayName })
+          .expect(200)
+
+        expect(res.body.username).toEqual(user.username)
+        expect(res.body.displayName).toEqual(newDisplayName)
+        expect(res.body.isAdmin).toEqual(user.isAdmin)
+        expect(res.body.isActive).toEqual(user.isActive)
+      })
+
+      it('should respond with updated user when user himself requests', async () => {
+        const dbUser = await controller.createUser(user)
+        const accessToken = await generateAndSaveToken(dbUser.id)
+        const newDisplayName = 'My new display Name'
+
+        const res = await request(app)
+          .patch(`/SASjsApi/user/by/username/${user.username}`)
+          .auth(accessToken, { type: 'bearer' })
+          .send({
+            displayName: newDisplayName,
+            username: user.username,
+            password: user.password
+          })
+          .expect(200)
+
+        expect(res.body.username).toEqual(user.username)
+        expect(res.body.displayName).toEqual(newDisplayName)
+        expect(res.body.isAdmin).toEqual(user.isAdmin)
+        expect(res.body.isActive).toEqual(user.isActive)
+      })
+
+      it('should respond with Bad Request, only admin can update isAdmin/isActive', async () => {
+        const dbUser = await controller.createUser(user)
+        const accessToken = await generateAndSaveToken(dbUser.id)
+        const newDisplayName = 'My new display Name'
+
+        await request(app)
+          .patch(`/SASjsApi/user/by/username/${user.username}`)
+          .auth(accessToken, { type: 'bearer' })
+          .send({ ...user, displayName: newDisplayName })
+          .expect(400)
+      })
+
+      it('should respond with Unauthorized if access token is not present', async () => {
+        const res = await request(app)
+          .patch('/SASjsApi/user/by/username/1234')
+          .send(user)
+          .expect(401)
+
+        expect(res.text).toEqual('Unauthorized')
+        expect(res.body).toEqual({})
+      })
+
+      it('should respond with Unauthorized when access token is not of an admin account or himself', async () => {
+        const dbUser1 = await controller.createUser(user)
+        const dbUser2 = await controller.createUser({
+          ...user,
+          username: 'randomUser'
+        })
+        const accessToken = await generateAndSaveToken(dbUser2.id)
+
+        const res = await request(app)
+          .patch(`/SASjsApi/user/${dbUser1.id}`)
+          .auth(accessToken, { type: 'bearer' })
+          .send(user)
+          .expect(401)
+
+        expect(res.text).toEqual('Admin account required')
+        expect(res.body).toEqual({})
+      })
+
+      it('should respond with Forbidden if username is already present', async () => {
+        const dbUser1 = await controller.createUser(user)
+        const dbUser2 = await controller.createUser({
+          ...user,
+          username: 'randomuser'
+        })
+
+        const res = await request(app)
+          .patch(`/SASjsApi/user/by/username/${dbUser1.username}`)
+          .auth(adminAccessToken, { type: 'bearer' })
+          .send({ username: dbUser2.username })
+          .expect(403)
+
+        expect(res.text).toEqual('Error: Username already exists.')
+        expect(res.body).toEqual({})
+      })
+    })
  })

  describe('delete', () => {
@@ -349,6 +459,89 @@ describe('user', () => {
      expect(res.text).toEqual('Error: Invalid password.')
      expect(res.body).toEqual({})
    })
+
+    describe('by username', () => {
+      it('should respond with OK when admin user requests', async () => {
+        const dbUser = await controller.createUser(user)
+
+        const res = await request(app)
+          .delete(`/SASjsApi/user/by/username/${dbUser.username}`)
+          .auth(adminAccessToken, { type: 'bearer' })
+          .send()
+          .expect(200)
+
+        expect(res.body).toEqual({})
+      })
+
+      it('should respond with OK when user himself requests', async () => {
+        const dbUser = await controller.createUser(user)
+        const accessToken = await generateAndSaveToken(dbUser.id)
+
+        const res = await request(app)
+          .delete(`/SASjsApi/user/by/username/${dbUser.username}`)
+          .auth(accessToken, { type: 'bearer' })
+          .send({ password: user.password })
+          .expect(200)
+
+        expect(res.body).toEqual({})
+      })
+
+      it('should respond with Bad Request when user himself requests and password is missing', async () => {
+        const dbUser = await controller.createUser(user)
+        const accessToken = await generateAndSaveToken(dbUser.id)
+
+        const res = await request(app)
+          .delete(`/SASjsApi/user/by/username/${dbUser.username}`)
+          .auth(accessToken, { type: 'bearer' })
+          .send()
+          .expect(400)
+
+        expect(res.text).toEqual(`"password" is required`)
+        expect(res.body).toEqual({})
+      })
+
+      it('should respond with Unauthorized when access token is not present', async () => {
+        const res = await request(app)
+          .delete('/SASjsApi/user/by/username/RandomUsername')
+          .send(user)
+          .expect(401)
+
+        expect(res.text).toEqual('Unauthorized')
+        expect(res.body).toEqual({})
+      })
+
+      it('should respond with Unauthorized when access token is not of an admin account or himself', async () => {
+        const dbUser1 = await controller.createUser(user)
+        const dbUser2 = await controller.createUser({
+          ...user,
+          username: 'randomUser'
+        })
+        const accessToken = await generateAndSaveToken(dbUser2.id)
+
+        const res = await request(app)
+          .delete(`/SASjsApi/user/by/username/${dbUser1.username}`)
+          .auth(accessToken, { type: 'bearer' })
+          .send(user)
+          .expect(401)
+
+        expect(res.text).toEqual('Admin account required')
+        expect(res.body).toEqual({})
+      })
+
+      it('should respond with Forbidden when user himself requests and password is incorrect', async () => {
+        const dbUser = await controller.createUser(user)
+        const accessToken = await generateAndSaveToken(dbUser.id)
+
+        const res = await request(app)
+          .delete(`/SASjsApi/user/by/username/${dbUser.username}`)
+          .auth(accessToken, { type: 'bearer' })
+          .send({ password: 'incorrectpassword' })
+          .expect(403)
+
+        expect(res.text).toEqual('Error: Invalid password.')
+        expect(res.body).toEqual({})
+      })
+    })
  })

  describe('get', () => {
@@ -378,6 +571,7 @@ describe('user', () => {
      expect(res.body.isAdmin).toEqual(user.isAdmin)
      expect(res.body.isActive).toEqual(user.isActive)
      expect(res.body.autoExec).toEqual(user.autoExec)
+      expect(res.body.groups).toEqual([])
    })

    it('should respond with user autoExec when admin user requests', async () => {
@@ -395,6 +589,7 @@ describe('user', () => {
      expect(res.body.isAdmin).toEqual(user.isAdmin)
      expect(res.body.isActive).toEqual(user.isActive)
      expect(res.body.autoExec).toEqual(user.autoExec)
+      expect(res.body.groups).toEqual([])
    })

    it('should respond with user when access token is not of an admin account', async () => {
@@ -417,6 +612,34 @@ describe('user', () => {
      expect(res.body.isAdmin).toEqual(user.isAdmin)
      expect(res.body.isActive).toEqual(user.isActive)
      expect(res.body.autoExec).toBeUndefined()
+      expect(res.body.groups).toEqual([])
+    })
+
+    it('should respond with user along with associated groups', async () => {
+      const dbUser = await controller.createUser(user)
+      const userId = dbUser.id
+      const accessToken = await generateAndSaveToken(userId)
+
+      const group = {
+        name: 'DCGroup1',
+        description: 'DC group for testing purposes.'
+      }
+      const groupController = new GroupController()
+      const dbGroup = await groupController.createGroup(group)
+      await groupController.addUserToGroup(dbGroup.groupId, dbUser.id)
+
+      const res = await request(app)
+        .get(`/SASjsApi/user/${userId}`)
+        .auth(accessToken, { type: 'bearer' })
+        .send()
+        .expect(200)
+
+      expect(res.body.username).toEqual(user.username)
+      expect(res.body.displayName).toEqual(user.displayName)
+      expect(res.body.isAdmin).toEqual(user.isAdmin)
+      expect(res.body.isActive).toEqual(user.isActive)
+      expect(res.body.autoExec).toEqual(user.autoExec)
+      expect(res.body.groups.length).toBeGreaterThan(0)
    })

    it('should respond with Unauthorized if access token is not present', async () => {
@@ -441,6 +664,86 @@ describe('user', () => {
      expect(res.text).toEqual('Error: User is not found.')
      expect(res.body).toEqual({})
    })
+
+    describe('by username', () => {
+      it('should respond with user autoExec when same user requests', async () => {
+        const dbUser = await controller.createUser(user)
+        const userId = dbUser.id
+        const accessToken = await generateAndSaveToken(userId)
+
+        const res = await request(app)
+          .get(`/SASjsApi/user/by/username/${dbUser.username}`)
+          .auth(accessToken, { type: 'bearer' })
+          .send()
+          .expect(200)
+
+        expect(res.body.username).toEqual(user.username)
+        expect(res.body.displayName).toEqual(user.displayName)
+        expect(res.body.isAdmin).toEqual(user.isAdmin)
+        expect(res.body.isActive).toEqual(user.isActive)
+        expect(res.body.autoExec).toEqual(user.autoExec)
+      })
+
+      it('should respond with user autoExec when admin user requests', async () => {
+        const dbUser = await controller.createUser(user)
+
+        const res = await request(app)
+          .get(`/SASjsApi/user/by/username/${dbUser.username}`)
+          .auth(adminAccessToken, { type: 'bearer' })
+          .send()
+          .expect(200)
+
+        expect(res.body.username).toEqual(user.username)
+        expect(res.body.displayName).toEqual(user.displayName)
+        expect(res.body.isAdmin).toEqual(user.isAdmin)
+        expect(res.body.isActive).toEqual(user.isActive)
+        expect(res.body.autoExec).toEqual(user.autoExec)
+      })
+
+      it('should respond with user when access token is not of an admin account', async () => {
+        const accessToken = await generateSaveTokenAndCreateUser({
+          ...user,
+          username: 'randomUser'
+        })
+
+        const dbUser = await controller.createUser(user)
+
+        const res = await request(app)
+          .get(`/SASjsApi/user/by/username/${dbUser.username}`)
+          .auth(accessToken, { type: 'bearer' })
+          .send()
+          .expect(200)
+
+        expect(res.body.username).toEqual(user.username)
+        expect(res.body.displayName).toEqual(user.displayName)
+        expect(res.body.isAdmin).toEqual(user.isAdmin)
+        expect(res.body.isActive).toEqual(user.isActive)
+        expect(res.body.autoExec).toBeUndefined()
+      })
+
+      it('should respond with Unauthorized if access token is not present', async () => {
+        const res = await request(app)
+          .get('/SASjsApi/user/by/username/randomUsername')
+          .send()
+          .expect(401)
+
+        expect(res.text).toEqual('Unauthorized')
+        expect(res.body).toEqual({})
+      })
+
+      it('should respond with Forbidden if username is incorrect', async () => {
+        await controller.createUser(user)
+
+        const res = await request(app)
+          .get('/SASjsApi/user/by/username/randomUsername')
+          .auth(adminAccessToken, { type: 'bearer' })
+          .send()
+          .expect(403)
+
+        expect(res.text).toEqual('Error: User is not found.')
+        expect(res.body).toEqual({})
+      })
+    })
  })

  describe('getAll', () => {
@@ -467,12 +770,14 @@ describe('user', () => {
        {
          id: expect.anything(),
          username: adminUser.username,
-          displayName: adminUser.displayName
+          displayName: adminUser.displayName,
+          isAdmin: adminUser.isAdmin
        },
        {
          id: expect.anything(),
          username: user.username,
-          displayName: user.displayName
+          displayName: user.displayName,
+          isAdmin: user.isAdmin
        }
      ])
    })
@@ -493,12 +798,14 @@ describe('user', () => {
        {
          id: expect.anything(),
          username: adminUser.username,
-          displayName: adminUser.displayName
+          displayName: adminUser.displayName,
+          isAdmin: adminUser.isAdmin
        },
        {
          id: expect.anything(),
          username: 'randomUser',
-          displayName: user.displayName
+          displayName: user.displayName,
+          isAdmin: user.isAdmin
        }
      ])
    })
--- a/api/src/routes/api/spec/web.spec.ts
+++ b/api/src/routes/api/spec/web.spec.ts
@@ -10,7 +10,7 @@ const clientSecret = 'someclientSecret'
 const user = {
  id: 1234,
  displayName: 'Test User',
-  username: 'testUsername',
+  username: 'testusername',
  password: '87654321',
  isAdmin: false,
  isActive: true
@@ -77,8 +77,10 @@ describe('web', () => {

      expect(res.body.loggedIn).toBeTruthy()
      expect(res.body.user).toEqual({
+        id: expect.any(Number),
        username: user.username,
-        displayName: user.displayName
+        displayName: user.displayName,
+        isAdmin: user.isAdmin
      })
    })
  })
@@ -155,7 +157,6 @@ const getCSRF = async (app: Express) => {
  const { header } = await request(app).get('/')
  const cookies = header['set-cookie'].join()

-  console.log('cookies', cookies)
  const csrfToken = extractCSRF(cookies)
  return { csrfToken, cookies }
 }
--- a/api/src/routes/api/stp.ts
+++ b/api/src/routes/api/stp.ts
@@ -35,22 +35,24 @@ stpRouter.post(
  fileUploadController.preUploadMiddleware,
  fileUploadController.getMulterUploadObject().any(),
  async (req, res: any) => {
-    const { error: errQ, value: query } = executeProgramRawValidation(req.query)
-    const { error: errB, value: body } = executeProgramRawValidation(req.body)
+    // below validations are moved to preUploadMiddleware
+    // const { error: errQ, value: query } = executeProgramRawValidation(req.query)
+    // const { error: errB, value: body } = executeProgramRawValidation(req.body)

-    if (errQ && errB) return res.status(400).send(errB.details[0].message)
+    // if (errQ && errB) return res.status(400).send(errB.details[0].message)

    try {
      const response = await controller.executeReturnJson(
        req,
-        body,
-        query?._program
+        req.body,
+        req.query?._program as string
      )

-      if (response instanceof Buffer) {
-        res.writeHead(200, (req as any).sasHeaders)
-        return res.end(response)
-      }
+      // TODO: investigate if this code is required
+      // if (response instanceof Buffer) {
+      //   res.writeHead(200, (req as any).sasHeaders)
+      //   return res.end(response)
+      // }

      res.send(response)
    } catch (err: any) {
--- a/api/src/routes/api/user.ts
+++ b/api/src/routes/api/user.ts
@@ -7,6 +7,7 @@ import {
 } from '../../middlewares'
 import {
  deleteUserValidation,
+  getUserValidation,
  registerUserValidation,
  updateUserValidation
 } from '../../utils'
@@ -36,6 +37,25 @@ userRouter.get('/', authenticateAccessToken, async (req, res) => {
  }
 })

+userRouter.get(
+  '/by/username/:username',
+  authenticateAccessToken,
+  async (req, res) => {
+    const { error, value: params } = getUserValidation(req.params)
+    if (error) return res.status(400).send(error.details[0].message)
+
+    const { username } = params
+
+    const controller = new UserController()
+    try {
+      const response = await controller.getUserByUsername(req, username)
+      res.send(response)
+    } catch (err: any) {
+      res.status(403).send(err.toString())
+    }
+  }
+)
+
 userRouter.get('/:userId', authenticateAccessToken, async (req, res) => {
  const { userId } = req.params

@@ -48,6 +68,34 @@ userRouter.get('/:userId', authenticateAccessToken, async (req, res) => {
  }
 })

+userRouter.patch(
+  '/by/username/:username',
+  authenticateAccessToken,
+  verifyAdminIfNeeded,
+  async (req, res) => {
+    const { user } = req
+    const { error: errorUsername, value: params } = getUserValidation(
+      req.params
+    )
+    if (errorUsername)
+      return res.status(400).send(errorUsername.details[0].message)
+
+    const { username } = params
+
+    // only an admin can update `isActive` and `isAdmin` fields
+    const { error, value: body } = updateUserValidation(req.body, user!.isAdmin)
+    if (error) return res.status(400).send(error.details[0].message)
+
+    const controller = new UserController()
+    try {
+      const response = await controller.updateUserByUsername(username, body)
+      res.send(response)
+    } catch (err: any) {
+      res.status(403).send(err.toString())
+    }
+  }
+)
+
 userRouter.patch(
  '/:userId',
  authenticateAccessToken,
@@ -70,6 +118,34 @@ userRouter.patch(
  }
 )

+userRouter.delete(
+  '/by/username/:username',
+  authenticateAccessToken,
+  verifyAdminIfNeeded,
+  async (req, res) => {
+    const { user } = req
+    const { error: errorUsername, value: params } = getUserValidation(
+      req.params
+    )
+    if (errorUsername)
+      return res.status(400).send(errorUsername.details[0].message)
+
+    const { username } = params
+
+    // only an admin can delete user without providing password
+    const { error, value: data } = deleteUserValidation(req.body, user!.isAdmin)
+    if (error) return res.status(400).send(error.details[0].message)
+
+    const controller = new UserController()
+    try {
+      await controller.deleteUserByUsername(username, data, user!.isAdmin)
+      res.status(200).send('Account Deleted!')
+    } catch (err: any) {
+      res.status(403).send(err.toString())
+    }
+  }
+)
+
 userRouter.delete(
  '/:userId',
  authenticateAccessToken,
--- a/api/src/routes/appStream/appStreamHtml.ts
+++ b/api/src/routes/appStream/appStreamHtml.ts
@@ -23,13 +23,21 @@ export const appStreamHtml = (appStreamConfig: AppStreamConfig) => `
    ${style}
  </head>
  <body>
-    <h1>App Stream</h1>
+    <header>
+      <a href="/"><img src="/logo.png" alt="logo" class="logo"></a>
+      <h1>App Stream</h1>
+    </header>
    <div class="app-container">
-      ${Object.entries(appStreamConfig)
-        .map(([streamServiceName, entry]) =>
-          singleAppStreamHtml(streamServiceName, entry.appLoc, entry.streamLogo)
-        )
-        .join('')}
+        ${Object.entries(appStreamConfig)
+          .map(([streamServiceName, entry]) =>
+            singleAppStreamHtml(
+              streamServiceName,
+              entry.appLoc,
+              entry.streamLogo
+            )
+          )
+          .join('')}
+
        <a class="app" title="Upload build.json">
          <input id="fileId" type="file" hidden />
          <button id="uploadButton" style="margin-bottom: 5px; cursor: pointer">
--- a/api/src/routes/appStream/index.ts
+++ b/api/src/routes/appStream/index.ts
@@ -1,13 +1,16 @@
 import path from 'path'
-import express from 'express'
+import express, { Request } from 'express'
+import { authenticateAccessToken } from '../../middlewares'
 import { folderExists } from '@sasjs/utils'

 import { addEntryToAppStreamConfig, getFilesFolder } from '../../utils'
 import { appStreamHtml } from './appStreamHtml'

+const appStreams: { [key: string]: string } = {}
+
 const router = express.Router()

-router.get('/', async (req, res) => {
+router.get('/', authenticateAccessToken, async (req, res) => {
  const content = appStreamHtml(process.appStreamConfig)

  res.cookie('XSRF-TOKEN', req.csrfToken())
@@ -44,7 +47,7 @@ export const publishAppStream = async (
      streamServiceName = `AppStreamName${appCount + 1}`
    }

-    router.use(`/${streamServiceName}`, express.static(pathToDeployment))
+    appStreams[streamServiceName] = pathToDeployment

    addEntryToAppStreamConfig(
      streamServiceName,
@@ -64,4 +67,26 @@ export const publishAppStream = async (
  return {}
 }

+router.get(`/*`, authenticateAccessToken, function (req: Request, res, next) {
+  const reqPath = req.path.replace(/^\//, '')
+
+  // Redirecting to url with trailing slash for appStream base URL only
+  if (reqPath.split('/').length === 1 && !reqPath.endsWith('/'))
+    // navigating to same url with slash at start
+    return res.redirect(301, `${reqPath}/`)
+
+  const appStream = reqPath.split('/')[0]
+  const appStreamFilesPath = appStreams[appStream]
+  if (appStreamFilesPath) {
+    // resourcePath is without appStream base path
+    const resourcePath = reqPath.split('/').slice(1).join('/') || 'index.html'
+
+    req.url = resourcePath
+
+    return express.static(appStreamFilesPath)(req, res, next)
+  }
+
+  return res.send("There's no App Stream available here.")
+})
+
 export default router
--- a/api/src/routes/appStream/style.ts
+++ b/api/src/routes/appStream/style.ts
@@ -5,18 +5,71 @@ export const style = `<style>
 .app-container {
  display: flex;
  flex-wrap: wrap;
-  align-items: baseline;
+  align-items: center;
  justify-content: center;
+  padding-top: 50px;
 }
 .app-container .app {
  width: 150px;
+  height: 180px;
  margin: 10px;
  overflow: hidden;
  text-align: center;
+
+  text-decoration: none;
+  color: black;
+
+  background: #efefef;
+  padding: 10px;
+  border-radius: 7px;
+  border: 1px solid #d7d7d7;
 }
 .app-container .app img{
  width: 100%;
  margin-bottom: 10px;
  border-radius: 10px;
 }
+#uploadButton {
+  border: 0
+}
+
+#uploadButton:focus {
+  outline: 0
+}
+
+#uploadMessage {
+  position: relative;
+  bottom: -5px;
+}
+
+header {
+  transition: box-shadow 300ms cubic-bezier(0.4, 0, 0.2, 1) 0ms;
+  box-shadow: rgb(0 0 0 / 20%) 0px 2px 4px -1px, rgb(0 0 0 / 14%) 0px 4px 5px 0px, rgb(0 0 0 / 12%) 0px 1px 10px 0px;
+  display: flex;
+  width: 100%;
+  box-sizing: border-box;
+  flex-shrink: 0;
+  position: fixed;
+  top: 0px;
+  left: auto;
+  right: 0px;
+  background-color: rgb(0, 0, 0);
+  color: rgb(255, 255, 255);
+  z-index: 1201;
+}
+
+header h1 {
+  margin: 13px;
+  font-size: 20px;
+}
+
+header a {
+  align-self: center;
+}
+
+header .logo {
+  width: 35px;
+  margin-left: 10px;
+  align-self: center;
+}
 </style>`
--- a/api/src/routes/web/web.ts
+++ b/api/src/routes/web/web.ts
@@ -1,6 +1,7 @@
 import express from 'express'
+import { cookieOptions } from '../../app'
 import { WebController } from '../../controllers/web'
-import { authenticateAccessToken } from '../../middlewares'
+import { authenticateAccessToken, desktopRestrict } from '../../middlewares'
 import { authorizeValidation, loginWebValidation } from '../../utils'

 const webRouter = express.Router()
@@ -13,13 +14,13 @@ webRouter.get('/', async (req, res) => {
  } catch (_) {
    response = 'Web Build is not present'
  } finally {
-    res.cookie('XSRF-TOKEN', req.csrfToken())
+    res.cookie('XSRF-TOKEN', req.csrfToken(), cookieOptions)

    return res.send(response)
  }
 })

-webRouter.post('/SASLogon/login', async (req, res) => {
+webRouter.post('/SASLogon/login', desktopRestrict, async (req, res) => {
  const { error, value: body } = loginWebValidation(req.body)
  if (error) return res.status(400).send(error.details[0].message)

@@ -33,6 +34,7 @@ webRouter.post('/SASLogon/login', async (req, res) => {

 webRouter.post(
  '/SASLogon/authorize',
+  desktopRestrict,
  authenticateAccessToken,
  async (req, res) => {
    const { error, value: body } = authorizeValidation(req.body)
@@ -47,7 +49,7 @@ webRouter.post(
  }
 )

-webRouter.get('/logout', async (req, res) => {
+webRouter.get('/SASLogon/logout', desktopRestrict, async (req, res) => {
  try {
    await controller.logout(req)
    res.status(200).send('OK!')
--- a/api/src/server.ts
+++ b/api/src/server.ts
@@ -16,9 +16,9 @@ appPromise.then(async (app) => {
      )
    })
  } else {
-    const { key, cert } = await getCertificates()
+    const { key, cert, ca } = await getCertificates()

-    const httpsServer = createServer({ key, cert }, app)
+    const httpsServer = createServer({ key, cert, ca }, app)
    httpsServer.listen(sasJsPort, () => {
      console.log(
        `⚡️[server]: Server is running at https://localhost:${sasJsPort}`
--- a/api/src/types/system/express.d.ts
+++ b/api/src/types/system/express.d.ts
@@ -2,6 +2,6 @@ declare namespace Express {
  export interface Request {
    accessToken?: string
    user?: import('../').RequestUser
-    sasSession?: import('../').Session
+    sasjsSession?: import('../').Session
  }
 }
--- a/api/src/types/system/process.d.ts
+++ b/api/src/types/system/process.d.ts
@@ -1,9 +1,14 @@
 declare namespace NodeJS {
  export interface Process {
-    sasLoc: string
+    sasLoc?: string
+    nodeLoc?: string
    driveLoc: string
-    sessionController?: import('../../controllers/internal').SessionController
+    logsLoc: string
+    sasSessionController?: import('../../controllers/internal').SASSessionController
+    jsSessionController?: import('../../controllers/internal').JSSessionController
    appStreamConfig: import('../').AppStreamConfig
    logger: import('@sasjs/utils/logger').Logger
+    runTimes: import('../../utils').RunTimeType[]
+    secrets: import('../../model/Configuration').ConfigurationType
  }
 }
--- a/api/src/utils/appStreamConfig.ts
+++ b/api/src/utils/appStreamConfig.ts
@@ -5,6 +5,8 @@ import { AppStreamConfig } from '../types'
 import { getAppStreamConfigPath } from './file'

 export const loadAppStreamConfig = async () => {
+  process.appStreamConfig = {}
+
  if (process.env.NODE_ENV === 'test') return

  const appStreamConfigPath = getAppStreamConfigPath()
@@ -21,7 +23,6 @@ export const loadAppStreamConfig = async () => {
  } catch (_) {
    appStreamConfig = {}
  }
-  process.appStreamConfig = {}

  for (const [streamServiceName, entry] of Object.entries(appStreamConfig)) {
    const { appLoc, streamWebFolder, streamLogo } = entry
--- a/api/src/utils/connectDB.ts
+++ b/api/src/utils/connectDB.ts
@@ -9,7 +9,5 @@ export const connectDB = async () => {
  }

  console.log('Connected to DB!')
-  await seedDB()
-
-  return mongoose.connection
+  return seedDB()
 }
--- a/api/src/utils/desktopAutoExec.ts
+++ b/api/src/utils/desktopAutoExec.ts
@@ -0,0 +1,8 @@
+import { createFile, readFile } from '@sasjs/utils'
+import { getDesktopUserAutoExecPath } from './file'
+
+export const getUserAutoExec = async (): Promise<string> =>
+  readFile(getDesktopUserAutoExecPath())
+
+export const updateUserAutoExec = async (autoExecContent: string) =>
+  createFile(getDesktopUserAutoExecPath(), autoExecContent)
--- a/api/src/utils/extractName.ts
+++ b/api/src/utils/extractName.ts
@@ -0,0 +1,6 @@
+import path from 'path'
+
+export const extractName = (filePath: string) => {
+  const extension = path.extname(filePath)
+  return path.basename(filePath, extension)
+}
--- a/api/src/utils/file.ts
+++ b/api/src/utils/file.ts
@@ -1,5 +1,6 @@
 import path from 'path'
 import { homedir } from 'os'
+import fs from 'fs-extra'

 export const apiRoot = path.join(__dirname, '..', '..')
 export const codebaseRoot = path.join(apiRoot, '..')
@@ -21,6 +22,8 @@ export const getDesktopUserAutoExecPath = () =>

 export const getSasjsRootFolder = () => process.driveLoc

+export const getLogFolder = () => process.logsLoc
+
 export const getAppStreamConfigPath = () =>
  path.join(getSasjsRootFolder(), 'appStreamConfig.json')

@@ -31,8 +34,6 @@ export const getUploadsFolder = () => path.join(getSasjsRootFolder(), 'uploads')

 export const getFilesFolder = () => path.join(getSasjsRootFolder(), 'files')

-export const getLogFolder = () => path.join(getSasjsRootFolder(), 'logs')
-
 export const getWeboutFolder = () => path.join(getSasjsRootFolder(), 'webouts')

 export const getSessionsFolder = () =>
@@ -47,3 +48,6 @@ export const generateUniqueFileName = (fileName: string, extension = '') =>
    new Date().getTime(),
    extension
  ].join('')
+
+export const createReadStream = async (filePath: string) =>
+  fs.createReadStream(filePath)
--- a/api/src/utils/generateAccessToken.ts
+++ b/api/src/utils/generateAccessToken.ts
@@ -2,6 +2,6 @@ import jwt from 'jsonwebtoken'
 import { InfoJWT } from '../types'

 export const generateAccessToken = (data: InfoJWT) =>
-  jwt.sign(data, process.env.ACCESS_TOKEN_SECRET as string, {
+  jwt.sign(data, process.secrets.ACCESS_TOKEN_SECRET, {
    expiresIn: '1day'
  })
--- a/api/src/utils/generateAuthCode.ts
+++ b/api/src/utils/generateAuthCode.ts
@@ -2,6 +2,6 @@ import jwt from 'jsonwebtoken'
 import { InfoJWT } from '../types'

 export const generateAuthCode = (data: InfoJWT) =>
-  jwt.sign(data, process.env.AUTH_CODE_SECRET as string, {
+  jwt.sign(data, process.secrets.AUTH_CODE_SECRET, {
    expiresIn: '30s'
  })
--- a/api/src/utils/generateRefreshToken.ts
+++ b/api/src/utils/generateRefreshToken.ts
@@ -2,6 +2,6 @@ import jwt from 'jsonwebtoken'
 import { InfoJWT } from '../types'

 export const generateRefreshToken = (data: InfoJWT) =>
-  jwt.sign(data, process.env.REFRESH_TOKEN_SECRET as string, {
+  jwt.sign(data, process.secrets.REFRESH_TOKEN_SECRET, {
    expiresIn: '30 days'
  })
--- a/api/src/utils/getAuthorizedRoutes.ts
+++ b/api/src/utils/getAuthorizedRoutes.ts
@@ -0,0 +1,35 @@
+import { Request } from 'express'
+
+const StaticAuthorizedRoutes = [
+  '/AppStream',
+  '/SASjsApi/code/execute',
+  '/SASjsApi/stp/execute',
+  '/SASjsApi/drive/deploy',
+  '/SASjsApi/drive/deploy/upload',
+  '/SASjsApi/drive/file',
+  '/SASjsApi/drive/folder',
+  '/SASjsApi/drive/fileTree',
+  '/SASjsApi/permission'
+]
+
+export const getAuthorizedRoutes = () => {
+  const streamingApps = Object.keys(process.appStreamConfig)
+  const streamingAppsRoutes = streamingApps.map((app) => `/AppStream/${app}`)
+  return [...StaticAuthorizedRoutes, ...streamingAppsRoutes]
+}
+
+export const getUri = (req: Request) => {
+  const { baseUrl, path: reqPath } = req
+
+  if (baseUrl === '/AppStream') {
+    const appStream = reqPath.split('/')[1]
+
+    // removing trailing slash of URLs
+    return (baseUrl + '/' + appStream).replace(/\/$/, '')
+  }
+
+  return (baseUrl + reqPath).replace(/\/$/, '')
+}
+
+export const isAuthorizingRoute = (req: Request): boolean =>
+  getAuthorizedRoutes().includes(getUri(req))
--- a/api/src/utils/getCertificates.ts
+++ b/api/src/utils/getCertificates.ts
@@ -2,22 +2,32 @@ import path from 'path'
 import { fileExists, getString, readFile } from '@sasjs/utils'

 export const getCertificates = async () => {
-  const { PRIVATE_KEY, FULL_CHAIN } = process.env
+  const { PRIVATE_KEY, CERT_CHAIN, CA_ROOT } = process.env
+
+  let ca

  const keyPath = PRIVATE_KEY ?? (await getFileInput('Private Key (PEM)'))
-  const certPath = FULL_CHAIN ?? (await getFileInput('Full Chain (PEM)'))
+  const certPath = CERT_CHAIN ?? (await getFileInput('Certificate Chain (PEM)'))
+  const caPath = CA_ROOT

  console.log('keyPath: ', keyPath)
  console.log('certPath: ', certPath)
+  if (caPath) console.log('caPath: ', caPath)

  const key = await readFile(keyPath)
  const cert = await readFile(certPath)
+  if (caPath) ca = await readFile(caPath)

-  return { key, cert }
+  return { key, cert, ca }
 }

-const getFileInput = async (filename: string): Promise<string> => {
+const getFileInput = async (
+  filename: string,
+  required: boolean = true
+): Promise<string> => {
  const validator = async (filePath: string) => {
+    if (!required) return true
+
    if (!filePath) return `Path to ${filename} is required.`

    if (!(await fileExists(path.join(process.cwd(), filePath)))) {
--- a/api/src/utils/getDesktopFields.ts
+++ b/api/src/utils/getDesktopFields.ts
@@ -1,16 +1,22 @@
 import path from 'path'
 import { getString } from '@sasjs/utils/input'
-import { createFolder, fileExists, folderExists } from '@sasjs/utils'
-
-const isWindows = () => process.platform === 'win32'
+import { createFolder, fileExists, folderExists, isWindows } from '@sasjs/utils'
+import { RunTimeType } from './verifyEnvVariables'

 export const getDesktopFields = async () => {
-  const { SAS_PATH } = process.env
+  const { SAS_PATH, NODE_PATH } = process.env

-  const sasLoc = SAS_PATH ?? (await getSASLocation())
-  // const driveLoc = DRIVE_PATH ?? (await getDriveLocation())
+  let sasLoc, nodeLoc

-  return { sasLoc }
+  if (process.runTimes.includes(RunTimeType.SAS)) {
+    sasLoc = SAS_PATH ?? (await getSASLocation())
+  }
+
+  if (process.runTimes.includes(RunTimeType.JS)) {
+    nodeLoc = NODE_PATH ?? (await getNodeLocation())
+  }
+
+  return { sasLoc, nodeLoc }
 }

 const getDriveLocation = async (): Promise<string> => {
@@ -54,7 +60,31 @@ const getSASLocation = async (): Promise<string> => {
    : '/opt/sas/sas9/SASHome/SASFoundation/9.4/sasexe/sas'

  const targetName = await getString(
-    'Please enter path to SAS executable (absolute path): ',
+    'Please enter full path to a SAS executable with UTF-8 encoding: ',
+    validator,
+    defaultLocation
+  )
+
+  return targetName
+}
+
+const getNodeLocation = async (): Promise<string> => {
+  const validator = async (filePath: string) => {
+    if (!filePath) return 'Path to NodeJS executable is required.'
+
+    if (!(await fileExists(filePath))) {
+      return 'No file found at provided path.'
+    }
+
+    return true
+  }
+
+  const defaultLocation = isWindows()
+    ? 'C:\\Program Files\\nodejs\\node.exe'
+    : '/usr/local/nodejs/bin/node.sh'
+
+  const targetName = await getString(
+    'Please enter full path to a NodeJS executable: ',
    validator,
    defaultLocation
  )
--- a/api/src/utils/getRunTimeAndFilePath.ts
+++ b/api/src/utils/getRunTimeAndFilePath.ts
@@ -0,0 +1,33 @@
+import path from 'path'
+import { fileExists } from '@sasjs/utils'
+import { getFilesFolder } from './file'
+import { RunTimeType } from '.'
+
+export const getRunTimeAndFilePath = async (programPath: string) => {
+  const ext = path.extname(programPath)
+  // If programPath (_program) is provided with a ".sas" or ".js" extension
+  // we should use that extension to determine the appropriate runTime
+  if (ext && Object.values(RunTimeType).includes(ext.slice(1) as RunTimeType)) {
+    const runTime = ext.slice(1)
+
+    const codePath = path
+      .join(getFilesFolder(), programPath)
+      .replace(new RegExp('/', 'g'), path.sep)
+
+    if (await fileExists(codePath)) {
+      return { codePath, runTime: runTime as RunTimeType }
+    }
+  } else {
+    for (const runTime of process.runTimes) {
+      const codePath =
+        path
+          .join(getFilesFolder(), programPath)
+          .replace(new RegExp('/', 'g'), path.sep) +
+        '.' +
+        runTime
+
+      if (await fileExists(codePath)) return { codePath, runTime }
+    }
+  }
+  throw `The Program at (${programPath}) does not exist.`
+}
--- a/api/src/utils/getServerUrl.ts
+++ b/api/src/utils/getServerUrl.ts
@@ -0,0 +1,15 @@
+import express from 'express'
+import url from 'url'
+
+export const getFullUrl = (req: express.Request) =>
+  url.format({
+    protocol: req.protocol,
+    host: req.get('host'),
+    pathname: req.originalUrl
+  })
+
+export const getServerUrl = (req: express.Request) =>
+  url.format({
+    protocol: req.protocol,
+    host: req.get('x-forwarded-host') || req.get('host')
+  })
--- a/api/src/utils/index.ts
+++ b/api/src/utils/index.ts
@@ -1,16 +1,22 @@
 export * from './appStreamConfig'
 export * from './connectDB'
 export * from './copySASjsCore'
+export * from './desktopAutoExec'
 export * from './extractHeaders'
+export * from './extractName'
 export * from './file'
 export * from './generateAccessToken'
 export * from './generateAuthCode'
 export * from './generateRefreshToken'
+export * from './getAuthorizedRoutes'
 export * from './getCertificates'
 export * from './getDesktopFields'
 export * from './getPreProgramVariables'
+export * from './getRunTimeAndFilePath'
+export * from './getServerUrl'
 export * from './instantiateLogger'
 export * from './isDebugOn'
+export * from './zipped'
 export * from './parseLogToArray'
 export * from './removeTokensInDB'
 export * from './saveTokensInDB'
--- a/api/src/utils/seedDB.ts
+++ b/api/src/utils/seedDB.ts
@@ -1,6 +1,73 @@
 import Client from '../model/Client'
+import Group from '../model/Group'
 import User from '../model/User'
+import Configuration, { ConfigurationType } from '../model/Configuration'

+import { randomBytes } from 'crypto'
+
+export const SECRETS: ConfigurationType = {
+  ACCESS_TOKEN_SECRET: randomBytes(64).toString('hex'),
+  REFRESH_TOKEN_SECRET: randomBytes(64).toString('hex'),
+  AUTH_CODE_SECRET: randomBytes(64).toString('hex'),
+  SESSION_SECRET: randomBytes(64).toString('hex')
+}
+
+export const seedDB = async (): Promise<ConfigurationType> => {
+  // Checking if client is already in the database
+  const clientExist = await Client.findOne({ clientId: CLIENT.clientId })
+  if (!clientExist) {
+    const client = new Client(CLIENT)
+    await client.save()
+
+    console.log(`DB Seed - client created: ${CLIENT.clientId}`)
+  }
+
+  // Checking if 'AllUsers' Group is already in the database
+  let groupExist = await Group.findOne({ name: GROUP.name })
+  if (!groupExist) {
+    const group = new Group(GROUP)
+    groupExist = await group.save()
+
+    console.log(`DB Seed - Group created: ${GROUP.name}`)
+  }
+
+  // Checking if user is already in the database
+  let usernameExist = await User.findOne({ username: ADMIN_USER.username })
+  if (!usernameExist) {
+    const user = new User(ADMIN_USER)
+    usernameExist = await user.save()
+
+    console.log(`DB Seed - admin account created: ${ADMIN_USER.username}`)
+  }
+
+  if (!groupExist.hasUser(usernameExist)) {
+    groupExist.addUser(usernameExist)
+    console.log(
+      `DB Seed - admin account '${ADMIN_USER.username}' added to Group '${GROUP.name}'`
+    )
+  }
+
+  // checking if configuration is present in the database
+  let configExist = await Configuration.findOne()
+  if (!configExist) {
+    const configuration = new Configuration(SECRETS)
+    configExist = await configuration.save()
+
+    console.log('DB Seed - configuration added')
+  }
+
+  return {
+    ACCESS_TOKEN_SECRET: configExist.ACCESS_TOKEN_SECRET,
+    REFRESH_TOKEN_SECRET: configExist.REFRESH_TOKEN_SECRET,
+    AUTH_CODE_SECRET: configExist.AUTH_CODE_SECRET,
+    SESSION_SECRET: configExist.SESSION_SECRET
+  }
+}
+
+const GROUP = {
+  name: 'AllUsers',
+  description: 'Group contains all users'
+}
 const CLIENT = {
  clientId: 'clientID1',
  clientSecret: 'clientSecret'
@@ -13,23 +80,3 @@ const ADMIN_USER = {
  isAdmin: true,
  isActive: true
 }
-
-export const seedDB = async () => {
-  // Checking if client is already in the database
-  const clientExist = await Client.findOne({ clientId: CLIENT.clientId })
-  if (!clientExist) {
-    const client = new Client(CLIENT)
-    await client.save()
-
-    console.log(`DB Seed - client created: ${CLIENT.clientId}`)
-  }
-
-  // Checking if user is already in the database
-  const usernameExist = await User.findOne({ username: ADMIN_USER.username })
-  if (!usernameExist) {
-    const user = new User(ADMIN_USER)
-    await user.save()
-
-    console.log(`DB Seed - admin account created: ${ADMIN_USER.username}`)
-  }
-}
--- a/api/src/utils/setProcessVariables.ts
+++ b/api/src/utils/setProcessVariables.ts
@@ -1,22 +1,38 @@
 import path from 'path'
 import { createFolder, getAbsolutePath, getRealPath } from '@sasjs/utils'

-import { getDesktopFields, ModeType } from '.'
+import { connectDB, getDesktopFields, ModeType, RunTimeType, SECRETS } from '.'

 export const setProcessVariables = async () => {
+  const { MODE, RUN_TIMES } = process.env
+
+  if (MODE === ModeType.Server) {
+    // NOTE: when exporting app.js as agent for supertest
+    // it should prevent connecting to the real database
+    if (process.env.NODE_ENV !== 'test') {
+      const secrets = await connectDB()
+
+      process.secrets = secrets
+    } else {
+      process.secrets = SECRETS
+    }
+  }
+
  if (process.env.NODE_ENV === 'test') {
    process.driveLoc = path.join(process.cwd(), 'sasjs_root')
    return
  }

-  const { MODE } = process.env
+  process.runTimes = (RUN_TIMES?.split(',') as RunTimeType[]) ?? []

  if (MODE === ModeType.Server) {
-    process.sasLoc = process.env.SAS_PATH as string
+    process.sasLoc = process.env.SAS_PATH
+    process.nodeLoc = process.env.NODE_PATH
  } else {
-    const { sasLoc } = await getDesktopFields()
+    const { sasLoc, nodeLoc } = await getDesktopFields()

    process.sasLoc = sasLoc
+    process.nodeLoc = nodeLoc
  }

  const { SASJS_ROOT } = process.env
@@ -24,6 +40,16 @@ export const setProcessVariables = async () => {
  await createFolder(absPath)
  process.driveLoc = getRealPath(absPath)

+  const { LOG_LOCATION } = process.env
+  const absLogsPath = getAbsolutePath(
+    LOG_LOCATION ?? `sasjs_root${path.sep}logs`,
+    process.cwd()
+  )
+  await createFolder(absLogsPath)
+  process.logsLoc = getRealPath(absLogsPath)
+
  console.log('sasLoc: ', process.sasLoc)
  console.log('sasDrive: ', process.driveLoc)
+  console.log('sasLogs: ', process.logsLoc)
+  console.log('runTimes: ', process.runTimes)
 }
--- a/api/src/utils/specs/extractHeaders.spec.ts
+++ b/api/src/utils/specs/extractHeaders.spec.ts
@@ -1,4 +1,4 @@
-import { extractHeaders } from '..'
+import { extractHeaders } from '../extractHeaders'

 describe('extractHeaders', () => {
  it('should return valid http headers', () => {
--- a/api/src/utils/specs/parseLogToArray.spec.ts
+++ b/api/src/utils/specs/parseLogToArray.spec.ts
@@ -1,4 +1,4 @@
-import { parseLogToArray } from '..'
+import { parseLogToArray } from '../parseLogToArray'

 describe('parseLogToArray', () => {
  it('should parse log to array type', () => {
--- a/api/src/utils/upload.ts
+++ b/api/src/utils/upload.ts
@@ -1,5 +1,6 @@
+import path from 'path'
 import { MulterFile } from '../types/Upload'
-import { listFilesInFolder } from '@sasjs/utils'
+import { listFilesInFolder, readFileBinary, isWindows } from '@sasjs/utils'

 interface FilenameMapSingle {
  fieldName: string
@@ -98,3 +99,36 @@ export const generateFileUploadSasCode = async (

  return uploadSasCode
 }
+
+/**
+ * Generates the js code that references uploaded files in the concurrent request
+ * @param filesNamesMap object that maps hashed file names and original file names
+ * @param sessionFolder name of the folder that is created for the purpose of files in concurrent request
+ * @returns generated js code
+ */
+export const generateFileUploadJSCode = async (
+  filesNamesMap: FilenamesMap,
+  sessionFolder: string
+) => {
+  let uploadCode = ''
+  let fileCount = 0
+
+  const sessionFolderList: string[] = await listFilesInFolder(sessionFolder)
+  sessionFolderList.forEach(async (fileName) => {
+    if (fileName.includes('req_file')) {
+      fileCount++
+      const filePath = path.join(sessionFolder, fileName)
+      uploadCode += `\nconst _WEBIN_FILEREF${fileCount} = fs.readFileSync('${
+        isWindows() ? filePath.replace(/\\/g, '\\\\') : filePath
+      }')`
+      uploadCode += `\nconst _WEBIN_FILENAME${fileCount} = '${filesNamesMap[fileName].originalName}'`
+      uploadCode += `\nconst _WEBIN_NAME${fileCount} = '${filesNamesMap[fileName].fieldName}'`
+    }
+  })
+
+  if (fileCount) {
+    uploadCode = `\nconst _WEBIN_FILE_COUNT = ${fileCount}` + uploadCode
+  }
+
+  return uploadCode
+}
--- a/api/src/utils/validation.ts
+++ b/api/src/utils/validation.ts
@@ -1,10 +1,18 @@
 import Joi from 'joi'
+import { PermissionSetting, PrincipalType } from '../controllers/permission'
+import { getAuthorizedRoutes } from './getAuthorizedRoutes'

-const usernameSchema = Joi.string().alphanum().min(3).max(16)
+const usernameSchema = Joi.string().lowercase().alphanum().min(3).max(16)
 const passwordSchema = Joi.string().min(6).max(1024)
+const groupnameSchema = Joi.string().lowercase().alphanum().min(3).max(16)

 export const blockFileRegex = /\.(exe|sh|htaccess)$/i

+export const getUserValidation = (data: any): Joi.ValidationResult =>
+  Joi.object({
+    username: usernameSchema.required()
+  }).validate(data)
+
 export const loginWebValidation = (data: any): Joi.ValidationResult =>
  Joi.object({
    username: usernameSchema.required(),
@@ -24,11 +32,16 @@ export const tokenValidation = (data: any): Joi.ValidationResult =>

 export const registerGroupValidation = (data: any): Joi.ValidationResult =>
  Joi.object({
-    name: Joi.string().min(6).required(),
+    name: groupnameSchema.required(),
    description: Joi.string(),
    isActive: Joi.boolean()
  }).validate(data)

+export const getGroupValidation = (data: any): Joi.ValidationResult =>
+  Joi.object({
+    name: groupnameSchema.required()
+  }).validate(data)
+
 export const registerUserValidation = (data: any): Joi.ValidationResult =>
  Joi.object({
    displayName: Joi.string().min(6).required(),
@@ -36,7 +49,7 @@ export const registerUserValidation = (data: any): Joi.ValidationResult =>
    password: passwordSchema.required(),
    isAdmin: Joi.boolean(),
    isActive: Joi.boolean(),
-    autoExec: Joi.string()
+    autoExec: Joi.string().allow('')
  }).validate(data)

 export const deleteUserValidation = (
@@ -59,7 +72,7 @@ export const updateUserValidation = (
    displayName: Joi.string().min(6),
    username: usernameSchema,
    password: passwordSchema,
-    autoExec: Joi.string()
+    autoExec: Joi.string().allow('')
  }
  if (isAdmin) {
    validationChecks.isAdmin = Joi.boolean()
@@ -74,6 +87,27 @@ export const registerClientValidation = (data: any): Joi.ValidationResult =>
    clientSecret: Joi.string().required()
  }).validate(data)

+export const registerPermissionValidation = (data: any): Joi.ValidationResult =>
+  Joi.object({
+    uri: Joi.string()
+      .required()
+      .valid(...getAuthorizedRoutes()),
+    setting: Joi.string()
+      .required()
+      .valid(...Object.values(PermissionSetting)),
+    principalType: Joi.string()
+      .required()
+      .valid(...Object.values(PrincipalType)),
+    principalId: Joi.number().required()
+  }).validate(data)
+
+export const updatePermissionValidation = (data: any): Joi.ValidationResult =>
+  Joi.object({
+    setting: Joi.string()
+      .required()
+      .valid(...Object.values(PermissionSetting))
+  }).validate(data)
+
 export const deployValidation = (data: any): Joi.ValidationResult =>
  Joi.object({
    appLoc: Joi.string().pattern(/^\//).required().min(2),
@@ -109,9 +143,10 @@ export const folderParamValidation = (data: any): Joi.ValidationResult =>
    _folderPath: Joi.string()
  }).validate(data)

-export const runSASValidation = (data: any): Joi.ValidationResult =>
+export const runCodeValidation = (data: any): Joi.ValidationResult =>
  Joi.object({
-    code: Joi.string().required()
+    code: Joi.string().required(),
+    runTime: Joi.string().valid(...process.runTimes)
  }).validate(data)

 export const executeProgramRawValidation = (data: any): Joi.ValidationResult =>
--- a/api/src/utils/verifyEnvVariables.ts
+++ b/api/src/utils/verifyEnvVariables.ts
@@ -26,6 +26,11 @@ export enum LOG_FORMAT_MORGANType {
  tiny = 'tiny'
 }

+export enum RunTimeType {
+  SAS = 'sas',
+  JS = 'js'
+}
+
 export enum ReturnCode {
  Success,
  InvalidEnv
@@ -46,6 +51,10 @@ export const verifyEnvVariables = (): ReturnCode => {

  errors.push(...verifyLOG_FORMAT_MORGAN())

+  errors.push(...verifyRUN_TIMES())
+
+  errors.push(...verifyExecutablePaths())
+
  if (errors.length) {
    process.logger?.error(
      `Invalid environment variable(s) provided: \n${errors.join('\n')}`
@@ -69,33 +78,7 @@ const verifyMODE = (): string[] => {
  }

  if (process.env.MODE === ModeType.Server) {
-    const {
-      ACCESS_TOKEN_SECRET,
-      REFRESH_TOKEN_SECRET,
-      AUTH_CODE_SECRET,
-      SESSION_SECRET,
-      DB_CONNECT
-    } = process.env
-
-    if (!ACCESS_TOKEN_SECRET)
-      errors.push(
-        `- ACCESS_TOKEN_SECRET is required for PROTOCOL '${ModeType.Server}'`
-      )
-
-    if (!REFRESH_TOKEN_SECRET)
-      errors.push(
-        `- REFRESH_TOKEN_SECRET is required for PROTOCOL '${ModeType.Server}'`
-      )
-
-    if (!AUTH_CODE_SECRET)
-      errors.push(
-        `- AUTH_CODE_SECRET is required for PROTOCOL '${ModeType.Server}'`
-      )
-
-    if (!SESSION_SECRET)
-      errors.push(
-        `- SESSION_SECRET is required for PROTOCOL '${ModeType.Server}'`
-      )
+    const { DB_CONNECT } = process.env

    if (process.env.NODE_ENV !== 'test')
      if (!DB_CONNECT)
@@ -120,16 +103,16 @@ const verifyPROTOCOL = (): string[] => {
  }

  if (process.env.PROTOCOL === ProtocolType.HTTPS) {
-    const { PRIVATE_KEY, FULL_CHAIN } = process.env
+    const { PRIVATE_KEY, CERT_CHAIN } = process.env

    if (!PRIVATE_KEY)
      errors.push(
        `- PRIVATE_KEY is required for PROTOCOL '${ProtocolType.HTTPS}'`
      )

-    if (!FULL_CHAIN)
+    if (!CERT_CHAIN)
      errors.push(
-        `- FULL_CHAIN is required for PROTOCOL '${ProtocolType.HTTPS}'`
+        `- CERT_CHAIN is required for PROTOCOL '${ProtocolType.HTTPS}'`
      )
  }

@@ -202,10 +185,52 @@ const verifyLOG_FORMAT_MORGAN = (): string[] => {
  return errors
 }

+const verifyRUN_TIMES = (): string[] => {
+  const errors: string[] = []
+  const { RUN_TIMES } = process.env
+
+  if (RUN_TIMES) {
+    const runTimes = RUN_TIMES.split(',')
+
+    const runTimeTypes = Object.values(RunTimeType)
+
+    runTimes.forEach((runTime) => {
+      if (!runTimeTypes.includes(runTime as RunTimeType)) {
+        errors.push(
+          `- Invalid '${runTime}' runtime\n - valid options ${runTimeTypes}`
+        )
+      }
+    })
+  } else {
+    process.env.RUN_TIMES = DEFAULTS.RUN_TIMES
+  }
+  return errors
+}
+
+const verifyExecutablePaths = () => {
+  const errors: string[] = []
+  const { RUN_TIMES, SAS_PATH, NODE_PATH, MODE } = process.env
+
+  if (MODE === ModeType.Server) {
+    const runTimes = RUN_TIMES?.split(',')
+
+    if (runTimes?.includes(RunTimeType.SAS) && !SAS_PATH) {
+      errors.push(`- SAS_PATH is required for ${RunTimeType.SAS} run time`)
+    }
+
+    if (runTimes?.includes(RunTimeType.JS) && !NODE_PATH) {
+      errors.push(`- NODE_PATH is required for ${RunTimeType.JS} run time`)
+    }
+  }
+
+  return errors
+}
+
 const DEFAULTS = {
  MODE: ModeType.Desktop,
  PROTOCOL: ProtocolType.HTTP,
  PORT: '5000',
  HELMET_COEP: HelmetCoepType.TRUE,
-  LOG_FORMAT_MORGAN: LOG_FORMAT_MORGANType.Common
+  LOG_FORMAT_MORGAN: LOG_FORMAT_MORGANType.Common,
+  RUN_TIMES: RunTimeType.SAS
 }
--- a/api/src/utils/zipped.ts
+++ b/api/src/utils/zipped.ts
@@ -0,0 +1,41 @@
+import path from 'path'
+import unZipper from 'unzipper'
+import { extractName } from './extractName'
+import { createReadStream } from './file'
+
+export const isZipFile = (
+  file: Express.Multer.File
+): { error?: string; value?: Express.Multer.File } => {
+  const fileExtension = path.extname(file.originalname)
+  if (fileExtension.toUpperCase() !== '.ZIP')
+    return { error: `"file" has invalid extension ${fileExtension}` }
+
+  const allowedMimetypes = ['application/zip', 'application/x-zip-compressed']
+
+  if (!allowedMimetypes.includes(file.mimetype))
+    return { error: `"file" has invalid type ${file.mimetype}` }
+
+  return { value: file }
+}
+
+export const extractJSONFromZip = async (zipFile: Express.Multer.File) => {
+  let fileContent: string = ''
+
+  const fileInZip = extractName(zipFile.originalname)
+  const zip = (await createReadStream(zipFile.path)).pipe(
+    unZipper.Parse({ forceStream: true })
+  )
+
+  for await (const entry of zip) {
+    const fileName = entry.path as string
+    // grab the first json found in .zip
+    if (fileName.toUpperCase().endsWith('.JSON')) {
+      fileContent = await entry.buffer()
+      break
+    } else {
+      entry.autodrain()
+    }
+  }
+
+  return fileContent
+}
--- a/api/tsoa.json
+++ b/api/tsoa.json
@@ -13,7 +13,7 @@
    "tags": [
      {
        "name": "Info",
-        "description": "Get Server Info"
+        "description": "Get Server Information"
      },
      {
        "name": "Session",
@@ -21,7 +21,11 @@
      },
      {
        "name": "User",
-        "description": "Operations about users"
+        "description": "Operations with users"
+      },
+      {
+        "name": "Permission",
+        "description": "Operations about permissions"
      },
      {
        "name": "Client",
@@ -33,19 +37,19 @@
      },
      {
        "name": "Drive",
-        "description": "Operations about drive"
+        "description": "Operations on SASjs Drive"
      },
      {
        "name": "Group",
-        "description": "Operations about group"
+        "description": "Operations on groups and group memberships"
      },
      {
        "name": "STP",
-        "description": "Operations about STP"
+        "description": "Execution of Stored Programs"
      },
      {
        "name": "CODE",
-        "description": "Operations on SAS code"
+        "description": "Execution of code (various runtimes are supported)"
      },
      {
        "name": "Web",
--- a/package-lock.json
+++ b/package-lock.json
@@ -2770,9 +2770,9 @@
      }
    },
    "node_modules/npm": {
-      "version": "8.10.0",
-      "resolved": "https://registry.npmjs.org/npm/-/npm-8.10.0.tgz",
-      "integrity": "sha512-6oo65q9Quv9mRPGZJufmSH+C/UFdgelwzRXiglT/2mDB50zdy/lZK5dFY0TJ9fJ/8gHqnxcX1NM206KLjTBMlQ==",
+      "version": "8.12.2",
+      "resolved": "https://registry.npmjs.org/npm/-/npm-8.12.2.tgz",
+      "integrity": "sha512-TArexqro9wpl/6wz6t6YdYhOoiy/UArqiSsSsqI7fieEhQEswDQSJcgt/LuCDjl6mfCDi0So7S2UZ979qLYRPg==",
      "bundleDependencies": [
        "@isaacs/string-locale-compare",
        "@npmcli/arborist",
@@ -2858,7 +2858,7 @@
        "@npmcli/run-script": "^3.0.1",
        "abbrev": "~1.1.1",
        "archy": "~1.0.0",
-        "cacache": "^16.0.7",
+        "cacache": "^16.1.1",
        "chalk": "^4.1.2",
        "chownr": "^2.0.0",
        "cli-columns": "^4.0.0",
@@ -2883,7 +2883,7 @@
        "libnpmsearch": "^5.0.2",
        "libnpmteam": "^4.0.2",
        "libnpmversion": "^3.0.1",
-        "make-fetch-happen": "^10.1.3",
+        "make-fetch-happen": "^10.1.7",
        "minipass": "^3.1.6",
        "minipass-pipeline": "^1.2.4",
        "mkdirp": "^1.0.4",
@@ -2900,7 +2900,7 @@
        "npm-user-validate": "^1.0.1",
        "npmlog": "^6.0.2",
        "opener": "^1.5.2",
-        "pacote": "^13.3.0",
+        "pacote": "^13.6.0",
        "parse-conflict-json": "^2.0.2",
        "proc-log": "^2.0.1",
        "qrcode-terminal": "^0.12.0",
@@ -2910,7 +2910,7 @@
        "readdir-scoped-modules": "^1.1.0",
        "rimraf": "^3.0.2",
        "semver": "^7.3.7",
-        "ssri": "^9.0.0",
+        "ssri": "^9.0.1",
        "tar": "^6.1.11",
        "text-table": "~0.2.0",
        "tiny-relative-date": "^1.3.0",
@@ -2965,7 +2965,7 @@
      "peer": true
    },
    "node_modules/npm/node_modules/@npmcli/arborist": {
-      "version": "5.2.0",
+      "version": "5.2.1",
      "dev": true,
      "inBundle": true,
      "license": "ISC",
@@ -3389,7 +3389,7 @@
      }
    },
    "node_modules/npm/node_modules/cacache": {
-      "version": "16.0.7",
+      "version": "16.1.1",
      "dev": true,
      "inBundle": true,
      "license": "ISC",
@@ -3759,7 +3759,7 @@
      }
    },
    "node_modules/npm/node_modules/glob": {
-      "version": "8.0.1",
+      "version": "8.0.3",
      "dev": true,
      "inBundle": true,
      "license": "ISC",
@@ -3769,8 +3769,7 @@
        "inflight": "^1.0.4",
        "inherits": "2",
        "minimatch": "^5.0.1",
-        "once": "^1.3.0",
-        "path-is-absolute": "^1.0.0"
+        "once": "^1.3.0"
      },
      "engines": {
        "node": ">=12"
@@ -4121,7 +4120,7 @@
      }
    },
    "node_modules/npm/node_modules/libnpmexec": {
-      "version": "4.0.5",
+      "version": "4.0.6",
      "dev": true,
      "inBundle": true,
      "license": "ISC",
@@ -4186,7 +4185,7 @@
      }
    },
    "node_modules/npm/node_modules/libnpmpack": {
-      "version": "4.0.3",
+      "version": "4.1.0",
      "dev": true,
      "inBundle": true,
      "license": "ISC",
@@ -4194,7 +4193,7 @@
      "dependencies": {
        "@npmcli/run-script": "^3.0.0",
        "npm-package-arg": "^9.0.1",
-        "pacote": "^13.0.5"
+        "pacote": "^13.5.0"
      },
      "engines": {
        "node": "^12.13.0 || ^14.15.0 || >=16.0.0"
@@ -4272,14 +4271,14 @@
      }
    },
    "node_modules/npm/node_modules/make-fetch-happen": {
-      "version": "10.1.3",
+      "version": "10.1.7",
      "dev": true,
      "inBundle": true,
      "license": "ISC",
      "peer": true,
      "dependencies": {
        "agentkeepalive": "^4.2.1",
-        "cacache": "^16.0.2",
+        "cacache": "^16.1.0",
        "http-cache-semantics": "^4.1.0",
        "http-proxy-agent": "^5.0.0",
        "https-proxy-agent": "^5.0.0",
@@ -4292,7 +4291,7 @@
        "minipass-pipeline": "^1.2.4",
        "negotiator": "^0.6.3",
        "promise-retry": "^2.0.1",
-        "socks-proxy-agent": "^6.1.1",
+        "socks-proxy-agent": "^7.0.0",
        "ssri": "^9.0.0"
      },
      "engines": {
@@ -4300,7 +4299,7 @@
      }
    },
    "node_modules/npm/node_modules/minimatch": {
-      "version": "5.0.1",
+      "version": "5.1.0",
      "dev": true,
      "inBundle": true,
      "license": "ISC",
@@ -4509,7 +4508,7 @@
      }
    },
    "node_modules/npm/node_modules/node-gyp/node_modules/glob": {
-      "version": "7.2.0",
+      "version": "7.2.3",
      "dev": true,
      "inBundle": true,
      "license": "ISC",
@@ -4518,7 +4517,7 @@
        "fs.realpath": "^1.0.0",
        "inflight": "^1.0.4",
        "inherits": "2",
-        "minimatch": "^3.0.4",
+        "minimatch": "^3.1.1",
        "once": "^1.3.0",
        "path-is-absolute": "^1.0.0"
      },
@@ -4633,7 +4632,7 @@
      }
    },
    "node_modules/npm/node_modules/npm-packlist": {
-      "version": "5.0.3",
+      "version": "5.1.0",
      "dev": true,
      "inBundle": true,
      "license": "ISC",
@@ -4760,7 +4759,7 @@
      }
    },
    "node_modules/npm/node_modules/pacote": {
-      "version": "13.3.0",
+      "version": "13.6.0",
      "dev": true,
      "inBundle": true,
      "license": "ISC",
@@ -4777,7 +4776,7 @@
        "minipass": "^3.1.6",
        "mkdirp": "^1.0.4",
        "npm-package-arg": "^9.0.0",
-        "npm-packlist": "^5.0.0",
+        "npm-packlist": "^5.1.0",
        "npm-pick-manifest": "^7.0.0",
        "npm-registry-fetch": "^13.0.1",
        "proc-log": "^2.0.0",
@@ -5009,7 +5008,7 @@
      }
    },
    "node_modules/npm/node_modules/rimraf/node_modules/glob": {
-      "version": "7.2.0",
+      "version": "7.2.3",
      "dev": true,
      "inBundle": true,
      "license": "ISC",
@@ -5018,7 +5017,7 @@
        "fs.realpath": "^1.0.0",
        "inflight": "^1.0.4",
        "inherits": "2",
-        "minimatch": "^3.0.4",
+        "minimatch": "^3.1.1",
        "once": "^1.3.0",
        "path-is-absolute": "^1.0.0"
      },
@@ -5141,7 +5140,7 @@
      }
    },
    "node_modules/npm/node_modules/socks-proxy-agent": {
-      "version": "6.2.0",
+      "version": "7.0.0",
      "dev": true,
      "inBundle": true,
      "license": "MIT",
@@ -5192,7 +5191,7 @@
      "peer": true
    },
    "node_modules/npm/node_modules/ssri": {
-      "version": "9.0.0",
+      "version": "9.0.1",
      "dev": true,
      "inBundle": true,
      "license": "ISC",
@@ -5911,9 +5910,9 @@
      "peer": true
    },
    "node_modules/semantic-release": {
-      "version": "19.0.2",
-      "resolved": "https://registry.npmjs.org/semantic-release/-/semantic-release-19.0.2.tgz",
-      "integrity": "sha512-7tPonjZxukKECmClhsfyMKDt0GR38feIC2HxgyYaBi+9tDySBLjK/zYDLhh+m6yjnHIJa9eBTKYE7k63ZQcYbw==",
+      "version": "19.0.3",
+      "resolved": "https://registry.npmjs.org/semantic-release/-/semantic-release-19.0.3.tgz",
+      "integrity": "sha512-HaFbydST1cDKZHuFZxB8DTrBLJVK/AnDExpK0s3EqLIAAUAHUgnd+VSJCUtTYQKkAkauL8G9CucODrVCc7BuAA==",
      "dev": true,
      "peer": true,
      "dependencies": {
@@ -9019,9 +9018,9 @@
      "peer": true
    },
    "npm": {
-      "version": "8.10.0",
-      "resolved": "https://registry.npmjs.org/npm/-/npm-8.10.0.tgz",
-      "integrity": "sha512-6oo65q9Quv9mRPGZJufmSH+C/UFdgelwzRXiglT/2mDB50zdy/lZK5dFY0TJ9fJ/8gHqnxcX1NM206KLjTBMlQ==",
+      "version": "8.12.2",
+      "resolved": "https://registry.npmjs.org/npm/-/npm-8.12.2.tgz",
+      "integrity": "sha512-TArexqro9wpl/6wz6t6YdYhOoiy/UArqiSsSsqI7fieEhQEswDQSJcgt/LuCDjl6mfCDi0So7S2UZ979qLYRPg==",
      "dev": true,
      "peer": true,
      "requires": {
@@ -9035,7 +9034,7 @@
        "@npmcli/run-script": "^3.0.1",
        "abbrev": "~1.1.1",
        "archy": "~1.0.0",
-        "cacache": "^16.0.7",
+        "cacache": "^16.1.1",
        "chalk": "^4.1.2",
        "chownr": "^2.0.0",
        "cli-columns": "^4.0.0",
@@ -9060,7 +9059,7 @@
        "libnpmsearch": "^5.0.2",
        "libnpmteam": "^4.0.2",
        "libnpmversion": "^3.0.1",
-        "make-fetch-happen": "^10.1.3",
+        "make-fetch-happen": "^10.1.7",
        "minipass": "^3.1.6",
        "minipass-pipeline": "^1.2.4",
        "mkdirp": "^1.0.4",
@@ -9077,7 +9076,7 @@
        "npm-user-validate": "^1.0.1",
        "npmlog": "^6.0.2",
        "opener": "^1.5.2",
-        "pacote": "^13.3.0",
+        "pacote": "^13.6.0",
        "parse-conflict-json": "^2.0.2",
        "proc-log": "^2.0.1",
        "qrcode-terminal": "^0.12.0",
@@ -9087,7 +9086,7 @@
        "readdir-scoped-modules": "^1.1.0",
        "rimraf": "^3.0.2",
        "semver": "^7.3.7",
-        "ssri": "^9.0.0",
+        "ssri": "^9.0.1",
        "tar": "^6.1.11",
        "text-table": "~0.2.0",
        "tiny-relative-date": "^1.3.0",
@@ -9117,7 +9116,7 @@
          "peer": true
        },
        "@npmcli/arborist": {
-          "version": "5.2.0",
+          "version": "5.2.1",
          "bundled": true,
          "dev": true,
          "peer": true,
@@ -9432,7 +9431,7 @@
          }
        },
        "cacache": {
-          "version": "16.0.7",
+          "version": "16.1.1",
          "bundled": true,
          "dev": true,
          "peer": true,
@@ -9704,7 +9703,7 @@
          }
        },
        "glob": {
-          "version": "8.0.1",
+          "version": "8.0.3",
          "bundled": true,
          "dev": true,
          "peer": true,
@@ -9713,8 +9712,7 @@
            "inflight": "^1.0.4",
            "inherits": "2",
            "minimatch": "^5.0.1",
-            "once": "^1.3.0",
-            "path-is-absolute": "^1.0.0"
+            "once": "^1.3.0"
          }
        },
        "graceful-fs": {
@@ -9970,7 +9968,7 @@
          }
        },
        "libnpmexec": {
-          "version": "4.0.5",
+          "version": "4.0.6",
          "bundled": true,
          "dev": true,
          "peer": true,
@@ -10019,14 +10017,14 @@
          }
        },
        "libnpmpack": {
-          "version": "4.0.3",
+          "version": "4.1.0",
          "bundled": true,
          "dev": true,
          "peer": true,
          "requires": {
            "@npmcli/run-script": "^3.0.0",
            "npm-package-arg": "^9.0.1",
-            "pacote": "^13.0.5"
+            "pacote": "^13.5.0"
          }
        },
        "libnpmpublish": {
@@ -10081,13 +10079,13 @@
          "peer": true
        },
        "make-fetch-happen": {
-          "version": "10.1.3",
+          "version": "10.1.7",
          "bundled": true,
          "dev": true,
          "peer": true,
          "requires": {
            "agentkeepalive": "^4.2.1",
-            "cacache": "^16.0.2",
+            "cacache": "^16.1.0",
            "http-cache-semantics": "^4.1.0",
            "http-proxy-agent": "^5.0.0",
            "https-proxy-agent": "^5.0.0",
@@ -10100,12 +10098,12 @@
            "minipass-pipeline": "^1.2.4",
            "negotiator": "^0.6.3",
            "promise-retry": "^2.0.1",
-            "socks-proxy-agent": "^6.1.1",
+            "socks-proxy-agent": "^7.0.0",
            "ssri": "^9.0.0"
          }
        },
        "minimatch": {
-          "version": "5.0.1",
+          "version": "5.1.0",
          "bundled": true,
          "dev": true,
          "peer": true,
@@ -10254,7 +10252,7 @@
              }
            },
            "glob": {
-              "version": "7.2.0",
+              "version": "7.2.3",
              "bundled": true,
              "dev": true,
              "peer": true,
@@ -10262,7 +10260,7 @@
                "fs.realpath": "^1.0.0",
                "inflight": "^1.0.4",
                "inherits": "2",
-                "minimatch": "^3.0.4",
+                "minimatch": "^3.1.1",
                "once": "^1.3.0",
                "path-is-absolute": "^1.0.0"
              }
@@ -10344,7 +10342,7 @@
          }
        },
        "npm-packlist": {
-          "version": "5.0.3",
+          "version": "5.1.0",
          "bundled": true,
          "dev": true,
          "peer": true,
@@ -10435,7 +10433,7 @@
          }
        },
        "pacote": {
-          "version": "13.3.0",
+          "version": "13.6.0",
          "bundled": true,
          "dev": true,
          "peer": true,
@@ -10451,7 +10449,7 @@
            "minipass": "^3.1.6",
            "mkdirp": "^1.0.4",
            "npm-package-arg": "^9.0.0",
-            "npm-packlist": "^5.0.0",
+            "npm-packlist": "^5.1.0",
            "npm-pick-manifest": "^7.0.0",
            "npm-registry-fetch": "^13.0.1",
            "proc-log": "^2.0.0",
@@ -10615,7 +10613,7 @@
              }
            },
            "glob": {
-              "version": "7.2.0",
+              "version": "7.2.3",
              "bundled": true,
              "dev": true,
              "peer": true,
@@ -10623,7 +10621,7 @@
                "fs.realpath": "^1.0.0",
                "inflight": "^1.0.4",
                "inherits": "2",
-                "minimatch": "^3.0.4",
+                "minimatch": "^3.1.1",
                "once": "^1.3.0",
                "path-is-absolute": "^1.0.0"
              }
@@ -10701,7 +10699,7 @@
          }
        },
        "socks-proxy-agent": {
-          "version": "6.2.0",
+          "version": "7.0.0",
          "bundled": true,
          "dev": true,
          "peer": true,
@@ -10744,7 +10742,7 @@
          "peer": true
        },
        "ssri": {
-          "version": "9.0.0",
+          "version": "9.0.1",
          "bundled": true,
          "dev": true,
          "peer": true,
@@ -11270,9 +11268,9 @@
      "peer": true
    },
    "semantic-release": {
-      "version": "19.0.2",
-      "resolved": "https://registry.npmjs.org/semantic-release/-/semantic-release-19.0.2.tgz",
-      "integrity": "sha512-7tPonjZxukKECmClhsfyMKDt0GR38feIC2HxgyYaBi+9tDySBLjK/zYDLhh+m6yjnHIJa9eBTKYE7k63ZQcYbw==",
+      "version": "19.0.3",
+      "resolved": "https://registry.npmjs.org/semantic-release/-/semantic-release-19.0.3.tgz",
+      "integrity": "sha512-HaFbydST1cDKZHuFZxB8DTrBLJVK/AnDExpK0s3EqLIAAUAHUgnd+VSJCUtTYQKkAkauL8G9CucODrVCc7BuAA==",
      "dev": true,
      "peer": true,
      "requires": {
--- a/web/.nvmrc
+++ b/web/.nvmrc
@@ -1 +1 @@
-v16.14.0
+v16.15.1
--- a/web/package.json
+++ b/web/package.json
@@ -3,8 +3,8 @@
  "version": "0.1.0",
  "private": true,
  "scripts": {
-    "start": "npx webpack-dev-server --config webpack.dev.ts --hot",
-    "build": "npx webpack --config webpack.prod.ts"
+    "start": "webpack-dev-server --config webpack.dev.ts --hot",
+    "build": "webpack --config webpack.prod.ts"
  },
  "dependencies": {
    "@emotion/react": "^11.4.1",
--- a/web/src/App.tsx
+++ b/web/src/App.tsx
@@ -8,9 +8,11 @@ import Header from './components/header'
 import Home from './components/home'
 import Drive from './containers/Drive'
 import Studio from './containers/Studio'
+import Settings from './containers/Settings'

 import { AppContext } from './context/appContext'
 import AuthCode from './containers/AuthCode'
+import { ToastContainer } from 'react-toastify'

 function App() {
  const appContext = useContext(AppContext)
@@ -44,10 +46,14 @@ function App() {
          <Route exact path="/SASjsStudio">
            <Studio />
          </Route>
+          <Route exact path="/SASjsSettings">
+            <Settings />
+          </Route>
          <Route exact path="/SASjsLogon">
            <AuthCode />
          </Route>
        </Switch>
+        <ToastContainer />
      </HashRouter>
    </ThemeProvider>
  )
--- a/web/src/components/dialogTitle.tsx
+++ b/web/src/components/dialogTitle.tsx
@@ -0,0 +1,35 @@
+import React, { Dispatch, SetStateAction } from 'react'
+
+import DialogTitle from '@mui/material/DialogTitle'
+import IconButton from '@mui/material/IconButton'
+import CloseIcon from '@mui/icons-material/Close'
+
+export interface DialogTitleProps {
+  id: string
+  children?: React.ReactNode
+  handleOpen: Dispatch<SetStateAction<boolean>>
+}
+
+export const BootstrapDialogTitle = (props: DialogTitleProps) => {
+  const { children, handleOpen, ...other } = props
+
+  return (
+    <DialogTitle sx={{ m: 0, p: 2 }} {...other}>
+      {children}
+      {handleOpen ? (
+        <IconButton
+          aria-label="close"
+          onClick={() => handleOpen(false)}
+          sx={{
+            position: 'absolute',
+            right: 8,
+            top: 8,
+            color: (theme) => theme.palette.grey[500]
+          }}
+        >
+          <CloseIcon />
+        </IconButton>
+      ) : null}
+    </DialogTitle>
+  )
+}
--- a/web/src/components/header.tsx
+++ b/web/src/components/header.tsx
@@ -1,4 +1,4 @@
-import React, { useState, useContext } from 'react'
+import React, { useState, useEffect, useContext } from 'react'
 import { Link, useHistory, useLocation } from 'react-router-dom'

 import {
@@ -11,6 +11,7 @@ import {
  MenuItem
 } from '@mui/material'
 import OpenInNewIcon from '@mui/icons-material/OpenInNew'
+import SettingsIcon from '@mui/icons-material/Settings'

 import Username from './username'
 import { AppContext } from '../context/appContext'
@@ -20,17 +21,23 @@ const PORT_API = process.env.PORT_API
 const baseUrl =
  NODE_ENV === 'development' ? `http://localhost:${PORT_API ?? 5000}` : ''

+const validTabs = ['/', '/SASjsDrive', '/SASjsStudio']
+
 const Header = (props: any) => {
  const history = useHistory()
  const { pathname } = useLocation()
  const appContext = useContext(AppContext)
  const [tabValue, setTabValue] = useState(
-    pathname === '/SASjsLogon' ? '/' : pathname
+    validTabs.includes(pathname) ? pathname : '/'
  )
  const [anchorEl, setAnchorEl] = useState<
    (EventTarget & HTMLButtonElement) | null
  >(null)

+  useEffect(() => {
+    setTabValue(validTabs.includes(pathname) ? pathname : '/')
+  }, [pathname])
+
  const handleMenu = (
    event: React.MouseEvent<HTMLButtonElement, MouseEvent>
  ) => {
@@ -46,7 +53,10 @@ const Header = (props: any) => {
  }

  const handleLogout = () => {
-    if (appContext.logout) appContext.logout()
+    if (appContext.logout) {
+      handleClose()
+      appContext.logout()
+    }
  }
  return (
    <AppBar
@@ -134,6 +144,30 @@ const Header = (props: any) => {
            open={!!anchorEl}
            onClose={handleClose}
          >
+            <MenuItem sx={{ justifyContent: 'center' }}>
+              <Button
+                href={'https://server.sasjs.io'}
+                target="_blank"
+                rel="noreferrer"
+                variant="contained"
+                color="primary"
+                size="large"
+              >
+                Documentation
+              </Button>
+            </MenuItem>
+            <MenuItem sx={{ justifyContent: 'center' }}>
+              <Button
+                component={Link}
+                to="/SASjsSettings"
+                onClick={handleClose}
+                variant="contained"
+                color="primary"
+                startIcon={<SettingsIcon />}
+              >
+                Settings
+              </Button>
+            </MenuItem>
            <MenuItem onClick={handleLogout} sx={{ justifyContent: 'center' }}>
              <Button variant="contained" color="primary">
                Logout
--- a/web/src/components/home.tsx
+++ b/web/src/components/home.tsx
@@ -9,8 +9,8 @@ const Home = () => {
      <CssBaseline />
      <h2>Welcome to SASjs Server!</h2>
      <p>
-        This portal provides an interface for executing Stored Programs (drive)
-        and ad hoc code (studio) against a SAS executable. The source code is
+        SASjs Server provides a REST interface for executing Stored Programs and
+        ad hoc code (studio) against SAS and JS executables. The source is
        available on{' '}
        <a
          href="https://github.com/sasjs/server"
--- a/web/src/components/login.tsx
+++ b/web/src/components/login.tsx
@@ -22,14 +22,16 @@ const Login = () => {
      username,
      password
    }).catch((err: any) => {
-      setErrorMessage(err.response.data)
+      setErrorMessage(err.response?.data || err.toString())
      return {}
    })

    if (loggedIn) {
-      appContext.setLoggedIn?.(loggedIn)
+      appContext.setUserId?.(user.id)
      appContext.setUsername?.(user.username)
      appContext.setDisplayName?.(user.displayName)
+      appContext.setIsAdmin?.(user.isAdmin)
+      appContext.setLoggedIn?.(loggedIn)
    }
  }

--- a/Show More
+++ b/Show More