chore(release): 0.37.0 [skip ci]

# [0.37.0](https://github.com/sasjs/server/compare/v0.36.0...v0.37.0) (2024-10-29) ### Features * **stp:** added trigger endpoint ([b0723f1](b0723f1444))
Merge pull request #375 from sasjs/issue-373-stp
2025-12-10 11:24:35 +00:00 · 2024-10-29 14:11:35 +00:00 · 2024-10-29 17:08:38 +03:00 · 2024-10-29 16:55:40 +03:00 · 2024-10-29 16:27:53 +03:00 · 2024-10-29 16:20:27 +03:00
130 changed files with 9422 additions and 1874 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -56,4 +56,4 @@ jobs:
      - name: Release
        run: |
-          GITHUB_TOKEN=${{ secrets.GH_TOKEN }} semantic-release
+          GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} semantic-release
--- a/.gitignore
+++ b/.gitignore
@@ -5,8 +5,6 @@ node_modules/
 .env*
 sas/
 sasjs_root/
 api/mocks/custom/*
 !api/mocks/custom/.keep
 tmp/
 build/
 sasjsbuild/
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,396 @@
 # [0.37.0](https://github.com/sasjs/server/compare/v0.36.0...v0.37.0) (2024-10-29)
 ### Features
 * **stp:** added trigger endpoint ([b0723f1](https://github.com/sasjs/server/commit/b0723f14448d60ffce4f2175cf8a73fc4d4dd0ee))
 # [0.36.0](https://github.com/sasjs/server/compare/v0.35.4...v0.36.0) (2024-10-29)
 ### Features
 * **code:** added code/trigger API endpoint ([ffcf193](https://github.com/sasjs/server/commit/ffcf193b87d811b166d79af74013776a253b50b0))
 ## [0.35.4](https://github.com/sasjs/server/compare/v0.35.3...v0.35.4) (2024-01-15)
 ### Bug Fixes
 * **api:** fixed env issue in MacOS executable ([73d965d](https://github.com/sasjs/server/commit/73d965daf54b16c0921e4b18d11a1e6f8650884d))
 ## [0.35.3](https://github.com/sasjs/server/compare/v0.35.2...v0.35.3) (2023-11-07)
 ### Bug Fixes
 * enable embedded LFs in JS STP vars ([7e8cbbf](https://github.com/sasjs/server/commit/7e8cbbf377b27a7f5dd9af0bc6605c01f302f5d9))
 ## [0.35.2](https://github.com/sasjs/server/compare/v0.35.1...v0.35.2) (2023-08-07)
 ### Bug Fixes
 * add _debug as optional query param in swagger apis for GET stp/execute ([9586dbb](https://github.com/sasjs/server/commit/9586dbb2d0d6611061c9efdfb84030144f62c2ee))
 ## [0.35.1](https://github.com/sasjs/server/compare/v0.35.0...v0.35.1) (2023-07-25)
 ### Bug Fixes
 * **log-separator:** log separator should always wrap log ([8940f4d](https://github.com/sasjs/server/commit/8940f4dc47abae2036b4fcdeb772c31a0ca07cca))
 # [0.35.0](https://github.com/sasjs/server/compare/v0.34.2...v0.35.0) (2023-05-03)
 ### Bug Fixes
 * **editor:** fixed log/webout/print tabs ([d2de9dc](https://github.com/sasjs/server/commit/d2de9dc13ef2e980286dd03cca5e22cea443ed0c))
 * **execute:** added atribute indicating stp api ([e78f87f](https://github.com/sasjs/server/commit/e78f87f5c00038ea11261dffb525ac8f1024e40b))
 * **execute:** fixed adding print output ([9aaffce](https://github.com/sasjs/server/commit/9aaffce82051d81bf39adb69942bb321e9795141))
 * **execution:** removed empty webout from response ([6dd2f4f](https://github.com/sasjs/server/commit/6dd2f4f87673336135bc7a6de0d2e143e192c025))
 * **webout:** fixed adding empty webout to response payload ([31df72a](https://github.com/sasjs/server/commit/31df72ad88fe2c771d0ef8445d6db9dd147c40c9))
 ### Features
 * **editor:** parse print output in response payload ([eb42683](https://github.com/sasjs/server/commit/eb42683fff701bd5b4d2b68760fe0c3ecad573dd))
 ## [0.34.2](https://github.com/sasjs/server/compare/v0.34.1...v0.34.2) (2023-05-01)
 ### Bug Fixes
 * use custom logic for handling sequence ids ([dba53de](https://github.com/sasjs/server/commit/dba53de64664c9d8a40fe69de6281c53d1c73641))
 ## [0.34.1](https://github.com/sasjs/server/compare/v0.34.0...v0.34.1) (2023-04-28)
 ### Bug Fixes
 * **css:** fixed css loading ([9c5acd6](https://github.com/sasjs/server/commit/9c5acd6de32afdbc186f79ae5b35375dda2e49b0))
 * **log:** fixed chunk collapsing ([64b156f](https://github.com/sasjs/server/commit/64b156f7627969b7f13022726f984fbbfe1a33ef))
 # [0.34.0](https://github.com/sasjs/server/compare/v0.33.3...v0.34.0) (2023-04-28)
 ### Bug Fixes
 * **log:** fixed checks for errors and warnings ([02e2b06](https://github.com/sasjs/server/commit/02e2b060f9bedf4806f45f5205fd87bfa2ecae90))
 * **log:** fixed default runtime ([e04300a](https://github.com/sasjs/server/commit/e04300ad2ac237be7b28a6332fa87a3bcf761c7b))
 * **log:** fixed parsing log for different runtime ([3b1e4a1](https://github.com/sasjs/server/commit/3b1e4a128b1f22ff6f3069f5aaada6bfb1b40d12))
 * **log:** fixed scrolling issue ([56a522c](https://github.com/sasjs/server/commit/56a522c07c6f6d4c26c6d3b7cd6e9ef7007067a9))
 * **log:** fixed single chunk display ([8254b78](https://github.com/sasjs/server/commit/8254b789555cb8bbb169f52b754b4ce24e876dd2))
 * **log:** fixed single chunk scrolling ([57b7f95](https://github.com/sasjs/server/commit/57b7f954a17936f39aa9b757998b5b25e9442601))
 * **log:** fixed switching runtime ([c7a7399](https://github.com/sasjs/server/commit/c7a73991a7aa25d0c75d0c00e712bdc78769300b))
 * **log:** fixing switching from SAS to other runtime ([c72ecc7](https://github.com/sasjs/server/commit/c72ecc7e5943af9536ee31cfa85398e016d5354f))
 ### Features
 * **log:** added download chunk and entire log ([a38a9f9](https://github.com/sasjs/server/commit/a38a9f9c3dfe36bd55d32024c166147318216995))
 * **log:** added logComponent and LogTabWithIcons ([3a887de](https://github.com/sasjs/server/commit/3a887dec55371b6a00b92291bb681e4cccb770c0))
 * **log:** added parseErrorsAndWarnings utility ([7c1c1e2](https://github.com/sasjs/server/commit/7c1c1e241002313c10f94dd61702584b9f148010))
 * **log:** added time to downloaded log name ([3848bb0](https://github.com/sasjs/server/commit/3848bb0added69ca81a5c9419ea414bdd1c294bb))
 * **log:** put download log icon into log tab ([777b3a5](https://github.com/sasjs/server/commit/777b3a55be1ecf5b05bf755ce8b14735496509e1))
 * **log:** split large log into chunks ([75f5a3c](https://github.com/sasjs/server/commit/75f5a3c0b39665bef8b83dc7e1e8b3e5f23fc303))
 * **log:** use improved log for SAS run time only ([7b12591](https://github.com/sasjs/server/commit/7b12591595cdd5144d9311ffa06a80c5dab79364))
 ## [0.33.3](https://github.com/sasjs/server/compare/v0.33.2...v0.33.3) (2023-04-27)
 ### Bug Fixes
 * use RateLimiterMemory instead of RateLimiterMongo ([6a520f5](https://github.com/sasjs/server/commit/6a520f5b26a3e2ed6345721b30ff4e3d9bfa903d))
 ## [0.33.2](https://github.com/sasjs/server/compare/v0.33.1...v0.33.2) (2023-04-24)
 ### Bug Fixes
 * removing print redirection pending full [#274](https://github.com/sasjs/server/issues/274) fix ([d49ea47](https://github.com/sasjs/server/commit/d49ea47bd7a2add42bdb9a717082201f29e16597))
 ## [0.33.1](https://github.com/sasjs/server/compare/v0.33.0...v0.33.1) (2023-04-20)
 ### Bug Fixes
 * applying nologo only for sas.exe ([b4436ba](https://github.com/sasjs/server/commit/b4436bad0d24d5b5a402272632db1739b1018c90)), closes [#352](https://github.com/sasjs/server/issues/352)
 # [0.33.0](https://github.com/sasjs/server/compare/v0.32.0...v0.33.0) (2023-04-05)
 ### Features
 * option to reset admin password on startup ([eda8e56](https://github.com/sasjs/server/commit/eda8e56bb0ea20fdaacabbbe7dcf1e3ea7bd215a))
 # [0.32.0](https://github.com/sasjs/server/compare/v0.31.0...v0.32.0) (2023-04-05)
 ### Features
 * add an api endpoint for admin to get list of client ids ([6ffaa7e](https://github.com/sasjs/server/commit/6ffaa7e9e2a62c083bb9fcc3398dcbed10cebdb1))
 # [0.31.0](https://github.com/sasjs/server/compare/v0.30.3...v0.31.0) (2023-03-30)
 ### Features
 * prevent brute force attack by rate limiting login endpoint ([a82cabb](https://github.com/sasjs/server/commit/a82cabb00134c79c5ee77afd1b1628a1f768e050))
 ## [0.30.3](https://github.com/sasjs/server/compare/v0.30.2...v0.30.3) (2023-03-07)
 ### Bug Fixes
 * add location.pathname to location.origin conditionally ([edab51c](https://github.com/sasjs/server/commit/edab51c51997f17553e037dc7c2b5e5fa6ea8ffe))
 ## [0.30.2](https://github.com/sasjs/server/compare/v0.30.1...v0.30.2) (2023-03-07)
 ### Bug Fixes
 * **web:** add path to base in launch program url ([2c31922](https://github.com/sasjs/server/commit/2c31922f58a8aa20d7fa6bfc95b53a350f90c798))
 ## [0.30.1](https://github.com/sasjs/server/compare/v0.30.0...v0.30.1) (2023-03-01)
 ### Bug Fixes
 * **web:** add proper base url in axios.defaults ([5e3ce8a](https://github.com/sasjs/server/commit/5e3ce8a98f1825e14c1d26d8da0c9821beeff7b3))
 # [0.30.0](https://github.com/sasjs/server/compare/v0.29.0...v0.30.0) (2023-02-28)
 ### Bug Fixes
 * lint + remove default settings ([3de59ac](https://github.com/sasjs/server/commit/3de59ac4f8e3d95cad31f09e6963bd04c4811f26))
 ### Features
 * add new env config DB_TYPE ([158f044](https://github.com/sasjs/server/commit/158f044363abf2576c8248f0ca9da4bc9cb7e9d8))
 # [0.29.0](https://github.com/sasjs/server/compare/v0.28.7...v0.29.0) (2023-02-06)
 ### Features
 * Add /SASjsApi endpoint in permissions ([b3402ea](https://github.com/sasjs/server/commit/b3402ea80afb8802eee8b8b6cbbbcc29903424bc))
 ## [0.28.7](https://github.com/sasjs/server/compare/v0.28.6...v0.28.7) (2023-02-03)
 ### Bug Fixes
 * add user to all users group on user creation ([2bae52e](https://github.com/sasjs/server/commit/2bae52e307327d7ee4a94b19d843abdc0ccec9d1))
 ## [0.28.6](https://github.com/sasjs/server/compare/v0.28.5...v0.28.6) (2023-01-26)
 ### Bug Fixes
 * show loading spinner on login screen while request is in process ([69f2576](https://github.com/sasjs/server/commit/69f2576ee6d3d7b7f3325922a88656d511e3ac88))
 ## [0.28.5](https://github.com/sasjs/server/compare/v0.28.4...v0.28.5) (2023-01-01)
 ### Bug Fixes
 * adding NOPRNGETLIST system option for faster startup ([96eca3a](https://github.com/sasjs/server/commit/96eca3a35dce4521150257ee019beb4488c8a08f))
 ## [0.28.4](https://github.com/sasjs/server/compare/v0.28.3...v0.28.4) (2022-12-07)
 ### Bug Fixes
 * replace main class with container class ([71c429b](https://github.com/sasjs/server/commit/71c429b093b91e2444ae75d946579dccc2e48636))
 ## [0.28.3](https://github.com/sasjs/server/compare/v0.28.2...v0.28.3) (2022-12-06)
 ### Bug Fixes
 * stringify json file ([1192583](https://github.com/sasjs/server/commit/1192583843d7efd1a6ab6943207f394c3ae966be))
 ## [0.28.2](https://github.com/sasjs/server/compare/v0.28.1...v0.28.2) (2022-12-05)
 ### Bug Fixes
 * execute child process asyncronously ([23c997b](https://github.com/sasjs/server/commit/23c997b3beabeb6b733ae893031d2f1a48f28ad2))
 * JS / Python / R session folders should be NEW folders, not existing SAS folders ([39ba995](https://github.com/sasjs/server/commit/39ba995355daa24bb7ab22720f8fc57d2dc85f40))
 ## [0.28.1](https://github.com/sasjs/server/compare/v0.28.0...v0.28.1) (2022-11-28)
 ### Bug Fixes
 * update the content type header after the program has been executed ([4dcee4b](https://github.com/sasjs/server/commit/4dcee4b3c3950d402220b8f451c50ad98a317d83))
 # [0.28.0](https://github.com/sasjs/server/compare/v0.27.0...v0.28.0) (2022-11-28)
 ### Bug Fixes
 * update the response header of request to stp/execute routes ([112431a](https://github.com/sasjs/server/commit/112431a1b7461989c04100418d67d975a2a8f354))
 ### Features
 * **api:** add the api endpoint for updating user password ([4581f32](https://github.com/sasjs/server/commit/4581f325344eb68c5df5a28492f132312f15bb5c))
 * ask for updated password on first login ([1d48f88](https://github.com/sasjs/server/commit/1d48f8856b1fbbf3ef868914558333190e04981f))
 * **web:** add the UI for updating user password ([8b8c43c](https://github.com/sasjs/server/commit/8b8c43c21bde5379825c5ec44ecd81a92425f605))
 # [0.27.0](https://github.com/sasjs/server/compare/v0.26.2...v0.27.0) (2022-11-17)
 ### Features
 * on startup add webout.sas file in sasautos folder ([200f6c5](https://github.com/sasjs/server/commit/200f6c596a6e732d799ed408f1f0fd92f216ba58))
 ## [0.26.2](https://github.com/sasjs/server/compare/v0.26.1...v0.26.2) (2022-11-15)
 ### Bug Fixes
 * comments ([7ae862c](https://github.com/sasjs/server/commit/7ae862c5ce720e9483d4728f4295dede4f849436))
 ## [0.26.1](https://github.com/sasjs/server/compare/v0.26.0...v0.26.1) (2022-11-15)
 ### Bug Fixes
 * change the expiration of access/refresh tokens from days to seconds ([bb05493](https://github.com/sasjs/server/commit/bb054938c5bd0535ae6b9da93ba0b14f9b80ddcd))
 # [0.26.0](https://github.com/sasjs/server/compare/v0.25.1...v0.26.0) (2022-11-13)
 ### Bug Fixes
 * **web:** dispose monaco editor actions in return of useEffect ([acc25cb](https://github.com/sasjs/server/commit/acc25cbd686952d3f1c65e57aefcebe1cb859cc7))
 ### Features
 * make access token duration configurable when creating client/secret ([2413c05](https://github.com/sasjs/server/commit/2413c05fea3960f7e5c3c8b7b2f85d61314f08db))
 * make refresh token duration configurable ([abd5c64](https://github.com/sasjs/server/commit/abd5c64b4a726e3f17594a98111b6aa269b71fee))
 ## [0.25.1](https://github.com/sasjs/server/compare/v0.25.0...v0.25.1) (2022-11-07)
 ### Bug Fixes
 * **web:** use mui treeView instead of custom implementation ([c51b504](https://github.com/sasjs/server/commit/c51b50428f32608bc46438e9d7964429b2d595da))
 # [0.25.0](https://github.com/sasjs/server/compare/v0.24.0...v0.25.0) (2022-11-02)
 ### Features
 * Enable DRIVE_LOCATION setting for deploying multiple instances of SASjs Server ([1c9d167](https://github.com/sasjs/server/commit/1c9d167f86bbbb108b96e9bc30efaf8de65d82ff))
 # [0.24.0](https://github.com/sasjs/server/compare/v0.23.4...v0.24.0) (2022-10-28)
 ### Features
 * cli mock testing ([6434123](https://github.com/sasjs/server/commit/643412340162e854f31fba2f162d83b7ab1751d8))
 * mocking sas9 responses with JS STP ([36be3a7](https://github.com/sasjs/server/commit/36be3a7d5e7df79f9a1f3f00c3661b925f462383))
 ## [0.23.4](https://github.com/sasjs/server/compare/v0.23.3...v0.23.4) (2022-10-11)
 ### Bug Fixes
 * add action to editor ref for running code ([2412622](https://github.com/sasjs/server/commit/2412622367eb46c40f388e988ae4606a7ec239b2))
 ## [0.23.3](https://github.com/sasjs/server/compare/v0.23.2...v0.23.3) (2022-10-09)
 ### Bug Fixes
 * added domain for session cookies ([94072c3](https://github.com/sasjs/server/commit/94072c3d24a4d0d4c97900dc31bfbf1c9d2559b7))
 ## [0.23.2](https://github.com/sasjs/server/compare/v0.23.1...v0.23.2) (2022-10-06)
 ### Bug Fixes
 * bump in correct place ([14731e8](https://github.com/sasjs/server/commit/14731e8824fa9f3d1daf89fd62f9916d5e3fcae4))
 * bumping sasjs/score ([258cc35](https://github.com/sasjs/server/commit/258cc35f14cf50f2160f607000c60de27593fd79))
 * reverting commit ([fda0e0b](https://github.com/sasjs/server/commit/fda0e0b57d56e3b5231e626a8d933343ac0c5cdc))
 ## [0.23.1](https://github.com/sasjs/server/compare/v0.23.0...v0.23.1) (2022-10-04)
 ### Bug Fixes
 * ldap issues ([4d64420](https://github.com/sasjs/server/commit/4d64420c45424134b4d2014a2d5dd6e846ed03b3))
 # [0.23.0](https://github.com/sasjs/server/compare/v0.22.1...v0.23.0) (2022-10-03)
 ### Features
 * Enable SAS_PACKAGES in SASjs Server ([424f0fc](https://github.com/sasjs/server/commit/424f0fc1faec765eb7a14619584e649454105b70))
 ## [0.22.1](https://github.com/sasjs/server/compare/v0.22.0...v0.22.1) (2022-10-03)
 ### Bug Fixes
 * spelling issues ([3bb0597](https://github.com/sasjs/server/commit/3bb05974d216d69368f4498eb9f309bce7d97fd8))
 # [0.22.0](https://github.com/sasjs/server/compare/v0.21.7...v0.22.0) (2022-10-03)
 ### Bug Fixes
 * do not throw error on deleting group when it is created by an external auth provider ([68f0c5c](https://github.com/sasjs/server/commit/68f0c5c5884431e7e8f586dccf98132abebb193e))
 * no need to restrict api endpoints when ldap auth is applied ([a142660](https://github.com/sasjs/server/commit/a14266077d3541c7a33b7635efa4208335e73519))
 * remove authProvider attribute from user and group payload interface ([bbd7786](https://github.com/sasjs/server/commit/bbd7786c6ce13b374d896a45c23255b8fa3e8bd2))
 ### Features
 * implemented LDAP authentication ([f915c51](https://github.com/sasjs/server/commit/f915c51b077a2b8c4099727355ed914ecd6364bd))
 ## [0.21.7](https://github.com/sasjs/server/compare/v0.21.6...v0.21.7) (2022-09-30)
 ### Bug Fixes
 * csrf package is changed to pillarjs-csrf ([fe3e508](https://github.com/sasjs/server/commit/fe3e5088f8dfff50042ec8e8aac9ba5ba1394deb))
 ## [0.21.6](https://github.com/sasjs/server/compare/v0.21.5...v0.21.6) (2022-09-23)
 ### Bug Fixes
 * in getTokensFromDB handle the scenario when tokens are expired ([40f95f9](https://github.com/sasjs/server/commit/40f95f9072c8685910138d88fd2410f8704fc975))
 ## [0.21.5](https://github.com/sasjs/server/compare/v0.21.4...v0.21.5) (2022-09-22)
 ### Bug Fixes
 * made files extensions case insensitive ([2496043](https://github.com/sasjs/server/commit/249604384e42be4c12c88c70a7dff90fc1917a8f))
 ## [0.21.4](https://github.com/sasjs/server/compare/v0.21.3...v0.21.4) (2022-09-21)
 ### Bug Fixes
 * removing single quotes from _program value ([a0e7875](https://github.com/sasjs/server/commit/a0e7875ae61cbb6e7d3995d2e36e7300b0daec86))
 ## [0.21.3](https://github.com/sasjs/server/compare/v0.21.2...v0.21.3) (2022-09-21)
 ### Bug Fixes
 * return same tokens if not expired ([330c020](https://github.com/sasjs/server/commit/330c020933f1080261b38f07d6b627f6d7c62446))
 ## [0.21.2](https://github.com/sasjs/server/compare/v0.21.1...v0.21.2) (2022-09-20)
--- a/README.md
+++ b/README.md
@@ -93,6 +93,10 @@ R_PATH=/usr/bin/Rscript
 SASJS_ROOT=./sasjs_root
 # This location is for files, sasjs packages and appStreamConfig.json
 DRIVE_LOCATION=./sasjs_root/drive
 # options: [http|https] default: http
 PROTOCOL=
@@ -103,6 +107,11 @@ PORT=
 # If not present, mocking function is disabled
 MOCK_SERVERTYPE=
 # default: /api/mocks
 # Path to mocking folder, for generic responses, it's sub directories should be: sas9, viya, sasjs
 # Server will automatically use subdirectory accordingly
 STATIC_MOCK_LOCATION=
 #
 ## Additional SAS Options
 #
@@ -125,9 +134,22 @@ PRIVATE_KEY=privkey.pem (required)
 CERT_CHAIN=certificate.pem (required)
 CA_ROOT=fullchain.pem (optional)
-# ENV variables required for MODE: `server`
+## ENV variables required for MODE: `server`
 DB_CONNECT=mongodb+srv://<DB_USERNAME>:<DB_PASSWORD>@<CLUSTER>/<DB_NAME>?retryWrites=true&w=majority
 # options: [mongodb|cosmos_mongodb] default: mongodb
 DB_TYPE=
 # AUTH_PROVIDERS options: [ldap] default: ``
 AUTH_PROVIDERS=
 ## ENV variables required for AUTH_MECHANISM: `ldap`
 LDAP_URL= <LDAP_SERVER_URL>
 LDAP_BIND_DN= <cn=admin,ou=system,dc=cloudron>
 LDAP_BIND_PASSWORD = <password>
 LDAP_USERS_BASE_DN = <ou=users,dc=cloudron>
 LDAP_GROUPS_BASE_DN = <ou=groups,dc=cloudron>
 # options: [disable|enable] default: `disable` for `server` & `enable` for `desktop`
 # If enabled, be sure to also configure the WHITELIST of third party servers.
 CORS=
@@ -136,7 +158,7 @@ CORS=
 WHITELIST=
 # HELMET Cross Origin Embedder Policy
-# Sets the Cross-Origin-Embedder-Policy header to require-corp when `true`
+# Sets the Cross-Origin-Embedder-Policy header to require-corp when `true`
 # options: [true|false] default: true
 # Docs: https://helmetjs.github.io/#reference (`crossOriginEmbedderPolicy`)
 HELMET_COEP=
@@ -153,6 +175,32 @@ HELMET_COEP=
 # }
 HELMET_CSP_CONFIG_PATH=./csp.config.json
 # To prevent brute force attack on login route we have implemented rate limiter
 # Only valid for MODE: server
 # Following are configurable env variable rate limiter
 # After this, access is blocked for 1 day
 MAX_WRONG_ATTEMPTS_BY_IP_PER_DAY = <number> default: 100;
 # After this, access is blocked for an hour
 # Store number for 24 days since first fail
 # Once a successful login is attempted, it resets
 MAX_CONSECUTIVE_FAILS_BY_USERNAME_AND_IP = <number> default: 10;
 # Name of the admin user that will be created on startup if not exists already
 # Default is `secretuser`
 ADMIN_USERNAME=secretuser
 # Temporary password for the ADMIN_USERNAME, which is in place until the first login
 # Default is `secretpassword`
 ADMIN_PASSWORD_INITIAL=secretpassword
 # Specify whether app has to reset the ADMIN_USERNAME's password or not
 # Default is NO. Possible options are YES and NO
 # If ADMIN_PASSWORD_RESET is YES then the ADMIN_USERNAME will be prompted to change the password from ADMIN_PASSWORD_INITIAL on their next login. This will repeat on every server restart, unless the option is removed / set to NO.
 ADMIN_PASSWORD_RESET=NO
 # LOG_FORMAT_MORGAN options: [combined|common|dev|short|tiny] default: `common`
 # Docs: https://www.npmjs.com/package/morgan#predefined-formats
 LOG_FORMAT_MORGAN=
--- a/api/.env.example
+++ b/api/.env.example
@@ -1,5 +1,6 @@
 MODE=[desktop|server] default considered as desktop
 CORS=[disable|enable] default considered as disable for server MODE & enable for desktop MODE
 ALLOWED_DOMAIN=<just domain e.g. example.com >
 WHITELIST=<space separated urls, each starting with protocol `http` or `https`>
 PROTOCOL=[http|https] default considered as http
@@ -13,6 +14,25 @@ HELMET_CSP_CONFIG_PATH=./csp.config.json if omitted HELMET default will be used
 HELMET_COEP=[true|false] if omitted HELMET default will be used
 DB_CONNECT=mongodb+srv://<DB_USERNAME>:<DB_PASSWORD>@<CLUSTER>/<DB_NAME>?retryWrites=true&w=majority
 DB_TYPE=[mongodb|cosmos_mongodb] default considered as mongodb
 AUTH_PROVIDERS=[ldap]
 LDAP_URL= <LDAP_SERVER_URL>
 LDAP_BIND_DN= <cn=admin,ou=system,dc=cloudron>
 LDAP_BIND_PASSWORD = <password>
 LDAP_USERS_BASE_DN = <ou=users,dc=cloudron>
 LDAP_GROUPS_BASE_DN = <ou=groups,dc=cloudron>
 #default value is 100
 MAX_WRONG_ATTEMPTS_BY_IP_PER_DAY=100
 #default value is 10
 MAX_CONSECUTIVE_FAILS_BY_USERNAME_AND_IP=10
 ADMIN_USERNAME=secretuser
 ADMIN_PASSWORD_INITIAL=secretpassword
 ADMIN_PASSWORD_RESET=NO
 RUN_TIMES=[sas,js,py | js,py | sas | sas,js] default considered as sas
 SAS_PATH=/opt/sas/sas9/SASHome/SASFoundation/9.4/sas
@@ -21,6 +41,7 @@ PYTHON_PATH=/usr/bin/python
 R_PATH=/usr/bin/Rscript
 SASJS_ROOT=./sasjs_root
 DRIVE_LOCATION=./sasjs_root/drive
 LOG_FORMAT_MORGAN=common
 LOG_LOCATION=./sasjs_root/logs
--- a/api/mocks/custom/.keep
+++ b/api/mocks/custom/.keep
--- a/api/mocks/sas9/generic/logged-in
+++ b/api/mocks/sas9/generic/logged-in
--- a/api/mocks/sas9/generic/logged-out
+++ b/api/mocks/sas9/generic/logged-out
--- a/api/mocks/sas9/generic/login
+++ b/api/mocks/sas9/generic/login
@@ -9,7 +9,7 @@
 <div class="content">
  <form id="credentials" class="minimal" action="/SASLogon/login?service=http%3A%2F%2Flocalhost:5004%2FSASStoredProcess%2Fj_spring_cas_security_check" method="post">
    <!--form container-->
-    <input type="hidden" name="lt" value="LT-8-WGkt9EXwICBihaVbxGc92opjufTK1D" aria-hidden="true" />
+    <input type="hidden" name="lt" value="validtoken" aria-hidden="true" />
    <input type="hidden" name="execution" value="e2s1" aria-hidden="true" />
    <input type="hidden" name="_eventId" value="submit" aria-hidden="true" />
--- a/api/mocks/sas9/generic/public-access-denied
+++ b/api/mocks/sas9/generic/public-access-denied
--- a/api/mocks/sas9/generic/sas-stored-process
+++ b/api/mocks/sas9/generic/sas-stored-process
--- a/api/package-lock.json
+++ b/api/package-lock.json
--- a/api/package.json
+++ b/api/package.json
@@ -4,7 +4,7 @@
  "description": "Api of SASjs server",
  "main": "./src/server.ts",
  "scripts": {
-    "initial": "npm run swagger && npm run compileSysInit && npm run copySASjsCore",
+    "initial": "npm run swagger && npm run compileSysInit && npm run copySASjsCore && npm run downloadMacros",
    "prestart": "npm run initial",
    "prebuild": "npm run initial",
    "start": "NODE_ENV=development nodemon ./src/server.ts",
@@ -17,20 +17,21 @@
    "lint:fix": "npx prettier --write \"src/**/*.{ts,tsx,js,jsx,html,css,sass,less,yml,md,graphql}\"",
    "lint": "npx prettier --check \"src/**/*.{ts,tsx,js,jsx,html,css,sass,less,yml,md,graphql}\"",
    "exe": "npm run build && pkg .",
-    "copy:files": "npm run public:copy && npm run sasjsbuild:copy && npm run sasjscore:copy && npm run web:copy",
+    "copy:files": "npm run public:copy && npm run sasjsbuild:copy && npm run sas:copy && npm run web:copy",
    "public:copy": "cp -r ./public/ ./build/public/",
    "sasjsbuild:copy": "cp -r ./sasjsbuild/ ./build/sasjsbuild/",
-    "sasjscore:copy": "cp -r ./sasjscore/ ./build/sasjscore/",
+    "sas:copy": "cp -r ./sas/ ./build/sas/",
    "web:copy": "rimraf web && mkdir web && cp -r ../web/build/ ./web/build/",
    "compileSysInit": "ts-node ./scripts/compileSysInit.ts",
-    "copySASjsCore": "ts-node ./scripts/copySASjsCore.ts"
+    "copySASjsCore": "ts-node ./scripts/copySASjsCore.ts",
    "downloadMacros": "ts-node ./scripts/downloadMacros.ts"
  },
  "bin": "./build/src/server.js",
  "pkg": {
    "assets": [
      "./build/public/**/*",
      "./build/sasjsbuild/**/*",
-      "./build/sasjscore/**/*",
+      "./build/sas/**/*",
      "./web/build/**/*"
    ],
    "targets": [
@@ -47,22 +48,22 @@
  },
  "author": "4GL Ltd",
  "dependencies": {
-    "@sasjs/core": "^4.31.3",
+    "@sasjs/core": "^4.40.1",
-    "@sasjs/utils": "2.48.1",
+    "@sasjs/utils": "3.2.0",
    "bcryptjs": "^2.4.3",
    "connect-mongo": "^4.6.0",
    "cookie-parser": "^1.4.6",
    "cors": "^2.8.5",
    "csurf": "^1.11.0",
    "express": "^4.17.1",
    "express-session": "^1.17.2",
    "helmet": "^5.0.2",
    "joi": "^17.4.2",
    "jsonwebtoken": "^8.5.1",
    "ldapjs": "2.3.3",
    "mongoose": "^6.0.12",
    "mongoose-sequence": "^5.3.1",
    "morgan": "^1.10.0",
    "multer": "^1.4.5-lts.1",
    "rate-limiter-flexible": "2.4.1",
    "rotating-file-stream": "^3.0.4",
    "swagger-ui-express": "4.3.0",
    "unzipper": "^0.10.11",
@@ -73,12 +74,11 @@
    "@types/bcryptjs": "^2.4.2",
    "@types/cookie-parser": "^1.4.2",
    "@types/cors": "^2.8.12",
    "@types/csurf": "^1.11.2",
    "@types/express": "^4.17.12",
    "@types/express-session": "^1.17.4",
    "@types/jest": "^26.0.24",
    "@types/jsonwebtoken": "^8.5.5",
-    "@types/mongoose-sequence": "^3.0.6",
+    "@types/ldapjs": "^2.2.4",
    "@types/morgan": "^1.9.3",
    "@types/multer": "^1.4.7",
    "@types/node": "^15.12.2",
@@ -86,10 +86,13 @@
    "@types/swagger-ui-express": "^4.1.3",
    "@types/unzipper": "^0.10.5",
    "adm-zip": "^0.5.9",
-    "dotenv": "^10.0.0",
+    "axios": "0.27.2",
    "csrf": "^3.1.0",
    "dotenv": "^16.0.1",
    "http-headers-validation": "^0.0.1",
    "jest": "^27.0.6",
-    "mongodb-memory-server": "^8.0.0",
+    "mongodb-memory-server": "8.11.4",
    "nodejs-file-downloader": "4.10.2",
    "nodemon": "^2.0.7",
    "pkg": "5.6.0",
    "prettier": "^2.3.1",
--- a/api/public/swagger.yaml
+++ b/api/public/swagger.yaml
@@ -47,6 +47,21 @@ components:
                - userId
            type: object
            additionalProperties: false
        UpdatePasswordPayload:
            properties:
                currentPassword:
                    type: string
                    description: 'Current Password'
                    example: currentPasswordString
                newPassword:
                    type: string
                    description: 'New Password'
                    example: newPassword
            required:
                - currentPassword
                - newPassword
            type: object
            additionalProperties: false
        ClientPayload:
            properties:
                clientId:
@@ -57,6 +72,16 @@ components:
                    type: string
                    description: 'Client Secret'
                    example: someRandomCryptoString
                accessTokenExpiration:
                    type: number
                    format: double
                    description: 'Number of seconds after which access token will expire. Default is 86400 (1 day)'
                    example: 86400
                refreshTokenExpiration:
                    type: number
                    format: double
                    description: 'Number of seconds after which access token will expire. Default is 2592000 (30 days)'
                    example: 2592000
            required:
                - clientId
                - clientSecret
@@ -73,17 +98,47 @@ components:
            properties:
                code:
                    type: string
-                    description: 'Code of program'
+                    description: 'The code to be executed'
-                    example: '* Code HERE;'
+                    example: '* Your Code HERE;'
                runTime:
                    $ref: '#/components/schemas/RunTimeType'
-                    description: 'runtime for program'
+                    description: 'The runtime for the code - eg SAS, JS, PY or R'
                    example: js
            required:
                - code
                - runTime
            type: object
            additionalProperties: false
        TriggerCodeResponse:
            properties:
                sessionId:
                    type: string
                    description: "The SessionId is the name of the temporary folder used to store the outputs.\nFor SAS, this would be the SASWORK folder. Can be used to poll job status.\nThis session ID should be used to poll job status."
                    example: '{ sessionId: ''20241028074744-54132-1730101664824'' }'
            required:
                - sessionId
            type: object
            additionalProperties: false
        TriggerCodePayload:
            properties:
                code:
                    type: string
                    description: 'The code to be executed'
                    example: '* Your Code HERE;'
                runTime:
                    $ref: '#/components/schemas/RunTimeType'
                    description: 'The runtime for the code - eg SAS, JS, PY or R'
                    example: sas
                expiresAfterMins:
                    type: number
                    format: double
                    description: "Amount of minutes after the completion of the job when the session must be\ndestroyed."
                    example: 15
            required:
                - code
                - runTime
            type: object
            additionalProperties: false
        MemberType.folder:
            enum:
                - folder
@@ -509,6 +564,27 @@ components:
                - setting
            type: object
            additionalProperties: false
        SessionResponse:
            properties:
                id:
                    type: number
                    format: double
                username:
                    type: string
                displayName:
                    type: string
                isAdmin:
                    type: boolean
                needsToUpdatePassword:
                    type: boolean
            required:
                - id
                - username
                - displayName
                - isAdmin
                - needsToUpdatePassword
            type: object
            additionalProperties: false
        ExecutePostRequestPayload:
            properties:
                _program:
@@ -517,6 +593,31 @@ components:
                    example: /Public/somefolder/some.file
            type: object
            additionalProperties: false
        TriggerProgramResponse:
            properties:
                sessionId:
                    type: string
                    description: "The SessionId is the name of the temporary folder used to store the outputs.\nFor SAS, this would be the SASWORK folder. Can be used to poll program status.\nThis session ID should be used to poll program status."
                    example: '{ sessionId: ''20241028074744-54132-1730101664824'' }'
            required:
                - sessionId
            type: object
            additionalProperties: false
        TriggerProgramPayload:
            properties:
                _program:
                    type: string
                    description: 'Location of SAS program'
                    example: /Public/somefolder/some.file
                expiresAfterMins:
                    type: number
                    format: double
                    description: "Amount of minutes after the completion of the program when the session must be\ndestroyed."
                    example: 15
            required:
                - _program
            type: object
            additionalProperties: false
        LoginPayload:
            properties:
                username:
@@ -622,6 +723,70 @@ paths:
                -
                    bearerAuth: []
            parameters: []
    /SASjsApi/auth/updatePassword:
        patch:
            operationId: UpdatePassword
            responses:
                '204':
                    description: 'No content'
            summary: 'Update user''s password.'
            tags:
                - Auth
            security:
                -
                    bearerAuth: []
            parameters: []
            requestBody:
                required: true
                content:
                    application/json:
                        schema:
                            $ref: '#/components/schemas/UpdatePasswordPayload'
    /SASjsApi/authConfig:
        get:
            operationId: GetDetail
            responses:
                '200':
                    description: Ok
                    content:
                        application/json:
                            schema: {}
                            examples:
                                'Example 1':
                                    value: {ldap: {LDAP_URL: 'ldaps://my.ldap.server:636', LDAP_BIND_DN: 'cn=admin,ou=system,dc=cloudron', LDAP_BIND_PASSWORD: secret, LDAP_USERS_BASE_DN: 'ou=users,dc=cloudron', LDAP_GROUPS_BASE_DN: 'ou=groups,dc=cloudron'}}
            summary: 'Gives the detail of Auth Mechanism.'
            tags:
                - Auth_Config
            security:
                -
                    bearerAuth: []
            parameters: []
    /SASjsApi/authConfig/synchroniseWithLDAP:
        post:
            operationId: SynchroniseWithLDAP
            responses:
                '200':
                    description: Ok
                    content:
                        application/json:
                            schema:
                                properties:
                                    groupCount: {type: number, format: double}
                                    userCount: {type: number, format: double}
                                required:
                                    - groupCount
                                    - userCount
                                type: object
                            examples:
                                'Example 1':
                                    value: {users: 5, groups: 3}
            summary: 'Synchronises LDAP users and groups with internal DB and returns the count of imported users and groups.'
            tags:
                - Auth_Config
            security:
                -
                    bearerAuth: []
            parameters: []
    /SASjsApi/client:
        post:
            operationId: CreateClient
@@ -634,8 +799,8 @@ paths:
                                $ref: '#/components/schemas/ClientPayload'
                            examples:
                                'Example 1':
-                                    value: {clientId: someFormattedClientID1234, clientSecret: someRandomCryptoString}
+                                    value: {clientId: someFormattedClientID1234, clientSecret: someRandomCryptoString, accessTokenExpiration: 86400}
-            summary: 'Create client with the following attributes: ClientId, ClientSecret. Admin only task.'
+            summary: "Admin only task. Create client with the following attributes:\nClientId,\nClientSecret,\naccessTokenExpiration (optional),\nrefreshTokenExpiration (optional)"
            tags:
                - Client
            security:
@@ -648,6 +813,27 @@ paths:
                    application/json:
                        schema:
                            $ref: '#/components/schemas/ClientPayload'
        get:
            operationId: GetAllClients
            responses:
                '200':
                    description: Ok
                    content:
                        application/json:
                            schema:
                                items:
                                    $ref: '#/components/schemas/ClientPayload'
                                type: array
                            examples:
                                'Example 1':
                                    value: [{clientId: someClientID1234, clientSecret: someRandomCryptoString, accessTokenExpiration: 86400}, {clientId: someOtherClientID, clientSecret: someOtherRandomCryptoString, accessTokenExpiration: 86400}]
            summary: 'Admin only task. Returns the list of all the clients'
            tags:
                - Client
            security:
                -
                    bearerAuth: []
            parameters: []
    /SASjsApi/code/execute:
        post:
            operationId: ExecuteCode
@@ -660,8 +846,8 @@ paths:
                                anyOf:
                                    - {type: string}
                                    - {type: string, format: byte}
-            description: 'Execute SAS code.'
+            description: 'Execute Code on the Specified Runtime'
-            summary: 'Run SAS Code and returns log'
+            summary: "Run Code and Return Webout Content, Log and Print output\nThe order of returned parts of the payload is:\n1. Webout (if present)\n2. Logs UUID (used as separator)\n3. Log\n4. Logs UUID (used as separator)\n5. Print (if present and if the runtime is SAS)\nPlease see"
            tags:
                - Code
            security:
@@ -674,6 +860,30 @@ paths:
                    application/json:
                        schema:
                            $ref: '#/components/schemas/ExecuteCodePayload'
    /SASjsApi/code/trigger:
        post:
            operationId: TriggerCode
            responses:
                '200':
                    description: Ok
                    content:
                        application/json:
                            schema:
                                $ref: '#/components/schemas/TriggerCodeResponse'
            description: 'Trigger Code on the Specified Runtime'
            summary: 'Triggers code and returns SessionId immediately - does not wait for job completion'
            tags:
                - Code
            security:
                -
                    bearerAuth: []
            parameters: []
            requestBody:
                required: true
                content:
                    application/json:
                        schema:
                            $ref: '#/components/schemas/TriggerCodePayload'
    /SASjsApi/drive/deploy:
        post:
            operationId: Deploy
@@ -1635,7 +1845,7 @@ paths:
                    content:
                        application/json:
                            schema:
-                                $ref: '#/components/schemas/UserResponse'
+                                $ref: '#/components/schemas/SessionResponse'
                            examples:
                                'Example 1':
                                    value: {id: 123, username: johnusername, displayName: John, isAdmin: false}
@@ -1658,7 +1868,7 @@ paths:
                                anyOf:
                                    - {type: string}
                                    - {type: string, format: byte}
-            description: "Trigger a Stored Program using the _program URL parameter.\n\nAccepts URL parameters and file uploads.  For more details, see docs:\n\nhttps://server.sasjs.io/storedprograms"
+            description: "Trigger a Stored Program using the _program URL parameter.\n\nAccepts additional URL parameters (converted to session variables)\nand file uploads.  For more details, see docs:\n\nhttps://server.sasjs.io/storedprograms"
            summary: 'Execute a Stored Program, returns _webout and (optionally) log.'
            tags:
                - STP
@@ -1667,13 +1877,22 @@ paths:
                    bearerAuth: []
            parameters:
                -
-                    description: 'Location of code in SASjs Drive'
+                    description: 'Location of Stored Program in SASjs Drive.'
                    in: query
                    name: _program
                    required: true
                    schema:
                        type: string
                    example: /Projects/myApp/some/program
                -
                    description: 'Optional query param for setting debug mode (returns the session log in the response body).'
                    in: query
                    name: _debug
                    required: false
                    schema:
                        format: double
                        type: number
                    example: 131
        post:
            operationId: ExecutePostRequest
            responses:
@@ -1686,7 +1905,7 @@ paths:
                                    - {type: string}
                                    - {type: string, format: byte}
            description: "Trigger a Stored Program using the _program URL parameter.\n\nAccepts URL parameters and file uploads.  For more details, see docs:\n\nhttps://server.sasjs.io/storedprograms"
-            summary: 'Execute a Stored Program, return a JSON object'
+            summary: 'Execute a Stored Program, returns _webout and (optionally) log.'
            tags:
                - STP
            security:
@@ -1707,6 +1926,38 @@ paths:
                    application/json:
                        schema:
                            $ref: '#/components/schemas/ExecutePostRequestPayload'
    /SASjsApi/stp/trigger:
        post:
            operationId: TriggerProgram
            responses:
                '200':
                    description: Ok
                    content:
                        application/json:
                            schema:
                                $ref: '#/components/schemas/TriggerProgramResponse'
            description: 'Trigger Program on the Specified Runtime'
            summary: 'Triggers program and returns SessionId immediately - does not wait for program completion'
            tags:
                - STP
            security:
                -
                    bearerAuth: []
            parameters:
                -
                    description: 'Location of code in SASjs Drive'
                    in: query
                    name: _program
                    required: false
                    schema:
                        type: string
                    example: /Projects/myApp/some/program
            requestBody:
                required: true
                content:
                    application/json:
                        schema:
                            $ref: '#/components/schemas/TriggerProgramPayload'
    /:
        get:
            operationId: Home
@@ -1732,7 +1983,7 @@ paths:
                        application/json:
                            schema:
                                properties:
-                                    user: {properties: {isAdmin: {type: boolean}, displayName: {type: string}, username: {type: string}, id: {type: number, format: double}}, required: [isAdmin, displayName, username, id], type: object}
+                                    user: {properties: {needsToUpdatePassword: {type: boolean}, isAdmin: {type: boolean}, displayName: {type: string}, username: {type: string}, id: {type: number, format: double}}, required: [needsToUpdatePassword, isAdmin, displayName, username, id], type: object}
                                    loggedIn: {type: boolean}
                                required:
                                    - user
@@ -1794,6 +2045,9 @@ tags:
    -
        name: Auth
        description: 'Operations about auth'
    -
        name: Auth_Config
        description: 'Operations about external auth providers'
    -
        name: Client
        description: 'Operations about clients'
--- a/api/scripts/downloadMacros.ts
+++ b/api/scripts/downloadMacros.ts
@@ -0,0 +1,39 @@
 import axios from 'axios'
 import Downloader from 'nodejs-file-downloader'
 import { createFile, listFilesInFolder } from '@sasjs/utils'
 import { sasJSCoreMacros, sasJSCoreMacrosInfo } from '../src/utils/file'
 export const downloadMacros = async () => {
  const url =
    'https://api.github.com/repos/yabwon/SAS_PACKAGES/contents/SPF/Macros'
  console.info(`Downloading macros from ${url}`)
  await axios
    .get(url)
    .then(async (res) => {
      await downloadFiles(res.data)
    })
    .catch((err) => {
      throw new Error(err)
    })
 }
 const downloadFiles = async function (fileList: any) {
  for (const file of fileList) {
    const downloader = new Downloader({
      url: file.download_url,
      directory: sasJSCoreMacros,
      fileName: file.path.replace(/^SPF\/Macros/, ''),
      cloneFiles: false
    })
    await downloader.download()
  }
  const fileNames = await listFilesInFolder(sasJSCoreMacros)
  await createFile(sasJSCoreMacrosInfo, fileNames.join('\n'))
 }
 downloadMacros()
--- a/api/src/app-modules/configureCors.ts
+++ b/api/src/app-modules/configureCors.ts
@@ -15,7 +15,7 @@ export const configureCors = (app: Express) => {
          whiteList.push(url.replace(/\/$/, ''))
      })
-    console.log('All CORS Requests are enabled for:', whiteList)
+    process.logger.info('All CORS Requests are enabled for:', whiteList)
    app.use(cors({ credentials: true, origin: whiteList }))
  }
 }
--- a/api/src/app-modules/configureExpressSession.ts
+++ b/api/src/app-modules/configureExpressSession.ts
@@ -1,22 +1,38 @@
-import { Express } from 'express'
+import { Express, CookieOptions } from 'express'
 import mongoose from 'mongoose'
 import session from 'express-session'
 import MongoStore from 'connect-mongo'
-import { ModeType } from '../utils'
+import { DatabaseType, ModeType, ProtocolType } from '../utils'
 import { cookieOptions } from '../app'
 export const configureExpressSession = (app: Express) => {
-  const { MODE } = process.env
+  const { MODE, DB_TYPE } = process.env
  if (MODE === ModeType.Server) {
    let store: MongoStore | undefined
    if (process.env.NODE_ENV !== 'test') {
-      store = MongoStore.create({
+      if (DB_TYPE === DatabaseType.COSMOS_MONGODB) {
-        client: mongoose.connection!.getClient() as any,
+        // COSMOS DB requires specific connection options (compatibility mode)
-        collectionName: 'sessions'
+        // See: https://www.npmjs.com/package/connect-mongo#set-the-compatibility-mode
-      })
+        store = MongoStore.create({
          client: mongoose.connection!.getClient() as any,
          autoRemove: 'interval'
        })
      } else {
        store = MongoStore.create({
          client: mongoose.connection!.getClient() as any
        })
      }
    }
    const { PROTOCOL, ALLOWED_DOMAIN } = process.env
    const cookieOptions: CookieOptions = {
      secure: PROTOCOL === ProtocolType.HTTPS,
      httpOnly: true,
      sameSite: PROTOCOL === ProtocolType.HTTPS ? 'none' : undefined,
      maxAge: 24 * 60 * 60 * 1000, // 24 hours
      domain: ALLOWED_DOMAIN?.trim() || undefined
    }
    app.use(
--- a/api/src/app-modules/configureLogger.ts
+++ b/api/src/app-modules/configureLogger.ts
@@ -23,7 +23,7 @@ export const configureLogger = (app: Express) => {
      path: logsFolder
    })
-    console.log('Writing Logs to :', path.join(logsFolder, filename))
+    process.logger.info('Writing Logs to :', path.join(logsFolder, filename))
    options = { stream: accessLogStream }
  }
--- a/api/src/app.ts
+++ b/api/src/app.ts
@@ -1,18 +1,21 @@
 import path from 'path'
 import express, { ErrorRequestHandler } from 'express'
 import csrf, { CookieOptions } from 'csurf'
 import cookieParser from 'cookie-parser'
 import dotenv from 'dotenv'
 import {
  copySASjsCore,
  createWeboutSasFile,
  getFilesFolder,
  getPackagesFolder,
  getWebBuildFolder,
  instantiateLogger,
  loadAppStreamConfig,
  ProtocolType,
  ReturnCode,
  setProcessVariables,
-  setupFolders,
+  setupFilesFolder,
  setupPackagesFolder,
  setupUserAutoExec,
  verifyEnvVariables
 } from './utils'
 import {
@@ -21,6 +24,7 @@ import {
  configureLogger,
  configureSecurity
 } from './app-modules'
 import { folderExists } from '@sasjs/utils'
 dotenv.config()
@@ -30,25 +34,8 @@ if (verifyEnvVariables()) process.exit(ReturnCode.InvalidEnv)
 const app = express()
 const { PROTOCOL } = process.env
 export const cookieOptions: CookieOptions = {
  secure: PROTOCOL === ProtocolType.HTTPS,
  httpOnly: true,
  sameSite: PROTOCOL === ProtocolType.HTTPS ? 'none' : undefined,
  maxAge: 24 * 60 * 60 * 1000 // 24 hours
 }
 /***********************************
 *         CSRF Protection         *
 ***********************************/
 export const csrfProtection = csrf({ cookie: cookieOptions })
 const onError: ErrorRequestHandler = (err, req, res, next) => {
-  if (err.code === 'EBADCSRFTOKEN')
+  process.logger.error(err.stack)
    return res.status(400).send('Invalid CSRF token!')
  console.error(err.stack)
  res.status(500).send('Something broke!')
 }
@@ -81,8 +68,21 @@ export default setProcessVariables().then(async () => {
  // Currently only place we use it is SAS9 Mock - POST /SASLogon/login
  app.use(express.urlencoded({ extended: true }))
-  await setupFolders()
+  await setupUserAutoExec()
-  await copySASjsCore()
+
  if (!(await folderExists(getFilesFolder()))) await setupFilesFolder()
  if (!(await folderExists(getPackagesFolder()))) await setupPackagesFolder()
  const sasautosPath = path.join(process.driveLoc, 'sas', 'sasautos')
  if (await folderExists(sasautosPath)) {
    process.logger.warn(
      `SASAUTOS was not refreshed. To force a refresh, delete the ${sasautosPath} folder`
    )
  } else {
    await copySASjsCore()
    await createWeboutSasFile()
  }
  // loading these modules after setting up variables due to
  // multer's usage of process var process.driveLoc
--- a/api/src/controllers/auth.ts
+++ b/api/src/controllers/auth.ts
@@ -1,12 +1,27 @@
-import { Security, Route, Tags, Example, Post, Body, Query, Hidden } from 'tsoa'
+import express from 'express'
 import {
  Security,
  Route,
  Tags,
  Example,
  Post,
  Patch,
  Request,
  Body,
  Query,
  Hidden
 } from 'tsoa'
 import jwt from 'jsonwebtoken'
 import { InfoJWT } from '../types'
 import {
  generateAccessToken,
  generateRefreshToken,
  getTokensFromDB,
  removeTokensInDB,
  saveTokensInDB
 } from '../utils'
 import Client from '../model/Client'
 import User from '../model/User'
@Route('SASjsApi/auth')
@Tags('Auth')
@@ -60,6 +75,18 @@ export class AuthController {
  public async logout(@Query() @Hidden() data?: InfoJWT) {
    return logout(data!)
  }
  /**
   * @summary Update user's password.
   */
  @Security('bearerAuth')
  @Patch('updatePassword')
  public async updatePassword(
    @Request() req: express.Request,
    @Body() body: UpdatePasswordPayload
  ) {
    return updatePassword(req, body)
  }
 }
 const token = async (data: any): Promise<TokenResponse> => {
@@ -73,8 +100,26 @@ const token = async (data: any): Promise<TokenResponse> => {
  AuthController.deleteCode(userInfo.userId, clientId)
-  const accessToken = generateAccessToken(userInfo)
+  // get tokens from DB
-  const refreshToken = generateRefreshToken(userInfo)
+  const existingTokens = await getTokensFromDB(userInfo.userId, clientId)
  if (existingTokens) {
    return {
      accessToken: existingTokens.accessToken,
      refreshToken: existingTokens.refreshToken
    }
  }
  const client = await Client.findOne({ clientId })
  if (!client) throw new Error('Invalid clientId.')
  const accessToken = generateAccessToken(
    userInfo,
    client.accessTokenExpiration
  )
  const refreshToken = generateRefreshToken(
    userInfo,
    client.refreshTokenExpiration
  )
  await saveTokensInDB(userInfo.userId, clientId, accessToken, refreshToken)
@@ -82,8 +127,17 @@ const token = async (data: any): Promise<TokenResponse> => {
 }
 const refresh = async (userInfo: InfoJWT): Promise<TokenResponse> => {
-  const accessToken = generateAccessToken(userInfo)
+  const client = await Client.findOne({ clientId: userInfo.clientId })
-  const refreshToken = generateRefreshToken(userInfo)
+  if (!client) throw new Error('Invalid clientId.')
  const accessToken = generateAccessToken(
    userInfo,
    client.accessTokenExpiration
  )
  const refreshToken = generateRefreshToken(
    userInfo,
    client.refreshTokenExpiration
  )
  await saveTokensInDB(
    userInfo.userId,
@@ -99,6 +153,40 @@ const logout = async (userInfo: InfoJWT) => {
  await removeTokensInDB(userInfo.userId, userInfo.clientId)
 }
 const updatePassword = async (
  req: express.Request,
  data: UpdatePasswordPayload
 ) => {
  const { currentPassword, newPassword } = data
  const userId = req.user?.userId
  const dbUser = await User.findOne({ id: userId })
  if (!dbUser)
    throw {
      code: 404,
      message: `User not found!`
    }
  if (dbUser?.authProvider) {
    throw {
      code: 405,
      message:
        'Can not update password of user that is created by an external auth provider.'
    }
  }
  const validPass = dbUser.comparePassword(currentPassword)
  if (!validPass)
    throw {
      code: 403,
      message: `Invalid current password!`
    }
  dbUser.password = User.hashPassword(newPassword)
  dbUser.needsToUpdatePassword = false
  await dbUser.save()
 }
 interface TokenPayload {
  /**
   * Client ID
@@ -125,6 +213,19 @@ interface TokenResponse {
  refreshToken: string
 }
 interface UpdatePasswordPayload {
  /**
   * Current Password
   * @example "currentPasswordString"
   */
  currentPassword: string
  /**
   * New Password
   * @example "newPassword"
   */
  newPassword: string
 }
 const verifyAuthCode = async (
  clientId: string,
  code: string
--- a/api/src/controllers/authConfig.ts
+++ b/api/src/controllers/authConfig.ts
@@ -0,0 +1,186 @@
 import express from 'express'
 import { Security, Route, Tags, Get, Post, Example } from 'tsoa'
 import { LDAPClient, LDAPUser, LDAPGroup, AuthProviderType } from '../utils'
 import { randomBytes } from 'crypto'
 import User from '../model/User'
 import Group from '../model/Group'
 import Permission from '../model/Permission'
@Security('bearerAuth')
@Route('SASjsApi/authConfig')
@Tags('Auth_Config')
 export class AuthConfigController {
  /**
   * @summary Gives the detail of Auth Mechanism.
   *
   */
  @Example({
    ldap: {
      LDAP_URL: 'ldaps://my.ldap.server:636',
      LDAP_BIND_DN: 'cn=admin,ou=system,dc=cloudron',
      LDAP_BIND_PASSWORD: 'secret',
      LDAP_USERS_BASE_DN: 'ou=users,dc=cloudron',
      LDAP_GROUPS_BASE_DN: 'ou=groups,dc=cloudron'
    }
  })
  @Get('/')
  public getDetail() {
    return getAuthConfigDetail()
  }
  /**
   * @summary Synchronises LDAP users and groups with internal DB and returns the count of imported users and groups.
   *
   */
  @Example({
    users: 5,
    groups: 3
  })
  @Post('/synchroniseWithLDAP')
  public async synchroniseWithLDAP() {
    return synchroniseWithLDAP()
  }
 }
 const synchroniseWithLDAP = async () => {
  process.logger.info('Syncing LDAP with internal DB')
  const permissions = await Permission.get({})
  await Permission.deleteMany()
  await User.deleteMany({ authProvider: AuthProviderType.LDAP })
  await Group.deleteMany({ authProvider: AuthProviderType.LDAP })
  const ldapClient = await LDAPClient.init()
  process.logger.info('fetching LDAP users')
  const users = await ldapClient.getAllLDAPUsers()
  process.logger.info('inserting LDAP users to DB')
  const existingUsers: string[] = []
  const importedUsers: LDAPUser[] = []
  for (const user of users) {
    const usernameExists = await User.findOne({ username: user.username })
    if (usernameExists) {
      existingUsers.push(user.username)
      continue
    }
    const hashPassword = User.hashPassword(randomBytes(64).toString('hex'))
    await User.create({
      displayName: user.displayName,
      username: user.username,
      password: hashPassword,
      authProvider: AuthProviderType.LDAP,
      needsToUpdatePassword: false
    })
    importedUsers.push(user)
  }
  if (existingUsers.length > 0) {
    process.logger.info(
      'Failed to insert following users as they already exist in DB:'
    )
    existingUsers.forEach((user) => process.logger.log(`* ${user}`))
  }
  process.logger.info('fetching LDAP groups')
  const groups = await ldapClient.getAllLDAPGroups()
  process.logger.info('inserting LDAP groups to DB')
  const existingGroups: string[] = []
  const importedGroups: LDAPGroup[] = []
  for (const group of groups) {
    const groupExists = await Group.findOne({ name: group.name })
    if (groupExists) {
      existingGroups.push(group.name)
      continue
    }
    await Group.create({
      name: group.name,
      authProvider: AuthProviderType.LDAP
    })
    importedGroups.push(group)
  }
  if (existingGroups.length > 0) {
    process.logger.info(
      'Failed to insert following groups as they already exist in DB:'
    )
    existingGroups.forEach((group) => process.logger.log(`* ${group}`))
  }
  process.logger.info('associating users and groups')
  for (const group of importedGroups) {
    const dbGroup = await Group.findOne({ name: group.name })
    if (dbGroup) {
      for (const member of group.members) {
        const user = importedUsers.find((user) => user.uid === member)
        if (user) {
          const dbUser = await User.findOne({ username: user.username })
          if (dbUser) await dbGroup.addUser(dbUser)
        }
      }
    }
  }
  process.logger.info('setting permissions')
  for (const permission of permissions) {
    const newPermission = new Permission({
      path: permission.path,
      type: permission.type,
      setting: permission.setting
    })
    if (permission.user) {
      const dbUser = await User.findOne({ username: permission.user.username })
      if (dbUser) newPermission.user = dbUser._id
    } else if (permission.group) {
      const dbGroup = await Group.findOne({ name: permission.group.name })
      if (dbGroup) newPermission.group = dbGroup._id
    }
    await newPermission.save()
  }
  process.logger.info('LDAP synchronization completed!')
  return {
    userCount: importedUsers.length,
    groupCount: importedGroups.length
  }
 }
 const getAuthConfigDetail = () => {
  const { AUTH_PROVIDERS } = process.env
  const returnObj: any = {}
  if (AUTH_PROVIDERS === AuthProviderType.LDAP) {
    const {
      LDAP_URL,
      LDAP_BIND_DN,
      LDAP_BIND_PASSWORD,
      LDAP_USERS_BASE_DN,
      LDAP_GROUPS_BASE_DN
    } = process.env
    returnObj.ldap = {
      LDAP_URL: LDAP_URL ?? '',
      LDAP_BIND_DN: LDAP_BIND_DN ?? '',
      LDAP_BIND_PASSWORD: LDAP_BIND_PASSWORD ?? '',
      LDAP_USERS_BASE_DN: LDAP_USERS_BASE_DN ?? '',
      LDAP_GROUPS_BASE_DN: LDAP_GROUPS_BASE_DN ?? ''
    }
  }
  return returnObj
 }
--- a/api/src/controllers/client.ts
+++ b/api/src/controllers/client.ts
@@ -1,18 +1,27 @@
-import { Security, Route, Tags, Example, Post, Body } from 'tsoa'
+import { Security, Route, Tags, Example, Post, Body, Get } from 'tsoa'
-import Client, { ClientPayload } from '../model/Client'
+import Client, {
  ClientPayload,
  NUMBER_OF_SECONDS_IN_A_DAY
 } from '../model/Client'
@Security('bearerAuth')
@Route('SASjsApi/client')
@Tags('Client')
 export class ClientController {
  /**
-   * @summary Create client with the following attributes: ClientId, ClientSecret. Admin only task.
+   * @summary Admin only task. Create client with the following attributes:
   * ClientId,
   * ClientSecret,
   * accessTokenExpiration (optional),
   * refreshTokenExpiration (optional)
   *
   */
  @Example<ClientPayload>({
    clientId: 'someFormattedClientID1234',
-    clientSecret: 'someRandomCryptoString'
+    clientSecret: 'someRandomCryptoString',
    accessTokenExpiration: NUMBER_OF_SECONDS_IN_A_DAY,
    refreshTokenExpiration: NUMBER_OF_SECONDS_IN_A_DAY * 30
  })
  @Post('/')
  public async createClient(
@@ -20,10 +29,37 @@ export class ClientController {
  ): Promise<ClientPayload> {
    return createClient(body)
  }
  /**
   * @summary Admin only task. Returns the list of all the clients
   */
  @Example<ClientPayload[]>([
    {
      clientId: 'someClientID1234',
      clientSecret: 'someRandomCryptoString',
      accessTokenExpiration: NUMBER_OF_SECONDS_IN_A_DAY,
      refreshTokenExpiration: NUMBER_OF_SECONDS_IN_A_DAY * 30
    },
    {
      clientId: 'someOtherClientID',
      clientSecret: 'someOtherRandomCryptoString',
      accessTokenExpiration: NUMBER_OF_SECONDS_IN_A_DAY,
      refreshTokenExpiration: NUMBER_OF_SECONDS_IN_A_DAY * 30
    }
  ])
  @Get('/')
  public async getAllClients(): Promise<ClientPayload[]> {
    return getAllClients()
  }
 }
-const createClient = async (data: any): Promise<ClientPayload> => {
+const createClient = async (data: ClientPayload): Promise<ClientPayload> => {
-  const { clientId, clientSecret } = data
+  const {
    clientId,
    clientSecret,
    accessTokenExpiration,
    refreshTokenExpiration
  } = data
  // Checking if client is already in the database
  const clientExist = await Client.findOne({ clientId })
@@ -32,13 +68,27 @@ const createClient = async (data: any): Promise<ClientPayload> => {
  // Create a new client
  const client = new Client({
    clientId,
-    clientSecret
+    clientSecret,
    accessTokenExpiration,
    refreshTokenExpiration
  })
  const savedClient = await client.save()
  return {
    clientId: savedClient.clientId,
-    clientSecret: savedClient.clientSecret
+    clientSecret: savedClient.clientSecret,
    accessTokenExpiration: savedClient.accessTokenExpiration,
    refreshTokenExpiration: savedClient.refreshTokenExpiration
  }
 }
 const getAllClients = async (): Promise<ClientPayload[]> => {
  return Client.find({}).select({
    _id: 0,
    clientId: 1,
    clientSecret: 1,
    accessTokenExpiration: 1,
    refreshTokenExpiration: 1
  })
 }
--- a/api/src/controllers/code.ts
+++ b/api/src/controllers/code.ts
@@ -1,34 +1,69 @@
 import express from 'express'
 import { Request, Security, Route, Tags, Post, Body } from 'tsoa'
-import { ExecutionController } from './internal'
+import { ExecutionController, getSessionController } from './internal'
 import {
  getPreProgramVariables,
  getUserAutoExec,
  ModeType,
  parseLogToArray,
  RunTimeType
 } from '../utils'
 interface ExecuteCodePayload {
  /**
-   * Code of program
+   * The code to be executed
-   * @example "* Code HERE;"
+   * @example "* Your Code HERE;"
   */
  code: string
  /**
-   * runtime for program
+   * The runtime for the code - eg SAS, JS, PY or R
   * @example "js"
   */
  runTime: RunTimeType
 }
 interface TriggerCodePayload {
  /**
   * The code to be executed
   * @example "* Your Code HERE;"
   */
  code: string
  /**
   * The runtime for the code - eg SAS, JS, PY or R
   * @example "sas"
   */
  runTime: RunTimeType
  /**
   * Amount of minutes after the completion of the job when the session must be
   * destroyed.
   * @example 15
   */
  expiresAfterMins?: number
 }
 interface TriggerCodeResponse {
  /**
   * The SessionId is the name of the temporary folder used to store the outputs.
   * For SAS, this would be the SASWORK folder. Can be used to poll job status.
   * This session ID should be used to poll job status.
   * @example "{ sessionId: '20241028074744-54132-1730101664824' }"
   */
  sessionId: string
 }
@Security('bearerAuth')
@Route('SASjsApi/code')
@Tags('Code')
 export class CodeController {
  /**
-   * Execute SAS code.
+   * Execute Code on the Specified Runtime
-   * @summary Run SAS Code and returns log
+   * @summary Run Code and Return Webout Content, Log and Print output
   * The order of returned parts of the payload is:
   * 1. Webout (if present)
   * 2. Logs UUID (used as separator)
   * 3. Log
   * 4. Logs UUID (used as separator)
   * 5. Print (if present and if the runtime is SAS)
   * Please see @sasjs/server/api/src/controllers/internal/Execution.ts for more information
   */
  @Post('/execute')
  public async executeCode(
@@ -37,6 +72,18 @@ export class CodeController {
  ): Promise<string | Buffer> {
    return executeCode(request, body)
  }
  /**
   * Trigger Code on the Specified Runtime
   * @summary Triggers code and returns SessionId immediately - does not wait for job completion
   */
  @Post('/trigger')
  public async triggerCode(
    @Request() request: express.Request,
    @Body() body: TriggerCodePayload
  ): Promise<TriggerCodeResponse> {
    return triggerCode(request, body)
  }
 }
 const executeCode = async (
@@ -55,7 +102,8 @@ const executeCode = async (
      preProgramVariables: getPreProgramVariables(req),
      vars: { ...req.query, _debug: 131 },
      otherArgs: { userAutoExec },
-      runTime: runTime
+      runTime: runTime,
      includePrintOutput: true
    })
    return result
@@ -68,3 +116,49 @@ const executeCode = async (
    }
  }
 }
 const triggerCode = async (
  req: express.Request,
  { code, runTime, expiresAfterMins }: TriggerCodePayload
 ): Promise<TriggerCodeResponse> => {
  const { user } = req
  const userAutoExec =
    process.env.MODE === ModeType.Server
      ? user?.autoExec
      : await getUserAutoExec()
  // get session controller based on runTime
  const sessionController = getSessionController(runTime)
  // get session
  const session = await sessionController.getSession()
  // add expiresAfterMins to session if provided
  if (expiresAfterMins) {
    // expiresAfterMins.used is set initially to false
    session.expiresAfterMins = { mins: expiresAfterMins, used: false }
  }
  try {
    // call executeProgram method of ExecutionController without awaiting
    new ExecutionController().executeProgram({
      program: code,
      preProgramVariables: getPreProgramVariables(req),
      vars: { ...req.query, _debug: 131 },
      otherArgs: { userAutoExec },
      runTime: runTime,
      includePrintOutput: true,
      session // session is provided
    })
    // return session id
    return { sessionId: session.id }
  } catch (err: any) {
    throw {
      code: 400,
      status: 'failure',
      message: 'Job execution failed.',
      error: typeof err === 'object' ? err.toString() : err
    }
  }
 }
--- a/api/src/controllers/group.ts
+++ b/api/src/controllers/group.ts
@@ -12,6 +12,7 @@ import {
 import Group, { GroupPayload, PUBLIC_GROUP_NAME } from '../model/Group'
 import User from '../model/User'
 import { AuthProviderType } from '../utils'
 import { UserResponse } from './user'
 export interface GroupResponse {
@@ -147,12 +148,14 @@ export class GroupController {
  @Delete('{groupId}')
  public async deleteGroup(@Path() groupId: number) {
    const group = await Group.findOne({ groupId })
-    if (group) return await group.remove()
+    if (!group)
-    throw {
+      throw {
-      code: 404,
+        code: 404,
-      status: 'Not Found',
+        status: 'Not Found',
-      message: 'Group not found.'
+        message: 'Group not found.'
-    }
+      }
    return await group.remove()
  }
 }
@@ -248,6 +251,13 @@ const updateUsersListInGroup = async (
      message: `Can't add/remove user to '${PUBLIC_GROUP_NAME}' group.`
    }
  if (group.authProvider)
    throw {
      code: 405,
      status: 'Method Not Allowed',
      message: `Can't add/remove user to group created by external auth provider.`
    }
  const user = await User.findOne({ id: userId })
  if (!user)
    throw {
@@ -256,6 +266,13 @@ const updateUsersListInGroup = async (
      message: 'User not found.'
    }
  if (user.authProvider)
    throw {
      code: 405,
      status: 'Method Not Allowed',
      message: `Can't add/remove user to group created by external auth provider.`
    }
  const updatedGroup =
    action === 'addUser'
      ? await group.addUser(user)
--- a/api/src/controllers/index.ts
+++ b/api/src/controllers/index.ts
@@ -1,4 +1,5 @@
 export * from './auth'
 export * from './authConfig'
 export * from './client'
 export * from './code'
 export * from './drive'
--- a/api/src/controllers/internal/Execution.ts
+++ b/api/src/controllers/internal/Execution.ts
@@ -28,10 +28,12 @@ interface ExecuteFileParams {
  returnJson?: boolean
  session?: Session
  runTime: RunTimeType
  forceStringResult?: boolean
 }
 interface ExecuteProgramParams extends Omit<ExecuteFileParams, 'programPath'> {
  program: string
  includePrintOutput?: boolean
 }
 export class ExecutionController {
@@ -42,7 +44,8 @@ export class ExecutionController {
    otherArgs,
    returnJson,
    session,
-    runTime
+    runTime,
    forceStringResult
  }: ExecuteFileParams) {
    const program = await readFile(programPath)
@@ -53,7 +56,8 @@ export class ExecutionController {
      otherArgs,
      returnJson,
      session,
-      runTime
+      runTime,
      forceStringResult
    })
  }
@@ -63,7 +67,9 @@ export class ExecutionController {
    vars,
    otherArgs,
    session: sessionByFileUpload,
-    runTime
+    runTime,
    forceStringResult,
    includePrintOutput
  }: ExecuteProgramParams): Promise<ExecuteReturnRaw> {
    const sessionController = getSessionController(runTime)
@@ -101,10 +107,15 @@ export class ExecutionController {
      ? await readFile(headersPath)
      : ''
    const httpHeaders: HTTPHeaders = extractHeaders(headersContent)
    if (isDebugOn(vars)) {
      httpHeaders['content-type'] = 'text/plain'
    }
    const fileResponse: boolean = httpHeaders.hasOwnProperty('content-type')
    const webout = (await fileExists(weboutPath))
-      ? fileResponse
+      ? fileResponse && !forceStringResult
        ? await readFileBinary(weboutPath)
        : await readFile(weboutPath)
      : ''
@@ -112,12 +123,29 @@ export class ExecutionController {
    // it should be deleted by scheduleSessionDestroy
    session.inUse = false
    const resultParts = []
    // INFO: webout can be a Buffer, that is why it's length should be checked to determine if it is empty
    if (webout && webout.length !== 0) resultParts.push(webout)
    // INFO: log separator wraps the log from the beginning and the end
    resultParts.push(process.logsUUID)
    resultParts.push(log)
    resultParts.push(process.logsUUID)
    if (includePrintOutput && runTime === RunTimeType.SAS) {
      const printOutputPath = path.join(session.path, 'output.lst')
      const printOutput = (await fileExists(printOutputPath))
        ? await readFile(printOutputPath)
        : ''
      if (printOutput) resultParts.push(printOutput)
    }
    return {
      httpHeaders,
      result:
-        isDebugOn(vars) || session.crashed
+        isDebugOn(vars) || session.crashed ? resultParts.join(`\n`) : webout
          ? `${webout}\n${process.logsUUID}\n${log}`
          : webout
    }
  }
--- a/api/src/controllers/internal/Session.ts
+++ b/api/src/controllers/internal/Session.ts
@@ -3,6 +3,7 @@ import { Session } from '../../types'
 import { promisify } from 'util'
 import { execFile } from 'child_process'
 import {
  getPackagesFolder,
  getSessionsFolder,
  generateUniqueFileName,
  sysInitCompiledPath,
@@ -13,8 +14,7 @@ import {
  createFile,
  fileExists,
  generateTimestamp,
-  readFile,
+  readFile
  isWindows
 } from '@sasjs/utils'
 const execFilePromise = promisify(execFile)
@@ -49,7 +49,7 @@ export class SessionController {
    }
    const headersPath = path.join(session.path, 'stpsrv_header.txt')
-    await createFile(headersPath, 'Content-type: text/plain')
+    await createFile(headersPath, 'content-type: text/html; charset=utf-8')
    this.sessions.push(session)
    return session
@@ -93,7 +93,7 @@ export class SASSessionController extends SessionController {
    }
    const headersPath = path.join(session.path, 'stpsrv_header.txt')
-    await createFile(headersPath, 'Content-type: text/plain')
+    await createFile(headersPath, 'content-type: text/html; charset=utf-8\n')
    // we do not want to leave sessions running forever
    // we clean them up after a predefined period, if unused
@@ -104,7 +104,8 @@ export class SASSessionController extends SessionController {
    // the autoexec file is executed on SAS startup
    const autoExecPath = path.join(sessionFolder, 'autoexec.sas')
-    const contentForAutoExec = `/* compiled systemInit */
+    const contentForAutoExec = `filename packages "${getPackagesFolder()}";
 /* compiled systemInit */
 ${compiledSystemInitContent}
 /* autoexec */
 ${autoExecContent}`
@@ -132,23 +133,24 @@ ${autoExecContent}`
      session.path,
      '-AUTOEXEC',
      autoExecPath,
-      isWindows() ? '-nologo' : '',
+      process.sasLoc!.endsWith('sas.exe') ? '-nologo' : '',
      process.sasLoc!.endsWith('sas.exe') ? '-nosplash' : '',
      process.sasLoc!.endsWith('sas.exe') ? '-icon' : '',
      process.sasLoc!.endsWith('sas.exe') ? '-nodms' : '',
      process.sasLoc!.endsWith('sas.exe') ? '-noterminal' : '',
      process.sasLoc!.endsWith('sas.exe') ? '-nostatuswin' : '',
      process.sasLoc!.endsWith('sas.exe') ? '-NOPRNGETLIST' : '',
      process.sasLoc!.endsWith('sas.exe') ? '-SASINITIALFOLDER' : '',
      process.sasLoc!.endsWith('sas.exe') ? session.path : ''
    ])
      .then(() => {
        session.completed = true
-        console.log('session completed', session)
+        process.logger.info('session completed', session)
      })
      .catch((err) => {
        session.completed = true
        session.crashed = err.toString()
-        console.log('session crashed', session.id, session.crashed)
+        process.logger.error('session crashed', session.id, session.crashed)
      })
    // we have a triggered session - add to array
@@ -168,7 +170,10 @@ ${autoExecContent}`
    while ((await fileExists(codeFilePath)) && !session.crashed) {}
    if (session.crashed)
-      console.log('session crashed! while waiting to be ready', session.crashed)
+      process.logger.error(
        'session crashed! while waiting to be ready',
        session.crashed
      )
    session.ready = true
  }
@@ -184,29 +189,52 @@ ${autoExecContent}`
  }
  private scheduleSessionDestroy(session: Session) {
-    setTimeout(async () => {
+    setTimeout(
-      if (session.inUse) {
+      async () => {
-        // adding 10 more minutes
+        if (session.inUse) {
-        const newDeathTimeStamp = parseInt(session.deathTimeStamp) + 10 * 1000
+          // adding 10 more minutes
-        session.deathTimeStamp = newDeathTimeStamp.toString()
+          const newDeathTimeStamp =
            parseInt(session.deathTimeStamp) + 10 * 60 * 1000
          session.deathTimeStamp = newDeathTimeStamp.toString()
-        this.scheduleSessionDestroy(session)
+          this.scheduleSessionDestroy(session)
-      } else {
+        } else {
-        await this.deleteSession(session)
+          const { expiresAfterMins } = session
-      }
+
-    }, parseInt(session.deathTimeStamp) - new Date().getTime() - 100)
+          // delay session destroy if expiresAfterMins present
          if (expiresAfterMins && !expiresAfterMins.used) {
            // calculate session death time using expiresAfterMins
            const newDeathTimeStamp =
              parseInt(session.deathTimeStamp) +
              expiresAfterMins.mins * 60 * 1000
            session.deathTimeStamp = newDeathTimeStamp.toString()
            // set expiresAfterMins to true to avoid using it again
            session.expiresAfterMins!.used = true
            this.scheduleSessionDestroy(session)
          } else {
            await this.deleteSession(session)
          }
        }
      },
      parseInt(session.deathTimeStamp) - new Date().getTime() - 100
    )
  }
 }
 export const getSessionController = (
  runTime: RunTimeType
 ): SessionController => {
-  if (process.sessionController) return process.sessionController
+  if (runTime === RunTimeType.SAS) {
    process.sasSessionController =
      process.sasSessionController || new SASSessionController()
    return process.sasSessionController
  }
  process.sessionController =
-    runTime === RunTimeType.SAS
+    process.sessionController || new SessionController()
      ? new SASSessionController()
      : new SessionController()
  return process.sessionController
 }
--- a/api/src/controllers/internal/createJSProgram.ts
+++ b/api/src/controllers/internal/createJSProgram.ts
@@ -15,7 +15,7 @@ export const createJSProgram = async (
 ) => {
  const varStatments = Object.keys(vars).reduce(
    (computed: string, key: string) =>
-      `${computed}const ${key} = '${vars[key]}';\n`,
+      `${computed}const ${key} = \`${vars[key]}\`;\n`,
    ''
  )
--- a/api/src/controllers/internal/createSASProgram.ts
+++ b/api/src/controllers/internal/createSASProgram.ts
@@ -40,8 +40,6 @@ export const createSASProgram = async (
 %mend;
 %_sasjs_server_init()
 proc printto print="%sysfunc(getoption(log))";
 run;
 `
  program = `
--- a/api/src/controllers/internal/processProgram.ts
+++ b/api/src/controllers/internal/processProgram.ts
@@ -1,6 +1,6 @@
 import path from 'path'
-import fs from 'fs'
+import { WriteStream, createWriteStream } from 'fs'
-import { execFileSync } from 'child_process'
+import { execFile } from 'child_process'
 import { once } from 'stream'
 import { createFile, moveFile } from '@sasjs/utils'
 import { PreProgramVars, Session } from '../../types'
@@ -105,30 +105,58 @@ export const processProgram = async (
        throw new Error('Invalid runtime!')
    }
-    try {
+    await createFile(codePath, program)
      await createFile(codePath, program)
-      // create a stream that will write to console outputs to log file
+    // create a stream that will write to console outputs to log file
-      const writeStream = fs.createWriteStream(logPath)
+    const writeStream = createWriteStream(logPath)
    // waiting for the open event so that we can have underlying file descriptor
    await once(writeStream, 'open')
-      // waiting for the open event so that we can have underlying file descriptor
+    await execFilePromise(executablePath, [codePath], writeStream)
-      await once(writeStream, 'open')
+      .then(() => {
-
+        session.completed = true
-      execFileSync(executablePath, [codePath], {
+        process.logger.info('session completed', session)
-        stdio: ['ignore', writeStream, writeStream]
+      })
      .catch((err) => {
        session.completed = true
        session.crashed = err.toString()
        process.logger.error('session crashed', session.id, session.crashed)
      })
-      // copy the code file to log and end write stream
+    // copy the code file to log and end write stream
-      writeStream.end(program)
+    writeStream.end(program)
      session.completed = true
      console.log('session completed', session)
    } catch (err: any) {
      session.completed = true
      session.crashed = err.toString()
      console.log('session crashed', session.id, session.crashed)
    }
  }
 }
 /**
 * Promisified child_process.execFile
 *
 * @param file - The name or path of the executable file to run.
 * @param args - List of string arguments.
 * @param writeStream - Child process stdout and stderr will be piped to it.
 *
 * @returns {Promise<{ stdout: string, stderr: string }>}
 */
 const execFilePromise = (
  file: string,
  args: string[],
  writeStream: WriteStream
 ): Promise<{ stdout: string; stderr: string }> => {
  return new Promise((resolve, reject) => {
    const child = execFile(file, args, (err, stdout, stderr) => {
      if (err) reject(err)
      resolve({ stdout, stderr })
    })
    child.stdout?.on('data', (data) => {
      writeStream.write(data)
    })
    child.stderr?.on('data', (data) => {
      writeStream.write(data)
    })
  })
 }
 const delay = (ms: number) => new Promise((resolve) => setTimeout(resolve, ms))
--- a/api/src/controllers/mock-sas9.ts
+++ b/api/src/controllers/mock-sas9.ts
@@ -2,6 +2,16 @@ import { readFile } from '@sasjs/utils'
 import express from 'express'
 import path from 'path'
 import { Request, Post, Get } from 'tsoa'
 import dotenv from 'dotenv'
 import { ExecutionController } from './internal'
 import {
  getPreProgramVariables,
  getRunTimeAndFilePath,
  makeFilesNamesMap
 } from '../utils'
 import { MulterFile } from '../types/Upload'
 dotenv.config()
 export interface Sas9Response {
  content: string
@@ -16,9 +26,17 @@ export interface MockFileRead {
 export class MockSas9Controller {
  private loggedIn: string | undefined
  private mocksPath = process.env.STATIC_MOCK_LOCATION || 'mocks'
  @Get('/SASStoredProcess')
-  public async sasStoredProcess(): Promise<Sas9Response> {
+  public async sasStoredProcess(
    @Request() req: express.Request
  ): Promise<Sas9Response> {
    const username = req.query._username?.toString() || undefined
    const password = req.query._password?.toString() || undefined
    if (username && password) this.loggedIn = req.body.username
    if (!this.loggedIn) {
      return {
        content: '',
@@ -26,17 +44,87 @@ export class MockSas9Controller {
      }
    }
    let program = req.query._program?.toString() || undefined
    const filePath: string[] = program
      ? program.replace('/', '').split('/')
      : ['generic', 'sas-stored-process']
    if (program) {
      return await getMockResponseFromFile([
        process.cwd(),
        this.mocksPath,
        'sas9',
        ...filePath
      ])
    }
    return await getMockResponseFromFile([
      process.cwd(),
      'mocks',
      'generic',
      'sas9',
-      'sas-stored-process'
+      ...filePath
    ])
  }
  @Get('/SASStoredProcess/do')
  public async sasStoredProcessDoGet(
    @Request() req: express.Request
  ): Promise<Sas9Response> {
    const username = req.query._username?.toString() || undefined
    const password = req.query._password?.toString() || undefined
    if (username && password) this.loggedIn = username
    if (!this.loggedIn) {
      return {
        content: '',
        redirect: '/SASLogon/login'
      }
    }
    const program = req.query._program ?? req.body?._program
    const filePath: string[] = ['generic', 'sas-stored-process']
    if (program) {
      const vars = { ...req.query, ...req.body, _requestMethod: req.method }
      const otherArgs = {}
      try {
        const { codePath, runTime } = await getRunTimeAndFilePath(
          program + '.js'
        )
        const result = await new ExecutionController().executeFile({
          programPath: codePath,
          preProgramVariables: getPreProgramVariables(req),
          vars: vars,
          otherArgs: otherArgs,
          runTime,
          forceStringResult: true
        })
        return {
          content: result.result as string
        }
      } catch (err) {
        process.logger.error('err', err)
      }
      return {
        content: 'No webout returned.'
      }
    }
    return await getMockResponseFromFile([
      process.cwd(),
      'mocks',
      'sas9',
      ...filePath
    ])
  }
  @Post('/SASStoredProcess/do/')
-  public async sasStoredProcessDo(
+  public async sasStoredProcessDoPost(
    @Request() req: express.Request
  ): Promise<Sas9Response> {
    if (!this.loggedIn) {
@@ -53,23 +141,38 @@ export class MockSas9Controller {
      }
    }
-    let program = req.query._program?.toString() || ''
+    const program = req.query._program ?? req.body?._program
-    program = program.replace('/', '')
+    const vars = {
      ...req.query,
      ...req.body,
      _requestMethod: req.method,
      _driveLoc: process.driveLoc
    }
    const filesNamesMap = req.files?.length
      ? makeFilesNamesMap(req.files as MulterFile[])
      : null
    const otherArgs = { filesNamesMap: filesNamesMap }
    const { codePath, runTime } = await getRunTimeAndFilePath(program + '.js')
    try {
      const result = await new ExecutionController().executeFile({
        programPath: codePath,
        preProgramVariables: getPreProgramVariables(req),
        vars: vars,
        otherArgs: otherArgs,
        runTime,
        session: req.sasjsSession,
        forceStringResult: true
      })
-    const content = await getMockResponseFromFile([
+      return {
-      process.cwd(),
+        content: result.result as string
-      'mocks',
+      }
-      ...program.split('/')
+    } catch (err) {
-    ])
+      process.logger.error('err', err)
    if (content.error) {
      return content
    }
    const parsedContent = parseJsonIfValid(content.content)
    return {
-      content: parsedContent
+      content: 'No webout returned.'
    }
  }
@@ -85,8 +188,8 @@ export class MockSas9Controller {
        return await getMockResponseFromFile([
          process.cwd(),
          'mocks',
          'generic',
          'sas9',
          'generic',
          'logged-in'
        ])
      }
@@ -95,21 +198,27 @@ export class MockSas9Controller {
    return await getMockResponseFromFile([
      process.cwd(),
      'mocks',
      'generic',
      'sas9',
      'generic',
      'login'
    ])
  }
  @Post('/SASLogon/login')
  public async loginPost(req: express.Request): Promise<Sas9Response> {
    if (req.body.lt && req.body.lt !== 'validtoken')
      return {
        content: '',
        redirect: '/SASLogon/login'
      }
    this.loggedIn = req.body.username
    return await getMockResponseFromFile([
      process.cwd(),
      'mocks',
      'generic',
      'sas9',
      'generic',
      'logged-in'
    ])
  }
@@ -122,8 +231,8 @@ export class MockSas9Controller {
      return await getMockResponseFromFile([
        process.cwd(),
        'mocks',
        'generic',
        'sas9',
        'generic',
        'public-access-denied'
      ])
    }
@@ -131,8 +240,8 @@ export class MockSas9Controller {
    return await getMockResponseFromFile([
      process.cwd(),
      'mocks',
      'generic',
      'sas9',
      'generic',
      'logged-out'
    ])
  }
@@ -152,23 +261,6 @@ export class MockSas9Controller {
  private isPublicAccount = () => this.loggedIn?.toLowerCase() === 'public'
 }
 /**
 * If JSON is valid it will be parsed otherwise will return text unaltered
 * @param content string to be parsed
 * @returns JSON or string
 */
 const parseJsonIfValid = (content: string) => {
  let fileContent = ''
  try {
    fileContent = JSON.parse(content)
  } catch (err: any) {
    fileContent = content
  }
  return fileContent
 }
 const getMockResponseFromFile = async (
  filePath: string[]
 ): Promise<MockFileRead> => {
@@ -177,7 +269,7 @@ const getMockResponseFromFile = async (
  let file = await readFile(filePathParsed).catch((err: any) => {
    const errMsg = `Error reading mocked file on path: ${filePathParsed}\nError: ${err}`
-    console.error(errMsg)
+    process.logger.error(errMsg)
    error = true
--- a/api/src/controllers/session.ts
+++ b/api/src/controllers/session.ts
@@ -2,6 +2,10 @@ import express from 'express'
 import { Request, Security, Route, Tags, Example, Get } from 'tsoa'
 import { UserResponse } from './user'
 interface SessionResponse extends UserResponse {
  needsToUpdatePassword: boolean
 }
@Security('bearerAuth')
@Route('SASjsApi/session')
@Tags('Session')
@@ -19,7 +23,7 @@ export class SessionController {
  @Get('/')
  public async session(
    @Request() request: express.Request
-  ): Promise<UserResponse> {
+  ): Promise<SessionResponse> {
    return session(request)
  }
 }
@@ -28,5 +32,6 @@ const session = (req: express.Request) => ({
  id: req.user!.userId,
  username: req.user!.username,
  displayName: req.user!.displayName,
-  isAdmin: req.user!.isAdmin
+  isAdmin: req.user!.isAdmin,
  needsToUpdatePassword: req.user!.needsToUpdatePassword
 })
--- a/api/src/controllers/stp.ts
+++ b/api/src/controllers/stp.ts
@@ -1,10 +1,12 @@
 import express from 'express'
 import { Request, Security, Route, Tags, Post, Body, Get, Query } from 'tsoa'
-import { ExecutionController, ExecutionVars } from './internal'
+import {
  ExecutionController,
  ExecutionVars,
  getSessionController
 } from './internal'
 import {
  getPreProgramVariables,
  HTTPHeaders,
  LogLine,
  makeFilesNamesMap,
  getRunTimeAndFilePath
 } from '../utils'
@@ -18,6 +20,30 @@ interface ExecutePostRequestPayload {
  _program?: string
 }
 interface TriggerProgramPayload {
  /**
   * Location of SAS program
   * @example "/Public/somefolder/some.file"
   */
  _program: string
  /**
   * Amount of minutes after the completion of the program when the session must be
   * destroyed.
   * @example 15
   */
  expiresAfterMins?: number
 }
 interface TriggerProgramResponse {
  /**
   * The SessionId is the name of the temporary folder used to store the outputs.
   * For SAS, this would be the SASWORK folder. Can be used to poll program status.
   * This session ID should be used to poll program status.
   * @example "{ sessionId: '20241028074744-54132-1730101664824' }"
   */
  sessionId: string
 }
@Security('bearerAuth')
@Route('SASjsApi/stp')
@Tags('STP')
@@ -25,20 +51,31 @@ export class STPController {
  /**
   * Trigger a Stored Program using the _program URL parameter.
   *
-   * Accepts URL parameters and file uploads.  For more details, see docs:
+   * Accepts additional URL parameters (converted to session variables)
   * and file uploads.  For more details, see docs:
   *
   * https://server.sasjs.io/storedprograms
   *
   * @summary Execute a Stored Program, returns _webout and (optionally) log.
-   * @param _program Location of code in SASjs Drive
+   * @param _program Location of Stored Program in SASjs Drive.
   * @param _debug Optional query param for setting debug mode (returns the session log in the response body).
   * @example _program "/Projects/myApp/some/program"
   * @example _debug 131
   */
  @Get('/execute')
  public async executeGetRequest(
    @Request() request: express.Request,
-    @Query() _program: string
+    @Query() _program: string,
    @Query() _debug?: number
  ): Promise<string | Buffer> {
-    const vars = request.query as ExecutionVars
+    let vars = request.query as ExecutionVars
    if (_debug) {
      vars = {
        ...vars,
        _debug
      }
    }
    return execute(request, _program, vars)
  }
@@ -50,7 +87,7 @@ export class STPController {
   * https://server.sasjs.io/storedprograms
   *
   *
-   * @summary Execute a Stored Program, return a JSON object
+   * @summary Execute a Stored Program, returns _webout and (optionally) log.
   * @param _program Location of code in SASjs Drive
   * @example _program "/Projects/myApp/some/program"
   */
@@ -69,6 +106,22 @@ export class STPController {
    return execute(request, program!, vars, otherArgs)
  }
  /**
   * Trigger Program on the Specified Runtime
   * @summary Triggers program and returns SessionId immediately - does not wait for program completion
   * @param _program Location of code in SASjs Drive
   * @example _program "/Projects/myApp/some/program"
   * @param expiresAfterMins Amount of minutes after the completion of the program when the session must be destroyed
   * @example expiresAfterMins 15
   */
  @Post('/trigger')
  public async triggerProgram(
    @Request() request: express.Request,
    @Body() body: TriggerProgramPayload
  ): Promise<TriggerProgramResponse> {
    return triggerProgram(request, body)
  }
 }
 const execute = async (
@@ -91,6 +144,8 @@ const execute = async (
      }
    )
    req.res?.header(httpHeaders)
    if (result instanceof Buffer) {
      ;(req as any).sasHeaders = httpHeaders
    }
@@ -105,3 +160,49 @@ const execute = async (
    }
  }
 }
 const triggerProgram = async (
  req: express.Request,
  { _program, expiresAfterMins }: TriggerProgramPayload
 ): Promise<TriggerProgramResponse> => {
  try {
    const vars = { ...req.body }
    const filesNamesMap = req.files?.length
      ? makeFilesNamesMap(req.files as MulterFile[])
      : null
    const otherArgs = { filesNamesMap: filesNamesMap }
    const { codePath, runTime } = await getRunTimeAndFilePath(_program)
    // get session controller based on runTime
    const sessionController = getSessionController(runTime)
    // get session
    const session = await sessionController.getSession()
    // add expiresAfterMins to session if provided
    if (expiresAfterMins) {
      // expiresAfterMins.used is set initially to false
      session.expiresAfterMins = { mins: expiresAfterMins, used: false }
    }
    // call executeFile method of ExecutionController without awaiting
    new ExecutionController().executeFile({
      programPath: codePath,
      runTime,
      preProgramVariables: getPreProgramVariables(req),
      vars,
      otherArgs,
      session
    })
    // return session id
    return { sessionId: session.id }
  } catch (err: any) {
    throw {
      code: 400,
      status: 'failure',
      message: 'Job execution failed.',
      error: typeof err === 'object' ? err.toString() : err
    }
  }
 }
--- a/api/src/controllers/user.ts
+++ b/api/src/controllers/user.ts
@@ -17,8 +17,13 @@ import {
 import { desktopUser } from '../middlewares'
 import User, { UserPayload } from '../model/User'
-import { getUserAutoExec, updateUserAutoExec, ModeType } from '../utils'
+import {
-import { GroupResponse } from './group'
+  getUserAutoExec,
  updateUserAutoExec,
  ModeType,
  ALL_USERS_GROUP
 } from '../utils'
 import { GroupController, GroupResponse } from './group'
 export interface UserResponse {
  id: number
@@ -211,7 +216,11 @@ const createUser = async (data: UserPayload): Promise<UserDetailsResponse> => {
  // Checking if user is already in the database
  const usernameExist = await User.findOne({ username })
-  if (usernameExist) throw new Error('Username already exists.')
+  if (usernameExist)
    throw {
      code: 409,
      message: 'Username already exists.'
    }
  // Hash passwords
  const hashPassword = User.hashPassword(password)
@@ -228,6 +237,15 @@ const createUser = async (data: UserPayload): Promise<UserDetailsResponse> => {
  const savedUser = await user.save()
  const groupController = new GroupController()
  const allUsersGroup = await groupController
    .getGroupByGroupName(ALL_USERS_GROUP.name)
    .catch(() => {})
  if (allUsersGroup) {
    await groupController.addUserToGroup(allUsersGroup.groupId, savedUser.id)
  }
  return {
    id: savedUser.id,
    displayName: savedUser.displayName,
@@ -255,7 +273,11 @@ const getUser = async (
    'groupId name description -_id'
  )) as unknown as UserDetailsResponse
-  if (!user) throw new Error('User is not found.')
+  if (!user)
    throw {
      code: 404,
      message: 'User is not found.'
    }
  return {
    id: user.id,
@@ -263,7 +285,7 @@ const getUser = async (
    username: user.username,
    isActive: user.isActive,
    isAdmin: user.isAdmin,
-    autoExec: getAutoExec ? user.autoExec ?? '' : undefined,
+    autoExec: getAutoExec ? (user.autoExec ?? '') : undefined,
    groups: user.groups
  }
 }
@@ -284,6 +306,24 @@ const updateUser = async (
  const params: any = { displayName, isAdmin, isActive, autoExec }
  const user = await User.findOne(findBy)
  if (username && username !== user?.username && user?.authProvider) {
    throw {
      code: 405,
      message:
        'Can not update username of user that is created by an external auth provider.'
    }
  }
  if (displayName && displayName !== user?.displayName && user?.authProvider) {
    throw {
      code: 405,
      message:
        'Can not update display name of user that is created by an external auth provider.'
    }
  }
  if (username) {
    // Checking if user is already in the database
    const usernameExist = await User.findOne({ username })
@@ -292,7 +332,10 @@ const updateUser = async (
        (findBy.id && usernameExist.id != findBy.id) ||
        (findBy.username && usernameExist.username != findBy.username)
      )
-        throw new Error('Username already exists.')
+        throw {
          code: 409,
          message: 'Username already exists.'
        }
    }
    params.username = username
  }
@@ -305,7 +348,10 @@ const updateUser = async (
  const updatedUser = await User.findOneAndUpdate(findBy, params, { new: true })
  if (!updatedUser)
-    throw new Error(`Unable to find user with ${findBy.id || findBy.username}`)
+    throw {
      code: 404,
      message: `Unable to find user with ${findBy.id || findBy.username}`
    }
  return {
    id: updatedUser.id,
@@ -332,11 +378,19 @@ const deleteUser = async (
  { password }: { password?: string }
 ) => {
  const user = await User.findOne(findBy)
-  if (!user) throw new Error('User is not found.')
+  if (!user)
    throw {
      code: 404,
      message: 'User is not found.'
    }
  if (!isAdmin) {
    const validPass = user.comparePassword(password!)
-    if (!validPass) throw new Error('Invalid password.')
+    if (!validPass)
      throw {
        code: 401,
        message: 'Invalid password.'
      }
  }
  await User.deleteOne(findBy)
--- a/api/src/controllers/web.ts
+++ b/api/src/controllers/web.ts
@@ -1,11 +1,17 @@
 import path from 'path'
 import express from 'express'
 import { Request, Route, Tags, Post, Body, Get, Example } from 'tsoa'
-import { readFile } from '@sasjs/utils'
+import { readFile, convertSecondsToHms } from '@sasjs/utils'
 import User from '../model/User'
 import Client from '../model/Client'
-import { getWebBuildFolder, generateAuthCode } from '../utils'
+import {
  getWebBuildFolder,
  generateAuthCode,
  RateLimiter,
  AuthProviderType,
  LDAPClient
 } from '../utils'
 import { InfoJWT } from '../types'
 import { AuthController } from './auth'
@@ -78,10 +84,37 @@ const login = async (
 ) => {
  // Authenticate User
  const user = await User.findOne({ username })
  if (!user) throw new Error('Username is not found.')
-  const validPass = user.comparePassword(password)
+  let validPass = false
-  if (!validPass) throw new Error('Invalid password.')
+
  if (user) {
    if (
      process.env.AUTH_PROVIDERS === AuthProviderType.LDAP &&
      user.authProvider === AuthProviderType.LDAP
    ) {
      const ldapClient = await LDAPClient.init()
      validPass = await ldapClient
        .verifyUser(username, password)
        .catch(() => false)
    } else {
      validPass = user.comparePassword(password)
    }
  }
  // code to prevent brute force attack
  const rateLimiter = RateLimiter.getInstance()
  if (!validPass) {
    const retrySecs = await rateLimiter.consume(req.ip, user?.username)
    if (retrySecs > 0) throw errors.tooManyRequests(retrySecs)
  }
  if (!user) throw errors.userNotFound
  if (!validPass) throw errors.invalidPassword
  // Reset on successful authorization
  rateLimiter.resetOnSuccess(req.ip, user.username)
  req.session.loggedIn = true
  req.session.user = {
@@ -91,7 +124,8 @@ const login = async (
    displayName: user.displayName,
    isAdmin: user.isAdmin,
    isActive: user.isActive,
-    autoExec: user.autoExec
+    autoExec: user.autoExec,
    needsToUpdatePassword: user.needsToUpdatePassword
  }
  return {
@@ -100,7 +134,8 @@ const login = async (
      id: user.id,
      username: user.username,
      displayName: user.displayName,
-      isAdmin: user.isAdmin
+      isAdmin: user.isAdmin,
      needsToUpdatePassword: user.needsToUpdatePassword
    }
  }
 }
@@ -157,3 +192,18 @@ interface AuthorizeResponse {
   */
  code: string
 }
 const errors = {
  invalidPassword: {
    code: 401,
    message: 'Invalid Password.'
  },
  userNotFound: {
    code: 401,
    message: 'Username is not found.'
  },
  tooManyRequests: (seconds: number) => ({
    code: 429,
    message: `Too Many Requests! Retry after ${convertSecondsToHms(seconds)}`
  })
 }
--- a/api/src/middlewares/authenticateToken.ts
+++ b/api/src/middlewares/authenticateToken.ts
@@ -1,6 +1,6 @@
 import { RequestHandler, Request, Response, NextFunction } from 'express'
 import jwt from 'jsonwebtoken'
-import { csrfProtection } from '../app'
+import { csrfProtection } from './'
 import {
  fetchLatestAutoExec,
  ModeType,
@@ -81,7 +81,8 @@ const authenticateToken = async (
      username: 'desktopModeUsername',
      displayName: 'desktopModeDisplayName',
      isAdmin: true,
-      isActive: true
+      isActive: true,
      needsToUpdatePassword: false
    }
    req.accessToken = 'desktopModeAccessToken'
    return next()
--- a/api/src/middlewares/authorize.ts
+++ b/api/src/middlewares/authorize.ts
@@ -5,14 +5,12 @@ import {
  PermissionSettingForRoute,
  PermissionType
 } from '../controllers/permission'
-import { getPath, isPublicRoute } from '../utils'
+import { getPath, isPublicRoute, TopLevelRoutes } from '../utils'
 export const authorize: RequestHandler = async (req, res, next) => {
  const { user } = req
-  if (!user) {
+  if (!user) return res.sendStatus(401)
    return res.sendStatus(401)
  }
  // no need to check for permissions when user is admin
  if (user.isAdmin) return next()
@@ -24,6 +22,9 @@ export const authorize: RequestHandler = async (req, res, next) => {
  if (!dbUser) return res.sendStatus(401)
  const path = getPath(req)
  const { baseUrl } = req
  const topLevelRoute =
    TopLevelRoutes.find((route) => baseUrl.startsWith(route)) || baseUrl
  // find permission w.r.t user
  const permission = await Permission.findOne({
@@ -37,6 +38,21 @@ export const authorize: RequestHandler = async (req, res, next) => {
    else return res.sendStatus(401)
  }
  // find permission w.r.t user on top level
  const topLevelPermission = await Permission.findOne({
    path: topLevelRoute,
    type: PermissionType.route,
    user: dbUser._id
  })
  if (topLevelPermission) {
    if (topLevelPermission.setting === PermissionSettingForRoute.grant)
      return next()
    else return res.sendStatus(401)
  }
  let isPermissionDenied = false
  // find permission w.r.t user's groups
  for (const group of dbUser.groups) {
    const groupPermission = await Permission.findOne({
@@ -44,8 +60,28 @@ export const authorize: RequestHandler = async (req, res, next) => {
      type: PermissionType.route,
      group
    })
-    if (groupPermission?.setting === PermissionSettingForRoute.grant)
+
-      return next()
+    if (groupPermission) {
      if (groupPermission.setting === PermissionSettingForRoute.grant) {
        return next()
      } else {
        isPermissionDenied = true
      }
    }
  }
  if (!isPermissionDenied) {
    // find permission w.r.t user's groups on top level
    for (const group of dbUser.groups) {
      const groupPermission = await Permission.findOne({
        path: topLevelRoute,
        type: PermissionType.route,
        group
      })
      if (groupPermission?.setting === PermissionSettingForRoute.grant)
        return next()
    }
  }
  return res.sendStatus(401)
 }
--- a/api/src/middlewares/bruteForceProtection.ts
+++ b/api/src/middlewares/bruteForceProtection.ts
@@ -0,0 +1,22 @@
 import { RequestHandler } from 'express'
 import { convertSecondsToHms } from '@sasjs/utils'
 import { RateLimiter } from '../utils'
 export const bruteForceProtection: RequestHandler = async (req, res, next) => {
  const ip = req.ip
  const username = req.body.username
  const rateLimiter = RateLimiter.getInstance()
  const retrySecs = await rateLimiter.check(ip, username)
  if (retrySecs > 0) {
    res
      .status(429)
      .send(`Too Many Requests! Retry after ${convertSecondsToHms(retrySecs)}`)
    return
  }
  next()
 }
--- a/api/src/middlewares/csrfProtection.ts
+++ b/api/src/middlewares/csrfProtection.ts
@@ -0,0 +1,32 @@
 import { RequestHandler } from 'express'
 import csrf from 'csrf'
 const csrfTokens = new csrf()
 const secret = csrfTokens.secretSync()
 export const generateCSRFToken = () => csrfTokens.create(secret)
 export const csrfProtection: RequestHandler = (req, res, next) => {
  if (req.method === 'GET') return next()
  // Reads the token from the following locations, in order:
  // req.body.csrf_token - typically generated by the body-parser module.
  // req.query.csrf_token - a built-in from Express.js to read from the URL query string.
  // req.headers['csrf-token'] - the CSRF-Token HTTP request header.
  // req.headers['xsrf-token'] - the XSRF-Token HTTP request header.
  // req.headers['x-csrf-token'] - the X-CSRF-Token HTTP request header.
  // req.headers['x-xsrf-token'] - the X-XSRF-Token HTTP request header.
  const token =
    req.body?.csrf_token ||
    req.query?.csrf_token ||
    req.headers['csrf-token'] ||
    req.headers['xsrf-token'] ||
    req.headers['x-csrf-token'] ||
    req.headers['x-xsrf-token']
  if (!csrfTokens.verify(secret, token)) {
    return res.status(400).send('Invalid CSRF token!')
  }
  next()
 }
--- a/api/src/middlewares/desktop.ts
+++ b/api/src/middlewares/desktop.ts
@@ -33,5 +33,6 @@ export const desktopUser: RequestUser = {
  username: userInfo().username,
  displayName: userInfo().username,
  isAdmin: true,
-  isActive: true
+  isActive: true,
  needsToUpdatePassword: false
 }
--- a/api/src/middlewares/index.ts
+++ b/api/src/middlewares/index.ts
@@ -1,5 +1,7 @@
 export * from './authenticateToken'
 export * from './authorize'
 export * from './csrfProtection'
 export * from './desktop'
 export * from './verifyAdmin'
 export * from './verifyAdminIfNeeded'
-export * from './authorize'
+export * from './bruteForceProtection'
--- a/api/src/model/Client.ts
+++ b/api/src/model/Client.ts
@@ -1,5 +1,6 @@
 import mongoose, { Schema } from 'mongoose'
 export const NUMBER_OF_SECONDS_IN_A_DAY = 86400
 export interface ClientPayload {
  /**
   * Client ID
@@ -11,6 +12,16 @@ export interface ClientPayload {
   * @example "someRandomCryptoString"
   */
  clientSecret: string
  /**
   * Number of seconds after which access token will expire. Default is 86400 (1 day)
   * @example 86400
   */
  accessTokenExpiration?: number
  /**
   * Number of seconds after which access token will expire. Default is 2592000 (30 days)
   * @example 2592000
   */
  refreshTokenExpiration?: number
 }
 const ClientSchema = new Schema<ClientPayload>({
@@ -21,6 +32,14 @@ const ClientSchema = new Schema<ClientPayload>({
  clientSecret: {
    type: String,
    required: true
  },
  accessTokenExpiration: {
    type: Number,
    default: NUMBER_OF_SECONDS_IN_A_DAY
  },
  refreshTokenExpiration: {
    type: Number,
    default: NUMBER_OF_SECONDS_IN_A_DAY * 30
  }
 })
--- a/api/src/model/Counter.ts
+++ b/api/src/model/Counter.ts
@@ -0,0 +1,15 @@
 import mongoose, { Schema } from 'mongoose'
 const CounterSchema = new Schema({
  id: {
    type: String,
    required: true,
    unique: true
  },
  seq: {
    type: Number,
    required: true
  }
 })
 export default mongoose.model('Counter', CounterSchema)
--- a/api/src/model/Group.ts
+++ b/api/src/model/Group.ts
@@ -1,7 +1,7 @@
-import mongoose, { Schema, model, Document, Model } from 'mongoose'
+import { Schema, model, Document, Model } from 'mongoose'
 import { GroupDetailsResponse } from '../controllers'
 import User, { IUser } from './User'
-const AutoIncrement = require('mongoose-sequence')(mongoose)
+import { AuthProviderType, getSequenceNextValue } from '../utils'
 export const PUBLIC_GROUP_NAME = 'Public'
@@ -27,6 +27,7 @@ interface IGroupDocument extends GroupPayload, Document {
  groupId: number
  isActive: boolean
  users: Schema.Types.ObjectId[]
  authProvider?: AuthProviderType
 }
 interface IGroup extends IGroupDocument {
@@ -42,10 +43,18 @@ const groupSchema = new Schema<IGroupDocument>({
    required: true,
    unique: true
  },
  groupId: {
    type: Number,
    unique: true
  },
  description: {
    type: String,
    default: 'Group description.'
  },
  authProvider: {
    type: String,
    enum: AuthProviderType
  },
  isActive: {
    type: Boolean,
    default: true
@@ -53,9 +62,13 @@ const groupSchema = new Schema<IGroupDocument>({
  users: [{ type: Schema.Types.ObjectId, ref: 'User' }]
 })
 groupSchema.plugin(AutoIncrement, { inc_field: 'groupId' })
 // Hooks
 groupSchema.pre('save', async function () {
  if (this.isNew) {
    this.groupId = await getSequenceNextValue('groupId')
  }
 })
 groupSchema.post('save', function (group: IGroup, next: Function) {
  group.populate('users', 'id username displayName -_id').then(function () {
    next()
--- a/api/src/model/Permission.ts
+++ b/api/src/model/Permission.ts
@@ -1,6 +1,6 @@
-import mongoose, { Schema, model, Document, Model } from 'mongoose'
+import { Schema, model, Document, Model } from 'mongoose'
 const AutoIncrement = require('mongoose-sequence')(mongoose)
 import { PermissionDetailsResponse } from '../controllers'
 import { getSequenceNextValue } from '../utils'
 interface GetPermissionBy {
  user?: Schema.Types.ObjectId
@@ -23,6 +23,10 @@ interface IPermissionModel extends Model<IPermission> {
 }
 const permissionSchema = new Schema<IPermissionDocument>({
  permissionId: {
    type: Number,
    unique: true
  },
  path: {
    type: String,
    required: true
@@ -39,7 +43,12 @@ const permissionSchema = new Schema<IPermissionDocument>({
  group: { type: Schema.Types.ObjectId, ref: 'Group' }
 })
-permissionSchema.plugin(AutoIncrement, { inc_field: 'permissionId' })
+// Hooks
 permissionSchema.pre('save', async function () {
  if (this.isNew) {
    this.permissionId = await getSequenceNextValue('permissionId')
  }
 })
 // Static Methods
 permissionSchema.static('get', async function (getBy: GetPermissionBy): Promise<
--- a/api/src/model/User.ts
+++ b/api/src/model/User.ts
@@ -1,6 +1,6 @@
-import mongoose, { Schema, model, Document, Model } from 'mongoose'
+import { Schema, model, Document, Model } from 'mongoose'
 const AutoIncrement = require('mongoose-sequence')(mongoose)
 import bcrypt from 'bcryptjs'
 import { AuthProviderType, getSequenceNextValue } from '../utils'
 export interface UserPayload {
  /**
@@ -39,9 +39,11 @@ interface IUserDocument extends UserPayload, Document {
  id: number
  isAdmin: boolean
  isActive: boolean
  needsToUpdatePassword: boolean
  autoExec: string
  groups: Schema.Types.ObjectId[]
  tokens: [{ [key: string]: string }]
  authProvider?: AuthProviderType
 }
 export interface IUser extends IUserDocument {
@@ -63,10 +65,18 @@ const userSchema = new Schema<IUserDocument>({
    required: true,
    unique: true
  },
  id: {
    type: Number,
    unique: true
  },
  password: {
    type: String,
    required: true
  },
  authProvider: {
    type: String,
    enum: AuthProviderType
  },
  isAdmin: {
    type: Boolean,
    default: false
@@ -75,6 +85,10 @@ const userSchema = new Schema<IUserDocument>({
    type: Boolean,
    default: true
  },
  needsToUpdatePassword: {
    type: Boolean,
    default: true
  },
  autoExec: {
    type: String
  },
@@ -96,7 +110,15 @@ const userSchema = new Schema<IUserDocument>({
    }
  ]
 })
-userSchema.plugin(AutoIncrement, { inc_field: 'id' })
+
 // Hooks
 userSchema.pre('save', async function (next) {
  if (this.isNew) {
    this.id = await getSequenceNextValue('id')
  }
  next()
 })
 // Static Methods
 userSchema.static('hashPassword', (password: string): string => {
--- a/api/src/routes/api/auth.ts
+++ b/api/src/routes/api/auth.ts
@@ -7,12 +7,28 @@ import {
  authenticateRefreshToken
 } from '../../middlewares'
-import { authorizeValidation, tokenValidation } from '../../utils'
+import { tokenValidation, updatePasswordValidation } from '../../utils'
 import { InfoJWT } from '../../types'
 const authRouter = express.Router()
 const controller = new AuthController()
 authRouter.patch(
  '/updatePassword',
  authenticateAccessToken,
  async (req, res) => {
    const { error, value: body } = updatePasswordValidation(req.body)
    if (error) return res.status(400).send(error.details[0].message)
    try {
      await controller.updatePassword(req, body)
      res.sendStatus(204)
    } catch (err: any) {
      res.status(err.code).send(err.message)
    }
  }
 )
 authRouter.post('/token', async (req, res) => {
  const { error, value: body } = tokenValidation(req.body)
  if (error) return res.status(400).send(error.details[0].message)
--- a/api/src/routes/api/authConfig.ts
+++ b/api/src/routes/api/authConfig.ts
@@ -0,0 +1,25 @@
 import express from 'express'
 import { AuthConfigController } from '../../controllers'
 const authConfigRouter = express.Router()
 authConfigRouter.get('/', async (req, res) => {
  const controller = new AuthConfigController()
  try {
    const response = controller.getDetail()
    res.send(response)
  } catch (err: any) {
    res.status(500).send(err.toString())
  }
 })
 authConfigRouter.post('/synchroniseWithLDAP', async (req, res) => {
  const controller = new AuthConfigController()
  try {
    const response = await controller.synchroniseWithLDAP()
    res.send(response)
  } catch (err: any) {
    res.status(500).send(err.toString())
  }
 })
 export default authConfigRouter
--- a/api/src/routes/api/client.ts
+++ b/api/src/routes/api/client.ts
@@ -1,6 +1,7 @@
 import express from 'express'
 import { ClientController } from '../../controllers'
 import { registerClientValidation } from '../../utils'
 import { authenticateAccessToken, verifyAdmin } from '../../middlewares'
 const clientRouter = express.Router()
@@ -17,4 +18,19 @@ clientRouter.post('/', async (req, res) => {
  }
 })
 clientRouter.get(
  '/',
  authenticateAccessToken,
  verifyAdmin,
  async (req, res) => {
    const controller = new ClientController()
    try {
      const response = await controller.getAllClients()
      res.send(response)
    } catch (err: any) {
      res.status(403).send(err.toString())
    }
  }
 )
 export default clientRouter
--- a/api/src/routes/api/code.ts
+++ b/api/src/routes/api/code.ts
@@ -1,5 +1,5 @@
 import express from 'express'
-import { runCodeValidation } from '../../utils'
+import { runCodeValidation, triggerCodeValidation } from '../../utils'
 import { CodeController } from '../../controllers/'
 const runRouter = express.Router()
@@ -28,4 +28,22 @@ runRouter.post('/execute', async (req, res) => {
  }
 })
 runRouter.post('/trigger', async (req, res) => {
  const { error, value: body } = triggerCodeValidation(req.body)
  if (error) return res.status(400).send(error.details[0].message)
  try {
    const response = await controller.triggerCode(req, body)
    res.status(200)
    res.send(response)
  } catch (err: any) {
    const statusCode = err.code
    delete err.code
    res.status(statusCode).send(err)
  }
 })
 export default runRouter
--- a/api/src/routes/api/group.ts
+++ b/api/src/routes/api/group.ts
@@ -18,11 +18,7 @@ groupRouter.post(
      const response = await controller.createGroup(body)
      res.send(response)
    } catch (err: any) {
-      const statusCode = err.code
+      res.status(err.code).send(err.message)
      delete err.code
      res.status(statusCode).send(err.message)
    }
  }
 )
@@ -33,11 +29,7 @@ groupRouter.get('/', authenticateAccessToken, async (req, res) => {
    const response = await controller.getAllGroups()
    res.send(response)
  } catch (err: any) {
-    const statusCode = err.code
+    res.status(err.code).send(err.message)
    delete err.code
    res.status(statusCode).send(err.message)
  }
 })
@@ -49,11 +41,7 @@ groupRouter.get('/:groupId', authenticateAccessToken, async (req, res) => {
    const response = await controller.getGroup(parseInt(groupId))
    res.send(response)
  } catch (err: any) {
-    const statusCode = err.code
+    res.status(err.code).send(err.message)
    delete err.code
    res.status(statusCode).send(err.message)
  }
 })
@@ -71,11 +59,7 @@ groupRouter.get(
      const response = await controller.getGroupByGroupName(name)
      res.send(response)
    } catch (err: any) {
-      const statusCode = err.code
+      res.status(err.code).send(err.message)
      delete err.code
      res.status(statusCode).send(err.message)
    }
  }
 )
@@ -95,11 +79,7 @@ groupRouter.post(
      )
      res.send(response)
    } catch (err: any) {
-      const statusCode = err.code
+      res.status(err.code).send(err.message)
      delete err.code
      res.status(statusCode).send(err.message)
    }
  }
 )
@@ -119,11 +99,7 @@ groupRouter.delete(
      )
      res.send(response)
    } catch (err: any) {
-      const statusCode = err.code
+      res.status(err.code).send(err.message)
      delete err.code
      res.status(statusCode).send(err.message)
    }
  }
 )
@@ -140,11 +116,7 @@ groupRouter.delete(
      await controller.deleteGroup(parseInt(groupId))
      res.status(200).send('Group Deleted!')
    } catch (err: any) {
-      const statusCode = err.code
+      res.status(err.code).send(err.message)
      delete err.code
      res.status(statusCode).send(err.message)
    }
  }
 )
--- a/api/src/routes/api/index.ts
+++ b/api/src/routes/api/index.ts
@@ -18,6 +18,7 @@ import clientRouter from './client'
 import authRouter from './auth'
 import sessionRouter from './session'
 import permissionRouter from './permission'
 import authConfigRouter from './authConfig'
 const router = express.Router()
@@ -43,6 +44,14 @@ router.use(
  permissionRouter
 )
 router.use(
  '/authConfig',
  desktopRestrict,
  authenticateAccessToken,
  verifyAdmin,
  authConfigRouter
 )
 router.use(
  '/',
  swaggerUi.serve,
--- a/api/src/routes/api/spec/client.spec.ts
+++ b/api/src/routes/api/spec/client.spec.ts
@@ -5,6 +5,7 @@ import request from 'supertest'
 import appPromise from '../../../app'
 import { UserController, ClientController } from '../../../controllers/'
 import { generateAccessToken, saveTokensInDB } from '../../../utils'
 import { NUMBER_OF_SECONDS_IN_A_DAY } from '../../../model/Client'
 const client = {
  clientId: 'someclientID',
@@ -26,6 +27,7 @@ describe('client', () => {
  let app: Express
  let con: Mongoose
  let mongoServer: MongoMemoryServer
  let adminAccessToken: string
  const userController = new UserController()
  const clientController = new ClientController()
@@ -34,6 +36,18 @@ describe('client', () => {
    mongoServer = await MongoMemoryServer.create()
    con = await mongoose.connect(mongoServer.getUri())
    const dbUser = await userController.createUser(adminUser)
    adminAccessToken = generateAccessToken({
      clientId: client.clientId,
      userId: dbUser.id
    })
    await saveTokensInDB(
      dbUser.id,
      client.clientId,
      adminAccessToken,
      'refreshToken'
    )
  })
  afterAll(async () => {
@@ -43,22 +57,6 @@ describe('client', () => {
  })
  describe('create', () => {
    let adminAccessToken: string
    beforeAll(async () => {
      const dbUser = await userController.createUser(adminUser)
      adminAccessToken = generateAccessToken({
        clientId: client.clientId,
        userId: dbUser.id
      })
      await saveTokensInDB(
        dbUser.id,
        client.clientId,
        adminAccessToken,
        'refreshToken'
      )
    })
    afterEach(async () => {
      const collections = mongoose.connection.collections
      const collection = collections['clients']
@@ -157,4 +155,80 @@ describe('client', () => {
      expect(res.body).toEqual({})
    })
  })
  describe('get', () => {
    afterEach(async () => {
      const collections = mongoose.connection.collections
      const collection = collections['clients']
      await collection.deleteMany({})
    })
    it('should respond with an array of all clients', async () => {
      await clientController.createClient(newClient)
      await clientController.createClient({
        clientId: 'clientID',
        clientSecret: 'clientSecret'
      })
      const res = await request(app)
        .get('/SASjsApi/client')
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(200)
      const expected = [
        {
          clientId: 'newClientID',
          clientSecret: 'newClientSecret',
          accessTokenExpiration: NUMBER_OF_SECONDS_IN_A_DAY,
          refreshTokenExpiration: NUMBER_OF_SECONDS_IN_A_DAY * 30
        },
        {
          clientId: 'clientID',
          clientSecret: 'clientSecret',
          accessTokenExpiration: NUMBER_OF_SECONDS_IN_A_DAY,
          refreshTokenExpiration: NUMBER_OF_SECONDS_IN_A_DAY * 30
        }
      ]
      expect(res.body).toEqual(expected)
    })
    it('should respond with Unauthorized if access token is not present', async () => {
      const res = await request(app).get('/SASjsApi/client').send().expect(401)
      expect(res.text).toEqual('Unauthorized')
      expect(res.body).toEqual({})
    })
    it('should respond with Forbideen if access token is not of an admin account', async () => {
      const user = {
        displayName: 'User 2',
        username: 'username2',
        password: '12345678',
        isAdmin: false,
        isActive: true
      }
      const dbUser = await userController.createUser(user)
      const accessToken = generateAccessToken({
        clientId: client.clientId,
        userId: dbUser.id
      })
      await saveTokensInDB(
        dbUser.id,
        client.clientId,
        accessToken,
        'refreshToken'
      )
      const res = await request(app)
        .get('/SASjsApi/client')
        .auth(accessToken, { type: 'bearer' })
        .send()
        .expect(401)
      expect(res.text).toEqual('Admin account required')
      expect(res.body).toEqual({})
    })
  })
 })
--- a/api/src/routes/api/spec/group.spec.ts
+++ b/api/src/routes/api/spec/group.spec.ts
@@ -4,8 +4,13 @@ import { MongoMemoryServer } from 'mongodb-memory-server'
 import request from 'supertest'
 import appPromise from '../../../app'
 import { UserController, GroupController } from '../../../controllers/'
-import { generateAccessToken, saveTokensInDB } from '../../../utils'
+import {
-import { PUBLIC_GROUP_NAME } from '../../../model/Group'
+  generateAccessToken,
  saveTokensInDB,
  AuthProviderType
 } from '../../../utils'
 import Group, { PUBLIC_GROUP_NAME } from '../../../model/Group'
 import User from '../../../model/User'
 const clientId = 'someclientID'
 const adminUser = {
@@ -560,6 +565,46 @@ describe('group', () => {
        `Can't add/remove user to '${PUBLIC_GROUP_NAME}' group.`
      )
    })
    it('should respond with Method Not Allowed if group is created by an external authProvider', async () => {
      const dbGroup = await Group.create({
        ...group,
        authProvider: AuthProviderType.LDAP
      })
      const dbUser = await userController.createUser({
        ...user,
        username: 'ldapGroupUser'
      })
      const res = await request(app)
        .post(`/SASjsApi/group/${dbGroup.groupId}/${dbUser.id}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(405)
      expect(res.text).toEqual(
        `Can't add/remove user to group created by external auth provider.`
      )
    })
    it('should respond with Method Not Allowed if user is created by an external authProvider', async () => {
      const dbGroup = await groupController.createGroup(group)
      const dbUser = await User.create({
        ...user,
        username: 'ldapUser',
        authProvider: AuthProviderType.LDAP
      })
      const res = await request(app)
        .post(`/SASjsApi/group/${dbGroup.groupId}/${dbUser.id}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(405)
      expect(res.text).toEqual(
        `Can't add/remove user to group created by external auth provider.`
      )
    })
  })
  describe('RemoveUser', () => {
@@ -611,6 +656,46 @@ describe('group', () => {
      expect(res.body.groups).toEqual([])
    })
    it('should respond with Method Not Allowed if group is created by an external authProvider', async () => {
      const dbGroup = await Group.create({
        ...group,
        authProvider: AuthProviderType.LDAP
      })
      const dbUser = await userController.createUser({
        ...user,
        username: 'removeLdapGroupUser'
      })
      const res = await request(app)
        .delete(`/SASjsApi/group/${dbGroup.groupId}/${dbUser.id}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(405)
      expect(res.text).toEqual(
        `Can't add/remove user to group created by external auth provider.`
      )
    })
    it('should respond with Method Not Allowed if user is created by an external authProvider', async () => {
      const dbGroup = await groupController.createGroup(group)
      const dbUser = await User.create({
        ...user,
        username: 'removeLdapUser',
        authProvider: AuthProviderType.LDAP
      })
      const res = await request(app)
        .delete(`/SASjsApi/group/${dbGroup.groupId}/${dbUser.id}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
        .expect(405)
      expect(res.text).toEqual(
        `Can't add/remove user to group created by external auth provider.`
      )
    })
    it('should respond with Unauthorized if access token is not present', async () => {
      const res = await request(app)
        .delete('/SASjsApi/group/123/123')
--- a/api/src/routes/api/spec/user.spec.ts
+++ b/api/src/routes/api/spec/user.spec.ts
@@ -4,7 +4,12 @@ import { MongoMemoryServer } from 'mongodb-memory-server'
 import request from 'supertest'
 import appPromise from '../../../app'
 import { UserController, GroupController } from '../../../controllers/'
-import { generateAccessToken, saveTokensInDB } from '../../../utils'
+import {
  generateAccessToken,
  saveTokensInDB,
  AuthProviderType
 } from '../../../utils'
 import User from '../../../model/User'
 const clientId = 'someclientID'
 const adminUser = {
@@ -110,16 +115,16 @@ describe('user', () => {
      expect(res.body).toEqual({})
    })
-    it('should respond with Forbidden if username is already present', async () => {
+    it('should respond with Conflict if username is already present', async () => {
      await controller.createUser(user)
      const res = await request(app)
        .post('/SASjsApi/user')
        .auth(adminAccessToken, { type: 'bearer' })
        .send(user)
-        .expect(403)
+        .expect(409)
-      expect(res.text).toEqual('Error: Username already exists.')
+      expect(res.text).toEqual('Username already exists.')
      expect(res.body).toEqual({})
    })
@@ -226,6 +231,36 @@ describe('user', () => {
        .expect(400)
    })
    it('should respond with Method Not Allowed, when updating username of user created by an external auth provider', async () => {
      const dbUser = await User.create({
        ...user,
        authProvider: AuthProviderType.LDAP
      })
      const accessToken = await generateAndSaveToken(dbUser!.id)
      const newUsername = 'newUsername'
      await request(app)
        .patch(`/SASjsApi/user/${dbUser!.id}`)
        .auth(accessToken, { type: 'bearer' })
        .send({ username: newUsername })
        .expect(405)
    })
    it('should respond with Method Not Allowed, when updating displayName of user created by an external auth provider', async () => {
      const dbUser = await User.create({
        ...user,
        authProvider: AuthProviderType.LDAP
      })
      const accessToken = await generateAndSaveToken(dbUser!.id)
      const newDisplayName = 'My new display Name'
      await request(app)
        .patch(`/SASjsApi/user/${dbUser!.id}`)
        .auth(accessToken, { type: 'bearer' })
        .send({ displayName: newDisplayName })
        .expect(405)
    })
    it('should respond with Unauthorized if access token is not present', async () => {
      const res = await request(app)
        .patch('/SASjsApi/user/1234')
@@ -254,7 +289,7 @@ describe('user', () => {
      expect(res.body).toEqual({})
    })
-    it('should respond with Forbidden if username is already present', async () => {
+    it('should respond with Conflict if username is already present', async () => {
      const dbUser1 = await controller.createUser(user)
      const dbUser2 = await controller.createUser({
        ...user,
@@ -265,9 +300,9 @@ describe('user', () => {
        .patch(`/SASjsApi/user/${dbUser1.id}`)
        .auth(adminAccessToken, { type: 'bearer' })
        .send({ username: dbUser2.username })
-        .expect(403)
+        .expect(409)
-      expect(res.text).toEqual('Error: Username already exists.')
+      expect(res.text).toEqual('Username already exists.')
      expect(res.body).toEqual({})
    })
@@ -349,7 +384,7 @@ describe('user', () => {
        expect(res.body).toEqual({})
      })
-      it('should respond with Forbidden if username is already present', async () => {
+      it('should respond with Conflict if username is already present', async () => {
        const dbUser1 = await controller.createUser(user)
        const dbUser2 = await controller.createUser({
          ...user,
@@ -360,9 +395,9 @@ describe('user', () => {
          .patch(`/SASjsApi/user/by/username/${dbUser1.username}`)
          .auth(adminAccessToken, { type: 'bearer' })
          .send({ username: dbUser2.username })
-          .expect(403)
+          .expect(409)
-        expect(res.text).toEqual('Error: Username already exists.')
+        expect(res.text).toEqual('Username already exists.')
        expect(res.body).toEqual({})
      })
    })
@@ -446,7 +481,7 @@ describe('user', () => {
      expect(res.body).toEqual({})
    })
-    it('should respond with Forbidden when user himself requests and password is incorrect', async () => {
+    it('should respond with Unauthorized when user himself requests and password is incorrect', async () => {
      const dbUser = await controller.createUser(user)
      const accessToken = await generateAndSaveToken(dbUser.id)
@@ -454,9 +489,9 @@ describe('user', () => {
        .delete(`/SASjsApi/user/${dbUser.id}`)
        .auth(accessToken, { type: 'bearer' })
        .send({ password: 'incorrectpassword' })
-        .expect(403)
+        .expect(401)
-      expect(res.text).toEqual('Error: Invalid password.')
+      expect(res.text).toEqual('Invalid password.')
      expect(res.body).toEqual({})
    })
@@ -528,7 +563,7 @@ describe('user', () => {
        expect(res.body).toEqual({})
      })
-      it('should respond with Forbidden when user himself requests and password is incorrect', async () => {
+      it('should respond with Unauthorized when user himself requests and password is incorrect', async () => {
        const dbUser = await controller.createUser(user)
        const accessToken = await generateAndSaveToken(dbUser.id)
@@ -536,9 +571,9 @@ describe('user', () => {
          .delete(`/SASjsApi/user/by/username/${dbUser.username}`)
          .auth(accessToken, { type: 'bearer' })
          .send({ password: 'incorrectpassword' })
-          .expect(403)
+          .expect(401)
-        expect(res.text).toEqual('Error: Invalid password.')
+        expect(res.text).toEqual('Invalid password.')
        expect(res.body).toEqual({})
      })
    })
@@ -652,16 +687,16 @@ describe('user', () => {
      expect(res.body).toEqual({})
    })
-    it('should respond with Forbidden if userId is incorrect', async () => {
+    it('should respond with Not Found if userId is incorrect', async () => {
      await controller.createUser(user)
      const res = await request(app)
        .get('/SASjsApi/user/1234')
        .auth(adminAccessToken, { type: 'bearer' })
        .send()
-        .expect(403)
+        .expect(404)
-      expect(res.text).toEqual('Error: User is not found.')
+      expect(res.text).toEqual('User is not found.')
      expect(res.body).toEqual({})
    })
@@ -731,16 +766,16 @@ describe('user', () => {
        expect(res.body).toEqual({})
      })
-      it('should respond with Forbidden if username is incorrect', async () => {
+      it('should respond with Not Found if username is incorrect', async () => {
        await controller.createUser(user)
        const res = await request(app)
          .get('/SASjsApi/user/by/username/randomUsername')
          .auth(adminAccessToken, { type: 'bearer' })
          .send()
-          .expect(403)
+          .expect(404)
-        expect(res.text).toEqual('Error: User is not found.')
+        expect(res.text).toEqual('User is not found.')
        expect(res.body).toEqual({})
      })
    })
--- a/api/src/routes/api/spec/web.spec.ts
+++ b/api/src/routes/api/spec/web.spec.ts
@@ -47,12 +47,82 @@ describe('web', () => {
    })
  })
-  describe('SASLogon/login', () => {
+  describe('SASLogon/authorize', () => {
    let csrfToken: string
-    let cookies: string
+    let authCookies: string
    beforeAll(async () => {
-      ;({ csrfToken, cookies } = await getCSRF(app))
+      ;({ csrfToken } = await getCSRF(app))
      await userController.createUser(user)
      const credentials = {
        username: user.username,
        password: user.password
      }
      ;({ authCookies } = await performLogin(app, credentials, csrfToken))
    })
    afterAll(async () => {
      const collections = mongoose.connection.collections
      const collection = collections['users']
      await collection.deleteMany({})
    })
    it('should respond with authorization code', async () => {
      const res = await request(app)
        .post('/SASLogon/authorize')
        .set('Cookie', [authCookies].join('; '))
        .set('x-xsrf-token', csrfToken)
        .send({ clientId })
      expect(res.body).toHaveProperty('code')
    })
    it('should respond with Bad Request if CSRF Token is missing', async () => {
      const res = await request(app)
        .post('/SASLogon/authorize')
        .set('Cookie', [authCookies].join('; '))
        .send({ clientId })
        .expect(400)
      expect(res.text).toEqual('Invalid CSRF token!')
      expect(res.body).toEqual({})
    })
    it('should respond with Bad Request if clientId is missing', async () => {
      const res = await request(app)
        .post('/SASLogon/authorize')
        .set('Cookie', [authCookies].join('; '))
        .set('x-xsrf-token', csrfToken)
        .send({})
        .expect(400)
      expect(res.text).toEqual(`"clientId" is required`)
      expect(res.body).toEqual({})
    })
    it('should respond with Forbidden if clientId is incorrect', async () => {
      const res = await request(app)
        .post('/SASLogon/authorize')
        .set('Cookie', [authCookies].join('; '))
        .set('x-xsrf-token', csrfToken)
        .send({
          clientId: 'WrongClientID'
        })
        .expect(403)
      expect(res.text).toEqual('Error: Invalid clientId.')
      expect(res.body).toEqual({})
    })
  })
  describe('SASLogon/login', () => {
    let csrfToken: string
    beforeAll(async () => {
      ;({ csrfToken } = await getCSRF(app))
    })
    afterEach(async () => {
@@ -66,7 +136,6 @@ describe('web', () => {
      const res = await request(app)
        .post('/SASLogon/login')
        .set('Cookie', cookies)
        .set('x-xsrf-token', csrfToken)
        .send({
          username: user.username,
@@ -79,73 +148,113 @@ describe('web', () => {
        id: expect.any(Number),
        username: user.username,
        displayName: user.displayName,
-        isAdmin: user.isAdmin
+        isAdmin: user.isAdmin,
        needsToUpdatePassword: true
      })
    })
  })
  describe('SASLogon/authorize', () => {
    let csrfToken: string
    let cookies: string
    let authCookies: string
    beforeAll(async () => {
      ;({ csrfToken, cookies } = await getCSRF(app))
    it('should respond with too many requests when attempting with invalid password for a same user too many times', async () => {
      await userController.createUser(user)
-      const credentials = {
+      const promises: request.Test[] = []
        username: user.username,
        password: user.password
      }
-      ;({ cookies: authCookies } = await performLogin(
+      const maxConsecutiveFailsByUsernameAndIp = Number(
-        app,
+        process.env.MAX_CONSECUTIVE_FAILS_BY_USERNAME_AND_IP
-        credentials,
+      )
        cookies,
        csrfToken
      ))
    })
-    afterAll(async () => {
+      Array(maxConsecutiveFailsByUsernameAndIp + 1)
-      const collections = mongoose.connection.collections
+        .fill(0)
-      const collection = collections['users']
+        .map((_, i) => {
-      await collection.deleteMany({})
+          promises.push(
-    })
+            request(app)
              .post('/SASLogon/login')
              .set('x-xsrf-token', csrfToken)
              .send({
                username: user.username,
                password: 'invalid-password'
              })
          )
        })
      await Promise.all(promises)
    it('should respond with authorization code', async () => {
      const res = await request(app)
-        .post('/SASLogon/authorize')
+        .post('/SASLogon/login')
        .set('Cookie', [authCookies, cookies].join('; '))
        .set('x-xsrf-token', csrfToken)
-        .send({ clientId })
+        .send({
          username: user.username,
          password: user.password
        })
        .expect(429)
-      expect(res.body).toHaveProperty('code')
+      expect(res.text).toContain('Too Many Requests!')
    })
-    it('should respond with Bad Request if clientId is missing', async () => {
+    it('should respond with too many requests when attempting with invalid credentials for different users but with same ip too many times', async () => {
      await userController.createUser(user)
      const promises: request.Test[] = []
      const maxWrongAttemptsByIpPerDay = Number(
        process.env.MAX_WRONG_ATTEMPTS_BY_IP_PER_DAY
      )
      Array(maxWrongAttemptsByIpPerDay + 1)
        .fill(0)
        .map((_, i) => {
          promises.push(
            request(app)
              .post('/SASLogon/login')
              .set('x-xsrf-token', csrfToken)
              .send({
                username: `user${i}`,
                password: 'invalid-password'
              })
          )
        })
      await Promise.all(promises)
      const res = await request(app)
-        .post('/SASLogon/authorize')
+        .post('/SASLogon/login')
        .set('Cookie', [authCookies, cookies].join('; '))
        .set('x-xsrf-token', csrfToken)
-        .send({})
+        .send({
          username: user.username,
          password: user.password
        })
        .expect(429)
      expect(res.text).toContain('Too Many Requests!')
    })
    it('should respond with Bad Request if CSRF Token is not present', async () => {
      await userController.createUser(user)
      const res = await request(app)
        .post('/SASLogon/login')
        .send({
          username: user.username,
          password: user.password
        })
        .expect(400)
-      expect(res.text).toEqual(`"clientId" is required`)
+      expect(res.text).toEqual('Invalid CSRF token!')
      expect(res.body).toEqual({})
    })
-    it('should respond with Forbidden if clientId is incorrect', async () => {
+    it('should respond with Bad Request if CSRF Token is invalid', async () => {
-      const res = await request(app)
+      await userController.createUser(user)
        .post('/SASLogon/authorize')
        .set('Cookie', [authCookies, cookies].join('; '))
        .set('x-xsrf-token', csrfToken)
        .send({
          clientId: 'WrongClientID'
        })
        .expect(403)
-      expect(res.text).toEqual('Error: Invalid clientId.')
+      const res = await request(app)
        .post('/SASLogon/login')
        .set('x-xsrf-token', 'INVALID_CSRF_TOKEN')
        .send({
          username: user.username,
          password: user.password
        })
        .expect(400)
      expect(res.text).toEqual('Invalid CSRF token!')
      expect(res.body).toEqual({})
    })
  })
@@ -153,27 +262,22 @@ describe('web', () => {
 const getCSRF = async (app: Express) => {
  // make request to get CSRF
-  const { header, text } = await request(app).get('/')
+  const { text } = await request(app).get('/')
  const cookies = header['set-cookie'].join()
-  const csrfToken = extractCSRF(text)
+  return { csrfToken: extractCSRF(text) }
  return { csrfToken, cookies }
 }
 const performLogin = async (
  app: Express,
  credentials: { username: string; password: string },
  cookies: string,
  csrfToken: string
 ) => {
  const { header } = await request(app)
    .post('/SASLogon/login')
    .set('Cookie', cookies)
    .set('x-xsrf-token', csrfToken)
    .send(credentials)
-  const newCookies: string = header['set-cookie'].join()
+  return { authCookies: header['set-cookie'].join() }
  return { cookies: newCookies }
 }
 const extractCSRF = (text: string) =>
--- a/api/src/routes/api/stp.ts
+++ b/api/src/routes/api/stp.ts
@@ -1,5 +1,8 @@
 import express from 'express'
-import { executeProgramRawValidation } from '../../utils'
+import {
  executeProgramRawValidation,
  triggerProgramValidation
 } from '../../utils'
 import { STPController } from '../../controllers/'
 import { FileUploadController } from '../../controllers/internal'
@@ -13,7 +16,11 @@ stpRouter.get('/execute', async (req, res) => {
  if (error) return res.status(400).send(error.details[0].message)
  try {
-    const response = await controller.executeGetRequest(req, query._program)
+    const response = await controller.executeGetRequest(
      req,
      query._program,
      query._debug
    )
    if (response instanceof Buffer) {
      res.writeHead(200, (req as any).sasHeaders)
@@ -65,4 +72,23 @@ stpRouter.post(
  }
 )
 stpRouter.post('/trigger', async (req, res) => {
  const { error, value: body } = triggerProgramValidation(req.body)
  if (error) return res.status(400).send(error.details[0].message)
  try {
    const response = await controller.triggerProgram(req, body)
    res.status(200)
    res.send(response)
  } catch (err: any) {
    const statusCode = err.code
    delete err.code
    res.status(statusCode).send(err)
  }
 })
 export default stpRouter
--- a/api/src/routes/api/user.ts
+++ b/api/src/routes/api/user.ts
@@ -23,7 +23,7 @@ userRouter.post('/', authenticateAccessToken, verifyAdmin, async (req, res) => {
    const response = await controller.createUser(body)
    res.send(response)
  } catch (err: any) {
-    res.status(403).send(err.toString())
+    res.status(err.code).send(err.message)
  }
 })
@@ -33,7 +33,7 @@ userRouter.get('/', authenticateAccessToken, async (req, res) => {
    const response = await controller.getAllUsers()
    res.send(response)
  } catch (err: any) {
-    res.status(403).send(err.toString())
+    res.status(err.code).send(err.message)
  }
 })
@@ -51,7 +51,7 @@ userRouter.get(
      const response = await controller.getUserByUsername(req, username)
      res.send(response)
    } catch (err: any) {
-      res.status(403).send(err.toString())
+      res.status(err.code).send(err.message)
    }
  }
 )
@@ -64,7 +64,7 @@ userRouter.get('/:userId', authenticateAccessToken, async (req, res) => {
    const response = await controller.getUser(req, parseInt(userId))
    res.send(response)
  } catch (err: any) {
-    res.status(403).send(err.toString())
+    res.status(err.code).send(err.message)
  }
 })
@@ -91,7 +91,7 @@ userRouter.patch(
      const response = await controller.updateUserByUsername(username, body)
      res.send(response)
    } catch (err: any) {
-      res.status(403).send(err.toString())
+      res.status(err.code).send(err.message)
    }
  }
 )
@@ -113,7 +113,7 @@ userRouter.patch(
      const response = await controller.updateUser(parseInt(userId), body)
      res.send(response)
    } catch (err: any) {
-      res.status(403).send(err.toString())
+      res.status(err.code).send(err.message)
    }
  }
 )
@@ -141,7 +141,7 @@ userRouter.delete(
      await controller.deleteUserByUsername(username, data, user!.isAdmin)
      res.status(200).send('Account Deleted!')
    } catch (err: any) {
-      res.status(403).send(err.toString())
+      res.status(err.code).send(err.message)
    }
  }
 )
@@ -163,7 +163,7 @@ userRouter.delete(
      await controller.deleteUser(parseInt(userId), data, user!.isAdmin)
      res.status(200).send('Account Deleted!')
    } catch (err: any) {
-      res.status(403).send(err.toString())
+      res.status(err.code).send(err.message)
    }
  }
 )
--- a/api/src/routes/appStream/index.ts
+++ b/api/src/routes/appStream/index.ts
@@ -1,6 +1,6 @@
 import path from 'path'
 import express, { Request } from 'express'
-import { authenticateAccessToken } from '../../middlewares'
+import { authenticateAccessToken, generateCSRFToken } from '../../middlewares'
 import { folderExists } from '@sasjs/utils'
 import { addEntryToAppStreamConfig, getFilesFolder } from '../../utils'
@@ -13,7 +13,7 @@ const router = express.Router()
 router.get('/', authenticateAccessToken, async (req, res) => {
  const content = appStreamHtml(process.appStreamConfig)
-  res.cookie('XSRF-TOKEN', req.csrfToken())
+  res.cookie('XSRF-TOKEN', generateCSRFToken())
  return res.send(content)
 })
@@ -58,7 +58,7 @@ export const publishAppStream = async (
    )
    const sasJsPort = process.env.PORT || 5000
-    console.log(
+    process.logger.info(
      'Serving Stream App: ',
      `http://localhost:${sasJsPort}/AppStream/${streamServiceName}`
    )
--- a/api/src/routes/setupRoutes.ts
+++ b/api/src/routes/setupRoutes.ts
@@ -4,7 +4,7 @@ import webRouter from './web'
 import apiRouter from './api'
 import appStreamRouter from './appStream'
-import { csrfProtection } from '../app'
+import { csrfProtection } from '../middlewares'
 export const setupRoutes = (app: Express) => {
  app.use('/SASjsApi', apiRouter)
@@ -15,5 +15,5 @@ export const setupRoutes = (app: Express) => {
    appStreamRouter(req, res, next)
  })
-  app.use('/', csrfProtection, webRouter)
+  app.use('/', webRouter)
 }
--- a/api/src/routes/web/index.ts
+++ b/api/src/routes/web/index.ts
@@ -3,6 +3,7 @@ import sas9WebRouter from './sas9-web'
 import sasViyaWebRouter from './sasviya-web'
 import webRouter from './web'
 import { MOCK_SERVERTYPEType } from '../../utils'
 import { csrfProtection } from '../../middlewares'
 const router = express.Router()
@@ -18,7 +19,7 @@ switch (MOCK_SERVERTYPE) {
    break
  }
  default: {
-    router.use('/', webRouter)
+    router.use('/', csrfProtection, webRouter)
  }
 }
--- a/api/src/routes/web/sas9-web.ts
+++ b/api/src/routes/web/sas9-web.ts
@@ -1,12 +1,26 @@
 import express from 'express'
 import { generateCSRFToken } from '../../middlewares'
 import { WebController } from '../../controllers'
 import { MockSas9Controller } from '../../controllers/mock-sas9'
 import multer from 'multer'
 import path from 'path'
 import dotenv from 'dotenv'
 import { FileUploadController } from '../../controllers/internal'
 dotenv.config()
 const sas9WebRouter = express.Router()
 const webController = new WebController()
 // Mock controller must be singleton because it keeps the states
 // for example `isLoggedIn` and potentially more in future mocks
 const controller = new MockSas9Controller()
 const fileUploadController = new FileUploadController()
 const mockPath = process.env.STATIC_MOCK_LOCATION || 'mocks'
 const upload = multer({
  dest: path.join(process.cwd(), mockPath, 'sas9', 'files-received')
 })
 sas9WebRouter.get('/', async (req, res) => {
  let response
@@ -15,7 +29,7 @@ sas9WebRouter.get('/', async (req, res) => {
  } catch (_) {
    response = '<html><head></head><body>Web Build is not present</body></html>'
  } finally {
-    const codeToInject = `<script>document.cookie = 'XSRF-TOKEN=${req.csrfToken()}; Max-Age=86400; SameSite=Strict; Path=/;'</script>`
+    const codeToInject = `<script>document.cookie = 'XSRF-TOKEN=${generateCSRFToken()}; Max-Age=86400; SameSite=Strict; Path=/;'</script>`
    const injectedContent = response?.replace(
      '</head>',
      `${codeToInject}</head>`
@@ -26,7 +40,7 @@ sas9WebRouter.get('/', async (req, res) => {
 })
 sas9WebRouter.get('/SASStoredProcess', async (req, res) => {
-  const response = await controller.sasStoredProcess()
+  const response = await controller.sasStoredProcess(req)
  if (response.redirect) {
    res.redirect(response.redirect)
@@ -40,8 +54,8 @@ sas9WebRouter.get('/SASStoredProcess', async (req, res) => {
  }
 })
-sas9WebRouter.post('/SASStoredProcess/do/', async (req, res) => {
+sas9WebRouter.get('/SASStoredProcess/do/', async (req, res) => {
-  const response = await controller.sasStoredProcessDo(req)
+  const response = await controller.sasStoredProcessDoGet(req)
  if (response.redirect) {
    res.redirect(response.redirect)
@@ -55,6 +69,26 @@ sas9WebRouter.post('/SASStoredProcess/do/', async (req, res) => {
  }
 })
 sas9WebRouter.post(
  '/SASStoredProcess/do/',
  fileUploadController.preUploadMiddleware,
  fileUploadController.getMulterUploadObject().any(),
  async (req, res) => {
    const response = await controller.sasStoredProcessDoPost(req)
    if (response.redirect) {
      res.redirect(response.redirect)
      return
    }
    try {
      res.send(response.content)
    } catch (err: any) {
      res.status(403).send(err.toString())
    }
  }
 )
 sas9WebRouter.get('/SASLogon/login', async (req, res) => {
  const response = await controller.loginGet()
--- a/api/src/routes/web/sasviya-web.ts
+++ b/api/src/routes/web/sasviya-web.ts
@@ -1,4 +1,5 @@
 import express from 'express'
 import { generateCSRFToken } from '../../middlewares'
 import { WebController } from '../../controllers/web'
 const sasViyaWebRouter = express.Router()
@@ -11,7 +12,7 @@ sasViyaWebRouter.get('/', async (req, res) => {
  } catch (_) {
    response = '<html><head></head><body>Web Build is not present</body></html>'
  } finally {
-    const codeToInject = `<script>document.cookie = 'XSRF-TOKEN=${req.csrfToken()}; Max-Age=86400; SameSite=Strict; Path=/;'</script>`
+    const codeToInject = `<script>document.cookie = 'XSRF-TOKEN=${generateCSRFToken()}; Max-Age=86400; SameSite=Strict; Path=/;'</script>`
    const injectedContent = response?.replace(
      '</head>',
      `${codeToInject}</head>`
--- a/api/src/routes/web/web.ts
+++ b/api/src/routes/web/web.ts
@@ -1,6 +1,11 @@
 import express from 'express'
 import { generateCSRFToken } from '../../middlewares'
 import { WebController } from '../../controllers/web'
-import { authenticateAccessToken, desktopRestrict } from '../../middlewares'
+import {
  authenticateAccessToken,
  bruteForceProtection,
  desktopRestrict
 } from '../../middlewares'
 import { authorizeValidation, loginWebValidation } from '../../utils'
 const webRouter = express.Router()
@@ -13,7 +18,10 @@ webRouter.get('/', async (req, res) => {
  } catch (_) {
    response = '<html><head></head><body>Web Build is not present</body></html>'
  } finally {
-    const codeToInject = `<script>document.cookie = 'XSRF-TOKEN=${req.csrfToken()}; Max-Age=86400; SameSite=Strict; Path=/;'</script>`
+    const { ALLOWED_DOMAIN } = process.env
    const allowedDomain = ALLOWED_DOMAIN?.trim()
    const domain = allowedDomain ? ` Domain=${allowedDomain};` : ''
    const codeToInject = `<script>document.cookie = 'XSRF-TOKEN=${generateCSRFToken()};${domain} Max-Age=86400; SameSite=Strict; Path=/;'</script>`
    const injectedContent = response?.replace(
      '</head>',
      `${codeToInject}</head>`
@@ -23,17 +31,26 @@ webRouter.get('/', async (req, res) => {
  }
 })
-webRouter.post('/SASLogon/login', desktopRestrict, async (req, res) => {
+webRouter.post(
-  const { error, value: body } = loginWebValidation(req.body)
+  '/SASLogon/login',
-  if (error) return res.status(400).send(error.details[0].message)
+  desktopRestrict,
  bruteForceProtection,
  async (req, res) => {
    const { error, value: body } = loginWebValidation(req.body)
    if (error) return res.status(400).send(error.details[0].message)
-  try {
+    try {
-    const response = await controller.login(req, body)
+      const response = await controller.login(req, body)
-    res.send(response)
+      res.send(response)
-  } catch (err: any) {
+    } catch (err: any) {
-    res.status(403).send(err.toString())
+      if (err instanceof Error) {
        res.status(500).send(err.toString())
      } else {
        res.status(err.code).send(err.message)
      }
    }
  }
-})
+)
 webRouter.post(
  '/SASLogon/authorize',
--- a/api/src/server.ts
+++ b/api/src/server.ts
@@ -7,11 +7,11 @@ appPromise.then(async (app) => {
  const protocol = process.env.PROTOCOL || 'http'
  const sasJsPort = process.env.PORT || 5000
-  console.log('PROTOCOL: ', protocol)
+  process.logger.info('PROTOCOL: ', protocol)
  if (protocol !== 'https') {
    app.listen(sasJsPort, () => {
-      console.log(
+      process.logger.info(
        `⚡️[server]: Server is running at http://localhost:${sasJsPort}`
      )
    })
@@ -20,7 +20,7 @@ appPromise.then(async (app) => {
    const httpsServer = createServer({ key, cert, ca }, app)
    httpsServer.listen(sasJsPort, () => {
-      console.log(
+      process.logger.info(
        `⚡️[server]: Server is running at https://localhost:${sasJsPort}`
      )
    })
--- a/api/src/types/RequestUser.ts
+++ b/api/src/types/RequestUser.ts
@@ -5,5 +5,6 @@ export interface RequestUser {
  displayName: string
  isAdmin: boolean
  isActive: boolean
  needsToUpdatePassword: boolean
  autoExec?: string
 }
--- a/api/src/types/Session.ts
+++ b/api/src/types/Session.ts
@@ -8,4 +8,5 @@ export interface Session {
  consumed: boolean
  completed: boolean
  crashed?: string
  expiresAfterMins?: { mins: number; used: boolean }
 }
--- a/api/src/types/system/process.d.ts
+++ b/api/src/types/system/process.d.ts
@@ -5,9 +5,11 @@ declare namespace NodeJS {
    pythonLoc?: string
    rLoc?: string
    driveLoc: string
    sasjsRoot: string
    logsLoc: string
    logsUUID: string
    sessionController?: import('../../controllers/internal').SessionController
    sasSessionController?: import('../../controllers/internal').SASSessionController
    appStreamConfig: import('../').AppStreamConfig
    logger: import('@sasjs/utils/logger').Logger
    runTimes: import('../../utils').RunTimeType[]
--- a/api/src/utils/appStreamConfig.ts
+++ b/api/src/utils/appStreamConfig.ts
@@ -36,7 +36,7 @@ export const loadAppStreamConfig = async () => {
    )
  }
-  console.log('App Stream Config loaded!')
+  process.logger.info('App Stream Config loaded!')
 }
 export const addEntryToAppStreamConfig = (
--- a/api/src/utils/connectDB.ts
+++ b/api/src/utils/connectDB.ts
@@ -8,6 +8,6 @@ export const connectDB = async () => {
    throw new Error('Unable to connect to DB!')
  }
-  console.log('Connected to DB!')
+  process.logger.success('Connected to DB!')
  return seedDB()
 }
--- a/api/src/utils/copySASjsCore.ts
+++ b/api/src/utils/copySASjsCore.ts
@@ -12,7 +12,7 @@ import { getMacrosFolder, sasJSCoreMacros, sasJSCoreMacrosInfo } from '.'
 export const copySASjsCore = async () => {
  if (process.env.NODE_ENV === 'test') return
-  console.log('Copying Macros from container to drive(tmp).')
+  process.logger.log('Copying Macros from container to drive.')
  const macrosDrivePath = getMacrosFolder()
@@ -30,5 +30,5 @@ export const copySASjsCore = async () => {
    await createFile(macroFileDestPath, macroContent)
  })
-  console.log('Macros Drive Path:', macrosDrivePath)
+  process.logger.info('Macros Drive Path:', macrosDrivePath)
 }
--- a/api/src/utils/createWeboutSasFile.ts
+++ b/api/src/utils/createWeboutSasFile.ts
@@ -0,0 +1,18 @@
 import path from 'path'
 import { createFile } from '@sasjs/utils'
 import { getMacrosFolder } from './file'
 const fileContent = `%macro webout(action,ds,dslabel=,fmt=,missing=NULL,showmeta=NO,maxobs=MAX);
  %ms_webout(&action,ds=&ds,dslabel=&dslabel,fmt=&fmt
    ,missing=&missing
    ,showmeta=&showmeta
    ,maxobs=&maxobs
  )  
 %mend;`
 export const createWeboutSasFile = async () => {
  const macrosDrivePath = getMacrosFolder()
  process.logger.log(`Creating webout.sas at ${macrosDrivePath}`)
  const filePath = path.join(macrosDrivePath, 'webout.sas')
  await createFile(filePath, fileContent)
 }
--- a/api/src/utils/file.ts
+++ b/api/src/utils/file.ts
@@ -10,7 +10,7 @@ export const sysInitCompiledPath = path.join(
  'systemInitCompiled.sas'
 )
-export const sasJSCoreMacros = path.join(apiRoot, 'sasjscore')
+export const sasJSCoreMacros = path.join(apiRoot, 'sas', 'sasautos')
 export const sasJSCoreMacrosInfo = path.join(sasJSCoreMacros, '.macrolist')
 export const getWebBuildFolder = () => path.join(codebaseRoot, 'web', 'build')
@@ -20,19 +20,24 @@ export const getSasjsHomeFolder = () => path.join(homedir(), '.sasjs-server')
 export const getDesktopUserAutoExecPath = () =>
  path.join(getSasjsHomeFolder(), 'user-autoexec.sas')
-export const getSasjsRootFolder = () => process.driveLoc
+export const getSasjsRootFolder = () => process.sasjsRoot
 export const getSasjsDriveFolder = () => process.driveLoc
 export const getLogFolder = () => process.logsLoc
 export const getAppStreamConfigPath = () =>
-  path.join(getSasjsRootFolder(), 'appStreamConfig.json')
+  path.join(getSasjsDriveFolder(), 'appStreamConfig.json')
 export const getMacrosFolder = () =>
-  path.join(getSasjsRootFolder(), 'sasjscore')
+  path.join(getSasjsDriveFolder(), 'sas', 'sasautos')
 export const getPackagesFolder = () =>
  path.join(getSasjsDriveFolder(), 'sas', 'sas_packages')
 export const getUploadsFolder = () => path.join(getSasjsRootFolder(), 'uploads')
-export const getFilesFolder = () => path.join(getSasjsRootFolder(), 'files')
+export const getFilesFolder = () => path.join(getSasjsDriveFolder(), 'files')
 export const getWeboutFolder = () => path.join(getSasjsRootFolder(), 'webouts')
--- a/api/src/utils/generateAccessToken.ts
+++ b/api/src/utils/generateAccessToken.ts
@@ -1,7 +1,8 @@
 import jwt from 'jsonwebtoken'
 import { InfoJWT } from '../types'
 import { NUMBER_OF_SECONDS_IN_A_DAY } from '../model/Client'
-export const generateAccessToken = (data: InfoJWT) =>
+export const generateAccessToken = (data: InfoJWT, expiry?: number) =>
  jwt.sign(data, process.secrets.ACCESS_TOKEN_SECRET, {
-    expiresIn: '1day'
+    expiresIn: expiry ? expiry : NUMBER_OF_SECONDS_IN_A_DAY
  })
--- a/api/src/utils/generateRefreshToken.ts
+++ b/api/src/utils/generateRefreshToken.ts
@@ -1,7 +1,8 @@
 import jwt from 'jsonwebtoken'
 import { InfoJWT } from '../types'
 import { NUMBER_OF_SECONDS_IN_A_DAY } from '../model/Client'
-export const generateRefreshToken = (data: InfoJWT) =>
+export const generateRefreshToken = (data: InfoJWT, expiry?: number) =>
  jwt.sign(data, process.secrets.REFRESH_TOKEN_SECRET, {
-    expiresIn: '30 days'
+    expiresIn: expiry ? expiry : NUMBER_OF_SECONDS_IN_A_DAY
  })
--- a/api/src/utils/getAuthorizedRoutes.ts
+++ b/api/src/utils/getAuthorizedRoutes.ts
@@ -1,7 +1,8 @@
 import { Request } from 'express'
 export const TopLevelRoutes = ['/AppStream', '/SASjsApi']
 const StaticAuthorizedRoutes = [
  '/AppStream',
  '/SASjsApi/code/execute',
  '/SASjsApi/stp/execute',
  '/SASjsApi/drive/deploy',
@@ -15,7 +16,7 @@ const StaticAuthorizedRoutes = [
 export const getAuthorizedRoutes = () => {
  const streamingApps = Object.keys(process.appStreamConfig)
  const streamingAppsRoutes = streamingApps.map((app) => `/AppStream/${app}`)
-  return [...StaticAuthorizedRoutes, ...streamingAppsRoutes]
+  return [...TopLevelRoutes, ...StaticAuthorizedRoutes, ...streamingAppsRoutes]
 }
 export const getPath = (req: Request) => {
--- a/api/src/utils/getCertificates.ts
+++ b/api/src/utils/getCertificates.ts
@@ -10,9 +10,9 @@ export const getCertificates = async () => {
  const certPath = CERT_CHAIN ?? (await getFileInput('Certificate Chain (PEM)'))
  const caPath = CA_ROOT
-  console.log('keyPath: ', keyPath)
+  process.logger.info('keyPath: ', keyPath)
-  console.log('certPath: ', certPath)
+  process.logger.info('certPath: ', certPath)
-  if (caPath) console.log('caPath: ', caPath)
+  if (caPath) process.logger.info('caPath: ', caPath)
  const key = await readFile(keyPath)
  const cert = await readFile(certPath)
--- a/api/src/utils/getPreProgramVariables.ts
+++ b/api/src/utils/getPreProgramVariables.ts
@@ -7,7 +7,6 @@ export const getPreProgramVariables = (req: Request): PreProgramVars => {
  const { user, accessToken } = req
  const csrfToken = req.headers['x-xsrf-token'] || req.cookies['XSRF-TOKEN']
  const sessionId = req.cookies['connect.sid']
  const { _csrf } = req.cookies
  const httpHeaders: string[] = []
@@ -16,14 +15,15 @@ export const getPreProgramVariables = (req: Request): PreProgramVars => {
  const cookies: string[] = []
  if (sessionId) cookies.push(`connect.sid=${sessionId}`)
  if (_csrf) cookies.push(`_csrf=${_csrf}`)
  if (cookies.length) httpHeaders.push(`cookie: ${cookies.join('; ')}`)
  //In desktop mode when mocking mode is enabled, user was undefined.
  //So this is workaround.
  return {
-    username: user!.username,
+    username: user ? user.username : 'demo',
-    userId: user!.userId,
+    userId: user ? user.userId : 0,
-    displayName: user!.displayName,
+    displayName: user ? user.displayName : 'demo',
    serverUrl: protocol + host,
    httpHeaders
  }
--- a/api/src/utils/getRunTimeAndFilePath.ts
+++ b/api/src/utils/getRunTimeAndFilePath.ts
@@ -4,7 +4,7 @@ import { getFilesFolder } from './file'
 import { RunTimeType } from '.'
 export const getRunTimeAndFilePath = async (programPath: string) => {
-  const ext = path.extname(programPath)
+  const ext = path.extname(programPath).toLowerCase()
  // If programPath (_program) is provided with a ".sas", ".js", ".py" or ".r" extension
  // we should use that extension to determine the appropriate runTime
  if (ext && Object.values(RunTimeType).includes(ext.slice(1) as RunTimeType)) {
--- a/api/src/utils/getSequenceNextValue.ts
+++ b/api/src/utils/getSequenceNextValue.ts
@@ -0,0 +1,15 @@
 import Counter from '../model/Counter'
 export const getSequenceNextValue = async (seqName: string) => {
  const seqDoc = await Counter.findOne({ id: seqName })
  if (!seqDoc) {
    await Counter.create({ id: seqName, seq: 1 })
    return 1
  }
  seqDoc.seq += 1
  await seqDoc.save()
  return seqDoc.seq
 }
--- a/api/src/utils/getTokensFromDB.ts
+++ b/api/src/utils/getTokensFromDB.ts
@@ -0,0 +1,55 @@
 import jwt from 'jsonwebtoken'
 import User from '../model/User'
 const isValidToken = async (
  token: string,
  key: string,
  userId: number,
  clientId: string
 ) => {
  const promise = new Promise<boolean>((resolve, reject) =>
    jwt.verify(token, key, (err, decoded) => {
      if (err) return reject(false)
      if (decoded?.userId === userId && decoded?.clientId === clientId) {
        return resolve(true)
      }
      return reject(false)
    })
  )
  return await promise.then(() => true).catch(() => false)
 }
 export const getTokensFromDB = async (userId: number, clientId: string) => {
  const user = await User.findOne({ id: userId })
  if (!user) return
  const currentTokenObj = user.tokens.find(
    (tokenObj: any) => tokenObj.clientId === clientId
  )
  if (currentTokenObj) {
    const accessToken = currentTokenObj.accessToken
    const refreshToken = currentTokenObj.refreshToken
    const isValidAccessToken = await isValidToken(
      accessToken,
      process.secrets.ACCESS_TOKEN_SECRET,
      userId,
      clientId
    )
    const isValidRefreshToken = await isValidToken(
      refreshToken,
      process.secrets.REFRESH_TOKEN_SECRET,
      userId,
      clientId
    )
    if (isValidAccessToken && isValidRefreshToken) {
      return { accessToken, refreshToken }
    }
  }
 }
--- a/api/src/utils/index.ts
+++ b/api/src/utils/index.ts
@@ -1,6 +1,7 @@
 export * from './appStreamConfig'
 export * from './connectDB'
 export * from './copySASjsCore'
 export * from './createWeboutSasFile'
 export * from './desktopAutoExec'
 export * from './extractHeaders'
 export * from './extractName'
@@ -13,18 +14,23 @@ export * from './getCertificates'
 export * from './getDesktopFields'
 export * from './getPreProgramVariables'
 export * from './getRunTimeAndFilePath'
 export * from './getSequenceNextValue'
 export * from './getServerUrl'
 export * from './getTokensFromDB'
 export * from './instantiateLogger'
 export * from './isDebugOn'
 export * from './isPublicRoute'
-export * from './zipped'
+export * from './ldapClient'
 export * from './parseLogToArray'
 export * from './rateLimiter'
 export * from './removeTokensInDB'
 export * from './saveTokensInDB'
 export * from './seedDB'
 export * from './setProcessVariables'
 export * from './setupFolders'
 export * from './setupUserAutoExec'
 export * from './upload'
 export * from './validation'
 export * from './verifyEnvVariables'
 export * from './verifyTokenInDB'
 export * from './zipped'
--- a/api/src/utils/isPublicRoute.ts
+++ b/api/src/utils/isPublicRoute.ts
@@ -27,5 +27,6 @@ export const publicUser: RequestUser = {
  username: 'publicUser',
  displayName: 'Public User',
  isAdmin: false,
-  isActive: true
+  isActive: true,
  needsToUpdatePassword: false
 }
--- a/api/src/utils/ldapClient.ts
+++ b/api/src/utils/ldapClient.ts
@@ -0,0 +1,163 @@
 import { createClient, Client } from 'ldapjs'
 import { ReturnCode } from './verifyEnvVariables'
 export interface LDAPUser {
  uid: string
  username: string
  displayName: string
 }
 export interface LDAPGroup {
  name: string
  members: string[]
 }
 export class LDAPClient {
  private ldapClient: Client
  private static classInstance: LDAPClient | null
  private constructor() {
    process.logger.info('creating LDAP client')
    this.ldapClient = createClient({ url: process.env.LDAP_URL as string })
    this.ldapClient.on('error', (error) => {
      process.logger.error(error.message)
    })
  }
  static async init() {
    if (!LDAPClient.classInstance) {
      LDAPClient.classInstance = new LDAPClient()
      process.logger.info('binding LDAP client')
      await LDAPClient.classInstance.bind().catch((error) => {
        LDAPClient.classInstance = null
        throw error
      })
    }
    return LDAPClient.classInstance
  }
  private async bind() {
    const promise = new Promise<void>((resolve, reject) => {
      const { LDAP_BIND_DN, LDAP_BIND_PASSWORD } = process.env
      this.ldapClient.bind(LDAP_BIND_DN!, LDAP_BIND_PASSWORD!, (error) => {
        if (error) reject(error)
        resolve()
      })
    })
    await promise.catch((error) => {
      throw new Error(error.message)
    })
  }
  async getAllLDAPUsers() {
    const promise = new Promise<LDAPUser[]>((resolve, reject) => {
      const { LDAP_USERS_BASE_DN } = process.env
      const filter = `(objectClass=*)`
      this.ldapClient.search(
        LDAP_USERS_BASE_DN!,
        { filter },
        (error, result) => {
          if (error) reject(error)
          const users: LDAPUser[] = []
          result.on('searchEntry', (entry) => {
            users.push({
              uid: entry.object.uid as string,
              username: entry.object.username as string,
              displayName: entry.object.displayname as string
            })
          })
          result.on('end', (result) => {
            resolve(users)
          })
        }
      )
    })
    return await promise
      .then((res) => res)
      .catch((error) => {
        throw new Error(error.message)
      })
  }
  async getAllLDAPGroups() {
    const promise = new Promise<LDAPGroup[]>((resolve, reject) => {
      const { LDAP_GROUPS_BASE_DN } = process.env
      this.ldapClient.search(LDAP_GROUPS_BASE_DN!, {}, (error, result) => {
        if (error) reject(error)
        const groups: LDAPGroup[] = []
        result.on('searchEntry', (entry) => {
          const members =
            typeof entry.object.memberuid === 'string'
              ? [entry.object.memberuid]
              : entry.object.memberuid
          groups.push({
            name: entry.object.cn as string,
            members
          })
        })
        result.on('end', (result) => {
          resolve(groups)
        })
      })
    })
    return await promise
      .then((res) => res)
      .catch((error) => {
        throw new Error(error.message)
      })
  }
  async verifyUser(username: string, password: string) {
    const promise = new Promise<boolean>((resolve, reject) => {
      const { LDAP_USERS_BASE_DN } = process.env
      const filter = `(username=${username})`
      this.ldapClient.search(
        LDAP_USERS_BASE_DN!,
        { filter },
        (error, result) => {
          if (error) reject(error)
          const items: any = []
          result.on('searchEntry', (entry) => {
            items.push(entry.object)
          })
          result.on('end', (result) => {
            if (result?.status !== 0 || items.length === 0) return reject()
            // pick the first found
            const user = items[0]
            this.ldapClient.bind(user.dn, password, (error) => {
              if (error) return reject(error)
              resolve(true)
            })
          })
        }
      )
    })
    return await promise
      .then(() => true)
      .catch(() => {
        throw new Error('Invalid password.')
      })
  }
 }
--- a/api/src/utils/parseHelmetConfig.ts
+++ b/api/src/utils/parseHelmetConfig.ts
@@ -22,12 +22,12 @@ export const getEnvCSPDirectives = (
      try {
        cspConfigJson = JSON.parse(file)
      } catch (e) {
-        console.error(
+        process.logger.error(
          'Parsing Content Security Policy JSON config failed. Make sure it is valid json'
        )
      }
    } catch (e) {
-      console.error('Error reading HELMET CSP config file', e)
+      process.logger.error('Error reading HELMET CSP config file', e)
    }
  }
--- a/api/src/utils/rateLimiter.ts
+++ b/api/src/utils/rateLimiter.ts
@@ -0,0 +1,123 @@
 import { RateLimiterMemory } from 'rate-limiter-flexible'
 export class RateLimiter {
  private static instance: RateLimiter
  private limiterSlowBruteByIP: RateLimiterMemory
  private limiterConsecutiveFailsByUsernameAndIP: RateLimiterMemory
  private maxWrongAttemptsByIpPerDay: number
  private maxConsecutiveFailsByUsernameAndIp: number
  private constructor() {
    const {
      MAX_WRONG_ATTEMPTS_BY_IP_PER_DAY,
      MAX_CONSECUTIVE_FAILS_BY_USERNAME_AND_IP
    } = process.env
    this.maxWrongAttemptsByIpPerDay = Number(MAX_WRONG_ATTEMPTS_BY_IP_PER_DAY)
    this.maxConsecutiveFailsByUsernameAndIp = Number(
      MAX_CONSECUTIVE_FAILS_BY_USERNAME_AND_IP
    )
    this.limiterSlowBruteByIP = new RateLimiterMemory({
      keyPrefix: 'login_fail_ip_per_day',
      points: this.maxWrongAttemptsByIpPerDay,
      duration: 60 * 60 * 24,
      blockDuration: 60 * 60 * 24 // Block for 1 day
    })
    this.limiterConsecutiveFailsByUsernameAndIP = new RateLimiterMemory({
      keyPrefix: 'login_fail_consecutive_username_and_ip',
      points: this.maxConsecutiveFailsByUsernameAndIp,
      duration: 60 * 60 * 24 * 24, // Store number for 24 days since first fail
      blockDuration: 60 * 60 // Block for 1 hour
    })
  }
  public static getInstance() {
    if (!RateLimiter.instance) {
      RateLimiter.instance = new RateLimiter()
    }
    return RateLimiter.instance
  }
  private getUsernameIPKey(ip: string, username: string) {
    return `${username}_${ip}`
  }
  /**
   *  This method checks for brute force attack
   *  If attack is detected then returns the number of seconds after which user can make another request
   *  Else returns 0
   */
  public async check(ip: string, username: string) {
    const usernameIPkey = this.getUsernameIPKey(ip, username)
    const [resSlowByIP, resUsernameAndIP] = await Promise.all([
      this.limiterSlowBruteByIP.get(ip),
      this.limiterConsecutiveFailsByUsernameAndIP.get(usernameIPkey)
    ])
    // NOTE: To make use of blockDuration option, comparison in both following if statements should have greater than symbol
    //       otherwise, blockDuration option will not work
    // For more info see: https://github.com/animir/node-rate-limiter-flexible/wiki/Options#blockduration
    // Check if IP or Username + IP is already blocked
    if (
      resSlowByIP !== null &&
      resSlowByIP.consumedPoints > this.maxWrongAttemptsByIpPerDay
    ) {
      return Math.ceil(resSlowByIP.msBeforeNext / 1000)
    } else if (
      resUsernameAndIP !== null &&
      resUsernameAndIP.consumedPoints > this.maxConsecutiveFailsByUsernameAndIp
    ) {
      return Math.ceil(resUsernameAndIP.msBeforeNext / 1000)
    }
    return 0
  }
  /**
   * Consume 1 point from limiters on wrong attempt and block if limits reached
   * If limit is reached, return the number of seconds after which user can make another request
   * Else return 0
   */
  public async consume(ip: string, username?: string) {
    try {
      const promises = [this.limiterSlowBruteByIP.consume(ip)]
      if (username) {
        const usernameIPkey = this.getUsernameIPKey(ip, username)
        // Count failed attempts by Username + IP only for registered users
        promises.push(
          this.limiterConsecutiveFailsByUsernameAndIP.consume(usernameIPkey)
        )
      }
      await Promise.all(promises)
    } catch (rlRejected: any) {
      if (rlRejected instanceof Error) {
        throw rlRejected
      } else {
        // based upon the implementation of consume method of RateLimiterMemory
        // we are sure that rlRejected will contain msBeforeNext
        // for further reference,
        // see https://github.com/animir/node-rate-limiter-flexible/wiki/Overall-example#login-endpoint-protection
        // or see https://github.com/animir/node-rate-limiter-flexible#ratelimiterres-object
        return Math.ceil(rlRejected.msBeforeNext / 1000)
      }
    }
    return 0
  }
  public async resetOnSuccess(ip: string, username: string) {
    const usernameIPkey = this.getUsernameIPKey(ip, username)
    const resUsernameAndIP =
      await this.limiterConsecutiveFailsByUsernameAndIP.get(usernameIPkey)
    if (resUsernameAndIP !== null && resUsernameAndIP.consumedPoints > 0) {
      await this.limiterConsecutiveFailsByUsernameAndIP.delete(usernameIPkey)
    }
  }
 }
--- a/api/src/utils/seedDB.ts
+++ b/api/src/utils/seedDB.ts
@@ -1,7 +1,9 @@
 import bcrypt from 'bcryptjs'
 import Client from '../model/Client'
 import Group, { PUBLIC_GROUP_NAME } from '../model/Group'
-import User from '../model/User'
+import User, { IUser } from '../model/User'
 import Configuration, { ConfigurationType } from '../model/Configuration'
 import { ResetAdminPasswordType } from './verifyEnvVariables'
 import { randomBytes } from 'crypto'
@@ -19,16 +21,16 @@ export const seedDB = async (): Promise<ConfigurationType> => {
    const client = new Client(CLIENT)
    await client.save()
-    console.log(`DB Seed - client created: ${CLIENT.clientId}`)
+    process.logger.success(`DB Seed - client created: ${CLIENT.clientId}`)
  }
  // Checking if 'AllUsers' Group is already in the database
-  let groupExist = await Group.findOne({ name: GROUP.name })
+  let groupExist = await Group.findOne({ name: ALL_USERS_GROUP.name })
  if (!groupExist) {
-    const group = new Group(GROUP)
+    const group = new Group(ALL_USERS_GROUP)
    groupExist = await group.save()
-    console.log(`DB Seed - Group created: ${GROUP.name}`)
+    process.logger.success(`DB Seed - Group created: ${ALL_USERS_GROUP.name}`)
  }
  // Checking if 'Public' Group is already in the database
@@ -37,22 +39,28 @@ export const seedDB = async (): Promise<ConfigurationType> => {
    const group = new Group(PUBLIC_GROUP)
    await group.save()
-    console.log(`DB Seed - Group created: ${PUBLIC_GROUP.name}`)
+    process.logger.success(`DB Seed - Group created: ${PUBLIC_GROUP.name}`)
  }
  const ADMIN_USER = getAdminUser()
  // Checking if user is already in the database
  let usernameExist = await User.findOne({ username: ADMIN_USER.username })
-  if (!usernameExist) {
+  if (usernameExist) {
    usernameExist = await resetAdminPassword(usernameExist, ADMIN_USER.password)
  } else {
    const user = new User(ADMIN_USER)
    usernameExist = await user.save()
-    console.log(`DB Seed - admin account created: ${ADMIN_USER.username}`)
+    process.logger.success(
      `DB Seed - admin account created: ${ADMIN_USER.username}`
    )
  }
-  if (!groupExist.hasUser(usernameExist)) {
+  if (usernameExist.isAdmin && !groupExist.hasUser(usernameExist)) {
    groupExist.addUser(usernameExist)
-    console.log(
+    process.logger.success(
-      `DB Seed - admin account '${ADMIN_USER.username}' added to Group '${GROUP.name}'`
+      `DB Seed - admin account '${ADMIN_USER.username}' added to Group '${ALL_USERS_GROUP.name}'`
    )
  }
@@ -62,7 +70,7 @@ export const seedDB = async (): Promise<ConfigurationType> => {
    const configuration = new Configuration(SECRETS)
    configExist = await configuration.save()
-    console.log('DB Seed - configuration added')
+    process.logger.success('DB Seed - configuration added')
  }
  return {
@@ -73,7 +81,7 @@ export const seedDB = async (): Promise<ConfigurationType> => {
  }
 }
-const GROUP = {
+export const ALL_USERS_GROUP = {
  name: 'AllUsers',
  description: 'Group contains all users'
 }
@@ -88,11 +96,52 @@ const CLIENT = {
  clientId: 'clientID1',
  clientSecret: 'clientSecret'
 }
-const ADMIN_USER = {
+
-  id: 1,
+const getAdminUser = () => {
-  displayName: 'Super Admin',
+  const { ADMIN_USERNAME, ADMIN_PASSWORD_INITIAL } = process.env
-  username: 'secretuser',
+
-  password: '$2a$10$hKvcVEZdhEQZCcxt6npazO6mY4jJkrzWvfQ5stdBZi8VTTwVMCVXO',
+  const salt = bcrypt.genSaltSync(10)
-  isAdmin: true,
+  const hashedPassword = bcrypt.hashSync(ADMIN_PASSWORD_INITIAL as string, salt)
-  isActive: true
+
  return {
    displayName: 'Super Admin',
    username: ADMIN_USERNAME,
    password: hashedPassword,
    isAdmin: true,
    isActive: true
  }
 }
 const resetAdminPassword = async (user: IUser, password: string) => {
  const { ADMIN_PASSWORD_RESET } = process.env
  if (ADMIN_PASSWORD_RESET === ResetAdminPasswordType.YES) {
    if (!user.isAdmin) {
      process.logger.error(
        `Can not reset the password of non-admin user (${user.username}) on startup.`
      )
      return user
    }
    if (user.authProvider) {
      process.logger.error(
        `Can not reset the password of admin (${user.username}) with ${user.authProvider} as authentication mechanism.`
      )
      return user
    }
    process.logger.info(
      `DB Seed - resetting password for admin user: ${user.username}`
    )
    user.password = password
    user.needsToUpdatePassword = true
    user = await user.save()
    process.logger.success(`DB Seed - successfully reset the password`)
  }
  return user
 }
--- a/api/src/utils/setProcessVariables.ts
+++ b/api/src/utils/setProcessVariables.ts
@@ -1,9 +1,31 @@
 import path from 'path'
-import { createFolder, getAbsolutePath, getRealPath } from '@sasjs/utils'
+import {
-
+  createFolder,
  getAbsolutePath,
  getRealPath,
  fileExists
 } from '@sasjs/utils'
 import dotenv from 'dotenv'
 import { connectDB, getDesktopFields, ModeType, RunTimeType, SECRETS } from '.'
 export const setProcessVariables = async () => {
  const { execPath } = process
  // Check if execPath ends with 'api-macos' to determine executable for MacOS.
  // This is needed to fix picking .env file issue in MacOS executable.
  if (execPath) {
    const envPathSplitted = execPath.split(path.sep)
    if (envPathSplitted.pop() === 'api-macos') {
      const envPath = path.join(envPathSplitted.join(path.sep), '.env')
      // Override environment variables from envPath if file exists
      if (await fileExists(envPath)) {
        dotenv.config({ path: envPath, override: true })
      }
    }
  }
  const { MODE, RUN_TIMES } = process.env
  if (MODE === ModeType.Server) {
@@ -19,7 +41,9 @@ export const setProcessVariables = async () => {
  }
  if (process.env.NODE_ENV === 'test') {
-    process.driveLoc = path.join(process.cwd(), 'sasjs_root')
+    process.sasjsRoot = path.join(process.cwd(), 'sasjs_root')
    process.driveLoc = path.join(process.cwd(), 'sasjs_root', 'drive')
    return
  }
@@ -32,7 +56,6 @@ export const setProcessVariables = async () => {
    process.rLoc = process.env.R_PATH
  } else {
    const { sasLoc, nodeLoc, pythonLoc, rLoc } = await getDesktopFields()
    process.sasLoc = sasLoc
    process.nodeLoc = nodeLoc
    process.pythonLoc = pythonLoc
@@ -41,21 +64,34 @@ export const setProcessVariables = async () => {
  const { SASJS_ROOT } = process.env
  const absPath = getAbsolutePath(SASJS_ROOT ?? 'sasjs_root', process.cwd())
  await createFolder(absPath)
-  process.driveLoc = getRealPath(absPath)
+
  process.sasjsRoot = getRealPath(absPath)
  const { DRIVE_LOCATION } = process.env
  const absDrivePath = getAbsolutePath(
    DRIVE_LOCATION ?? path.join(process.sasjsRoot, 'drive'),
    process.cwd()
  )
  await createFolder(absDrivePath)
  process.driveLoc = getRealPath(absDrivePath)
  const { LOG_LOCATION } = process.env
  const absLogsPath = getAbsolutePath(
-    LOG_LOCATION ?? `sasjs_root${path.sep}logs`,
+    LOG_LOCATION ?? path.join(process.sasjsRoot, 'logs'),
    process.cwd()
  )
  await createFolder(absLogsPath)
  process.logsLoc = getRealPath(absLogsPath)
  process.logsUUID = 'SASJS_LOGS_SEPARATOR_163ee17b6ff24f028928972d80a26784'
-  console.log('sasLoc: ', process.sasLoc)
+  process.logger.info('sasLoc: ', process.sasLoc)
-  console.log('sasDrive: ', process.driveLoc)
+  process.logger.info('sasDrive: ', process.driveLoc)
-  console.log('sasLogs: ', process.logsLoc)
+  process.logger.info('sasLogs: ', process.logsLoc)
-  console.log('runTimes: ', process.runTimes)
+  process.logger.info('runTimes: ', process.runTimes)
 }
--- a/api/src/utils/setupFolders.ts
+++ b/api/src/utils/setupFolders.ts
@@ -1,14 +1,7 @@
-import { createFile, createFolder, fileExists } from '@sasjs/utils'
+import { createFolder } from '@sasjs/utils'
-import { getDesktopUserAutoExecPath, getFilesFolder } from './file'
+import { getFilesFolder, getPackagesFolder } from './file'
 import { ModeType } from './verifyEnvVariables'
-export const setupFolders = async () => {
+export const setupFilesFolder = async () => await createFolder(getFilesFolder())
  const drivePath = getFilesFolder()
  await createFolder(drivePath)
-  if (process.env.MODE === ModeType.Desktop) {
+export const setupPackagesFolder = async () =>
-    if (!(await fileExists(getDesktopUserAutoExecPath()))) {
+  await createFolder(getPackagesFolder())
      await createFile(getDesktopUserAutoExecPath(), '')
    }
  }
 }
--- a/api/src/utils/setupUserAutoExec.ts
+++ b/api/src/utils/setupUserAutoExec.ts
@@ -0,0 +1,11 @@
 import { createFile, fileExists } from '@sasjs/utils'
 import { getDesktopUserAutoExecPath } from './file'
 import { ModeType } from './verifyEnvVariables'
 export const setupUserAutoExec = async () => {
  if (process.env.MODE === ModeType.Desktop) {
    if (!(await fileExists(getDesktopUserAutoExecPath()))) {
      await createFile(getDesktopUserAutoExecPath(), '')
    }
  }
 }
--- a/api/src/utils/upload.ts
+++ b/api/src/utils/upload.ts
@@ -51,9 +51,8 @@ export const generateFileUploadSasCode = async (
  let fileCount = 0
  const uploadedFiles: UploadedFiles[] = []
-  const sasSessionFolderList: string[] = await listFilesInFolder(
+  const sasSessionFolderList: string[] =
-    sasSessionFolder
+    await listFilesInFolder(sasSessionFolder)
  )
  sasSessionFolderList.forEach((fileName) => {
    let fileCountString = fileCount < 100 ? '0' + fileCount : fileCount
    fileCountString = fileCount < 10 ? '00' + fileCount : fileCount
--- a/api/src/utils/validation.ts
+++ b/api/src/utils/validation.ts
@@ -85,10 +85,18 @@ export const updateUserValidation = (
  return Joi.object(validationChecks).validate(data)
 }
 export const updatePasswordValidation = (data: any): Joi.ValidationResult =>
  Joi.object({
    currentPassword: Joi.string().required(),
    newPassword: passwordSchema.required()
  }).validate(data)
 export const registerClientValidation = (data: any): Joi.ValidationResult =>
  Joi.object({
    clientId: Joi.string().required(),
-    clientSecret: Joi.string().required()
+    clientSecret: Joi.string().required(),
    accessTokenExpiration: Joi.number(),
    refreshTokenExpiration: Joi.number()
  }).validate(data)
 export const registerPermissionValidation = (data: any): Joi.ValidationResult =>
@@ -170,9 +178,26 @@ export const runCodeValidation = (data: any): Joi.ValidationResult =>
    runTime: Joi.string().valid(...process.runTimes)
  }).validate(data)
 export const triggerCodeValidation = (data: any): Joi.ValidationResult =>
  Joi.object({
    code: Joi.string().required(),
    runTime: Joi.string().valid(...process.runTimes),
    expiresAfterMins: Joi.number().greater(0)
  }).validate(data)
 export const executeProgramRawValidation = (data: any): Joi.ValidationResult =>
  Joi.object({
-    _program: Joi.string().required()
+    _program: Joi.string().required(),
    _debug: Joi.number()
  })
    .pattern(/^/, Joi.alternatives(Joi.string(), Joi.number()))
    .validate(data)
 export const triggerProgramValidation = (data: any): Joi.ValidationResult =>
  Joi.object({
    _program: Joi.string().required(),
    _debug: Joi.number(),
    expiresAfterMins: Joi.number().greater(0)
  })
    .pattern(/^/, Joi.alternatives(Joi.string(), Joi.number()))
    .validate(data)
--- a/api/src/utils/verifyEnvVariables.ts
+++ b/api/src/utils/verifyEnvVariables.ts
@@ -8,6 +8,10 @@ export enum ModeType {
  Desktop = 'desktop'
 }
 export enum AuthProviderType {
  LDAP = 'ldap'
 }
 export enum ProtocolType {
  HTTP = 'http',
  HTTPS = 'https'
@@ -43,6 +47,16 @@ export enum ReturnCode {
  InvalidEnv
 }
 export enum DatabaseType {
  MONGO = 'mongodb',
  COSMOS_MONGODB = 'cosmos_mongodb'
 }
 export enum ResetAdminPasswordType {
  YES = 'YES',
  NO = 'NO'
 }
 export const verifyEnvVariables = (): ReturnCode => {
  const errors: string[] = []
@@ -64,6 +78,14 @@ export const verifyEnvVariables = (): ReturnCode => {
  errors.push(...verifyExecutablePaths())
  errors.push(...verifyLDAPVariables())
  errors.push(...verifyDbType())
  errors.push(...verifyRateLimiter())
  errors.push(...verifyAdminUserConfig())
  if (errors.length) {
    process.logger?.error(
      `Invalid environment variable(s) provided: \n${errors.join('\n')}`
@@ -104,13 +126,22 @@ const verifyMODE = (): string[] => {
  }
  if (process.env.MODE === ModeType.Server) {
-    const { DB_CONNECT } = process.env
+    const { DB_CONNECT, AUTH_PROVIDERS } = process.env
-    if (process.env.NODE_ENV !== 'test')
+    if (process.env.NODE_ENV !== 'test') {
      if (!DB_CONNECT)
        errors.push(
          `- DB_CONNECT is required for PROTOCOL '${ModeType.Server}'`
        )
      if (AUTH_PROVIDERS) {
        const authProvidersType = Object.values(AuthProviderType)
        if (!authProvidersType.includes(AUTH_PROVIDERS as AuthProviderType))
          errors.push(
            `- AUTH_PROVIDERS '${AUTH_PROVIDERS}'\n - valid options ${authProvidersType}`
          )
      }
    }
  }
  return errors
@@ -252,7 +283,7 @@ const verifyRUN_TIMES = (): string[] => {
  return errors
 }
-const verifyExecutablePaths = () => {
+const verifyExecutablePaths = (): string[] => {
  const errors: string[] = []
  const { RUN_TIMES, SAS_PATH, NODE_PATH, PYTHON_PATH, R_PATH, MODE } =
    process.env
@@ -280,11 +311,158 @@ const verifyExecutablePaths = () => {
  return errors
 }
 const verifyLDAPVariables = () => {
  const errors: string[] = []
  const {
    LDAP_URL,
    LDAP_BIND_DN,
    LDAP_BIND_PASSWORD,
    LDAP_USERS_BASE_DN,
    LDAP_GROUPS_BASE_DN,
    MODE,
    AUTH_PROVIDERS
  } = process.env
  if (MODE === ModeType.Server && AUTH_PROVIDERS === AuthProviderType.LDAP) {
    if (!LDAP_URL) {
      errors.push(
        `- LDAP_URL is required for AUTH_PROVIDER '${AuthProviderType.LDAP}'`
      )
    }
    if (!LDAP_BIND_DN) {
      errors.push(
        `- LDAP_BIND_DN is required for AUTH_PROVIDER '${AuthProviderType.LDAP}'`
      )
    }
    if (!LDAP_BIND_PASSWORD) {
      errors.push(
        `- LDAP_BIND_PASSWORD is required for AUTH_PROVIDER '${AuthProviderType.LDAP}'`
      )
    }
    if (!LDAP_USERS_BASE_DN) {
      errors.push(
        `- LDAP_USERS_BASE_DN is required for AUTH_PROVIDER '${AuthProviderType.LDAP}'`
      )
    }
    if (!LDAP_GROUPS_BASE_DN) {
      errors.push(
        `- LDAP_GROUPS_BASE_DN is required for AUTH_PROVIDER '${AuthProviderType.LDAP}'`
      )
    }
  }
  return errors
 }
 const verifyDbType = () => {
  const errors: string[] = []
  const { MODE, DB_TYPE } = process.env
  if (MODE === ModeType.Server) {
    if (DB_TYPE) {
      const dbTypes = Object.values(DatabaseType)
      if (!dbTypes.includes(DB_TYPE as DatabaseType))
        errors.push(`- DB_TYPE '${DB_TYPE}'\n - valid options ${dbTypes}`)
    } else {
      process.env.DB_TYPE = DEFAULTS.DB_TYPE
    }
  }
  return errors
 }
 const verifyRateLimiter = () => {
  const errors: string[] = []
  const {
    MODE,
    MAX_WRONG_ATTEMPTS_BY_IP_PER_DAY,
    MAX_CONSECUTIVE_FAILS_BY_USERNAME_AND_IP
  } = process.env
  if (MODE === ModeType.Server) {
    if (MAX_WRONG_ATTEMPTS_BY_IP_PER_DAY) {
      if (
        !isNumeric(MAX_WRONG_ATTEMPTS_BY_IP_PER_DAY) ||
        Number(MAX_WRONG_ATTEMPTS_BY_IP_PER_DAY) < 1
      ) {
        errors.push(
          `- Invalid value for 'MAX_WRONG_ATTEMPTS_BY_IP_PER_DAY' - Only positive number is acceptable`
        )
      }
    } else {
      process.env.MAX_WRONG_ATTEMPTS_BY_IP_PER_DAY =
        DEFAULTS.MAX_WRONG_ATTEMPTS_BY_IP_PER_DAY
    }
    if (MAX_CONSECUTIVE_FAILS_BY_USERNAME_AND_IP) {
      if (
        !isNumeric(MAX_CONSECUTIVE_FAILS_BY_USERNAME_AND_IP) ||
        Number(MAX_CONSECUTIVE_FAILS_BY_USERNAME_AND_IP) < 1
      ) {
        errors.push(
          `- Invalid value for 'MAX_CONSECUTIVE_FAILS_BY_USERNAME_AND_IP' - Only positive number is acceptable`
        )
      }
    } else {
      process.env.MAX_CONSECUTIVE_FAILS_BY_USERNAME_AND_IP =
        DEFAULTS.MAX_CONSECUTIVE_FAILS_BY_USERNAME_AND_IP
    }
  }
  return errors
 }
 const verifyAdminUserConfig = () => {
  const errors: string[] = []
  const { MODE, ADMIN_USERNAME, ADMIN_PASSWORD_INITIAL, ADMIN_PASSWORD_RESET } =
    process.env
  if (MODE === ModeType.Server) {
    if (ADMIN_USERNAME) {
      process.env.ADMIN_USERNAME = ADMIN_USERNAME.toLowerCase()
    } else {
      process.env.ADMIN_USERNAME = DEFAULTS.ADMIN_USERNAME
    }
    if (!ADMIN_PASSWORD_INITIAL)
      process.env.ADMIN_PASSWORD_INITIAL = DEFAULTS.ADMIN_PASSWORD_INITIAL
    if (ADMIN_PASSWORD_RESET) {
      const resetPasswordTypes = Object.values(ResetAdminPasswordType)
      if (
        !resetPasswordTypes.includes(
          ADMIN_PASSWORD_RESET as ResetAdminPasswordType
        )
      )
        errors.push(
          `- ADMIN_PASSWORD_RESET '${ADMIN_PASSWORD_RESET}'\n - valid options ${resetPasswordTypes}`
        )
    } else {
      process.env.ADMIN_PASSWORD_RESET = DEFAULTS.ADMIN_PASSWORD_RESET
    }
  }
  return errors
 }
 const isNumeric = (val: string): boolean => {
  return !isNaN(Number(val))
 }
 const DEFAULTS = {
  MODE: ModeType.Desktop,
  PROTOCOL: ProtocolType.HTTP,
  PORT: '5000',
  HELMET_COEP: HelmetCoepType.TRUE,
  LOG_FORMAT_MORGAN: LOG_FORMAT_MORGANType.Common,
-  RUN_TIMES: RunTimeType.SAS
+  RUN_TIMES: RunTimeType.SAS,
  DB_TYPE: DatabaseType.MONGO,
  MAX_WRONG_ATTEMPTS_BY_IP_PER_DAY: '100',
  MAX_CONSECUTIVE_FAILS_BY_USERNAME_AND_IP: '10',
  ADMIN_USERNAME: 'secretuser',
  ADMIN_PASSWORD_INITIAL: 'secretpassword',
  ADMIN_PASSWORD_RESET: ResetAdminPasswordType.NO
 }
--- a/api/src/utils/verifyTokenInDB.ts
+++ b/api/src/utils/verifyTokenInDB.ts
@@ -15,6 +15,7 @@ export const fetchLatestAutoExec = async (
    displayName: dbUser.displayName,
    isAdmin: dbUser.isAdmin,
    isActive: dbUser.isActive,
    needsToUpdatePassword: dbUser.needsToUpdatePassword,
    autoExec: dbUser.autoExec
  }
 }
@@ -41,6 +42,7 @@ export const verifyTokenInDB = async (
        displayName: dbUser.displayName,
        isAdmin: dbUser.isAdmin,
        isActive: dbUser.isActive,
        needsToUpdatePassword: dbUser.needsToUpdatePassword,
        autoExec: dbUser.autoExec
      }
    : undefined
--- a/api/tsoa.json
+++ b/api/tsoa.json
@@ -15,6 +15,10 @@
        "name": "Auth",
        "description": "Operations about auth"
      },
      {
        "name": "Auth_Config",
        "description": "Operations about external auth providers"
      },
      {
        "name": "Client",
        "description": "Operations about clients"
--- a/web/package-lock.json
+++ b/web/package-lock.json
--- a/web/package.json
+++ b/web/package.json
@@ -25,6 +25,7 @@
    "react": "^17.0.2",
    "react-copy-to-clipboard": "^5.1.0",
    "react-dom": "^17.0.2",
    "react-highlight": "^0.15.0",
    "react-monaco-editor": "^0.48.0",
    "react-router-dom": "^6.3.0",
    "react-toastify": "^9.0.1"
@@ -41,6 +42,7 @@
    "@types/react": "^17.0.37",
    "@types/react-copy-to-clipboard": "^5.0.2",
    "@types/react-dom": "^17.0.11",
    "@types/react-highlight": "^0.12.5",
    "@types/react-router-dom": "^5.3.1",
    "babel-loader": "^8.2.3",
    "babel-plugin-prismjs": "^2.1.0",
@@ -59,6 +61,7 @@
    "style-loader": "^3.3.1",
    "ts-loader": "^9.2.6",
    "typescript": "^4.5.2",
    "typescript-plugin-css-modules": "^5.0.1",
    "webpack": "5.64.3",
    "webpack-cli": "^4.9.2",
    "webpack-dev-server": "4.7.4"
--- a/web/src/App.tsx
+++ b/web/src/App.tsx
@@ -8,6 +8,7 @@ import Header from './components/header'
 import Home from './components/home'
 import Studio from './containers/Studio'
 import Settings from './containers/Settings'
 import UpdatePassword from './components/updatePassword'
 import { AppContext } from './context/appContext'
 import AuthCode from './containers/AuthCode'
@@ -29,6 +30,20 @@ function App() {
    )
  }
  if (appContext.needsToUpdatePassword) {
    return (
      <ThemeProvider theme={theme}>
        <HashRouter>
          <Header />
          <Routes>
            <Route path="*" element={<UpdatePassword />} />
          </Routes>
          <ToastContainer />
        </HashRouter>
      </ThemeProvider>
    )
  }
  return (
    <ThemeProvider theme={theme}>
      <HashRouter>
--- a/web/src/components/deleteConfirmationModal.tsx
+++ b/web/src/components/deleteConfirmationModal.tsx
@@ -31,14 +31,24 @@ const DeleteConfirmationModal = ({
  message,
  _delete
 }: DeleteConfirmationModalProps) => {
  const handleDeleteClick = (event: React.MouseEvent) => {
    event.stopPropagation()
    _delete()
  }
  const handleClose = (event: any) => {
    event.stopPropagation()
    setOpen(false)
  }
  return (
-    <BootstrapDialog onClose={() => setOpen(false)} open={open}>
+    <BootstrapDialog onClose={handleClose} open={open}>
      <DialogContent dividers>
        <Typography gutterBottom>{message}</Typography>
      </DialogContent>
      <DialogActions>
-        <Button onClick={() => setOpen(false)}>Cancel</Button>
+        <Button onClick={handleClose}>Cancel</Button>
-        <Button color="error" onClick={() => _delete()}>
+        <Button color="error" onClick={handleDeleteClick}>
          Delete
        </Button>
      </DialogActions>
--- a/web/src/components/home.tsx
+++ b/web/src/components/home.tsx
@@ -5,7 +5,7 @@ import Box from '@mui/material/Box'
 const Home = () => {
  return (
-    <Box className="main">
+    <Box className="container">
      <CssBaseline />
      <h2>Welcome to SASjs Server!</h2>
      <p>
--- a/Show More
+++ b/Show More