chore: debugging certs

2025-12-10 19:34:34 +00:00 · 2022-06-21 02:08:43 +05:00
32 changed files with 324 additions and 476 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,39 +1,3 @@
-# [0.9.0](https://github.com/sasjs/server/compare/v0.8.3...v0.9.0) (2022-07-03)
-
-
-### Features
-
-* removed secrets from env variables ([9c3da56](https://github.com/sasjs/server/commit/9c3da56901672a818f54267f9defc9f4701ab7fb))
-
-## [0.8.3](https://github.com/sasjs/server/compare/v0.8.2...v0.8.3) (2022-07-02)
-
-
-### Bug Fixes
-
-* **deploy:** extract first json from zip file ([e290751](https://github.com/sasjs/server/commit/e290751c872d24009482871a8c398e834357dcde))
-
-## [0.8.2](https://github.com/sasjs/server/compare/v0.8.1...v0.8.2) (2022-06-22)
-
-
-### Bug Fixes
-
-* getRuntimeAndFilePath function to handle the scenarion when path is provided with an extension other than runtimes ([5cc85b5](https://github.com/sasjs/server/commit/5cc85b57f80b13296156811fe966d7b37d45f213))
-
-## [0.8.1](https://github.com/sasjs/server/compare/v0.8.0...v0.8.1) (2022-06-21)
-
-
-### Bug Fixes
-
-* make CA_ROOT optional in getCertificates method ([1b5859e](https://github.com/sasjs/server/commit/1b5859ee37ae73c419115b9debfd5141a79733de))
-* update /logout route to /SASLogon/logout ([65380be](https://github.com/sasjs/server/commit/65380be2f3945bae559f1749064845b514447a53))
-
-# [0.8.0](https://github.com/sasjs/server/compare/v0.7.3...v0.8.0) (2022-06-21)
-
-
-### Features
-
-* **certs:** ENV variables updated and set CA Root for HTTPS server ([2119e9d](https://github.com/sasjs/server/commit/2119e9de9ab1e5ce1222658f554ac74f4f35cf4d))
-
 ## [0.7.3](https://github.com/sasjs/server/compare/v0.7.2...v0.7.3) (2022-06-20)


--- a/PULL_REQUEST_TEMPLATE.md
+++ b/PULL_REQUEST_TEMPLATE.md
@@ -1,19 +0,0 @@
-## Issue
-
-Link any related issue(s) in this section.
-
-## Intent
-
-What this PR intends to achieve.
-
-## Implementation
-
-What code changes have been made to achieve the intent.
-
-## Checks
-
- [ ] Code is formatted correctly (`npm run lint:fix`).
- [ ] Any new functionality has been unit tested.
- [ ] All unit tests are passing (`npm test`).
- [ ] All CI checks are green.
- [ ] Reviewer is assigned.
--- a/README.md
+++ b/README.md
@@ -99,12 +99,15 @@ SASV9_OPTIONS= -NOXCMD
 ## Additional Web Server Options
 #

-# ENV variables for PROTOCOL: `https`
-PRIVATE_KEY=privkey.pem (required)
-CERT_CHAIN=certificate.pem (required)
-CA_ROOT=fullchain.pem (optional)
+# ENV variables required for PROTOCOL: `https`
+PRIVATE_KEY=privkey.pem
+FULL_CHAIN=fullchain.pem

 # ENV variables required for MODE: `server`
+ACCESS_TOKEN_SECRET=<secret>
+REFRESH_TOKEN_SECRET=<secret>
+AUTH_CODE_SECRET=<secret>
+SESSION_SECRET=<secret>
 DB_CONNECT=mongodb+srv://<DB_USERNAME>:<DB_PASSWORD>@<CLUSTER>/<DB_NAME>?retryWrites=true&w=majority

 # options: [disable|enable] default: `disable` for `server` & `enable` for `desktop`
--- a/api/.env.example
+++ b/api/.env.example
@@ -4,14 +4,17 @@ WHITELIST=<space separated urls, each starting with protocol `http` or `https`>

 PROTOCOL=[http|https] default considered as http
 PRIVATE_KEY=privkey.pem
-CERT_CHAIN=certificate.pem
-CA_ROOT=fullchain.pem
+FULL_CHAIN=fullchain.pem

 PORT=[5000] default value is 5000

 HELMET_CSP_CONFIG_PATH=./csp.config.json if omitted HELMET default will be used
 HELMET_COEP=[true|false] if omitted HELMET default will be used

+ACCESS_TOKEN_SECRET=<secret>
+REFRESH_TOKEN_SECRET=<secret>
+AUTH_CODE_SECRET=<secret>
+SESSION_SECRET=<secret>
 DB_CONNECT=mongodb+srv://<DB_USERNAME>:<DB_PASSWORD>@<CLUSTER>/<DB_NAME>?retryWrites=true&w=majority

 RUN_TIMES=[sas|js|sas,js|js,sas] default considered as sas
--- a/api/public/swagger.yaml
+++ b/api/public/swagger.yaml
@@ -47,6 +47,41 @@ components:
                - userId
            type: object
            additionalProperties: false
+        LoginPayload:
+            properties:
+                username:
+                    type: string
+                    description: 'Username for user'
+                    example: secretuser
+                password:
+                    type: string
+                    description: 'Password for user'
+                    example: secretpassword
+            required:
+                - username
+                - password
+            type: object
+            additionalProperties: false
+        AuthorizeResponse:
+            properties:
+                code:
+                    type: string
+                    description: 'Authorization code'
+                    example: someRandomCryptoString
+            required:
+                - code
+            type: object
+            additionalProperties: false
+        AuthorizePayload:
+            properties:
+                clientId:
+                    type: string
+                    description: 'Client ID'
+                    example: clientID1
+            required:
+                - clientId
+            type: object
+            additionalProperties: false
        ClientPayload:
            properties:
                clientId:
@@ -405,13 +440,13 @@ components:
            type: object
        Pick__LeanDocument_T_.Exclude_keyof_LeanDocument_T_.Exclude_keyofDocument._id-or-id-or-__v_-or-%24isSingleNested__:
            properties:
+                id:
+                    description: 'The string version of this documents _id.'
                _id:
                    $ref: '#/components/schemas/_LeanDocument__LeanDocument_T__'
                    description: 'This documents _id.'
                __v:
                    description: 'This documents __v.'
-                id:
-                    description: 'The string version of this documents _id.'
            type: object
            description: 'From T, pick a set of properties whose keys are in the union K'
        Omit__LeanDocument_this_.Exclude_keyofDocument._id-or-id-or-__v_-or-%24isSingleNested_:
@@ -453,41 +488,6 @@ components:
                    example: /Public/somefolder/some.file
            type: object
            additionalProperties: false
-        LoginPayload:
-            properties:
-                username:
-                    type: string
-                    description: 'Username for user'
-                    example: secretuser
-                password:
-                    type: string
-                    description: 'Password for user'
-                    example: secretpassword
-            required:
-                - username
-                - password
-            type: object
-            additionalProperties: false
-        AuthorizeResponse:
-            properties:
-                code:
-                    type: string
-                    description: 'Authorization code'
-                    example: someRandomCryptoString
-            required:
-                - code
-            type: object
-            additionalProperties: false
-        AuthorizePayload:
-            properties:
-                clientId:
-                    type: string
-                    description: 'Client ID'
-                    example: clientID1
-            required:
-                - clientId
-            type: object
-            additionalProperties: false
    securitySchemes:
        bearerAuth:
            type: http
@@ -558,6 +558,86 @@ paths:
                -
                    bearerAuth: []
            parameters: []
+    /:
+        get:
+            operationId: Home
+            responses:
+                '200':
+                    description: Ok
+                    content:
+                        application/json:
+                            schema:
+                                type: string
+            summary: 'Render index.html'
+            tags:
+                - Web
+            security: []
+            parameters: []
+    /SASLogon/login:
+        post:
+            operationId: Login
+            responses:
+                '200':
+                    description: Ok
+                    content:
+                        application/json:
+                            schema:
+                                properties:
+                                    user: {properties: {displayName: {type: string}, username: {type: string}, id: {type: number, format: double}}, required: [displayName, username, id], type: object}
+                                    loggedIn: {type: boolean}
+                                required:
+                                    - user
+                                    - loggedIn
+                                type: object
+            summary: 'Accept a valid username/password'
+            tags:
+                - Web
+            security: []
+            parameters: []
+            requestBody:
+                required: true
+                content:
+                    application/json:
+                        schema:
+                            $ref: '#/components/schemas/LoginPayload'
+    /SASLogon/authorize:
+        post:
+            operationId: Authorize
+            responses:
+                '200':
+                    description: Ok
+                    content:
+                        application/json:
+                            schema:
+                                $ref: '#/components/schemas/AuthorizeResponse'
+                            examples:
+                                'Example 1':
+                                    value: {code: someRandomCryptoString}
+            summary: 'Accept a valid username/password, plus a CLIENT_ID, and return an AUTH_CODE'
+            tags:
+                - Web
+            security: []
+            parameters: []
+            requestBody:
+                required: true
+                content:
+                    application/json:
+                        schema:
+                            $ref: '#/components/schemas/AuthorizePayload'
+    /logout:
+        get:
+            operationId: Logout
+            responses:
+                '200':
+                    description: Ok
+                    content:
+                        application/json:
+                            schema: {}
+            summary: 'Accept a valid username/password'
+            tags:
+                - Web
+            security: []
+            parameters: []
    /SASjsApi/client:
        post:
            operationId: CreateClient
@@ -683,7 +763,7 @@ paths:
                            examples:
                                'Example 1':
                                    value: {status: failure, message: 'Deployment failed!'}
-            description: "Accepts JSON file and zipped compressed JSON file as well.\nCompressed file should only contain one JSON file and should have same name\nas of compressed file e.g. deploy.JSON should be compressed to deploy.JSON.zip\nAny other file or JSON file in zipped will be ignored!"
+            description: "Accepts JSON file and zipped compressed JSON file as well.\r\nCompressed file should only contain one JSON file and should have same name\r\nas of compressed file e.g. deploy.JSON should be compressed to deploy.JSON.zip\r\nAny other file or JSON file in zipped will be ignored!"
            summary: 'Creates/updates files within SASjs Drive using uploaded JSON/compressed JSON file.'
            tags:
                - Drive
@@ -771,7 +851,7 @@ paths:
                            examples:
                                'Example 1':
                                    value: {status: failure, message: 'File request failed.'}
-            description: "It's optional to either provide `_filePath` in url as query parameter\nOr provide `filePath` in body as form field.\nBut it's required to provide else API will respond with Bad Request."
+            description: "It's optional to either provide `_filePath` in url as query parameter\r\nOr provide `filePath` in body as form field.\r\nBut it's required to provide else API will respond with Bad Request."
            summary: 'Create a file in SASjs Drive'
            tags:
                - Drive
@@ -822,7 +902,7 @@ paths:
                            examples:
                                'Example 1':
                                    value: {status: failure, message: 'File request failed.'}
-            description: "It's optional to either provide `_filePath` in url as query parameter\nOr provide `filePath` in body as form field.\nBut it's required to provide else API will respond with Bad Request."
+            description: "It's optional to either provide `_filePath` in url as query parameter\r\nOr provide `filePath` in body as form field.\r\nBut it's required to provide else API will respond with Bad Request."
            summary: 'Modify a file in SASjs Drive'
            tags:
                - Drive
@@ -1374,7 +1454,7 @@ paths:
                                anyOf:
                                    - {type: string}
                                    - {type: string, format: byte}
-            description: "Trigger a SAS or JS program using the _program URL parameter.\n\nAccepts URL parameters and file uploads.  For more details, see docs:\n\nhttps://server.sasjs.io/storedprograms"
+            description: "Trigger a SAS or JS program using the _program URL parameter.\r\n\r\nAccepts URL parameters and file uploads.  For more details, see docs:\r\n\r\nhttps://server.sasjs.io/storedprograms"
            summary: 'Execute a Stored Program, returns raw _webout content.'
            tags:
                - STP
@@ -1402,7 +1482,7 @@ paths:
                            examples:
                                'Example 1':
                                    value: {status: success, _webout: 'webout content', log: [], httpHeaders: {Content-type: application/zip, Cache-Control: 'public, max-age=1000'}}
-            description: "Trigger a SAS or JS program using the _program URL parameter.\n\nAccepts URL parameters and file uploads.  For more details, see docs:\n\nhttps://server.sasjs.io/storedprograms\n\nThe response will be a JSON object with the following root attributes:\nlog, webout, headers.\n\nThe webout attribute will be nested JSON ONLY if the response-header\ncontains a content-type of application/json AND it is valid JSON.\nOtherwise it will be a stringified version of the webout content."
+            description: "Trigger a SAS or JS program using the _program URL parameter.\r\n\r\nAccepts URL parameters and file uploads.  For more details, see docs:\r\n\r\nhttps://server.sasjs.io/storedprograms\r\n\r\nThe response will be a JSON object with the following root attributes:\r\nlog, webout, headers.\r\n\r\nThe webout attribute will be nested JSON ONLY if the response-header\r\ncontains a content-type of application/json AND it is valid JSON.\r\nOtherwise it will be a stringified version of the webout content."
            summary: 'Execute a Stored Program, return a JSON object'
            tags:
                - STP
@@ -1424,86 +1504,6 @@ paths:
                    application/json:
                        schema:
                            $ref: '#/components/schemas/ExecuteReturnJsonPayload'
-    /:
-        get:
-            operationId: Home
-            responses:
-                '200':
-                    description: Ok
-                    content:
-                        application/json:
-                            schema:
-                                type: string
-            summary: 'Render index.html'
-            tags:
-                - Web
-            security: []
-            parameters: []
-    /SASLogon/login:
-        post:
-            operationId: Login
-            responses:
-                '200':
-                    description: Ok
-                    content:
-                        application/json:
-                            schema:
-                                properties:
-                                    user: {properties: {displayName: {type: string}, username: {type: string}, id: {type: number, format: double}}, required: [displayName, username, id], type: object}
-                                    loggedIn: {type: boolean}
-                                required:
-                                    - user
-                                    - loggedIn
-                                type: object
-            summary: 'Accept a valid username/password'
-            tags:
-                - Web
-            security: []
-            parameters: []
-            requestBody:
-                required: true
-                content:
-                    application/json:
-                        schema:
-                            $ref: '#/components/schemas/LoginPayload'
-    /SASLogon/authorize:
-        post:
-            operationId: Authorize
-            responses:
-                '200':
-                    description: Ok
-                    content:
-                        application/json:
-                            schema:
-                                $ref: '#/components/schemas/AuthorizeResponse'
-                            examples:
-                                'Example 1':
-                                    value: {code: someRandomCryptoString}
-            summary: 'Accept a valid username/password, plus a CLIENT_ID, and return an AUTH_CODE'
-            tags:
-                - Web
-            security: []
-            parameters: []
-            requestBody:
-                required: true
-                content:
-                    application/json:
-                        schema:
-                            $ref: '#/components/schemas/AuthorizePayload'
-    /SASLogon/logout:
-        get:
-            operationId: Logout
-            responses:
-                '200':
-                    description: Ok
-                    content:
-                        application/json:
-                            schema: {}
-            summary: 'Destroy the session stored in cookies'
-            tags:
-                - Web
-            security: []
-            parameters: []
 servers:
    -
        url: /
--- a/api/src/app.ts
+++ b/api/src/app.ts
@@ -1,6 +1,5 @@
 import path from 'path'
 import express, { ErrorRequestHandler } from 'express'
-import mongoose from 'mongoose'
 import csrf from 'csurf'
 import session from 'express-session'
 import MongoStore from 'connect-mongo'
@@ -98,44 +97,45 @@ if (CORS === CorsType.ENABLED) {
  app.use(cors({ credentials: true, origin: whiteList }))
 }

+/***********************************
+ *         DB Connection &          *
+ *        Express Sessions          *
+ *        With Mongo Store          *
+ ***********************************/
+if (MODE === ModeType.Server) {
+  let store: MongoStore | undefined
+
+  // NOTE: when exporting app.js as agent for supertest
+  // we should exclude connecting to the real database
+  if (process.env.NODE_ENV !== 'test') {
+    const clientPromise = connectDB().then((conn) => conn!.getClient() as any)
+
+    store = MongoStore.create({ clientPromise, collectionName: 'sessions' })
+  }
+
+  app.use(
+    session({
+      secret: process.env.SESSION_SECRET as string,
+      saveUninitialized: false, // don't create session until something stored
+      resave: false, //don't save session if unmodified
+      store,
+      cookie: cookieOptions
+    })
+  )
+}
+
+app.use(express.json({ limit: '100mb' }))
+app.use(express.static(path.join(__dirname, '../public')))
+
+const onError: ErrorRequestHandler = (err, req, res, next) => {
+  if (err.code === 'EBADCSRFTOKEN')
+    return res.status(400).send('Invalid CSRF token!')
+
+  console.error(err.stack)
+  res.status(500).send('Something broke!')
+}
+
 export default setProcessVariables().then(async () => {
-  /***********************************
-   *         DB Connection &          *
-   *        Express Sessions          *
-   *        With Mongo Store          *
-   ***********************************/
-  if (MODE === ModeType.Server) {
-    let store: MongoStore | undefined
-
-    if (process.env.NODE_ENV !== 'test') {
-      store = MongoStore.create({
-        client: mongoose.connection!.getClient() as any,
-        collectionName: 'sessions'
-      })
-    }
-
-    app.use(
-      session({
-        secret: process.secrets.SESSION_SECRET,
-        saveUninitialized: false, // don't create session until something stored
-        resave: false, //don't save session if unmodified
-        store,
-        cookie: cookieOptions
-      })
-    )
-  }
-
-  app.use(express.json({ limit: '100mb' }))
-  app.use(express.static(path.join(__dirname, '../public')))
-
-  const onError: ErrorRequestHandler = (err, req, res, next) => {
-    if (err.code === 'EBADCSRFTOKEN')
-      return res.status(400).send('Invalid CSRF token!')
-
-    console.error(err.stack)
-    res.status(500).send('Something broke!')
-  }
-
  await setupFolders()
  await copySASjsCore()

--- a/api/src/controllers/auth.ts
+++ b/api/src/controllers/auth.ts
@@ -129,8 +129,8 @@ const verifyAuthCode = async (
  clientId: string,
  code: string
 ): Promise<InfoJWT | undefined> => {
-  return new Promise((resolve) => {
-    jwt.verify(code, process.secrets.AUTH_CODE_SECRET, (err, data) => {
+  return new Promise((resolve, reject) => {
+    jwt.verify(code, process.env.AUTH_CODE_SECRET as string, (err, data) => {
      if (err) return resolve(undefined)

      const clientInfo: InfoJWT = {
--- a/api/src/controllers/group.ts
+++ b/api/src/controllers/group.ts
@@ -20,7 +20,7 @@ export interface GroupResponse {
  description: string
 }

-export interface GroupDetailsResponse {
+interface GroupDetailsResponse {
  groupId: number
  name: string
  description: string
@@ -249,10 +249,9 @@ const updateUsersListInGroup = async (
      message: 'User not found.'
    }

-  const updatedGroup =
-    action === 'addUser'
-      ? await group.addUser(user)
-      : await group.removeUser(user)
+  const updatedGroup = (action === 'addUser'
+    ? await group.addUser(user._id)
+    : await group.removeUser(user._id)) as unknown as GroupDetailsResponse

  if (!updatedGroup)
    throw {
@@ -261,6 +260,9 @@ const updateUsersListInGroup = async (
      message: 'Unable to update group.'
    }

+  if (action === 'addUser') user.addGroup(group._id)
+  else user.removeGroup(group._id)
+
  return {
    groupId: updatedGroup.groupId,
    name: updatedGroup.name,
--- a/api/src/controllers/internal/Execution.ts
+++ b/api/src/controllers/internal/Execution.ts
@@ -1,6 +1,10 @@
 import path from 'path'
 import fs from 'fs'
-import { getSessionController, processProgram } from './'
+import {
+  getSASSessionController,
+  getJSSessionController,
+  processProgram
+} from './'
 import { readFile, fileExists, createFile, readFileBinary } from '@sasjs/utils'
 import { PreProgramVars, Session, TreeNode } from '../../types'
 import {
@@ -72,7 +76,10 @@ export class ExecutionController {
    session: sessionByFileUpload,
    runTime
  }: ExecuteProgramParams): Promise<ExecuteReturnRaw | ExecuteReturnJson> {
-    const sessionController = getSessionController(runTime)
+    const sessionController =
+      runTime === RunTimeType.SAS
+        ? getSASSessionController()
+        : getJSSessionController()

    const session =
      sessionByFileUpload ?? (await sessionController.getSession())
--- a/api/src/controllers/internal/FileUploadController.ts
+++ b/api/src/controllers/internal/FileUploadController.ts
@@ -1,7 +1,7 @@
 import { Request, RequestHandler } from 'express'
 import multer from 'multer'
 import { uuidv4 } from '@sasjs/utils'
-import { getSessionController } from '.'
+import { getSASSessionController, getJSSessionController } from '.'
 import {
  executeProgramRawValidation,
  getRunTimeAndFilePath,
@@ -37,23 +37,17 @@ export class FileUploadController {
    try {
      ;({ runTime } = await getRunTimeAndFilePath(programPath))
    } catch (err: any) {
-      return res.status(400).send({
+      res.status(400).send({
        status: 'failure',
        message: 'Job execution failed',
        error: typeof err === 'object' ? err.toString() : err
      })
    }

-    let sessionController
-    try {
-      sessionController = getSessionController(runTime)
-    } catch (err: any) {
-      return res.status(400).send({
-        status: 'failure',
-        message: err.message,
-        error: typeof err === 'object' ? err.toString() : err
-      })
-    }
+    const sessionController =
+      runTime === RunTimeType.SAS
+        ? getSASSessionController()
+        : getJSSessionController()

    const session = await sessionController.getSession()
    // marking consumed true, so that it's not available
--- a/api/src/controllers/internal/Session.ts
+++ b/api/src/controllers/internal/Session.ts
@@ -5,16 +5,14 @@ import { execFile } from 'child_process'
 import {
  getSessionsFolder,
  generateUniqueFileName,
-  sysInitCompiledPath,
-  RunTimeType
+  sysInitCompiledPath
 } from '../../utils'
 import {
  deleteFolder,
  createFile,
  fileExists,
  generateTimestamp,
-  readFile,
-  isWindows
+  readFile
 } from '@sasjs/utils'

 const execFilePromise = promisify(execFile)
@@ -90,7 +88,7 @@ ${autoExecContent}`

    // Additional windows specific options to avoid the desktop popups.

-    execFilePromise(process.sasLoc!, [
+    execFilePromise(process.sasLoc, [
      '-SYSIN',
      codePath,
      '-LOG',
@@ -101,9 +99,9 @@ ${autoExecContent}`
      session.path,
      '-AUTOEXEC',
      autoExecPath,
-      isWindows() ? '-nosplash' : '',
-      isWindows() ? '-icon' : '',
-      isWindows() ? '-nologo' : ''
+      process.platform === 'win32' ? '-nosplash' : '',
+      process.platform === 'win32' ? '-icon' : '',
+      process.platform === 'win32' ? '-nologo' : ''
    ])
      .then(() => {
        session.completed = true
@@ -194,21 +192,7 @@ export class JSSessionController extends SessionController {
  }
 }

-export const getSessionController = (
-  runTime: RunTimeType
-): SASSessionController | JSSessionController => {
-  if (runTime === RunTimeType.SAS) {
-    return getSASSessionController()
-  }
-
-  if (runTime === RunTimeType.JS) {
-    return getJSSessionController()
-  }
-
-  throw new Error('No Runtime is configured')
-}
-
-const getSASSessionController = (): SASSessionController => {
+export const getSASSessionController = (): SASSessionController => {
  if (process.sasSessionController) return process.sasSessionController

  process.sasSessionController = new SASSessionController()
@@ -216,7 +200,7 @@ const getSASSessionController = (): SASSessionController => {
  return process.sasSessionController
 }

-const getJSSessionController = (): JSSessionController => {
+export const getJSSessionController = (): JSSessionController => {
  if (process.jsSessionController) return process.jsSessionController

  process.jsSessionController = new JSSessionController()
--- a/api/src/controllers/internal/createJSProgram.ts
+++ b/api/src/controllers/internal/createJSProgram.ts
@@ -1,4 +1,3 @@
-import { isWindows } from '@sasjs/utils'
 import { PreProgramVars, Session } from '../../types'
 import { generateFileUploadJSCode } from '../../utils'
 import { ExecutionVars } from './'
@@ -21,7 +20,9 @@ export const createJSProgram = async (
  const preProgramVarStatments = `
 let _webout = '';
 const weboutPath = '${
-    isWindows() ? weboutPath.replace(/\\/g, '\\\\') : weboutPath
+    process.platform === 'win32'
+      ? weboutPath.replace(/\\/g, '\\\\')
+      : weboutPath
  }'; 
 const _sasjs_tokenfile = '${tokenFile}';
 const _sasjs_username = '${preProgramVariables?.username}';
--- a/api/src/controllers/internal/processProgram.ts
+++ b/api/src/controllers/internal/processProgram.ts
@@ -40,7 +40,7 @@ export const processProgram = async (
      // waiting for the open event so that we can have underlying file descriptor
      await once(writeStream, 'open')

-      execFileSync(process.nodeLoc!, [codePath], {
+      execFileSync(process.nodeLoc, [codePath], {
        stdio: ['ignore', writeStream, writeStream]
      })

--- a/api/src/controllers/web.ts
+++ b/api/src/controllers/web.ts
@@ -49,10 +49,10 @@ export class WebController {
  }

  /**
-   * @summary Destroy the session stored in cookies
+   * @summary Accept a valid username/password
   *
   */
-  @Get('/SASLogon/logout')
+  @Get('/logout')
  public async logout(@Request() req: express.Request) {
    return new Promise((resolve) => {
      req.session.destroy(() => {
--- a/api/src/middlewares/authenticateToken.ts
+++ b/api/src/middlewares/authenticateToken.ts
@@ -35,7 +35,7 @@ export const authenticateAccessToken: RequestHandler = async (
    req,
    res,
    next,
-    process.secrets.ACCESS_TOKEN_SECRET,
+    process.env.ACCESS_TOKEN_SECRET as string,
    'accessToken'
  )
 }
@@ -45,7 +45,7 @@ export const authenticateRefreshToken: RequestHandler = (req, res, next) => {
    req,
    res,
    next,
-    process.secrets.REFRESH_TOKEN_SECRET,
+    process.env.REFRESH_TOKEN_SECRET as string,
    'refreshToken'
  )
 }
--- a/api/src/model/Configuration.ts
+++ b/api/src/model/Configuration.ts
@@ -1,45 +0,0 @@
-import mongoose, { Schema } from 'mongoose'
-
-export interface ConfigurationType {
-  /**
-   * SecretOrPrivateKey to sign Access Token
-   * @example "someRandomCryptoString"
-   */
-  ACCESS_TOKEN_SECRET: string
-  /**
-   * SecretOrPrivateKey to sign Refresh Token
-   * @example "someRandomCryptoString"
-   */
-  REFRESH_TOKEN_SECRET: string
-  /**
-   * SecretOrPrivateKey to sign Auth Code
-   * @example "someRandomCryptoString"
-   */
-  AUTH_CODE_SECRET: string
-  /**
-   * Secret used to sign the session cookie
-   * @example "someRandomCryptoString"
-   */
-  SESSION_SECRET: string
-}
-
-const ConfigurationSchema = new Schema<ConfigurationType>({
-  ACCESS_TOKEN_SECRET: {
-    type: String,
-    required: true
-  },
-  REFRESH_TOKEN_SECRET: {
-    type: String,
-    required: true
-  },
-  AUTH_CODE_SECRET: {
-    type: String,
-    required: true
-  },
-  SESSION_SECRET: {
-    type: String,
-    required: true
-  }
-})
-
-export default mongoose.model('Configuration', ConfigurationSchema)
--- a/api/src/model/Group.ts
+++ b/api/src/model/Group.ts
@@ -1,6 +1,5 @@
 import mongoose, { Schema, model, Document, Model } from 'mongoose'
-import { GroupDetailsResponse } from '../controllers'
-import User, { IUser } from './User'
+import User from './User'
 const AutoIncrement = require('mongoose-sequence')(mongoose)

 export interface GroupPayload {
@@ -28,9 +27,8 @@ interface IGroupDocument extends GroupPayload, Document {
 }

 interface IGroup extends IGroupDocument {
-  addUser(user: IUser): Promise<GroupDetailsResponse>
-  removeUser(user: IUser): Promise<GroupDetailsResponse>
-  hasUser(user: IUser): boolean
+  addUser(userObjectId: Schema.Types.ObjectId): Promise<IGroup>
+  removeUser(userObjectId: Schema.Types.ObjectId): Promise<IGroup>
 }
 interface IGroupModel extends Model<IGroup> {}

@@ -72,31 +70,28 @@ groupSchema.pre('remove', async function () {
 })

 // Instance Methods
-groupSchema.method('addUser', async function (user: IUser) {
-  const userObjectId = user._id
-  const userIdIndex = this.users.indexOf(userObjectId)
-  if (userIdIndex === -1) {
-    this.users.push(userObjectId)
-    user.addGroup(this._id)
+groupSchema.method(
+  'addUser',
+  async function (userObjectId: Schema.Types.ObjectId) {
+    const userIdIndex = this.users.indexOf(userObjectId)
+    if (userIdIndex === -1) {
+      this.users.push(userObjectId)
+    }
+    this.markModified('users')
+    return this.save()
  }
-  this.markModified('users')
-  return this.save()
-})
-groupSchema.method('removeUser', async function (user: IUser) {
-  const userObjectId = user._id
-  const userIdIndex = this.users.indexOf(userObjectId)
-  if (userIdIndex > -1) {
-    this.users.splice(userIdIndex, 1)
-    user.removeGroup(this._id)
+)
+groupSchema.method(
+  'removeUser',
+  async function (userObjectId: Schema.Types.ObjectId) {
+    const userIdIndex = this.users.indexOf(userObjectId)
+    if (userIdIndex > -1) {
+      this.users.splice(userIdIndex, 1)
+    }
+    this.markModified('users')
+    return this.save()
  }
-  this.markModified('users')
-  return this.save()
-})
-groupSchema.method('hasUser', function (user: IUser) {
-  const userObjectId = user._id
-  const userIdIndex = this.users.indexOf(userObjectId)
-  return userIdIndex > -1
-})
+)

 export const Group: IGroupModel = model<IGroup, IGroupModel>(
  'Group',
--- a/api/src/model/User.ts
+++ b/api/src/model/User.ts
@@ -35,7 +35,6 @@ export interface UserPayload {
 }

 interface IUserDocument extends UserPayload, Document {
-  _id: Schema.Types.ObjectId
  id: number
  isAdmin: boolean
  isActive: boolean
@@ -44,7 +43,7 @@ interface IUserDocument extends UserPayload, Document {
  tokens: [{ [key: string]: string }]
 }

-export interface IUser extends IUserDocument {
+interface IUser extends IUserDocument {
  comparePassword(password: string): boolean
  addGroup(groupObjectId: Schema.Types.ObjectId): Promise<IUser>
  removeGroup(groupObjectId: Schema.Types.ObjectId): Promise<IUser>
--- a/api/src/routes/web/web.ts
+++ b/api/src/routes/web/web.ts
@@ -48,7 +48,7 @@ webRouter.post(
  }
 )

-webRouter.get('/SASLogon/logout', desktopRestrict, async (req, res) => {
+webRouter.get('/logout', desktopRestrict, async (req, res) => {
  try {
    await controller.logout(req)
    res.status(200).send('OK!')
--- a/api/src/types/system/process.d.ts
+++ b/api/src/types/system/process.d.ts
@@ -1,13 +1,12 @@
 declare namespace NodeJS {
  export interface Process {
-    sasLoc?: string
-    nodeLoc?: string
+    sasLoc: string
+    nodeLoc: string
    driveLoc: string
    sasSessionController?: import('../../controllers/internal').SASSessionController
    jsSessionController?: import('../../controllers/internal').JSSessionController
    appStreamConfig: import('../').AppStreamConfig
    logger: import('@sasjs/utils/logger').Logger
    runTimes: import('../../utils').RunTimeType[]
-    secrets: import('../../model/Configuration').ConfigurationType
  }
 }
--- a/api/src/utils/connectDB.ts
+++ b/api/src/utils/connectDB.ts
@@ -9,5 +9,7 @@ export const connectDB = async () => {
  }

  console.log('Connected to DB!')
-  return seedDB()
+  await seedDB()
+
+  return mongoose.connection
 }
--- a/api/src/utils/generateAccessToken.ts
+++ b/api/src/utils/generateAccessToken.ts
@@ -2,6 +2,6 @@ import jwt from 'jsonwebtoken'
 import { InfoJWT } from '../types'

 export const generateAccessToken = (data: InfoJWT) =>
-  jwt.sign(data, process.secrets.ACCESS_TOKEN_SECRET, {
+  jwt.sign(data, process.env.ACCESS_TOKEN_SECRET as string, {
    expiresIn: '1day'
  })
--- a/api/src/utils/generateAuthCode.ts
+++ b/api/src/utils/generateAuthCode.ts
@@ -2,6 +2,6 @@ import jwt from 'jsonwebtoken'
 import { InfoJWT } from '../types'

 export const generateAuthCode = (data: InfoJWT) =>
-  jwt.sign(data, process.secrets.AUTH_CODE_SECRET, {
+  jwt.sign(data, process.env.AUTH_CODE_SECRET as string, {
    expiresIn: '30s'
  })
--- a/api/src/utils/generateRefreshToken.ts
+++ b/api/src/utils/generateRefreshToken.ts
@@ -2,6 +2,6 @@ import jwt from 'jsonwebtoken'
 import { InfoJWT } from '../types'

 export const generateRefreshToken = (data: InfoJWT) =>
-  jwt.sign(data, process.secrets.REFRESH_TOKEN_SECRET, {
+  jwt.sign(data, process.env.REFRESH_TOKEN_SECRET as string, {
    expiresIn: '30 days'
  })
--- a/api/src/utils/getCertificates.ts
+++ b/api/src/utils/getCertificates.ts
@@ -2,32 +2,25 @@ import path from 'path'
 import { fileExists, getString, readFile } from '@sasjs/utils'

 export const getCertificates = async () => {
-  const { PRIVATE_KEY, CERT_CHAIN, CA_ROOT } = process.env
-
-  let ca
+  const { PRIVATE_KEY, FULL_CHAIN, CA } = process.env

  const keyPath = PRIVATE_KEY ?? (await getFileInput('Private Key (PEM)'))
-  const certPath = CERT_CHAIN ?? (await getFileInput('Certificate Chain (PEM)'))
-  const caPath = CA_ROOT
+  const certPath = FULL_CHAIN ?? (await getFileInput('Full Chain (PEM)'))
+  const caPath = CA ?? (await getFileInput('Full Chain (PEM)'))

  console.log('keyPath: ', keyPath)
  console.log('certPath: ', certPath)
-  if (caPath) console.log('caPath: ', caPath)
+  console.log('caPath: ', caPath)

  const key = await readFile(keyPath)
  const cert = await readFile(certPath)
-  if (caPath) ca = await readFile(caPath)
+  const ca = await readFile(caPath)

  return { key, cert, ca }
 }

-const getFileInput = async (
-  filename: string,
-  required: boolean = true
-): Promise<string> => {
+const getFileInput = async (filename: string): Promise<string> => {
  const validator = async (filePath: string) => {
-    if (!required) return true
-
    if (!filePath) return `Path to ${filename} is required.`

    if (!(await fileExists(path.join(process.cwd(), filePath)))) {
--- a/api/src/utils/getDesktopFields.ts
+++ b/api/src/utils/getDesktopFields.ts
@@ -1,20 +1,15 @@
 import path from 'path'
 import { getString } from '@sasjs/utils/input'
-import { createFolder, fileExists, folderExists, isWindows } from '@sasjs/utils'
-import { RunTimeType } from './verifyEnvVariables'
+import { createFolder, fileExists, folderExists } from '@sasjs/utils'
+
+const isWindows = () => process.platform === 'win32'

 export const getDesktopFields = async () => {
  const { SAS_PATH, NODE_PATH } = process.env

-  let sasLoc, nodeLoc
-
-  if (process.runTimes.includes(RunTimeType.SAS)) {
-    sasLoc = SAS_PATH ?? (await getSASLocation())
-  }
-
-  if (process.runTimes.includes(RunTimeType.JS)) {
-    nodeLoc = NODE_PATH ?? (await getNodeLocation())
-  }
+  const sasLoc = SAS_PATH ?? (await getSASLocation())
+  const nodeLoc = NODE_PATH ?? (await getNodeLocation())
+  // const driveLoc = DRIVE_PATH ?? (await getDriveLocation())

  return { sasLoc, nodeLoc }
 }
--- a/api/src/utils/getRunTimeAndFilePath.ts
+++ b/api/src/utils/getRunTimeAndFilePath.ts
@@ -5,10 +5,14 @@ import { RunTimeType } from '.'

 export const getRunTimeAndFilePath = async (programPath: string) => {
  const ext = path.extname(programPath)
-  // If programPath (_program) is provided with a ".sas" or ".js" extension
-  // we should use that extension to determine the appropriate runTime
-  if (ext && Object.values(RunTimeType).includes(ext.slice(1) as RunTimeType)) {
+  // if program path is provided with extension we should split that into code path and ext as run time
+  if (ext) {
    const runTime = ext.slice(1)
+    const runTimeTypes = Object.values(RunTimeType)
+
+    if (!runTimeTypes.includes(runTime as RunTimeType)) {
+      throw `The '${runTime}' runtime is not supported.`
+    }

    const codePath = path
      .join(getFilesFolder(), programPath)
--- a/api/src/utils/seedDB.ts
+++ b/api/src/utils/seedDB.ts
@@ -1,73 +1,6 @@
 import Client from '../model/Client'
-import Group from '../model/Group'
 import User from '../model/User'
-import Configuration, { ConfigurationType } from '../model/Configuration'

-import { randomBytes } from 'crypto'
-
-export const SECRETS: ConfigurationType = {
-  ACCESS_TOKEN_SECRET: randomBytes(64).toString('hex'),
-  REFRESH_TOKEN_SECRET: randomBytes(64).toString('hex'),
-  AUTH_CODE_SECRET: randomBytes(64).toString('hex'),
-  SESSION_SECRET: randomBytes(64).toString('hex')
-}
-
-export const seedDB = async (): Promise<ConfigurationType> => {
-  // Checking if client is already in the database
-  const clientExist = await Client.findOne({ clientId: CLIENT.clientId })
-  if (!clientExist) {
-    const client = new Client(CLIENT)
-    await client.save()
-
-    console.log(`DB Seed - client created: ${CLIENT.clientId}`)
-  }
-
-  // Checking if 'AllUsers' Group is already in the database
-  let groupExist = await Group.findOne({ name: GROUP.name })
-  if (!groupExist) {
-    const group = new Group(GROUP)
-    groupExist = await group.save()
-
-    console.log(`DB Seed - Group created: ${GROUP.name}`)
-  }
-
-  // Checking if user is already in the database
-  let usernameExist = await User.findOne({ username: ADMIN_USER.username })
-  if (!usernameExist) {
-    const user = new User(ADMIN_USER)
-    usernameExist = await user.save()
-
-    console.log(`DB Seed - admin account created: ${ADMIN_USER.username}`)
-  }
-
-  if (!groupExist.hasUser(usernameExist)) {
-    groupExist.addUser(usernameExist)
-    console.log(
-      `DB Seed - admin account '${ADMIN_USER.username}' added to Group '${GROUP.name}'`
-    )
-  }
-
-  // checking if configuration is present in the database
-  let configExist = await Configuration.findOne()
-  if (!configExist) {
-    const configuration = new Configuration(SECRETS)
-    configExist = await configuration.save()
-
-    console.log('DB Seed - configuration added')
-  }
-
-  return {
-    ACCESS_TOKEN_SECRET: configExist.ACCESS_TOKEN_SECRET,
-    REFRESH_TOKEN_SECRET: configExist.REFRESH_TOKEN_SECRET,
-    AUTH_CODE_SECRET: configExist.AUTH_CODE_SECRET,
-    SESSION_SECRET: configExist.SESSION_SECRET
-  }
-}
-
-const GROUP = {
-  name: 'AllUsers',
-  description: 'Group contains all users'
-}
 const CLIENT = {
  clientId: 'clientID1',
  clientSecret: 'clientSecret'
@@ -80,3 +13,23 @@ const ADMIN_USER = {
  isAdmin: true,
  isActive: true
 }
+
+export const seedDB = async () => {
+  // Checking if client is already in the database
+  const clientExist = await Client.findOne({ clientId: CLIENT.clientId })
+  if (!clientExist) {
+    const client = new Client(CLIENT)
+    await client.save()
+
+    console.log(`DB Seed - client created: ${CLIENT.clientId}`)
+  }
+
+  // Checking if user is already in the database
+  const usernameExist = await User.findOne({ username: ADMIN_USER.username })
+  if (!usernameExist) {
+    const user = new User(ADMIN_USER)
+    await user.save()
+
+    console.log(`DB Seed - admin account created: ${ADMIN_USER.username}`)
+  }
+}
--- a/api/src/utils/setProcessVariables.ts
+++ b/api/src/utils/setProcessVariables.ts
@@ -1,33 +1,19 @@
 import path from 'path'
 import { createFolder, getAbsolutePath, getRealPath } from '@sasjs/utils'

-import { connectDB, getDesktopFields, ModeType, RunTimeType, SECRETS } from '.'
+import { getDesktopFields, ModeType, RunTimeType } from '.'

 export const setProcessVariables = async () => {
-  const { MODE, RUN_TIMES } = process.env
-
-  if (MODE === ModeType.Server) {
-    // NOTE: when exporting app.js as agent for supertest
-    // it should prevent connecting to the real database
-    if (process.env.NODE_ENV !== 'test') {
-      const secrets = await connectDB()
-
-      process.secrets = secrets
-    } else {
-      process.secrets = SECRETS
-    }
-  }
-
  if (process.env.NODE_ENV === 'test') {
    process.driveLoc = path.join(process.cwd(), 'sasjs_root')
    return
  }

-  process.runTimes = (RUN_TIMES?.split(',') as RunTimeType[]) ?? []
+  const { MODE } = process.env

  if (MODE === ModeType.Server) {
-    process.sasLoc = process.env.SAS_PATH
-    process.nodeLoc = process.env.NODE_PATH
+    process.sasLoc = process.env.SAS_PATH as string
+    process.nodeLoc = process.env.NODE_PATH as string
  } else {
    const { sasLoc, nodeLoc } = await getDesktopFields()

@@ -40,6 +26,9 @@ export const setProcessVariables = async () => {
  await createFolder(absPath)
  process.driveLoc = getRealPath(absPath)

+  const { RUN_TIMES } = process.env
+  process.runTimes = (RUN_TIMES as string).split(',') as RunTimeType[]
+
  console.log('sasLoc: ', process.sasLoc)
  console.log('sasDrive: ', process.driveLoc)
  console.log('runTimes: ', process.runTimes)
--- a/api/src/utils/verifyEnvVariables.ts
+++ b/api/src/utils/verifyEnvVariables.ts
@@ -78,7 +78,33 @@ const verifyMODE = (): string[] => {
  }

  if (process.env.MODE === ModeType.Server) {
-    const { DB_CONNECT } = process.env
+    const {
+      ACCESS_TOKEN_SECRET,
+      REFRESH_TOKEN_SECRET,
+      AUTH_CODE_SECRET,
+      SESSION_SECRET,
+      DB_CONNECT
+    } = process.env
+
+    if (!ACCESS_TOKEN_SECRET)
+      errors.push(
+        `- ACCESS_TOKEN_SECRET is required for PROTOCOL '${ModeType.Server}'`
+      )
+
+    if (!REFRESH_TOKEN_SECRET)
+      errors.push(
+        `- REFRESH_TOKEN_SECRET is required for PROTOCOL '${ModeType.Server}'`
+      )
+
+    if (!AUTH_CODE_SECRET)
+      errors.push(
+        `- AUTH_CODE_SECRET is required for PROTOCOL '${ModeType.Server}'`
+      )
+
+    if (!SESSION_SECRET)
+      errors.push(
+        `- SESSION_SECRET is required for PROTOCOL '${ModeType.Server}'`
+      )

    if (process.env.NODE_ENV !== 'test')
      if (!DB_CONNECT)
@@ -103,16 +129,16 @@ const verifyPROTOCOL = (): string[] => {
  }

  if (process.env.PROTOCOL === ProtocolType.HTTPS) {
-    const { PRIVATE_KEY, CERT_CHAIN } = process.env
+    const { PRIVATE_KEY, FULL_CHAIN } = process.env

    if (!PRIVATE_KEY)
      errors.push(
        `- PRIVATE_KEY is required for PROTOCOL '${ProtocolType.HTTPS}'`
      )

-    if (!CERT_CHAIN)
+    if (!FULL_CHAIN)
      errors.push(
-        `- CERT_CHAIN is required for PROTOCOL '${ProtocolType.HTTPS}'`
+        `- FULL_CHAIN is required for PROTOCOL '${ProtocolType.HTTPS}'`
      )
  }

@@ -232,5 +258,5 @@ const DEFAULTS = {
  PORT: '5000',
  HELMET_COEP: HelmetCoepType.TRUE,
  LOG_FORMAT_MORGAN: LOG_FORMAT_MORGANType.Common,
-  RUN_TIMES: RunTimeType.SAS
+  RUN_TIMES: `${RunTimeType.SAS}`
 }
--- a/api/src/utils/zipped.ts
+++ b/api/src/utils/zipped.ts
@@ -28,8 +28,7 @@ export const extractJSONFromZip = async (zipFile: Express.Multer.File) => {

  for await (const entry of zip) {
    const fileName = entry.path as string
-    // grab the first json found in .zip
-    if (fileName.toUpperCase().endsWith('.JSON')) {
+    if (fileName.toUpperCase().endsWith('.JSON') && fileName === fileInZip) {
      fileContent = await entry.buffer()
      break
    } else {
--- a/web/src/context/appContext.tsx
+++ b/web/src/context/appContext.tsx
@@ -88,7 +88,7 @@ const AppContextProvider = (props: { children: ReactNode }) => {
  }, [])

  const logout = useCallback(() => {
-    axios.get('/SASLogon/logout').then(() => {
+    axios.get('/logout').then(() => {
      setLoggedIn(false)
      setUsername('')
      setDisplayName('')